Glenn 'devalias' Grant | 28 minutes to read | #security, #minddump, #bugcrowd, #bugbounty, #conference

Today was LevelUp, Bugcrowd's first Virtual Hacking Conference. With 2 separate streams over 8 hours, the schedule was jam-packed with interesting talks and knowledge drops across topics including web, mobile, IoT and even car hacking.

Waking up at 1:30am (AEST) to get some Bulletproof coffee in before it started, I think I briefly moved once from the couch in the whole session. The rest was solid and intent focus on the topics, trying to keep up with all of the amazing content, while also taking notes (~1200 lines worth!) and dropping out tweets at the same time. I don't think I've been as engaged or intently focused on something for such a long period in a long time. Testament to the quality of the conference!

One of the common themes of the conference today (besides all the tech knowledge) was that of community and sharing. This is something that speaks to my core, and one of the things that I love about the security industry. How people can be so open, be willing to share their knowledge, and humbly learn in return. Such a great way to bring everyone up across the board, and super grateful for it.

There are a few places you can get connected with bug bounty hunters / security researchers that I wanted to list here:

  • Twitter!
    • This sort of goes without saying given how active the security community is here. But with regards to this conference and related things, check out Bugcrowd's hashtag: #ItTakesACrowd
    • Also make sure to follow @Bugcrowd, and if you'd like to see more from me (when I rarely but occasionally tweet) you can find me at @_devalias (always feel free to say hi!)
  • Bug Bounty World
  • Bug Bounty Forum
  • Bugcrowd Forum
    • Make sure to also check out the discussions over at the Bugcrowd forum.

In light of that theme, I wanted to share what I have from today, not only so I remember what I saw, but so that everyone else has the opportunity to see some of the great stuff that was presented today. This post will be largely my raw and unedited notes, with any future posts likely to be more structured/refined.

It's also worth noting that every talk from both streams was recorded, and will be published to YouTube within the next week or so, so keep an eye out for that! I'll probably update this page when they're released, and I intend to write some more thorough blog posts based on each session when I have a chance to go back through it all at a slower pace, so keep an eye out for those!

Do you have any awesome resources, comments, or things to add? I'd love for you to share in the comments below!

Overview of this post

  • Videos
  • Schedule
    • Stream 1
    • Stream 2
  • Raw Notes
    • Welcome + Kickoff (Sam Houston)
    • How to Hack Web v2 (Jason Haddix)
    • How to Fail at Bug Bounty (Caleb Kinney)
    • Giving Back to the Community (ZSeano)
    • Doing Recon Like a Boss (Ben Sadeghipour)
    • Hidden in Plain Site: Disclosing Information via Your APIs (Peter Yaworski)
    • Targeting for Bug Bounty Research (Matthew Conway)
    • How does unicode affect our Security? (Christopher Bleckmann-Dreher, @schniggie)
    • Hacking Internet of Things for Bug Bounties (Aditya Gupta)
    • Intro to Car Hacking (Alan Mond)
  • Thanks!

Videos

Schedule

Just in case the schedule goes offline sometime in the future, here are the main bits for posterity:

Stream 1

  • Welcome
    • Welcome + Kickoff, Sam Houston (20min)
    • Welcome, State of Bug Bounty & The Future of Crowdsourced Security, Casey Ellis (60min)
    • How to Hack Web v2, Jason Haddix (50min)
  • General Bug bounty and Web Hacking
    • How to Fail at Bug Bounty, Caleb Kinney (25min)
    • Giving Back to the Community, ZSeano (45min)
    • Doing Recon Like a Boss, Ben Sadeghipour (25min)
  • Web Hacking
    • Hidden in Plain Site: Disclosing Information via Your APIs, Peter Yaworski (25min)
    • Targeting for Bug Bounty Research, Matthew Conway (25min)
    • How does unicode affect our Security?, Christopher Bleckmann-Dreher @schniggie (45min)
  • Hardware Hacking
    • Hacking Internet of Things for Bug Bounties, Aditya Gupta (45min)
    • Intro to Car Hacking, Alan Mond (25min)
    • MarkDoom: How I Hacked Every Major IDE in 2 Weeks, Matt Austin (45min)
  • Ending Ceremony
    • Final Words, JHaddix w/intro from Sam (30min)

Stream 2

  • Web Hacking and Mobile Hacking
    • OWASP iGoat – A Self Learning Tool for iOS App Pentesting and Security, Swaroop Yermalkar (25min)
    • Esoteric sub-domain enumeration techniques, Bharath (45min)
    • Finding Hidden Gems in Old Programs, Yappare (25min)
  • Mobile Hacking and API Hacking
    • Breaking Mobile App Protection Mechanisms, Ben Actis (45min)
    • Reverse Engineering Mobile Apps, Emily Walls (25min)
    • Identifying and Evading Android Protections, Tim Strazzere (45min)
    • Do you like fuzzing? Why I built fuzzapi to fuzz REST APIs for profit, Abhijeth Dugginapeddi (25min)
    • Advanced Android Bug Bounty skills, Ben Actis (45min)
  • Browser Hacking
    • Browser Exploitation for Fun and Profit, Dhiraj Mishra (25min)

Raw Notes

The following are my raw notes from today's session. Apologies in advance for the format.

Welcome + Kickoff (Sam Houston)

http://twitter.com/samhouston
Stream 1, mostly web, switches to hardware later
Stream 2, mostly mobile hacking
Tweet with #ItTakesACrowd and @BugCrowd
http://www.bugbountyworld.com, new slack, bugcrowd channel

Welcome, State of Bug Bounty & The Future of Crowdsourced Security (Casey Ellis)

Casey Ellis, Founder/CEO of Bugcrowd
https://twitter.com/caseyjohnellis
casey@bugcrowd.com
@caseyjohnellis #ItTakesACrowd

How to Hack Web v2 (Jason Haddix)

Head of Trust and Security at Bugcrowd
https://twitter.com/jhaddix
https://securityaegis.com
https://blog.bugcrowd.com/author/jason-haddix
The Bug Hunters Methodology (Def Con 23)
 distilling a lot of learnings over the years
 google it for the video
The Bug Hunters Methodology v2
 XSS, SSTI, SSRF, code/command injection, fuzzing, tooling
 API testing, object deserialisation, XXE in v2.5
Light reading:
 Web Application Hackers Handbook
 OWASP Testing Guide
 Web Hacking 101
 Breaking into information security
 Mastering modern web penetration testing
Discovery
 Enumall (recon-ng, alt-dns wrapper, etc)
Sub scraping
 https://github.com/aboul3la/Sublist3r
 scrapes search engines/etc for mentions of domains
 sources are different from enumall
 anshumanbh/brutesubs
 set of docker images that include multiple tools
 inc enumall and sublister
 along with gobuster and altdns
 run against a domain you want
 need to modify config/docker scripts to add custom bits
 disable bruteforce for enumall
 did a presentation about this topic recently (TODO)
 mandatoryprogrammer/cloudflare_enum
 anshumanbh/censys.py
Subdomain bruteforcing
 Like: subbrute, gobuster, massdns, dns-parallel-prober, blacksheepwall
 gobuster (21m) and massdns (1.5m) are quick
 massdns found more quicker, but more false positives
 could feed massdns stuff into gobuster to reduce?
 blechschmidt/massdns
 all.txt: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
 list of all the dns brute lists in one
Acquisitions
 crunchbase
 protected by distil bot protection
 can write a tool to beat that
Port scanning
 nmap is great, but don't try and scan 65536 hosts with the default port list
 masscan
 doesn't provide a default port list
 use nmaps (giant list of ports)
 https://twitter.com/_devalias/status/886280729327312896
Visual identification
 https://github.com/ChrisTruncer/EyeWitness
 checks HTTP(S), RDP and a couple of other protocols too
 https://github.com/breenmachine/httpscreenshot
 another tool
Platform identification and CVE searching
 retire.js, wappalyzer, builtwith
 https://vulners.com/
 combine a lot of CVE/etc sources
 https://github.com/vulnersCom/burp-vulners-scanner
 search in scope domains
 find versions/etc
 link to vulns for lower than that version
 get list of CVE's that might be related
Content discovery/directory bruting
 TBHMv1
 wordlists: seclists, raft, digger_wordlists
 patator
 wpscan
 cmsmap
 
 https://github.com/maurosoria/dirsearch
 
 https://github.com/OJ/gobuster
 super fast
 burp content discovery
 in burp pro
 pretty good, but sort of bogs down java
 danielmiessler/RobotsDisallowed
Parameter bruting?
 https://github.com/maK-/parameth
 This tool can be used to brute discover GET and POST parameters
PortSwigger/backslash-powered-scanner
 /resources/params
 good wordlist
XSS
 TBHMv1
 polyglot strings, seclists, flash reversing, common input vectors
 TBHMv2
 blind XSS
 sleepy puppy (python)
 xss hunter (python)
 ground control (ruby, small)
 polyglots
 xss mindmap
 Blind XSS
 input may eventually end up on some backend app and executes somewhere
 use a payload that loads JS
 need a framework to catch it
 XSSHunter
 payload gathers a lot of really useful data
Polyglots
 injection string that executes in multiple contexts
 may bypass multiple filters
 starting to integrate in lots of scanners
 0xS0bky/HackVault
 unleashing an ultimate xss polyglot
Jackmasa's XSS Mindmap
 breaks down attacks based on context
 PoC's
 ideas for all sorts of things
 used to just be in Japanese
 ported recently to english
 huge image file (svg)
 https://github.com/jackmasa
 seems to have a bunch of projects worth looking at
 https://github.com/jackmasa/XSS.png/tree/master
Server Side Template Injection (SSTI)
 engine identification
 wappalyzer, builtwith, vulners scanner
 test fuzzing
 tooling
 tplmap + burp extension
 backslash powered scanner?
 tl;dr: send some template payload and check for result
 {{2*3}}
 epinna/tplmap
 code/server side template injection detection/exploitation
 other SSTI resources
 lots of links
Server Side Request Forgery (SSRF)
 look for any paths/urls referenced
 wilded/psychoPATH
 will release a tool with his Def Con talk in a week
 can bypass filtering blacklists using alternate IP encoding
 SSRF bible: https://www.reddit.com/r/netsec/comments/2tpfz7/ssrf_bible_cheatsheet_by_onsec/
 protocol/schema mappings
 exploit examples
 update coming soon, BlackHat US-17?
 SSRF resources
 many links
 including BishopFox link: burp, collaborate and listen
Code Inject, Command Injection, Future of Fuzzing
 SQLi
 polyglot, seclists, sqlmap, params, tooling, resources
 https://github.com/commixproject/commix
 CMDi
 supports PHP code injection
 custom modules
 powershell and python shells
Burp backslash powered scanner
 generic payloads
 multi-tiered
 checks responses
 basically gives you an idea of where it might be useful to look
 supports testers rather than replacing them!
 watch the video THEN read the paper
 see link
Infrastructure and coding
 subdomain takeover
 register, control traffic that goes there
 lists a bunch of services most often vuln
 github
 autoSubTakeover
 HostileSubBruteforcer
 tko-subs
 Article: Deep dive into AWS S3..
 yasinS/sandcastle
 michenriksen
 gitrob
 dxa4481/truffleHog
 
Domain Discovery at Def Con
DefCon hunt tool
jhaddix/tbhm
 The Bug Hunters Methodology
jhaddix@bugcrowd.com

How to Fail at Bug Bounty (Caleb Kinney)

Twitter: @aphire
Blog: http://bountyhuntersguild.com
GitHub: calebkinney OrOneEqualsOne
Lessons learned during bug bounties
Conferences: rushing to see talks, not networking
Failed to read the bug bounty program brief
 rules of engagement
 scope
 focus areas
 out of scope
 excluded vuln types
 rewards/incentives
 disclosure rules
Failed to show impact
 used to submit every bug, priority often wasn't in thought process
 understand vulnerability prioritisation and explain it to program owners
 P1 - Critical
 P2 - Severe
 P3 - Moderate
 P4 - Low
 P5 - Informational / Won't Fix
 can you combine a self-XSS with CSRF to up the priority?
Failed to understand criticality
 submitting a won't fix will hurt your average vuln score
 utilize the Bugcrowd Vulnerability Rating Taxonomy
Failed to understand the application
 eg. 'vuln' that is a feature of the application
 research the application and ask questions
 cross-reference functions between different platforms (eg mobile/web)
Failed to plan for private programs
 Don't ignore the start time, may make you hit many duplicates
 Schedule time to work on the program as soon as it's published
Failed to plan for blacklisting
 have a way to get a new IP address
 or use a VPN/proxy
Bug Bounty != Penetration Test
Part time hunt tips
 wide scopes
 acquisitions/mergers
 assume automated scanning
 recon, recon, recon
 subdomain bruteforcing, port-scanning, google dorking
 censys.io
 shodan.io
 burp extensions
 reflected parameters
 https://github.com/allfro/BurpKit
 used Webkit to better render responses in burp
 JS
 Co2
 payload lists
 polyglots!
 community
 read, give back, collaborate
Hunting makes me a better tester
 understand whats important
 attuned to emergent security trends
 challenge for more technical exploits
 etc..
Personal mobile recon setup
 iPhone with Blink Shell
 doesn't require jailbreak
 DietPi with MOSH (jump mox)
 Port Forwarding
 personal recon script
 Sublist3r, domain, knock, eyewitness
 wraps a bunch of things and combines
 https://github.com/OrOneEqualsOne/Recon
 next gen will be a webapp to help 
Bug Bounty Resources
 https://twitter.com/_devalias/status/886295129807396865

Giving Back to the Community (ZSeano)

https://twitter.com/zseano
http://zseano.com
 tutorials, blog posts, etc
full time bug bounty, ranked #2 on bugcrowd
25 years old
Overview
 Finding first bug, chaining to higher priority
 Recon: what are you missing
 Big bounties for a living, and staying sane
Open URL Redirects
 easy to find
 aboutads.info, run burp whilst opting out
 google dorking
 inurl:redirect inurl:&
 bypasses
 will release a list of bypasses later
 making them more useful
 chain to account takeover via misconfigured oauth
 check their facebook app
 mobile app logs in via FB with app_token
 make sure to url encode the redirect_url
 Stored XSS + Oauth
 redirect user to stored XSS page, JS executes, grab oauth token and login to users account
 key things people miss
 bypassing filters
 generally use some form of regex
 fuzz as much as possible
 plan to update zseano.com with section on bypasses
 not checking for oauth systems in place
 try vulnerable parameter on as many endpoints as possible
 eg. one param on one program used throughout the web application
 burp intruder against all endpoints, etc
 check their mobile app
 sometimes use oauth, FB login
 google logins tend to be more secure
 redirect oauth to stored XSS
In future, want to do more talks on more topics
Recon: go back in time
 waybackmachine
 search for old files like robots.txt
 https://gist.github.com/mhmdiaa
 waybackurls
 waybackrobots
 tool idea
 scraping website from years back for URLs/links/etc
 eg. burp-wayback-spider
 .js files are your friends
 way things work, paths
 discovery of new endpoints
 hardcoded app secrets
 sometimes user information
 built a couple of tool
 Burp
 copy selected URLs
 copy links in selected items
 zScanner
 burp spider to discover endpoints
 copy items found, import to inputscanner
 visits each url, extracts all input names + ids and links to js files
 outputs to burp intruder format
 mass test XSS/sql/etc
 outputs 3 files, ready for burp intruder
 getoutput.txt
 postoutput.txt
 posthostoutput.txt
 use output from zScanner with JS-Scan
 visit each .js file, extract URLs using regex
 displays results on page
 easier to see whats in files without manually reading
 didn't plan on releasing these until recently
Finding bugs full time
 remain calm, take a step back
 see if someone has found something similar
 don't be afraid to ask people 
 be professional, waiting to be paid can be annoying
 be smart, learn where to spend your time
 test programs before diving in
 look at disclosed reports
 bugcrowd are managed programs
 managed programs on hackerone/synack can be good too
 you don't need an update every week, unless its a P1
 chain bugs to achieve the highest possible impact
 usually leads to bigger payout
 collaborate
 You WILL have bad days. Take time to relax, collect your thoughts, then keep going.
 re-test endpoints, re-visit certain areas of a site
 can either report on the old bug, or open a new report
 depends how much time you put in
 Find a program you love that treats you fair and give it your all
 Sharing is caring! If the program allows for it, share your bugs! 
People need to fuzz more
Store all vulnerable parameters found in a text file
Include your bug bounty name/how to contact/etc in your user agent
Have a few blog posts in the works

Doing Recon Like a Boss (Ben Sadeghipour)

https://twitter.com/Nahamsec
Agenda
 Overview
 Traditional way (brute forcing)
 AWS
 Abusing Github
 Asset identification
Why
 bigger attack surface
 more bugs
 more bounties
 more problems
Bruteforcing
 tools
 sublist3r, enumall, massdns, altdns, brutesubs, dns-parallel-prober, dnscan, knockpy, tko-subs, HostileSubBruteforcer
 find patterns
 .dev, .corp, .stage
 brute force again
 different permutations/environment
Amazon Web Services
 look for S3 buckets
 site:s3.amazonaws.com + ...
 use google for patterns
 GitHub
 automate your work
Automation
 create a list of subdomains
 create a list of environments
 automate
 catch them all
 new tool: Amazon S3 Bucket finder
 other tools: sandcastle, bucket_finder
 hopefully will release on github sometime next week
AWS Recon, what could go wrong
 S3 bucket not owned by company
 may be out of scope
 S3 bucket without sensitive info
 3rd party apps
Github Recon
 environments (dev, stage, prod)
 secret keys (API_key, AWS_Secret, etc)
 internal credentials
 API endpoints
 Domain patterns
 example
 "foo.com" "dev"
 "dev.foo.com"
 "bar.com" API_key
 "bar.com" password
 "api.bar.com"
 google dork
 site:"github.com" "org"
 tools
 gitrob
 git-all-secrets
 truffleHog
 git-secrets
 repo-supervisor
 do it manually..
Asset identification
 censys.io
 look for SSL certificates
 "company" + internal
 shodan.io
 search by hostname
 filter for
 ports 8443, 8080, 8180, etc
 title: "dashboard [jenkins]"
 product:Tomcat
 hostname:corp.levelup.com
 etc
 buy book by shodan creator for $5
 archive.org
 review source
 find old endpoints/functionality
 look for JS files
 exploit them!
 .js files
 endpoints
 credentials/tokens
 subdomains (inc internal)
 new tool being released next week
All tools included in this talk will be on the bugbountyforum website
Personal tools will be released next week
Burp 'should' be able to do JS parsing stuff
 in reality, seems to not work as well as it should
 can be easier to make external tools, do them your own way, etc
 hope someone takes this tool (when released) and create a burp plugin for it
 another tool (might get released)
 crawl website, download all JS files locally

Hidden in Plain Site: Disclosing Information via Your APIs (Peter Yaworski)

https://twitter.com/yaworsk
Application Security Engineer at Shopify
Wrote Web Hacking 101
 Hopefully Real World Web Hacking via No starch press
Overview
 What we're talking about
 Why we care
 Why it happens
 How you find it
 Examples
What we're talking about
 API's that reveal personal info or app sensitive info
 Focus on API's that render info to page source, parsed by react/angular/etc
Why we care
 Easy
 Impacts range from benign to critical
 Sometimes they can be chained together
Why it happens
 automation of repetitive tasks
 code abstraction
 easy to make mistakes, incur technical debt
Automation
 eg. rails is great at automating repetitive tasks, generate scaffold
 Will generate HTML view, but also .json endpoint for API
 You could remove those from the HTML view, won't see the information
 But can still get the full data from the API endpoint
 May not realise you need to edit the json file as well
Code abstraction
 eg. merging all json fields
 add new secret field
 manually, haven't updated json file, so fine
 but using json merge, the new param will be exposed
How do you find it
 initial recon
 identify software on site
 wappalyzer
 look for rails, angular, react
 eg rails sites follow certain patterns
 watch your proxy history
 look for giant json blobs in page sources
 watch for API calls
 mobile apps
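As an added example (not Shopify's or Rails' code), here are the two exposure patterns from the "Automation" and "Code abstraction" notes reproduced in plain JavaScript, plus the review check that finds fields the API returns but the HTML view no longer shows. The record, field names and token value are constructed for the demo.

```javascript
// Added example, not from the talk. A record has gained a new sensitive
// column; the "merge every attribute" serializer leaks it, the allow-list
// serializer does not. All values below are constructed sample data.
const USER_RECORD = {
  id: 7,
  name: 'Dana',
  email: 'dana@example.test',
  password_reset_token: 'tok-CONSTRUCTED', // the column added later
  is_admin: false,
};

// Fields the developer edited the HTML view down to.
const HTML_VIEW_FIELDS = ['id', 'name'];

// Pattern 1: scaffold-style serialization that merges every attribute.
// Nobody decided to expose the new column; it just rides along.
function serializeByMerge(record) {
  return { ...record };
}

// Pattern 2: explicit allow-list. Exposing a new column requires a
// deliberate edit in one place, which is what code review can catch.
const API_ALLOWED_FIELDS = ['id', 'name'];

function serializeAllowList(record, allowed = API_ALLOWED_FIELDS) {
  return Object.fromEntries(
    allowed.filter((key) => key in record).map((key) => [key, record[key]])
  );
}

// Review check: fields present in the API JSON but absent from the rendered
// view. Each one needs a conscious decision; an empty list means the API and
// the view agree on what the user is allowed to see.
function apiOnlyFields(apiJson, viewFields) {
  return Object.keys(apiJson)
    .filter((key) => !viewFields.includes(key))
    .sort();
}
```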
http://www.leanpub.com/web-hacking-101
http://www.shopify.com/careers

Targeting for Bug Bounty Research (Matthew Conway)

Lead product security engineer: Heroku, Salesforce
https://twitter.com/mattreduce
Focuses
 Efficient, repeatable discovery
 Judge targets on measurable criteria
 Keep flexible/portable records
 Put it into use
Reconnaissance Stage
When to enumerate
 start first, return to
Why spend time on info gathering?
 don't miss a target/vuln
 better coverage for program owner
 deep understanding yields great findings
Enumeration methods
 Before you find problems, you need to find all the places they live 
 need to cast the net wide
Enumerating hosts
 information sources
 dns
 for info, but also vulns
 eg. subdomain takeovers, exfil data, command&control
 github
 may identify api's/etc
 rapid7 project sonar
 scans the whole public internet, seeing what's vulnerable
 google search
 hosts
 software running
 secret pages
 google certificate transparency report
 can find hosts through subdomains company registered certs for
 beta access
 if a company with bug bounty program has beta program, try it
 test new features
 follow them on twitter, other social media, be aware of what they put out there
 other open sites
 dnsdumpster
 threatcrowd
 threatminer
 https everywhere atlas
 look for opportunities to repurpose tools online
 techniques
 google queries
 site:foo.com
 find results from subdomains not on list yet
 brute forcing
 try common subdomains
 bonus points for expanding with own wordlist from crawling own targets
 own scripts
 automate this + anything else you can
 dns tools
 dig, host
 dnsrecon
 dnsenum
 dnsmap
 recon-ng
 more framework than a script, like metasploit for recon
 altdns (shubs)
 read shubs blog: high frequency bug hunting
 https://github.com/jhaddix/domain
 Setup script for Recon-ng/altdns
Recording results
 CSV file, SQL database
 get creative
 choose what to catalog
 domain
 type
 think about what you'd like to know when choosing the next target you want to work on
 Find, Fix, Finish, Exploit, Analyze (F3EA) cycle
 https://github.com/infosec-au/assetnote-poc
 push notifications for passive DNS data
 cleaning up data
 write some scripts to run against hosts
 screenshots
 validating possible targets
 SSL certificates used by that host
 common cookie names across hosts
 distinctive HTTP headers, fragments, etc
 logo images
 copyright lines
 privacy policy links
 contact information
 google analytics tracking codes
Using target data
 understanding ownership
 some sites give subdomains out to customers
 just because it's on a subdomain of that company, may not be an app they control
 eg company.github.io
 subdomains that point to external services
 eg. blog.company.com
 find out who owns the host before you hack it
 consider scope
 may be explicitly in/out of scope
 sometimes may be implicitly in scope based on rules of engagement
 what now
 enumerate services
 look for vulnerabilities
Summary
 find out everything you can, keep good notes
 Respect program scope, remember pitfalls
 Automate as much as you can

How does unicode affect our Security? (Christopher Bleckmann-Dreher, @schniggie)

https://twitter.com/schniggie?lang=en
Pentester, german car manufacturer
Retired bughunter
ASCII
 7-bit, 128 characters
ISO-8859-?
 ASCII compatible
 8-bit, 256 characters
 Multiple standards
Unicode
 multibyte character set
 fully ASCII/ISO-8859 compatible
 Different encodings (UTF-8, UTF-16, UTF-32, UTF-EBCDIC, ..)
 more like a database, links between codepoint to character + some attributes
 Basic Multilingual Plane 65k chars
 Astral planes 1mil+ characters
Unicode Encodings
 different encodings use different bytes to store characters
Security implications - Length
 Length of UTF-8 string vs size of the string
 When allocating memory, etc
Security implications - JavaScript compare
 comparing 2 strings that look the same to the eye
 'ma\xF1ana' == 'man\u0303ana' -> false
 length of strings differ
Security implications - JavaScript regex
 /foo.bar/.test('fooPOOEMOJIbar')
 regex . should match 1 character
 \s\S matches whitespace, not whole of astral symbols
 multi-byte emoji
 current JS in most browsers is ECMAScript 5
 had trouble with chars in astral planes
 not completely supported by default
 some workarounds for it
 http://scriptular.com
 regex javascript application
 can test it
Security implications - MySQL vs UTF-8
 create table, charset set to utf8
 update table fooPOObar
 shows a warning, incorrect string value
 selecting back the entry, column name is only the prefix before poo emoji
 solution: set database to utf8mb4
Security implications - Internationalised Domain Names
 Stored as ascii strings using punycode
 eg. email spoofing using special characters
 UTF8 symbols that look identical
 Use punycode converter
 Register the converted domain
 real world attack scenarios
 an attack released earlier this year to spoof apple.com/etc
 not meant to be able to mix character sets in domain registrations
 google registrar seemed to allow it
 browsers realised that displaying UTF8 in the domain is bad
 now show the punycode instead
Unicode character - Right to left override
 can rename the file using ruby File.rename \xe2\x80
 able to rename exe file to a file that looks like it has the extension .ppt
 old attack, known since Windows 98 or so, still works today..
Crashing every iOS and OSX device
 2013, vulnerable to an arabic string
 https://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/
Backend != Backend
 Frontend may allow UTF8
 Backend may not be expecting it
 exception from backend
Spotify account hijacking
 Allowed unicode usernames
 Register an account with a superscript word of an existing account user
 Trigger forget password function
 Password reset canonicalises the username
 Sent him the password reset link
 Using that, used the canonicalised name again
 Was the victim user
 Reset password on that user
Phabricator bypass
 Facebook, like github
 Error, email at that domain not allowed
 MySQL
 add foo@attacker.comPOO@fb.com
 POO is the new %00 
Summary
 for developer
 verify methods, functions, frameworks handle unicode
 input validation should handle unicode
 verify all system and interconnection can handle unicode
POO is the new %00
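As an added example (not from the talk), the JavaScript pitfalls noted above, each paired with the check a defender would apply: NFC normalization before comparing, the regex `u` flag for astral characters, canonicalizing usernames the same way at registration and at password reset, and flagging bidi override characters in filenames. The username and filename samples are constructed.

```javascript
// Added example, not from the talk. Sample strings are constructed.

// 1. Strings that look identical but are different code point sequences:
//    precomposed U+00F1 (ñ) vs 'n' followed by U+0303 (combining tilde).
const PRECOMPOSED = 'ma\u00F1ana';
const DECOMPOSED = 'man\u0303ana';

function naiveEquals(a, b) {
  return a === b; // false for the pair above; their lengths differ as well
}

function canonicalEquals(a, b) {
  // Normalize both sides to NFC before comparing.
  return a.normalize('NFC') === b.normalize('NFC');
}

function codeUnitLength(s) {
  return s.length; // UTF-16 code units, which is what String.length counts
}

function codePointLength(s) {
  return Array.from(s).length; // iterates by code point, so astral chars count once
}

// 2. Regex '.' against an astral-plane character (U+1F4A9 is a surrogate
//    pair in UTF-16). Without the 'u' flag '.' consumes one code unit,
//    leaves the low surrogate in place, and the match fails.
const ASTRAL = 'foo\u{1F4A9}bar';

function dotMatchesAstral(s, unicodeMode) {
  const re = unicodeMode ? /^foo.bar$/u : /^foo.bar$/;
  return re.test(s);
}

// 3. Username canonicalization (the account-hijack pattern in the notes).
//    Registration must canonicalize exactly like the password-reset flow,
//    otherwise a superscript spelling can be registered beside an existing
//    name and the reset flow resolves it to the victim.
function canonicalUsername(name) {
  // NFKC folds superscript and modifier letters to their base letters.
  return name.normalize('NFKC').toLowerCase();
}

function registrationAllowed(requested, existingUsernames) {
  const canon = canonicalUsername(requested);
  return !existingUsernames.some((u) => canonicalUsername(u) === canon);
}

// 4. Right-to-left override and the other bidi controls in a filename
//    (the ".exe displayed as .ppt" trick). Flag these on upload.
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/;

function hasBidiOverride(filename) {
  return BIDI_CONTROLS.test(filename);
}
```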

Hacking Internet of Things for Bug Bounties (Aditya Gupta)

https://twitter.com/adi1391
https://twitter.com/_devalias/status/886339682958680064
 Run attify, pentesting IoT devices
 Author: "Learning Pentesting for Android Devices"
 Book: IoT hackers handbook, this month
 IoT pentesting guide to be released after this talk
Why
 if not, missing great stuff
 best to do in 2017
 easy targets
 higher barrier of entry
 enormous growth soon
 be prepared
 Examples
 IoT fridge that sends spam email
 Smart home compromised
 Hardcoded password in a medical device
 Shodan for scada things
 Controlling mining trucks
What
 what to look for during IoT bug bounties
 When you look at a device
 figure out possible attack vectors
 look closely
 pentesting mindset
 components
 entrypoints
 communication
 protocols
 exposed ports
 Once you have a target
 compromise the whole target
 don't just look at one small part, whole thing
 micro and macro
 where would be most vulnerable?
 start there
How
 how to find vulns that companies will pay for
 "Hacking IoT is not a 'black magic' It can be learnt. Too less resources."
 How to start IoT bug bounty hunting
 attack surface mapping
 hacking the embedded device
 hacking firmware
 may not be available, but can dump from device
 hacking mobile/web/cloud components
 hacking radio communications
 Attack Surface Mapping - Step 1
 https://twitter.com/_devalias/status/886341534450307072
 Recon
 understanding device
 visible ports
 components
 communication mediums
 Available info
 google
 datasheets
 support groups
 community center
 social engineering
 FCC ID
 Attack Surface Mapping - Step 2
 https://twitter.com/_devalias/status/886341954404929536
 map attack surface (architecture diagram)
 entrypoints
 communications
 additional web endpoints
 protocol/standard
 specifications
 Creating an architecture diagram
 Looking at a device
 FCC ID mentioned on the back of the device
 required for any radio communication device sold in US
 https://fccid.io/
 eg. EW780-8913-00
 https://fccid.io/EW780-8913-00
 gives you frequencies, internal/external pictures, etc
 can look for JTAG/etc ports
 What next?
 perform exploits
 be systematic
 often one component leads to another
 device -> dump firmware
 How to approach
 embedded -> firmware/web/mobile -> communication
 Hack the embedded device
 open device
 physical tamper protections, special screws, etc
 get a good screwdriver kit
 look at chipsets
 USB microscope
 phone flashlight
 identify things, label them
 dig deep
 look for exposed ports
 UART are easy to find/export
 multimeter to test Tx, Rx, GND
 connect to attify badge or USB-TTL
 identify baudrate
 run minicom for shell access
 screen can be used to connect to a TTY
 sudo screen /dev/ttyUSB0 ..
 JTAG
 can be harder than UART
 can be scattered across board
 JTAGulator or arduino nano flashed with JTAGEnum
 easily identify pinouts for JTAG
 https://twitter.com/_devalias/status/886344370944786432
 Hacking Embedded Devices - Debug JTAG
 Dump Flash
 look for flash chips
 read component sheet/datasheet
 may need to solder to adapter, pins are tiny
 then can dump flash
 NAND glitching
 generate fault scenario, have it behave in unexpected way
 drops to bootloader shell
 can set bootloader flags, eg single user mode
 Other attacks too
Firmware Hacking
 Easy to find basic vulns
 Good at RE -> lots of stuff to find
 Learn ARM and MIPS RE
 Sensitive hardcoded values, API keys, encryption mechanisms, etc
Firmware methodology
 binwalk
 extracts filesystem
 firmwalker
 identifies interesting things to look at
 Firmware-Mod-Kit
 allows filesystem modifications, then flash back to device
 Detect if device allows firmware modifications, security checks, etc
Encryption?
 XOR with empty space will give you the key itself
Hardcoded sensitive values
 eg. creds to ftp update server, etc
 Can find all sorts of things
 api keys, backdoors, SSL certs, staging URLs, etc
 Quick binary analysis in IDA
 can see hardcoded creds
 command injection vulns
 ROP
 etc
Analysing mobile apps
 native libraries can store secrets
 file, readelf
 IDA demo version can disassemble ARM binaries
 look at functions, eg. encryption
 understand the app code
Hacking communication
 look at mobile app -> device communication
 MQTT? CoAP?
 view resources unauthed?
 publish messages/subscribe topics?
 MQTT
 works on pub/sub topic
 might be able to subscribe to *
Hacking radio
 radio analysis/exploitation needs special hardware
 depends on protocol
 BLE/ZigBee most common
 Hacking Zigbee
 attify killerbee
 zbstumbler
 zbdump
 zbreplay
 etc
 Hacking BLE
 ubertooth, BLE sniffer
 sniff traffic
 see what handles being written
 rewrite handles using gatttool
Pentest methodology
 focus on 'attacker simulated exploitation' rather than pentest
 look at macro and micro
 95% success rate, critical vulns, devices compromised
 follow the guide
https://www.iotpentestingguide.com/
 https://twitter.com/_devalias/status/886350210724646912
https://twitter.com/_devalias/status/886350674266537984
https://twitter.com/_devalias/status/886350817741094912

Intro to Car Hacking (Alan Mond)

https://twitter.com/mondalan?lang=en
https://twitter.com/carloopio?lang=en
 Car hacking tool
Car Hacking 101
 How to get started
 vehicle networking basics
 demo
 build your own testing buck
What are the different attack surfaces?
 Tire pressure monitoring sensor
 sensor in each tire, connects to car, measures pressure
 communicates via low frequency radio signal
 can intercept that signal
 Bluetooth/wifi
 hotspot may be open
 OBD-II port
 underneath steering wheel
 main entry point for access, but already inside car
 Infotainment system
 USB, root access possible, etc
How to get started
 Book: The Car Hacker's Handbook, Craig Smith
 Free download http://ebook-dl.com/book/5277
 Tools, protocols, references
What you'll need
 access to the OBD-II port
 mandated to be on 'CAN' since 2008
 CAN hardware tool
 USB2CAN
 microcontroller with CAN controller on it
 OBD-II to serial (RS-232) cable
 linux machine
 raspberry pi, virtual machine on osx
 OR
 Carloop basic ($55)
 open source
 wireless
 why not cheap OBD2 dongles from amazon?
 could.. just a lot of work to use them
 integrated circuit, converts raw CAN messages to values
 not getting raw messages
Most comprehensive list
 github.com/jaredthecoder/awesome-vehicle-security
 https://twitter.com/_devalias/status/886354216968609792
Vehicle networking basics
 CAN bus
 connects all modules through 2 wires
 dashboard, engine, control modules, infotainment system
 Controller Area Network (CAN)
 2 wires, high and low
 more than 1 CAN bus on vehicle
 Why focus on CAN?
 mandated since 2008
 well supported in linux
 more than just diagnostics..
 currently not encrypted at all..
 signals go from high to low
 Anatomy of a CAN message
 arbitration ID
 IDE: 0 (always for CAN)
 Data length: 1 byte
 Data: payload
 ID and data most important
Demo
 install can-utils
 provision CarLoop with can-utils, flash over the air
 https://www.carloop.io/apps/app-scoketcan
 cansniffer
 identify by ID, see what changes in the data
 see what changes when you do something on the car
 no documentation out there
 manufacturers don't want you seeing it
 straightforward when you start to see it happen though
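As an added example (not from the talk or from can-utils), a parser for the candump log line format, `(timestamp) interface ID#DATA`, that splits each frame into the parts listed above (arbitration ID, IDE, DLC, payload) and then does the core of what cansniffer does: per ID, report which data bytes change between frames. The log lines are constructed and the IDs and values do not describe any real vehicle.

```javascript
// Added example, not from the talk. SAMPLE_LOG is constructed data in the
// candump log format; the IDs and payloads are made up for the demo.
const SAMPLE_LOG = `
(1500000000.000100) can0 244#000000000000
(1500000000.000200) can0 3D1#1A2B
(1500000000.010100) can0 244#000000000000
(1500000000.020100) can0 244#0000001F0000
(1500000000.020200) can0 3D1#1A2B
(1500000000.030100) can0 244#0000002E0000
`;

// (timestamp) interface ID#DATA. A 3-hex-digit ID is an 11-bit standard
// identifier (IDE = 0); an 8-hex-digit ID is a 29-bit extended one (IDE = 1).
const FRAME_RE = /^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*)$/;

// Anatomy of one frame: arbitration ID, IDE bit, DLC and payload bytes.
function parseFrame(line) {
  const m = FRAME_RE.exec(line.trim());
  if (!m) return null;
  const idHex = m[3];
  const dataHex = m[4];
  // Classic CAN carries at most 8 data bytes; odd hex length is malformed.
  if (dataHex.length % 2 !== 0 || dataHex.length > 16) return null;
  const data = [];
  for (let i = 0; i < dataHex.length; i += 2) {
    data.push(parseInt(dataHex.slice(i, i + 2), 16));
  }
  return {
    timestamp: parseFloat(m[1]),
    iface: m[2],
    id: parseInt(idHex, 16),
    extended: idHex.length === 8,
    dlc: data.length,
    data,
  };
}

function parseLog(text) {
  return text.split('\n').map(parseFrame).filter((f) => f !== null);
}

// Per arbitration ID: how many frames were seen and which byte positions ever
// changed between consecutive frames. That is the signal cansniffer highlights
// when you operate something on the car and watch which bytes move.
function changingBytes(frames) {
  const byId = new Map();
  for (const f of frames) {
    const key = f.id.toString(16).toUpperCase().padStart(f.extended ? 8 : 3, '0');
    const entry = byId.get(key) || { count: 0, last: null, changed: new Set() };
    if (entry.last !== null) {
      f.data.forEach((byte, i) => {
        if (byte !== entry.last[i]) entry.changed.add(i);
      });
    }
    entry.last = f.data;
    entry.count += 1;
    byId.set(key, entry);
  }
  const report = {};
  for (const [id, e] of byId) {
    report[id] = { count: e.count, changedBytes: [...e.changed].sort((a, b) => a - b) };
  }
  return report;
}

// Human-readable summary, one line per ID.
function formatReport(report) {
  return Object.keys(report)
    .sort()
    .map((id) => {
      const bytes = report[id].changedBytes;
      const desc = bytes.length ? `changing bytes: ${bytes.join(',')}` : 'static';
      return `${id}  frames=${report[id].count}  ${desc}`;
    });
}
```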
Build your own testing buck
 can build a test bench for less than $100
 Power supply
 engine control module
 CAN device
 adding more modules, can get more interesting data
 car-part.com
tools and resources on
 http://illmatics.com/carhacking.html
 https://community.rapid7.com/community/transpo-security/blog/2017/07/11/building-a-car-hacking-development-workbench-part-1
How to access proprietary parameter IDs?
 harder to decode
 query/response structure
 specific to OBD-II
 need to send specific PID to get it back
 most people use a scan tool for that brand, use a y-splitter
 then can capture the request/response
Replay of keyfobs from HackRF/similar devices?
 don't know much about it
Difference between tools mentioned and those dropped with jeep hacking research?
 that paper is a really good read
 goes through process of decoding each CAN message
 has some PIDs you can look at (for same brand of car)
 each manufacturer has different 'data dictionaries' for these PIDs
 all tools very similar, can bus/receiver
 simple toolchain
bugcrowd running car hacking CTF, prize is a truck
 https://www.carhackingvillage.com/
https://store.carloop.io/

Thanks!

Thanks for reading! Hope you found something useful.

Do you have any awesome resources, comments, or things to add? I'd love for you to share in the comments below! <3