Scribd Logo
Upload

Welcome to Scribd!

  • 3 views

    Automation For Manual Bug Bounty Hunters

    Uploaded by

    Sologgh
    This document discusses how manual bug bounty hunters can incorporate automation into their workflows. It begins by providing background on the author's journey as a manual bug bounty hunter. It then explains that hunters typically fall into automated or manual camps, requiring different skillsets. The document advocates that manual hunters should not rely exclusively on "browser-and-Burp" techniques, and that free tools now allow automating parts of the recon, test, and exploit phases. It provides examples of how tools like Semgrep, ClusterFuzzLite, RESTler, and exploit generators can automate portions of the workflow while still allowing manual hunters to focus on their strengths like triage and exploitation. The goal of automation, it

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Automation For Manual Bug Bounty Hunters

    Uploaded by

    Sologgh
    3 views35 pages
    This document discusses how manual bug bounty hunters can incorporate automation into their workflows. It begins by providing background on the author's journey as a manual bug bounty hunter. It then explains that hunters typically fall into automated or manual camps, requiring different skillsets. The document advocates that manual hunters should not rely exclusively on "browser-and-Burp" techniques, and that free tools now allow automating parts of the recon, test, and exploit phases. It provides examples of how tools like Semgrep, ClusterFuzzLite, RESTler, and exploit generators can automate portions of the workflow while still allowing manual hunters to focus on their strengths like triage and exploitation. The goal of automation, it

    Original Description:

    Original Title

    Automation_for_Manual_Bug_Bounty_Hunters

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses how manual bug bounty hunters can incorporate automation into their workflows. It begins by providing background on the author's journey as a manual bug bounty hunter. It then explains that hunters typically fall into automated or manual camps, requiring different skillsets. The document advocates that manual hunters should not rely exclusively on "browser-and-Burp" techniques, and that free tools now allow automating parts of the recon, test, and exploit phases. It provides examples of how tools like Semgrep, ClusterFuzzLite, RESTler, and exploit generators can automate portions of the workflow while still allowing manual hunters to focus on their strengths like triage and exploitation. The goal of automation, it

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    3 views35 pages

    Automation For Manual Bug Bounty Hunters

    Uploaded by

    Sologgh
    This document discusses how manual bug bounty hunters can incorporate automation into their workflows. It begins by providing background on the author's journey as a manual bug bounty hunter. It then explains that hunters typically fall into automated or manual camps, requiring different skillsets. The document advocates that manual hunters should not rely exclusively on "browser-and-Burp" techniques, and that free tools now allow automating parts of the recon, test, and exploit phases. It provides examples of how tools like Semgrep, ClusterFuzzLite, RESTler, and exploit generators can automate portions of the workflow while still allowing manual hunters to focus on their strengths like triage and exploitation. The goal of automation, it

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 35

    Automation for

    Manual Bug
    Bounty Hunters
    Eugene Lim
    @spaceraccoon
    Eugene Lim 🇸🇬
    spaceraccoon
    Blog: spaceraccoon.dev
    Twitter: @spaceraccoonsec
    Why automate?
    3
    My bug bounty journey mostly involved manual hunting.

    Jan 2019
    • IDORs, business logic, XSS – First bounty end-Feb 2019 IDOR
    • Nov 2019: H1-213 Live Hacking Event Most Valuable Hacker
    • Large number of programs and bugs
    • Entered global all-time top 100 by Mar 2020

    2022
    • Native vulnerabilities, reverse engineering, code review
    • Jan 2021: H1-Elite Hall of Fame
    • Selective programs and higher impact
    • Still global top 40, but not really farming rep

    4
    In the long run, bounty hunters tend to fall into two camps.

    Automation Manual

    •Recon •Scope
    •Services •Applications
    •Scanners •Humans
    •Signatures •Heuristics

    5
    Despite overlaps, they require different skillsets and resources.

    • Signature-based
    • Subdomain enumeration scanners • Automated
    • Attack surface mapping • Fixed payload templates exploitation

    Recon Test Exploit


    • Explore application • Manually modify • Custom escalation and
    functionality payloads pivoting
    • Enumerate APIs • Observe behavior
    • Decompile source code

    6
    However, manual
    hunters should not rely
    exclusively on
    “browser-and-Burp”.
    Time-intensive Inconsistent

    Manual

    Inefficient BORING!

    7
    Free tools have increased in quantity and quality…

    Fuzzing Mobile SAST


    clusterfuzz AppShark Semgrep

    RESTler MobSF CodeQL

    8
    …helping manual hunters focus on triage and exploitation.

    Recon Test Exploit

    • Automate • Filter • Automate


    attack surface interesting payload
    mapping behaviour generation
    • Manually define • Manually • Manually write
    search sources confirm bug generators
    9
    More importantly, they help manual hunters differentiate
    themselves from automation and recon hunters.

    10
    Automation for manual hunters uses a different set of tools
    and workflows from standard automation.

    “Rather than scanning for vulnerabilities, we need to scan


    for interesting behaviour. Then, having identified the tiny
    fraction of inputs that yield interesting behaviour, we can
    investigate further.”

    – James Kettle, “Backslash Powered Scanning: hunting unknown vulnerability classes”


    Today, I will discuss how you can add automation in each
    stage as a manual bug bounty hunter.

    Recon Test Exploit

    12
    Recon
    13
    Single-app scope doesn’t have to mean zero recon.

    Client-side source code API enumeration / Cloud / SaaS Reverse engineering


    introspection integration

    14
    Client-side code can yield important data.

    APIs
    • Prod
    • Dev

    Secrets
    • Credentials
    • Encryption

    Integrations
    • Cloud
    • SaaS

    15
    1-to-1 (or close to) decompilers are key!

    webpack-
    asar
    exploder

    wabt hbctool

    Shoutout to LinkFinder for quick API extraction

    16
    Common API frameworks and how to enumerate them.

    GraphQL Introspection*

    OpenAPI Swagger UI

    Apollo Suggestions + Playground

    Generic Dirbusting + Documentation

    17
    Keep an eye out for third-party integrations.

    Cloud SaaS
    • Resource • Dangling urls
    enumeration (letitgo, • Shortlink services
    recon.cloud)
    • CORS/PostMessage
    • Bucket naming misconfigurations
    patterns
    • Role permissions

    18
    Frida

    Radare

    Reverse-engineering (dynamic
    and static) is a highly-
    underrated skill in bug bounty. Ghidra
    Test
    20
    My old spreadsheet method…

    Path Method Params XSS SSRF


    /users GET id X X
    Use features /users POST email X X
    /users PUT name Y X
    … … … … …

    Log request path

    Manually test

    21
    As I moved to part-time hunting, this became untenable.
    Positives
    • Extremely thorough
    • Customized for each context
    • Easy to bootstrap

    Negatives
    • Extremely slow
    • Inconsistent and not codified
    • Difficult to scale

    22
    Leverage modern
    DevSecOps tools to
    pre-screen possible
    vulnerabilities.

    Static Dynamic

    • Semgrep • ClusterFuzzLite
    • CodeQL • Jaeles
    • AppShark* • RESTler

    23
    Semgrep / CodeQL quickly identifies potential vulnerabilities in huge codebases.

    Automatically identify vulnerable sources and sinks

    Automatically track tainted data


    LOTS OF
    FALSE
    POSITIVES
    Manually verify sanitizers and transformations

    Manually write proof-of-concept

    24
    The secret sauce is your curated custom rules.
    DON’T “spray and pray”!
    App-
    specific
    sinks
    App- App-
    specific specific
    sources responses

    Rules

    25
    Accumulate your corpus of battle-tested rules over time.

    Endpoints/Code Possible
    Bugs

    Filtered Triaged
    automatically manually by
    by SAST/DAST you
    26
    Exploit
    27
    Don’t just copy and paste
    Case Study: payloads, generate them.
    Generating EPUB • Locate exploit primitives e.g.
    HTTPLeaks
    payloads • Write generation scripts

    29
    Use tools like DOM Invader and write your own
    extensions.
    Burp logs are one of your richest sources of data as a manual bug bounty hunter!
    You don’t need to spin your own
    recon framework but try creating
    and hosting your own exploit
    services.
    31
    Modern Manual Bug
    Hunting
    32
    Same
    dirbusting
    If you find
    yourself doing Same
    payloads
    Same
    injection tests
    the same thing
    again and
    again, it’s time Same source-
    to-sink tracing
    Same authz
    checks
    to automate!
    33
    With the right automation, manual hunters can focus on their
    strengths. The goal is to complement your workflow, not replace it.

    Focused Test Fun and Profit

    Targeted Recon Comprehensive


    Exploit

    34
    Thank you
    Blog: spaceraccoon.dev
    Twitter: @spaceraccoonsec

    You might also like