Editor's Note: Today I’d like to introduce you to Bugcrowd member Anshuman Bhartiya (anshuman_bh). As an information security professional as well as bug bounty researcher, Anshuman has helped improve the security of many organizations. He has submitted several P1 & P2 bugs leading to his high standing within the programs he is involved in. As an active member on our Bugcrowd forum he also contributes to the bug bounty researcher community. This blog is from one of his responses on the forum that he has allowed us to post here. We are thrilled to share his thoughts and experience on how to successfully approach a target. Thanks!
Editor's Note: Bugcrowd community researcher Duarte Silva shares the story behind how he started working in information security. Duarte is one of Bugcrowd's top researchers; you can follow him on Twitter at @serializingme.
About the Author: Ben Sadeghipour has been participating in bug bounty programs since February of 2014. After his first few bugs, he came to realize that bug bounties are a great way to learn more about web application security as well as make some extra money while going to school as a computer science major. Currently Ben is an intern at Bugcrowd and continues to do bug bounty research. You can see more of his work on nahamsec.com.
Today I’d like to introduce you to Bugcrowd member Ciaran McNally (maK0). As a freelance security consultant as well as entrepreneur, Ciaran has helped improve the security of many organizations. We are honored to share his thoughts and experience on how organizations can increase their overall security. Thanks!
This post originally appeared on Tripwire.
Today I'd like to introduce you to Bugcrowd member Satish Bommisetty. An author and professional security researcher, Satish has helped improve the application security of dozens of companies by reporting over 170 valid vulnerabilities through Bugcrowd. We are honored to share his thoughts on how bounty hunters can deliver high quality professional results and create a respectful security research community. These are things that help form a researcher's positive reputation among peers as well as with customers.
Bugcrowd is a proud sponsor of Nullcon 2015, which is less than a week away! While we are putting the finishing touches on our Bug Bash event, we want to introduce you to another of our outstanding Crowd members in India that will be on the ground helping all the Nullcon Bug Bash participants to have a great experience.
Bugcrowd is a proud sponsor of Nullcon 2015, which is rapidly approaching! While we are hard at work preparing to host an awesome Bug Bash event, we want to introduce you to a few of our outstanding Crowd members in India that will be on the ground helping all the Nullcon Bug Bash participants to have a great experience.
[The Shmoocon presentations I recommended last week did not disappoint, and I'm excited to have the opportunity to share some of the great research I saw there with Bugcrowd customers and Crowd members. This tool released by Justin Kennedy and Steve Breen can be used by both Red Teams and Blue Teams. Enjoy! ~Kymberlee]
Guest Blog: httpscreenshot - A Tool for Both Teams
Shmoocon is one of those few security conferences that has been around for quite some time, each year selling out of tickets in record timing, and only allowing those with the quickest mouse clicks to obtain them. Luckily for Steve Breen and me, we had the privilege of giving our talk “httpscreenshot – A Tool for Both Teams” this year at Shmoocon, securing tickets for ourselves.
The reason we named this talk “A Tool for Both Teams” is that we believe red teams and blue teams can benefit from using it just the same. I’ve been on both teams myself, defending networks as well as breaking into them, so I feel justified in talking about the problems faced on both.
On the blue team, the biggest problem we’re trying to solve is that network and systems administrators often don't have a good idea of what is sitting on their networks. On the red team, every single network we are targeting (and in turn, supposed to be assessing) is an unknown to us, and we don’t always have a lot of time to explore it. Our solution to both problems is httpscreenshot.
httpscreenshot is a set of two Python scripts (httpscreenshot and cluster), developed internally over the past two years, that take screenshots of websites quickly and reliably. The cluster script then performs “fuzzy matching” on the HTML output of the pages to produce an immediately usable output with “similar” pages grouped together.
What we believe sets httpscreenshot apart from other similar tools out there is the number of features we’ve put into it while keeping the tool fast and thorough. Here is a quick list of the features of the tool:
- Has the ability to parse gnmap output from nmap and masscan
- Performs autodetection of SSL if version scans weren’t run
- Scrapes SSL certificates for domain names and alt names to add to the queue (no more missing vhosts due to hitting by IP address)
- Runs headless or configurable fail-over to Firefox so you can use your favorite remote server easily
- Threaded, so it’s pretty quick
- Saves output of websites to both PNG and HTML so you can easily grep the source if you’re looking for something specific
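As an added example (not code from httpscreenshot or its authors), the Python sketch below reproduces two of the ideas above: turning gnmap lines into a queue of targets with a simple TLS hint, and grouping fetched HTML by fuzzy similarity so near-duplicate pages are reviewed once. The gnmap lines, the HTML bodies and the port-based TLS fallback are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
# Constructed gnmap excerpt in the style nmap and masscan emit; not real scan data.
GNMAP = """# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http//, 443/open/tcp//ssl|https//, 22/open/tcp//ssh//
Host: 192.0.2.11 ()\tPorts: 8443/open/tcp/////, 8080/open/tcp//http-proxy//
Host: 192.0.2.12 ()\tStatus: Up
"""
PORT_RE = re.compile(r"(\d+)/open/tcp/+([^/,]*)/*")
# Assumption standing in for TLS autodetection without a version scan: empty service on these ports = TLS.
COMMON_TLS_PORTS = {443, 8443}

def parse_gnmap(text):
    """Return (host, port, use_ssl) for every open TCP port in gnmap text."""
    targets = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for port, service in PORT_RE.findall(line.split("Ports:", 1)[1]):
            port = int(port)
            # A version scan labels TLS services 'ssl|https'; otherwise use the port hint.
            use_ssl = "ssl" in service or (service == "" and port in COMMON_TLS_PORTS)
            targets.append((host, port, use_ssl))
    return targets

def normalize(html):
    """Collapse whitespace and case so cosmetic differences don't defeat matching."""
    return re.sub(r"\s+", " ", html).strip().lower()

def cluster_pages(pages, threshold=0.9):
    """Greedy grouping: a page joins the first cluster whose representative page
    matches it at >= threshold (difflib ratio), otherwise it starts a new cluster."""
    clusters = []  # (representative normalized html, [page names])
    for name, html in pages:
        norm = normalize(html)
        for rep, members in clusters:
            if SequenceMatcher(None, rep, norm).ratio() >= threshold:
                members.append(name)
                break
        else:
            clusters.append((norm, [name]))
    return [members for _, members in clusters]
# Constructed HTML bodies: two near-identical Jenkins dashboards and one default nginx page.
PAGES = [
    ("192.0.2.10:8080", "<html><title>Dashboard [Jenkins]</title><body>Jenkins on build01</body></html>"),
    ("192.0.2.11:8080", "<html><title>Dashboard [Jenkins]</title><body>Jenkins on build02</body></html>"),
    ("192.0.2.12:80", "<html><title>Welcome to nginx!</title><body>nginx is installed.</body></html>"),
]
```

Running `parse_gnmap(GNMAP)` yields five targets with only 443 and 8443 flagged for TLS, and `cluster_pages(PAGES)` puts the two Jenkins pages in one group and the nginx page in another.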
One of the ways I’ve leveraged this tool myself has been on bug bounties. For any bounties out there that allow a fairly open scope, such as Facebook, Google, eBay, etc., this tool is a fantastic way to quickly uncover attack surface (as demonstrated in the demo at the end of this post). Just a few weeks ago Ryan Dewhurst (@ethicalhack3r) mentioned that he found Jenkins on one of Facebook’s acquisitions on a non-standard port, netting him some fairly easy cash. I found the same on eBay, and the cluster portion of httpscreenshot put them all together for me for multiple submissions. :)
If you find the tool useful, want to provide some feedback, or need any help with it, just reach out to @breenmachine or me (@jstnkndy) on Twitter, IRC (breenmachine or juken), or raise an issue on GitHub (github.com/breenmachine/httpscreenshot). If you want to see the tool in action, check out the demo below or go play with it yourself!
Justin Kennedy (@jstnkndy) is a Principal Security Consultant at NTT Com Security and currently leads the Offensive Security team there. His expertise lies in social engineering, physical security, and other areas of penetration testing and offensive security. Justin's background includes systems administration, network defense, and being mischievous. When he's not popping boxes and rolling networks, you can often find him being a coffee and beer snob.
Recently Geekspeed discussed the importance of well written repro steps when he shared his tips on writing a great vulnerability submission. Digging deeper into that, I'd like to reference a great blogpost by Planet Zuda on Writing a Proof of Concept For Security Holes. ~Kymberlee