This is How to Shot Web: web hacking and mobile hacking in 2015. I really appreciate everyone being here. He's way smarter than me; this is me. I work for Bugcrowd, I'm director -- I manage a team of hackers behind the scenes, by bounty, can you write the program. In 2014 I participated as a researcher. This talk is about the method I use to do web hacking as well as stuff I learned from other researchers while doing this work. What is this really about? It's just -- I put a lot of -- my wife says it's okay.

So more specifically, what I did: I started off with my method, which is a pen tester method when I started doing this, application assessment. And so I then went out and manually parsed out all of the public research of all the badass bug hunters I knew about, a hundred plus -- as well as people I knew were good at it. I went through every article from the beginning of the crowdsourced bug bounty scene and also all of the Google and Facebook programs -- I created a presentation of what I distilled around that knowledge. This is kind of the stuff I'm going to bring in this presentation: bug bounty testing from web -- discovery techniques, parameters often attacked, useful fuzz strings, bypass filters, and some tools I think are cooler than other tools. Cool.

So the first section is philosophy. So the differences between kind of bug bounty hunting and being a web pen tester -- both sides, and they are both right, but when you get down to the practical work it introduces a lot of stuff here, time constraints to a security tester that they are not used to when you are doing this kind of stuff, unless you are playing in CTF. I played in CTFs, so I was kind of used to it. You are only -- for what you find and not the hours you put in. So, I mean, this is a basic overview of how they differ; the talk is more about the technical stuff. Yeah, you basically tailor your method around finding stuff in 20 percent as opposed to an 80 percent application assessment. We'll go into how that 80/20 rule kind of fits in the rest of the slides.

So if you are doing a regular web app assessment -- this is usually what you are trained from and what your internal method is built off of. Mostly any of the good consultants use these and the authors are, you know, super great testers, right, but these take you from A to Z and even though they find good bugs they take a long time to complete in full scale. So bug bounties are different. If you want to do web hacking, these are what you go for; my talk is a little bit different.

Let's talk about discovery in web application assessment for a bounty. What you want to do is basically find the road less traveled if you are aiming to get paid, I think. So, you can attack the flagship application that the company has, right. That's not where the vulnerability is going to be; that application has been tested by a pen test team and probably had a bug bounty on it for a long time. You really want to find part of the -- maybe -- secure web servers on different ports. You also want to find acquisitions maybe the company had recently that came from a different development team, and they might have a whole slew of problems that came from a whole different group. You want to look at functionality changes and redesigns on sites. Mobile websites, because they are set to render differently on your phone. And also a new mobile app version when you are testing. We are going to go into tools and stuff I used to find stuff for you to attack.

So Recon-ng is this tool that allows you to -- one part has all these modules to do subdomain discovery. Now subdomain discovery is a big part of finding applications left out there; marketing spins up a site, -- dev -- finding those and hacking those, code execution through those sites, is kind of where you can get big payouts. So this script, what it does is it scrapes Google for all -- given web property, so let's say Acme.com, this will -- for everything that is in ACME and remove those results until you are down to this long list of subdomains. It also scrapes Bing -- Netcraft, subdomains like common files. To use this, it's on GitHub; you wrap it around Recon-ng; if you have Recon-ng installed you can pop the script in and go. Yes, so this is the output of something like that against a company like this. You can see -- probably a lot of domains here that have gone under-assessed as far as you go. So -- this is that idea of iterating through Google to find subdomains: here you have site: then minus www sites; I found on its first hit sandbox, I removed that; this is the scraping that the cool -- tool -- is doing. You get credit plier, business or shopping or advertising, and you just keep on removing these until you have all of them. Then you end up with a huge list of sites to assess.

Then you want to go through, and on your entity that you are attacking you want to find mergers or acquisitions that may be on -- they just purchased a company. Purchased by Facebook, they got popped as soon as they were acquired; they were not under Facebook's six month rule, I don't know if it's six months, I can't remember how long. But yeah, they got popped immediately; it was a whole different dev team. They got hit with injection and custom header; that was great, well, not great, but it was good for the bounty hunter. Wikipedia updates these things for stock reasons, so keep an eye on these if your company has to purchase something else; they have new domains that may not be in the bug bounty -- there's also a repository of links of every kind of -- that comes out on PayPal and Google. This one is post -- hosted, and Facebook I have no idea, it's linked; it has everything high percent linked; these are the blog articles. Why is this important if somebody already found these bugs? Because bugs get represented across the domain in different places. So you can tell a lot about an organization once you read these articles and find the same bug in other locations like the subdomains; maybe rogue -- how they filter input; you get a lot of intel around the application. So, you know, really doing a lot of research on your target can help, but it's not the fast stuff.

So port scanning. I mentioned port scanning; it's not just for net pen. So, yeah, I mean, how I hacked Facebook, there was an article by Ryan; he started out port scanning, found a weird server, he got in -- simple as that, 8,000 dollar bug, right, or even more, I don't remember. So, asp.net, the Microsoft domain that you know -- that was already open to the world with MS12-020 on it, vulnerable, so that was a thing. Go ahead and use simple nmap syntax to start port scanning all of your sites; make sure you check all those services. This syntax will port scan all ports on a domain as well as pull out any HTTP servers and display those; it's a SYN scan and OS -- so.
So mapping. So you found all of these new servers, right, like maybe subdomains, or maybe you found an acquisition or something like that; now you want to move into mapping an individual application. So, taking notes is really important when you are doing this, whether inside of like Notepad or, you know, just using pen and paper; like I use Evernote, all my bugs are in templates, I can copy and paste disclosure E-mails. So these are mapping tips that I use right away. Google is actually your friend; you can get a lot of information -- I know there are parameter parsing scripts, I couldn't find a good one for this presentation, you know, just parse parameters out of the Google like cache stuff, but really the next big thing is directory brute forcing: finding unlinked content, content that's not supposed to be there. A lot of people use content discovery for this kind of thing; that's good, they are good lists, but those lists were created by going out, spidering the internet and then prioritizing them. There are some other lists that are better for this type of work. So the list, or these lists, that came out of a talk maybe four or five years ago: RAFT was an application proxy, it was a decent one, but it has since been discontinued; its lists for directory brute forcing have lived on. They are a spider of the internet robots.txt files; everything that everybody doesn't want you to see is in this directory brute forcing list. Super sick; I can't tell you how many bugs I found just using this list, like config files all over the place. There's another list like this; they went out and spidered all the projects, so if your site or target is open source you can take all the paths that have been -- in the application or find config files.

So after you do some unlinked content discovery or directory brute -- you can try to identify the platform. So, there are just some really simple wins here -- you can click and look at the headers, the comments in the pages, analytics things that have been integrated; they will give you the whole server stack, they will give you version numbers if they can identify them. Retire.js, one of my new favorites; it will profile all of the server side JavaScript -- as well as give you all the vulnerabilities before that patch, or your vulnerable -- list of prioritized cross-site scripting. Once you identify all of these server version numbers, check for CVEs and server type stuff; that's standard, that's web stuff. But these are good -- tools. If you happen to come across a CMS you want to use these two tools: WPScan for WordPress, a lot of people use this already. It will identify all plugins and users for a WordPress install as well as look up any vulns that are associated with those plugins that have been disclosed. And then CMSmap for -- and what is the other CMS -- so those are the two that have really yielded any value for me across CMS. You see a screenshot of WPScan. And it's, you know, found a version of a plugin or theme that has a file -- sometimes there are false positives; honestly, for what this script does, it provides so much value, so it's great.

So the directory brute forcing we talked about a little bit earlier: the workflow for this, a lot of people do it; I just put this slide in here because I see a lot of people do it a little bit weird. I see people -- off the top level path a lot and then just stop, right; they'll get errors, don't know what to do with it. They'll go to Acme.com and get 200, 404, and more 404; you know there's nothing there; then they'll hit control panel and see 401, "I can't do anything, I'm not authorized", right, so they -- after control panel there are so many messed up access controls on web server bugs you can exploit if you route -- I just see this a lot where people stop after the top level domain; that's kind of the workflow you are doing there.

Some other things that you can do: mapping and vuln discovery using open source intelligence. Five sites, six methods that you can use to find already published bugs, or almost already public bugs, I guess they are considered -- or whatever: XSSed.com, PunkSpider, a -- engine that scans the internet; if your target is a high profile site, information might already be in here; you can pull it out and use it to your advantage. Even if those bugs have already been disclosed. I found bugs on here not dis-- that's actually worked before; it was like a super easy win. It helps you get a feeling for what the company has faced before as far as prevalent cross-site -- file uploads, and then you can do regression testing on all the domains you found earlier in the presentation. Go out and use these resources to try and find bugs in the platform as quickly as possible; they are free and out -- the customer should know about them anyway; it's the responsible thing to do.

Okay. So this is my intern Ben; he's never spoken before at DEF CON, neither have I, this is my first speaking, but he did an awesome project and he's going to talk about it for a couple seconds; I really like it so.

>>
[Applause]

>> So hello everyone, my name is Ben. I'm on Jason's team. For the past couple months we actually gathered a bunch of files that include all the data for each bug bounty program that's out there, 200 plus programs that are included in this project; they include how much a minimum is, how much a maximum is, what's not included in the scope of the program as well. We used all this data and fed it into different scripts like recon -- it just went through every single one of those programs and -- for subdomains. And this also is available on a GitHub account and everyone can be in and use it if they want to. This is Yahoo's program a couple months ago -- what we have is a record that shows that's the Yahoo.com all -- and Flickr and all subdomains of Flickr included in scope as well as all mobile apps included as well; you can see there are two domains, which is yahoo.net and subdomains and Yahoo.com itself, not included in the scope of the program. What we ended up doing with this: using Ruby we wrote a script, fed every -- file and we crawled them, and using -- for example for this one we -- and you can see there was disclose a domain -- just close a domain; there are a bunch of sites out there that you can easily report and report to the vendor. Taking it further we, same idea, use all -- and we fed that into Intrigue, which, Intrigue is an API framework that is for intelligence gathering and it does a bunch of tasks that you can see on the left side of the screen; it includes doing -- web spider, nmap and you name it, we can do it with Intrigue. Also Intrigue is available on GitHub as well; go ahead and commit to it if you need to. What we ended up doing for Intrigue, we parsed every file with -- and you can see it says R; we are taking the task DNS brute sub -- and give it an entity and options, all included in the manual, and we are running that for the JSON file; the bottom shows it's being assigned an ID that you can just go in localhost and check it out and see what Intrigue has found. So for example we did intrigue.io and for DNS brute force you can see all those subdomains that have been out there that Intrigue found, with IP addresses as well. And make sure you guys check it out; like I said it's online -- the possibilities, -- you can do whatever you can think of with it. Being a bug bounty hunter I think it's huge for -- useful for everybody out there.

>> [Applause]

>> Yeah. That's a sick tool and sick framework, both Recon-ng and Intrigue -- I love both those tools; use them both if you can. Intrigue is going to be sick; you guys should check it out so. Okay. So onto -- I'm
going to have to blow through some of this. This presentation's long. The one thing I want to say: these are low -- the problem is if people start not paying attention to them you can't -- multiple bugs. I've had multiple bugs where we've had a couple small issues like with password resets, something like that; we chain them to make like a critical account takeover. These are really important; these are the kind of bugs that a lot of people see and, like the hashtag beg bounty, people really don't like them. Don't discount them, just note them; if they are out of scope, don't discount them. That's what I have to say about some of these. So session -- the kind of same thing, failure to -- new -- no new cookies -- these are all things you are going to be able to use later; a lot of times they are out of scope, so either you are out of scope or unappreciated or duped or something like that; yeah, you should keep them in mind when you continue testing; they can be.

So the big part of this one is attack fuzzing -- we are going to talk about cross-site scripting; some really good people have done the core idea of cross-site scripting: page functionality that displays to the user; that's kind of the question I ask myself, you know, can I get reflection somehow with JavaScript? So you can do manual testing, which is great; you can enter in your many characters and see if they return, but really when I'm trying to work fast in a bug bounty -- so, you probably used them before; the technical definition for them is web polyglots -- the first one you will recognize, they used to call it the RSnake battering ram, came out of -- you probably used this before; you pray that you get cross-site scripting; this is multi context filter bypass -- it's a mouthful, I know. It's designed to evade filters; it's allowed to execute in different web contexts, and it's really cool, so I have three of these that I cite here that if you are just doing bug bounty hunting you can use and just kind of move along on critical functions in the site. This one is from a researcher, he does cross-site -- I think he did a Ph.D. in cross-site scripting, which to me blows my mind. This is a multi context -- so you can see here that he's trying to do markup in a whole bunch of different contexts; he's got like an at sign here to like trick E-mail-like filters, or maybe -- so he actually ran this along like the top one hundred and like 80 percent of them were vulnerable with search parameters with this string; more ammo. This one is done by Math -- so he did a whole presentation on this idea of multi or payloads on websites, so this is his multi context; so this is one that I use now, so thank you.

Other observations when I started parsing bug bounty work: it is important, so finding customizable themes or profiles that you -- trick them into using Java -- any application that deals with those type of things, you are pulling things from a URI and rendering it for some reason. Importing from a third party like Facebook integration where there may be -- display Facebook data inline, so you can set your name on Facebook to script alert and it will alert on this site. -- that didn't -- a lot of people discount web services right away because they think the content type won't execute cross-site scripting, won't execute JavaScript, so you have to really check and make sure they are returning; otherwise you can get -- and a lot of -- file upload names, try to change it to script alert, whatever like that; it's -- a lot of the places uploaded files themselves, this is a huge one actually that's all over the place, so a compiled file or HTML file and you basically attack a file upload, and so a lot of, you know, file uploads; there's a whole section about file uploads, we'll talk about it more in a little bit. Custom error pages where they are echoing what you can't find. Make parameters -- put it into your response and then log in and figure out password forms. Also, this is a SWF parameter XSS that is a huge thing; I don't think I've ever found a SWF file that I decompiled that hasn't been vulnerable, or remote file include; actually Dennis here is like the guy I ask questions all the time. So, yeah, so, things like JW Player and all of these software that are SWF files that do media or whatever, like so there's a whole -- on the common programs that these players use and then also the injection strings; you have to do more manual analysis to do that manually. Oh, I use this Flashbang, which I think is awesome; you drop a SWF file on the -- and it dumps out all the program -- and displays them along with whether they are going to execute out of the context of the SWF file. I highly suggest this tool if you are going to do some SWF hacking, way better than like a lot of the old ones. Cool. So --
does the page look like it might need to call or store data, obviously. SQLi where it will execute in single quote, double quote and straight into -- context. I've seen a lot of -- remember these are things that actually scanners are starting to do; they don't want to send a -- you have eight million parameters on a page, it takes forever to scan things, right. So I imagine a lot of scanners will start to pick up on this kind of thing; the idea of these multi context injection strings, this is awesome as well. So for injection, to kind of go through and fuzz things I use the SecLists project; it's got a bunch of fuzzing lists and all this crazy stuff; Daniel here actually helped me curate it, we designed it together, and it's invaluable, right; it's got like, by type of injection, if you want to do a login bypass in MySQL it's got all those, K -- curated. I highly suggest using this when I want to attack a form or something like that, some parameter I think is vulnerable, so. -- so other observations: blind is the predominant -- you hardly ever get -- in those cases benchmark strings and stuff to make the page take a long time to load; that's how you identify. Whether you take it the whole exploit way is up to you; we have a lot of researchers who just want to identify and move on. I like to run sqlmap; it's still king; there's no other tool that does it as good as sqlmap. Everybody uses sqlmap at some point. So, yeah, some tips for sqlmap: basically when you are doing this you can actually parse a whole Burp log file, parse-fuzz the whole file; it takes forever, it's not like the greatest way to do things, but it's offering a lot of coverage. If you are up against some kind of blacklist or something like that it has tamper scripts you can use to encode all of your -- you can evade blacklists. There's a good guide on there; it's somewhere on the forum, DBMS specific syntax -- so if you are going up against -- there's a simple string you can pass into sqlmap and get past blacklists. A really fast way to instrument sqlmap is -- basically allows you to right-click in any window in Burp and send that request to an API running on your local box; you can be inside of Burp, right-click and start searching. Currency values, item number values, sorting parameters; I'm not going to go through all these, they are a long list; these slides are going to be on GitHub anyway; you can grab it and use it if you think it's useful; these are the kind of places where I saw the most injection and -- this is the right-click on a request, send it to scan now. That Burp -- doesn't look like this anymore, but you get the idea. So this is my cheat sheet of SQL, when I do, broken down by SQL type; these are cheat sheets that let you know manual syntax; a lot of these, people pen test -- you have to use these, you have to have them handy when you are doing injection; Access, who uses Access, that section, [indiscernible]. So, I keep those handy in my Evernote when I'm doing SQL injection testing; when I see errors, something like that, I just start, you know, getting in that mode. So file uploads and file
inclusions, next area. So local file inclusion: the core idea is does it, or can it, interact with the server file system. [indiscernible] Obviously you can do it manually; I have a lot of LFI scripting stuff up. You can see here like I tried a bunch of blacklist bypasses to try to get common system files; this is on the project. Common parameters or injection points for this type of stuff; you would think of this, but it's good to have it in the list: file, location, locale, path, display, load, read or retrieve; these are the most common parameters that you will find those in. Malicious file uploads. This is an important -- doing this type of testing, not only just to upload SWF files and get XSS -- you can -- one of the ones I like a lot, it's a DoS, basically an image that specifies itself to be large but isn't; you can upload it and the server will allocate all of this space; not that big of a file; you can DoS the application server; there's a whole blog on it. And then, you can actually, one of the things I think is interesting, I'm not going to go into it, interesting: bypassing security zones and storing malware; so there's, as well as poly -- payloads, there are also files that can execute code in different contexts; you think of a parser reading a file, it basically will look until it finds what it wants and execute that; you can create a JAR that is subtle, so if I make executable -- allow a JAR, is that -- well I don't know; you can store malware on your -- I can send -- to go retrieve it; can you do anything about that, right, and cut stuff out? I don't think so; that's kind of hard to do. Interesting question there; it's kind of another road. Dan Crawley did a presentation on it here at DEF CON; it was super sweet so -- you should check that out.

Oh, no. Technical errors. That came at the perfect time, actually. Oh wow. That's what we're doing.

>> So who a -- he's a first time speaker. There's a story while we're getting ready. I guess he mentioned that at DEF CON 16 he met someone.

>> I met Julia, my wife, here.

>> He met his wife here. Give him a hand, huh.

>> [Applause]

>> Cheers. Now back to the show, I mean, if I can deal with the laptop issue. Are these guys doing all right? Should I kick them off the stage, or do you want to keep listening to them? You want to keep listening. All right. I guess you can stay.

>> Okay. All right. Can you give me a second until my throat stops burning.

>> No.

>> All right. All right, see if this works. -- all right let's -- so file upload attacks are a thing. I've never seen any better
presentation along the road of file upload attacks than this guy's; if I mess up your names I'm sorry, I love all these guys, they are bug hunters just like me. This includes doing new attacks as well as old attacks. Upload bypassing, extension trickery; I'm trying to give you resources as well as the ones I would use, so a lot of this I think got parsed into the new testing guide, most of it at least. So, I would check that out too. As an intro to malicious file uploads and getting shells so -- oh, this is what I talked about, Dan, I don't know that guy's real name, but, yeah, these are the types of files that can execute in different ways. So you can see they have like a PDF that's a zip or NBR; interesting research here coming out; I would like to see interesting bugs come out of it.

So, remote file includes and redirects, common parameters there: destination, continue, redirect, URI, window, next. Common blacklist bypasses, these are all kind of escaping tricks you use normally in web stuff; these are the most common ones I found; these are also in SecLists, that I use often. So for RFI these are the common parameters: file, folder, path, file, template, yes yes yes yes. So, these are where I saw the most bugs, or, you know, other researchers published data around their RFI; these are the type of parameters you can do. I think eventually the thing you do here, as you write a -- I haven't yet, but that automates any time you see these, it sends it to -- so you can just go test them later. I haven't done it; I do it with eyeballs; it's probably the best way to do it is to write an extension to do this work.

How much time do I have? Ten minutes, okay, I think I can do it. If everybody knows about CSRF: you find some function in the website that does something, right, and it's a security related function, change password or whatever, right, there's a list, latest function, then you right-click in Burp, that's -- so what you have to focus on is C -- so common bypasses in my research yielded: removing the token from the request, removing the parameter value from the request, adding control -- or changing the request method. So check this out. This tool has gotten no love, I don't know why; I think it's been out two -- for two years. Any of you used this tool before? No? Good, give you something to take away. What it does: you -- and you crawl a site that -- in it like a C -- you create this template, tell it what the token was, what an error page looks like; this is really easy to add. This has been out for I think two years already; I don't understand why people don't use this; super sweet, right; you write this, it's a Python script, then you run it; Python requests all those across the whole domain, yes, sir, requests with those first three attacks, then it produces an HTML report of which ones gave error messages; prior -- he made a lot of money doing this to Facebook, and at this time because it wasn't a Burp extension it didn't get a lot of notice; I randomly found out and I said sweet, this is awesome. This is part of the example output: here's the base request, here's the first crafted request and response, and then you get a report back saying if they came back the same. So, I highly suggest that tool; it's linked in the talk. Another way to do it, just to check for every request across a whole file that didn't have the token in it, the actual parameter; so this is another script that does that; it's another script that runs on a file that went undetected, kind of a little bit, super sweet. I use these all the time; it finds bugs all the time so. So just common critical functions like add and upload file, you know, password change, E-mail change, transfer money, currency, delete a file, add a profile, things like that; so these are commonly where you see it.
Privilege, transport and logic kind of get mashed into a section. So, privilege, you know, -- but my testing thing: you have an administrative user; you need a couple of accounts to do this; then you have a low privilege user; the low privilege user tries to -- pretty simple. Automate that across multiple functions; you might need tools; this is what I use for it; this one is available on the Burp store and basically you spider a site completely. You run through it, all of your POST requests, as the admin user, then go in as a lower user and you give that information -- was able to access; what the admin user was able to access I was also able to access; you look through those in your output. So common functions or views that I check for privilege escalation, or anything like that, these can be combined with the last two sections: add a user, delete a user, start project, change account info, view customer -- there's a page that tells everything about what that site does; you want to try that view. Payment processing view, like receipts, or any view with PII on it you want to focus on; this is what that looks like. Again with the low privilege user request everything; it gives you prioritized output. Prioritized look.

Gaming headphones a couple months back, so, I found a bug in a really cool company and I had to disclose it and ended up calling them on the phone, and their help desk guy was "I have no idea what you are talking about". Then I actually linked -- of the IT group of that company; finally someone accepted; I told him I'm legitimate, I just want to tell you this exists because I was buying a pair of headphones already and they may fix this bug. So, yeah, and so the receipt function -- you could iterate up and down and find other people's receipts with credit cards on them. They sent me two free pairs of headphones; I have one; one goes to Daniel for his birthday, but I forgot to bring it. I'm sorry, Dan. But there's -- anyway, five minutes. Okay. Cool.

Increment, decrease, sensitive functions, -- user IDs; these are how you test. These are common functions, user IDs, that deal with [indiscernible]: everything from the table, everything that says user hash, E-mail, images that are supposed to be private; so you can go through the slides and kind of go through this; all of this is going to be on -- this is simple, I don't know why I put -- you see this newspaper -- numerical -- this is exactly what I did. This was a disclosed bug that was patched. Transport -- there's this awesome script that will take a Burp log file again, request every request in your site tree -- so you can see what's going over on unsecure channels instead of having to sort columns and all that stuff; I find this useful; try to downgrade everything, then you report this as an SSL downgrade attack or whatever. Logic: logic is usually manual; the one I see a lot is -- hash parameters where there's -- they've -- irreversible, or I'm too dumb to reverse it; just finding another item -- and so doing that usually yields the product for less money. So, step manipulation, this is like the bread and butter example everybody gives: multiple steps order, or put things in -- checkout, pay, ship, so you just skip, or you put everything in your cart and you just ship because you have the whole process, so you just skip a process. Using negative quantities in -- or using a negative in the quantity value; so I've actually had websites pay me credit because I put in a negative value on some pricing or negative quantity, right; like order number equals one usually, I want to buy one thing, I put in negative 20, now they credited my account like a thousand or something like that. So application level DoS:
this is interesting; not actual DoS, right, I'm not advocating bug bounty -- I've seen sites that can't handle just like parsing a parameter with, you know, 40 zeros, or me putting in a math function as a parameter value; the server's like "I don't know what to do"; so those are interesting, and then timing attacks; I think there was a DEF CON talk about --.

Mobile: I'm running into -- check these files for data storage as well as logging; this is the best tool to get spun up. Basically jail-- it gives you a full list of the -- of all of the files, all of the encryption values. If it's using explicit -- most functional tool. I think it's partly based off of a talk I gave a long time ago and he made it in Ruby and it's super sick; it's the best way to get into iOS testing if you've never done it before. This is a thing -- we've got to go; there's other -- I repeat them, don't discard them: security headers, -- path disclosure, keep them in your pocket later to escalate if you can use them. This is one idea of like, you know, if I have five or 30 minutes or something like that, what can I do; so I try to time myself -- using this stuff in here, so in 15 to 30 minutes I can do most of this using Burp and the automation, maybe an hour depending on how motivated I am. These are the steps I go through: I register, hit password resetting, do all the forms, go to security functions, check the cookie, I do like perform enumerate of UIDs I see in URLs, using one of the short lists in the background upload a file if it had upload; in 30 minutes or an hour I can usually find some pretty good bugs. Crowdsource is different. It's the same but different. You find like 20 percent of the stuff instead of 80 percent; a lot of stuff goes quick; the data analysis is cool. You can probably do a 15 to 20 minute web test done -- [indiscernible] and follow all of the bug bounty people on the list. I put them on a list for you; you can watch them hack things and talk about their finds. There's a lot of stuff that didn't get put in here; there's a lot of data; -- percent of the data is still unparsed; I'm going to put it up as -- or maybe just markdown and you guys can contribute to it if you care enough; if you just want to take it and use it, that's fine. Stuff to go in there: more tools that I found, XXE, meant to say [indiscernible] techniques, more detail, and to add Android mobile tools that I use often. -- we good. Thanks. These are bug hunters that did -- who did things in this presentation; all of them are awesome; I respect every single one of them, or who made tools. Also my team: John Todd, Patrick, Katie, Kim, Casey, Chris and Sam, everybody in the -- I love doing this. So that's it.