January 2020 - Application Security

You retain the understanding by teaching others, practice doing and having discussion.
Most of the time, you are exposed to something new which you are not familiar with. You need to research the issue and test it. If it doesn’t work, then you need to work on CTF examples to gain hands-on experience with it.
Immerse yourself in hacking by learning and reading the things which you might not understand. Follow people who post complex stuffs in blogs or twitter. Read disclosed reports to understand the thinking process of others.
Recommended Resources:
- Burp Proxy
- PentesterLand Newsletter
- Conferences: DefCon, BSides, BlackHat
- Podcast: Bug Bounty Podcast, Darknet diaries, Security Now, Risky Business, Price of An Attack
- Reading Resources: Web Hacking 101, OWASP Testing Guide, Bug Bounty Cheat-sheets, Hacktivity, @Disclosed
- Practice: CTFS (OWASP DVWA, Juice Shop, Hacker 101)
- Structured Course: PentesterLab, Web Security Academy
- Videos: STOK, CyberMentor, CS50, MIT OCW

Hacking is a trial by fire process and require hands-on experience.
If you have some experience in security, then begin by practicing CTFs, watch and read contents from actual attackers. And then find a real target to test.
When it comes to Goal-setting, aim for autonomy, mastery and purpose. Motivation for money does not work well for cognitively demanding tasks.
Example of Goals:
- Technical: Learn to use Burp
- Communications: Write report and understand the impact of the bug to a company
- Personal Effectiveness: Learn how to set goals and self-improve,
- Community Engagement: Share what you learn with others.
- Short-term: Get private invitation
- Medium-term: Earn at least 5K
- Long-term: Find a technically difficult bug such as RCE.

This can be done manually by browsing the app or using automated spidering tools.
Ideally, you want to identify the assets faster than majority of the hunters.
Look for assets that can be targeted e.g. API endpoints.
Learn what the assets do:
- Interact with DB?
- Using APIs
Write down your observations in notes. Think about the financial impacts to the company.
Tips:
- Pick assets with high amount of user interaction.
- Understand the privileges of different user account.

Common Patterns:

Pay attention to attack vectors that are relevant to the web or mobile apps.
Keep track of the endpoints found and test them one by one for possible attacks. Make sure you test every endpoints that you have found before moving on.
Map the regular program flow and learn how the app is supposed to work.
Prioritize the endpoints:
- Look for strange or different endpoints
- Endpoints with large amount of parameters.
- Link to logic such as account changes or payment gateway
- Common endpoints such as wordpress.

What if I don’t find any bugs?
- Sometimes the app is beyond your current skill level .
- Make sure you have really exhausted everything
- No more endpoints to test on.
- Tried everything with the endpoints
- No luck with Biz Logic
Pause your testing :
- Take notes and record your process so that you can go back to your target.
- Reflect on what you learned and apply on a new target.

Summary: Beginning Bug Bounty – Part 1

The summary is written based on the following resources:

(a) Hack with intention to learn

Realize that you will gain knowledge and the know-how when you are trying to hack something.
Investigate a product / app to see how it works. The knowledge can be used for future hacking.
Journal down what you are learning everyday.
Do not worry about duplicates. It means that you found a genuine issue.
There are always bugs out there since companies are frequently pushing their code.

(b) Invest time in reading hands-on guide

Take note of how you can apply what you read to improve your methodology.
Read a lot of documentation about APIs, Products, Business Logic, Security Technologies, New Languages, CTFs, etc.

Test for Injections vulnerabilities in Web and Mobile apps (SQLi, Command Injection, ORM injection, etc.). Understand if there are any validation or filter done.
Test to see if sensitive data are encrypted while it is transit, at rest.
Testing XML External Entity (XXE). Check if you can upload files (DOCs, PPT, etc.) / xml types. Know the impact:
- Retrieve file from server
- Server Side Request Forgery (SSRF)
- Denial of Service (DoS)
Testing for Broken access Control. Check if a user can have privileges of other roles to exploit. Access control is only effective if it is enforced on server-side code or serverless APIs.
- Look at the where the access roles are indicated. JWT? Cookie? URL?
- Can you access admin pages without authentication?
Learn how to test for XSS – in depth. Know the potential XSS loopholes in modern framework such as ReactJS, etc.
- Reflected: Unvalidated Input becomes part of HTML output.
- Stored: Unsanitized input are stored to be viewed later.
- DOM: JS / Single Page App (SPA) / API that dynamically uses user data to create DOM.