DeepSec 2018 Special Training: Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ August 29, 2018/ Conference, Security, Training

The first computer bug. Source: US Navy, https://www.history.navy.mil/our-collections/photography/numerical-list-of-images/nhhc-series/nh-series/NH-96000/NH-96566-KN.html

The first documented computer bug.

How do bugs in software get fixed? Well, first of all you have to find them. All code has bugs. Most probably, that is. Usually developers and users of applications find bugs. The history of information security has taught us that now attackers also look for bugs in software. Therefore flaws in code leading to security vulnerabilities have a higher priority for both developers and adversaries. The problem is that software testing finds all kinds of bugs and not always the important ones. Where is the incentive to go and debug software? Well, there is quality assurance, there is full disclosure, and now there are bug bounties.

Bug bounties are rewards for bugs in software that have an impact on security. Companies offer these bounties as a means of software quality testing. Bug bounties can be claimed by anyone. You just have to make sure that the fault can be reproduced. Documentation is important. This work is very important, because finding vulnerabilities before they can be used for attacks or deployment of malicious software is the best defence. Bad news is good news. HackerOne, a platform for hacker-powered security, has reached the milestone of $20 million in rewards to hackers. Their aim is to get to $100 million by 2020. That’s a lot of motivation. So how do you get the money?

In order to find weaknesses in applications, you have to acquire some skills and work on your mindset. First of all you absolutely have to master web application technology. Everything has a web server or talks to one. Modern web applications are complex, and it’s all about full-stack nowadays. This is the key. It’s not just watching requests and responses. You have to use and understand all the layers and components involved. Finding security-related bugs requires knowledge of REST APIs, AngularJS, bypassing Content Security Policy, knowing your browser, NoSQL injection, database truncation attacks, type confusion vulnerabilities, exploiting race conditions, subdomain takeover, server-side request forgery, and more. This is way beyond standard quality assurance. You have to know about software development, information security, and the tools of both worlds.

DeepSec has teamed up with Dawid Czagan (@dawidczagan) to turn you into a Bug Hunter. Dawid is one of the top 10 HackerOne bug hunters. He has found security vulnerabilities in applications from Google, Yahoo, Mozilla, Microsoft®, Twitter, Tesla, BlackBerry, Atlassian, and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid has prepared a two-day training for DeepSec attendees. Instead of spending months with books on your knees and hacking hard, he will guide you through the skills needed to find bugs in modern web applications and make money for your work in bug bounty programs. Only intermediate knowledge of web application security is needed. If you have done some common web application vulnerability research and know how to use debugging/security proxies (such as Burp Suite Proxy or similar), then you have a good start in terms of requirements. The training session will take you to the next level. We invite penetration testers, bug hunters, security researchers, and consultants to participate.

What students will receive: Students will receive a VMware® image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

What students should know: To get the most out of this training, intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy or similar, to analyze or modify the traffic.

What students should bring: Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB or more preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall, and VMware® Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can download it from Microsoft®).

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.