Presented at ToorCon San Diego 20 (2018)
Sept. 16, 2018, 4:30 p.m.
Bug bounty programs are a hot topic these days. More and more companies are realizing the benefits of running a program, and researchers are jumping at the opportunity to grab some swag and make some extra cash from the bugs they find. Reporting security issues has never been as easy, open, and risk-free as it is right now. Everybody wins!
Though that doesn’t mean we should stop there. As researchers, we spend a lot of time doing the same menial tasks for each program: monitoring for new targets, checking for common issues, remembering just which flags you needed to pass to that tool (or even which tool is best for that job). We build new tools, hack together shell scripts, and generally make small incremental changes to our process. But surely there’s a better approach?
Are you sick of repeating the same tedious tasks over and over? Wouldn’t it be nice to have your own bug hunting machine? One that -
* Is always watching
* Reacts as soon as a new target becomes available
* Takes care of those tedious repetitive steps for you
* Makes life easy when you want to integrate a new tool/workflow
* Doesn’t cost the world to run, and trivially scales
* Leverages lessons and technologies battle tested in the dev world to improve your offensive capacity, capability and productivity
* Monitors your own infrastructure and reacts before hackers can (while saving you the cost of those Bug Bounty payouts in the meantime)
We call this approach Bug Bounty Hunting on Steroids. We will discuss our research and approach to building such a machine, sharing some of the lessons we learned along the way.
Introducing the speaker
Briefly discuss the presentation’s agenda
Discuss some of the problems that plague Bug Bounties, from both the researcher and program owner perspectives, – duplicates, noisy submissions, costs, lack of standards, new tools being released frequently, not easy to automate most tools as they seem to be their own platform
Briefly discuss some of the technologies we will be using to build our bug hunting machine – Docker, Kubernetes, Argo
The Bug Bounty Machine
Introducing the architecture and talk about some of the components of the Bug Bounty machine – architecture walkthrough, asynchronous queuing system, microservices modular framework, ability to deploy across multiple cloud providers – (GCP, AWS)
Live Demo of how it works – walkthrough of a sample bug bounty workflow that can be implemented in the Bug Bounty machine i.e. how can the machine find a bug bounty submission before the researchers can. Also, as a researcher, how can you attack multiple programs on a scheduled basis
What we have learned while trying to build something like this – the geographic limitations, teamwork, technology learning curve, consensus on the approach and architecture, MVP product
Anshuman Bhartiya has been in the IT industry for about 11 years now and has had the opportunity to wear multiple hats. Anshuman has been a web developer, cloud consultant, systems engineer and security engineer to name a few. Anshuman has a varied skillset and he likes to tinker with the latest technology coming up with innovative solutions for difficult and challenging problems. Security, Automation and Innovation are some things he is really passionate about and he firmly believes in sharing knowledge and the Open Source community. You can find some of Anshuman's work at his Github here - https://github.com/anshumanbh where he has open sourced tools such as “git-all-secrets”, “brutesubs”, “kubebot”, “tkosubs”, etc. Anshuman has also participated and submitted vulnerabilities to some of the top bug bounty platforms like Bugcrowd, HackerOne and Synack.
Twitter - @anshuman_bh
Website - www.anshumanbhartiya.com
LinkedIn - https://www.linkedin.com/in/anshumanbhartiya/