devalias.net https://www.devalias.net Follow me into the rabbit hole that is my mind and learn about topics including.. security, technology, efficiency, biohacking, health, personal growth and probably a whole lot more. en_GB Presenting at DEF CON 26 - Bug Bounty Hunting on Steroids /devalias/2018/08/19/presenting-at-def-con-26-bug-bounty-hunting-on-steroids/ devalias 2018-08-19T00:00:00+10:00 /devalias/2018/08/19/presenting-at-def-con-26-bug-bounty-hunting-on-steroids/ (Update: The talk recording is now up on YouTube, latest links to related content in this tweet)

Wow, what a trip! I just had the opportunity to not only live out a childhood dream of attending DEF CON, but I even had the privilege to be able to present at the DEF CON Recon Village! Talk about achievement unlocked!

If you've been following along on twitter, you might be aware that I've been working on a security automation framework with regards to bug bounty hunting; to increase our agility, automate the boring bits, and let us JustHackThings. It's something that our team (@anshuman_bh, @mhmdiaa, and myself) have been calling BountyMachine.

It's no secret in the security/pentest/bug bounty world that there are a lot of boring bits when it comes to assessments. The recon, finding good targets, and all those things that eventually lead to being able to do all of the sweet hacks. There are a lot of people thinking about and working in this space to try and make things better, both publicly/open source, as well as privately with their own methods and frameworks.

@anshuman_bh has been working on improving this space over a number of years, with various open source projects and explorations (such as brutesubs, FASTSAM, hodor, kubebot, etc) eventually leading us to where we are now. It was actually after I referenced some of his projects in my talk "Gophers, whales and.. clouds? Oh my!" (GitHub) at BSides Wellington last year that he reached out about this current project. Not to mention @mhmdiaa's "Automation For Bug Hunters" presentation on Bug Bounty World (slides) and other work in this space. With our views and efforts so closely aligned we decided to join forces and work on this latest rendition, a v3 of sorts, BountyMachine.

So coming back to our talk at DEF CON this year, "Bug Bounty Hunting on Steroids" was an opportunity to share what we have been working on, along with some of the process, patterns, ideas and lessons we have learned along the way; with the ultimate goal of inspiring others to think outside the current box, and reinvent the way we all approach our security research.

I put together a little overview post for our work blog at TSS (we had a few of us speaking this year!), so instead of repeating all of the talk specifics you can check that out. I will reshare the talk overview here though, for posterity:

Bug bounty programs are a hot topic these days. More and more companies are realizing the benefits of running a program, and researchers are jumping at the opportunity to grab some swag and make some extra cash from the bugs they find. Reporting security issues has never been as easy, open, and risk-free as it is right now. Everybody wins!

Though that doesn’t mean we should stop there. As researchers, we spend a lot of time doing the same menial tasks for each program: monitoring for new targets, checking for common issues, remembering just which flags you needed to pass to that tool (or even which tool is best for that job). We build new tools, hack together shell scripts, and generally make small incremental changes to our process. But surely there’s a better approach?

Are you sick of repeating the same tedious tasks over and over? Wouldn’t it be nice to have your own bug hunting machine? One that -

  • Is always watching
  • Reacts as soon as a new target becomes available
  • Takes care of those tedious repetitive steps for you
  • Makes life easy when you want to integrate a new tool/workflow
  • Doesn’t cost the world to run, and trivially scales
  • Leverages lessons and technologies battle tested in the dev world to improve your offensive capacity, capability and productivity
  • Monitors your own infrastructure and reacts before hackers can (while saving you the cost of those Bug Bounty payouts in the meantime)

We call this approach Bug Bounty Hunting on Steroids. We will discuss our research and approach to building such a machine, sharing some of the lessons we learned along the way.

Now if you didn't manage to catch us at DEF CON (and I don't blame you, there was SO much happening ALL THE TIME.. it's such a non-stop week..) don't fret! Our slides are online, we put together a bit of a blog post covering a bunch of the areas we were talking about, and the talk was also recorded, so you can catch up on that at your leisure. Or if Twitter is more your style, go along and retweet this one (and make sure to follow the team for more BountyMachine updates!).

The response to our talk has been awesome: we packed out the presentation room, had a lot of really interesting questions after the talk; and have had a constant stream of feedback, questions and support on twitter and elsewhere since.

I truly believe that this is the space we need to be thinking and working in right now:

  • encoding and automating our processes
  • improving our tooling
  • accelerating our agility
  • collaboratively working to improve the entire security space

Does this resonate with you? Are you sick of the same repetitive manual processes again and again? Want to automate it? Want to save your precious time for actually doing the interesting hacks? Me too! Let's talk! You can find me here in the comments, twitter, or idling around the various slack channels (user: devalias) and otherwise across the internet. How can we work together to improve the entire state of things?

]]> Atlassian Confluence: Cross-Site Scripting (XSS) (CVE-2017-16856) /devalias/2017/12/05/atlassian-confluence-cross-site-scripting-xss/ devalias 2017-12-05T00:00:00+11:00 /devalias/2017/12/05/atlassian-confluence-cross-site-scripting-xss/ Earlier this year I spent some time delving into Atlassian Confluence to see if I could dig up any bugs that had slipped through the cracks. I wasn't really expecting to turn up much, but I was super excited and surprised when I managed to find an issue within the RSS feed plugin leading to Cross-Site Scripting (XSS) (Twitter: 1, 2; LinkedIn: 1, 2; BugCrowd: 1, 2).

Thanks to Atlassian and BugCrowd for running an awesome bug bounty program and giving researchers the opportunity to hack things, make the internet safer, AND get rewarded while doing so!

The CVE

Remediation

This issue was fixed in Confluence 6.5.2. Update to this version or newer to be protected. See the CVE advisory details for more information.

Chaining bugs, social engineering and platform features

As part of my PoC, I put together some fun little phishing code using the Confluence web plugin API's. If there is interest (and I'm allowed), I might share it (and some of the useful features/places to look to build similar) sometime.

Once XSS is achieved, if the current user isn't already an 'elevated' administrator, the code provides error messages using standard Confluence GUI elements to convince the user to elevate their privileges with 'websudo'. Once they do that, you can basically abuse their full privileges to create new administrators, or (my favourite) install a small malicious plugin to provide Remote Code Execution (RCE) on the server.

While these aren't security issues in themselves, it does show how you can leverage social engineering techniques and other platform features to chain smaller issues into something more powerful and damaging.

Acknowledgements

These issues were identified by myself and the team at TSS:

Conclusion

It pays to look in places less travelled. If there are older features in products, or things that may not be as popular/used as often, try looking in there. Who knows what may have been overlooked.

Have you ever looked into some popular software and found issues you never expected to find? Got a cool story to share about it? Maybe you've chained some bugs in an interesting way, or just want to hear more about my PoC? I'd love to hear from you in the comments below!

]]> Presenting all the things! (BSides Wellington, CSides Canberra, SecTalks Canberra) /devalias/2017/11/19/presenting-all-the-things-bsides-wellington-csides-sectalks/ devalias 2017-11-19T00:00:00+11:00 /devalias/2017/11/19/presenting-all-the-things-bsides-wellington-csides-sectalks/ Recently I had the opportunity to present at a few local security meetups, and one international security conference.

At the start of 2017, I set a loose goal in the back of my mind that I would like to "get out there more" and "speak about the things I do". Little did I know at the time that this would actually eventuate; leading to me having a pile of great experiences, and meeting some really cool and talented people!

TL;DR

SecTalks Canberra

SecTalks Canberra is a monthly security meetup with more of a focus on participation and learning from others, rather than the traditional 'super awesome technical talk but how do I do it' style of things.

I had the opportunity to run a little workshop on how to use Docker and OpenFaaS to improve offensive capabilities.

Hack FaaSter: Leveraging Docker and OpenFaaS for fun and offensive (security) profit.

Slides, workshop files and more details are available from the 'TL;DR' section above.

Description:

Join us this month for Hack FaaSter - leveraging Docker and OpenFaaS to improve offensive tooling, with the glorious @_devalias (Github // LinkedIn)

CSides Canberra

CSides Canberra is a monthly security meetup run by the organisers of BSides Canberra.

I had the opportunity to present a v0.2-prewlg-alpha version of my BSides Wellington talk, and get some practice and feedback in before the big thing.

Gophers, whales and.. clouds? Oh my! (v0.2-prewlg-alpha)

Slides and more details are available from the 'TL;DR' section above, as well as the BSides Wellington section below.

BSides Wellington

BSides Wellington (Twitter) is an annual security conference (based in Wellington, New Zealand) that ran it's first event in 2017. Popping up to fill the void left by Kiwicon (Twitter), they had a strong first event, and hopefully will continue that trend into the future!

I had the opportunity to present my talk on leveraging DevOps trends and tools (Docker, Serverless, FaaS, Golang, etc), to increase my efficiency and effectiveness on the offensive side.

Gophers, whales and.. clouds? Oh my!

Slides and more details are available from the 'TL;DR' section above.

You can read the official brief of my talk:

Go, Docker and Microservices; some great technologies and buzzwords that we hear so much about on the development side of the fence, but how can we leverage these technologies to improve our offensive capacity? Armed with a passion for new tech, a vague theory, and an ‘nsa-o-matic’ approved project name; gopherblazer was born.

Whether through dockerising and improving existing tooling, leveraging Function-as-a-Service (FaaS) offerings, or just distributing offensive capabilities; I’ll share what I learned on my journey into improving my offensive capacity and productivity (while having an excuse to play with shiny technologies along the way!).

And I can even now say that I have a professional speaker bio:

Glenn ‘devalias’ Grant is a full-stack, polyglot developer with an acute interest in the offensive side of security. Whether building something new or finding the cracks to break in, there is always a solution to be found; even if it requires learning something entirely new. If you can improve/automate something, do it, and if you’ve put the effort in to do so, open-source it and share it with everyone else.

When not hacking and coding, Glenn can be found snowboarding the peaks of Japan, falling out of the sky, floating around underwater, or just finding the most efficient path between A and B (even if that’s over walls). Life is short. Do the things you love, embrace the unknown, live your dreams, and share your passion.

Overall, the conference was amazing. As expected, there were a number of deeply interesting technical talks, but as a bit of a twist from traditional security conferences, there were quite a few talks that focussed on mental health, impostor syndrome, and other 'culture based' topics that so often go unmentioned in the infosec industry. Very much appreciated and would love to see this sort of thing happen at more conferences in future.

If you missed the talks, or want to go back and re-watch them, videos should be posted online at some point (once the organisers recover from running the conference). A lot of the presenters also seem to be pushing their slides/content out online. Here's a selection of the few I've stumbled across so far (in no particular order):

It looks like there are also some good summaries, notes and writeups of the conference popping up around the net. Some places to start looking:

And of course, Twitter is always full of content when it comes to the security industry, with 3 hashtags mainly being used throughout the conference:

Conclusion

While at times I was definitely feeling the stress and pressure of having a few looming deadlines, and at times possibly not allocating enough time/energy/focus to working on them as I would have liked, it has been a great experience, and left a smouldering flame of passion to speak at more events in the future.

Know of any other writeups, slides or tools; or got a cool story to share from BSides Wellington? Would love to hear from you in the comments!

]]> Squiz Matrix: Multiple vulnerabilities /devalias/2017/09/07/squiz-matrix-multiple-vulnerabilities/ devalias 2017-09-07T00:00:00+10:00 /devalias/2017/09/07/squiz-matrix-multiple-vulnerabilities/ Earlier this year I had an opportunity to spend some time looking at Squiz Matrix, a Content Management System (CMS) used across a number of sectors including higher eduction, media and publishing, goverment, finance, health, and utilities. With a huge number of features, a massive PHP codebase, and a numbr of high profile sectors as clients, I set out to see if I could find any interesting little bugs hidden away.

While I won't get into the nitty gritty of most of the assessment process, I did find some things, and 3 CVE's were assigned (detailed below). One was interesting enough that I will probably write up the process in more detail at some point.

Given the rich functionality and plugins in the Matrix product, it could be interesting to dedicate more research time to explore the areas I didn't get to cover this time around. Who knows, perhaps Squiz would even be open to setting up a Bug Bounty program through someone like Bugcrowd in the future too. That would be cool!

If you want to try it out, or play around yourself, there is a downloadable demo VM available on the Squiz website.

The CVE's

  • CVE-2017-14196: An information disclosure caused by a Path Traversal issue in the 'File Bridge' plugin allowed the existence of files outside of the bridged path to be confirmed.
  • CVE-2017-14197: Multiple reflected Cross-Site Scripting (XSS) issues in Matrix 'WYSIWYG' plugins.
  • CVE-2017-14198: Authenticated users with permissions to edit design assets can cause Remote Code Execution (RCE) via a maliciously crafted time_format tag.

Remediation

These issues were fixed in version 5.4.1.3. Update to this version or newer to be protected. See the CVE advisory details for more information.

CVE-2017-14198: A Walkthrough

TODO: Write up how this was identified, and the core issue that lead to it.

Acknowledgements

These issues were identified by myself and the team at TSS:

Special thanks to Micky at Squiz for being an amazing resource throughout the disclosure process, and keeping us informed as patching and rollout progressed.

Conclusion

It seems the core issues here were a few bugs popping up in legacy code, and passing user-controlled values into sensitive areas without proper checks/sanitisation. Easy mistakes to make when managing such a large codebase that has evolved over the years.

Have you had a similar experience? Manage a large codebase and legacy code? Got good tips for how best to identify and avoid these sorts of issues? Would love to hear your ideas in the comments!

]]> An unexpected journey with webpack and RequireJS /devalias/2017/08/05/unexpected-journey-webpack-requirejs/ devalias 2017-08-05T00:00:00+10:00 /devalias/2017/08/05/unexpected-journey-webpack-requirejs/ So the other day I ran into what seemed like a bug in some software I was using during a test. Narrowing things down in the codebase, it looked as though the error may have been related to a library in use by the application I was testing.

I needed an easy way to isolate the code that seemed to be causing the error from the rest of the application, which took me down a rabbit hole to learn a little bit more about a few different technologies.

The Situation

So I had a JavaScript project that I wanted to build and include in a little test webpage. A few things in the repo stood out:

  • package.json - So it's using node.js in some measure.
    • This also had a number of entries under the scripts section, including some that made use of gulp (another build tool)
  • gulpfile.js - Another strong indicator that gulp was in use. Didn't need to dig too deeply into this side of things, though it did indicate that webpack was in use.
  • webpack.config.js / webpack.prod.config.js - The webpack configuration files.

So now I had a fair idea of what we had to work with, time to try and build it.

Building with npm and gulp

This part was actually extremely straightforward, so I won't spend too long here. After cloning the repo, all I had to do was:

  • npm install
  • npm build (which is just a script that runs gulp build)

After a bunch of downloads and a few warnings, I had 3 new files sitting in my ./build folder. So easy!

  • idtoken-verifier.js
  • idtoken-verifier.min.js
  • idtoken-verifier.min.js.map

For the purposes of my standalone test website, I should only need the main file.

So I built it, but how do I use it?

Now that I had the library built, I just had to include the script in a little test webpage, call the functionality I needed, and I'd be done. But looking at the start of the built script.. it didn't look as straightforward as I expected.

(function webpackUniversalModuleDefinition(root, factory) {
    if(typeof exports === 'object' && typeof module === 'object')
        module.exports = factory();
    else if(typeof define === 'function' && define.amd)
        define("idtoken-verifier", [], factory);
    else if(typeof exports === 'object')
        exports["idtoken-verifier"] = factory();
    else
        root["idtoken-verifier"] = factory();
})(this, function() {

Looks like webpack plays a part here.. and something called a 'universal module definition'.

Webpack

I started off by doing a little reading about webpack config, and in particular this umd thing:

So it seems that webpack allows you to export 'wrapped' modules in a number of formats, and umd is a combination of amd, commonjs2 and/or a property in the root.

Sure enough, looking at the output section of the webpack config I came across some references to umd:

output: {
  path: path.join(__dirname, '../build'),
  filename: '[name].min.js',
  library: 'idtoken-verifier',
  libraryTarget: 'umd',
  umdNamedDefine: true
},

At this point I decided to learn how to use an amd module, and after some quick googling I was lead to RequireJS.

RequireJS

RequireJS is a JavaScript module loader, and supports AMD (or 'Asynchronous Module Definition') modules. Since I just wanted to get this code working, I went back to Google to find a quick example of how to use RequireJS, finding myself on the following page:

So it sounds like RequireJS handles a lot of the module injection/ordering that I would have otherwise had to think about myself. I decided to make life easy for myself and use a CDN hosted version, so all I had to do was stick the following code in the head section of my test page:

<script data-main="main" src="https://cdnjs.cloudflare.com/ajax/libs/require.js/2.3.4/require.js"></script>

This loaded RequireJS and told it to inject the main.js file, which looks like:

require(['idtoken-verifier'], function(IdTokenVerifier){
    var verifier = new IdTokenVerifier({});
    // Do interesting things here..
});

Sticking to the 'easy and obvious' pattern that I'd seen so far, this would inject the idtoken-verifier.js file, and then make the library accessible inside this require block. Nice!

Bringing it all together with Plunker

I wanted to keep all of the files together in an easily accessible format so others could test and play with it. After a little looking around I ended up using Plunker since it let me have multiple files (unlike JSFiddle):

Success?

I found that trying to test the Plunker hosted version complicated things a bit, so I ended up downloading the zipped files and hosting them locally with Python while I tested things:

python -m SimpleHTTPServer

Running it through the tool.. everything worked as expected, no bugs. sadface I could have spent more time digging into the specifics and trying to unearth what actually lead to the bug in the first place, but given I had other things I needed to test I decided to leave that as a possible future endeavour, if I run into it again.

Conclusion

So an unexpected rabbit hole lead me to understand a little more about Webpack, RequireJS and how to use packaged JavaScript applications. Not a bad little lesson :)

Had a similar experience or got any interesting tips to share about any of these technologies? Would love to hear from you in the comments!

]]> Bugcrowd LevelUp 2017 /devalias/2017/07/16/bugcrowd-levelup-2017/ devalias 2017-07-16T00:00:00+10:00 /devalias/2017/07/16/bugcrowd-levelup-2017/ Today was LevelUp, Bugcrowd's first Virtual Hacking Conference. With 2 seperate streams over 8 hours, the schedule was jammed packed with interesting talks and knowledge drops across topics including web, mobile, IoT and even car hacking.

Waking up at 1:30am (AEST) to get some Bulletproof coffee in before it started, I think I briefly moved once from the couch in the whole session. The rest was solid and intent focus on the topics, trying to keep up with all of the amazing content, while also taking notes (~1200 lines worth!), and dropping out tweets at the same time. I don't think i've been as engaged or intently focussed on something for such a long period in a long time. Testament to the quality of the conference!

One of the common themes of the conference today (besides all the tech knowledge) was that of community and sharing. This is something that speaks to my core, and one of the things that I love about the security industry. How people can be so open, be willing to share their knowledge, and humbly learn in return. Such a great way to bring everyone up across the board, and super grateful for it.

There are a few places you can get connected with bug bounty hunters / security researchers that I wanted to list here:

  • Twitter!
    • This sort of goes without saying given how active the security community is here. But with regards to this conference and related things, check out Bugcrowd's hashtag: #ItTakesACrowd
    • Also make sure to follow @Bugcrowd, and if you'd like to see more from me (when I rarely but occasionally tweet) you can find me at @_devalias (always feel free to say hi!)
  • Bug Bounty World
  • Bug Bounty Forum
  • Bugcrowd Forum
    • Make sure to also check out the discussions over at the Bugcrowd forum.

In light of that theme, I wanted to share what I have from today, not only so I remember what I saw, but so that everyone else has the opportunity to see some of the great stuff that was presented today. This post will be largely my raw and unedited notes, with any future posts likely to be more structured/refined.

It's also worth noting that every talk from both streams was recorded, and will be published to YouTube within the next week or so, so keep an eye out for that! I'll probably update this page when they're released, and I intend to write some more thorough blog posts based on each session when I have a chance to go back through it all at a slower pace, so keep an eye out for those!

Do you have any awesome resources, comments, or things to add? I'd love for you to share in the comments below!

Overview of this post

  • Videos
  • Schedule
    • Stream 1
    • Stream 2
  • Raw Notes
    • Welcome + Kickoff (Sam Houston)
    • How to Hack Web v2 (Jason Haddix)
    • How to Fail at Bug Bounty (Caleb Kinney)
    • Giving Back to the Community (ZSeano)
    • Doing Recon Like a Boss (Ben Sadeghipour)
    • Hidden in Plain Site: Disclosing Information via Your APIs (Peter Yaworski)
    • Targeting for Bug Bounty Research (Matthew Conway)
    • How does unicode affect our Security? (Christopher Bleckmann-Dreher, @schniggie)
    • Hacking Internet of Things for Bug Bounties (Aditya Gupta)
    • Intro to Car Hacking (Alan Mond)
  • Thanks!

Videos

Schedule

Just in case the schedule goes offline sometime in the future, here are the main bits for posterity:

Stream 1

  • Welcome
    • Welcome + Kickoff, Sam Houston (20min)
    • Welcome, State of Bug Bounty & The Future of Crowdsourced Securit, Casey Ellis (60min)
    • How to Hack Web v2, Jason Haddix (50min)
  • General Bug bounty and Web Hacking
    • How to Fail at Bug Bounty, Caleb Kinney (25min)
    • Giving Back to the Community, ZSeano (45min)
    • Doing Recon Like a Boss, Ben Sadeghipour (25min)
  • Web Hacking
    • Hidden in Plain Site: Disclosing Information via Your APIs, Peter Yaworski (25min)
    • Targeting for Bug Bounty Research, Matthew Conway (25min)
    • How does unicode affect our Security?, Christopher Bleckmann-Dreher @schniggie (45min)
  • Hardware Hacking
    • Hacking Internet of Things for Bug Bounties, Aditya Gupta (45min)
    • Intro to Car Hacking, Alan Mond (25min)
    • MarkDoom: How I Hacked Every Major IDE in 2 Weeks, Matt Austin (45min)
  • Ending Ceremony
    • Final Words, JHaddix w/intro from Sam (30min)

Stream 2

  • Web Hacking and Mobile Hacking
    • OWASP iGoat – A Self Learning Tool for iOS App Pentesting and Security, Swaroop Yermalkar (25min)
    • Esoteric sub-domain enumeration techniques, Bharath (45min)
    • Finding Hidden Gems in Old Programs, Yappare (25min)
  • Mobile Hacking and API Hacking
    • Breaking Mobile App Protection Mechanisms, Ben Actis (45min)
    • Reverse Engineering Mobile Apps, Emily Walls (25min)
    • Identifying and Evading Android Protections, Tim Strazzere (45min)
    • Do you like fuzzing? Why I built fuzzapi to fuzz REST APIs for profit, Abhijeth Dugginapeddi (25min)
    • Advanced Android Bug Bounty skills, Ben Actis (45min)
  • Browser Hacking
    • Browser Exploitation for Fun and Profit, Dhiraj Mishra (25min)

Raw Notes

The following are my raw notes from todays session. Apologies in advance for the format..

Welcome + Kickoff (Sam Houston)

http://twitter.com/samhouston

Stream 1, mostly web, switches to hardware later
Stream 2, mostly mobile hacking

Tweet with #ItTakesACrowd and @BugCrowd

http://www.bugbountyworld.com, new slack, bugcrowd channel

## Welcome, State of Bug Bounty & The Future of Crowdsourced Security (Casey Ellis)

Casey Ellis, Founder/CEO of Bugcrowd

https://twitter.com/caseyjohnellis

casey@bugcrowd.com

@caseyjohnellis #ItTakesACrowd

How to Hack Web v2 (Jason Haddix)

Head of Trust and Security at Bugcrowd

https://twitter.com/jhaddix
https://securityaegis.com
https://blog.bugcrowd.com/author/jason-haddix

The Bug Hunters Methodology (Def Con 23)
    distilling a lot of learnings over the years
  google it for the video

The Bug Hunters Methodology v2
  XXS, SSTI, SSRF, code/command injection, fuzzing, tooling
  API testing, object deserialisation, XXE in v2.5

Light reading:
  Web Application Hackers Handbook
  OWASP Testing Guide
  Web Hacking 101
  Breaking into information security
  Mastering modern web penetration esting

Discovery
  Enumall (recon-ng, alt-dns wrapper, etc)

Sub scraping
  https://github.com/aboul3la/Sublist3r
    scrapes search engines/etc for mentions of domains
    sources are different from enumall

  anshumanbh/brutesubs
    set of docker images that include multiple tools
      inc enumall and sublister
      along with gobuster and altdns
      run against a domain you want
      need to modify config/docker scripts to add custom bits
      disable bruteforce for enumall
    did a presentation about this topic recently (TODO)

  mandatoryprogrammer/cloudflare_enum
  anshumanbh/censys.py

Subdomain bruteforcing
  Like: subbrute, gobuster, massdns, dns-parallel-prober, blacksheepwall
  gobuster (21m) and massdns (1.5m) are quick
  massdns found more quicker, but more false positives
  could feed massdns stuff into gobuster to reduce?

  blechschmidt/massdns

  all.txt: https://gist.github.com/jhaddix/86A06C5DC309D085/80A018C66354A056
           https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
    list of all the dns brute lists in one

Acquisitions
  crunchbase
    protected by distil bot protection
    can write a tool to beat that

Port scanning
  nmap is great, but don't try and scan 65536 hosts with the default port list
  massscan
    doesn't provide a default port list
    use nmaps (giant list of ports)
      https://twitter.com/_devalias/status/886280729327312896

Visual identification
  https://github.com/ChrisTruncer/EyeWitness
    checks HTTP(S), RDP and a couple of other protocols too
  https://github.com/breenmachine/httpscreenshot
    another tool

Platform identification and CVE searching
  retire.js, wappalyzer, builtwith

  https://vulners.com/
    combine a lot of CVE/etc sources

  https://github.com/vulnersCom/burp-vulners-scanner
    search in scope domains
    find versions/etc
    link to vulns for lower than that version
    get list of CVE's that might be related

Content discovery/directory bruting
  TBHMv1
    wordlists: seclists, raft, digger_wordlists
    patator
    wpscan
    cmsmap
  
  https://github.com/maurosoria/dirsearch

  
   https://github.com/OJ/gobuster
    super fast

  burp content discovery
    in burp pro
    pretty good, but sort of bogs down java

  danielmiessler/RobotsDisallowed

Parameter bruting?
  https://github.com/maK-/parameth
    This tool can be used to brute discover GET and POST parameters

PortSwigger/backslash-powered-scanner
  /resources/params
    good wordlist

XSS
  TBHMv1
    polyglot strings, seclists, flash reversing, common input vectors
  TBHMv2
    blind XSS
      sleepy puppy (python)
      xss hunter (python)
      ground control (ruby, small)
    polyglots
    xss mindmap

  Blind XSS
    input may eventually end up on some backend app and executes somewhere
    use a payload that loads JS
    need a framework to catch it

    XSSHunter
      payload gathers a lot of really useful data

Polyglots
  injection string that executes in multuple contexts
  may bypass multiple filters
  starting to integrate in lots of scanners
  0xS0bky/HackVault
    unleashing an ultimate xss polyglot

Jackmasa's XSS Mindmap
  breaks down attacks based on context
  PoC's
  ideas for all sorts of things
  used to just be in Japanese
  ported recently to english
  huge image file (svg)
    https://github.com/jackmasa
      seems to have a bunch of projects worth looking at
    https://github.com/jackmasa/XSS.png/tree/master

Server Side Template Injection (SSTI)

  engine identification
    wappalyzer, builtwith, vulners scanner
    test fuzzing
    tooling
    tplmap + burp extension
    backslash powered scanner?

  tl;dr: send some template payload and check for result
    {{2*3}}

  epinna/tplmap
    code/server side template injection detection/exploitation

  other SSTI resources
    lots of links

Server Side Request Forgery (SSRF)
  look for any paths/urls referenced
  wilded/psychoPATH
  will release a tool with his Def Con talk in a week
  can bypass filtering blacklists using alternate IP encoding
  SSRF bible: https://www.reddit.com/r/netsec/comments/2tpfz7/ssrf_bible_cheatsheet_by_onsec/
    protocol/schema mappings
    exploit examples
    update coming soon, BlackHat US-17?
  SSRF resources
    many links
    including BishopFox link: burp, collaborate and listen

Code Inject, Command Injection, Future of Fuzzing
  SQLi
    polyglot, seclists, swlmap, params, tooling, resources

  https://github.com/commixproject/commix
    CMDi
      supports PHP code injection
      custo modules
      powershell and python shells

Burp backslash powered scanner
  generic payloads
  multi-tiered
  checks responses
  basically gives you an idea of where it might be useful to look
    supports testers rather than replacing them!
  watch the video THEN read the paper
    see link

Infrastructure and coding
  subdomain takeover
    register, control traffic that goes there
    lists a bunch of services most often vuln
    github
      autoSubTakeover
      HostileSubBruteforcer
      tko-subs

  Article: Deep dive into AWS S3..
  yasinS/sandcastle
  michernriksen
  gitrob
  dxa4481/truffleHog
  
Domain Discovery at Def Con
DefCon hunt tool

jhaddix/tbhm
  The Bug Hunters Methodology

jhaddix@bugcrowd.com

How to Fail at Bug Bounty (Caleb Kinney)

Twitter: @aphire
Blog: http://bountyhuntersguild.com
GitHub: calebkinney OrOneEqualsOne

Lessons learned during bug bounties

Conferences: rushing to see talks, not networking

Failed to read the bug bounty program brief
  rules of engagement
  scope
  focus areas
  out of scope
  excluded vuln types
  rewards/incentives
  disclosure rules

Failed to show impact
  used to submit every bug, priority often wasn't in thought process
  understand vulnerability prioritisation and explain it to program owners
    P1 - Critical
    P2 - Severe
    P3 - Moderate
    P4 - Low
    P5 - Informational / Won't Fix
  can you combine a self-XSS with CSRF to up the priority?

Failed to understant criticality
  submitting a won't fix will hurt your average vuln score
  utilize the Bugcrowd Vulnerability Rating Taxonomy

Failed to understand the application
  eg. 'vuln' that is a feature of the application
  research the application and ask questions
  cross-reference functions between different platforms (eg mobile/web)

Failed to plan for private programs
  Don't ignore the start time, may make you hit many duplicates
  Schedule time to work on the program as soon as it's published

Failed to plan for blacklisting
  have a way to get a new IP address
  or use a VPN/proxy

Bug Bounty != Penetration Test

Part time hunt tips
  wide scopes
    acquisitions/mergers
  assume automated scanning
  recon, recon, recon
    subdomain bruteforcing, port-scanning, google dorking
    censys.io
    shodan.io
  burp extensions
    reflected parameters
    https://github.com/allfro/BurpKit
      used Webkit to better render responses in burp
      JS
    Co2
  payload lists
    polyglots!
  community
    read, give back, collaborate

Hunting makes me a better tester
  understand whats important
  attuned to emergent security trends
  challenge for more technical exploits
  etc..

Personal mobile recon setup
  iPhone with Blink Shell
    doesn't require jailbreak
  DietPi with MOSH (jump mox)
  Port Fowarding
  personal recon script
    Sublist3r, domain, knock, eyewitness
    wraps a bunch of things and combines
    https://github.com/OrOneEqualsOne/Recon
    next gen will be a webapp to help 

Bug Bounty Resources
  https://twitter.com/_devalias/status/886295129807396865

Giving Back to the Community (ZSeano)

https://twitter.com/zseano
http://zseano.com
  tutorials, blog posts, etc
full time bug bounty, ranked #2 on bugcrowd
25 years old

Overview
  Finding first bug, chaining to higher priority
  Recon: what are you missing
  Big bounties for a living, and staying sane

Open URL Redirects
  easy to find
  aboutads.info, run burp whilst opting out
  google dorking
    inurl:refirect inurl:&
  bypasses
    will release a lit of bypasses later
  making them more useful
    chain to account takeover via misconfigured oauth
      check their facebook app
        mobile app logs in via FB with app_token
    make sure to url encode the redirect_url
  Stored XSS + Oauth
    redirect user to stored XSS page, JS executes, grab oauth token and login to users account
  key things people miss
    bypassing filters
      generally use some form of regex
      fuzz as much as possible
      plan to update zseano.com with section on bypasses
    not checking for oauth systems in place
    try vulnerable parameter on as many endpoints as possible
      eg. one param on one program used througout the web application
      burp intruder against all endpoints, etc
    check their mobile app
      sometimes use oauth, FB login
      google logins tend to be more secure
    redirect oauth to stored XSS

In future, want to do more talks on more topics

Recon: go back in time
  waybackmachine
    search for old files like robots.txt
    https://gist.github.com/mhmdiaa
      waybackurls
      waybackrobots
    tool idea
      scraping website from years back for URLs/links/etc
      eg. burp-wayback-spider
  .js files are your friends
    way things work, paths
    discovery of new endpoints
    hardcoded app secrets
    sometimes user information
  built a couple of tool
    Burp
      copy selected URLs
      copy links in selected items
    zScanner
      burp spider to discover endpoints
      copy ites found, import to inputscanner
      visits each url, extracts all input names + ids and links to js files
      outputs to burp intruder format
        mass test XSS/sql/etc
      outputs 3 files, ready for burp intruder
        getoutput.txt
        postoutput.txt
        posthostoutput.txt
    use output from zScanner with JS-Scan
      visit each .js file, extract URLs using regex
      displays results on page
      easier to see whats in files without manually reading
    didn't plan on releasing these until recently

Finding bugs full time
  remain calm, take a step back
  see if someone has found something similar
  don't be afraid to ask people  
  be professional, waiting to be paid can be annoying
  be smart, learn where to spend your time
  test programs before diving in
  look at disclosed reports
  bugcrowd are managed programs
  managed programs on hackerone/synack can be good too
  you don't need an update every week, unless its a P1
  chain bugs to achieve the highest possible impact
    usually leads to bigger payout
  collaborate
  You WILL have bad days. Take time to relax, collect your thoughts, then keep going.
  re-test endpoints, re-visit certain areas of a site
    can either report on the old bug, or open a new report
    depends how much time you put in
  Find a program you love that treats you fair and give it your all
  Sharing is caring! If the program allows for it, share your bugs!  

People need to fuzz more

Store all vulnerable paramets found in a text file

Include your bug bounty name/how to contact/etc in your user agent

Have a few blog posts in the works

Doing Recon Like a Boss (Ben Sadeghipour)

https://twitter.com/Nahamsec

Agenda
  Overview
  Traditional way (brute forcing)
  AWS
  Abusing Github
  Asset identification

Why
  bigger attack surface
  more bugs
  more bounties
  more problems

Bruteforcing
  tools
    sublist3r, enumall, massdns, altdns, brutesubs, dns-parallel-prober, dnscan, knockpy, tko-subs, HostileSubBruteforce
  find a patterns
    .dev, .corp, .stage
  brute force again
    different permutations/environment

Amazon Web Services
  look for S3 buckets
    site:s3.amazonaws.com + ...
  use google for patterns
  GitHub
  automate your work

Automation
  create a list of subdomains
  create a list of environments
  automate
  catch them all
  new tool: Amazon S3 Bucket finder
    other tools: sandcastle, bucket_finder
    hopefully will release on github sometime next week

AWS Recon, what could go wrong
  S3 bucket not owned by company
  may be out of scope
  S3 bucket without sensitive info
  3rd party apps

Github Recon
  environments (dev, stage, prod)
  secret keys (API_key, AWS_Secret, etc)
  internal credentials
  API endpoints
  Domain patterns
  example
    "foo.com" "dev"
    "dev.foo.com"
    "bar.com" API_key
    "bar.com" password
    "api.bar.com"
    google dork
      site:"github.com" "org"
  tools
    gitrob
    git-all-secrets
    truffleHog
    git-secrets
    repo-supervisor
    do it manually..

Asset identifcation
  censys.io
    look for SSL certificates
    "company" + internal

  shodan.io
    search by hostname
    filter for
      ports 8443, 8080, 8180, etc
      title: "dashboard [jenkins]"
      product:Tomcat
      hostname:corp.levelup.com
      etc
    buy book by shodan creator for $5

  archive.org
    review source
    find old endpoints/functionality
    look for JS files
    exploit them!

  .js files
    endpoints
    credentials/tokens
    subdomains (inc internal)
    new tool being released next week

All tools included in this talk will be on the bugbountyforum website
Personal tools will be released next week

Burp 'should' be able to do JS parsing stuff
  in reality, seems to not work as well as it should
  can be easier to make external tools, do them your own way, etc
  hope someone takes this tool (when released) and create a burp plugin for it
  another tool (might get released)
    crawl website, download all JS files locally

Hidden in Plain Site: Disclosing Information via Your APIs (Peter Yaworski)

https://twitter.com/yaworsk

Application Security Engineer at Shopify
Wrote Web Hacking 101
  Hopefully Real World Web Hacking via No starch press

Overview
  What we're talking about
  Why we care
  Why it happens
  How you find it
  Examples

What we're talking about
  API's that reveal personal info or app sensitive info
  Focus on API's that render info to page source, parsed by react/angular/etc

Why we care
  Easy
  Impacts range from benign to critical
  Sometimes they can be chained together

Why it happens
  automation of repetitive tasks
  code abstraction
  easy to make mistakes, incur technical debt

Automation
  eg. rails is great at automating repetitive tasks, generate scaffold
  Will generate HTML view, but also .json endpoint for API
  You could remove those from the HTML view, won't see the information
  But can still get the full data from the API endpoint
  May not realise you need to edit the json file as well

Code abstraction
  eg. merging all json fields
  add new secret field
  manually, haven't updated json file, so fine
  but using json merge, the new param will be exposed

How do you find it
  initial recon
    identify software on site
      wappalyzer
        look for rails, angular, react
      eg rails sites follow certain patterns
  watch your proxy history
    look for gian json blobs in page sources
    watch for API calls
  mobile apps

http://www.leanpub.com/web-hacking-101
http://www.shopify.com/careers

Targeting for Bug Bounty Research (Matthew Conway)

Lead product security engineer: Heroku, Salesforce

https://twitter.com/mattreduce

Focuses
  Efficient, repeatable discovery
  Judge targets on measurable criteria
  Keep flexible/portable records
  Put it into use

Reconnaissance Stage

When to enumerate
    start first, return to

Why spend time on info gathering?
  don't miss a target/vuln
  better coverage for program owner
  deep understanding yields great findings

Enumeration methods
  Before you find problems, you need to find all the places they live 
  need to cast the net wide

Enumerating hosts
  information sources
    dns
      for info, but also vulns
      eg. subdomain takeovers, exfil data, command&control
    github
      may identify api's/etc
    rapid7 project sonar
      scans the whole public internet, seeing what's vulnerable
    google search
      hosts
      software running
      secret pages
    google certificate transparency report
      can find hosts through subdomains company registered certs for
    beta access
      if a company with bug bounty program has beta program, try it
      test new features
      follow them on twitter, other social media, be aware of what they put out there
    other open sites
      dnsdumpster
      threatcrowd
      thratminer
      https everywhere atlas
      look for opportunities to repurpose tools online

  techniques
    google queries
      site:foo.com
      find results from subdomains not on list yet
    brute forcing
      try common subdomains
      bonus points for expanding with own wordlist from crawling own targets
    own scripts
      automate this + anything else you can
    dns tools
      dig, host
      dnsrecon
      dnsenum
      dnsmap
    recon-ng
      more framework than a script, like metasploit for recon
    altdns (shubs)
      read shubs blog: high frequency bug hunting
    https://github.com/jhaddix/domain
      Setup script for Regon-ng/altdns

Recording results
  CSV file, SQL database
  get creative
  choose what to catalog
    domain
    type
    think about what you'd like to know when choosing the next target you want to work on
  Find, Fix, Finish, Exploit, Analyze (F3EA) cycle
  https://github.com/infosec-au/assetnote-poc
    push notifications for passive DNS data
  cleaning up data
    write some scripts to run against hosts
    screenshots
   validating possible targets
    SSL certificates used by that host
    common cookie names across hosts
    distinctive HTTP headers, fragments, etc
    logo images
    copyright lines
    privacy policy links
    contact information
    google analytics tracking codes

Using target data
  understanding ownership
    some sites give subdomains out to customers
    just because it's on a subdomain of that company, may not be an app they control
      eg company.github.io
    subdomains that point to external services
      eg. blog.company.com
    find out who owns the host before you hack it
  consider scope
    may be explicitly in/out of scope
    sometimes may be implicitly in scope based on rules of engagement
  what now
    enumerate services
    look for vulnerabilities

Summary
  find out everything you can, keep good notes
  Respect program scope, remember pitfalls
  Automate as much as you can

How does unicode affect our Security? (Christopher Bleckmann-Dreher, @schniggie)

https://twitter.com/schniggie?lang=en
Pentester, german car manufacturer
Retired bughunter

ASCII
  7-bit, 128 characters

ISO-8859-?
  ASCII compatible
  8-bit, 256 characters
  Multiple standards

Unicode
  multibyte character set
  fully ASCII/ISO-8859 compatible
  Different encodings (UTF-8, UTF-16, UTF-32, UTF-EBCDIC, ..)
  more like a database, links between copoint to character + some attributes
  Basic Multilingual Plan 65k chars
  Astral plans 1mil+ characters

Unicode Encodings
  different encodings use different bytes to store characters

Security implications - Length
  Length of UTF-8 string vs size of the string
  When allocating memory, etc

Security implications - JavaScript compare
  comparing 2 strings that look the same to the eye
  'ma\xF1ana' == 'man\u0303ana' -> false
  length of strings differ

Security implications - JavaScript regex
  /foo.bar/.test('fooPOOEMOJIbar')
  regex . should match 1 character
  \s\S matches whitespace, not whole of astral symbols
  multi-byte emoji
  current JS in most browsers is ECMScript5
    had trouble with chars in astral planes
    not completely supported by default
    some workarounds for it
  http://scriptular.com
    regex javascript application
    can test it

Security implications - MySQL vs UTF-8
  create table, charset set to utf8
  update table fooPOObar
    shows a warning, incorrect string value
  selecting back the entry, column name is only the prefix before poo emoji
  solution: set database to utf8mb4

Security implications - Internationalised Domain Names
  Stored as ascii strings using punycode
  eg. email spoofing using special characters
  UTF8 symbols that look identical
  Use punycode converter
  Register the converted domain
  real world attack scenarios
    an attack released earlier this year to spoof apple.com/etc
    not meant to be able to mix character sets in domain registrations
      google registrar seemed to allow it
    browsers realised that displaying UTF8 in the domain is bad
      now show the punycode instead

Unicode character - Right to left overide
  can rename the file using ruby File.rename \xe2\x80
  able to rename exe file to a file that looks like it has the extension .ppt
  old attack, known since Windows 98 or so, still works today..

Crashing every iOS and OSX device
  2013, vulnerable to an arabic string
  https://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

Backend != Backend
  Frontend may allow UTF8
  Backend may not be expecting it
  exception from backend

Spotify account hijacking
  Allowed unicode usernames
  Register an account with a superscript word of an existing account user
  Trigger forget password function
  Password reset canonical'ises the username
  Sent him the password reset link
  Using that, used the canonicalised name again
  Was the victim user
  Reset password on that user

Phabricator bypass
  Facebook, like github
  Error, email at that domain not allowed
  MySQL
  add foo@attacker.comPOO@fb.com
  POO is the new %00  

Summary
  for developer
    verify methods, functions, frameworks handle unicode
    input validation should handle unicode
    verify all system and interconnection can handle unicode

POO is the new %00

Hacking Internet of Things for Bug Bounties (Aditya Gupta)

https://twitter.com/adi1391

https://twitter.com/_devalias/status/886339682958680064
  Run attify, pentesting IoT devices
  Author: "Learning Pentesting for Andorid Devices"
  Book: IoT hackers handbook, this month
  IoT pentesting guide to be released after this talk

Why
  if not, missing great stuff
  best to do in 2017
  easy targets
  higher barrier of entry
  enormous growth soon
  be prepared
  Examples
    IoT fridge that sends spam email
    Smart home compromised
    Hardcoded password in a medical device
    Shodan for scada things
    Controlling mining trucks

What
  what to look for during IoT big bounties

  When you look at a device
    figure out possible attack vectors
    look closely
    pentesting mindset
      components
      entrypoints
      communication
      protocols
      exposed ports

  Once you have a target
    compromise the whole target
    don't just look at one small part, whole thing
      micro and macro
    where would be most vulnerable?
      start there

How
  how to find vulns that companies will pay for
  "Hacking IoT is not a 'black magic' It can be learnt. Too less resources."

  How to start IoT bug bounty hunting
    attack surface mapping
    hacking the embedded device
    hacking firmware
      may not be available, but can dump from device
    hacking mobile/web/cloud components
    hacking radio communications

  Attack Surface Mapping - Step 1
    https://twitter.com/_devalias/status/886341534450307072
    Recon
      understanding device
      visible ports
      components
      communication mediums
    Available info
      google
      datasheets
      support groups
      community center
      social engineering
      FCC ID

    Attack Surface Mapping - Step 2
      https://twitter.com/_devalias/status/886341954404929536
      map attack surface (architecture diagram)
      entrypoints
      commuications
      additional web endpoints
      protocol/standard
      specifications

      Creating an architecture diagram

      Looking at a device
        FCC ID mentioned on the back of the device
          required for any radio communication device sold in US
        https://fccid.io/
          eg. EW780-8913-00
            https://fccid.io/EW780-8913-00
          gives you frequencies, internal/external pictures, etc
          can look for JTAG/etc ports

    What next?
      perform exploits
      be systematic
      often one component leads to another
      device -> dump firmware

    How to approach
      embedded -> firmware/web/mobile -> communication

    Hack the embedded device
      open device
      physical tamper protections, special screws, etc
        get a good screwdriver kit
      look at chipsets
        USB microscope
        phone flashlight
      identify things, label them
      dig deep
        look for exposed ports

    UART are easy to find/export
        multimeter to test Tx, Rx, GND
        connect to attify badg or USB-TTL
        identify baudrate
        run minicom for shell access
      screen can be used to connect to a TTY
        sudo screen /dev/ttyUSB0 ..

    JTAG
      can be harder than UART
      can be scattered across board
      JTAGulator or arduino nano flashed with JTAGEnum
      easily identify pinouts for JTAG
      https://twitter.com/_devalias/status/886344370944786432
        Hacking Embedded Devices - Debug JTAG

    Dump Flash
      look for flash chips
      read compoent sheet/datasheet
      may need to solder to adapter, pins are tiny
      then can dump flash

    NAND glitching
      generate fault scenario, have it behave in unexpected way
      drops to bootloader shell
      can set bootloader flags, eg single user mode

    Other attacks too

Firmware Hacking
  Easy to find basic vulns
  Good at RE -> lots of stuff to find
  Learn ARM and MIPS RE
  Sensitive hardcoded values, API keys, encryption mechanisms, etc

Firmware methodology
  binwalk
    extracts filesystem
  firmwalker
    identifies interesting things to look at
  Firmware-Mod-Kit
    allows filesystem modifications, then flash back to device
  Detect if device allows firmware modifications, security checks, etc

Encryption?
  XOR with empty space will give you the key itself

Hardcoded sensitive values
  eg. creds to ftp update server, etc
  Can find all sorts of things
    api keys, backdoors, SSL certs, staging URLs, etc
  Quick binary analysis in IDA
    can see harcoded creds
    command injection vulns
    ROP
    etc

Analysing mobile apps
  native libraries can store secrets
    file, readelf
    IDA demo version can dissass ARM binaries
    look at functions, eg. encryption
  understand the app code

Hacking communication
  look at mobile app -> device communication
  MQTT? CoAP?
  view resources unauthed?
  publish messages/subscribe topics?

  MQTT
    works on pub/sub topic
    might be able to subscribe to *

Hacking radio
  radio analysis/exploitation needs special hardware
  depends on protocol
  BLE/ZigBee most common

  Hacking Zigbee
    attify killerbee
      zbstumbler
      zbdump
      zbreplay
      etc

  Hacking BLE
    ubertooth, BLE sniffer
    sniff traggic
    see what handles being written
    rewrite handles using gatttool

Pentest methodology
  focus on 'attacker simulated exploitation' rather than pentest
  look at macro and micro
  95% success rate, critical vulns, devices compromised
  follow the guide

https://www.iotpentestingguide.com/
  https://twitter.com/_devalias/status/886350210724646912

https://twitter.com/_devalias/status/886350674266537984

https://twitter.com/_devalias/status/886350817741094912

Intro to Car Hacking (Alan Mond)

https://twitter.com/mondalan?lang=en
https://twitter.com/carloopio?lang=en
  Car hacking tool

Car Hacking 101
  How to get started
  vehicle networking basics
  demo
  build your own testing buck

What are the different attack surfaces?
  Tire pressure monitoring sensor
    sensor in each tire, connects to car, measures pressure
    communicates via low frequency radio signal
    can intercept that signal
  Bluetooth/wifi
    hotspot may be open
  ODBII port
    underneath steering wheel
    main entry point for access, but already inside car
  Infotainment system
    USB, root access possible, etc

How to get started
  Book: The Car Hacker's Handbook, Craig Smith
  Free download http://ebook-dl.com/book/5277
  Tools, protocols, references

What you'll need
  access to the OBD-II port
    mandated to be on 'CAN' since 2008
  CAN hardware tool
    USB2CAN
    microcontroller with CAN controller on it
  OBD-II to serial (RS-232) cable
  linux machine
    rasberry pi, virtual machine on osx
  OR
    Carloop basic ($55)
    open source
    wireless
  why not cheap ODB2 dongles from amazon?
    could.. just a lot of work to use them
    integrated circuit, converts raw CAN messages to values
    not getting raw messages

Most comprehensive list
  github.com/jaredthecoder/awesome-vehicle-security
  https://twitter.com/_devalias/status/886354216968609792

Vehicle networking basics
  CAN bus
    connects all modules through 2 wires
    dashboard, engine, control modules, infotainment system
    Controller Area Network (CAN)
    2 wires, high and low
    more than 1 CAN bus on vehicle

  Why focus on CAN?
    mandated since 2008
    well supported in linux
    more than just diagnostics..
    currently not encrypted at all..
    signals go from high to low

  Anatomy of a CAN message
    arbitration ID
    IDE: 0 (always for CAN)
    Data length: 1 byte
    Data: payload
    ID and data most important

Demo
  intall can-utils
  provision CarLoop with can-utils, flash over the air
    https://www.carloop.io/apps/app-scoketcan
  cansniffer
  identify by ID, see what changes in the data
    see what changes when you do something on the car
    no documentation out there
    manufacturers don't want you seeing it
    straightforward when you start to see it happen though

Build your own testing buck
  can build a test bench for less than $100
  Power supply
  engine control module
  CAN device
  adding more modules, can get more interesting data
  car-part.com

tools and resources on
  http://illmatics.com/carhacking.html
  https://community.rapid7.com/community/transpo-security/blog/2017/07/11/building-a-car-hacking-development-workbench-part-1

How to access proprietary parameter ID's?
  harder to decode
  query/response structure
  specific to ODB-II
  need to send specific PID to get it back
  most people use a scan tool for that brand, use a y-splitter
  then can capture the request/response

Replay of keyfobs from HackRF/similar devices?
  don't know much about it

Difference between tools mentioned and those dropped with jeep hacking research?
  that paper is a really good read
  goes through process of decoding each CAN message
  has some PID's you can look at (for same brand of car)
  each manufacturer has different 'data dictionaries' for these PIDS
  all tools very similar, can bus/receiver
  simple toolchain

bugcrowd running car hacking CTF, prize is a truck
  https://www.carhackingvillage.com/

https://store.carloop.io/

Thanks!

Thanks for reading! Hope you found something useful.

Do you have any awesome resources, comments, or things to add? I'd love for you to share in the comments below! <3

]]> Link Dump: Clearing Out My Todo List /devalias/2017/07/14/link-dump-clearing-out-my-todo-list/ devalias 2017-07-14T00:00:00+10:00 /devalias/2017/07/14/link-dump-clearing-out-my-todo-list/ I tend to stumble across a lot of interesting things as I travel across the web, and one of my productivity methods is to save the things I don't have time to check out immediately to Todoist. Unfortunately, time can be short, and life busy, so those 'thats an interesting article', 'i could use that tech thing' and 'that would be cool to blog about' things tend to just build up, and clutter my todo lists in an ever less efficient manner. So today lets clear some of that out!

This post will be a vaguely categorised link dump, and depending on if I remember why I saved it, maybe some notes too.

Looking over everything, there seem to be trends around development, security, privacy, blog/website, docker, tech, automation, branding and general performance/efficiency. Not really surprising when I think about the things that tend to interest me :)

Hope you find something interesting!

Development

Security

Privacy

Blog / Website / Social

Docker

Automation, Scraping, etc

  • Guide to Web Automation | Hackernoon
    • peterdemin/web-automation-2017: An attempt to cover state of web automation in 2017
      • This GitHub should have a bunch of other projects detailed in some of the (probably closed) issues
  • Scrapy: An open source and collaborative framework for extracting the data you need from websites.
    In a fast, simple, yet extensible way.
  • scrapinghub/portia: Visual scraping for Scrapy
  • Netflix/Scumblr: Web framework that allows performing periodic syncs of data sources and performing analysis on the identified results
  • Home Assistant: Home Assistant is an open-source home automation platform running on Python 3.

Tech

Branding

Alfred-esque

Windows

MacOS (OSX) on Windows

GitHub

Quantified Self

Performance, nootropics, etc

Interests, activities, etc

Gaming

Unsorted

]]> Kiwicon 8 (2014) - Some quick notes /devalias/2014/12/16/kiwicon-8-2014-some-quick-notes/ devalias 2014-12-16T08:08:04+11:00 /devalias/2014/12/16/kiwicon-8-2014-some-quick-notes/
  • Kiwicon

    • This was most definitely one of the most interesting, exciting, and downright awesome 'con experiences i've ever had! In the past i've pretty much kept to myself, watched the talks and headed home, but hung out/chatted/discussed with a lot of people over the course of the week, and it was epic! So so so definitely worthwhile!!

    Not sure of the best way to go about this, so will just list out the different presentations and anything of interest/note from them.

    I assume slides/etc should be up later on, so if something looks interesting, keep an eye out for that.

    Thursday

    Friday

    Saturday

    ]]>         Symantec Web Gateway: Cross-Site Scripting (XSS) (CVE-2013-4670) /devalias/2013/09/05/symantec-web-gateway-cross-site-scripting-xss/ devalias 2013-09-05T00:00:00+10:00 /devalias/2013/09/05/symantec-web-gateway-cross-site-scripting-xss/ I found a Cross-Site Scripting (XSS) vulnerability within the Symantec Web Gateway.

    The CVE

    Acknowledgements

    This issue was identified by myself, as well as independently by another security researcher:

    Symantec thanks Glenn 'devalias' Grant, http://devalias.net, for also reporting CVE-2013-4670 and working with us as we addressed them.

    ]]>         [DAHAX-2013-001] Cloudflare XSS Vulnerability /devalias/2013/08/15/dahax-2013-001-cloudflare-xss-vulnerability/ devalias 2013-08-15T08:00:00+10:00 /devalias/2013/08/15/dahax-2013-001-cloudflare-xss-vulnerability/ Reference Number: DAHAX-2013-001 (/dev/alias/hacks 2013-001)

    Notification Timeline

    Details Published: 14/08/2013 (http://blog.devalias.net)

    What?

    • Reflected XSS (cross site scripting) attack

    Where's Affected?

    How?

    • To bring up the vulnerable page
      • Set your X-Forwarded-For header to 101+ characters
      • Eg:
    X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK
    • Load a site using cloudflare
    • You should end up on "DNS Points to Prohibited IP" page
      • To trigger the XSS
    • Set your User-Agent string to the XSS attack
      • Eg:
    User-Agent: USER-AGENT being tested for XSS..<script>alert(''Vulnerable to XSS via USER-AGENT header [Found by devalias.net]'')</script>
    • The whole attack
      • Ensure your X-Forwarded-For and User-Agent headers are configured as above
      • Navigate to a page using cloudflare
      • ???
      • Profit!

    Who?

    Discovered by Glenn 'devalias' Grant (glenn@devalias.net)

    Responsible Disclosure Notice

    • Following in the footsteps of Google's vulnerability disclosure timeline, unless otherwise agreed to beforehand, I reserve the right to publicly announce the details of any discovered vulnerabilities 7 days post notification.
      • Google's Rationale: "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." - Google
    ]]>