REGISTRATION CLOSED

DATE: 9-10 May 2022

TIME: 0900-17:00 CEST/GMT+2

Pen testers and security researchers face the challenge of discovering and weaponizing complicated vulnerabilities in order to properly perform security assessments for applications. Modern applications are enriched with advanced and complex features that increase the attack surface. Every application has its own unique logic that requires the pen tester to deeply understand how the app functions before beginning a security assessment. Discovering and exploiting tricky security bugs in these assessments requires the art of mixing manual and automated techniques.

Bug bounty programs are put in place so that the security community can help vendors discover application security flaws that are difficult to discover and exploit. The scope of such programs includes security bugs for web apps, mobile apps, APIs, and more. Large IT companies, such as Google, Facebook, Twitter, and PayPal, have participated in such programs.

“Bug Bounties and Responsible Disclosure” is inspired from case studies found in various bug bounty programs, drawing on recent real-life examples of web and mobile app attacks. The experiences of different researchers yield ideas for pen testers and developers about unconventional attack techniques and mindsets. Each section of the course is influenced by bug bounty stories that are examined through the following structure:

• Attack concept: The idea, concept, and root cause of the attack.
• Test technique: How to test and discover the application security flaw manually and automatically.
• Attack exercise: Analyze the vulnerable applications, understand the root cause of the bug in the source code and a learn how to fix it.
• Related bug bounty case study: Analysis of several bug bounty stories that are related to the attack.
• Defense techniques: The best security practices to defend from the attack and mitigate the application security flaws.

Agenda

Day 1: Authentication Bypass, Logic, and Blind SQLi Attacks

Day 1 begins by introducing you to setting up a bug bounty program in an organization, and how to get started and manage the process. Understanding an app’s functionality can open attack ideas and facilitate catching tricky app security bugs.

You will learn and practice mapping the app logic and features into HTTP requests of real-life apps. You will learn different techniques inspired from real-life case studies in order to perform authentication bypass and account takeover. You will discover and exploit real-life bugs manually in an authentication bypass exercise. We’ll inspect source code to understand the root cause of the bug, and all exercises will be performed on real-life apps using a trial license for Burp Suite. You’ll be hunting security bugs like professionals. Tricky logic bugs are some of the hardest to discover and catch in complex apps. You will learn different tricks to conduct logic and authorization bypass attacks while walking through real-life cases in bug bounty programs.

An authorization bypass lab will enable you to practice catching tricky logic bugs. Finally, you will learn about various methods to perform SQL injection attacks in different contexts inspired by real-life bug bounty case studies.

Exercises

• Exercise 1.1: App Mapping
• Exercise 1.2: Authentication Bypass
• Exercise 1.3: Authorization Bypass
• Exercise 1.4: SQL injection
• Exercise 1.5: Boolean-Based SQL Injection

Students will perform labs on real-world applications using professional tools to practice hunting genuine security bugs. We will then examine web application defenses and extra code review exercises to close the loop on the attacks covered. Finally, we’ll look at reporting and responsible disclosure, ensuring delivery of quality app security bug reports with proper description, evidence, and recommendations.

Topics

• Bug hunting challenges
  – Preparationforbughunting o Reconnaissanceandtools
• App mapping and analysis
  – Identifying app components
  – Translating business into HTTP requests o Tracingthedataflow
• Authentication and session analysis
  – Parameter manipulation and account takeover
  – Improper reset password implementation
  – Multi-factor authentication bypass
  – Improper validation on session variables
  – Real-life case studies
  – Authentication and session defenses
• Authorization and business rules
  – Logic attacks and authorization bypass
  – Parameter manipulation and IDOR
  – Bypassing client-side authorization controls
  – Second order authorization bypass
  – Business rules bypass and lack of integrity checks o Improper synchronisation between modules
  – Real-life case studies
  – Logic attacks defenses
• SQL injection
  – Blind SQL injection context
  – Boolean-based SQL injection
  – Time-based SQL injection
  – Real-life case studies
  – SQL injection defenses

Day 2: SSRF, Client-Side and Mobile API Attacks

Day 2 continues covering various attack techniques for different security bugs such as Open Redirect, Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). The attack techniques covered will draw on real-life bug bounty stories that give different attack ideas for discovery, filter bypass, and exploitation.

You will learn attack techniques on modern apps that are rich with client-side code and API calls. You will also learn how to chain different bugs to cause a greater security impact. The day is filled with exercises that will walk you through real-life apps. During the exercises, you’ll learn how to discover the bug manually, how to inspect the root cause of the bug from the source code, and how to fix the bug. Finally, you will learn how to deliver quality app security bug reports with proper descriptions and evidence.

Exercises

• Exercise 2.1: CSRF
• Exercise 2.2: Discovering stored XSS
• Exercise 2.3: XSS bypassing filters
• Exercise 2.4: API attacks
• Exercise 2.5: Chaining logic attacks

Topics

• Open redirect and server-side request forgery (SSRF)
  – Stealing OAuth access tokens using open redirect
  – SSRF and stealing metadata API key in cloud environments
  – Blind SSRF and mapping internal infrastructure
  – Chaining open redirect and SSRF attacks
  – Real-life case studies
• Cross-site request forgery (CSRF)
  – Account takeover using CSRF
  – Anti-CSRF token implementation
  – Bypassing CSRF defenses
  – Real-life case studies
• Cross-site scripting (XSS)
  – Tracing the data flow and analyzing the context
  – Filter detection and WAF bypass
  – Discovering blind XSS
  – Improper input validation and output encoding
  – Real-life case studies
• Client-side code and APIs
  – Mapping APIs attack surface
  – APIs authentication bypass
  – Mobile APIs authorization bypass
  – Improper OAuth implementation
  – XSS and insecure client-side code escaping
  – Real-life case studies
  – APIs defenses
• Chaining attacks
  – Enumeration and logic attacks
  – Self-XSS and logic attacks
  – Escalating LFI to RCE
  – Command injection and CSRF
  – Real-life case studies
• Reporting the findings
  • Managing a bug bounty program