Researcher explores tips and tricks for Web and mobile hacking

Jason Haddix has a master list of tips and tricks to make application bug hunting better and faster

blackhat bsides defcon23

LAS VEGAS - Bounty programs are becoming quite popular. Since 2014, the number of researchers taking part in a growing number of bounty programs has continued to climb.

At the same time, the task at hand isn't easy, and researchers come with different levels of skill and experience. So some are collecting more than others when it comes to bounties.

On Saturday, during a talk at DEF CON, Jason Haddix, Director of Technical Operations at Bugcrowd, will be giving a talk geared towards streamlining and improving the processes used by those already in the AppSec field or those looking to join. There's a mix of everything in his talk, which is what caught my attention.

I admit, my interest is a bit selfish. I wanted to learn more about AppSec (assessment and pentesting) and his talk on existing methodologies looked like a good fit. As it turns out, scheduling conflicts will prevent me from attending his talk this weekend, but as luck has it, he gave me a run down on the topic and shared his slides.

Here then, is a quick recap of the talk and some of the details.

"The presentation is basically a hit list of tips and tricks for application testers of all kinds," Haddix explained.

He started by collecting data published by other bug hunters, including their own tips and tricks and code – which when combined with his own knowledge and tools, resulted in the creation of the Bug Hunter's Methodology.

"It's mostly Web stuff and some mobile stuff. But it shifts a little bit from traditional security testing, because a lot of the vulnerabilities you see when you start looking at this data in depth are heavily embedded in the applications. So automated scanners won't find them, even an intro pentester won't find some of these flaws; because they don't know where to look, or they're not using the same mindset that bug hunter has to use when they're competing against thousands of other people on a program," Haddix said.

Without giving away the entire talk, Haddix has taken the elements that form the Bug Hunter's Methodology and broken down the areas where the mindset shifts between researchers.

From there, he dives into the technical aspects of the tools and techniques that make AppSec work faster or easier; including examples of where the vulnerabilities are represented, specific bug examples, and details on the researchers who developed these tools and methods, so there is an opportunity for later learning.

I can honestly say, after going through the talk with him, Haddix has created a great overview of the topic. Anyone currently testing Web or mobile applications, looking to expand on an existing set of skills, or looking to get started in this line of work will benefit from this talk.

Unfortunately, I was only able to follow about half of the things he covered, but I've never done professional pentesting on a Web or mobile platform, so I'm rather pleased with 50 percent.

Given that part of my job is to cover and understand data breaches and security / privacy issues – knowing how a Web or mobile platform can be broken or leveraged in an attack is useful knowledge to have.

True, I obviously have more to learn, but this was a great introduction for me – so it fits perfectly in the DEF CON 101 track.

Again, I won't burn the entire talk here, but there are some things that stood out to me.

- Locating obscure sub-domains or related properties that are in scope is essential to someone working a bounty program. These areas might be missed by others, and they're worth something – or they can be leveraged as part of the test against a different application.

Haddix has written a tool to help with this and he talks about leveraging obscure applications that were forgotten by the company. Moreover, pay attention to mergers and acquisitions, because often a vulnerable application came from another source, but it's still in scope.

- Logic flaws, or access control bugs, are serious issues that are often overlooked for bigger, sexier vulnerabilities. Sometimes, they're overlooked because the tester didn't know how to find them.

- Tools, so many tools. This talk had more tools than I knew what to do with, but again – I don't have the experience. However, after they were explained to me I can see how they help. The cheat sheets will come in handy for me, but I'm sure the professionals will make use of them too.

Haddix is giving his talk during DEF CON on Saturday at 16:00 in DEF CON 101.

New! Download the State of Cybercrime 2017 report