Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «how to get 1kk on the Bug Bounty». Кирилл Ермаков. QIWI

1. #securitymeetup
“When big brick wall becomes
wooden fence” or “how to get 1kk on
the Bug Bounty”

2. #:whoami?
• Known as ‘isox’
• Web penetration tester
• QIWI CISO
• Member of “hall-of-fames” (Yandex, Mail.ru,
Apple, and so on)
• JBFC participant ^___^

3. Hungry nomads
• Disparate groups
• Attacking every tower they see
• Using equal techniques and weapons
• Really meticulous
• Clever and creative
• You and I

4. Castle with gold
• Ready to pay tribute for every successful
attack
• Got enermous territory surrounding it
• Provides protection for their citizen
• Takes care about it’s borders
• Makes friendship with neighbors

5. Looking at the frontend
• Huge strong (fire)walls
• Musketeers and howitzers
• Moat with crocodiles
• Perfect gate citizenship control
• Flawless architecture
… gentlemans, what we are waiting for?

6. Common assault
• 10 days for one embossed brick
• Taked notice that walls are really pregnable
• 100 gold coins of income
• Got tired and went home

7. I worked using Burp Suite with plugins
for a week.

9. Why so bad?
• Most of us took weapons from the same
blacksmith
• Studied martial arts in one academy
• There is very little of “unique attack
techniques”
• Unless you are black (magic) fan or can make a
dozen of «PP» tricks
• All easy ways are already found

10. Just stats for one day and one vector

11. Let’s dot the i’s and cross the t’s
• We are not making “security research”
• We are working for our own
• We came here to hack em for money
• We are legal whitehats

12. Bad advice №1

13. Illusion of good network aggregation
• It does not really matter where this RCE or
SQLi will be
• Common case: injection in aux DB leads to
main DB takeover thru datalink
• Do you really believe writing “don’t hack this
domains” will stop anybody?
• Hack everything you can find in target AS

14. Sometimes like this

15. Or like that

16. Or even like “I just hacked this IP”

17. Bad advice №2

18. Rabbit’s are not only puff
• 50$ is 50$
• “I’m too cool for clickjacking, self-xss, bad
crossdomain.xml, POODLE, bad CSP”…forget
about it
• If it is security issue – report it
• Availability of bruteforce is also security bug
• Missing captcha too
• Information disclosure absolutely

19. Sometimes $140

20. 10 clickjacks == 1 XSS

21. Bad advice №3

22. Enterprise toys are expensive
• Nessus SC for enterprise costs a lot as example
• Sometimes security team just can’t configure
it well
• Or does not use it at all
• Scan it, validate it, report it!

23. For very nice bugs like this
Quagga is a routing software suite, providing
implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng
and BGP-4 for Unix platforms, particularly FreeBSD, Linux,
Solaris and NetBSD.

24. Good advice №1

25. First2discover is first2pwn
• Find your target AS-es (radar.qrator.net as
example)
• Find domains and regions (subbrute + google)
• Automate nmap for portscanning target AS
• Keep your eyes at the difference report
• Be the first bounty hunter to discover new service

26. Dev, test, debug…yummy!

27. Good advice №2

28. We are lazy
• RegEx for sanitizing “abG$2.###” is too lazy to
write
• Huge frameworks and API’s are awesome
• Just MD5 username and salt with IP, this will
be sessionid
• Keep in mind that developers are humans too
• Just imagine yourself at their place

29. Yandex.Disk case
• What we know: Our yandex id, 229857356
• What we see in requests:
_model.0=tree&id.0=/disk
• What we will try:
_model.0=tree&id.0=229857356:/disk
• Profit. Access any disk by full URI just changing
it’s uid.

30. Good advice №3

31. Automate your ideas
• Don’t be lazy, write your own plugins
• Automate every cool vector you can create
• Automate even every good vector you can
find!
• Your fuzzing and attacks must be uniq

32. Let’s try to find errors in a good way

33. Don’t take it all too serious
• Research new vulnerabilities
• Don’t stop working hands on. Repeater is your
best friend.
• Keep learning! It’s so much interesting you
don’t know!
• Share information with bro’s
• Money is nothing. Seriously.

34. Thanks :)
• @videns, u r a dick
• @d0znpp for good parties
• QIWI security team for a presented time to
write this slides
• Mail.Ru for this great evening
Email party invitations at isox@vulners.com

35. QIWI IS HIRING
• Security Expert in Application Security Team
– Write to videns@qiwi.com
• Security Expert in Infrastructure Security Team
– Write to mona@qiwi.com
• Python programmer in Internal Development
– Write to isox@qiwi.com
• Welcome 