spaceraccoon hacks for good! From Amazon to Zendesk, he has helped secure organizations from a range of vulnerabilities. In 2021, he was 1 of 5 selected from a pool of 1 million white hat hackers for the HackerOne H1-Elite Hall of Fame. Outside of bug bounty, he researches cutting-edge cybersecurity issues that span a diversity of domains such as artificial intelligence and social engineering. His work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.
Automation for Manual Bug Bounty Hunters
In the bug bounty space, hunters are typically split into two camps: automation masters who detect and scan assets at scale, and manual researchers who dive deep into application logic. Due to the different skillsets and resources needed, hunters prefer to stick to one approach. However, manual bug bounty hunters do not need to rely exclusively on Burp Suite and the browser. My talk will explore the bountiful field of automation they can use to speed up and enhance in-depth research, from code review to macros. Regardless of your approach to bug bounty, you will take away new ideas to integrate automation into your work.
- Introduction: At more advanced levels, bug bounty hunters typically either pursue wide automation or deep manual research.
- Automation requires large investments in compute resources to discover and scan assets faster than others – often a winner takes all outcome.
- Manual research requires large investments in time to explore app functionality and discover unique bugs, which can be a toss-up
- However, in recent years the tools available to manual researchers has increased in quantity and quality; manual bug bounty hunters should integrate some of these into their work.
- Attack Surface Management (ASM) may appear to be a repackaged form of automated reconnaissance, but manual bug bounty hunters can take away new techniques from this product space.
Cloud asset discovery has become even more important as companies adopt these technologies; techniques have become more sophisticated than simply brute-forcing subdomains or storage buckets.
- Cloud service provider-specific quirks, such as Azure Autodiscover (demonstrated in letitgo tool), can reveal assets invisible to traditional asset discovery methods.
- Meanwhile, continuous monitoring of specific assets can provide maximum cost-to-benefit for manual hunters by alerting them to specific changes in applications rather than scanning wide.
- Code search and review tools supercharge vulnerability discovery and scales individual findings.
- grep.app and Sourcegraph allow researchers to quickly search for vulnerable code patterns across all Git repositories.
- When looking into a specific codebase, researchers can apply automated code review with Semgrep and CodeQL to identify weak areas.
- Source-to-sink tracing automates much of researchers’ manual code review and can cover up for blind spots.
- Discussion of vulnerabilities discovered this way (pending disclosure).
- Even within the Burp-and-browser paradigm, researchers can apply quality-of-life automation.
Client-side vulnerability discovery greatly improved with DOM Invader and custom extensions like postmessage-tracker.
- Useful extensions covering cryptographic weaknesses to authorization checks.
- Learn to write your own extensions and macros to cover unique technologies or request flows.
- Conclusion: Being a manual bug bounty hunter doesn’t have to mean slogging through lots of repetition.
Pay attention to where you are repeating unnecessary work and invest the time to automate it.
- It’s difficult to squeeze blood from a stone; asset discovery is important to surface new attack surfaces, but you don’t need to do the same thing everyone is doing.
- Ultimately, the goal is to improve your existing workflow, not replace it – manual in-depth research is still incredibly impactful.