My name is Frans Rosén, based in Stockholm, Sweden. I started off as a developer back in the day. A few years ago I met a bunch of friends who were heavily involved in the web security community (avlidienbrunn & almroot); we started a company together with some more friends which became Detectify, doing security monitoring for the web. They also introduced me to the field and taught me a lot, ending up with me taking the journey into the community myself. About 4.5 years ago I learned about bug bounties, and my first attempts at it were against PayPal, Facebook, Google and Yandex.
I also realized I had been thinking about security during my whole time as a developer, which in turn also made me aware of common pitfalls and mistakes developers tend to make. (Regular expressions anyone?)
I do it as a combined work and hobby. I have actually plotted a graph showing my activity in bug bounties since the beginning, and it seems I do bug bounties in intervals: I dip every 3.5 months, then I spend about 1-1.5 months not doing it at all, and then I become really active again for another 3.5 months.
Being a security advisor at Detectify I can really combine the bug hunting, which helps Detectify in finding issues that are possible to automate, with finding interesting research areas to blog and talk about.
I also have a 3 year old daughter, and I’m trying to get her interested in taking stuff apart. Once, I got her help in a bounty program to trigger a race condition in a specific process on an Android tablet, that was really cool!
Thanks to the graph I made I really see how often and how active I am. avlidienbrunn and I will release BountyDash soon, which is a local instance of a dashboard to visualize all the bounties from HackerOne, Bugcrowd and Synack. This was actually an eye opener to me in regards to how often and how many bugs I’m reporting. I can basically go from 40 to 1 reports a month, it all depends on my focus area and my current research of interest. I’ve gotten at least 1 reward for every month since 2013-12 from H1, Bugcrowd and/or Synack.
In the beginning the hardest thing was to figure out what I was actually supposed to look for. At first, it was basically “if I get an alert, they are vuln”, but this changed pretty quickly since you had to think about “how can this actually get exploited?”. That’s probably the most important question and something I still see people not thinking about that much. To me, that question is often what makes me try to go deeper and to find chains with other bugs to find the highest impact possible. The best trigger in this case is when the company comes back and says “But we have mitigation X preventing this” and you continue digging for a few hours, responding with a bypass of that mitigation.
I have a bunch of favorites really. I had some fun bugs lately with two different password managers.
With the first password manager I started to look at their desktop app. I looked at the strings in the binary, and noticed some weird phrases and URLs connected to the login process.
It turned out that passing a specific prefix of your login email would allow you to log in with a static password that let anyone in, basically a “qwerty123” for all emails beginning with “qa123”. However, you still had to go through their 2FA process.
The thing was, when signing in to one of the emails with that prefix, it triggered a call to a specific URL. Browsing to that URL, you would see each email together with the corresponding 2FA code. This turned out to be their QA solution to have an external entity test their password manager with a bunch of services.
Looking at the URL for a while, other test users showed up. Signing in to a few of these QA accounts revealed logins for a bunch of services, one being the company’s JIRA (imagine posting the vulnerability report in there instead...).
I contacted them with a proper report and they fixed it the same day.
The other password manager had the ability to store a password for arbitrary protocols, such as “javascript://twitter.com?%a0alert%281%29”. This URL would then show up in the password list as “twitter.com”.
If you clicked on the item in the Firefox extension to sign in, it would run the JavaScript on the current page you were on (not necessarily twitter.com). They also had a functionality to share credentials with people. When sharing this one, it would say “Frans wants to share credentials for twitter.com with you”; if the person accepted it and clicked on it, it would run on the page they were on, which could be any site really. That one was also fixed pretty quickly.
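The display bug above comes down to labelling a stored URL by its host-looking part without ever checking the scheme. The following is an added example, not code from the AMA or from any password manager: `naiveLabel` is a constructed approximation of such a flawed label function, and `safeSiteLabel` is the hardened version that only accepts http(s) entries and refuses everything else.

```javascript
// Added example; not from the original AMA or any password manager's code.
// Models the "javascript://twitter.com?..." entry Frans describes: the label
// shown to the user is derived from the authority part of the stored URL,
// so a non-http scheme still displays as a trusted-looking site name.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed, deliberately flawed label extraction: take whatever follows
// "scheme://" up to the first "/", "?" or "#". The scheme is never inspected,
// so a javascript: URL carrying a payload in its query still reads as a host.
function naiveLabel(stored) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(stored);
  return m ? m[1] : stored;
}

// Hardened: parse with the WHATWG URL parser, allow only plain http(s) with a
// non-empty host, and return null so the caller refuses to store, display or
// open the entry (and never builds a share message from it).
function safeSiteLabel(stored) {
  let url;
  try {
    url = new URL(stored);
  } catch {
    return null; // not a parsable URL at all
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  if (url.hostname === "") return null;                // e.g. "https:///"
  return url.hostname;
}

// Share notification text built only from a validated label.
function shareMessage(sender, stored) {
  const label = safeSiteLabel(stored);
  return label === null ? null : `${sender} wants to share credentials for ${label} with you`;
}

// Constructed sample entries: one hostile, one legitimate.
const HOSTILE = "javascript://twitter.com?%a0alert%281%29";
const LEGIT = "https://twitter.com/login";
console.log(naiveLabel(HOSTILE), "|", safeSiteLabel(HOSTILE));   // twitter.com | null
console.log(naiveLabel(LEGIT), "|", safeSiteLabel(LEGIT));       // twitter.com | twitter.com
console.log(shareMessage("Frans", HOSTILE), "|", shareMessage("Frans", LEGIT));
```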
I had my breakthrough after HackerOne changed their reputation model around 2014. I suddenly popped up as #1 for quite some time back then. At that point I realized I was doing something right. Back then, I also realized I had a responsibility to share as much as possible. Both to actually help other people in getting started, but also to challenge myself to always keep up. Also, the feeling of sharing is one of the best feelings there is.
I try to say that reporting bugs gives you a bunch of “kicks” (like, a rushing feeling in your body). You can divide them into the following bullet points:
The kicks of a bug bounty:
I read A LOT. The interesting thing here is that you can never read too much. It’s really just a game of addition, you never lose your knowledge. Keep reading. By the way, Warren Buffett has suggested a similar technique to succeed in business, reading about 80% of the day.
Absolutely, primarily I talk a lot and do stuff with avlidienbrunn and almroot, but I’ve done some magic both with for example @nnwakelam and @ITSecurityguard as well.
Being a developer, combined with working with a company doing automation, I do a lot of my research using automation. The recon process is very similar to what avlidienbrunn wrote about in his AMA, basically fetching a bunch of data from many different resources trying to get a proper view of the company’s assets. Being good at asset discovery is very much a key to success. Since my research around subdomain takeovers back in 2014, a lot of stuff has happened both in terms of recon tools but also the actual process of looking for similar issues.
I’m actually speaking at AppSec EU on the 18th of May in Belfast about my latest techniques in the domain hijacking area. All the slides will be out after that talk as well. I will actually tell a bit about how to improve the tools out there to create a better coverage of a company’s assets.
My technique is that I start on the surface, then I dig deeper and deeper. A typical flow for me could look something like this: 1. Look for regular input validation mistakes like XSS etc. 2. Proxy all requests and look at them at a later point, marking the ones that look interesting or respond funky. 3. Go through their JavaScript, look for endpoints or parts of the code that do something weird with user provided data. I have taught myself to read minified JavaScript just to be fast and comprehend what’s going on as quickly as possible (I do recommend beautifiers though, you get no chicks by knowing how to read minified code).
My Burp is pretty clean still, I have some protobuf extensions and some JSON-fiddling tools, but nothing spectacular. I use the Chrome JS console a LOT. It’s probably the best and fastest developer tool right now to debug JavaScript, create breakpoints and walk through the code.
I have some recon tools running, pinging me about interesting stuff; it’s a nice combo of a completely transformed version of SubBrute together with Altdns, Massdns and a bunch of bash.
The input validation process of my flow sometimes also catches cases where specific input ends up being parsed in different ways, so I’ve often been finding server side vulns while actually looking for XSS or similar. In the case of template injections, which are becoming increasingly common, there are some common ways to detect them. I recommend looking at some strings in the most common template engines to find a payload that works for you, so you are able to detect when it is actually parsed server side.
I would say there are at least three stages of a program: 1. When they launch, A LOT OF PEOPLE ARE LOOKING. A bunch of dupes. You can find some really good stuff here, but you either need to be fast or thorough, you don’t stumble upon stuff in this stage. 2. When the program has been running for a while. Depending on the company this could either be a minefield of dupes or a pretty good, patched up system. You need to gamble on whether it’s worth spending the time here. 3. When the program has been running for a longer period of time (between 6 months and 1.5 years). The focus is a lot less on this program, but the company continues to ship code all the time. This is actually a really good point to approach the company, as there will be a lot of areas people haven’t been looking at. I sometimes do an old-program walkthrough, going to old programs just to take a look. Reading newsletters from the companies is one of my triggers.
Developer, absolutely. If you are a developer, try to think of times when you thought “Oh shit, I did this wrong, or what if I hadn’t done this, imagine what could have happened”. If you really think about that, you will find a lot of cases where there are anti-patterns or pitfalls in your area of expertise that most likely not all developers have realized. Try to use those moments to make a note and then try to look for the same mistake in bug bounty programs. I promise you it will work.
This is just as broad as “What do you eat?”, so, I will give you five tracks I listen a lot to:
https://open.spotify.com/track/1Xph5ScMGNnwxTD6lhheZ7 https://open.spotify.com/track/6MzuROznsagl5Szc8w3Smj https://open.spotify.com/track/1EbacZvcixTCTzBcJfaua2 https://open.spotify.com/track/58zUXL0gN6eqk6sogjlGnM I’m going to end with some “Swedish Sauce” by Todd Terje: https://open.spotify.com/track/0Def9GQnjyliBmy7LmoXvn
I build a bunch of businesses together with my partner in crime, @piotrzaleski. I travel and talk a lot at conferences, do research for Detectify and a lot of tech and architecture for a company called Centra. I also enjoy biking; I ride an old women’s bike that’s just as solid as a tank to work every day.
Huge impact. Apart from the community, which has been the biggest gain for me personally, I’ve also been able to fund companies of mine using bug bounties. I’ve gotten to know so many people all over the world, and also, being able to go out and speak at conferences has been a huge change in my life. I was really scared going up on a stage in the beginning, but as soon as I got into it, it became so extremely fun and exciting.
Keep digging. Really. You will have times where you just want to quit. Then do that. But come back later. The feeling you get of the kicks I explained a bit above is so rewarding that you really should keep trying.
I have some friends doing hardware and to me they are still doing magic. Magic for me is knowledge about a subject I don’t know anything about, so it’s magic to me. Magic gets you interested, and the goal is often to figure out the tricks. I’m trying to pick their brains as much as I can.
I didn’t have anything to put on it yesterday, so I put some grapes on it. It was weird.
Probably one of those where you expected to get something but got nothing. To me, those are just to be ignored, no need to scream a lot, except to maybe the platform having them as a customer.
One time I got a .NET RCE on a Bitcoin site, resulting in an amazing payout of 0.002 BTC. I partied like a boss that night.
Wow, long list, but I think I would get some stuff to break, talking or playing around with: @NahamSec, @infosec_au, @IAmMandatory, @TheBoredEng, @filedescriptor, @0x6D6172696F, @insertScript, @albinowax, @garethheyes, @magicmac2000, @bbuerhaus, @OrenHafif, @aboul3la, @BenHayak, @irsdl, @shafigullin, @NightRang3r, @sirdarckcat and @Nirgoldshlager.
Techniques enabling collaboration. Collaboration is the logical next step in the progress of how to do bug bounties, and platforms and companies should enable researchers to come together in joint efforts.