BugeDex: Getting Started with Bug Bounty
Introduction
Whenever I saw an article about someone finding a bug or security threat, I wanted to do the same and enter the world of Bug Bounty, but I was unable to find any beginner-friendly resources and eventually gave up. BugeDex proved to be the perfect opportunity for getting started with Bug Bounty.
BugeDex was a workshop organised by CSI-VIT in association with CloudSEK (an AI-powered Digital Risk Monitoring platform providing real-time visibility of cyber threats). The event consisted of a webinar and a hands-on workshop.
Let me start by telling you what bugs exactly are.
Nope… Not that one
A software bug is a fault, error or failure in the software/system being built that produces unexpected results. It can be any component of the system doing things it isn’t expected to do.
Coming back to the session, it was led by an amazing team from CloudSEK:
- Mr. Syed Shahrukh Ahmad (CTO-BeVigil at CloudSEK)
- Mr. Sudipta Pandit (Security Engineer at CloudSEK)
- Ms. Sai Ahladini Tripathy (Engineering Manager at CloudSEK)
Webinar
The webinar started with an introduction to bugs (obviously) and various scenarios where bugs caused huge losses. For example, in 1982 the Vancouver Stock Exchange index started at 1,000 points but surprisingly dropped to half that value in 2 years because of a wrong index calculation caused by the use of floor() in place of round(). So if the index was calculated as 532.7528, it was being stored as 532.752 rather than 532.75, the rounded form, and as many transactions took place the loss eventually amounted to millions of dollars (read more about this here). From this and some other examples I clearly understood that bugs can be very dangerous and that it is essential to eliminate them.
Now let me tell you about some other important topics which were covered in this session.
SDLC
It stands for Software Development Life Cycle. The SDLC is a framework that development teams use to produce high-quality software in a systematic and cost-effective way. Both large and small software organizations use the SDLC methodology.
Software Testing
It is a part of the SDLC and very important to ensure that the user has a proper experience while using the application. The goal is to find errors, gaps, or missing requirements in comparison to the actual requirements. Various kinds of tests are:
- Acceptance tests
- Conformance/Compliance tests
- Usability tests
- Performance tests
- Reliability tests
- Robustness tests
Mainly we test for functional and security vulnerabilities, usability and compatibility.
Guidelines to Write a Report and Triage Process
There are various guidelines to keep in mind while writing a bug report:
1. Describe the bug properly and state the affected endpoint
2. Include the package name
3. Describe the impact and exploitability of the bug
4. Suggest a solution, if known
In the triage process, reports are reviewed and responded to based on the issue severity and asset priority.
OWASP
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving software security in web apps and mobile apps. They maintain a list of the Top 10 most prevalent vulnerabilities in web and mobile applications.
Injection Attacks
Injection attacks allow the attacker to inject some unwanted/malicious code into a program to execute remote commands that can read, modify or delete a database, or change data on a web site. Various types of injection attacks were discussed and I found SQL injection particularly interesting as I have just started learning SQL.
This was the example of SQL injection discussed in the session. As we all know, OR returns true if any one of the given conditions is satisfied, and "1=1" is always true, so by writing this the attacker can access all the details of students from the database.
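To make the "OR 1=1" case above concrete, here is an added example (my own, not from the session's slides) that runs the injected input against a constructed in-memory students table, first through a query built by string concatenation and then through the parameterised form that fixes it. The table, names and roll numbers are made up.

```python
import sqlite3

# Constructed in-memory students table standing in for the session's example database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, roll TEXT)")
    conn.executemany(
        "INSERT INTO students (name, roll) VALUES (?, ?)",
        [("Asha", "21BCE001"), ("Ravi", "21BCE002"), ("Meera", "21BCE003")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, roll: str) -> list:
    # Untrusted input is pasted straight into the SQL text: the quote in the
    # input closes the string literal and the rest becomes part of the query.
    query = f"SELECT name FROM students WHERE roll = '{roll}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn: sqlite3.Connection, roll: str) -> list:
    # Parameterised: the driver passes the value separately, so it is only ever
    # compared as data and cannot change the structure of the query.
    rows = conn.execute("SELECT name FROM students WHERE roll = ?", (roll,))
    return [row[0] for row in rows]

NORMAL = "21BCE002"
INJECTED = "' OR '1'='1"  # the always-true OR condition discussed in the session

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, NORMAL))
    print("vulnerable, injected     :", lookup_vulnerable(conn, INJECTED))  # every student
    print("parameterised, normal    :", lookup_safe(conn, NORMAL))
    print("parameterised, injected  :", lookup_safe(conn, INJECTED))  # no match
```

The same parameterised form is the fix for the non-parameterised SQL issue described under Bug 3 below.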
Hands-On Workshop
Here comes the fun part
We were introduced to BeVigil (developed by CloudSEK themselves), which is the world's first security search engine for threats in mobile apps. You might not believe how amazing this platform is until you try it out yourself.
Simple steps to use BeVigil are:
1. Search for the app and click on View Report. If it is not found, try the Scan App option, giving the package name or Play Store URL of the app, or upload an APK.
2. You will see a dashboard with various tabs such as Vulnerabilities, Strings, etc.
Very easy and simple, right?
Bug Hunt
After the workshop, participants were asked to find bugs in any app of their choice and submit a report to get their name on the leaderboard. So I started searching multiple apps on BeVigil looking for some sort of bug, and soon I was able to find an app (which shall remain nameless) with its Twitter OAuth 2.0 credentials publicly available.
Bug1
Let's discuss what Twitter OAuth 2.0 exactly is. Twitter provides developers with a Key and Secret which are used to generate a Bearer Token. The OAuth 2.0 Bearer Token authenticates requests on behalf of the developer app. Now what can happen is that any unauthorised user can make Twitter API calls (to access data) and exceed the rate limit of that particular developer API, thus crashing the app or preventing the app's users from accessing data through it, and there will also be unregulated access to Twitter data (read more about this here). I found this Twitter OAuth bug in various other apps as well.
But now the problem was that I had no idea how to verify the obtained Key and Secret and see if they actually worked, but the CloudSEK team came to the rescue again, providing this very useful resource for verifying various APIs found during Bug Bounty. Even after the session they were available on Discord helping out beginners like me.
So using Postman I made a POST request entering the said details and, voilà, I was able to obtain the bearer token.
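From the defender's side, the root cause of this bug is a consumer key and secret shipped inside the app, which is exactly what the Strings tab surfaces. Here is an added example (mine, not BeVigil's code) of a simple check for that: it scans a constructed Android res/values/strings.xml for entries whose name suggests a credential and whose value is long and high-entropy. The file contents and the key-looking values are made up and are not real Twitter credentials; the thresholds are my assumptions.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a decoded res/values/strings.xml; the credential
# values are invented and are not real Twitter keys.
STRINGS_XML = """<resources>
    <string name="app_name">Student Portal</string>
    <string name="password_hint">Enter your password</string>
    <string name="api_base_url">https://api.example.com/v1/</string>
    <string name="twitter_consumer_key">k9Qv2Zp8Lm4Xt7Rw1Bn6Jc3Hd</string>
    <string name="twitter_consumer_secret">aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uVwXyZAbCdEfGhIjKlMn</string>
</resources>
"""

# Names that usually hold credentials (assumed keyword list).
SECRET_NAME = re.compile(r"(secret|consumer_key|api_key|access_token|bearer|password)", re.I)
MIN_LEN = 20        # assumed: shorter values are rarely API keys
MIN_ENTROPY = 3.5   # assumed: bits per character typical of random keys

def shannon_entropy(value: str) -> float:
    # Bits of entropy per character; random keys score high, English text low.
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_hardcoded_secrets(xml_text: str) -> list:
    # Flag <string> entries whose name looks credential-like AND whose value
    # looks like random key material; both conditions cut down false positives.
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if not SECRET_NAME.search(name) or len(value) < MIN_LEN:
            continue
        ent = shannon_entropy(value)
        if ent >= MIN_ENTROPY:
            findings.append({"name": name, "length": len(value), "entropy": round(ent, 2)})
    return findings

if __name__ == "__main__":
    for f in find_hardcoded_secrets(STRINGS_XML):
        print(f"{f['name']}: {f['length']} chars, {f['entropy']} bits/char")
```

The fix that a report should suggest is the one the session implied: keep the key and secret on a backend the app talks to, never inside the APK.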
Now I created a report (as taught in the session) to be submitted on the BugeDex platform and got my name on the leaderboard after the report was accepted.
After this I was curious to find more bugs, so I didn't stop and found other bugs as well.
Bug2
Similar to the Twitter OAuth bug, I found a Facebook authentication vulnerability in another app which can cause the same problems.
Bug3
I found a non-parameterised SQL vulnerability in 2 apps which could have been exploited by anyone to delete data from the database.
Conclusion
BugeDex was not only a fun event but quite informative as well. I would like to thank CSI-VIT and CloudSEK for organizing this great event with amazing speakers. This event ignited an interest in Bug Bounty in me.
One major thing I learnt while looking for bugs is that being patient is very important, and now I will continue my journey in Bug Bounty, which started because of BugeDex.
Thank you for reading till the end.