Sunday, 25 November 2012

On Bug Bounties...

I think bug bounty programs are awesome. As much as I can understand that they are not for everyone (I think they require a bit of agility), they are really helpful and have a lot of pros if you use them smartly...

First, as someone who provides learning material, I think a bug bounty can be your first official pentest:

  • You don't need to pass a job interview.
  • You don't need to sell the gig to a company. 
  • You just need to participate and be respectful of the platform.

Furthermore, if you end up being listed in some bug bounty hall of fame, landing a security job will be far easier...

For a company running a bug bounty program, I think you need to be careful: you should probably avoid giving access to your production systems (to avoid a data leak) and instead set up a pre-production environment (AWS EC2?) with anonymised data dedicated to the bug bounty (unless your name is Facebook or Google). Other than that, I see it as a less expensive, more modern alternative to hiring a pentest company. You may end up with a lot of testing from a lot of skilled people, pretty fast and for a reasonable price.

If you're on twitter, you have probably heard of bugcrowd, a new company that offers to manage bounty programs for other companies. I think it's a great idea and I bet a lot of people are already looking into it. I hope they will create a "Private Bounty" program where only identified people (with an identity check) can participate; it would probably reassure the many people who are afraid to run a bounty program because they think everyone will be allowed to attack all their systems (which is not true, since most programs have a scope)...

Saturday, 24 November 2012

Links on code review (1 of many)

Soonish, I will be doing a lot more code reviews...

I put together some links/books and thought I should share them with my readers:

I will do more posts when I find worthy things ;) If you have good links or books you recommend, leave them in the comments :)

I'm also thinking of creating some exercises on (web and/or mobile) code review for PentesterLab.

Friday, 16 November 2012

Accidental security improvements


I'm fascinated by things that improve security even though they were not initially designed for this purpose (as opposed to some appliances that are designed to improve security and don't...).

My first (and favorite) example is the home ADSL router. Back in the day, people (in France at least) used to have a USB modem, and their Windows machine was fully reachable from the Internet with a nice public IP address, and so were their Windows shares... But people started to have more than one computer at home and moved to an "Ethernet router" (this was actually the name, as opposed to "USB router") with NAT, and that prevented unpatched Windows systems with shares from being reachable from the Internet... A simple modification changed a lot, especially if you think about client-side attacks.

Another example is web frameworks (like Ruby on Rails or Spring): they were created to increase developers' productivity, but they became a great asset for security (automatic XSS and CSRF protection, automatic object-to-database mapping, ...). If you're a pentester, you can probably compare the "before frameworks" and "after frameworks" eras and see how many problems are now generally fixed automatically (people still make mistakes, of course).

Do you have more examples?



Wednesday, 14 November 2012

Being accurate...

I'm trying to put together a list of posts for new pentesters, I think that may be helpful to some people. If you are new to pentesting, you probably want to read the following posts as well:


One of the key issues new pentesters have is accuracy; it annoys me most when I'm working remotely with people and can only discuss through IRC.

One of the most common examples is: "I can't access the web application".

"I can't access" means nothing...
  • Do you have DNS resolution for the host?
  • Is the TCP port accessible (hping FTW)?
  • Is the web server available but you have the wrong vhost?
  • Is the web server available but the application errors?

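To make the checklist above concrete, here is an added example (not code from the original post) that walks the four questions in order and stops at the first failing stage, so the report says "DNS", "TCP", "vhost" or "application error" instead of "I can't access". The hostname `app.example`, the address `192.0.2.10` and the bogus `Host` value `nonexistent.invalid` are assumptions for illustration; the resolver, connector and fetcher are injectable so the logic can be run offline with fakes, and default to the real network.

```python
"""Turn "I can't access the web application" into a precise statement.

Added example, not from the original post. Checks, in order: DNS
resolution, TCP reachability, HTTP response, application error (5xx),
and whether the server treats our Host header any differently from an
unknown virtual host. Stops at the first failing stage.
"""
import http.client
import socket
import sys
from typing import Callable, List, Tuple

# Reserved TLD (RFC 2606): never a real vhost, so a server that answers
# identically for it and for our hostname is not keyed on our Host.
BOGUS_HOST = "nonexistent.invalid"  # assumed value for the vhost probe


def real_resolve(host: str) -> List[str]:
    """All A/AAAA addresses for host; raises socket.gaierror if none."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def real_connect(addr: str, port: int, timeout: float = 5.0) -> None:
    """Open and close a TCP connection; raises OSError on failure."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def real_fetch(addr: str, port: int, path: str, host_header: str) -> Tuple[int, int]:
    """GET path from addr:port with an explicit Host; returns (status, body length)."""
    conn = http.client.HTTPConnection(addr, port, timeout=5.0)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def diagnose(host: str, port: int = 80, path: str = "/",
             resolve: Callable = real_resolve,
             connect: Callable = real_connect,
             fetch: Callable = real_fetch) -> Tuple[str, str]:
    """Return (stage, detail); stage is one of
    'dns', 'tcp', 'no-http', 'app-error', 'vhost', 'ok'."""
    try:
        addrs = resolve(host)
    except socket.gaierror as exc:
        return "dns", f"{host} does not resolve: {exc}"
    if not addrs:
        return "dns", f"{host} resolved to no addresses"
    addr = addrs[0]

    try:
        connect(addr, port)
    except OSError as exc:  # refused, timeout, unreachable
        return "tcp", f"{addr}:{port} not reachable: {exc}"

    try:
        status, size = fetch(addr, port, path, host)
    except (OSError, http.client.HTTPException) as exc:
        return "no-http", f"{addr}:{port} accepts TCP but gives no HTTP response: {exc}"
    if status >= 500:
        return "app-error", f"server answers for Host {host} but returns HTTP {status}"

    # vhost check: an unknown Host that gets the exact same 4xx answer
    # means the server is not serving anything specific for our name.
    try:
        bogus = fetch(addr, port, path, BOGUS_HOST)
    except (OSError, http.client.HTTPException):
        bogus = (None, None)
    if status in (403, 404, 421) and (status, size) == bogus:
        return "vhost", f"Host {host} gets the same HTTP {status} as an unknown vhost; probably the wrong vhost"
    return "ok", f"HTTP {status}, {size} bytes for Host {host} at {addr}:{port}"


if __name__ == "__main__":
    # usage: python diagnose.py app.example [port] [path]
    target = sys.argv[1]
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    tpath = sys.argv[3] if len(sys.argv) > 3 else "/"
    stage, detail = diagnose(target, tport, tpath)
    print(f"[{stage}] {detail}")
```

The stage names map directly onto the four bullets: a `dns` or `tcp` result tells the remote colleague the problem is network-level, `vhost` means the port answers but not for that name, and `app-error` means the application itself is failing. Paste the whole `[stage] detail` line into IRC rather than "I can't access".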

In the same way: "I can't log in".

It does not mean anything either:
  • Can you access the application (see above)?
  • Can you access the application and can't log in because the credentials are wrong?
  • Can you access the application and can't log in because the application crashes?
  • Do you have a message saying why?

A key skill for working (remotely) on the same pentest is accuracy in the information you provide. So, as a new pentester, being accurate is easy and will make working with you easier ;)