A Conceptual Introduction to Automating Bug Bounties

Rough Statistics as per Hackerone’s 2020 Report

The Origins of Human Insecurity

Since its beginning, mankind has relied on one another to stay on top of the food chain. Working together, as a community, let us survive long enough for time to fuel our evolution from the ancestral Australopithecus afarensis to modern Homo sapiens. With this evolution came our ability to deceive, & the most popular application of that ability is what we call plagiarism. Plagiarism led to both the diverse cultures & the technological advancements happening all around the world, & both of these phenomena have turned out to be the root cause of modern-day insecurity.

Insecurity is directly proportional to independence. The more independent a living entity of any species gets, the more insecure it becomes inside an ecosystem.

The power of many has always threatened a singularity, except where the singularity has reached a level of intelligence & awareness that many only prophesy about. Intelligence is the ability of the mind to acquire, understand & apply knowledge, whereas awareness is the ability of consciousness to assess, acknowledge & approve the happenings in a being’s surroundings. These two are the core abilities solitary beings use to adapt & dominate in any kind of environment they encounter. But limitations exist even when we aren’t ready to acknowledge them.

The Chakravyūha of Mahabharata

Surviving in the Ecosystem

One can always choose to be happy hoping for the best, but should not delay in planning for the worst either. When a lion wakes in the morning, he knows that if he fails to outrun the leopard, it might be his last day. Similarly, when a leopard wakes in the morning, he knows that if he fails to overpower the lion, it might be his last day. This is the precarious boundary that governs all living entities in nature. Even though they both know that the inevitable is coming someday, they don’t acknowledge their limitations & do whatever is needed to survive for that moment. Their short-term fear of insecurity keeps them from adapting & surviving peacefully in the long term.

A day will come when the ecosystem’s balance gets disturbed by the internal monstrosities, & nature will simply be forced to eliminate a weaker entity or introduce a stronger one to restore the balance inside that ecosystem.

Right and wrong are just a matter of perspective & situation. We should always remember that our competition doesn’t need to be an enemy. If forming alliances can be profitable in the long term for competitors, then they should go for it. Although the leopard has the tactical advantages of being faster & having night vision, the ideal way for him to survive in the long term is to acknowledge his limitation of having less strength, form alliances & be ready for what’s inevitable.

Every living entity has a purpose, a weakness, a strength & competition, all of which are interdependent. The purpose is to maintain the balance by countering or collaborating with the competition while working through the weakness & utilizing the strength efficiently, smartly & responsibly, with intelligence & awareness at their peak, not just for its own well-being but for the greater good.

Rising above the Darkness

We have approached an age of cyber warfare where this law still holds: all warfare strategies are based on deception. The only truth you need in order to understand those strategies is the difference between deception & reality. Deception has always been fueled by ignorance. If you truly want to dissect & break something, never skip digging into its details. There’s always some reason behind everything that happens.

People in today’s world are so happy experiencing the positive vibes around them that their dopamine levels distract them from the details of reality, & they call that distraction ignoring negativity.

Choosing a side & fighting for it, or forming an alliance & establishing peace, are the only two ways of ensuring survival in the long term. Ignorance has never been & will never be an option. It may seem easy to you, but it has never been easy for the ones who are affected & the ones who are left behind to experience the aftereffects.

Ignorance is just a temporary solution with wide-reaching, long-term consequences. The Ostrich Algorithm was only meant to be used in rare situations; excessive use of anything can be a real balance breaker. Light comes and goes at its will, but darkness is the one everlasting thing. Light at its highest intensity will both restrict & harm your vision, but darkness is a neutral thing. Learn to thrive in darkness alone & someday it’ll turn out to be your tactical advantage. And as I pointed out earlier, every tactical advantage comes with a limitation, & this time that limitation is the fear & risk of getting lost.

A perception of deceptive reality is more real than the reality itself.

Comparison between the number of incidents as per Positive Technologies Q1 2021 Report

Light & dark are the only entities in the passage of time that will continue to exist independently, & both have planted enough clues in that same passage to help us differentiate between deception & reality, hidden in the most often ignored details of plain sight, waiting to be interpreted.

The Crowdsourced Revolution

Security is something that is not only supposed to be free of holidays & breaks but also demands evolution with time. I agree that training in-house soldiers & investing in brutal mercenaries to regularly test a kingdom’s security is the ideal way to approach its security, which is why I am very intrigued by the concept of Crowdsourced Security. Although it isn’t something that should be solely relied upon, it has drastically reduced the feeling of insecurity since it was introduced.

Statistics as per Synack’s 2021 Signals in Security Report
Rewards offered by Lazada BBP on YesWeHack

A true warrior must always remember the boundaries of both war & victory.

Either way, it’s also the responsibility of both governments & organizations to stop taking crowdsourced security for granted & to offer practical compensation to security researchers. That is a criterion our selected program has successfully passed. Kudos to that!

Strategy & Tactics

Moving on to strategy: it goes hand in hand with patience. Our strategy will be to first map & explore the attack surface, then carry out automated black-box testing of the assets & rate their insecurity to prioritize manual tests, & finally iterate the entire process for newly discovered assets & exploits. Sounds simple and easy, right? We just have to evolve as the demands change & repeat the entire process in an efficient & easy manner. And again, always remember: an impatient sniper isn’t ready to be a sniper yet.

Defining a strategy gives us a clear vision for achieving the target; otherwise we’ll just be shooting with a myopic eye.

We have got to have a clear-cut idea about what we need to do & what tools are at our disposal. So, first of all, let’s define what we need to do -

  • Enumerate the assets that make up the attack surface.
  • Fingerprint the services & technologies being utilized.
  • Scan for all kinds of vulnerabilities.
  • Monitor for exploits & assets.
  • Organize everything.

Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.

— from Sun Tzu’s The Art of War

Enumerate, Fingerprint, Scan, Monitor & Organize. Now that we have narrowed down our goals, let’s discuss the tools that could help us achieve them. Looking for tools is like going on a wild adventure of buying medicines in an Indian market. There are so many providers of the same salt that studying medicines seems more profitable than studying diseases. In our scenario things get more complicated, mostly because every offering is free. So what most hunters do is use all of them, all the time. That is not recommended at all. I’d rather focus on the techniques & sources these tools use to get me the results. And most importantly, unless you have a rough idea of what a particular tool’s internals look like, never use it. Never hesitate to sandbox & review everything, even its requests, logs & syscalls.

  • domlock — Enumeration of ASNs through subdomains
  • domrep — Ranking the subdomains by reputation
  • faraday — Pentest Management
  • favinizer — Fingerprinting applications through favicons
  • nxscan — Bulk port enumeration & scanning with fancy HTML output
  • rescro — Regex extractor for extracting socials from webpages
  • s3hunter — Enumerating & Fingerprinting S3 buckets
  • xlocate — Searching exploits
  • xray — Scanning vulnerabilities
  • puredns — Filtering DNS wildcards
  • ffuf — Fuzzing inputs
  • github-search — Enumerating endpoints & subdomains from Github
  • gitgraber — Monitoring Github for sensitive data
  • gospider — Spidering web apps & scraping endpoints
  • jaeles — Scanning vulnerabilities
  • gau — Scraping endpoints from passive sources
  • aquatone — Bulk screenshot of web apps
  • amass — Broader attack surface enumeration & visualization
  • dnsx — Enumerating DNS records
  • httpx — Enumerating web servers
  • metabigor — Enumerating ASNs
  • naabu — Enumerating open ports
  • nmap — Scanning open ports
  • nuclei — Scanning vulnerabilities
  • shuffledns — Bruteforcing subdomains
  • subfinder — Enumerating subdomains
  • sqlmap — Scanning for SQL injection
  • dnsvalidator — Retrieving reliable list of DNS servers
  • wapiti — Scanning vulnerabilities
  • burpsuite — Manually testing applications
  • maltego — Performing OSINT
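The strategy above ends with rating the assets for prioritization & iterating for newly discovered assets, and the goals list ends with Monitor & Organize. The following is an added example of that last stage, written for this article; it is not code from Kenzer, Freaker or any of the tools listed. It assumes enumeration results have already been normalized into one JSON record per host with the fields host, ports, tech and status (the sample records are constructed, not real scan output), diffs two runs to find new, removed & changed hosts, and assigns each host a heuristic priority score together with the reasons behind it. The scoring weights and the hostname/technology hint lists are assumptions for illustration, not a standard.

```python
"""Monitor & Organize: diff two enumeration runs and rank hosts for manual review."""
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample records (not real scan output). Real tools each have their
# own output format; a thin adapter would map them onto this assumed shape.
PREVIOUS_RUN = """\
{"host": "www.example.com", "ports": [80, 443], "tech": ["nginx"], "status": 200}
{"host": "api.example.com", "ports": [443], "tech": ["nginx", "express"], "status": 401}
{"host": "old.example.com", "ports": [80], "tech": ["apache"], "status": 404}
"""
CURRENT_RUN = """\
{"host": "www.example.com", "ports": [80, 443], "tech": ["nginx"], "status": 200}
{"host": "api.example.com", "ports": [443, 8080], "tech": ["nginx", "express"], "status": 401}
{"host": "staging-admin.example.com", "ports": [22, 443], "tech": ["nginx", "jenkins"], "status": 200}
"""

# Assumed heuristics: ports other than plain web ports, hostnames that hint at
# non-production or management roles, and management technologies raise priority.
WEB_PORTS = frozenset({80, 443})
SENSITIVE_NAME_HINTS = ("admin", "staging", "dev", "test", "internal", "git")
SENSITIVE_TECH = ("jenkins", "phpmyadmin", "grafana", "kibana")


@dataclass(frozen=True)
class Asset:
    host: str
    ports: FrozenSet[int]
    tech: FrozenSet[str]
    status: int


def parse_run(jsonl: str) -> Dict[str, Asset]:
    """Parse one run into {host: Asset}; a malformed line is skipped, not fatal."""
    assets: Dict[str, Asset] = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            asset = Asset(
                host=rec["host"].lower(),
                ports=frozenset(int(p) for p in rec.get("ports", [])),
                tech=frozenset(str(t).lower() for t in rec.get("tech", [])),
                status=int(rec.get("status", 0)),
            )
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        assets[asset.host] = asset
    return assets


def diff_runs(previous: Dict[str, Asset], current: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Classify hosts as new, removed or changed (ports/tech/status differ) between runs."""
    common = set(previous) & set(current)
    return {
        "new": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "changed": sorted(h for h in common if current[h] != previous[h]),
    }


def score_asset(asset: Asset, previous: Optional[Asset]) -> Tuple[int, List[str]]:
    """Heuristic priority (higher = look at it first) plus the reasons, for explainability."""
    score, reasons = 0, []
    if previous is None:
        score += 3
        reasons.append("new host")
    else:
        added_ports = asset.ports - previous.ports
        if added_ports:
            score += 2 * len(added_ports)
            reasons.append(f"new ports {sorted(added_ports)}")
        added_tech = asset.tech - previous.tech
        if added_tech:
            score += 2 * len(added_tech)
            reasons.append(f"new tech {sorted(added_tech)}")
    non_web = asset.ports - WEB_PORTS
    if non_web:
        score += len(non_web)
        reasons.append(f"non-web ports {sorted(non_web)}")
    hints = [h for h in SENSITIVE_NAME_HINTS if h in asset.host]
    if hints:
        score += 2
        reasons.append(f"hostname hints {hints}")
    tech = sorted(t for t in asset.tech if t in SENSITIVE_TECH)
    if tech:
        score += 2
        reasons.append(f"management tech {tech}")
    if asset.status == 200:
        score += 1
        reasons.append("reachable (HTTP 200)")
    return score, reasons


def prioritize(previous: Dict[str, Asset], current: Dict[str, Asset]) -> List[Tuple[int, str, List[str]]]:
    """Rank every host of the current run; ties are broken alphabetically for stable output."""
    ranked = [(*score_asset(a, previous.get(h))[:1], h, score_asset(a, previous.get(h))[1])
              for h, a in current.items()]
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


if __name__ == "__main__":
    prev, curr = parse_run(PREVIOUS_RUN), parse_run(CURRENT_RUN)
    print("diff:", diff_runs(prev, curr))
    for score, host, reasons in prioritize(prev, curr):
        print(f"{score:2d}  {host:28s} {'; '.join(reasons)}")
```

Run as a script it prints the diff and the ranked list; with the constructed data the new staging-admin host lands on top, the api host with its newly exposed port follows, and the unchanged www host comes last. Persisting each run's JSON is what turns this into monitoring: the next iteration's diff is what decides which assets are worth a human's time.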

The Beauty & Limitations of Automation

The greatest achievement of a war fought with honor should be its victory & not its long tiresome campaign.

— Modified from Sun Tzu’s The Art of War

With this idea in mind, Glatisant’s angels were brought to life — Kenzer & Freaker. Initially, when I started working on Kenzer, it was just a multifunctional Zulip-based chatbot doing simple, petty tasks. Then I started bug bounty, which led me to automate most of the common approaches adopted by the crowd while keeping things simple. The cool thing about Kenzer is that it’s more like a leopard, while Freaker is a lion, the two working together to show how insecure the deer is. Usage of both is basic & simple, & is extensively covered in the repo docs. Believe me, it just gets better & more exciting when you try it out yourself.

I do not like the concept of addiction or hard work, but I do like the idea of pushing a button & making things happen.

Kenzer’s Workflow
A Live Demo of Kenzer

Application Security Testing through Automation is better if done from the inside. It just gets complicated when both adversary & hired adversary have dressed alike.

At the End

Good & evil are just relative concepts. Deer were always meant to be eaten. That’s how things are meant to end in that ecosystem, & only an ignorant person runs away from that truth. The real problem is with the ecosystem. It could have been designed to evolve in a better way, one that facilitates an everlasting balance & a peaceful ending for everyone. And that’s what we are trying to do here at ScanFactory — redesigning the ecosystem. Most of the internal chaos can be solved with carefully calculated separation. Most importantly, the majority of the crowdsourced security community, especially the newcomers, have fallen for the deception of the Indian market & are not doing what they should have been doing. Instead of investing time in researching diseases, they are investing the majority of their time in experimenting with & plagiarizing freely available medicines.

Oxygen may be the vital element responsible for existence but it’s also the element responsible for aging & damaging life itself.

Statistics as per Embroker’s 2021 Cyber Security Statistics Report
ScanFactory’s Competitive Analysis

Everything began from nothing & Nothing will be left at the end of everything.

Ayush Singh

Founder @ Kłapeye Foundation | Strategist @ ScanFactory | Analyst @ ZieTRAD