A Conceptual Introduction to Automating Bug Bounties
ft. ARPSyndicate, YesWeHack & ScanFactory
Is the crowdsourced security model working as intended? The “crowd” becomes more crowded every day but, ask any CISO and most will say, the quality is not improving with quantity. When companies fail to detect the low-hanging vulnerabilities with internal security practices in the first place, they instead expect the crowd to find and report these issues, rather than evolving their security strategies & tactics. Today’s threat landscape demands security to evolve as a continuous and intelligent automated approach.
The Origins of Human Insecurity
Since the beginning of its time, mankind has relied upon each other to stay on top of the food chain. Working together, as a community, has led us to survive long enough that time could fuel our evolution from ancestral Australopithecus afarensis to modern Homo Sapiens. With this evolution came our ability to deceive, & the most popular application of that ability is what we call plagiarism, which led to both diverse cultures & technological advancements happening all around the world & both of these phenomena have turned out to be the root cause of modern-day insecurity.
Insecurity is directly proportional to independence. The more independent a living entity of any species gets, the more insecure it becomes inside an ecosystem.
The power of many has always threatened a singularity. Except in a case where the singularity has reached a level of intelligence & awareness that many are just having prophecies about. Intelligence is the ability of the mind to acquire, understand & apply knowledge whereas Awareness is the ability of consciousness to assess, acknowledge & approve the happenings in a being’s surroundings. These two are the core abilities being used by solitary beings to adapt & dominate in any kind of environment they encounter. But limitations exist even when we aren’t ready to acknowledge them.
Surviving in the Ecosystem
One can always choose to be happy hoping for the best, but should not delay in planning for the worst either. When a lion wakes in the morning, he knows that if he fails to outrun the leopard, it might be his last day. Similarly, when a leopard wakes in the morning, he knows that if he fails to outpower the lion then it might be his last day. This is the precarious boundary that governs all living entities in nature. Even though they both know that the inevitable is coming someday, they don’t acknowledge their limitations & do whatever is needed to survive for that moment. Their short-term fear of insecurity limits them to adapt & survive peacefully in the long term.
A day will come when the ecosystem’s balance will get disturbed because of the internal monstrosities & nature will be just forced to eliminate a weaker entity or introduce a stronger one for bringing back the balance inside that ecosystem.
Right and Wrong is just a matter of perspective & situation. We should always remember that our competition doesn’t need to be an enemy. If forming alliances can be profitable in the long term for competitors, then they should go for it. Although the leopard has a tactical advantage of being faster & having night vision, an ideal way for him to survive in the long term is to acknowledge his limitation of having less strength, form alliances & be ready for what’s inevitable.
Every living entity has a purpose, weakness, strength & competition, which are all interdependent. The purpose is to maintain the balance by countering or collaborating with the competition while working through the weakness & utilizing the strengths efficiently, smartly & responsibly with its intelligence & awareness at its peak, not just for their well-being, but for the greater good.
Rising above the Darkness
We have approached an age of cyber warfare where this law still holds: all warfare strategies are based on deception. The only truth that you need to understand those strategies is the differentiation between deception & reality. Deception has always been fueled by ignorance. If you truly want to dissect & break something then never skip digging its very details. There’s always some reason behind everything happening.
People in today’s world are so happy experiencing positive vibes around them that their dopamine level is distracting them from the details of reality & terming it as ignorance to negativity.
Choosing a side & fighting for it or forming an alliance & establishing peace are the only two ways of ensuring survival in the long term. Ignorance has & will never be an option. It may seem easy to you but has never been easy for the ones who are affected & the ones who are left behind to experience the aftereffect.
Ignorance is just a temporary solution that has long-term consequences affecting widely. The Ostrich Algorithm was only meant to be used in rare situations. Excess usage of anything can be a real balance breaker. Light comes and goes at its will but darkness is the one everlasting thing. Light at its highest intensity will both restrict & harm your vision but darkness is like a neutral thing. Learn to thrive in darkness solitarily & someday it’ll turn out to be your tactical advantage. And as I pointed out earlier, every tactical advantage comes with a limitation, & this time that limitation is the fear & risk of getting lost.
A perception of deceptive reality is more real than the reality itself.
The threat landscape has been evolving rapidly since the beginning of this century & the threat actors are becoming stealthier, faster & smarter with time. They are & have always been operating from the dark, using it as a deception & the only way to counter that deception is to thrive & have a look from the inside. Their deceptive techniques & tactics can only be understood from their perspective & the only way to truly neutralize them is to safely emulate their methodology & developing proper defenses against them, which is something that we at ScanFactory truly specialize in!
Light & Dark are the only entities in the passage of time which will continue to exist independently & both have planted enough clues, in the same passage, to help us differentiate between deception & reality, in the most often ignored details of plain sight, waiting to be interpreted.
The Crowdsourced Revolution
Security is something that is not only supposed to be free of holidays & breaks but also demands evolution with time. I agree that training in-house soldiers & investing in brutal mercenaries to regularly test a kingdom’s security is an ideal way to approach its security which is why I am very intrigued by the concept of Crowdsourced Security. Although it isn’t something that should be solely relied upon, it has drastically reduced the feeling of insecurity since it was introduced.
Without Crowdsourced Security, the extent of innovation that is being carried out would never have happened in the first place in such an independent & fearless manner. I truly appreciate the brokers that have been spreading the ideology of crowdsourcing attackers and helping independent security researchers to responsibly disclose security vulnerabilities.
Especially the platforms like Synack & YesWeHack, which I consider to be the most trustworthy & reliable platforms to outsource security researchers as they do not compromise with identity verification & use an elite crowd to stay efficient & impactful to their customers. YesWeHack has even gone one step ahead by implementing anti-laundering mechanisms for bounty disbursal & showing that they take every aspect of conducting business responsibly.
Moving onto the program we will be exploring today — Lazada, which seems to be a medium-scope BBP & I like that over a VDP. VDPs have their advantages too but they also have a monetary limitation which should & must be backed by genuine reasons. For example, VDP for a critical infrastructure backed by a government seems to be worth it because its compromise impacts very adversely to the citizens & at that time it becomes a responsibility of citizens to rise above monetary motivations & do things out of patriotism, but, doing the same thing for a multinational multibillion-dollar company which is profiting enough do compensate the researchers seems to be not worth it.
A true warrior must always remember the boundaries of both war & victory.
Either way, it’s also the responsibility of both government & organization to stop taking crowdsourced security for granted & offer practical compensation to the security researchers. The criteria which our selected program has successfully passed. Kudos to that!
Strategy & Tactics
Moving onto strategies, it’s something that goes hand in hand with patience. Our strategy will be to primarily map & explore the attack surface to carry out automated black-box testing of the assets & rate their insecurity for prioritization of manual tests & at last, we will iterate the entire process for newly discovered assets & exploits. Sounds simple and easy right? We just have to evolve as per the demands & repeat the entire process in an efficient & easy manner. And again, always remember, an impatient sniper isn’t ready to be a sniper yet.
Defining strategy gives us a clear vision for achieving the target otherwise we’ll be just shooting with a myopic eye.
We have got to have a clear-cut idea about what we need to do & what tools are at our disposal. So, first of all, let’s define what we need to do -
- Enumerate Domains, IPs, ASNs, Repositories, Socials & Endpoints.
- Fingerprint the Services & Technologies being utilized.
- Scan for all kinds of vulnerabilities.
- Monitor for Exploits & Assets.
- Organize everything
Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.
— from Sun Tzu’s The Art of War
Enumerate, Fingerprint, Scan, Monitor & Organize. Now as we have narrowed down our goals, let’s discuss the tools that could help us in achieving them. Looking out for tools is like going down on a wild adventure of buying medicines in an Indian market. There are so many providers of the same salt that studying medicines seems more profitable than studying diseases. But in our scenario, things get more complicated, mostly because every offering is free. So what most hunters do is use all of them at all times. But that’s not recommended at all. I’d rather focus on the techniques & sources these tools are utilizing to get me the results. And most importantly, unless you have a rough idea of how a particular tools’ internals look, never use it. Never hesitate to sandbox & review everything, even the requests, logs & syscalls.
Anyway, I have listed down the tools & their purpose —
- certex — Monitoring for new subdomains through CT logs
- domlock — Enumeration of ASNs through subdomains
- domrep — Ranking the subdomains by reputation
- faraday — Pentest Management
- favinizer — Fingerprinting applications through favicons
- nxscan — Bulk port enumeration & scanning with fancy HTML output
- rescro — Regex extractor for extracting socials from webpages
- s3hunter — Enumerating & Fingerprinting S3 buckets
- xlocate — Searching exploits
- xray — Scanning vulnerabilities
- puredns — Filtering DNS wildcards
- ffuf — Fuzzing inputs
- github-search — Enumerating endpoints & subdomains from Github
- gitgraber — Monitoring Github for sensitive data
- gospider — Spidering web apps & scraping endpoints
- jaeles — Scanning vulnerabilities
- gau — Scraping endpoints from passive sources
- aquatone — Bulk screenshot of web apps
- amass — Broader attack surface enumeration & visualization
- dnsx — Enumerating DNS records
- httpx — Enumerating web servers
- metabigor— Enumerating ASNs
- naabu — Enumerating open ports
- nmap — Scanning open ports
- nuclei — Scanning vulnerabilities
- shuffledns — Bruteforcing subdomains
- subfinder — Enumerating subdomains
- sqlmap — Scanning for SQL injection
- dnsvalidator — Retrieving reliable list of DNS servers
- wapiti — Scanning vulnerabilities
- burpsuite — Manually testing applications
- maltego — Performing OSINT
These 32 tools are the chess pieces you’ll need to start the game. Just like in a game of chess, using any more or different chess pieces means that either the situation demands that evolution or you are just not using the existing ones to their fullest potential, as an entity of the ecosystem.
The Beauty & Limitations of Automation
The greatest achievement of a war fought with honor should be its victory & not its long tiresome campaign.
— Modified from Sun Tzu’s The Art of War
With this idea in mind, Glatisant’s angels were brought to life — Kenzer & Freaker. Initially, when I started working on Kenzer, it was just a multifunctional zulip-based chatbot doing simple petty tasks. Then I started bug bounty, which led me into automating most of the common approaches adopted by the crowd while keeping things simple. The cool thing about Kenzer is that it’s more like a leopard while Freaker being a lion, working together to show how insecure the deer is. Usage of both is pretty basic & simple which is extensively covered in the repo docs. Believe me, it just gets better & exciting when you try it out yourself.
I do not like the concept of addiction or hard work, but I do like the idea of pushing a button & making things happen.
Consider you are sitting by your jacuzzi & you have got few Kenzer instances running, you open your phone, send commands to your Kenzer instances to scan the entire Lazada scope, & by the time you get out, then the entire procedure has already been done but unfortunately, you were unable to find any vulnerabilities, then you decide to get a little hands-on and look out for what the attack surface looks like which leads you into noticing a unique favicon hash popping up on multiple different assets for an application you never heard about & hopefully Xlocate was able to throw you some exploits for the same that you integrated into Freaker to score some bounty. That’s how convenient it is! The scenario is hypothetical but not too far away from reality either. However, there are plenty of limitations with automation.
If you are testing multiple assets of the same program & hoping that your vulnerability testing automation will just keep looking for vulnerabilities forever then brace for impact because a Security Analyst could be sitting on the other side, flagging suspicious scanners all day & keeping you in an illusion that everything is secure. Especially if you are fuzzing over 100 non-contextual exploits at a rate of 200 requests per second from the same machine. Maybe you got lucky but that’s not what Crowdsourced Security was supposed to be. Thousands of Crowdsourced Researchers running the same vulnerability scanning automation at such a high rate will just result in exceeding the target’s bandwidth if not DDoS.
Any properly hardened target, maybe soon if not now, will pick up the public exploits & signatures from public sources to build a firewall signature for it to detect & flag the IPs. Many might even just rate limit the requests. Or they could also just forget about blacklists & stick with whitelists. Most of the firewalls today are designed not just to detect any specific exploit but also to detect the exploitation of vulnerabilities or any specific class of vulnerabilities mostly through the presence of keywords often used to exploit one.
And this is where things start to get complicated for the massively big crowd of the Crowdsourced Security, which I hope you’ll be smart & experienced enough to figure out by yourself and move on from relying on just automation of publicly available vulnerability signatures & exploits & start creating your own by investing some time into doing some actual security research like finding an undiscovered vulnerability or reverse engineering a CVE or playing with Vulhub environments and bypassing the mitigations, something that doesn’t involve relying on unnecessary remote fuzzing at exponential higher rates than usual. This kind of automation should always be done from the inside while keeping the utilization of resources & sensitivity of the target in mind. Otherwise, it’ll just get difficult to identify a needle of adversaries in the haystack of Crowdsourced Security Researchers.
Application Security Testing through Automation is better if done from the inside. It just gets complicated when both adversary & hired adversary have dressed alike.
At the End
Good & Evil is a just relative concept. Deer were always meant to be eaten. That’s how things are meant to end in that ecosystem & only an ignorant person runs away from that truth. The real problem is with the ecosystem. It could have been designed to evolve in a better way which could facilitate an everlasting balance & peaceful ending for everyone. And that’s what we are trying to do here at ScanFactory — redesigning the ecosystem. Most of the internal chaos can just be solved with carefully calculated separation. Most importantly, the majority of the crowdsourced security, especially the newcomers, have fallen into deception of the Indian market & are not doing what they should have been. Instead of investing time in researching diseases, they are investing the majority of time into experimentation & plagiarism of freely available medicines.
Oxygen may be the vital element responsible for existence but it’s also the element responsible for aging & damaging life itself.
We at ScanFactory, not only monitor for new exploits & assets regularly but also the research of independent security researchers while maintaining a strong & experienced team of in-house security researchers who believe & are working harder every day for evolving the current cybersecurity ecosystem.
Additionally, we have transformed the limitations of existing security solutions into our tactical advantage by taking a road less taken. I, personally, always remember & believe in the first line of this blog. That’s why our alliance with industry leaders & open source security repository maintainers enables us not only in offering the best-in-class offensive assessment but also to equip you with next-gen defensive measures.
Everything began from nothing & Nothing will be left at the end of everything.