A Guide To Finding Security Holes For Fun And Profit

With a little practice, those big bug bounties software companies are handing out could be yours.


Paying developers to find bugs is all the rage these days. GitHub just announced a bug bounty program offering ethical hackers $5,000 rewards for discovering vulnerabilities in its platform. This comes just a week after Facebook paid out a $33,500 reward to a researcher who uncovered a security hole.


So how can fledgling hackers reap these kinds of huge rewards?

“If you’re interested in getting involved in security as a field, bug bounty programs are a great way as a practical matter to demonstrate your mastery of the material,” says Neal Poole, a security researcher at Facebook. He would know. Before starting his current position, Poole claimed more than 20 bounties from Facebook, Google and other tech companies.

Now that Poole’s doing internal security audits at Facebook, he has the advantage of being able to access company source code to look for unusual programming styles or areas of code where special requirements force programmers to deviate from standard security practices.

But as an outside bug bounty participant, he got used to relying on “black box” analysis: having access only to the requests the browser sends to the target server and the responses it sends back.

“As an outside researcher, when you’re looking at Facebook, all you have to go on is the requests and responses you see,” says Poole.

To help with that analysis, he uses a free tool called Burp Proxy that sits between his browser and the rest of the Internet. It lets users replay and tweak requests from the browser to better understand how different parameters affect what the server sends back.


“It just makes the testing process that much easier,” he says.

Poole occasionally uses more sophisticated vulnerability-scanning tools, but warns they can sometimes generate time-wasting false positives or lead to a false sense of security when they miss genuine security holes.

“If I run a scanner and it tells me everything is clean, it’s not the same as me looking at the site and saying everything is clean,” he says.

Cross-site scripting vulnerabilities, where it’s possible for a hacker to inject JavaScript into the content a site shows to another user, are among those Poole sees most often, he says. Such attacks generally rely on either linking a victim to a URL with JavaScript encoded inside the address, which the site then echoes back into the victim’s browser, or circumventing the restrictions that prevent users from posting live code to social networking profiles or forum posts.

“When you’re looking for a cross-site scripting issue, one of the things you often do is you take all these fields that are taking user input and you put in all these strings and when they come out, you see if they’re being escaped properly,” says Poole.
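The two sides of what Poole describes, the page template that fails to escape a field and the probe-string check that exposes it, as an added example written for this piece rather than code from the article or from Poole. It assumes a simplified server-side template that drops a search query into an HTML text node; the probe marker and the escaping helper are constructed here.

```javascript
// Added example: reflecting a user-supplied value into HTML, unsafely and
// safely, plus the "put a marker in, see if it comes out escaped" check.
// Everything below is constructed for illustration.

// Escapes the five characters that matter inside HTML text nodes and
// double- or single-quoted attribute values. Other contexts (inside a
// <script> block, a URL, or CSS) need their own, different encoding.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query parameter is interpolated straight into markup,
// so anything the URL carried is rendered as live HTML.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the value is escaped before it reaches the text node.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// The check a tester runs on each input field: send a distinctive marker
// containing the characters that must be escaped, then look for the
// marker appearing verbatim in the response. The marker is inert on its
// own; its presence unescaped is what flags the field for a closer look.
const PROBE = '<xyz123"\'&>';

function reflectsUnescaped(renderFn) {
  const page = renderFn(PROBE);
  return page.includes(PROBE);
}

// Stand-alone demonstration.
console.log('unsafe template reflects marker:', reflectsUnescaped(renderSearchUnsafe));
console.log('safe template reflects marker:  ', reflectsUnescaped(renderSearchSafe));
console.log(renderSearchSafe(PROBE));
```

The check only says whether the marker survived one particular context; a field that is escaped for a text node can still be unsafe when the same value is later placed inside an attribute without quotes or inside a script block, which is why the probe is repeated per field and per place the value is echoed.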

Poole’s website features a number of those types of bugs that he’s found, and, he says, people interested in learning more about searching for security holes can read numerous online tutorials and books like browser security expert Michal Zalewski’s The Tangled Web. Aspiring bug bounty hunters can also practice with tutorials like WebGoat and Damn Vulnerable Web App that offer downloadable websites with deliberately inserted vulnerabilities for researchers to experiment with.


Once new hackers have mastered the basics, they can start looking for holes in real-world sites like Facebook and GitHub, as long as they follow accepted bug bounty practices for not interfering with site operations or other users.

“When you are trying to demonstrate your mastery of the material, the best way to do that is to find a real-world site that has these issues,” he says. “Build a good report; build a proof of concept.”

As the web incorporates new technologies, new classes of security holes inevitably arise, though often they’re variations on bugs that have been seen in the past, Poole says. For instance, as sites move from traditional structured SQL databases to more customizable NoSQL data stores, researchers have seen attackers move from SQL injection to NoSQL injection, but the general principle is the same: sneaking malicious database commands into data sent to the site.
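The “data treated as a command” principle behind the NoSQL variant, as an added example that is not from the article or from Poole. It assumes a login handler that builds a document-store filter from a JSON request body; the document store itself is simulated by a small in-memory matcher that honours operator objects the way such stores do, and the user record is constructed.

```javascript
// Added example: how untyped input becomes a query operator in a
// document store, and the type check that keeps data as data.
// The store, its matcher and the user record are all constructed here.

const USERS = [
  // Real systems store a password hash, not the password; kept plain so
  // the matching logic stays readable.
  { user: 'alice', password: 'constructed-password' },
];

// Minimal filter evaluation imitating a document store: a scalar means
// equality, an object means "apply these comparison operators".
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return doc[field] > arg;
        if (op === '$ne') return doc[field] !== arg;
        return false; // unknown operator never matches
      });
    }
    return doc[field] === cond;
  });
}

function findOne(filter) {
  return USERS.find((doc) => matches(doc, filter)) || null;
}

// Vulnerable: whatever shape the client sent becomes the filter. A value
// that parsed as an object instead of a string is handed to the store as
// an operator, so the "password" field turns into a comparison rather
// than a credential. This is the NoSQL counterpart of string-built SQL.
function loginUnsafe(body) {
  return findOne({ user: body.user, password: body.password });
}

// Hardened: only scalar strings are allowed into the filter, so the
// request can supply data but never an operator. Parameterised queries
// play the same role on the SQL side.
function loginSafe(body) {
  if (typeof body.user !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  return findOne({ user: body.user, password: body.password });
}

// Stand-alone demonstration with a request body whose password field is
// an object, i.e. the parsed JSON carried an operator instead of a string.
const goodBody = { user: 'alice', password: 'constructed-password' };
const operatorBody = { user: 'alice', password: { $ne: '' } };
console.log('safe login, correct credentials:', loginSafe(goodBody) !== null);
console.log('unsafe login, operator body:    ', loginUnsafe(operatorBody) !== null);
console.log('safe login, operator body:      ', loginSafe(operatorBody) !== null);
```

Rejecting non-string values is the minimal fix; a fuller one also validates length and character set and, as the article’s SQL comparison suggests, keeps the query shape fixed in code so the request can only ever fill in values.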

“Very often, right on the heels of those [new] technologies, security researchers are coming along and saying, ‘make sure you don’t forget the lessons of the past in building out these new systems,’” Poole says.

As for Poole’s own activities, he’s enjoying working with bug bounty participants from the other side of the fence but finding that he’s spending less time actually searching after other companies’ bounties than he did in his college days.

“I’ve been kept pretty busy here, so I haven’t quite as much time to spend on bug bounty programs as I used to,” says Poole. “Sometimes, I just lie down and watch some TV or read a good book.”