SEC552: Bug Bounties and Responsible Disclosure

  • Online
12 CPEs

SANS SEC552 teaches students how to apply modern attack techniques, inspired by real-world bug bounty case studies. The course will teach pen testers how to discover and responsibly disclose tricky, logic-based application flaws that automated scanning tools do not reveal.

What You Will Learn

Pen testers and security researchers face the challenge of discovering and weaponizing complicated vulnerabilities in order to properly perform security assessments for applications. Modern applications are enriched with advanced and complex features that increase the attack surface. Every application has its own unique logic that requires the pen tester to deeply understand how the app functions before beginning a security assessment. Discovering and exploiting tricky security bugs in these assessments requires the art of mixing manual and automated techniques.

Bug bounty programs are put in place so that the security community can help vendors discover application security flaws that are difficult to discover and exploit. The scope of such programs includes security bugs for web apps, mobile apps, APIs, and more. Large IT companies, such as Google, Facebook, Twitter, and PayPal, have participated in such programs. Security researchers who follow the responsible disclosure policy of bug bounty programs are rewarded and acknowledged, since such programs improve and secure applications.

SEC552 is inspired by case studies found in various bug bounty programs, drawing on recent real-life examples of web and mobile app attacks. The experiences of different researchers yield ideas for pen testers and developers about unconventional attack techniques and mindsets. Each section of the course is influenced by bug bounty stories that are examined through the following structure:

  • Attack concept: The idea, concept, and root cause of the attack.
  • Test technique: How to test and discover the application security flaw manually and automatically.
  • Attack exercise: This lab uses tools such as Burp Professional to analyze the vulnerable applications.
  • Related bug bounty case study: Analysis of several bug bounty stories that are related to the attack.
  • Defense techniques: The best security practices to defend from the attack and mitigate the application security flaws.

Here are just a few considerations when organizations are implementing bug bounty programs:

  • Regardless of whether a company has a bug bounty program, attackers and researchers are assessing their Internet-facing and cloud applications. Security teams within companies, as well as consulting teams that provide security services for customers, need to understand how to assess Internet-facing applications.
  • Companies rely on single sign-on (SSO) with third parties such as Dropbox. Authentication and session management shared between these sites offer opportunities for attackers.
  • Most companies have cloud applications, many of which have weak APIs, weak single-factor authentication, poor session management, and other issues that can result in data exposure or remote code execution.

In SEC552, students will perform labs on real-world applications using professional tools to practice hunting genuine security bugs. We will then examine web application defenses and extra code review exercises to close the loop on the attacks covered. Finally, we'll look at reporting and responsible disclosure, ensuring delivery of quality app security bug reports with proper description, evidence, and recommendations. Bug bounty stories are full of ideas and clever tactics from which much can be learned about mixing manual and automated techniques. This course will teach you how to apply modern attack techniques to discover and disclose tricky, logic-based application flaws that automated scanning tools will not reveal.

Syllabus (12 CPEs)

  • Overview

    Day 1 begins by introducing you to setting up a bug bounty program in an organization, and how to get started and manage the process. Understanding an app's functionality can open attack ideas and facilitate catching tricky app security bugs. You will learn and practice mapping the app logic and features into HTTP requests of real-life apps. You will learn different techniques inspired by real-life case studies in order to perform authentication bypass and account takeover. You will discover and exploit real-life bugs manually in an authentication bypass exercise. We'll inspect source code to understand the root cause of the bug, and all exercises will be performed on real-life apps using a trial license for Burp Suite Professional. You'll be hunting security bugs like professionals. Tricky logic bugs are some of the hardest to discover and catch in complex apps. You will learn different tricks to conduct logic and authorization bypass attacks while walking through real-life cases in bug bounty programs. An authorization bypass lab will enable you to practice catching tricky logic bugs. Finally, you will learn about various methods to perform SQL injection attacks in different contexts inspired by real-life bug bounty case studies.

    Exercises
    • Exercise 1.1: App mapping
    • Exercise 1.2: Authentication bypass
    • Exercise 1.3: Authorization bypass
    • Exercise 1.4: SQL injection
    • Exercise 1.5: SQL injection - Boolean
    Topics
    • Bug hunting challenges
      • Preparation for bug hunting
      • Reconnaissance and tools
    • App mapping and analysis
      • Identifying app components
      • Translating business into HTTP requests
      • Tracing the data flow
    • Authentication and session analysis
      • Parameter manipulation and account takeover
      • Improper password reset implementation
      • Multi-factor authentication bypass
      • Improper validation on session variables
      • Real-life case studies
      • Authentication and session defenses
    • Authorization and business rules
      • Logic attacks and authorization bypass
      • Parameter manipulation and IDOR
      • Bypassing client-side authorization controls
      • Second order authorization bypass
      • Business rules bypass and lack of integrity checks
      • Improper synchronization between modules
      • Real-life case studies
      • Logic attacks defenses
    • SQL injection
      • Blind SQL injection context
      • Boolean-based SQL injection
      • Time-based SQL injection
      • Bug bounty case studies
      • SQL injection defenses
  • Overview

    Day 2 continues covering various attack techniques for different security bugs such as Open Redirect, Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). The attack techniques covered will draw on real-life bug bounty stories that give different attack ideas for discovery, filter bypass, and exploitation. You will learn attack techniques on modern apps that are rich with client-side code and API calls. You will also learn how to chain different bugs to cause a greater security impact. The day is filled with exercises that will walk you through real-life apps. During the exercises, you'll learn how to discover the bug manually, how to inspect the root cause of the bug from the source code, and how to fix the bug. Finally, you will learn how to deliver quality app security bug reports with proper descriptions and evidence.

    Exercises
    • Exercise 2.1: CSRF
    • Exercise 2.2: Discovering stored XSS
    • Exercise 2.3: XSS bypassing filters
    • Exercise 2.4: API attacks
    • Exercise 2.5: Chaining logic attacks
    Topics
    • Open redirect and server-side request forgery (SSRF)
      • Stealing OAuth access tokens using open redirect
      • SSRF and stealing metadata API key in cloud environments
      • Blind SSRF and mapping internal infrastructure
      • Chaining open redirect and SSRF attacks
      • Real-life case studies
    • Cross-site request forgery (CSRF)
      • Account takeover using CSRF
      • Anti-CSRF token implementation
      • Bypassing CSRF defenses
      • Real-life case studies
    • Cross-site scripting (XSS)
      • Tracing the data flow and analyzing the context
      • Filter detection and WAF bypass
      • Discovering blind XSS
      • Improper input validation and output encoding
      • Real-life case studies
    • Client-side code and APIs
      • Client-side code analysis
      • Mapping APIs attack surface
      • APIs authentication bypass
      • Mobile APIs authorization bypass
      • Improper OAuth implementation
      • XSS and insecure client-side code escaping
      • Real-life case studies
      • APIs defenses
    • Chaining attacks
      • Enumeration and logic attacks
      • Self-XSS and logic attacks
      • Escalating LFI to RCE
      • Command injection and CSRF
      • Real-life case studies
    • Reporting the finding
    • Managing a bug bounty program

Prerequisites

SEC552 is designed for those students who have completed SEC542 or already have equivalent experience. SEC642 students will also benefit from the course.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you not bring a system storing any sensitive data.

Baseline Hardware Requirements

  • CPU: 64-bit Intel i5/i7 2.0+ GHz processor
  • BIOS: Enabled "Intel-VT"
  • USB: 3.0 type-A port
  • RAM: 8GB RAM
  • Hard-drive free space: 30 GB free space
  • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Additional Requirements

These requirements are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Additional Hardware Requirements

  • Network, Wireless Connection: A wireless 802.11 B, G, N or AC network adapter is required.

Additional Software Requirements

  • Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
  • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
  • If you do not own a licensed copy of VMware Workstation or Fusion, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class.
  • Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
  • VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following the instructions in this document.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"During my journey working in bug bounty programs, it was always challenging to catch security bugs. The bugs had to be risky, unique, and tricky so that they wouldn't be considered duplicate by other researchers. This course is inspired by real-life case studies and is designed to help you catch and fix tricky security bugs using logic techniques and professional tools."

- Hassan El Hadary

Reviews

"Much more relevant than any other bug bounty type course I've taken. Too many courses show a couple command lines and say, 'So that's how it works.' Not good enough. This course was great."
Tom Prigg
University of Pittsburgh
Actually applicable, achievable and well explained. Goes beyond what a regular Udemy course would cover.
Erika Hudiono
NASA
Great content with walk-through for the codes and labs, perfect! This course is excellent, and is exactly what I want to learn.
Harry Foy
TELUS
Relevant case studies from an expert in the field which were followed up with corresponding labs for hands on learning opportunities. I think all developers should take this course.
Justin King
L.L. Bean
I've recently started participating in the bug bounty world, and this really helped push me in the right direction for how to approach testing. The labs having the purposeful "missteps" is also useful. I appreciate seeing what DOESN'T work and pivoting to what does!
Elias Martinez
