Find Blue Oceans Through the Competitive World of Bug Bounty

Muneaki Nishimura (nishimunea)
Weekend Bug Hunter
Lecturer of Web Security at Security Camp in Japan

Found 30 Bugs in Firefox
Received Rewards of $70,000+ from Mozilla
Bug 1065909, Bug 1069762, Bug 1080987, Bug 1101158, Bug 1102204, Bug 1106713, Bug 1109276, Bug 1148328, Bug 1149094, Bug 1157216, Bug 1158715, Bug 1160069, Bug 1162018, Bug 1162411, Bug 1164397, Bug 1190038, Bug 1190139, Bug 1192595, Bug 1196740, Bug 1198078, Bug 1207556, Bug 1208520, Bug 1208525, Bug 1208956, Bug 1223743, Bug 1224529, Bug 1224906, Bug 1224910, Bug 1227462, Bug 1258188

Bug Bounty Programs are Competitive
A lot of time and technique is required to avoid duplicates
Example: Bug 1084981 - Poodlebleed (https://bugzilla.mozilla.org/show_bug.cgi?id=1084981)

Hunting Time is Limited (4:00-7:00 AM)
[Chart: on weekdays and on weekends alike, hunting happens between 4:00 and 7:00]

Find and Create Uncontested Bounty Targets
Some tips from my experience of the Firefox bug bounty program

Tip #1: Find Bugs in Web Platforms
["Fox-keh" (C) 2006 Mozilla Japan]
• Browsers and networking features in the OS are less competitive targets
• There are common pitfalls that are not widely known
• Developers make similar mistakes whenever they introduce new features

Learn Known Bugs from Security Advisories and try the same attack scenario on similar features
Mozilla Foundation Security Advisories: https://www.mozilla.org/en-US/security/advisories/

Example: Improper Handling of HTTP Redirect
[Diagram: browser, victim.server, evil.server]
1. The browser sends a request to victim
2. victim answers with "Location: evil" (an HTTP redirect)
3. The browser is redirected to evil
4. The final response comes from evil

Developers expect the following code to get a response only from victim:

    if( request.url.indexOf('http://victim.server/') === 0 ) {
      resource = http.get(request.url);  // the client follows the redirect to evil
      parse(resource);                   // a resource from evil might be used here
    }

But it is still possible to load a resource from evil: the origin check covers only the initial URL, so a resource from evil might be used due to the redirect.

Similar bugs were found, in Firefox and in other browsers:

Firefox
• Bug 1111834 - Cross-origin restriction bypass in navigator.sendBeacon
• Bug 1164397 - Origin confusion in cache data of Service Workers
• Bug 1196740 - Cross-origin restriction bypass in Subresource Integrity (SRI)
Chrome
• CVE-2015-6762 - Cross-origin restriction bypass in CSS Font Loading API
Safari
• CVE-2016-1782 - Non-http port banning bypass in WebKit

Tip #2: Find Bugs in Unstable Features
Firefox Nightly Builds: https://nightly.mozilla.org/
Unstable Features in Dev. Builds are Eligible for Bounty
e.g., Firefox Nightly, Chrome Beta and Dev

Example: Subresource Integrity (SRI)
2015.08.13: SRI has been enabled in Nightly
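As an added illustration of the redirect pitfall in Tip #1 (example code, not from the slides or from Mozilla): the slide's one-time origin check is placed beside a loader that re-validates the origin of every redirect hop. FAKE_NET, naiveLoad and safeLoad are constructed names, and the in-memory table stands in for a real HTTP client so the example runs offline.

```javascript
// Added example (not from the slides): the redirect pitfall from Tip #1.
// A constructed in-memory "network" replaces a real HTTP client so this runs offline.
const FAKE_NET = {
  'http://victim.server/data.json':  { status: 302, headers: { location: 'http://evil.server/payload.json' }, body: '' },
  'http://victim.server/hop.json':   { status: 302, headers: { location: '/ok.json' }, body: '' },
  'http://victim.server/ok.json':    { status: 200, headers: {}, body: '{"from":"victim"}' },
  'http://evil.server/payload.json': { status: 200, headers: {}, body: '{"from":"evil"}' },
};

const ALLOWED_ORIGIN = 'http://victim.server';
const MAX_HOPS = 5;

function isRedirect(res) { return res.status >= 300 && res.status < 400 && res.headers.location; }

// Typical HTTP client behaviour: redirects are followed transparently, so the caller
// never sees the intermediate Location hops.
function httpGetFollowing(url) {
  let cur = url;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const res = FAKE_NET[cur];
    if (!res) throw new Error('no route for ' + cur);
    if (!isRedirect(res)) return { finalUrl: cur, body: res.body };
    cur = new URL(res.headers.location, cur).href;  // Location may be relative
  }
  throw new Error('too many redirects');
}

// The slide's pattern: the origin is checked once, on the initial URL only.
function naiveLoad(url) {
  if (url.indexOf('http://victim.server/') !== 0) return null;
  return httpGetFollowing(url).body;  // body may have come from evil.server
}

// Hardened version: follow redirects manually and re-check the origin of every hop,
// comparing scheme+host+port via URL.origin rather than a string prefix.
function safeLoad(url) {
  let cur = url;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    if (new URL(cur).origin !== ALLOWED_ORIGIN) return null;  // reject a cross-origin hop
    const res = FAKE_NET[cur];
    if (!res) return null;
    if (!isRedirect(res)) return res.body;
    cur = new URL(res.headers.location, cur).href;
  }
  return null;  // redirect loop or too many hops
}
```

With a real client the same structure applies: disable automatic redirect following (or inspect the response's final URL) and apply the origin check to each hop, not just the request you issued.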

PDF document: 2016 - "Find Blue Oceans" (2016 WooYun Summit, White Hat track)
This document was uploaded and shared by 张玉竹 on 2022-04-08 09:07:18