Finding bugs in Azure and the Bounty Program (Nullcon 2017)
Agenda
Azure Attack Surface
Azure Bug Bounty Background
Microsoft Bounty Programs Old and New

| Program | Maximum Bounty | Duration | Active/Closed |
|---|---|---|---|
| Office Insider Bounty Program | $15,000 | End June 15, 2017 | Active |
| .NET Core and ASP.NET Core | $15,000 | Sustained | Active |
| Edge Web Platform on WIP slow | $15,000 | End May 15, 2017 | Active |
| Online Services (O365 and Azure) | $15,000 | Sustained | Active |
| Mitigation Bypass | $100,000 | Sustained | Active |
| Bounty for Defense | $100,000 | Sustained | Active |
| .NET Core and ASP.NET Core RC2 | $15,000 | End Sept 7, 2016 | Closed |
| Nano Server TP5 | $15,000 | Ended 29 July | Closed |
| ASP.NET and CoreCLR (part 1) | $15,000 | 2015 | Closed |
| Microsoft Edge Beta Bounty Program (part 1) | $15,000 | 2015 | Closed |
$1,000 to $30,000 USD
March 1 to May 1, 2017
For additional information about this program: https://technet.microsoft.com/en-us/dn800983
Microsoft Services Bounty Programs Old and New

| Program | Maximum Bounty | Duration | Active/Closed |
|---|---|---|---|
| Double rewards in ExO and Office 365 Portal | $30,000 | Ends May 1, 2017 | Active |
| Online Services - Azure | $15,000 | Sustained | Active |
| Online Services - O365 | $15,000 | Sustained | Active |

Timeline shown on the slide: June 2013 Mitigation Bypass Bounty; Sept 2014 Microsoft O365; Apr 2015 Azure (NEW)
Impact and Payouts

| Vulnerability Impact | Proof of concept | Report Quality | Potential Payout range (USD) * |
|---|---|---|---|
| Elevation of privilege via Office Protected View sandbox escape | Required | High | Up to $15,000 |
| | Required | Low | Up to $9,000 |
| Office VBA macro execution in Word, Excel, or PowerPoint without enabling macros or disabling security mitigations | Required | High | Up to $15,000 |
| | Required | Low | Up to $9,000 |
| Code execution by bypassing Outlook’s automatic attachment block policies | Required | High | Up to $9,000 |
| | Required | Low | Up to $6,000 |

For additional information about this program: https://technet.microsoft.com/en-us/mt797549.aspx
Microsoft Edge Beta Web Platform Bounty (Part 2)
W3C standards
• The bugs must reproduce on the most recent Windows Insider Preview (WIP) slow build or Creator’s Update
• Program runs Aug 4, 2016 to May 15, 2017
• RCE = $15,000
• UXSS/Referer Spoofing/Compromise of privacy or integrity of user data = $6,000
For additional information about this program: https://technet.microsoft.com/en-us/mt761990.aspx
.NET Core and ASP.NET Core Bug Bounty
• Vulnerabilities in the latest available .NET builds
• Program began September 1, 2016 (continuous)
• All bugs have to reproduce in the latest beta or release candidates to qualify
• Pays up to $15,000 USD

| Vulnerability type | Payout range (USD) |
|---|---|
| Remote Code Execution | $15,000 to $1,500 |
| Security Design Flaw | $10,000 to $1,500 |
| Elevation of Privilege | $10,000 to $5,000 |
| Remote DoS | $5,000 to $2,500 |
| Tampering / Spoofing | $5,000 to $500 |
| Information Leaks | $2,500 to $750 |
| Template CSRF or XSS | $2,000 to $500 |

For additional information about this program: https://technet.microsoft.com/en-us/mt764065
Online Services Bug Bounty Program
O365 + Azure
$500 to $15,000 USD
• Double bounty on Exchange Online and the O365 portal for the next 2 months
For additional information about this program: https://technet.microsoft.com/en-us/dn800983
Follow us on the MSRC Blogs to get information on new bounties: https://blogs.technet.microsoft.com/msrc/
Hyper-V
Hyper-V escapes that will receive a bounty
Up to $100,000 USD
For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Mitigation Bypass and Bounty for Defense
• Novel mitigation bypass
• Defense idea that would block an exploitation
Up to $200,000 (Mit. Bypass + Bounty for Defense)
For additional information about this program: https://technet.microsoft.com/en-us/dn425049
Past payouts

| MSRC case | Amount | Vulnerability Type | Security Impact |
|---|---|---|---|
| 31042 | $24,000.00 | OAuth2 Authentication bypass | Auth token theft |
| 34219 | $13,350.00 | Azure virtual network gateway Auth Bypass | Unauthorized Access |
| 32235 | $13,000.00 | Federated identity impersonation via SAML IdP | Elevation of privileges |
| 32377 | $13,000.00 | Double Unicode decoding in URL redirection | Auth token theft |
| 31586 | $12,000.00 | XSS in OAuth2 authorization | Elevation of privileges |
| 32583 | $12,000.00 | Embedded password in Azure Stack VHD | Information Disclosure |
| 32635 | $10,000.00 | Open redirection bypass (%80 char) | Spoofing |
VNet Point to Site Auth Bypass
$13k+ bug bounty paid
Token leaking
account.windowsazure.com%2f evildomain.net
This is seen as a username used to log in to the domain: evildomain.net will get the token, not account.windowsazure.com.
$13k bug bounty paid
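The redirect check behind this slide fails because the validator and the browser disagree about which part of the URL is the host. The Python below is an added illustration, not code from the deck or from Microsoft: it puts a prefix-style check beside a check that parses the raw target and compares the exact host against an allowlist, and runs both over constructed sample targets. The `@` in the second sample is an assumption about how the slide's `%2f ... evildomain.net` case was formed, and the allowlist is invented for the example.

```python
# Added example, not code from the Nullcon 2017 deck or from Microsoft.
# Contrasts a prefix-based redirect check with one that compares the host the
# browser will actually connect to. Sample URLs are constructed; the '@' form is
# an assumption about how the deck's "%2f ... evildomain.net" case was built.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"account.windowsazure.com"}  # assumed allowlist for this example


def naive_is_safe_redirect(url: str) -> bool:
    """Weak check: accepts any target whose text starts with the trusted host.
    It never parses the authority, so userinfo ('user@host') and look-alike
    suffixes ('trusted.com.evildomain.net') slip through."""
    after_scheme = url.split("://", 1)[-1]
    return after_scheme.startswith("account.windowsazure.com")


def strict_is_safe_redirect(url: str, allowed=frozenset(ALLOWED_HOSTS)) -> bool:
    """Hardened check: parse the *raw* URL exactly as a client would (never
    percent-decode first: a decoded %2f turns the userinfo into a path and hides
    the real host), then compare the exact hostname against an allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port           # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False                # also rejects scheme-relative '//host/...'
    if "%" in parts.netloc or parts.username is not None or parts.password is not None:
        return False                # neither percent-encoding nor credentials belong in the authority
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".")
    return host in allowed


# Constructed sample inputs: (redirect target, host a browser would really send the token to)
SAMPLES = [
    ("https://account.windowsazure.com/callback", "account.windowsazure.com"),
    ("https://account.windowsazure.com%2f@evildomain.net/", "evildomain.net"),
    ("https://account.windowsazure.com.evildomain.net/", "account.windowsazure.com.evildomain.net"),
    ("//evildomain.net/callback", "evildomain.net"),
]


def compare_checks(samples=SAMPLES):
    """Return {url: (naive_verdict, strict_verdict)} for each sample target."""
    return {url: (naive_is_safe_redirect(url), strict_is_safe_redirect(url)) for url, _ in samples}


if __name__ == "__main__":
    verdicts = compare_checks()
    for url, real_host in SAMPLES:
        naive, strict = verdicts[url]
        print(f"{url:55} -> {real_host:42} naive={naive!s:5} strict={strict}")
```

Run it directly to print the verdict table. The point to carry away: decide on the host taken from the raw string the client will parse, and never percent-decode a redirect target before deciding where a token is allowed to go.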
OAuth Authorization XSS
$12k bug bounty paid
(Diagram: "Login with" button → OAuth Provider consent page "Authorize MyApp to access: account, email…" with Yes/No → "Welcome Michael!" after clicking Yes)
Blind Stored XSS
$2k bug bounty paid
URL-encoded:
javascript%3a%2f*<%2fscript><svg%2fonload%3d'%2b%2f"%2f%2b%2fonmouseover%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f%2fue73s5anaf53xull8bw0.burpcollaborator.net%2f).replace(%2f%2fg%2c[]))%2f%2f'>
Decoded:
<svg/onmouseover=1/+/[*/[]/+((new(Image)).src=([]+//ue73s5anaf53xull8bw0.burpcollaborator.net/).replace(//g,[]))//'>
Insecure links
$500 bug bounty paid
Online Services Bug Bounty Program
Security Vulnerability Types
• XSS
• CSRF
• Authentication vulnerabilities
• Privilege escalation
• Injection vulnerabilities
• Insecure direct object reference
• Unauthorized cross tenant access or tampering
• Server-side code execution
• Significant security misconfiguration
The highest bounties can be earned on:
1. Authentication vulnerabilities – OAuth, SAML 2.0 related bugs
2. Privilege escalations
3. XSS and CSRF (on high traffic, high impact sites)
For additional information about this program: https://technet.microsoft.com/en-us/dn800983
In-Scope Domains
• *.onedrive.live.com
• *.onedrive.com
• login.windows.net
• login.microsoftonline.com
• login.live.com
• portal.azure.com
• manage.windowsazure.com
• account.windowsazure.com
• blog.azure.com
• portal.office.com
• outlook.office365.com
• outlook.office.com
• *.outlook.com
• *.sharepoint.com (excluding user-generated content)
• *.lync.com
• *.officeapps.live.com
• www.yammer.com
• *.sway.com
• *.storage.live.com
• *.skyapi.live.net
• *.apis.live.net
• *.settings.live.net
• *.policies.live.net
• api.yammer.com
• management.azure.com
• management.core.windows.net
• graph.windows.net
• *.passwordreset.microsoftonline.com
• account.activedirectory.windowsazure.com
• syncfabric.windowsazure.com
• provisioningapi.microsoftonline.com
• enterpriseregistration.windows.net
• adminwebservice.microsoftonline.com
• credential.activedirectory.windowsazure.com
• reportingservice.activedirectory.windowsazure.com
• *.remoteapp.windowsazure.com
In-Scope Domains (continued)
• <Tenant>.scm.azurewebsites.net (excluding user-generated content)
• <Tenant>.ftp.azurewebsites.net (excluding user-generated content)
• <Tenant>.batch.core.windows.net (excluding user-generated content)
• <Tenant>.batchapps.core.windows.net (excluding user-generated content)
• <Tenant>.trafficmanager.net (excluding user-generated content)
• <Tenant>.media.windows.net (excluding user-generated content)
• <Tenant>.azure-mobile.net (excluding user-generated content)
• <Tenant>.task.core.windows.net (excluding user-generated content)
• <Tenant>.watask.core.windows.net (excluding user-generated content)
• <Tenant>.workflow.windows.net (excluding user-generated content)
• <Tenant>.biztalk.windows.net (excluding user-generated content)
• <Tenant>.servicebus.windows.net (excluding user-generated content)
• <Tenant>.vault.azure.net (excluding user-generated content)
• <Tenant>.blob.core.windows.net (excluding user-generated content)
• <Tenant>.table.core.windows.net (excluding user-generated content)
• <Tenant>.queue.core.windows.net (excluding user-generated content)
• <Tenant>.files.core.windows.net (excluding user-generated content)
List available at: https://technet.microsoft.com/en-us/security/dn800983
Bug Bounty Out-Of-Scope
• High volume scanning
• Abusing gathered credentials
Rewarding scheme

| CVSS Score, inclusive of "environment" score | Bounty Payout |
|---|---|
| 1 | $500 |
| 2 | |
| 3 | |
| 4 | |
| 5 | |
| 6 | |
| 7 | |
| 8 | |
| 9 | |
| 10 | $15,000 |
Horizontal Abuse vs Vertical Abuse
(Diagram, privilege level increasing from bottom to top: Anonymous users; User A and User B, User C and User D, User E and User F, each pair under an App Admin; two Tenant Admins; a single Fabric Admin at the top)
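One way to make the slide's two abuse classes concrete in code, as an added example that is not from the deck or from Microsoft: the privilege ladder becomes an ordered role enum, and each denial names whether it blocked a horizontal move (another user's or another tenant's object at the same rung) or a vertical one (an object above the caller's rung). The tenants, principals and resources are constructed for the example, and the rule that only the fabric admin crosses tenant boundaries is an assumption drawn from the diagram's layout.

```python
# Added example, not code from the Nullcon 2017 deck or from Microsoft.
# Models the slide's privilege ladder and labels each denial with the abuse
# class it blocks. Tenants, principals and resources are constructed.
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Role(IntEnum):
    """Privilege ladder from the slide, lowest to highest."""
    ANONYMOUS = 0
    USER = 1
    APP_ADMIN = 2
    TENANT_ADMIN = 3
    FABRIC_ADMIN = 4


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str    # "" for principals that belong to no tenant (anonymous, fabric admin)
    role: Role


@dataclass(frozen=True)
class Resource:
    ident: str
    tenant: str      # tenant that owns the object
    owner: str       # user who created it
    min_role: Role   # lowest rung allowed to act on it


def authorize(caller: Principal, resource: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason); every denial says which abuse class it blocks."""
    # Vertical abuse: the caller sits below the rung the object requires.
    if caller.role < resource.min_role:
        return False, "vertical: %s below required %s" % (caller.role.name, resource.min_role.name)
    # Horizontal abuse across tenants: only the fabric admin may cross a tenant
    # boundary (assumption taken from the diagram, where it sits above all tenants).
    if caller.tenant != resource.tenant and caller.role < Role.FABRIC_ADMIN:
        return False, "horizontal: cross-tenant access"
    # Horizontal abuse inside a tenant: a plain user reaches only their own objects
    # (the insecure-direct-object-reference case); that tenant's admins reach all of them.
    if caller.role == Role.USER and resource.owner != caller.name:
        return False, "horizontal: another user's object"
    return True, "ok"


# Constructed scenario mirroring the diagram's labels; tenant names are made up.
ANONYMOUS = Principal("Anonymous", "", Role.ANONYMOUS)
USER_A = Principal("User A", "contoso", Role.USER)
USER_B = Principal("User B", "contoso", Role.USER)
USER_C = Principal("User C", "fabrikam", Role.USER)
APP_ADMIN_CONTOSO = Principal("App Admin", "contoso", Role.APP_ADMIN)
TENANT_ADMIN_FABRIKAM = Principal("Tenant Admin", "fabrikam", Role.TENANT_ADMIN)
FABRIC_ADMIN = Principal("Fabric Admin", "", Role.FABRIC_ADMIN)

MAILBOX_A = Resource("mailbox-a", "contoso", "User A", Role.USER)
APP_CONFIG = Resource("app-config", "contoso", "App Admin", Role.APP_ADMIN)
DIRECTORY = Resource("contoso-directory", "contoso", "Tenant Admin", Role.TENANT_ADMIN)


def decision_matrix():
    """Evaluate the scenario; keys are (caller name, resource id)."""
    cases = [
        (ANONYMOUS, MAILBOX_A), (USER_A, MAILBOX_A), (USER_B, MAILBOX_A), (USER_C, MAILBOX_A),
        (USER_A, APP_CONFIG), (APP_ADMIN_CONTOSO, APP_CONFIG), (APP_ADMIN_CONTOSO, DIRECTORY),
        (TENANT_ADMIN_FABRIKAM, DIRECTORY), (FABRIC_ADMIN, DIRECTORY),
    ]
    return {(c.name, r.ident): authorize(c, r) for c, r in cases}


if __name__ == "__main__":
    for (who, what), (ok, why) in decision_matrix().items():
        print(f"{who:13} -> {what:18} {'ALLOW' if ok else 'DENY '} {why}")
```

The ordering of the three checks matters for triage as much as for correctness: a report that trips the first branch is a privilege escalation, one that trips either of the other two is a cross-tenant or IDOR finding, which is how the deck's vulnerability types separate as well.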
Get cracking (no pun intended)
• Azure offers: https://azure.microsoft.com/en-us/free/
Card won’t be charged; in fact you need to manually enable it.
The “old” portal, https://manage.windowsazure.com
Also covered in bug bounty
Adding users to your tenant.
Adding enterprise applications to your tenant can be done using different channels.
Bounties Paid To Date
• Mitigation Bypass, Bounty for Defense and BlueHat Prize: > $600,000 USD
• Online Services Bug Bounty: > $400,000 USD
• Software Bounties: > $200,000 USD
Finder Appreciation and Retention (FAR)
Unique Opportunities
• BlueHat invitations and speaking opportunities
• Private Microsoft party invites at various conferences
• Bountycraft invitations
• Get hired by Microsoft
Rewards
• At conferences we award top finders with MSDN licenses, customized Surface Pro laptops, Surface Books and other hardware
• This will continue to grow
Bounty
• Bounties are offered across a number of Microsoft products
• This will continue to grow
Credit
• Credit to finders in the form of CVE number attribution, and a formal thanks in the KB articles
• This will continue
For more information:
• https://technet.microsoft.com/en-us/security/mt767986
• https://technet.microsoft.com/en-us/security/dn469163
Making It To The MSRC Top 100 List
The severity, quality and quantity of the bugs you send determine your rank in the MSRC Top 100
MSRC has 1000s of finders across time
• Most have reported 1 bug over time
• Many times the 1 bug was a duplicate
• A few more have reported 2-3 across time
Our top 100 finders report regularly
• Responsible for most of our critical vulnerabilities
• Discover 2+ novel security bugs per year
• Still get regular duplicate reports (internally or externally known)
The top 10 have reported LOTS of bugs
• Spend most of their time looking for bugs
• Many work for partner companies
• Others are full-time bug hunters: penetration testers, professional bug bounty hunters
Now we’re running, what are the rules of the game?
• CVD: Coordinated Vulnerability Disclosure
• Keep customers secure by maintaining the confidentiality of the vulnerability report to MSRC.
• You can submit exploits to us up to 90 days after sending us the vulnerability and can still claim the full reward
• If you wish to discuss the vulnerability publicly or blog about it, please wait until it has been fixed and patches have been released to customers.
• Preferably, 30 days after it has been patched. This gives customers enough time to take the patch
• Never publish any exploit code (please)
• We are happy to provide technical review of any talks, white papers or blogs you are publishing
Take Action
1. Visit https://aka.ms/BugBounty for a current list of active bounties
2. Identify the bounty you want to go after and start hacking away at it
3. Report your findings to secure@microsoft.com
   • Describe the bug and how you exploit it
   • Provide a Proof of Concept (PoC)
   • For complicated bugs (software) provide a white paper or detailed write-up
   • If it’s a high quality report, you get larger bounties
   • If it has greater impact to Microsoft, you get larger bounties
4. Give us your name and a good email to reach you at
5. Encrypt with our public key (if it’s a PoC or working exploit)
6. For eligible bounty cases, GET PAID!
Recap

Finding_bugs_in_Azure_and_the_Bounty_Program_Nullcon2017.pptx


Editor's Notes

  1. This is a brief overview of the Microsoft bounty programs. As we progress – we’ll go a little more in depth. The table is sorted by date of program launch We launched the office insider bounty program at csw for 3 months This does not include the IE 11 bounty program
  2. This is a brief overview of the Microsoft bounty programs. As we progress, we’ll go a little more in depth. The table is sorted by date of program launch for relevant bounties.
  3. - PV (Protected View) is the Office sandbox; see the CanSecWest 2010 presentation. - VBA allows code execution by design; once running, there are no mitigations. - No bypasses. Escapes. - Outlook attachments... ILOVEYOU. - Logic flaws are interesting in these areas. These areas are ones that will likely need deeper human thought versus running automation (fuzzers).
  4. I like to call it part 2 of the Edge beta bounty series, as the first one was in 2015. Please submit RCE and W3C standards bugs. We want you to use our latest bits and partner with us to help us understand the issue better. Additional money will be awarded for those who submit bugs on WIP slow. All bugs must reproduce on the Windows Insider Preview slow branch. A lot of you have had questions in the past on why we focus primarily on beta; one of the reasons is that we want to find all these bugs in our latest and greatest software in earlier development stages. It ensures the end user receives the most secure software possible (it’s been through internal and crowdsourced pen testing).
  5. .NET Core & ASP.NET Core are the cross-platform and open source implementations of .NET and ASP.NET.
  6. Moving on to the largest bounty scope: our online services bounty programs. This includes Azure and Office 365 properties. A snippet of the domains are: O365 sites = yammer.com, sway.com, sharepointonline.com, exchangeonline.com; Authentication = Hotmail, Outlook and AAD = login.live.com, login.microsoftonline.com; Azure = approx. 35 eligible Azure endpoints including our storage services. Call out to Azure credit. We plan to add more in the near future. Please look at the Microsoft bug bounty site to get a detailed overview of the domains.
  7. Hyper-V is a Microsoft security feature that we protect quite dearly. We will pay the highest amount for this: Hyper-V escapes (guest -> host, guest -> guest). Additional information about this can be found in the mitigation bypass terms page online and here (point to bottom). A lot of folks weren’t aware that we bounty Hyper-V since it is listed in the mitigation bypass.
  8. A security mitigation tries to improve the security of our products. The mitigation bypass bounty falls squarely in our goal to make it harder to exploit our products by eliminating classes of bugs. Hence, if you find a way to break our defenses, we want to know and we are paying top dollar for it. Then read from slide: We urge you to submit … Mitigation bypasses include stack and heap corruption and code execution. Stack = overrun of a buffer beyond the amount of stack space that was allocated; mitigations include the buffer security check. Heap = mistakes that make it possible to write beyond the bounds of a heap buffer. DEP: you can only run code from executable memory. ASLR: it’s hard to find where things are in memory, and it is fundamentally about randomness. CFG: you can only indirectly call valid functions. ACG, child process policies and other mitigations in the latest Creator’s Update (released on April 11, 2017).
  9. This slide gives an overview of the payouts on our services bugs. Focusing on the bugs marked in orange leads to the highest payouts; with the double bounties, generally $30K. We award bounties based on where the bug falls in the CVSS scale. Talk about double bounties. To identify the highest paid bugs, we looked at all O365 and Azure bugs paid since 2014; authentication type bugs reap the highest rewards.
  10. We’ve paid over a million dollars in bounties to date. The following are the dollars paid out for the bounties.
  11. Moving on to the next part of the presentation; this portion focuses on what you get when you report bugs to MSRC. CVEs, bulletin acknowledgements and bounties are the more obvious ones in this list. In August 2016, during Black Hat, we launched the new conference speaker acknowledgement page. We also offer free software and hardware to researchers who regularly partner with us. If you are a prolific researcher who has contributed to the security of our customers, then you will be awarded MSDN based on Microsoft’s discretion. Can you put a price on a sentiment? Not really. We sincerely value your partnership and go above and beyond to create custom swag for you. We reserve Surfaces for the elite researchers; we laser etch them with the bounty logo and your handle. And the best bit is unique opportunities to directly work with us to make our products secure.