Bug hunting without much tech knowledge or many tools

Bas Venis has been programming since he was 14 years old. After gaining some experience as a web developer, this 18-year-old self-taught security researcher got into IT security and aimed his sights at browsers. Specifically, at logic flaws that could be exploited.

Venis volunteered last year at the Hack in the Box Conference in his native Amsterdam, and he participated in CTF contests for a year before properly wading into the security field.

This year, he was one of the speakers at HITB, and shared information about the techniques he used, noting that a significant amount of browser vulnerabilities could be discovered in a black-box way of testing by challenging the logic of the sandbox and other security measures.

His lack of experience, technical knowledge and tools is what made him decide to concentrate on finding business logic bugs and, ultimately, he unearthed multiple vulnerabilities in Google Chrome and Flash player over the course of the last 2 years.

He admittedly did not know how to start his search, so he simply took a browser and started trying different stuff without actually knowing what he was doing. When he came across “weird” behaviours, he noted them, and later tried to exploit them.

The first vulnerability he found was CVE-2013-6636 in Google Chrome, and he used only the browser’s console to perform the research.

Realising that it wasn’t as hard as he initially thought it would be, he turned to Flash player, and searched for bugs in the sandbox logic and conflicts in the implementation of the Flash sandboxes in combination with the browser’s own sandbox.

Initially he found vulnerabilities that he could exploit locally, but then tried – and succeeded – in finding logic flaws that could be concatenated and exploited remotely to exfiltrate local user files.

His experiences with disclosing the flaws to the Chrome team and Adobe were ultimately positive, and he was satisfied with both the acknowledgment and the rewards.

Part of the reason he decided to talk about his experience publicly is to encourage other wannabe bug hunters to try this approach.

“I’m convinced anyone with general technical knowledge about the web-stack could find vulnerabilities like these. I hope to see more people that are new to IT security look into these types of vulnerabilities,” he said, noting that one of the advantages is that not many researchers are looking into them, so the field is ripe for picking.

Another is that you don’t need many tools.

On the negative side, there is not much information and resources on how to go about targeting this type of bugs. But still, he believes this is a more accessible way for new researchers to achieve successful results – all they need is dedication and creativity.

For those who are intrigued by his efforts and would like to know more, Venis helpfully described his vulnerability discovery process in this paper. Slides from the talk are also available.