Bug Bounty Tips — Part 1

Julio Sergio
3 min read · Nov 14, 2022

To read the Portuguese version, click here

Context

I have read some articles and writeups about bug bounty, and I tried to focus on broken access control vulnerability writeups because I want to learn this vulnerability type first. These are the annotations that I made. The articles/writeups are linked at the end. I recommend reading them to have a better understanding, and maybe writing your own annotations if you want.

Tips

  • Read as many web hacking books as possible (Bug Bounty Bootcamp and the Web Hacker’s Handbook 2 and 3 are good recommendations)
  • Frequently read writeups on Medium
  • Complete modules on PortSwigger
  • Go beyond and prove impact (for example, in XSS don’t just use alert(1); prove that you can steal cookies with this vulnerability)
  • Build your own custom recon scripts
  • Find unique tools on GitHub and test them, learn them and know exactly what they do
  • Don’t use just one tool. In subdomain enumeration and directory brute force, for example, you should use multiple tools
  • Always read the JavaScript; there can be really important information in the JavaScript of a website
  • Develop your own methodology and keep improving it
  • Focus on only one bug bounty program, spend a lot of time on it and understand the flow of its application. Broken access control, for example, can often be found in features that people never bother to test, because they only skim the application or don’t understand it
  • Build a list of the requests and parameters of the application that you are testing
  • Get all the subdomains and put them in the Scope of Burp Suite (by the way, if you are not using Burp Suite, start using it)
  • Use URL discovery tools, like search engines, search APIs, JavaScript and GitHub, to search through indexed URLs. Doing so, maybe you can find private keys
  • Exercise every function the website offers, with every HTTP request method
  • Have more than one testing account on the website
  • Try to manipulate requests that get 403 responses
  • At the end, export all the requests with IDs and either throw them in a text editor and use “find and replace” to change the IDs to other ones (that can be great for finding requests that let you act as if you were someone else), or manually mess with them again to see what you have missed
  • Once a vulnerability class is done testing, move to the next one
  • Identify all subdomains within scope, test to see what is “alive” and what is not, and then build a file with this information
  • Identify exactly which parameters each request takes and what data is allowed in these parameters, using several tools, and put this information in a list
  • Check exactly which parameters are reflected within each URL query
  • In XSS, don’t just use alert(1), because maybe alert is blocked but other words aren’t
  • Look at Burp Suite’s request history for endpoints that require a higher-privilege account and see if they can be accessed with a lower-privilege account
  • To search for broken access control with automation, use the Autorize Burp Suite extension
  • To search with a manual process, use PwnFox
  • Spend some time on the program page on HackerOne (or whichever other bug bounty platform you use)
  • Try searching in the Pro/Premium/VIP services; only a small number of hunters do that
  • If you don’t know what something means, google it (seems obvious, but it is very good to remember that)
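The two access control patterns that several tips above point at (swapping an ID in an exported request to read someone else’s data, and calling an endpoint that is meant for a higher-privilege account from a lower-privilege one) are easiest to understand from the server side. The following is an added example, not code from the original post or from the linked writeups: a small in-memory app with the vulnerable handler next to its hardened version for each pattern, and a `compare` helper that returns the status pair both versions give for the same request, which is the kind of difference the Autorize extension surfaces. All users, records, routes and the `Request`/`Response` types are constructed for this example.

```python
"""Added example (not from the original post): broken access control
on an object ID (IDOR) and on an admin-only function, each shown as
the vulnerable handler beside the hardened one. All data constructed."""
from dataclasses import dataclass

# Constructed sample data: two ordinary users and one admin.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
# Constructed records; the `owner` field is what the hardened lookup enforces.
INVOICES = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 17.5},
}


@dataclass
class Request:
    user: str      # authenticated principal (session already validated)
    method: str    # HTTP method
    path: str      # e.g. "/invoices/101"
    params: dict   # query/body parameters, e.g. {"id": 101}


@dataclass
class Response:
    status: int
    body: object = None


# --- Vulnerable handlers: the "find and replace the IDs" tip finds these ---

def get_invoice_vulnerable(req: Request) -> Response:
    """Looks the invoice up by the client-supplied ID only. Any logged-in
    user who swaps the ID sees someone else's invoice (IDOR)."""
    inv = INVOICES.get(req.params.get("id"))
    return Response(200, inv) if inv else Response(404)


def delete_user_vulnerable(req: Request) -> Response:
    """Admin feature whose only 'authorization' is that the UI hides the
    button from non-admins; the endpoint itself never checks the role.
    Returns a confirmation without mutating USERS so the example re-runs."""
    target = req.params.get("username")
    if target not in USERS:
        return Response(404)
    return Response(200, {"deleted": target})


# --- Hardened handlers: ownership and role enforced server-side ---

def get_invoice_hardened(req: Request) -> Response:
    inv = INVOICES.get(req.params.get("id"))
    if inv is None:
        return Response(404)
    # Object-level check: the record must belong to the caller, or the
    # caller must be an admin. 404 rather than 403 so an unauthorized
    # caller cannot tell which IDs exist.
    if inv["owner"] != req.user and USERS[req.user]["role"] != "admin":
        return Response(404)
    return Response(200, inv)


def delete_user_hardened(req: Request) -> Response:
    # Function-level check first: the role requirement lives on the
    # endpoint, independent of what the UI shows or hides.
    if USERS.get(req.user, {}).get("role") != "admin":
        return Response(403)
    target = req.params.get("username")
    if target not in USERS:
        return Response(404)
    return Response(200, {"deleted": target})


def compare(handler_vuln, handler_hard, req: Request) -> tuple:
    """Run one request through both versions and return the status pair."""
    return handler_vuln(req).status, handler_hard(req).status


if __name__ == "__main__":
    # Bob replaying Alice's invoice request with the ID changed.
    bob_reads_alice = Request("bob", "GET", "/invoices/101", {"id": 101})
    print("IDOR:", compare(get_invoice_vulnerable, get_invoice_hardened, bob_reads_alice))
    # Bob calling the admin-only endpoint directly.
    bob_deletes = Request("bob", "DELETE", "/admin/users", {"username": "alice"})
    print("role:", compare(delete_user_vulnerable, delete_user_hardened, bob_deletes))
```

Running the block prints `(200, 404)` for the ID swap and `(200, 403)` for the admin endpoint: identical status codes between the two accounts is what flags a candidate, and the fix in both cases is a check the server performs on every request, never one the UI performs by hiding a button or a link.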

Articles/Writeups

How To Earn Your First Bounty — https://medium.com/@tobydavenn/how-to-earn-your-first-bounty-6fb37ef77bbd

$1500 Of Broken Access Controls — https://medium.com/@tobydavenn/1500-of-broken-access-controls-503d8a5f56f5

$700 Bounty writeup — https://medium.com/@tobydavenn/700-bounty-writeup-28ec1f310831

Access control worth $2000 (everyone missed this IDOR+Access control between two admins.) — https://medium.com/pentesternepal/access-control-worth-2000-everyone-missed-this-idor-access-control-between-two-admins-9745eaf15d21


Julio Sergio

I'm a web developer who posts about the things I learn.