Bug Bounty Hunting
A simple and minimalist guide to start into Security Researching, specifically in the Bug Bounty.
What to do to start into Bug Bounty Hunting or Security Research
Essential Checklist
Discovery
Code Review
Authentication & Authorization attacks
Function-specific / business logic attacks
Technology-speficic atack
SSRF
IDORs
Injection (Headers, Cookies, APIs, Parameters, Values)
Other attacks (depends on the app)
Reporting and Get Bounty
Bugs & Vulnerabilities Checklist
Subdomain Recon
Subdomain Takeover
Open Ports
Admin panel
Default Credentials
Find Parameters
XSS
Path Traversal
LFI
RFI
Command Injection
Open Redirect
SQL Injection
NoSQL Injection
SSTI Injection
Cloud Enumeration
Open Buckets (AWS, Azure, Google Cloud, etc...)
Fuzzing Common Paths
401/403 Bypass
Directories and Endpoints
Login Panels
Forms and Inputs
Information Disclosure
IDOR
Top Vulnerabilities 2024
Authentication & Authorization attacks
Manual / Business Logic Error
NoSQL Injection (MongoDB & Redis)
Cross-site scripting (XSS)
Insecure direct object reference (IDOR)
Information Disclosure
SQL Injection
API Hacking
HackerOne Top 10 Vulnerabilities 2023
Improper access control - generic
Information Disclosure
Cross-site scripting (XSS) - Reflected
Insecure direct object reference (IDOR)
Privilege Escalation
Cross-site scripting (XSS) - Stored
Misconfiguration
Improper authentication - generic
Business logic errors
Cross-site scripting (XSS) - DOM
https://www.hackerone.com/top-ten-vulnerabilities
Where to look for Vulnerabilities
Where to look for SSRF
In query or parameters like "redirect", "url", "next", etc...
When server is fetching data like JS files, CSS or Images from another host.
Features depending on the app which check the "status" or something similar.
The key is to get access to the Internal Network and have access to the files and resources inside.
Where to look for SQLi
Forms with POST Requests, if the Response returns Status Code 500 (Internal Server Error) appear to be vulnerable.
Inputs that query the database for values such as usernames, passwords, ids, etc. ....
Always try to inject queries to the database to find out how to get access to the database or execute queries and get information.
Where to look for Business Logic Errors
These kinds of vulnerabilities are uniques bugs that are found by original techniques which can be performed by trying differents methods of hacking. So the mayority of those attacks depends specially on the app and the attacker.
It can be found by analyzing the source code and trying to exploit some specific features of the application.
Most common of business logic errors occur when you break the logic of the application and try to exploit the use of it.
Where to look for LFI or RFI (Path Traversal)
In order to perform Path Traversal it's necessary to identify where the application is loading an internal file like:
file://../../app/index.php
. Generally occurs in endpoints which has parameters like: "file", "view", "download", "doc", etc...Try with different encodings to bypass WAF like HTML, Unicode, URL, Double URL, Hex, etc.
Try perform path traversal by inyect
..0x2f..0x2f..0x2f..0x2f../etc/passwd
(if Linux), or as wellfile:///etc/passwd
, etc...
Where to look for XSS and how to craft it (Basic)
When submit a value to a key/parameter and it is reflected in the DOM (HTML), then try to inyect code to escape HTML Tags and create your custom XSS payloads. For example:
>;'</input><svg ONly ONLoad=confirm()>//
To you understand how to craft XSS payloads, you need: 1. Know HTML tags. 2. Understand the basics of JavaScript, and 3. Have fun crafting XSS payloads.
In order to bypass the most common multiple WAF rules it is necessary to encode the characters in encodings that are processed by the back-end. Some of them are the following: HTML tags, Hex, URL and double URL encoding, Unicode Escapes, and more.
Keep in mind that "If WAF is too hard to bypass, try in another endpoint". (Not all endpoints are vulnerables).
Where to look for IDOR
"IDOR" or "Insecure Direct Object Reference" is a vulnerability that occurs when the value as an ID or object identifier is modified and then the attacker gains unauthorized access to the information. Typically they are BOLA (Broken Object Level Authorization).
Let's take this example: You have intercepted with BurpSuite or Caido a request whose path is something like this:
/api/v2/current/view
. Here are many attacks to probe: 1. Changev2
tov1
,v0
orv3
, or just delete it. Then try changingcurrent
to an email, application user id, etc....You can also try changing
view
toedit
ordelete
,create
. These are some of the techniques most commonly found in vulnerable applications when the back-end is not sanitized.
Last updated