Bug bounty - Simple tips and tricks
Its been a couple of months that I am bug hunting and I think I got hang of it now. Bug bounties are the most fancied way of earning money among the ethical hackers and otherwise engineers. I get many requests on Linkedin and Telegram to teach them about bug bounty. I have followed a few big time bug hunters and learnt from them. There are awesome writeups, podcasts and tutorials on Pentester.Land
Here are a few tips and tricks to get started with any bounty program.
Follow platforms like HackerOne and BugCrowd. They have organised bounty programs which reward in points and money according to the priority of the bug found. They have charity programs too if you wish to donate.
So, when there are new programs launched for websites, mobile apps and APIs, you get to see whats in scope of the program and whats not. If you are reporting a bug thats not in scope, you get -ve points. There will be rules of the program which you MUST read carefully to understand the type of program and areas of focus. Some look for issues in UI. Some look for issue in Broken Authentication and session management mechanisms, Some for functional security issues. Be sure to get their point of view.
When you find a bug, be sure you choose the right category to report. This is important because reporting in a lesser priority category do not get the attention that the bug requires. It does not mean you choose P1 or P2 for all bugs that you choose. Just choose right.
Make a POC of the bug with log trace, screenshots, replication method and explain the impact of the bug in plain english and do not disclose your personal information or any sensitive information thats known to you.
Submit the bug and wait for the response. Generally they will reply within 2 days to 7 days if its from HackerOne or BugCrowd. If the bug is duplicate or rejected, you get nothing.
You can look for private bounty programs by searching on google too using any string that corresponds to bug disclosure. Examples like
insite: Responsible disclosure policy
insite: Security issue disclosure.
So here are the most commonly seen and found issues in the bug bounties.
1. Rate limiting - Rate limit can be for email or OTP. Look for places like Sign Up and Reset Password, Forgot Password. Provide the same email or phone # and see if there is rate limiting. If you can get hundreds of reset password links or OTPs, then you found the bug.
2. No email validation - Again look for Sign up mechanism where one needs to register. If there is an ask to enter email and there is no validation(You get an email on the registered email id and you got to click on it to activate your account), then attacker/you can enter anyone's email and get the signing up going on.
3. Rate limiting login attempts - From the burp suite, identify which is the login API and check for params sent with it. Send the API to intruder. Add a few usernames and passwords. Send the requests. After a few times for a given username, the application should error out saying no more login attempts or provide a captcha.
4. Brute forcing login - Use Burp Suite again to capture login API. If you know/guess any of the usernames and their passwords, try them or use a dictionary file in the intruder brute force the login. This only works if there is no rate limiting on the login attempts
5. Third party reset token leak - When a password reset token is sent to the legitimate user, see if the same is sent as part of any calls made in the third parties integration calls.
6. Captcha bypass - Use a proxy like FoxyProxy or SmartProxy or JetProxy and open the website link where the captcha is posed to the user. If the website opens, you have bypassed the captcha implemented on the website
7. Injections - Look for a search field in the website and see if the search string gets attached to the URL of the page as an extension. Eg: https://example.com?search/key-alumni
Modify this and inject "><script>alert('pop up')</script>
XSS injections and HTML injection are the most commonly seen apart from sql injections.
8. Clickjacking - Make use of chrome extensions like "Clickjacking test" to generate the HTML or simply use the below code. Change the iframe src to the one you are testing. If there is an output, then there is a bug
<html>
<--Report Generated by Clickjacking Test v1.0-->
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://cloudinary.com" width="500" height="500"></iframe>
</body>
</html>
Here are a few tips and tricks to get started with any bounty program.
Follow platforms like HackerOne and BugCrowd. They have organised bounty programs which reward in points and money according to the priority of the bug found. They have charity programs too if you wish to donate.
So, when there are new programs launched for websites, mobile apps and APIs, you get to see whats in scope of the program and whats not. If you are reporting a bug thats not in scope, you get -ve points. There will be rules of the program which you MUST read carefully to understand the type of program and areas of focus. Some look for issues in UI. Some look for issue in Broken Authentication and session management mechanisms, Some for functional security issues. Be sure to get their point of view.
When you find a bug, be sure you choose the right category to report. This is important because reporting in a lesser priority category do not get the attention that the bug requires. It does not mean you choose P1 or P2 for all bugs that you choose. Just choose right.
Make a POC of the bug with log trace, screenshots, replication method and explain the impact of the bug in plain english and do not disclose your personal information or any sensitive information thats known to you.
Submit the bug and wait for the response. Generally they will reply within 2 days to 7 days if its from HackerOne or BugCrowd. If the bug is duplicate or rejected, you get nothing.
You can look for private bounty programs by searching on google too using any string that corresponds to bug disclosure. Examples like
insite: Responsible disclosure policy
insite: Security issue disclosure.
So here are the most commonly seen and found issues in the bug bounties.
1. Rate limiting - Rate limit can be for email or OTP. Look for places like Sign Up and Reset Password, Forgot Password. Provide the same email or phone # and see if there is rate limiting. If you can get hundreds of reset password links or OTPs, then you found the bug.
2. No email validation - Again look for Sign up mechanism where one needs to register. If there is an ask to enter email and there is no validation(You get an email on the registered email id and you got to click on it to activate your account), then attacker/you can enter anyone's email and get the signing up going on.
3. Rate limiting login attempts - From the burp suite, identify which is the login API and check for params sent with it. Send the API to intruder. Add a few usernames and passwords. Send the requests. After a few times for a given username, the application should error out saying no more login attempts or provide a captcha.
4. Brute forcing login - Use Burp Suite again to capture login API. If you know/guess any of the usernames and their passwords, try them or use a dictionary file in the intruder brute force the login. This only works if there is no rate limiting on the login attempts
5. Third party reset token leak - When a password reset token is sent to the legitimate user, see if the same is sent as part of any calls made in the third parties integration calls.
6. Captcha bypass - Use a proxy like FoxyProxy or SmartProxy or JetProxy and open the website link where the captcha is posed to the user. If the website opens, you have bypassed the captcha implemented on the website
7. Injections - Look for a search field in the website and see if the search string gets attached to the URL of the page as an extension. Eg: https://example.com?search/key-alumni
Modify this and inject "><script>alert('pop up')</script>
XSS injections and HTML injection are the most commonly seen apart from sql injections.
8. Clickjacking - Make use of chrome extensions like "Clickjacking test" to generate the HTML or simply use the below code. Change the iframe src to the one you are testing. If there is an output, then there is a bug
<html>
<--Report Generated by Clickjacking Test v1.0-->
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://cloudinary.com" width="500" height="500"></iframe>
</body>
</html>
Comments
Post a Comment