Some Core Tips to Win BUG BOUNTY in Minutes!!

Here is a short briefing on bug bounty:

A bug bounty program is a deal offered by many websites and software developers by which any ethical hacker can receive recognition and a reward for reporting bugs, especially those pertaining to exploits and vulnerabilities. In this blog we are going to talk about 5 rules for running a successful bug bounty. A bug bounty is a reward given by a company when someone identifies an error or vulnerability in its software or computer program.

Some of the bug bounty platforms are given below:

Bugcrowd: https://www.bugcrowd.com/

HackerOne: https://www.hackerone.com/

Synack: https://www.synack.com/

Hackenproof: https://hackenproof.com/

BountyFactory: https://bountyfactory.io

Intigriti: https://www.intigriti.com/

Cesppa: https://www.cesppa.com/

Zerocopter: https://www.zerocopter.com/

Antihack: https://www.antihack.me/

10 Core Tips for hunting a program:

1- Always read the Source Code:

If you are trying to find bugs in software, the first thing you need to do is read the source code. It helps you find bugs and interactions, review the code, see the interfaces, and learn more about the software. These are some kinds of source code:

  • C++
  • JavaScript
  • ES6
  • CoffeeScript
  • Shell Script

2- Enumerate Maximum Subdomains & Try to takeover Subdomains:

To enumerate subdomains, several tools are available over the internet.

Here is the list of tools I usually use for subdomain enumeration and information gathering:

  1. Sublist3r
  2. Knockpy
  3. https://crt.sh
  4. https://dnsdumpster.com

Try to enumerate as many subdomains of the target as possible to find more severe vulnerabilities, and try for subdomain takeover.

Another way to extract subdomains is a reverse-DNS sweep of the target's IP range (the hostname is the fifth field of each "Nmap scan report for" line):

nmap IP_range -sn | grep "domain" | awk '{print $5}'

After enumerating the subdomains, move on to subdomain takeover. Knockpy is a good tool for testing for subdomain takeover.

Subdomain takeover is the process of registering a non-existing domain name to gain control over another domain. The most common scenario is as follows:

The domain name (e.g., sub.xyz.com) uses a CNAME record to another domain (e.g., sub.xyz.com CNAME anotherdomain.com).

At some point in time, anotherdomain.com expires and is available for registration by anyone.

Since the CNAME record is not deleted from the xyz.com DNS zone, anyone who registers anotherdomain.com has full control over sub.xyz.com for as long as the CNAME record is present.
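From the defender's side, the scenario above reduces to one check: walk your own zone and find every CNAME whose target no longer resolves. The script below is an added example, not code from the original post; the zone contents and the resolver answers are constructed sample data so that it runs offline, and live_resolver is the drop-in for a real lookup.

```python
"""Detect dangling CNAME records, the precondition for the takeover above.
Added example, not part of the original post; zone and resolver answers are
constructed sample data so it runs offline."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone for example.com: name -> (record type, target)
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com": ("A", "192.0.2.10"),
    "shop.example.com": ("CNAME", "shop-prod.example-hosting.test"),
    "old-blog.example.com": ("CNAME", "expired-vendor.test"),
    "cdn.example.com": ("CNAME", "d1234.cdn-provider.test"),
}

# Constructed answers standing in for live DNS; None models NXDOMAIN
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "shop-prod.example-hosting.test": "198.51.100.7",
    "d1234.cdn-provider.test": "203.0.113.5",
    "expired-vendor.test": None,  # expired: anyone could register it
}

Resolver = Callable[[str], Optional[str]]

def sample_resolver(name: str) -> Optional[str]:
    """Offline lookup against the constructed answers above."""
    return SAMPLE_ANSWERS.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Real A lookup for your own zone; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def find_dangling_cnames(zone: Dict[str, Tuple[str, str]],
                         resolve: Resolver) -> List[Tuple[str, str]]:
    """Return (name, target) pairs whose CNAME target does not resolve.
    Each hit should be deleted or re-pointed before a third party can register
    the target. Only the expired-domain case is caught; a target that still
    resolves to an unclaimed hosting endpoint needs a provider-specific check."""
    hits = []
    for name, (rtype, target) in sorted(zone.items()):
        if rtype == "CNAME" and resolve(target) is None:
            hits.append((name, target))
    return hits

if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"dangling CNAME: {name} -> {target}")
```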

3- Always check the Back-end CMS & backend language:

Before finding bugs in software, you need to check the backend CMS and backend language. You have to understand the programming language of that application. Some of the common backend languages are PHP, Java, .NET, HTML, MySQL and Ruby.

4- Google Dorks is very helpful:

Google dorking is also known as Google hacking. It is a technique that uses Google search to find security loopholes and vulnerabilities in a software product. Google dorks are very helpful while performing security tests. They save time, because organizations often unknowingly expose sensitive corporate information on the Internet, where search engines index it. Google dorking can return usernames and passwords, email lists, sensitive documents, and website vulnerabilities.

5- Check each request and response:

When you are on the website, check each request and response, analyse them, and try to understand the infrastructure: how sessions and authentication are handled, and what type of CSRF protection is in place (if any). Sometimes, use negative testing to trigger errors; this error information is very helpful in finding internal paths of the website.

Keep your mind active and think out of the box.

6- Want to check out the internal code of companies or some sample code of new features?

Check with:

https://repl.it/ intext:

followed by the company domain. If you know an internal domain, it is even better.

7- Enumerate the directories:

You can enumerate directories in some buckets with Wfuzz.

Wfuzz is a tool to enumerate directories.

The rule for Wfuzz: http(s)://bucket-address-here/FUZZ

There are some other directory enumeration tools available which I personally use:

  1. Dirbuster
  2. Dirsearch

Try to fuzz every directory and parameter.

8- Testing for Server Side Request Forgery (SSRF):

Change the HTTP version from 1.1 to HTTP/0.9 and remove the Host header completely.

This has bypassed several SSRF fixes in the past.

9- Amazon Bucket Access Controls:

Validate the bucket access controls.

Reference: https://medium.com/@protector47/how-i-earned-1-500-in-just-15-mins-due-to-amazon-s3-bucket-misconfiguration-953b28242f95
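One concrete way to validate bucket access controls is to lint the bucket policy for statements that grant access to everyone. This is an added example, not code from the original post or the referenced article; the policy document, bucket name, account id and VPC endpoint id below are constructed placeholders.

```python
"""Flag bucket-policy statements that grant access to everyone.
Added example, not from the original post or the referenced article; the
policy below is constructed, with a placeholder bucket and account id."""
import json
from typing import Any, List, Tuple

# Constructed sample bucket policy: one open, one scoped, one conditioned
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    ],
})

def is_anonymous(principal: Any) -> bool:
    """True for both spellings of "anyone": "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def find_public_statements(policy_json: str) -> List[Tuple[str, bool]]:
    """Return (Sid, has_condition) for every Allow statement open to anyone.

    An unconditioned hit is plain public access and should be removed or
    replaced with a named principal; a conditioned hit still needs review,
    since some condition keys (e.g. aws:Referer) are client-controlled."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal")):
            hits.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return hits

if __name__ == "__main__":
    for sid, conditioned in find_public_statements(SAMPLE_POLICY):
        print(f"{sid}: open to everyone{' (with Condition)' if conditioned else ''}")
```

Bucket ACLs and the account-level Block Public Access settings are separate controls and are not covered by this policy check.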

10- Secret Authentication Keys:

Found a firebase API key in the Android app, not sure what to do?

Use Pyrebase, a simple Python wrapper for the Firebase API, to test authentication, DB, and storage permissions.

These are the tips that every bug hunter should consider while bug hunting, because sometimes a small trick can give you a big reward.

Credits: protector47
Main Article: https://medium.com/@protector47/some-core-tips-to-win-bug-bounty-in-minutes-fdc4025ca4cc
