Bug Bounty Hunting (Methodology, Toolkit, Tips & Tricks, Blogs)

1

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs , especially those pertaining to exploits and vulnerabilities.

A reward offered to a perform who identifies an error or vulnerability in a computer program or system.

‘The company boosts security by offering a bug bounty’

Bug Bounty Programs

Practice makes Perfect!

While you’re learning it’s important to make sure that you’re also understanding and retaining what you learn. Practicing on vulnerable applications and systems is a great way to test your skills in simulated environments. These will give you an idea of what you’ll run up against in the real world.

Read tech Vulnerabilities POCs (Proof of Concepts) and write-ups from other hackers

Now that you’ve got a baseline understanding of how to find and exploit security vulnerabilities, it’s time to start checking out what other hackers are finding in the wild. Luckily the security community is quite generous with sharing knowledge and we’ve collected a list of write-ups & tutorials:

Watch tutorials (Bug Hunting) on YouTube!

Bugcrowd Approach for Bug Hunting

Okay, now you’re at the point where it’s almost time to start hunting for bounties. But first, let’s learn how bug bounties work and how to get started, just to make sure we maximize our chances of success.

Vulnerability guides

My Tips & Tricks

  • Bug Bounty Hunting Tip #1- Always read the Source Code
  • Bug Bounty Hunting Tip #2- Try to Hunt Subdomains
  • Bug Bounty Hunting Tip #3- Always check the Back-end CMS
  • Bug Bounty Hunting Tip #4- Google Dorks is very helpful
  • Bug Bounty Hunting Tip #5- Check each request and response
  • Bug Bounty Hunting Tip #6- Active Mind - Out of Box Thinking :slight_smile:

My Methodology for Bug Hunting

  • First review the scope
  • Perform reconnaissance to find valid targets
  • Find sub-domains through various tools Sublist3, virus-total etc.
  • Select one target then scan against discovered targets to gather additional information (Check CMS, Server and all other information which i need)
  • Use google dorks for information gathering of a particular taget.
  • Review all of the services, ports and applications.
  • Fuzz for errors and to expose vulnerabilities
  • Attack vulnerabilities to build proof-of-concepts

For Bug bounty programs, First I’m going to review the scope of the target. There’s a huge difference between a scope such as *.facebook.com versus a small company’s single application test environment.

If scope is big than they accepts submissions for any of their servers, I’m going to start doing reconnaissance using search engines such as Google, Shodan, Censys, ARIN, etc. to discover subdomains, endpoints, and server IP addresses. This is a mix of google dorking, scanning IP ranges owned by companies, servers ports scanning etc. Anything that gives me information on servers that may be owned by that company.

When I have a list of servers, I start to perform nmap port and banner scanning to see what type of servers are running. You may get some quick finds such as open SSH ports that allow password-based authentication. At this point I tend to stay away from reporting those smaller issues. I opt to spend more time looking for critical applications running on non-standard web ports such as Jenkins that may have weak default configuration or no authentication in front of them.

Before I hunt into the websites too deeply, I first do a quick run through the web servers looking for common applications such as WordPress ,Drupal , joomla etc . This is a mix of just browsing the sites manually or directory hunting by using wordlist, looking for sitemaps, looking at robots.txt, etc. Some open source plugins are typically poorly made and with some source review can lead to critical findings.

Then dig in to website, check each request and response and analysis that, I’m trying to understand their infrastructure such as how they’re handling sessions/authentication, what type of CSRF protection they have (if any).

Sometimes I use negative testing to through the error, this Error information is very helpful for me to finding internal paths of the website. I spend most of my time trying to understand the flow of the application to get a better idea of what type of vulnerabilities to look for.

Once I’ve done all of that, depending on the rules of the program, I’ll start to dig into using scripts for wordlist bruteforcing endpoints. This can help with finding new directories or folders that you may not have been able to find just using the website. This tends to be private admin panels, source repositories they forgot to remove such as /.git/ folders, or test/debug scripts. After that check each form of the website then try to push client side attacks. Use multiple payloads to bypass client side filters. Best tools for all over the Bug Bounty hunting is “BURP SUITE” :slight_smile:

This is just the methodology for Bug bounty hunting and Penetration testing that seems to work for me :slight_smile:

TOOLS , Wordlists , Patterns, Payloads , Blogs

Tools & OS:

Wordlist :

Browser Plugin’s:

Passive Reconnaissance

Payloads for Hunting

Information Security / Bug Hunting Blogs

“My daily inspiration are those who breaks their own limits and get success. “

2 Likes