How To Start Bug Bounty Hunting
2023-3-8 17:50:16 Author: infosecwriteups.com

Short & Basic Intro to Bug Bounty World

I recommend registering on the following crowdsourced cybersecurity platforms (bug bounty platforms):

Searching for bugs in the wild (not on a bug bounty platform) can be great, but it may not be the best place to start as there is no guarantee that the company will respond to your report or that you will receive any reward or recognition for your work.

Bug bounty platforms can offer private invites over time, which can provide you with lower competition compared to public programs, increasing your chances of finding something unique.

Try focusing on programs that have a wide scope, where you can manage users (create roles), docs, images, etc.

And then start with something simple: create two users (one basic user and one admin), open two browsers, and start testing for BAC (Broken Access Control) vulnerabilities.

In short, this is the type of vulnerability where a basic user can perform admin actions.

Some of these vulnerabilities can be found simply by using direct links to sections/endpoints, but others will require you to modify the requests sent from the browser to the server.
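The two-user method above (one admin, one basic user, same action) can be turned into a regression check that a defender keeps in CI. The following is an added example, not code from the original article: a tiny in-memory "application" with one admin-only action implemented twice, once without a server-side role check (the BAC case) and once with it, plus a matrix runner that performs each admin action as both roles and reports where the basic user also succeeds. All names are hypothetical.

```python
# Added example (not from the original article): minimal in-memory app with
# an admin-only action written two ways, plus the admin-vs-basic-user
# differential check as a regression test. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int
    role: str  # "admin" or "user", set server-side at login


@dataclass
class App:
    # constructed sample data
    users: dict = field(default_factory=lambda: {1: "alice", 2: "bob", 3: "carol"})

    # VULNERABLE (Broken Access Control): the server assumes only the admin UI
    # exposes the delete button and never checks the caller's role itself.
    def delete_user_vulnerable(self, session: Session, target_id: int) -> int:
        if target_id not in self.users:
            return 404
        del self.users[target_id]
        return 200

    # HARDENED: the authorization decision is made from the server-side
    # session, not from anything the client sends in the request.
    def delete_user_hardened(self, session: Session, target_id: int) -> int:
        if session.role != "admin":
            return 403
        if target_id not in self.users:
            return 404
        del self.users[target_id]
        return 200


# Actions that must succeed only for admins: name -> callable(app, session).
ADMIN_ACTIONS = {
    "delete_user_vulnerable": lambda app, s: app.delete_user_vulnerable(s, 3),
    "delete_user_hardened": lambda app, s: app.delete_user_hardened(s, 3),
}


def access_control_matrix(actions=ADMIN_ACTIONS) -> dict:
    """Run every admin action once as admin and once as a basic user, each
    against a fresh App, and record the HTTP-style status each role got."""
    admin = Session(user_id=1, role="admin")
    basic = Session(user_id=2, role="user")
    results = {}
    for name, action in actions.items():
        results[name] = {
            "admin": action(App(), admin),
            "user": action(App(), basic),
        }
    return results


def find_bac(actions=ADMIN_ACTIONS) -> list:
    """Names of admin actions that the basic user could also perform (2xx)."""
    matrix = access_control_matrix(actions)
    return sorted(name for name, r in matrix.items() if 200 <= r["user"] < 300)


if __name__ == "__main__":
    for name, r in access_control_matrix().items():
        print(f"{name:24s} admin={r['admin']} user={r['user']}")
    print("Broken access control on:", find_bac())
```

The matrix is the automated form of "two browsers, one action": any row where the basic user gets a 2xx on an admin-only action is a finding, and the hardened handler shows that the fix is a server-side check on the session role rather than hiding the button in the UI.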

I recommend using @Burp_Suite for request capture and modification. You can download the Community Edition for free.

Recommended Addon: Logger++

While testing the website/app for BAC bugs, you can highlight all GET requests that perform critical actions, e.g. /delete_user?id=1

Requests that perform critical actions (like deleting a user) and can be triggered just by sending the link to a user are treated as a CSRF (Cross-Site Request Forgery) vulnerability.

POST requests can also be used to perform a CSRF attack, but they usually have a CSRF protection mechanism in place (like csrf_tokens or a referrer check).

CSRF protection can sometimes be bypassed. Try switching the POST method to GET, or removing the token value from the key: csrf_token=

With referrer protection, you can try appending your domain to the referrer, like this: http://example.com.yourdomain.com

Or, if the check requires the domain to be at the end of the referrer, try it this way: http://yourdomain.com/site.com
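The three bypasses just described (POST switched to GET, an emptied csrf_token, and the two referrer tricks) each target a specific weak implementation. The following is an added example, not code from the original article, showing the weak referrer checks those tricks defeat next to a strict check, and a combined gate for a state-changing endpoint. It assumes the protected site is https://site.com; function names are hypothetical.

```python
# Added example (not from the original article): weak vs. strict referrer
# checks, CSRF token validation, and a combined gate for state-changing
# requests. Assumes the site is https://site.com; names are hypothetical.
import hmac
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "site.com"
SITE_ORIGIN = "https://site.com"


def referer_ok_prefix(referer: str) -> bool:
    """WEAK: prefix match on the raw header. Defeated by putting the expected
    site at the front of an attacker-controlled host (site.com.yourdomain.com)."""
    return referer.startswith(SITE_ORIGIN)


def referer_ok_suffix(referer: str) -> bool:
    """WEAK: suffix match on the raw header. Defeated by putting the expected
    site at the end of the path (yourdomain.com/site.com)."""
    return referer.rstrip("/").endswith(SITE_HOST)


def referer_ok_strict(referer: Optional[str]) -> bool:
    """Parse the URL and compare the host component exactly. A missing or
    unparsable header is rejected rather than waved through."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def csrf_token_ok(submitted: Optional[str], session_token: str) -> bool:
    """The submitted token must equal the session's token (constant-time
    compare); an empty or absent value never passes."""
    if not submitted or not session_token:
        return False
    return hmac.compare_digest(submitted, session_token)


def allow_state_change(method: str, headers: dict, form: dict, session_token: str) -> bool:
    """Gate for an endpoint like /delete_user: only POST, only with a valid
    token, only from our own origin (Origin header preferred over Referer)."""
    if method != "POST":          # a "switch POST to GET" attempt stops here
        return False
    if not csrf_token_ok(form.get("csrf_token"), session_token):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    return referer_ok_strict(origin)


if __name__ == "__main__":
    # constructed sample referrers, including the two patterns from the article
    for ref in ["https://site.com/account",
                "https://site.com.yourdomain.com/",
                "http://yourdomain.com/site.com"]:
        print(f"{ref:36s} prefix={referer_ok_prefix(ref)!s:5s} "
              f"suffix={referer_ok_suffix(ref)!s:5s} strict={referer_ok_strict(ref)}")
```

Both weak checks accept one of the article's patterns while the strict check accepts only an exact host match, and the token check refuses an empty value so that deleting the token from the form does not disable the protection.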

And the third basic rule of bug bounty hunting is to put a basic payload into every possible input: qwe'"<X</

Then watch where the text is reflected on the website. If you see qwe'" somewhere (without the angle brackets), this could be a chance of XSS.

Additionally, search for the qwe text in the page source. Use the browser's Developer Tools for this task.

Payloads can be reflected anywhere:

1. In tag content (the text between tags):

<span>qwe'"<x</span>

2. In tag attributes:

<a class="qwe'"<x</">

3. In tag event attributes with location change logic:

<a onclick="location.href='qwe'">

Here you can try to inject javascript protocol. For example:

location.href='javascript:alert(1)'

4. Inside of a <script> tag:

<script>let a = "qwe'"<x</"</script>
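The four reflection contexts above each need different output encoding, and the article's heuristic (quotes reflected but angle brackets stripped) flags exactly the case where a filter removed < and > but left the quotes that break out of an attribute or a JavaScript string. The following is an added example, not code from the original article: it renders the probe string into the four templates first through such an angle-bracket-only filter, then through context-aware encoding, and shows how a location-changing sink should allow only http(s) URLs instead of accepting a javascript: one. Function names are hypothetical.

```python
# Added example (not from the original article): the probe string rendered
# into the four contexts with a naive filter vs. context-aware encoding.
# Function names are hypothetical.
import html
import json
from urllib.parse import urlsplit

PROBE = "qwe'\"<X</"   # the article's test payload


def naive_filter(value: str) -> str:
    """Common but insufficient 'sanitiser': drops < and > only."""
    return value.replace("<", "").replace(">", "")


def js_string_escape(value: str) -> str:
    """Escape for a JS string literal (either quote style); < > & are also
    escaped so the value can never close the enclosing <script> block."""
    s = json.dumps(value)[1:-1]            # handles backslash and "
    return (s.replace("'", "\\u0027").replace("<", "\\u003c")
             .replace(">", "\\u003e").replace("&", "\\u0026"))


def safe_url(value: str) -> str:
    """Allow-list for a location-changing sink: only http(s) URLs pass;
    anything else (including a javascript: URL) becomes a harmless fallback."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return value if scheme in ("http", "https") else "about:blank"


def render_naive(value: str) -> dict:
    v = naive_filter(value)
    return {
        "text":   f"<span>{v}</span>",
        "attr":   f'<a class="{v}">',
        "event":  f"""<a onclick="location.href='{v}'">""",
        "script": f'<script>let a = "{v}"</script>',
    }


def render_encoded(value: str) -> dict:
    h = html.escape(value, quote=True)                        # text and attribute contexts
    j = js_string_escape(value)                               # inside <script>
    e = html.escape(js_string_escape(safe_url(value)), quote=True)  # JS inside an attribute
    return {
        "text":   f"<span>{h}</span>",
        "attr":   f'<a class="{h}">',
        "event":  f"""<a onclick="location.href='{e}'">""",
        "script": f'<script>let a = "{j}"</script>',
    }


def quotes_reflected(rendered: str) -> bool:
    """The article's heuristic: qwe'" came back with its quotes intact."""
    return "qwe'\"" in rendered


if __name__ == "__main__":
    for ctx, out in render_naive(PROBE).items():
        print(f"naive   {ctx:6s} suspicious={quotes_reflected(out)!s:5s} {out}")
    for ctx, out in render_encoded(PROBE).items():
        print(f"encoded {ctx:6s} suspicious={quotes_reflected(out)!s:5s} {out}")
```

With the naive filter every context still reflects qwe'" and the quote closes the attribute or string it was placed in; with per-context encoding none of the four outputs contains a raw quote or angle bracket from the input, and the javascript: URL from the article is rejected by the scheme allow-list rather than by trying to blacklist it.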

That’s all for now.

Cheers, Happy Hunting 👍


Source: https://infosecwriteups.com/how-to-start-bug-bounty-hunting-94b1ff3dda27?source=rss----7b722bfd1b8d--bug_bounty