Bug Bounties 🗺

I've been dancing around web hacking for a while. I think my deep-seated hatred of web programming (mainly CSS) makes this fun 😈. The web is just a tangled, complicated mess. It can be satisfying to rip things apart a bit. Anyway, this is a post about my process for getting into doing bug bounties.

Watch this first 🔑:

This video is a bit long, but it's so compendious and worth your time. Why? She talks about learning theory, vets resources, goes against the common (bad) advice, and debunks lots of myths. And then she gives you a bunch of sane paths based on where people are at (not everyone is starting from zero): https://youtu.be/hDYqWZ11njU

What to focus on?

I should note that I'm not starting from zero. I've been programming for a while and gone through some of this material before. But I've learned a lot about, well, learning in the past couple years and I'm going to try and apply a “Whole Game” approach: quickly get the lay of the land, do some practical challenges first, figure out where the high value is, figure out what to focus on (harder things, $$$ bugs).

I've been doing my usual learning resource recon. Here are some huge ones:

This guide to a great interview with Jason Haddix has so many nuggets.

1st month: “You should not expect to find anything great for your first three months.” That crap will get you to private invites. You'll get used to it, used to bounty. 3 months in: standardize and understand recon automation. Find fresh targets, get private invites. My bread and butter - recon finds old shit. “Most of my great bugs have been pretty generic. SQLi, auth bypass, IDOR. Then get into something newer (like mobile). Get at mobile web services in a file. You're gonna be ahead with that because nobody wants to do that.”

Nugget: 90% of my great vulns are from content discovery. Recon, finding shit other people don't, and then finding endpoints in JavaScript. Learn to parse JS!!

For bug bounty, I don't look for XSS and CSRF bugs. Mostly injections, RCE, XXE, SSRF and business-related vulnerabilities.

« Any tips for testing for RCE? In my experience a lot of RCE reports are not disclosed, and payloads aren't that largely available, making it hard to get a feeling for what might be vulnerable.

» RCE is an impact, not a vulnerability class. Vulnerabilities you're looking for: command injections (of course), SQLi (f.e. with xp_cmdshell), leaked or weak credentials (CMS admin can change Jinja templates), file creation (overwrite a script), SSRF to an internal unprotected admin interface, and of course, everything with a CVE (ImageTragick, ShellShock, …). And I disagree with the point that RCE reports and/or payloads aren't commonly available. Relevant Google dork: “site:hackerone.com/reports/ rce”.
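To make the "learn to parse JS" nugget concrete, here is a small example I put together (not from the interview, and not a real tool): it pulls endpoint-like string literals out of a JavaScript bundle and flags the ones a reviewer of their own front-end should look at first, such as internal or admin paths that were never meant to ship to the browser. The bundle snippet is constructed for the example; the regex only catches quoted paths that start with a slash or an absolute http(s) URL, so relative paths like "./x" are deliberately skipped.

```python
import re

# Constructed sample of a minified front-end bundle (not taken from any real site).
SAMPLE_JS = r"""
const API="https://api.example.test";function load(){fetch(API+"/v1/users/me")}
axios.get('/api/v2/orders?status=open');var legacy="/internal/admin/export.php";
window.open("https://cdn.example.test/assets/logo.png");x="not/a/path" ; y='/'
"""

# A quoted string that is either an absolute http(s) URL with a path, or a
# root-relative path with at least one segment, optionally followed by a query
# string. Bare hosts ("https://api.example.test"), lone "/" and relative
# strings ("not/a/path", "./x") are not matched on purpose.
ENDPOINT_RE = re.compile(
    r"""["'`]((?:https?://[\w.\-]+(?::\d+)?)?/(?:[\w.\-]+/?)+(?:\?[\w=&\-.%]*)?)["'`]"""
)

# Path fragments that usually deserve a second look when they show up in
# client-side code. Hypothetical list; tune it to the application under review.
SENSITIVE_MARKERS = ("admin", "internal", "debug", "export")


def extract_endpoints(js):
    """Return unique endpoint-like strings found in js, in first-seen order."""
    seen, found = set(), []
    for match in ENDPOINT_RE.finditer(js):
        endpoint = match.group(1)
        if endpoint not in seen:
            seen.add(endpoint)
            found.append(endpoint)
    return found


def flag_sensitive(endpoints, markers=SENSITIVE_MARKERS):
    """Subset of endpoints whose path contains one of the sensitive markers."""
    return [e for e in endpoints if any(m in e.lower() for m in markers)]


if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_JS)
    for e in endpoints:
        print(e)
    print("review first:", flag_sensitive(endpoints))
```

On a real bundle you would feed it the downloaded JS file instead of SAMPLE_JS; anything it flags is a candidate to check against what the server actually exposes and who is authorised to call it.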

The raw materials

To be executed concurrently: go

Can haz order?

There's a huge bunch of vulnerabilities everywhere and it can be overwhelming to figure out which to learn about first. Tool is burp. Always burp. And in order of vulnerability, start with the easy/classic ones and progress from there:

injections/SQLis/xss
lfi, rfi (local/remote file inclusion)
RCE
XXE
SSRF
IDOR
business-related vulnerabilities (logic)

First up: