Summary: Beginning Bug Bounty – Part 2

This is the continuation of summary ( https://onappsec.com/summary-beginner-notes-on-bug-hunting-part-1/ )

• https://www.youtube.com/watch?v=-xbbvAKGXK8&t=484s
• https://www.youtube.com/watch?v=y23l5P4-HAk

Bug Bounty Methodology

Preparation

• You retain the understanding by teaching others, practice doing and having discussion.
• Most of the time, you are exposed to something new which you are not familiar with. You need to research the issue and test it. If it doesn’t work, then you need to work on CTF examples to gain hands-on experience with it.
• Immerse yourself in hacking by learning and reading the things which you might not understand. Follow people who post complex stuffs in blogs or twitter. Read disclosed reports to understand the thinking process of others.
• Recommended Resources:
  • Burp Proxy
  • PentesterLand Newsletter
  • Conferences: DefCon, BSides, BlackHat
  • Podcast: Bug Bounty Podcast, Darknet diaries, Security Now, Risky Business, Price of An Attack
  • Reading Resources: Web Hacking 101, OWASP Testing Guide, Bug Bounty Cheat-sheets, Hacktivity, @Disclosed
  • Practice: CTFS (OWASP DVWA, Juice Shop, Hacker 101)
  • Structured Course: PentesterLab, Web Security Academy
  • Videos: STOK, CyberMentor, CS50, MIT OCW

Goal-Setting

• Hacking is a trial by fire process and require hands-on experience.
• If you have some experience in security, then begin by practicing CTFs, watch and read contents from actual attackers. And then find a real target to test.
• When it comes to Goal-setting, aim for autonomy, mastery and purpose. Motivation for money does not work well for cognitively demanding tasks.
• Example of Goals:
  • Technical: Learn to use Burp
  • Communications: Write report and understand the impact of the bug to a company
  • Personal Effectiveness: Learn how to set goals and self-improve,
  • Community Engagement: Share what you learn with others.
  • Short-term: Get private invitation
  • Medium-term: Earn at least 5K
  • Long-term: Find a technically difficult bug such as RCE.

Recon (Asset Identification)

• This can be done manually by browsing the app or using automated spidering tools.
• Ideally, you want to identify the assets faster than majority of the hunters.
• Look for assets that can be targeted e.g. API endpoints.
• Learn what the assets do:
  • Interact with DB?
  • Using APIs
• Write down your observations in notes. Think about the financial impacts to the company.
• Tips:
  • Pick assets with high amount of user interaction.
  • Understand the privileges of different user account.

Identify Potential Attack Vector

Common Patterns:

Observation	Possible Attacks
Forms without CSRF Token	Try CSRF attacks
APIs with IDs	Try IDOR attacks
GraphQL Endpoints	Try IDOR attacks
UI Validation checks	Try XSS or SQLi attacks

• Pay attention to attack vectors that are relevant to the web or mobile apps.
• Keep track of the endpoints found and test them one by one for possible attacks. Make sure you test every endpoints that you have found before moving on.
• Map the regular program flow and learn how the app is supposed to work.
• Prioritize the endpoints:
  • Look for strange or different endpoints
  • Endpoints with large amount of parameters.
  • Link to logic such as account changes or payment gateway
  • Common endpoints such as wordpress.

Stuck in a Plateau?

• What if I don’t find any bugs?
  • Sometimes the app is beyond your current skill level .
  • Make sure you have really exhausted everything
  • No more endpoints to test on.
  • Tried everything with the endpoints
  • No luck with Biz Logic
• Pause your testing :
  • Take notes and record your process so that you can go back to your target.
  • Reflect on what you learned and apply on a new target.