BUG BOUNTY HUNTING (METHODOLOGY ,TOOLKIT ,TIPS & TRICKS, BlOGS)

What is Bug Bounty?

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. 

A reward offered to a perform who identifies an error or vulnerability in a computer program or system.
‘The company boosts security by offering a bug bounty’


 
Bug Bounty - Image Source Google


Bug Bounty Programs





Bug Bounty- Image Source Google


Some Books reading about Bug Hunting

There are some books for Web application penetration testing methodology and hunting the web. Through this you learn the basics and essentials of penetration testing and bug hunting. Since bug bounties often include website targets, we’ll focus on getting you started with Web Hacking and later we’ll branch out. 

 For our Mobile hacking friends:

Practice makes Perfect!

While you’re learning it’s important to make sure that you’re also understanding and retaining what you learn. Practicing on vulnerable applications and systems is a great way to test your skills in simulated environments. These will give you an idea of what you’ll run up against in the real world. 


Read tech Vulnerabilities POCs (Proof of Concepts) and write-ups from other hackers

Now that you’ve got a baseline understanding of how to find and exploit security vulnerabilities, it’s time to start checking out what other hackers are finding in the wild. Luckily the security community is quite generous with sharing knowledge and we’ve collected a list of write-ups & tutorials: 


Watch tutorials (Bug Hunting) on YouTube!
  

 Bugcrowd Approach for Bug Hunting


Okay, now you’re at the point where it’s almost time to start hunting for bounties. But first, let’s learn how bug bounties work and how to get started, just to make sure we maximize our chances of success.



Vulnerability guides 


Web Vulnerability Scanners

Netsparker Application Security Scanner — Application security scanner to automatically find security flaws.
Nikto — Noisy but fast black box web server and web application vulnerability scanner.
Arachni — Scriptable framework for evaluating the security of web applications.
w3af — Web application attack and audit framework.
Wapiti — Black box web application vulnerability scanner with built-in fuzzer.
SecApps — In-browser web application security testing suite.
WebReaver — Commercial, graphical web application vulnerability scanner designed for macOS.
WPScan — Black box WordPress vulnerability scanner.
Zoom — Powerful wordpress username enumerator with infinite scanning.
cms-explorer — Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.
joomscan — Joomla vulnerability scanner.
ACSTIS — Automated client-side template injection (sandbox escape/bypass) detection for AngularJS.
SQLmate — A friend of sqlmap that identifies sqli vulnerabilities based on a given dork and website (optional).

InfoSec CheatSheet

  1. Pentest Bookmarks
  2. Awesome OSINT Cheat-sheet
  3. Awesome Pentest Cheat-sheet
  4. Bug Bounty Cheat-sheet
  5. Awesome Hacking Cheat-sheet
  6. Awesome-Infosec Cheat-Sheet
  7. SQL Injection Cheat-Sheet
  8. XSS Cheat-Sheet
  9.  XXE Payload

Pen Testing Methodologies

  1. Penetration Testing Framework
  2. The Penetration Testing Execution Standard
  3. The WASC Threat Classification
  4. OWASP Top Ten Project
  5. The Social Engineering Framework

My Tips & Tricks

  • Bug Bounty Hunting Tip #1- Always read the Source Code
  • Bug Bounty Hunting Tip #2- Try to Hunt Subdomains
  • Bug Bounty Hunting Tip #3- Always check the Back-end CMS
  • Bug Bounty Hunting Tip #4- Google Dorks is very helpful
  • Bug Bounty Hunting Tip #5- Check each request and response
  • Bug Bounty Hunting Tip #6- Active Mind - Out of Box Thinking :)

My Methodology for Bug Hunting 

  • First review the scope 
  • Perform reconnaissance to find valid targets 
  • Find sub-domains through various tools Sublist3, virus-total etc. 
  • Select one target then scan against discovered targets to gather additional information (Check CMS, Server and all other information which i need) 
  • Use google dorks for information gathering of a particular taget. 
  • Review all of the services, ports and applications. 
  • Fuzz for errors and to expose vulnerabilities 
  • Attack vulnerabilities to build proof-of-concepts

For Bug bounty programs, First I’m going to review the scope of the target. There’s a huge difference between a scope such as *.facebook.com versus a small company’s single application test environment.

If scope is big than they accepts submissions for any of their servers, I’m going to start doing reconnaissance using search engines such as Google, Shodan, Censys, ARIN, etc. to discover subdomains, endpoints, and server IP addresses. This is a mix of Google dorking, scanning IP ranges owned by companies, servers ports scanning etc. Anything that gives me information on servers that may be owned by that company.

When I have a list of servers, I start to perform nmap port and banner scanning to see what type of servers are running. You may get some quick finds such as open SSH ports that allow password-based authentication. At this point I tend to stay away from reporting those smaller issues. I opt to spend more time looking for critical applications running on non-standard web ports such as Jenkins that may have weak default configuration or no authentication in front of them.
Before I hunt into the websites too deeply, I first do a quick run through the web servers looking for common applications such as WordPress ,Drupal , joomla etc . This is a mix of just browsing the sites manually or directory hunting by using wordlist, looking for sitemaps, looking at robots.txt, etc. Some open source plugins are typically poorly made and with some source review can lead to critical findings.

Then dig in to website, check each request and response and analysis that, I’m trying to understand their infrastructure such as how they’re handling sessions/authentication, what type of CSRF protection they have (if any).
Sometimes I use negative testing to through the error, this Error information is very helpful for me to finding internal paths of the website. I spend most of my time trying to understand the flow of the application to get a better idea of what type of vulnerabilities to look for.
Once I’ve done all of that, depending on the rules of the program, I’ll start to dig into using scripts for wordlist bruteforcing endpoints. This can help with finding new directories or folders that you may not have been able to find just using the website. This tends to be private admin panels, source repositories they forgot to remove such as /.git/ folders, or test/debug scripts. After that check each form of the website then try to push client side attacks. Use multiple payloads to bypass client side filters. Best tools for all over the Bug Bounty hunting is “BURP SUITE” :)

This is just the methodology for Bug bounty hunting and Penetration testing that seems to work for me :)


TOOLS , Wordlists , Patterns, Payloads , Blogs

Tools & OS : 

Wordlist :

Browser Plugin’s:

Passive Reconnaissance 

Payloads for Hunting


Information Security / Bug Hunting Blogs


“My daily inspiration are those who breaks their own limits and get success. “

Comments

Post a Comment

Popular posts from this blog

D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting

D-Link DIR-615 Wireless Router —Vertical Privilege Escalation - CVE-2019–19743

OWASP Top 10 2017 — Web Application Security Risks