Table of Contents for
Bug Bounty Hunting Essentials

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Bug Bounty Hunting Essentials by Shahmeer Amir Published by Packt Publishing, 2018
  1. Bug Bounty Hunting Essentials
  2. Title Page
  3. Copyright and Credits
  4. Bug Bounty Hunting Essentials
  5. About Packt
  6. Why subscribe?
  7. Packt.com
  8. Contributors
  9. About the authors
  10. About the reviewers
  11. Packt is searching for authors like you
  12. Table of Contents
  13. Preface
  14. Who this book is for
  15. What this book covers
  16. Conventions used
  17. Get in touch
  18. Reviews
  19. Disclaimer
  20. Basics of Bug Bounty Hunting
  21. Bug bounty hunting platforms
  22. HackerOne
  23. Bugcrowd
  24. Cobalt
  25. Synack
  26. Types of bug bounty program
  27. Public programs
  28. Private programs
  29. Bug bounty hunter statistics
  30. Number of vulnerabilities
  31. Number of halls of fame
  32. Reputation points
  33. Signal
  34. Impact
  35. Accuracy
  36. Bug bounty hunting methodology
  37. How to become a bug bounty hunter
  38. Reading books
  39. Practicing what you learned
  40. Reading proof of concepts
  41. Learning from reports
  42. Starting bug bounty hunting
  43. Learning and networking with others
  44. Rules of bug bounty hunting
  45. Targeting the right program
  46. Approaching the target with clarity
  47. Keeping your expectations low
  48. Learning about vulnerabilities
  49. Keeping yourself up-to-date
  50. Automating your vulnerabilities
  51. Gaining experience with bug bounty hunting
  52. Chaining vulnerabilities
  53. Summary
  54. How to Write a Bug Bounty Report
  55. Prerequisites of writing a bug bounty report
  56. Referring to the policy of the program
  57. Mission statement
  58. Participating services
  59. Excluded domains
  60. Reward and qualifications
  61. Eligibility for participation
  62. Conduct guidelines
  63. Nonqualifying vulnerabilities
  64. Commitment to researchers
  65. Salient features of a bug bounty report
  66. Clarity
  67. Depth
  68. Estimation
  69. Respect
  70. Format of a bug bounty report
  71. Writing title of a report
  72. Writing the description of a report
  73. Writing the proof of concept of a report
  74. Writing exploitability of a report
  75. Writing impact of a report
  76. Writing remediation
  77. Responding to the queries of the team
  78. Summary
  79. SQL Injection Vulnerabilities
  80. SQL injection
  81. Types of SQL injection vulnerability
  82. In-band SQLi (classic SQLi)
  83. Inferential SQLi (blind SQLi)
  84. Out-of-band SQLi
  85. Goals of an SQL injection attack for bug bounty hunters
  86. Uber SQL injection
  87. Key learning from this report
  88. Grab taxi SQL Injection
  89. Key learning from this report
  90. Zomato SQL injection
  91. Key learning from this report
  92. LocalTapiola SQL injection
  93. Key learning from this report
  94. Summary
  95. Cross-Site Request Forgery
  96. Protecting the cookies
  97. Why does the CSRF exist?
  98. GET CSRF
  99. POST CSRF
  100. CSRF-unsafe protections
  101. Secret cookies
  102. Request restrictions
  103. Complex flow
  104. URL rewriting
  105. Using HTTPS instead of HTTP
  106. CSRF – more safe protection
  107. Detecting and exploiting CSRF
  108. Avoiding problems with authentication
  109. XSS – CSRF's best friend
  110. Cross-domain policies
  111. HTML injection
  112. JavaScript hijacking
  113. CSRF in the wild
  114. Shopify for exporting installed users
  115. Shopify Twitter disconnect
  116. Badoo full account takeover
  117. Summary
  118. Application Logic Vulnerabilities
  119. Origins
  120. What is the main problem?
  121. Following the flow
  122. Spidering
  123. Points of interest
  124. Analysis
  125. User input
  126. Out-band channels
  127. Naming conventions
  128. Keywords related to technologies
  129. Analyzing the traffic
  130. Application logic vulnerabilities in the wild
  131. Bypassing the Shopify admin authentication
  132. Starbucks race conditions
  133. Binary.com vulnerability – stealing a user's money
  134. HackerOne signal manipulation
  135. Shopify S buckets open
  136. HackerOne S buckets open
  137. Bypassing the GitLab 2F authentication
  138. Yahoo PHP info disclosure
  139. Summary
  140. Cross-Site Scripting Attacks
  141. Types of cross-site scripting
  142. Reflected cross-site scripting
  143. Stored cross-site scripting
  144. DOM-based XSS
  145. Other types of XSS attacks
  146. Blind XSS
  147. Flash-based XSS
  148. Self XSS
  149. How do we detect XSS bugs?
  150. Detecting XSS bugs in real life
  151. Follow the flow
  152. Avoiding input validation controls
  153. Other common strings
  154. Bypassing filters using encoding
  155. Bypassing filters using tag modifiers
  156. Bypassing filters using dynamic constructed strings
  157. Workflow of an XSS attack
  158. HackeroneXSS
  159. Executing malicious JS
  160. Embedding unauthorized images in the report
  161. Redirecting users to a different website
  162. Key learning from this report
  163. Slack XSS
  164. Embedding malicious links to infect other users on Slack
  165. Key learning from this report
  166. TrelloXSS
  167. Key learning from this report
  168. Shopify XSS
  169. Key learning from this report
  170. Twitter XSS
  171. Key learning from this report
  172. Real bug bounty examples
  173. Shopify wholesale
  174. Shopify Giftcard Cart
  175. Shopify currency formatting
  176. Yahoo Mail stored XSS
  177. Google image search
  178. Summary
  179. SQL Injection
  180. Origin
  181. Types of SQL injection
  182. In-band SQL injection
  183. Inferential
  184. Out-of-band SQL injection
  185. Fundamental exploitation
  186. Detecting and exploiting SQL injection as if tomorrow does not exist
  187. Union
  188. Interacting with the DBMS
  189. Bypassing security controls
  190. Blind exploitation
  191. Out-band exploitations
  192. Example
  193. Automation
  194. SQL injection in Drupal
  195. Summary
  196. Open Redirect Vulnerabilities
  197. Redirecting to another URL
  198. Constructing URLs
  199. Executing code
  200. URL shorteners
  201. Why do open redirects work?
  202. Detecting and exploiting open redirections
  203. Exploitation
  204. Impact
  205. Black and white lists
  206. Open redirects in the wild
  207. Shopify theme install open redirect
  208. Shopify login open redirect
  209. HackerOne interstitial redirect
  210. XSS and open redirect on Twitter
  211. Facebook
  212. Summary
  213. Sub-Domain Takeovers
  214. The sub-domain takeover
  215. CNAME takeovers
  216. NS takeover
  217. MX takeovers
  218. Internet-wide scans
  219. Detecting possibly affected domains
  220. Exploitation
  221. Mitigation
  222. Sub-domain takeovers in the wild
  223. Ubiquiti sub-domain takeovers
  224. Scan.me pointing to Zendesk
  225. Starbucks' sub-domain takeover
  226. Vine's sub-domain takeover
  227. Uber's sub-domain takeover
  228. Summary
  229. XML External Entity Vulnerability
  230. How XML works
  231. How is an XXE produced?
  232. Detecting and exploiting an XXE
  233. Templates
  234. XXEs in the wild
  235. Read access to Google
  236. A Facebook XXE with Word
  237. The Wikiloc XXE
  238. Summary
  239. Template Injection
  240. What's the problem?
  241. Examples
  242. Twig and FreeMaker
  243. Smarty
  244. Marko
  245. Detection
  246. Exploitation
  247. Mitigation
  248. SSTI in the wild
  249. Uber Jinja2 TTSI
  250. Uber Angular template injection
  251. Yahoo SSTI vulnerability
  252. Rails dynamic render
  253. Summary
  254. Top Bug Bounty Hunting Tools
  255. HTTP proxies, requests, responses, and traffic analyzers
  256. Burp Suite
  257. Wireshark
  258. Firebug
  259. ZAP – Zed Attack Proxy
  260. Fiddler
  261. Automated vulnerability discovery and exploitation
  262. Websecurify (SECAPPS)
  263. Acunetix
  264. Nikto
  265. sqlmap
  266. Recognize
  267. Knockpy
  268. HostileSubBruteforcer
  269. Nmap
  270. Shodan
  271. What CMS
  272. Recon-ng
  273. Extensions
  274. FoxyProxy
  275. User-Agent Switcher
  276. HackBar
  277. Cookies Manager+
  278. Summary
  279. Top Learning Resources
  280. Training
  281. Platzi
  282. Udemy
  283. GIAC
  284. Offensive Security
  285. Books and resources
  286. Web Application Hacker's Handbook
  287. OWASP Testing Guide
  288. Hacking 101
  289. The Hacker Play Book
  290. Exploiting Software
  291. CTFs and wargames
  292. Hack The Box
  293. Damn Vulnerable Web Application
  294. Badstore
  295. Metasploitable
  296. YouTube channels
  297. Web Hacking Pro Tips
  298. BugCrowd
  299. HackerOne
  300. Social networks and blogs
  301. Exploitware Labs
  302. Philippe Hare Wood
  303. PortSwigger's blog
  304. Meetings and networking
  305. LiveOverflow
  306. OWASP meetings
  307. DEFCON meetings
  308. 2600 meetings
  309. Conferences
  310. DEFCON
  311. BlackHat
  312. BugCON
  313. Ekoparty
  314. Code Blue
  315. CCC
  316. H2HC
  317. 8.8
  318. Podcasts
  319. PaulDotCom
  320. Summary
  321. Other Books You May Enjoy
  322. Leave a review - let other readers know what you think

Bug bounty hunting methodology

Every bug bounty hunter has a different methodology for hunting vulnerabilities and it normally varies from person to person. It takes a while for a researcher to develop their own methodology and lots of experimentation as well. However, once you get the hang of it, it is a self-driven process. The methodology of bug bounty hunting that I usually follow looks something like this:

  1. Analyzing the scope of the program: The scope guidelines have been clearly discussed in the previous chapters. This is the basic task that has to be done. The scope is the most important aspect of a bug bounty program because it tells you which assets to test and you don't want to spend time testing out-of-scope domains. The scope also tells you which are the most recent targets and which are the ones that can be tested to speed up your bounty process.
  2. Looking for valid targets: Sometimes the program does not necessarily have the entire infrastructure in its scope and there are just a number of apps or domains that are in the scope of the program. Valid targets are targets that help you quickly test for vulnerabilities in the scope and reduce time wasting.
  1. High-level testing of discovered targets: The next thing to do is a quick overview of targets. This is usually done via automated scanning. This basically tells the researchers whether the targets have been tested before or have they been tested a long time ago. If automated scanning does not reveal vulnerabilities or flaws within a web application or a mobile application, it is likely that the application has been tested by researchers before. Nonetheless, it is still advised to test that application one way or another, as this reveals the application's flaws in detail.
  2. Reviewing all applications: This is a stage where you review all the applications and select the ones based on your skill set. For instance, Google has a number of applications; some of them are coded in Ruby on Rails, some of them are coded in Python. Doing a brief recon on each application of Google will reveal which application is worth testing based on your skill set and level of experience. The method of reviewing all the applications is mostly information gathering and reconnaissance.
  3. Fuzzing for errors to expose flaws: Fuzzing is termed as iteration; the fastest way to hack an application is to test all of its input parameters. Fuzzing takes place at the input parameters and is a method of iterating different payloads at different parameters to observe responses. When testing for SQL injection vulnerabilities and cross-site scripting vulnerabilities, fuzzing is the most powerful method to learn about errors and exposure of flaws. It is also used to map an application's backend structure.
  4. Exploiting vulnerabilities to generate POCs: By fuzzing, we identify the vulnerabilities. In other scenarios, vulnerability identification is just one aspect of it. In bug bounty hunting, vulnerabilities have to be exploited constructively to generate strong proof of concepts so that the report is considered in high regard. A well explained the proof of concepts will accelerate the review process. In conventional penetration tests, vulnerability exploitation is not that important, but in bug bounty hunting, the stronger the proof of concept, the better the reward.