Have a question? Ask it here in this thread!


#1

Have a question or need help with something? Ask it here!

When new users enter this forum they are unable to post a new topic until they’ve replied to other threads and read other posts. We do this to help limit spam.

So, with that said, if you’re new you should use this thread to post your question!


#2

I have started reading The Web Application Hacker's Handbook and really want to start practicing or working on getting some small bounties. I am about 200 pages in and have learned a few things and know how to map a website. What are some examples of small bounties I should aim for? What else should I be doing to get better at this bug hunting thing?


#3

I would suggest looking at places that don't pay bounties, so they are more out of sight and might have some low-hanging fruit. Some websites run their bug bounty from their own help portal, and I started by winning a few t-shirts, a game on Steam, etc. Bounties came later when I had more skills and tools.


#4

Hi,

After taking a computer security class in college I got into bug bounty and got a few bounties in the last couple of months, and even just wrote my first write-up https://medium.com/@eraymitrani/4500-bounty-how-i-got-lucky-99d8bc933f75 .

However, so far I've only found bugs like subdomain takeover, reflected XSS, IDOR and DoS, most of which basically involved me doing decent recon and playing around with parameters in a web app, but so far I don't even know where to begin to look for RCE, XXE, SQLi, SSRF, etc. I try running sqlmap, but I assume that is just a trivial way to go about it. I found a few possible code injections, but I can never figure out how much padding I need for a command, or I run into a lot of 500 responses.

My main question is: so far I have only learned how to check the front door of an application, the part that faces the user, or the surface level. How do you even begin to look for the big bugs? I don't expect to insert two quotes in a query and crash a server, but there has to be a way to recognize issues other than, I don't know, running sqlmap and hoping for the best.

If it helps, I know a little bit of React, GraphQL and basic web dev stuff, but my only tools are Burp and the Chrome Debugger. Looking at the compressed JavaScript is impossible for me to understand, and I only found one bug by actually looking at code. I'm not asking to get into decompiling binaries and looking for overflows, but there should be an entry point.

I’m open to any and all suggestions.


#5

You already have more knowledge than me, at least. I haven't read that book. You should just start looking for bugs with all that knowledge and keep reading the book and learning from more resources.
I don't agree with @emitrani about looking at places where no bounty is offered; I don't see the value of doing that based on the idea that "it's easier". However, if you want to do it out of some conviction, or because you want to build reputation to get private invites and things like that, or just because you want to spend more time on bug bounties, then it's okay in my opinion. I don't do it, and the times I spent time just to see if it was easier I noticed that it wasn't.
You should aim for the highest bounties. If you don't get the highest that's okay and understandable, but you should aim for that; otherwise you are never going to be challenged to learn more and be good enough at hunting bugs.


#6

Hi @emitrani
At the moment I'm trying to find those P1 bugs too, so I'm reading as much as possible to understand what to look for and how to notice when something may look suspicious. However, I don't recommend running sqlmap everywhere unless you want to get banned :smiley:.
I hope someone else can give you guidance because I'm not used to finding RCE/XXE/SQLi. But I don't see any other way than learning from reading and watching videos of talks about the issues you are interested in finding.

I hope you can find those P1s in the near future!


#7

What's helping me, believe it or not, is taking notes. For example, I am focusing on this particular domain right now and I take notes like this:

Has sign in page - this has to be connected to a database - maybe SQL injection?
Has register via Facebook - this is via OAuth - maybe an OAuth token leak exists?
Can receive in-app messages - maybe an IDOR - can I read another user's messages?
subdomains are not in scope - no point using sublist3r then - would be a waste of time
etc.

It is helping me, but not sure about others. I then have an idea of what tools to run and not run, but also what exploits may or may not exist, etc. I figured out how to do this by reading reports, reading the OWASP Testing Guide, and practising on Mutillidae.

I have also started putting all publicly disclosed reports in a CSV so I can log previously vulnerable endpoints, as they may still be vulnerable or become vulnerable in the future, e.g.

http://store.steampowered.com/widget/386360/?t=[ == endpoint
]xss == payload
vulnerability == reflected XSS
bounty == $1000
report == https://hackerone.com/reports/313250

I will upload the CSV to GitHub at some point. Hope this helps my fellow beginners.

Good Luck


#8

Can’t ban you if you use VPN :smiley:


#9

Hey guys,

Actually I am not new to this BB thing, but I haven't been able to find any good bugs in the year since I was introduced to this field. Most of the bugs are either low priority or, in the case of XSSs, duplicates. Right now I have been working on a program, and it would be a great help if you could help me exploit this open redirect issue.

The main url looks something like this:

www.attack.com/login?next=/forgot_password/

See the ‘next’ parameter here?

When I try to change the parameter's value to www.google.com
it changes to
attack.com/u/www.google.com/ , showing "oops, we will be right back" and an error page. The URL got concatenated somehow, but it was not redirecting.
I thought there must be something here, but I was unable to exploit it after reading many other reports. Any personal help in this case would be much appreciated.
Thanks in advance. :slight_smile:
Any hints?


#10

Maybe expensive :rofl:


#11

Whatever makes you work more efficiently is welcome. I make notes too, and sometimes it has been useful coming back to those notes because I ended up finding a bug worth reporting.
Good luck for you too!


#12

Hi @luffydragneel,

check the response from the server using your preferred tool (Burp and similar, or the browser), because sometimes the redirection is made using JavaScript code instead of a 302/301/... response (and sometimes you may see they use the tag). If they use JavaScript for the redirection, try to find the code that does the redirection so you can work out how to use it to your advantage. If it's a 30X redirection, look at the value of the Location header; if it is exactly what you send as the value of next= and http://your.domain is not ignored, try //your.domain/.
Maybe you already tried all those things; if you haven't, that's a useful way to look for what to do.
If you end up realizing that it's just a relative redirection, then save it in your notes or similar, because in the future it can be useful.
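The checks in the reply above (Location header vs. client-side redirect, whether the next= value is taken as an absolute URL, and the //your.domain/ variant) can be applied to captured responses with a small script. The following is an added example, not code from the thread or from any of the posters; the target origin, the attacker host, the payload list and the sample responses are all constructed for illustration.

```javascript
// Added example (not from the thread): triage a redirect candidate such as
// /login?next=<payload> by looking at what the response actually does, the
// way the reply above suggests doing by hand in Burp. The origin, the attacker
// host, the payload list and the sample responses are constructed.

const TARGET_ORIGIN = "https://www.attack.com";   // hypothetical target
const ATTACKER_HOST = "your.domain";              // hypothetical host you control

// Values worth sending in next=. Browsers resolve every one of these to
// ATTACKER_HOST, including the ones a naive "must start with /" check passes.
function redirectPayloads(host) {
  return [
    `https://${host}/`,
    `//${host}/`,
    `/\\${host}/`,                  // browsers treat "\" as "/" in http(s) URLs
    `${TARGET_ORIGIN}.${host}/`,    // defeats a startsWith(TARGET_ORIGIN) check
    `${TARGET_ORIGIN}@${host}/`,    // userinfo trick: the host is what follows "@"
  ];
}

// Resolve a Location value (or a client-side redirect string) against the
// request URL exactly as a browser would; null if it is not a parsable URL.
function resolveRedirect(target, requestUrl) {
  try {
    return new URL(target, requestUrl);
  } catch (e) {
    return null;
  }
}

// Does the resolved destination land on the attacker's host (or a subdomain)?
function resolvesToAttacker(target, requestUrl, attackerHost) {
  const dest = resolveRedirect(target, requestUrl);
  return dest !== null &&
    (dest.hostname === attackerHost || dest.hostname.endsWith("." + attackerHost));
}

// Cheap scan for client-side redirects in an HTML body: location.href = "...",
// location.replace("...") / assign("..."), and <meta http-equiv=refresh>.
// The URL is always the last capture group of whichever pattern matched.
const CLIENT_REDIRECT_PATTERNS = [
  /location(?:\.href)?\s*=\s*(['"])([^'"]+)\1/i,
  /location\.(?:replace|assign)\(\s*(['"])([^'"]+)\1/i,
  /<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)/i,
];

function findClientSideRedirect(body) {
  for (const re of CLIENT_REDIRECT_PATTERNS) {
    const m = re.exec(body);
    if (m) return m[m.length - 1];
  }
  return null;
}

// Classify one captured response. `headers` uses lower-case names.
// Returns { kind, destination }.
function classifyResponse(response, requestUrl, attackerHost) {
  const { status, headers = {}, body = "" } = response;
  let target = null;
  let via = null;

  if (status >= 300 && status < 400 && headers.location) {
    target = headers.location;
    via = "location-header";
  } else {
    target = findClientSideRedirect(body);
    via = "client-side";
  }
  if (target === null) return { kind: "no-redirect", destination: null };

  const dest = resolveRedirect(target, requestUrl);
  if (!dest) return { kind: "no-redirect", destination: target };

  if (resolvesToAttacker(target, requestUrl, attackerHost)) {
    return { kind: `open-redirect-${via}`, destination: dest.href };
  }
  if (dest.origin === new URL(requestUrl).origin) {
    return { kind: "relative-redirect", destination: dest.href };  // note it for later
  }
  return { kind: "redirect-elsewhere", destination: dest.href };
}

// Constructed responses standing in for what you would see in the proxy.
const REQUEST_URL = `${TARGET_ORIGIN}/login?next=`;
const SAMPLE_RESPONSES = [
  { status: 302, headers: { location: "/forgot_password/" }, body: "" },
  { status: 302, headers: { location: `//${ATTACKER_HOST}/` }, body: "" },
  { status: 302, headers: { location: `/\\${ATTACKER_HOST}/` }, body: "" },
  { status: 200, headers: { "content-type": "text/html" },
    body: `<script>window.location.href = "https://${ATTACKER_HOST}/landed";</script>` },
  { status: 200, headers: { "content-type": "text/html" },
    body: "<h1>oops, we will be right back</h1>" },
];

function triage(responses, requestUrl, attackerHost) {
  return responses.map((r) => classifyResponse(r, requestUrl, attackerHost).kind);
}

for (const [i, r] of SAMPLE_RESPONSES.entries()) {
  const verdict = classifyResponse(r, REQUEST_URL, ATTACKER_HOST);
  console.log(`sample ${i}: ${r.status} -> ${verdict.kind} (${verdict.destination})`);
}
```

The resolution step uses the WHATWG URL parser that Node shares with browsers, which is why `/\your.domain/` is reported as leaving the site: a server-side check written with a library that does not treat the backslash as a slash will pass it while the browser follows it. A 200 "oops" page with no redirect pattern in it, like the one described in the question, comes back as no-redirect and goes in the notes rather than the report.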


#13

Hello hunters,

I came across this code and I think an XSS exploit can be squeezed out of here, but I don't understand what this code does exactly, so that I could write a successful XSS payload.

hash,$targetElement,$accordion,offset,delay,speed;offset=.2,delay=300,speed=0,(hash=window.location.hash)&&($targetElement=$(hash),$targetElement.length&&($accordion=$targetElement.find('[data-vc-accordion][href="'+hash+'"],[data-vc-accordion][data-vc-target="'+hash+'"]'),$accordion.length&&(setTimeout(function(){$("html, body").animate({scrollTop:$targetElement.offset().top-$(window).height()*offset},speed)},delay),$accordion.trigger("click"))))


#14

Hey thanks @stefanofinding
I will surely try that


#15

Hi Somesh,

I recommend you use some kind of JavaScript beautifier. There are online ones if your text editor doesn't provide a plugin for that. That way you will be able to understand the code a little better.

This is the code beautified:

// Needs jQuery ($). 'var' restored: the snippet was cut from the middle of a declaration (assumption).
// Attribute selectors are single tokens: data-vc-accordion, data-vc-target.
var hash, $targetElement, $accordion, offset, delay, speed;
offset = .2, delay = 300, speed = 0, (hash = window.location.hash) && ($targetElement = $(hash), $targetElement.length && ($accordion = $targetElement.find('[data-vc-accordion][href="' + hash + '"], [data-vc-accordion][data-vc-target="' + hash + '"]'), $accordion.length && (setTimeout(function() {
  $("html, body").animate({
    scrollTop: $targetElement.offset().top - $(window).height() * offset
  }, speed)
}, delay), $accordion.trigger("click"))))

From what I understand of it, what I find interesting is the $(hash). I would check whether they use a version of jQuery that is vulnerable to the issue where $('<svg onload=alert()>') ends up executing the alert(). You can use this page to check if the version they have is vulnerable: http://research.insecurelabs.org/jquery/test/. Bug 9521 is the one that interests you in this case. I have never tried it with .find(), but maybe it's vulnerable to bug 11290, so you would have two issues there.
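What decides whether the $(hash) in the code from #13 is an element lookup or HTML to be parsed is a test jQuery applies to the string it receives, and that test is what the bug 9521 fix in #15 changed. The following is an added example, not code from the thread and not jQuery's own source: it emulates that test for three jQuery lines and shows a hardened way to turn the fragment into an element id. The three regular expressions are reconstructed from jQuery's source history and are an assumption; check them against the exact jQuery file served by the target before relying on the version boundaries.

```javascript
// Added example (not from the thread, not jQuery's code): emulate the check
// jQuery runs on the string passed to $(...), which is what makes
// $(window.location.hash) exploitable on old versions. The three regexes are
// reconstructed from jQuery's source history (assumption: verify against the
// exact jquery.js on the target).

// jQuery 1.4 - 1.6.2: HTML anywhere in the string is parsed (bug 9521).
const QUICK_EXPR_PRE_163 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.6.3 - 1.8.x: a "#" before the "<" disables the HTML branch.
const QUICK_EXPR_163 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.9+: only strings that start with "<" are HTML.
const RQUICK_EXPR_19 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// True when $(input) on the given jQuery line would create elements from the
// string (running any onload/onerror handler in it) instead of selecting.
function isTreatedAsHtml(input, jqueryLine) {
  if (jqueryLine === "1.9+") {
    if (input.charAt(0) === "<" && input.charAt(input.length - 1) === ">" && input.length >= 3) {
      return true;
    }
    const m = RQUICK_EXPR_19.exec(input);
    return Boolean(m && m[1]);
  }
  const re = jqueryLine === "1.6.3-1.8" ? QUICK_EXPR_163 : QUICK_EXPR_PRE_163;
  const m = re.exec(input);
  return Boolean(m && m[1]);
}

// What a hunter would append to the page URL to test the $(hash) in #13.
// Constructed payload; document.domain keeps the proof of concept harmless.
const HASH_PAYLOAD = "#<img src=x onerror=alert(document.domain)>";

// Which jQuery lines would hand the payload to the HTML parser via $(hash)?
function vulnerableLines(hash) {
  return ["pre-1.6.3", "1.6.3-1.8", "1.9+"].filter((line) => isTreatedAsHtml(hash, line));
}

// Hardened replacement for $(window.location.hash): accept only a plain id
// token and let the caller do document.getElementById(id), so nothing derived
// from the fragment is ever handed to jQuery as a string.
const SAFE_FRAGMENT_ID = /^#([A-Za-z][\w-]*)$/;
function resolveHashTarget(hash) {
  const m = SAFE_FRAGMENT_ID.exec(hash || "");
  return m ? m[1] : null;
}

console.log("jQuery lines that parse the payload as HTML:", vulnerableLines(HASH_PAYLOAD));
console.log("safe id for '#faq-3':", resolveHashTarget("#faq-3"));
console.log("safe id for the payload:", resolveHashTarget(HASH_PAYLOAD));
```

Note the distinction the example makes visible: $('<svg onload=alert()>') from #15 creates the element and fires the handler on every jQuery line, because a string starting with "<" is HTML by design; what the 1.6.3 fix changed is whether a fragment starting with "#" can reach that path, so on a patched version the hunter needs a different sink than $(hash). The .find() call takes hash as part of an attribute selector string, which is a separate question the example does not cover.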


#16

invaluable sharing of knowledge thank you @stefanofinding


#17

I wonder if anybody can help me understand this. I am testing a web app, and when I enter a benign string into search and check the proxy I get several 500 response codes (MIME type HTML) and then eventually a 200 response code (MIME type JSON). This only happens on the first visit; on subsequent visits it starts calling an API, some of the response codes for which are 418, all with MIME type JSON.

Any ideas?

(two screenshots attached, named "what" and "what1")


#18

One day you will realize that it’s not that invaluable. :smiley:
But I’m glad it’s useful for you at the moment.


#19

From what I see the 200 response is a different URL. Is that right? Maybe share the path, not the domain if it’s a private domain. Or at least, a redacted path.


#20

Thanks for the reply @stefanofinding. It's really strange: I simply entered xxxxxxxxxxx and pressed search (that's the first image), and then I pressed search again; the result is the second image. I will add the path another time as I'm on the way out now.