Have a question? Ask it here in this thread!

It seems like you’re suppose to log in using your bugcrowdninja email for most of your testing. Once you do so they probably cross-reference your ip to see you’re not a actual black hat.

If you’re really worried just go for the programs that say they’re a safe harbor, and not just partially safe.
They would probably contact you in good faith if they ever couldn’t tell.

Thanks for this reply :slight_smile:


1 Like

What is the best type of service to use for pen testing? Proxychains, tor or a vpn

There’s really no need for any of those (unless you’re trying to avoid ip bans). Your testing is completely authorized.

If the target has a program with BugCrowd or one of the similar sites, and if you abide by the target’s stated conditions, then you have their permission to hack. Read the rules very CAREFULLY. Stay in scope and don’t degrade service or damage their site. In many/most cases, you won’t be able to use automation without degrading service. They may know you are there, but they probably won’t know who you, unless you screw up. :slight_smile: You might use a VPN in case you get detected and locked out by IP address. Good luck!

Hello @shujaat, is there any unique ID that you can find in the response? Example may be like:


Maybe there’s some sort of parameter you can try fuzzing in the request. Even though there may not seem like there’s anything on the client-side, fuzzing may find a parameter you can use. At that point, you potentially have IDOR. Maybe the fuzzing found a parameter uniqueUUID which you can try in the request. So it’d be like: https://login.example.com/api/v2/verify?uniqueUUID=100. Also, try searching archive.org, maybe the wayback machine has some old parameters or even more interesting endpoints that you can find for there.

I don’t know, something to look into.

Hi there!

I found api keys(google search api key, google map api key and dropbox api key) in a public program. I doubt these have been reported so far…

Do you think i should report these keys?

I want to discuss about a topic: CSRF TOKEN BYPASS
Suppose an application uses a csrftoken in request and a csrftoken header. If the length of the token and header matches, then only a request is successful. On changing the values of both( changing from the original value) but keeping the length same, our requests gets going. My question is: How can we bypass this for a csrf attack?

Hello @smodnix and welcome to the community! Did you just simply find the keys, or were you able to verify you can use them for gaining sensitive data? There are times where API keys are meant to be public. I’m just not sure the context in where you found them, how you found them, etc.

Hello All,
This is Himanshu. I Am Computer Science engineering 3 year student.
Till now i Learnt Python ,C ,C++, Data structures And algorithm as perfect, and competitive programming. But I was doing all these thing just for the " campus placement" …
Now I really want to continue my passion to know cybersecurity…
Can anyone please how should a b.tech guy can learn all these skills …
and how to start with bug bounty if it is right for me at the moment…

I’m quite new into hacking in general. I was thinking about an area to start as a serious researcher and noticed not only from people talking but also from Bugcrowd’s Priority One Report 2019 that the focus on Mobile Hacking is pretty small (even the size of the particular forum is small when compared to the one dedicated to web apps), although the bounties seem to be raising in value. The submissions of Web-based bugs seem to dominate around 90% of the overall activity.

The reference to this information can be checked on pages 4 and 7 of the report.

Far from being discouraged by that I started to wonder whether this would not be a good thing for one who has enough dedication to Mobile App bug hunting. The “market” seems to be quite saturated when it comes to Web-App bug hunting (although not in its maximum, I realize), so just maybe some value can be extracted from Mobile. Why jump in an area such as Web-Apps when everyone seems to be doing just that? From what I could gather in my limited experience in the field, the barrier to entry in Mobile App bug hunting seems to be higher (which might actually be a good thing).

My question is: Why is it that so few people go for Mobile App pentesting / bug hunting? Is it because it’s harder? Is it because you actually have to understand how things work at a low/coding level instead of just firing automated vulnerability scans all over?

Excellent topic for discussion. I actually think it deserves its own thread. Please consider creating one.

You’re completely correct - too many hackers (myself included) focus pretty much only on attacking webapps. There are a few reasons for that. Firstly, it’s the most common kind of asset on bug bounty programs. Secondly, it’s very easy to get started - IoT and Mobile hacking requires some reverse engineering and setting up an testing environment whereas you can get started on webapps right away with just a browser and a proxy. Thirdly, there are tons of writeups and resources available online for learning web hacking. The same can not be said about other kinds of targets.

You should definitely get into Mobile App hacking if you have the skills. There’s way less competition (meaning more bounty potential) and many programs are looking for testers for their mobile applications.

1 Like

Thanks for the reply. I’m pretty new to all this stuff so my plan is to get a good grasp on the fundamentals before jumping into mobile hacking. I’d like to go through the basics of owning a ton of boxes on VulnHub and Hack the Box, as well as understanding what I can about web application hacking in general. All this can be done relatively fast by using labs. I’m not even interested in investing time hunting bugs on web apps.
From there I intend to go for mobile hacking with the goal of getting actual bounties. I’m also very involved with Python right now and trying to dominate the LAMP development stack. From there I’ll go for Javascript and, finally, Java (for the Android reverse engineering I plan to do).
There are at least three great books available on the topic on Amazon right now and I’ll buy all of them.
I can also bet that Chinese mobile ecosystems will start getting bigger pretty soon and will eventually open up for bug bounties too.

You could write some JavaScript that appends a character to your string and automatically submits it as the token. Do this in a loop.

If only length is checked then eventually it will succeed.


Some API keys also require the secret key to be useful.

So you will probably need the secret key as well. Check the relevant API documentation available on the web.

However, try and make a poc using the key to find out. I found a Stripe Payment key on a bug bounty and made and submitted a python script that printed out all card transactions. This demonstrated that the key could be used to extract private data. That’s the key with bug bounties… Make a poc that shows it’s a real issue.

Since starting out, i’ve found a few things that were received as duplicates. no worries, i found it. Now i think i’m on track of finding something else, but i’m actually lost on my next steps at the moment.

anyone familiar with passworwdless logins?

Depends on what you feel most comfortable with. I’m also a beginner, no degree, just found my first ever valid bug over at Hackerone. Nyself Sql injection or XSS I believe are in your means just takes time from what I’m learning and experiencing and most importantly, Patience!

Total beginner question:

Is having a domain a requirement on doing bug bounty hunting?

Thanks! Cheers!

Is it worth reporting a CORS miss-configuration (wildcard) if it only affect a few non sensitive files?(eg:fonts)