Have a question? Ask it here in this thread!

Hello All,
This is Himanshu. I am a Computer Science engineering 3rd year student.
Till now I learnt Python, C, C++, Data Structures and Algorithms perfectly, and competitive programming. But I was doing all these things just for the "campus placement"…
Now I really want to continue my passion to know cybersecurity…
Can anyone please tell how a B.Tech guy can learn all these skills…
and how to start with bug bounty if it is right for me at the moment…

I’m quite new to hacking in general. I was thinking about an area to start as a serious researcher and noticed not only from people talking but also from Bugcrowd’s Priority One Report 2019 that the focus on Mobile Hacking is pretty small (even the size of the particular forum is small when compared to the one dedicated to web apps), although the bounties seem to be rising in value. The submissions of Web-based bugs seem to dominate around 90% of the overall activity.

The reference to this information can be checked on pages 4 and 7 of the report.

Far from being discouraged by that I started to wonder whether this would not be a good thing for one who has enough dedication to Mobile App bug hunting. The “market” seems to be quite saturated when it comes to Web-App bug hunting (although not in its maximum, I realize), so just maybe some value can be extracted from Mobile. Why jump in an area such as Web-Apps when everyone seems to be doing just that? From what I could gather in my limited experience in the field, the barrier to entry in Mobile App bug hunting seems to be higher (which might actually be a good thing).

My question is: Why is it that so few people go for Mobile App pentesting / bug hunting? Is it because it’s harder? Is it because you actually have to understand how things work at a low/coding level instead of just firing automated vulnerability scans all over?

Excellent topic for discussion. I actually think it deserves its own thread. Please consider creating one.

You’re completely correct - too many hackers (myself included) focus pretty much only on attacking webapps. There are a few reasons for that. Firstly, it’s the most common kind of asset on bug bounty programs. Secondly, it’s very easy to get started - IoT and Mobile hacking require some reverse engineering and setting up a testing environment, whereas you can get started on webapps right away with just a browser and a proxy. Thirdly, there are tons of writeups and resources available online for learning web hacking. The same cannot be said about other kinds of targets.

You should definitely get into Mobile App hacking if you have the skills. There’s way less competition (meaning more bounty potential) and many programs are looking for testers for their mobile applications.


Thanks for the reply. I’m pretty new to all this stuff so my plan is to get a good grasp on the fundamentals before jumping into mobile hacking. I’d like to go through the basics of owning a ton of boxes on VulnHub and Hack the Box, as well as understanding what I can about web application hacking in general. All this can be done relatively fast by using labs. I’m not even interested in investing time hunting bugs on web apps.
From there I intend to go for mobile hacking with the goal of getting actual bounties. I’m also very involved with Python right now and trying to dominate the LAMP development stack. From there I’ll go for Javascript and, finally, Java (for the Android reverse engineering I plan to do).
There are at least three great books available on the topic on Amazon right now and I’ll buy all of them.
I can also bet that Chinese mobile ecosystems will start getting bigger pretty soon and will eventually open up for bug bounties too.

You could write some JavaScript that appends a character to your string and automatically submits it as the token. Do this in a loop.

If only length is checked then eventually it will succeed.

Token+='z';

Some API keys also require the secret key to be useful.

So you will probably need the secret key as well. Check the relevant API documentation available on the web.

However, try and make a poc using the key to find out. I found a Stripe Payment key on a bug bounty and made and submitted a python script that printed out all card transactions. This demonstrated that the key could be used to extract private data. That’s the key with bug bounties… Make a poc that shows it’s a real issue.

Since starting out, I’ve found a few things that were received as duplicates. No worries, I found it. Now I think I’m on track to finding something else, but I’m actually lost on my next steps at the moment.

Anyone familiar with passwordless logins?

Depends on what you feel most comfortable with. I’m also a beginner, no degree, just found my first ever valid bug over at HackerOne. Myself, SQL injection or XSS I believe are in your means; it just takes time, from what I’m learning and experiencing, and most importantly, patience!

Total beginner question:

Is having a domain a requirement for doing bug bounty hunting?

Thanks! Cheers!

[Q]
Is it worth reporting a CORS misconfiguration (wildcard) if it only affects a few non-sensitive files? (e.g. fonts)

It is not. In some cases (for PoCs) it might be useful, but in those cases you can just use an ngrok address or Canary token.

It doesn’t really have a security impact, so probably not. It might even be a conscious choice by the company to allow resource sharing. Try to see if you can find a more sensitive endpoint affected by the same misconfiguration.
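The reasoning in the two replies above, written out as a triage helper (added example, not code from the thread). It encodes why a wildcard on static files is not reportable and what would be: browsers refuse to send cookies when Access-Control-Allow-Origin is `*`, so only already-public data can be read, while a reflected origin plus Allow-Credentials on an authenticated endpoint lets a third-party page read the victim's data. The header names are the real CORS headers; the sample headers in the test are constructed.

```python
# Added example: classify one CORS response so a wildcard on fonts is not
# confused with a misconfiguration that exposes authenticated data.
from typing import Dict


def cors_risk(headers: Dict[str, str], origin: str, endpoint_is_sensitive: bool) -> str:
    """Return 'none', 'low' or 'high' for a response to a cross-origin request.

    headers: response headers (looked up case-insensitively)
    origin:  the Origin value that was sent with the request
    endpoint_is_sensitive: does the endpoint return per-user/authenticated data?
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"

    if acao is None:
        return "none"          # no CORS header: the browser blocks the cross-origin read
    if acao == "*":
        # Browsers never attach cookies to a request answered with ACAO '*', so only
        # data that is public anyway (fonts, static assets) is readable. Not reportable.
        return "none"
    if acao in (origin, "null") and creds and endpoint_is_sensitive:
        # Reflected (or 'null') origin plus credentials on an authenticated endpoint:
        # an attacker-controlled page can read the logged-in victim's data.
        return "high"
    if acao in (origin, "null"):
        # Origin is trusted but either no credentials or only public data: note it,
        # keep looking for a sensitive endpoint with the same behaviour.
        return "low"
    return "none"              # a fixed, unrelated allowed origin
```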

Web Cache Poisoning POC:

So I’m pretty sure I found a web cache poisoning attack, but when I submitted… they want a POC that shows impact. In summary:

I added the following headers to the request:

X-Forwarded-Host: r804p4qn34wcm3nhyto9ohdokfq8e64uxvll8bw0.burpcollaborator.net

This resulted in a response containing ‘r804p4qn34wcm3nhyto9ohdokfq8e64uxvll8bw0’. I then resent the request without these headers and got the same response, indicating that it had been cached.

Can anyone advise on a POC that I can use?

Would I just need to put something like evil-url.com/maliciousfile.exe in?

Thanks in advance!

Wow, sounds like a bug with some serious potential impact. I guess it depends on where the input is reflected. Here’s a few ideas:

  • Is the input reflected in a Location response header? I know you didn’t say so, but it seems likely judging by the nature of the request header. In that case, you’ve got a stored open redirect.
  • Try to inject HTML or JavaScript in the X-Forwarded-Host header. If you can execute JavaScript, it’s a stored XSS vulnerability. If you can inject HTML, you can maybe completely deface the website and make it say whatever you want. Your evil-url.com/maliciousfile.exe idea is great, but the attack is more convincing with some HTML formatting.
  • Is the input reflected as an error message? In that case, you can probably perform a pretty scary DoS attack (check the program rules first). For more information on CPDoS, check out this awesome article.

If all else fails, it’s not a bad idea to inject a malicious link, but that obviously requires that the link is reflected visibly on the page. You should try to escalate it as much as you can first.

When testing, you should use a cache-buster (/path/endpoint.php?letsnotpoisonnormalusers=1) to get more reliable results and avoid bothering legitimate users.
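A toy origin and cache, as an added example that is not from the thread, showing why the unkeyed X-Forwarded-Host reflection described above reaches other users and how the two server-side fixes stop it: validating the forwarded host against an allowlist, or including the header in the cache key. It also shows the cache-buster convention from the reply above. The hostnames, paths and class names are constructed for the demo.

```python
# Added example: simulate web cache poisoning via an unkeyed header and its fixes.
from typing import Dict, Tuple

ALLOWED_HOSTS = {"www.example.com"}   # constructed: the app's real hostnames


def origin_response(headers: Dict[str, str], validate: bool) -> str:
    """What the origin returns. Unfixed behaviour: trusts X-Forwarded-Host
    when building absolute URLs. Fix 1: fall back to a known host otherwise."""
    host = headers.get("X-Forwarded-Host", headers.get("Host", "www.example.com"))
    if validate and host not in ALLOWED_HOSTS:
        host = "www.example.com"
    return f'<script src="https://{host}/static/app.js"></script>'


class Cache:
    """Cache keyed on path plus any headers listed in keyed_headers.
    Fix 2: key on X-Forwarded-Host (or send Vary) so attacker and victim entries differ."""

    def __init__(self, keyed_headers: Tuple[str, ...] = ()):
        self.keyed_headers = keyed_headers
        self.store: Dict[tuple, str] = {}

    def key(self, path: str, headers: Dict[str, str]) -> tuple:
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def get(self, path: str, headers: Dict[str, str], validate: bool = False) -> str:
        k = self.key(path, headers)
        if k not in self.store:                       # miss: ask the origin, store it
            self.store[k] = origin_response(headers, validate)
        return self.store[k]


def poison_then_read(cache: Cache, validate: bool = False) -> str:
    """One request carrying a forged X-Forwarded-Host, then a normal user's request
    for the same URL (no forwarded header). Returns what the normal user receives."""
    cache.get("/", {"Host": "www.example.com", "X-Forwarded-Host": "attacker.example"}, validate)
    return cache.get("/", {"Host": "www.example.com"}, validate)


def with_cache_buster(path: str, tag: str) -> str:
    """Tester convention: a unique query string keeps the test in its own cache entry."""
    return f"{path}?cachebuster={tag}"
```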


Hi,

I’m not exactly new, as I joined a couple of years ago.
I participated in a few public programs but wasn’t able to put in the requisite time in order to find anything worth submitting.

Fast forward to the present - it would appear that things have changed significantly.

It seems that all of the public programs have a list of 2 to 4 requirements that must be met before the “join” button becomes functional. All the requirements (except one) relate to past performance, of which I have exactly none.

So - is this a case of “You snooze, you lose”? Am I basically barred from participating due to not having submitted any reports in the past?

Best,
Yabai

Hi Yabai,

The “waitlisted” and “joinable” programs are new kinds of private programs that do not require an invitation. If you meet the requirements, you are eligible to participate or apply to participate in the programs. There are still tons of public programs that don’t have any requirements - you just have to scroll a little further, since Bugcrowd just dropped about 30 waitlisted/joinable programs.


Hi waike,

Thanks for your reply!

I had a chat with Breonna and she explained the various nuances. My main misconception was that I assumed that if a program had no “join” button at all, it meant that it was either full to capacity or otherwise off-limits to me. I didn’t realize that some programs don’t require you to explicitly “join” them in order to participate.

Thanks again!

Best,
yabai

I am new to cybersecurity. As I am starting hacking and going through a program on Bugcrowd, I just got stuck on this sentence:

Please add the following User Agent during the course of your testing: UA-BugBounty

Please, somebody give me an idea how to do this.
Thank you for the help.

Hello,

I’m new to bug bounty, I must learn many things, I just need your help to know if there’s a possibility of exploitation in a website based on these remarks:

Let’s start with naming our target: website*com and this is what I observed:

  • Signing in, registration and password reset are made in the main website
  • Once signed in, you are redirected to a subdomain hosted on amazon (not sure yet) where you have your dashboard (settings, credit card details etc…)

And this is where weird things started to happen:

1- Subdomain dashboard: In my account settings I can change my email address, and here’s what I did:

A - I created two accounts with different emails: mymail1@gmailcom and mymail2@gmailcom

B - I logged in with myemail1@gmailcom and went to settings to change the email address to myemail2@gmailcom, then I put the two email addresses in the same field separated by a “,”

myemail1@gmailcom,myemail2@gmailcom and saved changes :

Result =

  • Both emails received verification links.
  • Verification links are not the same; I wanted to verify the email of the account I wanted to take over but it says invalid token
  • Using this method (two emails in one field), both tokens are not valid even when I verify a legitimate account with its token.
  • My new username is showing: mymail1@gmail,mymail2@gmail
  • Tried this with Burp &email=mymail1@gmail.c*m&email=mymail2@gmail.com : Same result, both mails received verification url

It turned out that the email field is set to :

<input type="text" autocomplete="off" class="el-input__inner">

I also tried :

  • Random emails with special characters: This notification shows up in my dashboard: “Sent email verification to t^mp0$@nothing.com” or “Sent email verification to mail@.com”
  • I do not enter any email in the field and I click on “Send email verification”, I get this notification: “Sent email verification to”
  • I put many characters, let’s say 100, in the field, and the result shows the same notification, and the new data becomes my username but the email is not changed.
  • I sent a verification link to an existing email (but not registered on the site): I can receive a verification link to the email even when I’m not registered on the site.
    Can I register with the same email after? Yes
    Once I registered with the new email, can I use the previously sent verification link? No.
  • All I have to do is to request a new verification link

2- Main domain reset password:

  • Send password reset with empty email field. Result: Email ‘’ not found.

  • Send password reset with random email “randommail@email.com”. Result: Email ‘randommail@email.com’ not found

  • Send password reset with two random emails separated by “,”: “randommail1@email.com,randommail2@email.com”.

Result: Email ‘randommail1@email.com,randommail2@email.com’ not found

Other observations :

  • There’s a second subdomain where I can login with the same credentials to an empty dashboard (no settings, no fields to change, only a logout link).
  • Once you put your credit card details and save, all card details are visible, not masked.

My goal here is to see if there’s a possibility of an account takeover and of sending custom content using the website email address.

There’s something not right about this website. I know that I have to dig more and learn many things and it is what I’m doing and still, I’m just lost.

Please advise,

Thank you so much for your help.
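For comparison with the behaviour described in the post above, here is how the email-change and verification flow should look on the server side (added example, not the site's code and not from the thread): exactly one syntactically valid address is accepted, a comma-separated list, an empty value, `mail@.com` or `t^mp0$@nothing.com` never reaches the mailer or the username, and a token is bound to one account and one address and can be redeemed once. The class, method names and sample accounts are constructed for the demo.

```python
# Added example: strict email-change flow (one address, bound single-use token).
import re
import secrets
from typing import Dict, Optional, Tuple

# Conservative syntax check: one local part, one '@', a dotted domain. No commas,
# no shell-ish characters, no empty labels ('mail@.com' has an empty label).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def normalize_email(raw: str) -> Optional[str]:
    """Return one lower-cased address, or None if the input is not exactly one address."""
    value = raw.strip().lower()
    if not value or len(value) > 254 or "," in value or not EMAIL_RE.match(value):
        return None
    return value


class AccountService:
    def __init__(self) -> None:
        self.users: Dict[int, Dict[str, str]] = {}        # user_id -> {"email": ...}
        self.pending: Dict[str, Tuple[int, str]] = {}     # token -> (user_id, new_email)

    def request_email_change(self, user_id: int, raw: str) -> Optional[str]:
        """Validate, then issue a token bound to (user_id, new_email). The stored email
        is NOT touched here. Returns None (and sends nothing) on invalid input."""
        new_email = normalize_email(raw)
        if new_email is None or user_id not in self.users:
            return None
        token = secrets.token_urlsafe(32)               # unguessable, per request
        self.pending[token] = (user_id, new_email)
        return token                                     # would be mailed to new_email only

    def verify(self, user_id: int, token: str) -> bool:
        """Redeem a token: only the account it was issued for, and only once."""
        entry = self.pending.pop(token, None)            # pop => single use
        if entry is None or entry[0] != user_id:
            return False
        self.users[user_id]["email"] = entry[1]          # change applied only now
        return True
```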

If you use Burp Suite, you can set a Match and Replace rule that adds the header automatically to every request. Alternatively, you can use a browser extension such as User-Agent Switcher for Chrome.