Hi, i got into bug bounty some months back and i have been having problems finding bugs, i have watched video tutorials on hacker101, i tried reading the books, but i dont understand it when i read and am not getting the video, and i really dont want to stop it, i dont know what to as i am confused and tired, i dont know if this is appropriate but please can i find someone who can teach me personally, please am begging you guys
hay i have a problem.how to access denied website.
If you want people to help you, you should provide more details. First of all, it’s not really clear what you’re asking. Second, there is no one way to bypass access control (imagine if there was…). If you’re looking for 403 bypass techniques, use Google/Twitter. Only ask a question here when you have something specific you need help with.
Learning hacking takes years. Mastering it takes more years than we have in a lifetime. If you’re having trouble understanding things, maybe take a step back and try understanding the web technologies first. If you understand the web works, web hacking will be far more intuitive.
1 Like
Hello! Will appreciate some ideas. There is a site where one can enter error codes for Azure AD (e.g. AADSTS50000) and get their description (couple of text lines). One field for the error code input and a submit button. Nothing else.
Here’s the page source - nothing special:
}</style></head><form action="/error" method="post">
<label>Error Code: </label> <input type="text" name="code" placeholder="Code.."><br>
<input type="submit" value="Submit">
</form></body>
But, if the input is like “<?” or some othe similar combination, the MS Azure login page with an error is presented - see below.
It looks like an injection is possible into some API call performed with some credentials by the application to Azure, where “<?” sequence breaks the authentication. What could be the injection path and method here?
Thanks
I can’t use my bugcrowd ninja email. how to use it? I tried using myusername@bugcrowdninja.com
But did not work. What can i do now? please help
This explains why I could not find a way to post a message 
Thank you for making this option available.
I have a set of AWS credentials (aws_access_key_id, aws_secret_access_key and aws_session_token) and I am trying to figure out if it has any interesting privileges.
aws iam list-roles
aws iam list-users
aws iam list-groups
and a couple of other attempts all return similar AccessDenied errors. Here is one for list-roles
An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:sts::xxxxx:assumed-role/xxxx/xxxxx is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::xxxxxxx:role/
I was wondering if there is a tool/script that can do a comprehensive check
Hi all,
I’m new here so I hope I’m asking in the right place. I’ll keep it short and simple!
On this lab, we can use the payload in the URL:
But, on Google’s firing range, the same payload gets encoded to:
%3Cimg%20src=1%20onerror=alert(document.domain)%3E
What’s the difference? (I thought modern browsers encoded all tags. Is this a server setting?)
Thanks,
- Dan
I am trying xss on a program and “<>” and “()” are blocked and displays 403 forbidden. Is there any solution to bypass it???
i was doing a portscanning on a website, and found an open port 8000 with http-alt. When i visited the website thrrough this port i got the login page of panasonic network disk recorder wj-nv200. I have tried all the default credentilas and failed, and i also failed to get any cve in google or any vulnerabilities. while googling i found that the last update of this device was 2017. can anybody help me?
Can we do intercept/testing of android apps using burpsuite? i am not asking for web applications i am asking for android apps? if not then which tool to be use for intercepting android apps?
I just wanted to say that Python is power!
I submitted my tax form but it rejected because I don’t have last name in my documents so what I can do to complete this process. I emailed alot of times to support@bugcrowd but no reply.
Hey guys, I am new to bug bounty. I was able to identify some low impact bugs on a program. When I reported I found out those bugs were already found nearly a year ago. Those bugs were pretty low impact and very easy to solve. Why don’t companies solve those low impact bugs ? Isn’t it waste of everybodies time?
1 Like
Hi everyone! I got invite to my first bug bounty and I do not know how to go about getting started. I read the details of the invitation but I am lost on what to do next. Can someone offer some guidance please? Thanks in advance. Nice to meet you all virtual 
Hey everyone!
Just came to see y’all 
Hey everyone!
I’m looking to get into Bug Bounty Hunting but have a somewhat legal question, maybe someone has an idea about this?
Say I join a Bug Bounty program of company XYZ and discover that they use AWS and Google for their web and email servers.
In my current pentesting course, I learned that in such a case we would not only need the written consent from company XYZ but also from AWS and Google, since we are testing their infrastructure as well.
How do I deal with this when it comes to Bug Bounty programs? Can I assume that Bugcrows/the companies will contact their hosters, or should I contact them myself in some way?
Hi thanks for having me.
Hello 
Beginner question here - I’ve been hunting for IDORs using the BurpSuite add-on Autorize. I started by creating two accounts for the website I’m targeting. I logged in to both accounts and took the cookie from account 2 and pasted it into Autorize as a temporary header. Then after some poking around using account 1, I found that when I uploaded a file on this website (more specifically I uploaded a file to my user profile where only the logged in user should be able to upload), it uploaded 3 files - one from my original POST request (account #1), one from the modified request (account #1 with account #2’s cookie), and the unauthenticated request.
From my base level of understanding, it seems as though I may have found an IDOR. My problem is I am not sure what my next steps should be. Are the file uploads proof of a bug in this case? Or do I need to further validate this? If so, what can I do to validate?
Any help would be much appreciated!
I was lucky enough to find a P1 bug first go.
Trying to figure out how to get my tax form …. Anyone know how to do it for non residents?