Have a question? Ask it here in this thread!

Congratulations!
Are you asking about the W-8 BEN form?

Hi @Pmoc.

Usually, the programs mention something about that in their description, but I wouldn’t worry about it. I think AWS and Google Cloud have some kind of terms about pentesting, but I guess it can be summarized as: don’t be evil. You can google those terms to be sure if you want, but I wouldn’t worry about it unless you have 100 servers running some kind of automated pentesting.

Were you able to do it?

Hello everyone

I wanted to write this text in the bio of my Bugcrowd account, but I quickly realized that it is too long. First of all, my English skills are not the best. I am glad to become part of this community.

I hope this post is not out of place here

For some time now I have been on the path to further educate myself in the field of cybersecurity and to acquire in-depth knowledge. First I learned on my own. Now I also work in IT.
I originally come from the forestry industry.

Goal:

  • to be allowed to wear the title “hacker” honestly and truly, which I make dependent on my GOOD deeds in cyberspace.
  • Gain a stable and promising job or self-employment in the IT industry.
  • Acquire knowledge, learn, learn and learn again and apply it at the same time. GET HANDS ON!!!
  • Networking. I want to make “real” friends to enrich each other’s knowledge, to complement each other and to solve problems together. There is no such thing as can’t!
  • I want to obtain a title, a diploma, which will make me an “expert” in my country, or let’s say I will be allowed to include the word “expert” in the title of my profession.
  • I want to enjoy the work.
  • take up projects. Support projects.

and last but not least, to earn as much money as possible and build a house for my family. Achieve financial independence.

Projects:

  • “De-Googlization”
  • GraphOS setup on various devices.

  • Expansion of GPS, microphones and all cameras.

  • Avoid any part of Google as much as possible.

  • Change my daily-use OS from Windows to Linux. Target: QubesOS

And more…

Learning objectives:
The goals mentioned here give me a way to take a SMART approach.

  • Learn and understand the basics.
  • Especially in the network and server area.
  • Learn Linux Fundamentals (Goal: Understand and use Linux Essentials Exam 010 and HTB LinuxFundamentals and more).
  • Learn the scripting language Bash to be able to create my own script tools under Linux.
  • Learn about the various tools, tactics, techniques and procedures that come along.
  • (I’m interested in, but don’t prioritize, learning various programming languages like PowerShell and C, etc.)

I am a strong advocate of privacy on the Internet and general “security” in the digital space. The transparency from producer to user is very important to me.

I am open for any kind of suggestions, talks, discussions and criticism.

Hi,
how should I handle a situation where building and especially running a PoC for a given bug would violate the code of conduct for a given program, yet it is marked as non-applicable and “theoretical” because I didn’t build a PoC? I feel mocked.

Your English skills are great. Those are some awesome goals to have! I look forward to seeing your progress.

Hey all, I hope you’re having a great week!

Hi,

Greetings. I need help regarding a password reset link modification bug.

If an attacker is able to modify some part of the password reset link, what would be the impact, or how could an attacker exploit it?

For example target.com/Modified-Part/?email=test@eamil.com&token=xxxx

Here, attacker can modify the “Modified-Part”

Thanks in advance

Hi everyone,

I discovered web application testing mid 2020 and after 18 months puzzling on ctf and various online challenges, I decided to start bug bounties a few months ago.

I have a few questions about things you allow yourself to do or not when testing a website.
The following may seem strange, but someone may have some good advice/opinions:

  • Question #1: up to now, I have started on VDP programs with a vast scope and a lot of different websites (fws, monash for instance). Some applications have local credentials. Do you use the available forms to get credentials, or do you ask support teams for creds? My fear is to face some people who do not even know they are part of a bug bounty (very local teams, for instance, included in bigger organizations). For the moment, I limit myself to publicly accessible information, but it is very limited.

  • Question #2: do you have specific elements that let webmasters know that you are testing in the frame of a bug bounty program? For instance, I have seen some programs asking to add an element to the user agent.

  • Question #3: do you limit yourself in terms of the tools you use (except tools declared out of scope in the program)? I think about nmap, which may be seen as an intrusive tool, or the ZAP scanner. I also think about using very long word lists or very high rates on fuzzing tools.

  • Question #4: does it really matter to you whether you work on a safe harbour program or not? Is it really risky if the program does not have this mention?

Thank you in advance for your time.

Your questions are excellent!

It’s really nice to see that someone is interested in discussing some important topics, some which rarely get discussed at all.

I’ll weigh in with some of my thoughts, question by question…

Question #1:
IME, most programs either direct the researcher to make a low number of user accounts for testing access control, usually using your Bugcrowd email address, adding a digit after the username portion of the address and incrementing upward for each additional address, OR

they will require you to download supplied credentials that are intended for use by researchers only.

In either case, the permissions granted should generally be at the user level.
It doesn’t make a lot of sense for a researcher to be granted elevated privileges, as the security team usually wants to see what a normal user is able to do.
I suspect that somewhat elevated privileges are sometimes granted in invite-only programs.

Question #2:
Yes.
I will add an X header like:
X-Bugcrowd-ID:

Question #3
This is the big one that doesn’t get discussed enough!

From reading many program briefs and also thinking about this issue from the perspective of the SOC / blue-team, I am kind of reluctant to employ some of these tools that I consider to be very “noisy”.

The concept of thousands of researchers, often running the same tools (that generate sometimes thousands of requests per second) and receiving the same results, is the epitome of inefficiency and redundancy!

Imagine trying to manage a back-end in this situation.

Here’s where I’m conflicted:

On one hand, I feel it’s the “right thing to do” to rate-limit the requests generated by my tools and on the other hand…

What do the “Hall of Famers” do?

I suspect that many either only slightly rate-limit their requests or not at all, and when they inevitably get IP-blocked, they just get a new IP issued and continue.

The question is - how to balance being a considerate researcher while still remaining competitive in the bug bounty space?

I’d love to hear what others think about this issue in particular.

Question #4:
While “Safe Harbor” is a nice gesture that indicates that the issuing company may have a clue, it is clearly not a legally binding document.

Having said that, I think for the most part, if a researcher conducts themselves in a manner that shows that they’re capable of following the guidelines of the program brief, is able to stay in scope, isn’t spamming contact forms etc. and is genuinely trying to be useful, there shouldn’t be much to worry about.

Still…it’s a weird grey area that sometimes concerns me.

Hope this wasn’t too long of a read!
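The two practices from the answer above, the identifying `X-Bugcrowd-ID` header (Question #2) and rate-limiting your own tooling (Question #3), can be built into one small client. This is an added example, not code from the thread or from Bugcrowd: the researcher identifier, the User-Agent suffix and the rate values are assumptions, and the clock and sender are injectable so the demo at the bottom runs offline without real waiting.

```python
"""Self-identifying, rate-limited HTTP client for bug bounty testing.

Added example, not from the original thread. X-Bugcrowd-ID follows the
reply above; the UA suffix, identifier and rates are assumptions.
"""
import time
import urllib.request

DEFAULT_UA = "Mozilla/5.0 (compatible)"


def researcher_headers(researcher_id, base_user_agent=DEFAULT_UA):
    """Headers that let a SOC attribute the traffic to one researcher.

    Some briefs ask for a User-Agent marker, others for a custom header;
    sending both costs nothing.
    """
    return {
        "User-Agent": f"{base_user_agent} bugcrowd-researcher/{researcher_id}",
        "X-Bugcrowd-ID": researcher_id,
    }


class TokenBucket:
    """Token bucket: sustained `rate` requests/second, at most `burst` back to back."""

    def __init__(self, rate, burst, clock=time.monotonic, sleep=time.sleep):
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate, self.burst = float(rate), float(burst)
        self._clock, self._sleep = clock, sleep
        self._tokens, self._last = self.burst, clock()

    def _refill(self):
        now = self._clock()
        self._tokens = min(self.burst, self._tokens + (now - self._last) * self.rate)
        self._last = now

    def acquire(self):
        """Block until one token is available; return the seconds waited."""
        self._refill()
        waited = 0.0
        if self._tokens < 1.0:
            waited = (1.0 - self._tokens) / self.rate
            self._sleep(waited)
            self._refill()          # re-read the clock: real sleep may overshoot
        self._tokens -= 1.0
        return waited


def _urllib_send(url, headers):
    """Default sender (assumed API: returns (status, body))."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class ThrottledClient:
    """Every request passes the bucket and carries the identifying headers."""

    def __init__(self, researcher_id, rate=2.0, burst=5, send=None,
                 clock=time.monotonic, sleep=time.sleep):
        self.headers = researcher_headers(researcher_id)
        self.bucket = TokenBucket(rate, burst, clock=clock, sleep=sleep)
        self._send = send or _urllib_send
        self.total_wait = 0.0

    def get(self, url, extra_headers=None):
        self.total_wait += self.bucket.acquire()
        headers = dict(self.headers, **(extra_headers or {}))
        return self._send(url, headers)


class FakeClock:
    """Deterministic clock for the demo: sleeping advances it instantly."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(requests=8, rate=2.0, burst=5):
    """Constructed run: returns the per-request wait in seconds (no network)."""
    clock = FakeClock()
    client = ThrottledClient("researcher@example.com", rate=rate, burst=burst,
                             send=lambda url, headers: (200, headers),
                             clock=clock.now, sleep=clock.sleep)
    waits = []
    for i in range(requests):
        before = client.total_wait
        client.get(f"https://target.example/page/{i}")   # hypothetical target
        waits.append(client.total_wait - before)
    return waits


if __name__ == "__main__":
    print(demo())   # first 5 go at once (burst), then one every 0.5 s at rate 2/s
```

Swap `demo()`'s fake sender for the default and drop the fake clock to use it for real; the bucket then sleeps with `time.sleep`, so a wordlist run settles at the configured rate instead of whatever the fuzzer can push.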

Thank you for your answer. It helps a lot.

Generally speaking, I always wonder if operational teams are aware of their domain being part of a bug bounty program, especially for institutional domains.

For instance, in one of the program I worked on, there is a single site (among hundreds) with a very local login form. The registration process is to send an email to a “local” admin to have credentials.

I fear a lot of questions in case I send an email saying ‘hello, can you provide me a login/password to try to hack your website?’. Have you met this kind of situation? Do you hesitate in this case?

On the other hand, limiting the test to publicly available pages will provide less significant results. In the end, both they and I would have fewer results.

I just would like to have your feedback concerning what you usually do.

Thanks,

> I fear a lot of questions in case I send an email saying ‘hello, can you provide me a login/password to try to hack your website?’. Have you met this kind of situation? Do you hesitate in this case?

I’ve only done work on public programs but AFAIK, you should direct your questions to the BC team and not contact the target company directly.

In a case where an email requesting creds is manually processed, just stick to the process like a normal user unless specified otherwise. There is no need to mention that you’re testing. Really, all this should be addressed in the program brief. Some briefs are definitely written better than others.

Hey, one question!

It’s my first time on bug bounty platforms, and I would like to know whether, to perform pentesting against the companies published here, it’s necessary to give them my public IP address or to advise them in some way, like in a traditional pentest.

Or, on the other hand, whether I can perform tests without any legal penalty.

Thanks in advance.

How do I find someone’s website admin login URL?

On a WordPress site, a couple of things you could try: /wp-login.php, /login.php, /dashboard

I hope this helps!

Thank you, but the owner used something strong. These addresses are not working there.

https://kinsta.com/blog/wordpress-login-url/#how-to-find-wordpress-login-url

Here’s a nice helpful article. Another thing it suggests is to see if the login page has been put in a subdirectory, e.g.
/wordpress/wp-login.php, /wordpress/login, /wordpress/admin, /wordpress/dashboard,

or perhaps:
/wp/wp-login.php, /wp/login, /wp/admin, /wp/dashboard


Another thing you could try to help you understand the layout of the site is to gather as much info as you possibly can to figure out what services it’s running…
Look at the HTML source, read the /robots.txt file and /sitemap.xml. Where are the site’s images coming from? Another subdirectory of the local site, or an external content delivery system? (e.g. static.wixstatic.com/media tells you that this site was likely made with Wix.)

The more you understand the website, the more likely you are to find a potential attack vector!
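The recon steps from the two replies above (try the known login paths, check for a subdirectory install, read robots.txt, look at where the assets come from) can be scripted. This is an added example, not code from the thread or from the linked article: the fetcher is injectable so the demo at the bottom runs offline against a constructed fake WordPress site; `example.test` and the fake pages are not real hosts. Only probe sites you are authorized to test.

```python
"""Locate a CMS login page from what the site already exposes.

Added example, not from the original thread. Fingerprints the platform
from asset URLs, reads robots.txt, builds login candidates (including the
subdirectory-install case) and probes them. `fetch` is injectable.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Login locations from the replies above, relative to the install root.
LOGIN_SUFFIXES = ["wp-login.php", "login.php", "login", "admin", "dashboard", "wp-admin/"]
ASSET_RX = re.compile(r'(?:src|href)=["\']([^"\']+)', re.I)
PASSWORD_FIELD_RX = re.compile(r'<input[^>]+type=["\']?password', re.I)


def fingerprint(html, base_url):
    """Guess the platform and the WordPress install root(s) from asset URLs."""
    platforms, roots = set(), set()
    site = urlparse(base_url).netloc
    for ref in ASSET_RX.findall(html):
        parsed = urlparse(urljoin(base_url, ref))
        if parsed.netloc.endswith("wixstatic.com"):
            platforms.add("wix")
        m = re.match(r"(.*/)wp-(?:content|includes)/", parsed.path)
        if m:
            platforms.add("wordpress")
            if parsed.netloc == site:      # same host: the path reveals the install root
                roots.add(m.group(1))
    return platforms, roots


def robots_paths(robots_txt):
    """Disallow/Allow lines frequently enumerate the admin area."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?:dis)?allow\s*:\s*(\S+)", line, re.I)
        if m and m.group(1) != "/":
            paths.append(m.group(1))
    return paths


def candidate_logins(roots, robots):
    """Ordered, de-duplicated paths worth one request each."""
    cands = [root + s for root in sorted({"/"} | set(roots)) for s in LOGIN_SUFFIXES]
    cands += [p.rstrip("*$") for p in robots if re.search(r"login|admin|wp-", p, re.I)]
    return list(dict.fromkeys(cands))


def find_login(base_url, fetch):
    """fetch(url) -> (status, body). Returns a recon summary and pages with a password field."""
    _, html = fetch(base_url)
    platforms, roots = fingerprint(html, base_url)
    rstatus, robots = fetch(urljoin(base_url, "/robots.txt"))
    rpaths = robots_paths(robots) if rstatus == 200 else []
    candidates = candidate_logins(roots, rpaths)
    hits = []
    for path in candidates:
        url = urljoin(base_url, path)
        status, body = fetch(url)
        if status == 200 and PASSWORD_FIELD_RX.search(body):
            hits.append(url)
    return {"platforms": sorted(platforms), "roots": sorted(roots),
            "robots_paths": rpaths, "tried": len(candidates), "login_pages": hits}


def _urllib_fetch(url):
    """Default fetcher; returns the HTTP status even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "login-recon-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


# Constructed fake site (not a real host): WordPress installed under /wordpress/.
FAKE_SITE = {
    "/": (200, '<html><head><link rel="stylesheet" href="/wordpress/wp-content/themes/demo/style.css">'
               '</head><body><img src="/wordpress/wp-content/uploads/logo.png"></body></html>'),
    "/robots.txt": (200, "User-agent: *\nDisallow: /wordpress/wp-admin/\n"
                         "Allow: /wordpress/wp-admin/admin-ajax.php\n"),
    "/wordpress/wp-login.php": (200, '<form><input type="text" name="log">'
                                     '<input type="password" name="pwd"></form>'),
    "/wordpress/wp-admin/": (302, ""),
}


def fake_fetch(url):
    return FAKE_SITE.get(urlparse(url).path or "/", (404, ""))


def demo():
    return find_login("https://example.test", fake_fetch)


if __name__ == "__main__":
    import json, sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(find_login(target, _urllib_fetch) if target else demo(), indent=2))
```

Against the fake site the default /wp-login.php and /login.php miss, the stylesheet path gives away the /wordpress/ install root, and /wordpress/wp-login.php is the only candidate that answers 200 with a password field; robots.txt adds the wp-admin paths as extra candidates. Pass a URL as the first argument to run it against a real, in-scope target.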

The robots.txt file is off for the login page, and the other info is not working! Can you please check “abdullahaljaberDotcom”?

Or what do you think about trying Kali Linux? Any idea?

Hi,

Are C and Python good to start learning to find bugs and make your own tools?