Have a question? Ask it here in this thread!

First of all, remove all the doubts from your mind. Practice what you learn, read up on vulnerable labs, and try CTFs to get better at things. And don't worry about N/A. I had like 10 N/A before getting my first valid bug, but never submit a wrong report intentionally. Don't give up, keep pushing.

keep a screen recording of the bug.

Hi

I’m a relatively experienced software dev, thought I’d have a look at this bug hunting stuff despite not really knowing much about it from this side and in a few hours I’ve had quite a productive time, I felt.

  • One site with a subdomain showing a cert with a common name that doesn’t match (wasn’t expecting anything, but thought it community-minded to report)
  • Another site where I could set the marketing preferences of any user - literally by email address turn on or off all the marketing spam of any user
  • And an issue where after changing password I’d frequently (but not always) find myself logged in as a different user on a retail site with addresses, credit cards, etc listed

So how have three issues reported worked out?

-1 points!

The cert name mismatch wasn’t worth any money, so they didn’t care. The marketing preferences one was a duplicate they put down to being an issue with a third party that they won’t fix (I’m not buying it - I’m authenticated with them, making the request to them, and they’re passing anything on to the third party). And then the third was dismissed as not reproducible despite steps to reproduce and a video showing it happen with the third party’s details shown. They must be able to validate that data, see log files that verify it, etc - or does Bugcrowd triage these out before the company’s devs can view them?

I’m feeling a bit frustrated. I didn’t expect to find any issues in the first few hours so to find two reasonably serious ones and still end up down on points is somewhat painful. Is this normal?
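The marketing-preferences bug described above is an authorization failure: the handler is keyed by an email the caller supplies rather than by the identity established at login. As an added example, not code from the poster or from the site in question, here is a minimal handler with that flaw beside one that binds the account to the session. The account store, addresses and session object are constructed stand-ins.

```python
"""Who decides which account is modified: the session or the request body?

set_preferences_vulnerable checks only that *some* session exists and then
trusts an attacker-controlled email. set_preferences_hardened resolves the
account from the session and treats a mismatching body email as a probe.
"""
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when the caller may not act on the requested account."""


@dataclass
class Account:
    email: str
    marketing_opt_in: bool = True


@dataclass
class Session:
    # Identity established at login; the request body never overrides it.
    email: str


# Constructed user store standing in for the real database.
ACCOUNTS: Dict[str, Account] = {
    "alice@example.test": Account("alice@example.test"),
    "bob@example.test": Account("bob@example.test"),
}


def set_preferences_vulnerable(session: Optional[Session], body: dict) -> Account:
    # Authentication is checked, authorization is not: the target account
    # comes from the body, so any logged-in user can flip anyone's flag.
    if session is None:
        raise Forbidden("login required")
    acct = ACCOUNTS[body["email"]]
    acct.marketing_opt_in = bool(body["marketing_opt_in"])
    return acct


def set_preferences_hardened(session: Optional[Session], body: dict) -> Account:
    if session is None:
        raise Forbidden("login required")
    # The account is whatever the session says it is, nothing else.
    acct = ACCOUNTS[session.email]
    # Legacy clients may still send an email; it must agree with the session.
    # A mismatch is an authorization probe worth logging, never silently obeyed.
    if "email" in body and body["email"].lower() != session.email.lower():
        raise Forbidden("account in request does not match session identity")
    acct.marketing_opt_in = bool(body["marketing_opt_in"])
    return acct
```

The same rule generalizes to any "act on user X" endpoint: the identifier that selects the record must come from the server-side session (or be checked against it), and a request that names a different principal should be refused and logged rather than quietly redirected to the caller's own account.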

Hi,

Just wanted to ask, how long did it take everyone between when they first started looking for bugs on websites to finding their first bug and collecting their first bounty?

I’ve read web app hacking handbook and 101 and been doing this for a few weeks but still haven’t managed to find anything. I’ve been focused on one program currently and haven’t really found anything promising but I see other people submitting bugs for it occasionally.

Should I take a different approach and try more programs?

Thanks

Hey,

Welcome to the chaos of bug bounties. You’ve got a few use cases all in one go, and not all of them pleasant.

  • certificate errors - this is normal, and many programs exclude these as spam. This will also include missing HSTS headers, some verbose error pages and other ‘junk risk’ that any scanner will pick up - unless of course, you can provide a proof of concept to show how the sub-domain mismatch leads to something more serious in a vulnerability chain.

  • The ‘won’t fix’ is a common frustration. What’s worse is when they eventually fix it. If it’s a duplicate though, means someone else has logged it, so not much you can do about that.

  • The last one sounds quite serious and I’m surprised they can’t replicate it. If you feel the triager is having difficulty, I’d write to support@bugcrowd.com to escalate it, and they can get someone to look at it. The researcher success team is currently interested in cases where triagers can’t replicate bugs that they should be able to. I come across this a lot and I agree, definitely frustrating. If you can access other people’s info though, you’re definitely looking at a serious bug. I’d insist on resolving this one.

To answer your last question, yes unfortunately your experience is par for the course. Frustration, elation, arguments, but eventual goodness in there somewhere. :slight_smile:

I’d start with the ‘oldest’ programs, and pick ones with a ‘large’ scope (anything with *.domain) and focus on ones that give ‘points’ only or low payouts (in the hundreds, rather than thousands). Then work backwards. You have to accept that the default is that you won’t find bugs, but once you get better and practice you’ll know where to look and start finding more. You have to also find the right motivation - see it as a playground where you can play around with real sites to find bugs, rather than as an end to earn money (even if it is your eventual aim).

If you’re not finding anything on a single program, by all means branch out.
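Before reporting a "common name does not match" finding like the first one in the thread, it is worth checking the name the way a validator does: when the certificate carries a SubjectAltName extension, browsers ignore the CN entirely, so the host is only unmatched if no dNSName entry covers it. The following is an added example, not code from either poster, implementing the RFC 6125 matching rules (wildcard only as the whole leftmost label, matching exactly one label, CN consulted only when no SAN exists). The certificate names and hostnames used are constructed.

```python
"""Decide whether a certificate's names cover a hostname, browser-style.

Rules implemented (RFC 6125 / current browser behaviour):
  * only dNSName SAN entries are used when the SAN extension is present;
  * the CN is a fallback only for certificates with no SAN at all;
  * a wildcard must be the entire leftmost label, matches exactly one label,
    and may not sit directly under a public suffix such as "*.com";
  * IP-literal hostnames never match a dNSName.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _label_matches(pattern_label: str, host_label: str) -> bool:
    if pattern_label == "*":
        return host_label != ""
    if "*" in pattern_label:
        return False          # partial wildcards like "f*o" are rejected
    return pattern_label == host_label


def name_matches_host(pattern: str, hostname: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    if "*" in pattern:
        # wildcard permitted only as the whole leftmost label, and the name
        # must have at least three labels so "*.com" cannot match anything
        if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]) or len(p_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers_host(cert: CertNames, hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return False          # IP literals need an iPAddress SAN, not modelled here
    except ValueError:
        pass
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(name_matches_host(n, hostname) for n in names)


def classify_cn_report(cert: CertNames, hostname: str) -> str:
    """Triage a 'CN does not match' observation as a validator would see it."""
    san_ok = any(name_matches_host(n, hostname) for n in cert.san_dns)
    if san_ok:
        return "covered-by-san"   # CN is irrelevant; nothing to report
    if cert.san_dns:
        return "mismatch"         # SAN present, none matches: a real TLS error
    return "cn-only-match" if name_matches_host(cert.common_name, hostname) else "mismatch"
```

In practice, pull the SAN list with `openssl s_client -connect host:443 -servername host | openssl x509 -noout -ext subjectAltName` and feed it in; a result of `covered-by-san` means the browser warning you expected will not appear and the report will be closed as informational.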

Thanks a lot for the advice!

I guess it makes sense, and I also understand what you mean regarding the right motivation. However, regarding picking the oldest programs, wouldn’t that result in finding fewer bugs and more duplicates? Since they’ve probably been around for much longer and would have patched the easy-to-find ones?

It might seem counter-intuitive, but I find older programs have had many more ‘features’ added since they were released, so there’s lots of new functionality to check out and they haven’t necessarily been revisited by many researchers. Again, this is just me, but I’m looking back at the last dozen or so vulnerabilities and they are all older programs that were released over 6 months ago (and some years ago). That’s where the next piece of advice is useful - learn one or two programs really, really well, so you know when they’ve got new functionality, and follow their blogs just to see when stuff is released. That way you’ll be the first to pounce upon that new functionality and, hopefully, find some bugs.


Hello @Ackbar03, I completely agree with @ARKADA. Perfect example, I got a private invite for a program which launched in 2015. I was like, “Yeah, I’ll pass because there’s definitely nothing for a little n00b like me to find.” Well, turns out, I found a web-cache poisoning bug which they deemed as high and I got $500 for it. The bugs are there, you just have to remain motivated to find them. I couldn’t agree more when ARKADA mentioned that you should think of it like a playground and think of the payout secondary. That’s exactly what I’ve been thinking in my time so far. It helps so you’re not like, “Oh my gosh, I’m not finding anything, I’m just going to quit because I can’t find any bugs.” I honestly care more about the reputation and swag (I have a full-time job, so I am not hurting for money, but I most definitely don’t complain when I do get bounties), so I think that helps me to stay motivated and interested. Plus this is really stupid and maybe just me, but it’s really cool when you see an ad for a company that you were hacking on and you found a bug and helped them to resolve.


Thanks.

I did that and they referred it on and reopened it. I put a Cypress test on the report with a video of it reproducing the issue, and eventually they came back to say it was a duplicate and a won’t fix.

Apparently there’s a hash collision that happens only on their test system to a limited number of accounts and won’t happen on the live one. I’m off to bite my tongue!

I have nothing to say apart from this totally sucks. Unfortunately this is a business model issue whereby the customer gets too much say in the vulnerabilities… Other bug bounty platforms don’t necessarily work this way. What I would do is just avoid that program going forward… it’s too easy to say ‘oh, it doesn’t work like that in the live system’, since it’s just a way to weasel out of rewarding researchers.

Hello,
I am new to bug hunting. I have been studying lots lately and doing the Bugcrowd University labs, and I feel comfortable enough using Burp Suite and Kali Linux. I just have a few questions about safety. I do not have a VPN service; can I test on the allowed websites without this, and should I set up proxychains in Kali Linux to hide my IP? It would be great if I could get a reply so I can start real testing.

Noob question ALERT! When we go on GitHub, how do I know what I need to find? For example, let’s say I need a tool that I don’t know I need, and that tool is on GitHub, but how would I know that I need that tool (if that made sense)? For example, there might be a problem I’m facing when hacking “a”, but I’m out of resources, so how would I know what tool to get on GitHub? Also, all these applications I’m very interested in learning, though I don’t know how to execute their commands and I don’t know EXACTLY what each application is used for; would I have to research each individual application?

So you have a few circular questions but I think I know what you mean. A lot of learning about what toolsets will be from practice and just learning different applications. A lot of tools now are integrated into Kali Linux so I’d start there, and if you’re not sure what each one does just go through the menu and also just read the help or man file for the program in question to get a bit more info. ‘Searchsploit’ in Kali Linux is good to see if any exploits exist for particular software or application, and may or may not be relevant to what you’re looking at.
Going back to GitHub, to give a few examples: if you’re too lazy to write your own code, you can leverage it to see if someone has written something similar. For example, once there was a CRC-128 checksum that I was trying to fuzz, so I just ended up searching for ‘CRC-128’ on GitHub and found a few cool scripts that did what I wanted. It’s also a good resource for scanners which deal with specific vulnerabilities, in which case you can search by the CVE code or the issue. For example, if you run into an IIS 7.5 server and you search ‘IIS scanner’ on GitHub, you’ll end up finding the excellent IIS short name scanner (example here), and you’ll usually find some information disclosure that sits at the P3-P4 level depending on what’s disclosed.
Hope that helps steer your questions.


I’m taking an ethical hacker course, is that a good start?

It’s a start, but honestly you don’t need them anymore. If you just go through bugcrowd university, go to Hacker101.com then sign up to ‘hackthebox.eu’ and go through individual youtube tutorials (pentester academy is a good one) that will be plenty to get you started - after that it’s all a matter of practice.


Hi,
While I was doing SQL injection with this command: ‘||utl_http.request||’
After executing this, the response becomes weird. To every character there is an addition of the code character.
Can anybody please help me understand what this is?

I see many references to particular programming languages when I look over bug bounty materials and tutorials. I understand that one doesn’t have to master any particular language to get started in hunting for bugs, but it seems that familiarity with programming concepts and logic is important (as well as being able to read some code). With that said, what are the top 3 languages that would be most helpful to understand well to make strides towards becoming a better bug hunter?

In no particular order:
Python (helps with loads of stuff)
Any other scripting language (bash, powershell, etc.)
JavaScript
A ‘web’ language of your choice: PHP, Java, C#

Hi guys,

From the position where this post is found, you can probably tell that I am new to this whole Bug-Bounty-Thing. I’m hoping that somebody can help me with a problem I ran into.

While searching for my very first vulnerability, I stumbled across an upload function for a picture that allowed me - after a little tweaking - to upload a PHP backdoor shell I created via Metasploit. The problem is this: after the server saves the file, it only allows access to it via DELETE requests (HTTP 405 otherwise). So I get the malicious file saved on the target server, but I cannot access it afterwards to open a Meterpreter session.

Does anybody have an idea if there could still be a viable vulnerability here? Like, maybe it’s possible to upload code that doesn’t have to be directly accessed by me, or maybe there is a way around the HTTP header limitation? I didn’t manage to find anything about that until now.

If there should be no way to follow up with this vulnerability, should I still report the way I found around the upload-filter, even though I couldn’t escalate this any further?

On a side note - when I managed to upload the PHP shell and thought I had found my very first vulnerability, I was literally trembling with excitement. This was already such an awesome experience, I’m really, really looking forward to finding my first real vulnerability.

Also, this community has been damn helpful and nice so far; thank you all for helping us newcomers.

Cheers!
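For the upload question above, the following is an added example (not the poster's code and not the target site's) of the class of filter that a filename or Content-Type trick typically gets past, beside a version that decides from the file's own bytes and never lets the client choose the stored name. Filenames, MIME types and payload bytes are constructed; the magic-number table covers only the three image formats the example accepts.

```python
"""An upload filter that trusts client metadata, beside one that does not.

accept_upload_weak accepts any file whose *declared* Content-Type is an image
and stores it under the client's filename, so "shell.php" sent with
"image/png" lands on disk as shell.php. accept_upload_hardened sniffs the
type from the leading bytes, requires it to agree with the declared type,
refuses names carrying a script extension anywhere, and stores the file
under a random server-generated name whose extension comes from the sniffed
type rather than from the client.
"""
import os
import secrets
from typing import Optional

ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
IMAGE_SUFFIXES = {"png", "jpg", "jpeg", "gif"}
SCRIPT_SUFFIXES = {"php", "php3", "php5", "phtml", "phar", "jsp", "asp", "aspx", "cgi", "pl"}

# Leading bytes of the formats we accept (constructed lookup, not exhaustive).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def accept_upload_weak(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return the storage name, or None if rejected. Trusts the client."""
    if content_type not in ALLOWED:
        return None
    return filename  # client-controlled name and extension reach the disk


def sniff_image_type(data: bytes) -> Optional[str]:
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def accept_upload_hardened(filename: str, content_type: str, data: bytes,
                           max_bytes: int = 5 * 1024 * 1024) -> Optional[str]:
    """Return a server-chosen storage name, or None if rejected."""
    if not data or len(data) > max_bytes:
        return None
    real_type = sniff_image_type(data)
    # Declared and sniffed types must agree; a disagreement is rejected,
    # never "corrected", because that is exactly where smuggling happens.
    if real_type is None or real_type != content_type:
        return None
    # Inspect every dotted suffix so shell.php.jpg and shell.jpg.php both fail.
    suffixes = [s.lower() for s in os.path.basename(filename).split(".")[1:]]
    if not suffixes or suffixes[-1] not in IMAGE_SUFFIXES:
        return None
    if any(s in SCRIPT_SUFFIXES for s in suffixes):
        return None
    # The client's name is discarded; extension follows the sniffed type.
    return secrets.token_hex(16) + ALLOWED[real_type]
```

Two caveats the test below makes visible: a polyglot (valid JPEG header followed by PHP source) still passes the byte sniff, so the hardened path relies on the random name, the image extension and, in deployment, an upload directory with script execution disabled; re-encoding the image server-side would remove the payload outright. The strict type equality also rejects legacy clients that send `image/jpg`, which is the intended trade-off here.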