Hello friends, I am a beginner too and I had almost the same questions you have. As a beginner I don’t have a lot of Rep or Kudos but I want to give my 2 cents to help someone like me.
You should read “The Web Application Hacker’s Handbook 2nd Edition”, and you can download the nice book by Peter Yaworski, available for free at https://hackerone.com/resources/web-hacking-101 (if you are registered). Another option is to frequently visit hxxp :// hackerone . com /hacktivity or http://h1.nobbd.de, where you can find a lot of limited-information or totally open reports. With those resources your eyes will be opened and you’ll get the idea that there are a lot of interesting types of vulnerabilities and how to approach them.
Another suggestion I could give is that you should learn to use at least the basic Burp Suite features (Repeater, Intruder, Decoder, Spider, in no particular order) if you can’t yet afford to buy the BS Pro version, or another proxy software you feel comfortable with, because if you come (like me) from shooting at targets having SQLi or XSS found by Google dorks, when you find targets like Instacart it’s tedious to shoot XSS payloads directly in the website URL. I think Burp Repeater might help if you have some XSS payloads and shoot them from there; in the side window you can see if your payload fired the pop-up you are waiting for (the response time, I guess, is faster).
Once you’ve acquired some experience and your knowledge has increased, maybe you will look for a methodology; the Jason Haddix methodology at this link, hxxps :// github . com /jhaddix/tbhm, is good, I think (I stumbled on that resource yesterday while reading a Twitter timeline).
I don’t know if Instacart has a private or public program on BugCrowd too, but if you know about them from HackerOne, keep reading the open reports they offer on that platform (since this initial question, 8 months ago, Sep/16, a hacker found an XSS at Instacart in Jan/17 and another hacker found a bypass at the same company on May 11th, 17).
This morning I was reading open reports and saw one from Instacart, where a hacker found an XSS (hxxps :// hackerone . com / reports/196221) and around 5 months later another hacker found a bypass for the fix implemented in the same URL (hxxps :// hackerone . com /reports/227809).
There’s a lot of good information in HackerOne reports. Personally, in the BugCrowd Forum I see low participation (8 months without a helpful answer) from experienced hackers, or maybe there’s not enough time to answer such basic questions as this. Maybe the success of HackerOne is the open reports that beginners like us can find.
Good luck, try harder and happy hacking!
PS.
“Sorry, new users can only put 2 links”. Why limit new users? Those are really weird policies, but I think they are useful for someone. It is appreciated that you are sorry for new users about that limitation.