New - Learned Things - No Bounties Yet

New here… spent a month on a program just trying things. As a result, I submitted two reports, one was a duplicate and one was interesting but not entirely exploitable so no luck. What would be your next steps? (Try another program, or keep digging? Focus more on a particular exploit?)

  1. Did some recon, did google dorking, portscanning, WAF detection, determined some technologies being used like Adobe Experience Manager, etc…

  2. Looked for SQLi chucking payloads using Burp… mostly rejected by WAF

  3. Decided to focus on Authorization… learned how the mechanism worked, explored session cookies, password params that were encoded, JWT tokens, tried to look for patterns or predictable tokens or padding oracle type of exploit but no luck.

  4. Focused next on sessions, JWT tokens were not crackable, looked at remember me and other session related cookies but didn’t find any way to exploit.

  5. Shifted to specifically focus on access of PII by requesting user information. Was able to identify a user enumeration method to get valid account numbers and submitted a report… it was a duplicate.

  6. Along with the PII work, identified some JSON tokens that never expired. The tokens worked in combination with a logged-in user cookie/session. I reported that they didn’t expire; the response was that they were not exploitable without the user credentials/cookie. Tested numerous endpoints for exploitation of this non-expiring JSON token but none worked without the appropriate user also being logged in and submitting the token.

  7. Next I got interested in DOM XSS and followed the approach from TomNomNom on using Chrome dev tools to look for JavaScript sinks and user input into JavaScript, but no luck.

  8. Tried to replace JSON parameters in various requests with XML to explore for XXE… no luck… got invalid JSON or internal server error.

  9. Tried for path traversals, none found.

  10. Tried messing with some URL redirects that were passed as query string arguments. Came up against a whitelist or regex filter that required https://target domain, and attempts to hack resulted mostly in browser errors, invalid redirect.

  11. Tried chucking a bunch of XSS payloads in any parameters I could find using Burp, almost entirely blocked by WAF.

I learned a lot but am also a bit frustrated that I didn’t find anything. Any tips/advice or recommendations?

Thanks

Continue trying to find something and continue learning. You actually tried and learned many things, which is a good thing. Imagine if you did the same for an entire year, how much you would learn, improve your skills and hopefully earn.

I understand the frustration. But if it were easy to find a bug, everyone would be doing it.
Happy 2022!

Thanks. Lately I started focusing on DOM XSS because I have a programming background. Found plenty of ‘sinks’ in JavaScript that will pop an alert when manipulated in the console, but no sources that seem to lead to sinks.
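The sink-hunting described in step 7 of the original post and in the reply above stops at exactly the point that matters for a defender too: a sink is only a DOM XSS finding if a value an outsider controls actually reaches it. The following is an added example, not code from the thread or from any tool named in it. It is a small heuristic, line-based audit script for a developer's own JavaScript: it tracks variables assigned from well-known DOM sources (`location.hash`, `location.search`, `document.referrer`, `window.name`, …) and reports only those sinks (`innerHTML`, `document.write`, `eval`, `insertAdjacentHTML`) whose argument is a source or a tainted variable. The source/sink lists and the `SAMPLE` snippet are constructed for the example; a real audit would use a proper parser, but the source-to-sink idea is the same.

```javascript
// Added example: a minimal source-to-sink flow finder for JavaScript snippets.
// Heuristic and line-based (no real parser): it tracks variables assigned from
// known DOM XSS sources and flags sinks that receive a source directly or via
// such a variable. Clean sinks (no tainted input) are deliberately not reported.

// Constructed lists for the example; extend them to match your own code base.
const SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.referrer', 'window.name', 'document.cookie',
];
const PROPERTY_SINKS = ['innerHTML', 'outerHTML'];
const CALL_SINKS = ['document.write', 'document.writeln', 'eval', 'insertAdjacentHTML'];

function findSourceToSinkFlows(code) {
  const tainted = new Set();   // variable names currently holding source-derived data
  const flows = [];

  // An expression is tainted if it mentions a source or a tainted variable.
  const isTainted = (expr) =>
    SOURCES.some((s) => expr.includes(s)) ||
    expr.split(/[^\w$]+/).some((tok) => tainted.has(tok));

  code.split('\n').forEach((rawLine, i) => {
    const line = rawLine.trim();
    const lineNo = i + 1;

    // 1. Plain assignments: `var x = <expr>` / `x = <expr>` (not `a.b = ...`).
    const assign = line.match(/^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?$/);
    if (assign) {
      const [, name, rhs] = assign;
      if (isTainted(rhs)) tainted.add(name);
      else tainted.delete(name);   // reassignment from a clean value untaints
    }

    // 2. Property sinks: `el.innerHTML = <expr>`.
    const prop = line.match(new RegExp(`\\.(${PROPERTY_SINKS.join('|')})\\s*=(?!=)\\s*(.+?);?$`));
    if (prop && isTainted(prop[2])) {
      flows.push({ line: lineNo, sink: prop[1], expr: prop[2] });
    }

    // 3. Call sinks: `document.write(<args>)`, `eval(<args>)`, `el.insertAdjacentHTML(pos, <args>)`.
    for (const sink of CALL_SINKS) {
      const m = line.match(new RegExp(`(?:^|[^\\w$])${sink.replace(/\./g, '\\.')}\\(`));
      if (!m) continue;
      const start = m.index + m[0].length;
      const end = line.lastIndexOf(')');
      if (end <= start) continue;
      const args = line.slice(start, end);
      if (isTainted(args)) flows.push({ line: lineNo, sink, expr: args });
    }
  });

  return flows;
}

// Constructed sample page script: two real source-to-sink flows (lines 4 and 7)
// and two sinks that only ever receive a constant (lines 5 and 8).
const SAMPLE = `
var greeting = decodeURIComponent(location.hash.slice(1));
var safeText = "Welcome back";
document.getElementById("banner").innerHTML = greeting;
document.getElementById("title").innerHTML = safeText;
var q = new URLSearchParams(location.search).get("q");
document.write("<p>Results for " + q + "</p>");
eval(safeText);
`;

console.log(JSON.stringify(findSourceToSinkFlows(SAMPLE), null, 2));
```

Run it with `node` and it lists the two flows and nothing else; that is the difference between "this sink pops an alert when I poke it in the console" and "page input reaches this sink". The same logic is what you would want in a lint step so that a developer sees the flow before it ships.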

This should be a passion. I have been learning for about 1 year. I do not have any IT knowledge. No success yet. Of course I got 3 stored XSS but on a program where they do not pay. My advice for a not-smart person like me: just do not give up. Look on Twitter at how people do some bounty. They show the way to do this. Also look on YouTube.


No need to focus only on DOM because you suppose you are better suited for it. Also, if you only focus on XSS or just one kind of vulnerability you will miss many bugs. Unless you decide to focus on the kind of bugs that pay a lot, but also sometimes you are not looking for something and you find it.
So, if you are going to focus on only one kind of bug, maybe shoot for those that pay a lot, otherwise you will be wasting a lot of time. Unless you don’t need money in any way, in that case do whatever you want.

In addition to what others have said, I would look into taking notes of interesting findings while you’re testing. Some even map the entire infrastructure out using mind maps. This way you could always come back at a later stage.

Also, something to be aware of is that companies constantly push code.

I have also found user enumeration on a forgot password page but it got marked as a duplicate. I was confused between Brute Force and Non-Brute Force Username/Email Enumeration during reporting. I need your thoughts about it, please clear my doubt.

Thanks
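To make the forgot-password case from the post above concrete from the defender's side, here is an added example that is not from the thread: a leaky handler that answers differently for registered and unregistered addresses, the hardened version that answers identically, and a check a team could keep in its test suite to catch the regression. The in-memory `USERS` set, the outbox, and the handler names are constructed for the example. The check sends one request per address; a single differing response is already the oracle, no guessing loop is involved, which is what makes this the non-brute-force flavour rather than a rate-limiting question. Timing differences and whether a mail actually arrives are side channels this check does not cover.

```javascript
// Added example: leaky vs. hardened forgot-password handlers and a test for a
// non-brute-force email enumeration oracle. All data is constructed in memory.

const USERS = new Set(['alice@example.com', 'bob@example.com']); // constructed user store
const outbox = [];                                                // stands in for the mail queue

function queueResetEmail(email) {
  outbox.push(email);
}

// Leaky: status and message tell the caller whether the address is registered.
function forgotPasswordLeaky(email) {
  if (!USERS.has(email)) {
    return { status: 404, body: 'No account found for that email address.' };
  }
  queueResetEmail(email);
  return { status: 200, body: 'A password reset link has been sent.' };
}

// Hardened: the same status and body regardless of whether the address exists;
// the reset mail is still only queued for registered accounts.
function forgotPasswordSafe(email) {
  if (USERS.has(email)) queueResetEmail(email);
  return {
    status: 200,
    body: 'If an account exists for that address, a reset link has been sent.',
  };
}

// Check: one request for a known address, one for an unknown one. Any difference
// in status or body is an enumeration oracle that needs no brute forcing.
function hasEnumerationOracle(handler, knownEmail, unknownEmail) {
  const known = handler(knownEmail);
  const unknown = handler(unknownEmail);
  return known.status !== unknown.status || known.body !== unknown.body;
}

console.log('leaky handler leaks:', hasEnumerationOracle(forgotPasswordLeaky, 'alice@example.com', 'nobody@example.com'));
console.log('safe handler leaks: ', hasEnumerationOracle(forgotPasswordSafe, 'alice@example.com', 'nobody@example.com'));
```

The fix is not to hide the mail-sending logic but to make the externally visible response independent of account existence; the outbox in the example shows that the hardened handler still does the right thing for real accounts.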

I am in a quite similar situation. I try not to let frustration cover the whole thing.
I try to focus on what I learn day to day (new tools, new techniques, new bugs) which is enormous indeed.

And for this johndoebee’s advice is an excellent one, because you may switch between bug bounty and learning periods. Keeping notes of what you’ve found allows you to come back to what seemed interesting and apply new techniques you’ve learnt.
