Bug Bounty Hunting (methodology ,tips & Tricks )

How I approach a Target

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.

A reward offered to a person who identifies an error or vulnerability in a computer program or system: ‘The company boosts security by offering a bug bounty.’


Bug Bounty Platforms

Bugcrowd, Hackerone, Synack, Japan Bug bounty Program, Cobalt, Zerocopter, Hackenproof, BountyFactory, Bug Bounty Programs List, AntiHack.


Some Books for reading about Bug Hunting

There are several books on web application penetration testing methodology and hunting the web; through these you learn the basics and essentials of penetration testing and bug hunting. Since bug bounties often include website targets, we’ll focus on getting you started with web hacking and branch out later.

  • The Web Application Hacker’s Handbook
  • OWASP Testing Guide (highly suggested by Bugcrowd’s Jason Haddix)
  • Penetration Testing
  • The Hacker Playbook 2: Practical Guide to Penetration Testing
  • The Tangled Web: A Guide to Securing Web Applications
  • Jhaddix Bug Hunting Methodology
  • The Hacker Playbook-3
  • Ethical Hacking and Penetration Guide
  • Web Penetration Testing with Kali Linux

My Tips & Tricks

  • Bug Bounty Hunting Tip #1- Always read the Source Code
  • Bug Bounty Hunting Tip #2- Try to Hunt Subdomains
  • Bug Bounty Hunting Tip #3- Always check the Back-end CMS & backend language (builtwith)
  • Bug Bounty Hunting Tip #4- Google Dorks are very helpful
  • Bug Bounty Hunting Tip #5- Check each request and response
  • Bug Bounty Hunting Tip #6- Active Mind - Out of Box Thinking :)

My Methodology for Bug Hunting

  • First review the scope
  • Perform reconnaissance to find valid targets
  • Find subdomains through various tools: Sublist3r, VirusTotal, etc.
  • Select one target, then scan the discovered hosts to gather additional information (check the CMS, the server, and any other information I need)
  • Use Google dorks for information gathering on a particular target.
  • Review all of the services, ports and applications.
  • Fuzz for errors and to expose vulnerabilities
  • Attack vulnerabilities to build proof-of-concepts

For bug bounty programs, I first review the scope of the target. There’s a huge difference between a scope such as *.facebook.com and a small company’s single application test environment.

If the scope is big and they accept submissions for any of their servers, I start doing reconnaissance using search engines such as Google, Shodan, Censys, ARIN, etc. to discover subdomains, endpoints, and server IP addresses. This is a mix of Google dorking, scanning IP ranges owned by the company, port scanning their servers, etc.: anything that gives me information on servers that may be owned by that company.
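Reviewing the scope first matters because recon returns far more hosts than the program covers, and testing an out-of-scope host is the fastest way to get a report rejected. The following is an added example, not code from the original post: a small scope filter that takes wildcard hostname patterns and IP ranges as a program would list them, applies exclusions, and keeps only the discovered hosts that are covered. All scope entries and discovered hosts below are constructed sample data; the function names are my own.

```python
"""Filter discovered hosts down to a bug bounty program's declared scope.

Added example (not from the original post). Scope entries, exclusions and
discovered hosts are constructed sample values, not a real program.
"""
import ipaddress


def _host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against a scope pattern such as '*.example.com'.

    A wildcard covers any subdomain depth but not the bare apex: programs
    that want 'example.com' itself in scope list it separately.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def parse_scope(entries):
    """Split scope entries into hostname patterns and IP networks."""
    host_patterns, networks = [], []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            # Single IPs become /32 (or /128) networks; strict=False tolerates host bits.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            host_patterns.append(entry)
    return host_patterns, networks


def in_scope(target: str, host_patterns, networks) -> bool:
    """True if target (hostname or IP literal) is covered by the parsed scope."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return any(_host_matches(p, target) for p in host_patterns)
    return any(addr in net for net in networks)


def filter_targets(discovered, scope, exclusions=()):
    """Keep discovered hosts that are in scope and not explicitly excluded."""
    in_pat, in_net = parse_scope(scope)
    ex_pat, ex_net = parse_scope(exclusions)
    return sorted(
        t for t in discovered
        if in_scope(t, in_pat, in_net) and not in_scope(t, ex_pat, ex_net)
    )


# Constructed sample program scope and recon output (not a real program).
SCOPE = ["*.example.com", "api.example.org", "203.0.113.0/24"]
EXCLUDED = ["legacy.example.com", "*.corp.example.com"]
DISCOVERED = [
    "www.example.com", "legacy.example.com", "vpn.corp.example.com",
    "example.com", "api.example.org", "203.0.113.40",
    "198.51.100.7", "mail.example.org",
]

if __name__ == "__main__":
    for host in filter_targets(DISCOVERED, SCOPE, EXCLUDED):
        print(host)
```

Note that the apex `example.com` is dropped even though `*.example.com` is in scope; that mirrors how most programs read a wildcard, and if you want the apex covered you add it as its own line rather than loosening the matcher.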

When I have a list of servers, I perform nmap port and banner scanning to see what type of servers are running. You may get some quick finds, such as open SSH ports that allow password-based authentication. At this point I tend to stay away from reporting those smaller issues; I opt to spend more time looking for critical applications running on non-standard web ports, such as Jenkins, that may have a weak default configuration or no authentication in front of them.

Before I dig into the websites too deeply, I first do a quick run through the web servers looking for common applications such as WordPress, Drupal, Joomla, etc. This is a mix of browsing the sites manually and directory hunting with a wordlist, looking for sitemaps, looking at robots.txt, etc. Some open source plugins are poorly made, and a bit of source review can lead to critical findings.

Then I dig into the website, checking and analysing each request and response. I’m trying to understand their infrastructure: how they handle sessions and authentication, and what type of CSRF protection they have (if any).

Sometimes I use negative testing to provoke errors; this error information is very helpful for finding the internal paths of the website. I spend most of my time trying to understand the flow of the application to get a better idea of what type of vulnerabilities to look for.

Once I’ve done all of that, depending on the rules of the program, I start using scripts for wordlist brute-forcing of endpoints. This can help find directories or folders that you may not have been able to discover just by using the website. These tend to be private admin panels, source repositories they forgot to remove such as /.git/ folders, or test/debug scripts. After that, I check each form on the website and try client-side attacks, using multiple payloads to bypass client-side filters. The best tool across all of bug bounty hunting is Burp Suite :)
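The "check each request and response" step above is mostly about reading what the server tells you about session handling and CSRF protection. As an added example that is not part of the original post, here is a small reviewer for captured HTTP responses: it flags session cookies set without HttpOnly, Secure or SameSite, and POST forms that carry no hidden anti-CSRF field. The two responses are constructed samples (a weak one beside a hardened one), the cookie and field names are made up, and the function names are my own.

```python
"""Review session-cookie flags and CSRF-token presence in captured HTTP responses.

Added example, not code from the original post. Both responses below are
constructed samples, not captures from any real site.
"""
import re


def split_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_findings(headers):
    """One finding per missing protective attribute on each Set-Cookie header."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive.
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        for attr, label in (("httponly", "HttpOnly"), ("secure", "Secure"), ("samesite", "SameSite")):
            if attr not in attrs:
                findings.append(f"{cookie_name}: missing {label}")
    return findings


def _has_csrf_field(form: str) -> bool:
    """True if the form has a hidden input whose name looks like an anti-CSRF token."""
    for tag in re.findall(r"<input\b[^>]*>", form, re.I):
        kind = re.search(r'type\s*=\s*["\']?(\w+)', tag, re.I)
        name = re.search(r'name\s*=\s*["\']?([^"\'\s>]+)', tag, re.I)
        if kind and name and kind.group(1).lower() == "hidden" \
                and re.search(r"csrf|token|nonce", name.group(1), re.I):
            return True
    return False


def form_findings(body: str):
    """Flag every POST form in the body that has no hidden CSRF token field."""
    findings = []
    for form in re.findall(r"<form\b.*?</form>", body, flags=re.S | re.I):
        method = re.search(r'method\s*=\s*["\']?(\w+)', form, re.I)
        if not method or method.group(1).lower() != "post":
            continue  # GET forms are not state-changing; skip them
        if not _has_csrf_field(form):
            action = re.search(r'action\s*=\s*["\']?([^"\'\s>]+)', form, re.I)
            target = action.group(1) if action else "(no action)"
            findings.append(f"POST form {target}: no hidden CSRF token field")
    return findings


def review(raw: str):
    """Combined cookie and form findings for one captured response."""
    _, headers, body = split_response(raw)
    return cookie_findings(headers) + form_findings(body)


# Constructed sample: session cookie with no flags, POST form with no token.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>"
    '<form method="POST" action="/account/email">'
    '<input type="text" name="email">'
    '<input type="submit" value="Save">'
    "</form></body></html>"
)

# Constructed sample: the same page with the protections in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>"
    '<form method="post" action="/account/email">'
    '<input type="hidden" name="csrf_token" value="d3adb33f">'
    '<input type="text" name="email">'
    "</form></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, review(raw) or ["no findings"])
```

The checks are deliberately conservative: a missing hidden field is a prompt to look closer (the site may use a header-based token or same-site cookies instead), not a confirmed finding, which is exactly the distinction a triage team will expect in the report.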

This is just the methodology for Bug bounty hunting and Penetration testing that seems to work for me :)

Tools & OS

  • Bug Bounty Forum Tool list
  • Bugcrowd Tool list
  • Nmap
  • Burp Suite
  • Wp-scan
  • Kali Linux
  • Browser :)


Let's Connect

Hope you like it. If you have any queries, feel free to connect with me through Instagram or LinkedIn :) If I missed something, kindly comment below so I can add it to the Bug Bounty / Infosec list. If you like this blog, do clap and share it with your friends :)