10 tips and questions to help you find secondary context bugs — Bug Bounty Tuesday

kerstan
3 min read · Jul 9, 2024


Hello everyone, I’m Kerstan.

Today is Bug Bounty Tuesday, and I will share 10 tips and questions to help you find secondary context bugs in bug bounty.

So, let’s dive right in.

Image generated with PaintingForYou

1. Do different endpoints return different sets of headers or different content types?

2. A lot of the time the secondary context is blind, meaning you can’t see the full HTTP response to the request you triggered.

3. Build a map of how control characters modify the response, i.e. a “&” causes this behaviour and a “#” results in that behaviour. It helps identify where your input is being placed in the backend request.

4. Using special characters to trigger stack traces can reveal verbose information about the underlying request, or even cause backend API keys to leak.

5. A good wordlist for brute forcing paths in a blind secondary context is the “Server-side variable names” list in Burp Suite.

6. When looking at the directory structure, think about the following:

- Are they using camelCase?

- Are there any separators between words?
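Tip 3 is easier to reason about with a concrete model of the “secondary context”: a public API that builds a request to an internal backend from a user-supplied value. The following is an added example, not code from the post; the backend host, paths and ID format are assumptions. It shows the vulnerable concatenation pattern next to two hardened forms, plus a helper that reports which URL component a given control character ends up in.

```python
import re
from urllib.parse import quote, urlencode, urlsplit

# Placeholder for the internal service the public API forwards to (assumption).
BACKEND = "http://internal-api.example/v1"
# Assumed identifier format: short, alphanumeric plus '-' and '_'.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def naive_backend_url(user_id: str) -> str:
    """Vulnerable pattern: the value is concatenated straight into the path.
    A '#' or '?' in it changes how the backend parses the whole request."""
    return f"{BACKEND}/users/{user_id}/profile"


def hardened_profile_url(user_id: str) -> str:
    """Mitigation for identifiers: allow-list the shape first, then
    percent-encode the value as one path segment (safe='' also encodes '/')."""
    if not ID_RE.match(user_id):
        raise ValueError("invalid user id")
    return f"{BACKEND}/users/{quote(user_id, safe='')}/profile"


def hardened_search_url(term: str) -> str:
    """Mitigation for free text: never build the query string by hand.
    urlencode escapes '#', '&' and '=' so the term stays inside the single
    q= parameter instead of adding parameters or truncating the request."""
    return f"{BACKEND}/users/search?{urlencode({'q': term})}"


def backend_view(url: str) -> dict:
    """What the backend's URL parser actually sees. This is the mapping
    exercise from tip 3: which control character lands in which component."""
    p = urlsplit(url)
    return {"path": p.path, "query": p.query, "fragment": p.fragment}


if __name__ == "__main__":
    # Constructed sample inputs: a clean ID, then two with control characters.
    for raw in ("42", "42#", "42?x=1"):
        print(f"{raw!r:12} -> {backend_view(naive_backend_url(raw))}")
    print(backend_view(hardened_search_url("a#b&c")))
```

Running it shows the '#' input truncating the backend path to `/v1/users/42` with `/profile` demoted to a fragment, while the encoded search term stays a single `q=` value.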
