Step by Step Bug Bounty

Nishant Saurav
Dec 15, 2019 · 6 min read


Note: These are the steps I am following; I cannot guarantee that the same methods will work for you. I am still learning and I am not a pro or leet at it right now. Although I picked up this sword late, I am learning day and night to improve my skills. Keep trying and never give up.

“It is said that if I had 8 hours to chop down a tree, I would spend 6 hours sharpening my axe.”

Step 1: It is most important to remember that nobody will teach you anything, let alone everything, no matter how friendly you are. You have to understand the technology and read through the writeups to gain experience in this field. Exceptions exist, of course. ;)

It is a fascinating domain and everyone here wants to be famous and ever richer. Bug bounty is always a bumpy ride: you want to stay in control of your seat, but it can sicken you and throw you out onto the road if you are not prepared.

Step 2: Your Arsenal for the Race.
1. Your Attitude.
2. Your Hard work.
3. Your Plan.
4. Your Understanding of the Web Applications.
5. How much you are practicing.
6. Expect cheaters, backstabbers, noobs and show-offs.
7. If you do not know how to program, like me, start working on it as I am doing. I have given steps for it below as well.

Step 3: Tighten your seat belt for the bumpy ride.
Start learning the basics of programming and protocols: what a request is, what a response is, how a request is built, and how you can alter it to provoke a response the application's developers did not intend.
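To make "alter the request" concrete, here is an added example (not code from the original writeup) that parses a raw HTTP/1.1 request as an intercepting proxy would show it, changes a query or body parameter, and re-serialises the request. The request itself, the host shop.example and the parameter names are constructed for illustration.

```python
"""Parse a raw HTTP/1.1 request, alter a parameter, and re-serialise it.

Added example for this writeup, not the author's code. RAW_REQUEST, the host
shop.example and the parameter names are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: a form POST as an intercepting proxy would show it.
RAW_REQUEST = (
    "POST /account/update?lang=en HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "user_id=1001&display=Bob"
)


def parse_request(raw):
    """Split a raw request into method, target, version, ordered headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def get_header(req, name):
    """Case-insensitive header lookup; returns None when absent."""
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def set_header(req, name, value):
    """Replace a header in place (keeping its original spelling) or append it."""
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))


def set_query_param(req, name, value):
    """Edit one parameter in the query string of the request target."""
    parts = urlsplit(req["target"])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[name] = value
    req["target"] = urlunsplit(parts._replace(query=urlencode(params)))


def set_body_param(req, name, value):
    """Edit one parameter of a urlencoded form body (payload chars get %-encoded)."""
    params = dict(parse_qsl(req["body"], keep_blank_values=True))
    params[name] = value
    req["body"] = urlencode(params)


def serialize(req):
    """Rebuild the raw request, recomputing Content-Length for the edited body.

    A stale Content-Length makes the server truncate the body or wait for
    bytes that never arrive, which is the usual pitfall of hand-editing.
    """
    if req["body"] or get_header(req, "Content-Length") is not None:
        set_header(req, "Content-Length", str(len(req["body"].encode("utf-8"))))
    request_line = f"{req['method']} {req['target']} {req['version']}"
    header_lines = [f"{n}: {v}" for n, v in req["headers"]]
    return "\r\n".join([request_line, *header_lines, "", req["body"]])


def tamper(raw, query=None, body=None):
    """Return a copy of `raw` with the given query/body parameters changed."""
    req = parse_request(raw)
    for name, value in (query or {}).items():
        set_query_param(req, name, value)
    for name, value in (body or {}).items():
        set_body_param(req, name, value)
    return serialize(req)


if __name__ == "__main__":
    # Same session cookie, different user_id: the classic access-control probe.
    print(tamper(RAW_REQUEST, body={"user_id": "99999"}))
```

An intercepting proxy does exactly this when you edit a request in its repeater view; doing it once by hand shows why the body and Content-Length must agree, and why a payload such as a single quote arrives at the server percent-encoded unless you deliberately send it raw.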

Web development: learn about HTML, HTML5, PHP, SQL, Python, Go, HTTP, HTTPS, JavaScript, jQuery, JSON, Bash, etc.
https://www.udemy.com/courses/development/web-development/?search-query=web+development

Python tutorials are easily available on YouTube.

Build a sample project to bring it all together. I am building a short one for myself these days using HTML, JS and JSON to grasp everything.

Now comes Bash programming. It is important because when you issue commands to Linux systems you must understand the Linux file system layout, and working in Bash will help you understand it.

Linux commands: http://linuxcommand.org/

Step 4: Learn about Operating Systems.

This is very important because every server runs an OS at the back end; as long as you do not know how to work with that OS, you cannot carry out OS-specific attacks. The opening may be right in front of you and you will not notice it. This point actually applies to every step before and after this one. Believe me, it happens if you are a newbie: it has happened to me a lot and still does.

Step 5: Start Learning about the Vulnerabilities.

Follow the blogs of the bug bounty platforms for help, e.g. h1.nobbd.de, the OWASP Top 10, the Bugcrowd blog, Medium writeups, and peers on Twitter.

Step 6: Choosing the Target

This is very important because attacking any target.com blindly will end up either earning you negative points or, at best, a duplicate, which is not at all acceptable at the beginning of your career. I made the same mistake, but I learned.

So first read their documentation (including the program's scope), understand the target's functionality, and use the application for a day to learn it inside and out: where the upload function is and what kinds of files it accepts, the target's subdomains, the points where a user interacts with the application, and so on.
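As an added example (not code from the original writeup) of recording what you find while mapping the application: the script below walks a saved HTML page and lists its forms, the fields they submit, any file-upload fields with the types they accept, and which linked hostnames fall under the target's domain. The HTML, target.com and the subdomains in it are constructed placeholders.

```python
"""Map a page's interaction points: forms, fields, file uploads, linked hosts.

Added example for this writeup, not the author's code. SAMPLE_HTML,
target.com and the subdomains in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one upload form, one search form, a few links.
SAMPLE_HTML = """
<html><body>
<form action="/profile/avatar" method="post" enctype="multipart/form-data">
  <input type="file" name="avatar" accept=".png,.jpg">
  <input type="hidden" name="csrf" value="tok">
  <button type="submit">Upload</button>
</form>
<form action="/search">
  <input name="q">
</form>
<a href="https://api.target.com/v1/docs">API docs</a>
<a href="https://cdn.target.com/app.js">assets</a>
<a href="https://www.othersite.example/">partner</a>
<a href="/help">help</a>
</body></html>
"""


class SurfaceMapper(HTMLParser):
    """Collects forms (with their inputs) and the hostnames the page links to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self.hosts = set()
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            self._form = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "enctype": a.get("enctype") or "application/x-www-form-urlencoded",
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            field = {"name": a.get("name"),
                     "type": (a.get("type") or "text") if tag == "input" else tag}
            if field["type"] == "file":
                # 'accept' is only a browser-side hint; the server-side check decides.
                field["accept"] = a.get("accept") or "*"
            self._form["inputs"].append(field)
        elif tag == "a" and a.get("href"):
            host = urlsplit(urljoin(self.base_url, a["href"])).hostname
            if host:
                self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def map_surface(html, base_url, root_domain):
    """Return forms, upload points and linked hosts split by scope."""
    parser = SurfaceMapper(base_url)
    parser.feed(html)
    parser.close()
    uploads = [(f["action"], i["accept"])
               for f in parser.forms for i in f["inputs"] if i["type"] == "file"]

    def in_scope(host):
        return host == root_domain or host.endswith("." + root_domain)

    return {
        "forms": parser.forms,
        "uploads": uploads,
        "in_scope_hosts": sorted(h for h in parser.hosts if in_scope(h)),
        "out_of_scope_hosts": sorted(h for h in parser.hosts if not in_scope(h)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(map_surface(SAMPLE_HTML, "https://www.target.com/", "target.com"),
                     indent=2))
```

This only covers what is in the static HTML; endpoints that JavaScript calls, and the real list of accepted upload types, are only visible in the proxy while you use the application, which is why the day of clicking through it matters.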

Step 7: Be ready for the Disappointments.

Even after all this preparation, be ready for disappointment. Do not assume that because you went through everything, understood the application and the bug is valid, you will definitely get a reward. My experience has taught me that when you submit a bug you should be ready for a surprise. So don't waste your time: submit the bug and start searching for the next one. First, it will push you to try harder to get a reward; second, you will learn more; and third, this way you can hunt more.

There is a fair chance you will find a P1 bug after searching for a few hours, and there are days when you cannot find an issue even after hunting for a whole day or a week. There is also a chance that your triaged report gets changed to N/A or Duplicate. Try to accept your fate and move forward. Believe me, this is the most difficult part and very frustrating for a hunter.

Books you can follow:
1. The Web Application Hacker's Handbook, 2nd edition
2. The Tangled Web: A Guide to Securing Modern Web Applications
3. The Hacker Playbook 3

Some of the major vulnerabilities and related PoCs:

SQLi
PoCs:
1. https://medium.com/@mahitman1/hacking-a-crypto-debit-card-service-730f287aaee7
2. https://medium.com/@valeriyshevchenko/burpsuit-sqlmap-one-love-64451eb7b1e8

XSS
PoCs:
1. https://medium.com/@jonathanbouman/persistent-xss-at-ah-nl-198fe7b4c781
2. https://medium.com/@jonathanbouman/reflected-client-xss-amazon-com-7b0d3cec787
3. https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c

SSRF
PoCs:
1. https://hackerone.com/reports/115748
2. https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326
3. https://medium.com/@alyssa.o.herrera/wappalyzer-ssrf-write-up-2dab4df064ae

XXE
PoCs:
1. https://medium.com/@jonathanbouman/xxe-at-bol-com-7d331186de54
2. https://medium.com/@mrnikhilsri/oob-xxe-in-prizmdoc-cve-2018-15805-dfb1e474345c
3. https://medium.com/@canavaroxum/xxe-on-windows-system-then-what-76d571d66745

Path Traversal
PoCs:
1. https://medium.com/bugbountywriteup/bugbounty-api-keys-leakage-source-code-disclosure-in-indias-largest-e-commerce-health-care-c75967392c7e
2. https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f

Open Redirection
PoCs:
1. https://medium.com/bugbountywriteup/bugbounty-linkedln-how-i-was-able-to-bypass-open-redirection-protection-2e143eb36941
2. https://medium.com/@rishabh/open-redirect-to-account-takeover-e939006a9f24

Account Takeover
PoCs:
1. https://medium.com/@injector.pca_87232/account-takeover-worth-900-cacbe10de58e
2. https://medium.com/@y.shahinzadeh/1-click-account-takeover-in-virgool-io-a-nice-case-study-6bfc3cb98ef2

Remote Code Execution
PoCs:
1. https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-bypass-firewall-to-get-rce-and-then-went-from-server-shell-to-get-783f71131b94
2. https://medium.com/bugbountywriteup/bugbounty-journey-from-lfi-to-rce-how-a69afe5a0899
3. https://parsiya.net/blog/2019-06-18-chaining-three-bugs-to-get-rce-in-microsoft-attacksurfaceanalyzer/

IDOR
PoCs:
1. https://medium.com/@logicbomb_1/bugbounty-how-naaptol-indias-popular-home-shopping-company-kept-their-millions-of-user-data-e414cd4151c
2. https://medium.com/@logicbomb_1/bugbounty-paytm-customer-information-is-at-risk-indias-largest-digital-wallet-company-6f7116d4b2d5
3. https://medium.com/bugbountywriteup/bugbounty-how-i-was-able-to-read-chat-of-users-in-an-online-travel-portal-c55a1787f999
4. https://medium.com/bugbountywriteup/bugbounty-how-i-was-able-to-delete-anyones-account-in-an-online-car-rental-company-8a4022cc611

CSRF
PoCs:
1. https://medium.com/bugbountywriteup/content-negotiation-with-csrf-969e639d6a1a
2. https://shahmeeramir.com/methods-to-bypass-csrf-protection-on-a-web-application-3198093f6599
3. https://medium.com/bugbountywriteup/account-take-over-vulnerability-in-google-acquisition-famebit-e93b1a0a7af9
4. http://yasserali.com/hacking-paypal-accounts-with-one-click/

The following is a list of issues you should consider exploring yourself:
1. OS Code Injection
2. Path Traversal
3. Python Code Injection
4. XPATH Injection
5. HTTP Header Injection
6. Subdomain Takeover
7. Authentication Bypass
8. Host Header Injection

Blogs to follow:
1. http://brutelogic.com.br/blog/
2. https://blog.detectify.com/2016/05/01/owasp/
3. https://www.bugcrowd.com/blog/
4. https://gauravnarwani.com/blog/

Twitter accounts to follow:
1. Emad Shanab: https://twitter.com/Alra3ees
2. Ben Sadeghipour: https://twitter.com/NahamSec
3. XSS Payloads: https://twitter.com/XssPayloads
4. Vikash Chaudhary: https://twitter.com/OffensiveHunter
5. STOK: https://twitter.com/stokfredrik
6. Gaurav Narwani: https://twitter.com/gauravnarwani97
7. Zseano: https://twitter.com/zseano
8. Nishant Sinha: https://twitter.com/inishantsinha
9. Arbaaz Hussain: https://twitter.com/ArbazKiraak
10. Brute Logic: https://twitter.com/brutelogic

There are hundreds of tools:

I use only 5 or 6 of these; the rest I have collected from different writeups for the sake of this one.

dnscan https://github.com/rbsec/dnscan
Knockpy https://github.com/guelfoweb/knock
Sublist3r https://github.com/aboul3la/Sublist3r
massdns https://github.com/blechschmidt/massdns
nmap https://nmap.org
masscan https://github.com/robertdavidgraham/masscan
EyeWitness https://github.com/ChrisTruncer/EyeWitness
DirBuster https://sourceforge.net/projects/dirbuster/
dirsearch https://github.com/maurosoria/dirsearch
Gitrob https://github.com/michenriksen/gitrob
git-secrets https://github.com/awslabs/git-secrets
sandcastle https://github.com/yasinS/sandcastle
bucket_finder https://digi.ninja/projects/bucket_finder.php
GoogD0rker https://github.com/ZephrFish/GoogD0rker/
Wayback Machine https://web.archive.org
waybackurls https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
Sn1per https://github.com/1N3/Sn1per/
XRay https://github.com/evilsocket/xray
wfuzz https://github.com/xmendez/wfuzz/
patator https://github.com/lanjelot/patator
datasploit https://github.com/DataSploit/datasploit
hydra https://github.com/vanhauser-thc/thc-hydra
changeme https://github.com/ztgrace/changeme
MobSF https://github.com/MobSF/Mobile-Security-Framework-MobSF/
Apktool https://github.com/iBotPeaches/Apktool
dex2jar https://sourceforge.net/projects/dex2jar/
sqlmap http://sqlmap.org/
oxml_xxe https://github.com/BuffaloWill/oxml_xxe/
XXE Injector https://github.com/enjoiz/XXEinjector
The JSON Web Token Toolkit https://github.com/ticarpi/jwt_tool
ground-control https://github.com/jobertabma/ground-control
ssrfDetector https://github.com/JacobReynolds/ssrfDetector
LFISuite https://github.com/D35m0nd142/LFISuite
GitTools https://github.com/internetwache/GitTools
dvcs-ripper https://github.com/kost/dvcs-ripper
tko-subs https://github.com/anshumanbh/tko-subs
HostileSubBruteforcer https://github.com/nahamsec/HostileSubBruteforcer
Race the Web https://github.com/insp3ctre/race-the-web
ysoserial https://github.com/GoSecure/ysoserial
PHPGGC https://github.com/ambionics/phpggc
CORStest https://github.com/RUB-NDS/CORStest
retire-js https://github.com/RetireJS/retire.js
getsploit https://github.com/vulnersCom/getsploit
Findsploit https://github.com/1N3/Findsploit
bfac https://github.com/mazen160/bfac
WPScan https://wpscan.org/
CMSMap https://github.com/Dionach/CMSmap
Amass https://github.com/OWASP/Amass

To wrap up, I am still learning and will keep updating this writeup from time to time, so that everyone interested in web application security can learn along.

I will update you shortly on Mobile Application Security.

If you liked the writeup or have any recommendations, please do not hesitate to comment. You can follow me on Twitter and LinkedIn; my Twitter handle and LinkedIn profile are below.

Twitter: https://twitter.com/inishantsinha
LinkedIn: https://www.linkedin.com/in/nishantsaurav/

Thanks for reading.

:)
