My bug bounty methodology and how I approach a target


Last time, I showed you the best resources I use to stay up to date in bug bounty hunting. Today, I will share with you my bug bounty methodology when I approach a target for the first time. This is going to be divided into several sections. First, I will show how I choose a bug bounty program. Then, I will dive into how I enumerate the assets. From there, I will explain how I pick a web application and how I test it. Finally, I will evaluate this bug bounty methodology by enumerating its pros and cons so that you know exactly what to expect from it. There are plenty of bug bounty tips and tricks along the way, so make sure to stick around until the end.

How I choose a bug bounty program

When I first started hacking, Hacker101 didn’t exist yet. I had to work on public programs, which were tough to crack. In fact, there was simply too much competition on those programs for the level of expertise I had at the time. Luckily, you don’t have to struggle as I did. If you’ve seen my previous episodes, you have probably earned your first 26 points on Hacker101 by now and got your first private invite from a bug bounty program. If you haven’t done it yet, then you’re probably starting your bug bounty hunting journey on the wrong foot.

Anyway, let’s assume you have received some private invitations. How would you choose between them? Which program would you pick to start hunting for bugs? On HackerOne, where I primarily hunt for bugs, I choose a program based on the key metrics shown to me during the invitation process.

HackerOne program displaying some metrics of its bug bounty program

Program launch date

First, I check when the bug bounty program was launched to get an idea of how old it is. This tells me whether I should spend some time on low hanging fruits or dig deeper during my testing, because, unless there are new assets, most of the easy bugs will already have been found in an old program.

Program responsiveness

The second thing I look for is the response posture. In short, I look at the average time to resolve a security issue. If the program takes a long time to resolve security issues, there is a higher chance of getting duplicates. Usually, all the other response metrics, such as time to first response, time to triage and time to bounty, are lower than the resolution time, so the shorter it is, the better.
You can also see the percentage of reports which have met those response metrics. If it is above 90%, I’d probably accept the invitation if the rest of the metrics are OK.

The scope of the bug bounty program

I usually prefer bigger scopes. For example, I would prefer wildcard domains over a single web application. It reduces competition because there is enough room to play with different assets, and it makes the target less boring. However, I might accept a small-scope program if it has a great response time or good rewards.

Bug bounty rewards

This is another criterion I look for. If I am investing my time looking for security bugs, I would like a bigger return on my investment, so I prefer higher paying bug bounty programs. I usually avoid programs with no rewards, not only because of the money, but also because the reputation you get is significantly lower.

The business of the company

If all the previous metrics look good to me, I still have to check if the company’s business matches my values. If it doesn’t, I simply reject the invitation.

Alright, now that I have chosen the bug bounty program, how do I approach it? Well, I start with a light subdomain enumeration to gauge the public presence of the bug bounty program and quickly find something to work on. I used to do thorough enumeration, but I realized that it takes considerable time. Because this is my first interaction with the target, I feel it’s a bit early to perform a heavy enumeration.

What does my bug bounty methodology look like for subdomain enumeration?

I start my subdomain enumeration with Tomnomnom’s assetfinder tool. The command is straightforward, you just provide your in-scope wildcard domain name.

assetfinder --subs-only domain.name

The thing I love about this tool is that it’s blazingly fast! It provides me with a quick idea of the subdomains naming convention and gives me initial assets to work on.
I always avoid brute force at this stage. On the one hand, it takes more time, which I prefer to invest in the next steps. On the other hand, I like to increase my success rate by brute-forcing with a custom wordlist tailored just for this domain.

Bug bounty methodology to enumerate web applications

Now that I have a list of assets, I keep only the live web applications using Tomnomnom’s httprobe. For now, all I’m interested in are ports 80 and 443. The command is again easy to run:

cat domains | httprobe

As a side note, if the program is new, I would probably use Shodan or perform a port scan using masscan to see if any web applications are running on non-standard open ports. These are ports greater than 1024.
Lastly, I run aquatone to screenshot the list of live web applications. There are two reasons I do that. On the one hand, I will be able to quickly spot any visual deviation from the common user interface. On the other hand, I will get a bird’s eye view of the different web application categories and technologies. This is possible because aquatone groups similar user interfaces together and displays the web applications’ technologies in the HTML results.

My bug bounty methodology when choosing a web application

Hopefully, I now have some web applications to choose from. I tend to choose the one which deviates from the herd. For example, if all web applications implement a centralized Single Sign-on authentication mechanism, I would look for any directly accessible asset. If I spot a user interface of common software such as monitoring tools, or known Content Management Systems, I would target them first. Another example is when the application discloses the name and the version of the software being used. In this case, I look online for any available exploits. If I am lucky, I might get easy issues to report.

For the other custom-made web applications, I will generally choose the one whose user interface deviates from the company’s common theme. If I don’t find one, I might repeat my previous steps with deeper enumeration. For instance, I would take the subdomains I found earlier and combine them with the name of the company to generate a custom wordlist. Then, I’d use tools like OWASP Amass to brute force the subdomains using the wordlist I constructed.
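As an added example (not the author’s tooling, and not part of the original post), here is a small Python helper for that wordlist step: it pulls the words out of the subdomains already found, adds the company name, and emits combinations that respect DNS label rules. The sample hosts, the apex example.com and the company name acme are constructed.

```python
import re
from itertools import permutations

# Constructed sample output of a first assetfinder pass; not real hosts.
SAMPLE_SUBDOMAINS = """
www.example.com
dev-api.example.com
staging.api.example.com
mail.example.com
jenkins-prod.example.com
cdn.example.net
"""

# RFC 1035-style label check: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def extract_labels(subdomains, apex):
    """Collect the individual words used in labels below the in-scope apex.

    Hosts outside the apex are skipped, labels are split on '-' and '_'
    so that 'dev-api' contributes both 'dev' and 'api', and purely numeric
    fragments are dropped because they carry no naming-convention signal.
    """
    words = set()
    suffix = "." + apex.lower()
    for host in subdomains:
        host = host.strip().lower().rstrip(".")
        if not host.endswith(suffix):
            continue
        prefix = host[: -len(suffix)]
        for label in prefix.split("."):
            for word in re.split(r"[-_]", label):
                if word and not word.isdigit():
                    words.add(word)
    return words


def build_wordlist(subdomains, apex, company):
    """Return a sorted, de-duplicated wordlist made of the observed words,
    the company name, and every ordered pair of them joined both as 'a-b'
    and as 'ab', the two joining styles common in real naming conventions."""
    words = extract_labels(subdomains, apex) | {company.lower()}
    candidates = set(words)
    for a, b in permutations(sorted(words), 2):
        candidates.add(f"{a}-{b}")
        candidates.add(f"{a}{b}")
    # Keep only syntactically valid DNS labels.
    return sorted(c for c in candidates if LABEL_RE.match(c))


if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_SUBDOMAINS.split(), "example.com", "acme")
    # Save this output to a file and hand it to the Amass brute-force step.
    print("\n".join(wordlist))
```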

How I approach a web application

Finally, the time comes for actually engaging with the web application and looking for security bugs. You must reduce the time between your first interaction with the program and this phase. Otherwise, you will be wasting your time doing only recon. In this phase, my bug bounty methodology consists of enumerating as much as possible to draw the largest attack surface possible.

Mapping the application features

This is where I open up my web browser and use the application as a normal user. If there is a signup feature, I create a user and log in. Then, I make sure to visit every tab, click on every link and fill in every form. If it’s an e-commerce website, I create an order using a fake credit card. Meanwhile, I’m capturing all the traffic with Burp.

It’s always tempting to switch between my web browser and Burp, but I find it distracting. Therefore, I do my best to focus on understanding the business features and making note of the interesting ones. For instance, I always look for file uploads, data export, rich text editors, etc.

Understanding the main application architecture and defense mechanisms

This is where I review my Burp traffic to answer specific questions. How is authentication performed? Does the application use a third party for that? Is there any OAuth flow? Is there any CSRF protection? If yes, how is it implemented? Are there any resources referenced using numerical identifiers? If yes, is there any protection against IDOR vulnerabilities? Does the application use any API? How does the application fetch data? Does it use a front-end framework? Which JavaScript files contain calls to the API? Does it use a back-end framework? If yes, what is it and which version is being used?

These are the kinds of questions I try to answer when I first interact with a web application. Having a clear idea of the architecture and the defense mechanisms helps me make a better plan of attack. I might also find weaknesses right away, which are generally application-wide and have a high impact.

JavaScript enumeration

Whenever I have the opportunity to read some code, I make sure to do so. Since JavaScript files power the client-side of the web application, I like to collect and analyze them. I found many hidden endpoints, Cross-site scripting and broken access control vulnerabilities this way. Using tools like LinkFinder, I collect URLs which I cross-reference with the endpoints I have collected from the mapping exercise. Sometimes, I do it the other way around. In other words, I look for API endpoints in JavaScript files using the naming convention of the endpoints I have in Burp. This allows me to save all the API endpoints into a file. It becomes handy when I want to implement some automation to detect when the developers add new endpoints to the application.
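As an added example (not the author’s code), the following Python script implements the last part of that workflow: it extracts API paths from a JavaScript bundle using a prefix observed in Burp, stores them in a JSON baseline, and reports only the endpoints that appeared since the previous run. The sample JavaScript, the /api/v2/ prefix and the endpoints.json file name are constructed.

```python
import json
import re
from pathlib import Path

# Constructed JavaScript standing in for a downloaded application bundle.
SAMPLE_JS = r"""
const BASE = "/api/v2";
fetch(BASE + "/users/me").then(r => r.json());   // concatenated path: not reconstructed
axios.get(`/api/v2/orders/${orderId}/invoice`);
axios.post("/api/v2/export", {format: "csv"});
axios.post("/api/v2/export", {format: "pdf"});   // same route, must count once
window.location = '/static/img/logo.png';        // static asset, not an API call
"""

# Naming convention observed in the Burp history (constructed value).
API_PREFIX = "/api/v2/"


def extract_endpoints(js_text, prefix=API_PREFIX):
    """Return the sorted, de-duplicated API paths literally present in js_text.

    Template placeholders such as ${orderId} are normalised to {orderId} so
    that one route is not counted once per variable name. Paths built by
    string concatenation (BASE + "/users/me") are deliberately not
    reconstructed here; that is where a dedicated tool like LinkFinder helps.
    """
    pattern = re.compile(re.escape(prefix) + r"[A-Za-z0-9_\-/${}.]+")
    found = set()
    for match in pattern.finditer(js_text):
        path = match.group(0).rstrip("/.")
        path = re.sub(r"\$\{(\w+)\}", r"{\1}", path)
        found.add(path)
    return sorted(found)


def diff_endpoints(baseline, current):
    """Endpoints present in the current run but absent from the baseline."""
    return sorted(set(current) - set(baseline))


def update_baseline(store, current):
    """Merge the current endpoints into the JSON baseline at `store` and
    return the ones that were new. Re-running this after each fresh download
    of the JavaScript is the automation mentioned above."""
    store = Path(store)
    baseline = json.loads(store.read_text()) if store.exists() else []
    new = diff_endpoints(baseline, current)
    store.write_text(json.dumps(sorted(set(baseline) | set(current)), indent=1))
    return new


if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_JS)
    for new_path in update_baseline("endpoints.json", endpoints):
        print("new endpoint:", new_path)
```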

Focusing on one feature at a time

This is where it starts to get really interesting! By now, I am comfortable navigating the application and using it normally, and I understand most of its features. If you quit before this phase and jump to another asset or a totally different program, you will have lost all the time you invested in learning how the application works. In this step, I focus on one feature at a time. My goal is to learn the flow in detail and to tinker with every user input based on my assumptions. For instance, if the request seems to be fetching data from a database, I would try SQL injection. If the user input gets returned, I will try Cross-Site Scripting. It all depends on your experience, but a solid start would be the OWASP Top 10, which I already covered in much detail in a hands-on training.

Pros and cons of this bug bounty methodology

This bug bounty methodology is powerful in many ways. However, by no means is it the perfect one. It has its limitations as well.

Pros of this bug bounty methodology

Here are the pros of this methodology.

  • Simple and minimal: It is a simple approach which requires minimal tools to yield the best initial results.
  • Speed: One of the best things I love when following this bug bounty methodology is the speed it provides. I can get a general view of the entire program in less than an hour. If the program is big, it takes just a few hours.
  • Low hanging bugs: Using this approach, you can easily find low hanging fruits if the program is new. It doesn’t require a lot of digging and effort. And if the program is old, you can still get a general idea of the company’s cyber presence.

Cons of this bug bounty methodology

These are the limitations of this approach.

  • It doesn’t cover the road less traveled: Because I’m using well-known tools with the default options, without a great deal of deep digging, I don’t expect to stumble upon a hidden asset or a less traveled road. That’s ok for me at this stage because this is my first interaction with the program. Usually, you won’t find easy bugs with it.
  • It doesn’t cover programs with IP ranges: If there is a program which has IP ranges in scope, this methodology wouldn’t work 100%. You need to still perform a port scan, which you can easily do with masscan.

Conclusion

There you have it! An end-to-end bug bounty methodology that you can use when you interact with a program for the first time. Rather than spending a lot of time doing extensive recon upfront, I find it more efficient to first assess the program’s IT infrastructure while focusing on one or two web applications.

I’d love to hear your thoughts and opinions on this bug bounty methodology. If you have any ideas on how to improve it, I encourage you to leave a comment describing how to do it. If you follow a different methodology, I’d love to know how you approach your bug bounty programs.

I hope you found this episode helpful. If you did, then I’d appreciate you liking and sharing it. If you’re not subscribed yet, join us to get updates whenever I publish new content. You’ll find all the social links in the description. Until then, stay curious, keep learning and go find some bugs!

The top 9 bug bounty resources to stay up to date


Last time we talked about how bad habits lead to burnout. In this episode, we will explore the best bug bounty resources and how you can properly use them to efficiently stay up to date. Some are robust resources provided by the bug bounty platforms and the community. Others are general websites which you can customize to fit your bug bounty needs.

Why and how should you stay up to date in bug bounty hunting?

I can’t stress it enough: staying up to date is essential in this career. As we saw in the first episode, where we discussed the bug bounty ecosystem, the community here is so active! Every day, it produces new tools, discloses new reports, publishes new videos, tweets about all kinds of bug bounty tips, and the list goes on and on.

It’s easy to get lost in the huge amount of information. That’s why it’s important to be strategic in your choices. The idea is to maximize your return on the time you invest. Besides, you should pick the channels that suit your taste. Some prefer to engage in forums, others like to use social networks, while other bug bounty hunters combine them all. It all depends on your favourite style of learning.

Hacktivity is your first bug bounty resource

What’s better than reading the findings of other bug bounty hunters? They can teach you a lot in one shot. Firstly, you learn how to practically exploit a vulnerability. Secondly, you understand the hacker’s thinking process. Finally, you get to know how to write a good report. Well, this is all possible thanks to HackerOne’s Hacktivity.

What is Hacktivity?

This awesome feature allows the bug bounty hunter and the hacked program to agree on disclosing the report to the public. When they do, the report automatically gets published on Hacktivity. You can sort them by popularity or age, filter them or search through them using keywords. You can even vote for the reports you like to increase their popularity!

The Hacktivity is a great bug bounty resource

How do I use Hacktivity?

By default, Hacktivity shows you all popular disclosed reports, which are not necessarily the latest. That’s why you can sort by age to see the latest reports first. However, this can result in irrelevant reports.

If I’m looking for inspiration, I search for specific keywords, like SQL injection or Sensitive data exposure. When I find a great report, I usually follow the bug bounty hunter. Next time I use Hacktivity, I sort the reports by age and filter only the hackers I follow to see just the new best reports. This will reduce the noise significantly.

Bug bounty resources for real-time interactions between hackers

If you feel alone when you hunt for bugs, one of the great ways to get updates and combat loneliness is to engage with the bug bounty community. There are many ways you can do that.

For instance, the Hacker101 Discord server allows you to connect in real-time with nearly two thousand active members of the bug bounty community. You can ask questions, read new posts, chat with specific bug bounty hunters, and much more. The topics are not restricted to bug bounty hunting only but cover hacking in general. Who knows, you might find your hacking buddy there!

You can find many bug bounty resources and meet hackers on the Hacker101 Discord

Another place you can engage with the bug bounty community is Bugcrowd’s forum. If you enjoy learning and interacting using forums, this one is full of bug bounty topics. From how to get started to how to report a bug, it’s all there!

Bugcrowd's forum is full of bug bounty resources

Turning Twitter into a Bug bounty resource

Although I’m not a big fan of social networks, I use Twitter every day. That’s because I think most of the bug bounty community is active there. When I first started using Twitter, I followed big names in bug bounties and my feed got flooded with tweets. However, most of them were noise, and I realized that I was spending too much time and effort reading irrelevant tweets.

If you are struggling as I did, I’ve got you covered! First, unfollow all the accounts which generate noise. Then, create a list to which you add only accounts that tweet bug bounty tips. There are many bots which collect tweets based on such hashtags. For instance, I am using @TheBugBot. Finally, add blacklist expressions to filter out any patterns of irrelevant tweets which you don’t find interesting. For example, HackerOne allows you to tweet about your bounties when you get one. They use a pattern like “Yay! I was awarded X amount of money”. So I just blacklist the expression “Yay! I was awarded”.

The Bug Bot collects bug bounty resources into a single feed

Bug bounty newsletters are great resources

If you get overwhelmed with online discussion spaces and forums, you might prefer subscribing to newsletters instead and receiving updates about bug bounty content directly in your email inbox. Rest assured, the community has your back here as well.

For example, Pentester Land’s newsletter is one of the best newsletters in the bug bounty world! It sends you a weekly curated list of the best bug bounty content. I recommend you give it a try and take your time reading most of the content you receive. Trust me when I tell you that it’s worth it!

If you want to see through the eyes of a bug bounty hunter, you can also subscribe to thehackerish newsletter and get updates about bug bounty related topics from my humble experience.

Bug bounty resources for practice

Reading bug bounty content is good, but developing new skills through practice is far better. After all, you can’t find a security flaw in a bug bounty program without knowing how to practically exploit it. Guess what, the community shines in this area as well!

Portswigger Academy as a bug bounty resource

This online learning platform is a gold mine for every bug bounty hunter! Developed by the creators of the famous Burp Suite web proxy, it teaches you security vulnerabilities and bug bounty hunting step by step, both in theory and in practice. The best part is that it’s free!

If you want to learn a new security vulnerability, make sure to check if they have it there first. You will thank me later.

The great Hacker101 bug bounty resource

There are many online hacking platforms, which we will explore on another occasion. However, the most relevant in the context of this episode is the Hacker101 platform. In fact, it’s a great bug bounty training resource which offers great bug bounty tutorials in the form of videos, as well as a free playground for hackers to practice their skills. The idea is simple: you solve challenges and collect points based on the level of difficulty. When you accumulate a certain number of points, you earn a private invite from a bug bounty program. This is your best go-to if you’re wondering how to start bug bounty hunting on HackerOne.

PentesterLab membership

If you’d like to invest in yourself, PentesterLab is a great bug bounty resource. In fact, it’s a membership platform which teaches you hacking skills through pragmatic bug bounty-like challenges. There are some free topics which you can learn from. However, the Pro version provides you with ready-to-use labs and more interesting bug bounty tips.

Conclusion

As you might have noticed, there are many bug bounty resources you can choose from to stay at the edge of your career and continue to find meaningful bugs. I’m sure there are other resources, but these are the most important ones in my opinion.

If you use other interesting bug bounty resources and you’d like to share them with the community, feel free to drop a comment. I’ll make sure to include them in my next episode. Until then, stay curious, keep learning, and go find some bugs!

Bug bounty burnout and your mental health


Last time, we gained a bird’s eye view of the landscape of bug bounties. We concluded that they have many benefits, but can also lead to bug bounty burnout. Today, we explore what causes burnout and suggest ways to heal from it and preserve your mental health while still doing what you’re passionate about: Hacking!
As a side note, although burnout and depression share some symptoms, they are different. If you suffer from depression, you should visit a mental health professional. These suggestions reflect what worked with my own burnout experience. They are not based on scientific facts and don’t replace your doctor’s intervention.

Burnout and bug bounty mental health

I am not a mental health specialist. However, according to a medically reviewed post on Verywell Mind, burnout happens when you feel exhausted, start to hate your job, and begin to feel less capable at work. Other factors like your personality traits and thought patterns, such as perfectionism and pessimism, can contribute to burnout as well.

That’s exactly what is happening to many of us in bug bounty hunting. But why is burnout common in our community?

How exhaustion leads to burnout in bug bounty hunting

As we saw in the previous episode, the majority of hackers do bug bounty hunting part-time. This means that besides a 9 to 5 job or a day of studies, we dedicate yet another chunk of our daily hours to looking for vulnerabilities on bug bounty programs. Guess what, it takes time and energy to first understand how targets work, then analyze and test the different features. Besides, doing it every day is exhausting. In the end, we’re not even sure whether we will find a vulnerability at all!

Bug bounties and duplicates

You might think that full-time bug bounty hunters don’t suffer from burnout because they have all the time available, and you’d be right, partially! In fact, they might not find vulnerabilities for days or even weeks, or report duplicate vulnerabilities and get nothing in return. As we saw in the previous episode, a bug bounty hunter gets rewarded only if he or she is the first to report a valid bug. This adds frustration and a sense of instability because bug bounties are their main income. So, while part-time hunters spend more working hours and get exhausted over time, full-timers might have trouble keeping a steady salary from an unstable source of income. You might also find full-time bug bounty hunters who are also exhausted, which makes things even worse.

Lack of organization

From my humble experience, this is one of the most important factors in burnout. If you’re not organized, you will always achieve less and feel that you are behind your goals.

  • Lack of focus: In fact, with the growing number of programs joining bug bounty platforms, it’s easy to get lost jumping from one program to another and wasting your valuable time doing nothing but shallow testing. 
  • Physical health: During the whole time of your bug bounty hunting, you are probably sitting on a chair, maybe drinking energy sodas and perhaps skipping meals in favour of delivered snacks. If you’re doing some or all of this, you should ask serious questions about your physical health routine.

Over time, a growing voice inside you starts telling you that your life is unbalanced. Your relationships might be declining while you are not finding any bugs. In other words, you feel disturbed, unfocused and less capable in bug bounty hunting.

Comparison

If you use Twitter like most of the bug bounty community members, chances are that your feed is full of bug bounty tweets and hacking content. Well, you have surely stumbled across tweets showing off bounty rewards. You might even have seen tweets about payment statements of hundreds or even thousands of dollars in one single day. You then start questioning your abilities and comparing yourself, which has only one outcome: feeling incompetent, jealous, and even pessimistic!

You have burned out, what to do now?

The first thing to do when you have a burnout during bug bounty hunting is to actually realize that you have one. That sounds obvious, but many hunters ignore the symptoms. Once you are aware of it, there are many things you can do about it.

Stop hacking immediately

You should eliminate exhaustion by giving yourself some rest. The good thing about bug bounty hunting is the time flexibility it provides, so take advantage of it! Go out with some friends, watch a movie, spend some meaningful time with your family, do some exercise, or simply get some sleep. Life has a lot more to offer than just the rush of finding a bug or getting paid. Stay away from hacking until you cool down and feel rested. For me, that was about a year.

Adapt your mindset and expectations

If you recall from the first part of this episode, burnout can be amplified by personality traits. For example, if you tend to compare yourself with others and get jealous when they earn bug bounties, maybe you should get inspired by them instead. Remember that you only see the results, not the amount of hours and effort which led to finding those bugs in the first place.

Another important aspect to consider is the reason why you hunt for bugs. If it is mainly for money, you will definitely feel low sooner or later. Instead, why don’t you consider each bug bounty hunting session as an opportunity to understand how your target works, to learn the new technologies it uses and how the features work together? With this approach, you’re not only moving the money problem away, but you’re also increasing your chances of finding deep security bugs. Even if you don’t find any bugs, which is less likely to happen, you will still have learned many new things which will help you on future targets.

Solve small bug bounty challenges

Have you left bug bounty hunting for months but still don’t have the mood to go back? In this case, try to solve mini security challenges. For example, the Hacker101 platform provides real-world challenges across a range of difficulty levels. This will have two positive effects. First, your mind will produce adrenaline that will boost your mood. Secondly, you will get private invites from HackerOne. Pretty cool, huh?!

Consult a doctor

If you’re still suffering from burnout even after applying the suggestions above, or if it’s starting to affect other parts of your life such as your work or your close relationships, I would highly recommend you visit your doctor. It might be that you’re heading towards a depression.

How to avoid burnout in bug bounty hunting?

Rather than suffering from burnout and then trying to heal from it, wouldn’t it be better if you could prevent it from happening in the first place? Let’s explore proactive ways you can apply to stay healthy while hacking on your favourite bug bounty platform.

Lower your bug bounty expectations

If you start your hacking session willing to find a vulnerability right away, you will have a hard time meeting your expectation, unless you are lucky enough, which doesn’t happen all the time. Understand that bug bounty hunting takes time and effort. The more time you spend enumerating your target, the higher your chances of finding interesting bugs will be. If you’ve done your best effort and poked around every corner of your target without finding anything, just move on to another one. It doesn’t necessarily mean that you are incompetent.

Level up your bug bounty hunting skills

If you want to expand your attack surface, you have to learn new hacking techniques. There are many resources you can learn from. For instance, follow other hackers who share their techniques, read the HackerOne Hacktivity, which discloses published bug bounty reports, and subscribe to security feeds like Pentester Land’s newsletter. With time, you will find that you can exploit more vulnerabilities.

Develop a healthy schedule

I bet you have other responsibilities in your life. Well, failing to manage them in favour of bug bounty hunting is a bad idea. As you continue to ignore them, they will keep growing until they affect your productivity. You must have a schedule which helps you fulfill them. Your daily routine should include healthy meals, break time, room for other duties, etc. The idea is to avoid exhaustion by keeping your life balanced.

Have a hacking buddy

This depends on your personality, but if you feel uncomfortable being isolated in your room hunting for bugs, then it’s good to have a bug bounty friend you can collaborate with. That way, you will combat loneliness and exchange hacking ideas and attack vectors with each other. Sometimes, all you need is a small hint from another perspective to achieve your exploitation, and your buddy can give you just that!

Bug bounty hunting doesn’t have to be painful. With the right mindset and healthy attitudes, you can definitely stay passionately motivated while hunting for security bugs. So that’s it! Let me know how you deal with burnout in the comments. I’d love to hear what you do to overcome it.