How To Quick Start Bug Bounty Hunting - First Attack Vectors Explained
Short & Basic Intro to Bug Bounty World - XSS, CSRF, BAC vulnerability overview
Anton
Video Edition is available on YouTube #shorts — https://youtu.be/vPG4IX9xIkU
I recommend registering on @BugCrowd, @Hacker0x01, @intigriti
Searching for bugs in the wild (not on a bug bounty platform) is great, but not for the start.
Bug bounty platforms can give you very interesting private invites over time.
Try focusing on programs that have a wide scope, where you can manage users (create roles), docs, images, etc.
And then start with a simple — create two users (one basic user & second admin), open two browsers, and start testing for BAC (Broken Access Control) vulnerability.
In short — this is the type of vulnerability, where a basic user can perform admin actions.
Some of these vulnerabilities can be found using direct links to sections/endpoints, but others will require you to modify requests that are sent to the browser
I recommend using @Burp_Suite for requests capture & modification. You can download Community Edition for Free.
Recommended Addon: Logger++
While you are testing the website/app for BAC bugs — you can highlight all GET requests to critical actions. E.g. /delete_user?id=1
Requests with critical actions that can be directly sent to a user are treated as a CSRF (Cross-Site Request Forgery) vulnerability
POST requests can be used too to perform CSRF attack, but usually has CSRF protection mechanism in place (like csrf_tokens
or referrer
check)
CSRF protection can be bypassed sometimes. Try to switch the POST method to GET or remove token value from a key — csrf_token=
With referrer protection, you can try to append your own domain to a referrer, like this http://example.com.yourdomain.com
Or if there is a check that domain should be at the end of referrer you can try this way: http://yourdomain.com/site.com
And the third basic rule while performing bug bounty hunting — is to put a basic payload in all possible inputs: qwe'"<X</
And just watch text reflection on a website. If you will see somewhere qwe'"
(without angle brackets) — this could be a chance of XSS
Additionally, search for qwe
text in the source code of the page. Use Developers Tools in the browser for this task.
Payloads can be reflected anywhere
1. In tag parameters:
<span>qwe'"<x</span>
2. In tag attributes:
<a class="qwe'"<x</">
3. In tag event attributes with location change logic:
<a onclick="location.href='qwe'">
Here you can try to inject javascript protocol. For example:
location.href='javascript:alert(1)'
4. Inside of a <script>
tag:
<script>let a = "qwe'"<x</"<script>
That’s all for now
I tweet & write about WebDev & InfoSec
Cheers, Happy Hunting 👍
Upvote
Anton
👋 Hi, I’m Anton (therceman) 💻 Web Developer and Bug Bounty Hunter 💬 I Am Sharing My Web Development & InfoSec Knowledge ... 🌐 www.therceman.dev 🐤 twitter.com/therceman 💼 linkedin.com/in/therceman 📷 instagram.com/therceman

Related Articles