Bounty Hunter’s Handbook: Practical Tips for Bug Hunting

❓As a security researcher, how can we achieve precise searches, in-depth exploration, and find high-quality vulnerability reports?

✔️Today, several outstanding researchers from the TECNO Security Response Center will share their hunting experiences, and we hope this can provide you with some inspiration.

① Understand Common Vulnerabilities

• SQL Injection (SQLi): This is an attack technique where attackers manipulate database queries by inserting malicious SQL code into an application. This can lead to data leaks, data tampering, or the execution of unauthorized actions.

• Cross-Site Scripting (XSS): When a web application fails to filter data submitted by users properly, attackers can inject malicious script code into web pages. This allows attackers to control a user’s browser and carry out actions such as stealing session information or initiating clickjacking.

• Cross-Site Request Forgery (CSRF): This is an attack that exploits a user’s identity to perform unauthorized actions. Attackers construct a URL link that, when clicked by a user, executes sensitive operations without the user’s knowledge, such as changing account settings or transferring funds.

• Remote Code Execution (RCE): When an application has security vulnerabilities, attackers can execute arbitrary code on the target system by sending specific requests or parameters, thereby gaining complete control over the system.

• File Inclusion Vulnerabilities: This refers to when an application fails to properly validate and filter user-provided file paths, leading to attackers being able to control the content of included files. This could allow attackers to read, modify, or delete sensitive files, or even execute malicious code.

② Use Hacking Tools

• Nessus: Nessus is a widely used vulnerability scanner that can automatically detect hosts on a network and identify various operating systems, services, and configuration errors. Nessus supports multiple scanning strategies, including port scanning, operating system fingerprinting, weak password detection, and more.

• OpenVAS: OpenVAS is an open-source vulnerability assessment system that provides a complete solution from vulnerability scanning to risk analysis. It includes a powerful scanning engine, a vulnerability database, and a user interface for managing scan tasks and reports.

• Burp Suite: Burp Suite is a popular web application security testing tool suitable for manual and automated penetration tests. It integrates multiple modules, such as a proxy server, scanner, and vulnerability detector, which can help testers discover and exploit vulnerabilities in web applications.

• Metasploit: Metasploit is a powerful penetration testing framework that contains a large number of known vulnerability exploits, as well as supports the creation of custom exploit codes. It also includes a payload generator, a vulnerability scanner, and tools for managing penetration testing projects.

• OWASP ZAP (Zed Attack Proxy): OWASP ZAP is a free, open-source web application security testing tool. It combines a proxy server, scanner, and vulnerability reporting features, which can help testers identify and fix security issues in web applications.

• Acunetix: Acunetix is a commercialized web application security scanning tool that offers comprehensive web security assessment capabilities. It supports various scanning technologies, including dynamic and static analysis, as well as in-depth code review.

• Hakrawler: Hakrawler is a lightweight penetration testing tool focused on the automated discovery of vulnerabilities in web applications. It uses machine learning technology to identify potential security issues.

• Gobuster: Gobuster is a tool for brute-forcing directories and files, particularly suitable for HTTP and FTP protocols. It can help discover hidden resources and potential vulnerabilities.

• Sqlmap: Sqlmap is a tool specifically designed for SQL injection attacks. It can automatically detect and exploit SQL injection vulnerabilities. It supports a variety of database systems, such as MySQL, PostgreSQL, and others.

③ Mastering Security Technical Knowledge

→ Programming Languages

· Fundamental Languages: Be proficient in at least one programming language, such as Python, Java, or C/C++, for scripting, tool development, or reverse engineering.

· Web Development Languages: Be familiar with HTML, CSS, JavaScript, etc., to understand the workings of web applications and conduct penetration testing.

→ Networking Security Basics

· Network Protocols: Understand the workings of TCP/IP, HTTP, HTTPS, SSL/TLS, and other protocols.

· Network Architecture: Know common network architectures and security models, such as the OSI model, TCP/IP model, etc.

→ Operating Systems and System Security

· Linux/Unix: Be proficient in operating Linux/Unix systems and understand their security features.

· Windows Security: Understand the security configurations and management of Windows systems.

→ Web Application Security

· Penetration Testing: Master the process and techniques of web application penetration testing, including but not limited to attacks like SQL injection, XSS, CSRF, etc.

· Code Auditing: Be able to identify and fix security vulnerabilities in web applications.

→ Mobile Application Security

· Android/iOS Security: Understand the development environment and security features of mobile applications, including code auditing, reverse engineering, etc.

Don’t Start Web Hacking Now, Begin from YESTERDAY! Get Ready for Bug Bounty in Just 4 Steps:

① In the next two months, whenever you start using a browser, always intercept all traffic through Burp.

② Start learning from https://portswigger.net/web-security by selecting a particular bug type e.g. Broken Access Control

③ Keep reading disclosed reports from https://hackerone.com/hacktivity/

④ Don’t fall into the learning loop, start hacking today!

Begin with dynamic analysis first(it makes the starting easy). Almost 50% of Android apps can be intercepted without SSL Pinning starts without the fear of that.

Then, look for access control issues e.g., IDOR first — APK are more likely to be vulnerable to BAC. Finally, put your XSS payload on the Android APP and check whether it reflects on its Web App — I’ve found many

Bonus Tip: Don’t put your XSS payload on APK GUI directly, insert it through Burp via intercepting — Sometimes App filter replaces the malicious code. [My first Android bounty came from this approach]

When you’re on the lookout for the latest CVEs, start by creating a comprehensive dataset that includes all the reconnaissance data from your programs. This will serve as your reference point.

Then, each time a new CVE is released, sift through your dataset to identify any technologies or products that could be vulnerable. You can do this by using tech detect tools like httpx can do it then search for the specific technology or product mentioned in the CVE.

Once you’ve identified potential instances, the next step is to develop an exploit. This could be a script or a template that’s designed to take advantage of the CVE. Run this exploit on the vulnerable technologies or products to see if they’re susceptible to the CVE.

Never skip OAuth or SAML-based Authentication. Most of the researchers overlook them due to their complexity. Even developers find it hard to properly set them. That’s why they are most vulnerable. You can find some good Authentication Bypass and avoid dupes too.

① Secure Coding Practices

→ Input Validation and Output Sanitization

· Input Validation: Perform strict validation of all user inputs to ensure the data meets the expected format and range. Avoid trusting user input, even in seemingly secure environments.

· Output Sanitization: Sanitize and encode all outputs properly to prevent cross-site scripting (XSS) attacks. For instance, escape HTML, JavaScript, and other scripts.

→ Principle of Least Privilege

· Privilege Minimization: Assign the least amount of privileges necessary to components for performing specific tasks. Avoid running non-administrative tasks with administrative privileges.

· Separation of Privileges: Ensure different functional modules have different privileges to avoid a vulnerability in one module impacting the entire system.

→ Using Secure Libraries and Frameworks

· Choice of Libraries and Frameworks: Give preference to libraries and frameworks with good security track records. Regularly update dependencies to obtain the latest security patches.

· Code Review: Conduct code reviews to check for known security vulnerabilities or unsafe coding practices.

→ Secure Coding Standards

· Adhere to Coding Standards: Follow secure coding standards recognized in the industry, such as the OWASP Secure Coding Guidelines.

· Code Review: Implement a code review process to ensure the code adheres to security best practices.

② Use Web Security Testing Frameworks

· OWASP Top Ten: A standard awareness document for developers and web application security.

· SANS CWE Top 25: A list of the most dangerous software errors.

③ Explore Bug Bounty Programs

· Participate in platforms like HackerOne, Bugcrowd, and Synack to legally test and earn rewards for finding vulnerabilities.

④ Regularly Update Knowledge

• Stay informed about the latest vulnerabilities and hacking techniques by following security blogs, attending conferences, and participating in hacking communities.

⑤ Ethical Considerations

• Always have explicit permission before testing a web application.

• Report vulnerabilities responsibly to avoid legal issues and help improve security.

⑥ Practice and Experiment

• Set up your own lab environment to test and exploit vulnerabilities safely. By understanding these principles and continuously learning, you can effectively secure web applications and responsibly engage in ethical hacking.

Add this to your word list, don’t miss out :

/Signup

/Sign_up

/registration

/join

/enroll

/subscribe

/register

/Sign-Up

/v1/signup

Found internal penal only for employees, asking for employee credentials → fuzz → found sign-up endpoint →signup as employe 1/2.

Don’t Use Burp Suite Like Mediocre — Some Burp Suite Shortcuts for Your Efficient Hacking! (Which I use daily — Portswigger featured my tips: 20 Burp Suite tips from the Burp user community)

• Ctrl+R Send a request to the ‘Repeater’ tab

• Ctrl+Shift+R Jump to the ‘Repeater’ tab

• Ctrl+Space Send the request to the server from the ‘Repeater’ tab)

• Ctrl+U URL Encode your selected text in Repeater

① Use History URLs to find bugs

Use automated tools to gather historical URLs from various sources, Commands:

• Waybackurls: echo “http://example.com" | waybackurls > waybackurls.txt

• gau (Get All URLs): gau http://example.comgau_urls.txt

• Waymore: waymore -i http://example.com -mode U -oU output.txt

• Combine and Remove Duplicates: cat waybackurls.txt gau_urls.txt waymore_urls.txt | sort -u > all_urls.txt

Manually review the collected URLs to identify unique and potentially interesting endpoints.

Use grep to categorize URLs based on specific keywords such as API endpoints, JavaScript files, PHP files, configuration files, etc.

• grep -i “/api/” all_urls.txt > api_urls.txt

• grep -i “\.js$” all_urls.txt > js_files.txt

• grep -i “\.php$” all_urls.txt > php_files.txt

• grep -i “\.config$” all_urls.txt > config_files.txt

Inspect categorized URLs for potential vulnerabilities like PII leaks, sensitive information in JavaScript files, etc.

API Endpoints: Review api_urls.txt for endpoints that might reveal PII or other sensitive data. Look for exposed parameters that might be manipulated for IDOR or other access control issues. Check js_files.txt for any hardcoded credentials, API keys, or sensitive information.

Test the reviewed URLs for common vulnerabilities such as Insecure Direct Object References (IDOR), Broken Access Control (BAC), and others.

② Using BurpJSLinkFinder for Finding Critical Bugs

• Install BurpJSLinkFinder from Burp Suite Extender Tab (Professional Version);

• By configuring burp proxy open the target web application in your browser and click on every possible link, button, and interactive element;

• Now go to BurpJSLinkFinder and analyze the collected js files and endpoints found within the js files;

• Look through the list of endpoints provided by BurpJSLinkFinder and identify interesting endpoints such as APIs, admin panels, configuration files, and other potentially sensitive URLs;

• Open the interesting endpoints in your browser or Burp’s Repeater and observe the behavior of each endpoint.

By analyzing those URLs you can find IDOR, BAC, Information Disclosure, XSS, CSRF, and many more bugs.

Finally, thanks to the researchers who contributed their hacking tips to us! They are: @mhsD5GJd, @Rashedul, @Rootxkraken17, @L3onid1s, @Sam, and @3EyedRaven! They all received security credits, which can be exchanged for cash in the TECNO Swagshop!