Bug Bounty Diaries #1

Hi guys! I have a lot of things to say on this blog and the truth is that I didn’t try to exploit anything because WOW!

Goal: Spend the next four hours trying to understand the program and the target

Today I learn a lot of things about web and I can’t say a lot but this day show me a lot about information gathering, because this is one of the most important steps on penetration testing!

Program

Before start trying payloads like I said, we need to understand the program because imagine that you try a XSS payload and this payloads are out of the scope.

To understand the program we need to answer to questions like this:

What is my target?What are they doing?What can we do and what CAN’T?What is in the scope?

Once we answer this questions we can start thinking about the target itself!

Information gathering

Now we need to understand the target with this questions (you can add more):

Technologies in useManual mappingUse a proxy (like burp)

Just as an example, your target is using MySQL, PHP and wordpress with this I could say that it’s a good idea to look for SQL injections! That’s why is so important to understand the target before just lauching payloads and wait for a response.

In my case they give us a bug bounty email to test their sites without any problem and that’s great!

My methodology

With the things I learn today my meth now looks like this:

Understand the programUnderstand the targetIdentify technologiesStart thinking on attacks (like SQLi or XSS)

What I learn today?

WOW! Thanks to this, I now have greater certainty of what awaits me in the future, it is great to know that this is what is experienced day by day in a real test, the importance of defining what you can and cannot do, besides, I did not have idea (or was not aware) of the amount of technologies that are used in a company and the amount of sites that can be obtained with a simple manual mapping and burp

Tips:

Write in a blog of notes EVERYTHING that catches your attentionWrite down the things you plan to do with certain technologiesTake screenshots of everything that catches your eye

Today was a great day full of learning for me, please follow me so you don’t lose any details about this, I hope this is useful for someone and thank you very much for your time.