Bug Bounty Hunting: How the Internet Works


The Basics of How the Internet Works

Muhammad Abdullah Niazi

In this post, I will cover the essentials needed to grasp the fundamental workings of the Internet. The Internet is a massive network of interconnected computers that communicate using standardized protocols.

Every device connected to the Internet has an Internet Protocol (IP) address, which serves as its unique identifier. However, remembering numerical addresses such as 192.168.1.1 isn’t practical. That’s where the Domain Name System (DNS) comes in, converting domain names (e.g., example.com) into IP addresses. Why it matters for bug bounty hunters: DNS misconfigurations can lead to subdomain takeovers, and exposed IP addresses might reveal vulnerable servers.

Web communication primarily happens over Hypertext Transfer Protocol (HTTP) or its secure counterpart, HTTPS. These protocols define how data is requested and delivered between a client (browser) and a server. The security considerations: missing HTTPS can lead to Man-in-the-Middle (MITM) attacks, and improperly configured headers can result in vulnerabilities like Clickjacking and XSS (Cross-Site Scripting).

Web applications rely on HTTP methods such as:

- GET: Retrieves data (e.g., loading a webpage).
- POST: Submits data (e.g., login forms).
- PUT/DELETE: Used in API communications.

Cookies store user session data, authentication tokens, and tracking information. Misconfigured cookies can lead to session hijacking or privilege escalation.

Websites run on servers using different technologies such as Apache, Nginx, Node.js, PHP, Python, and more. Knowing what technology a site uses helps in identifying potential weaknesses.

Web Application Firewalls (WAFs) and security policies protect websites from malicious traffic. Understanding how they work allows you to craft better payloads that bypass security filters.

Bypassing Techniques:

- Using encoding techniques (Base64, URL encoding).
- Finding WAF rules and evading them using alternative payloads.
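The reason encoding gets past a filter is that the rule inspects the bytes as received while the application decodes them later. The defensive counterpart is to canonicalise input before matching. The following is an added example, not code from the original post: it URL-decodes to a fixed point (catching double encoding), tries a Base64 decode, and runs a placeholder keyword rule over every form. The token list and all sample inputs are constructed for the demo.

```python
"""
Added example (not from the original post): canonicalise request input before
applying a filter, so that URL-encoded, double-URL-encoded and Base64-wrapped
variants of the same string are all inspected by the rule. The keyword list is
a placeholder; a real WAF rule set is larger and context-aware.
"""
import base64
import binascii
from typing import List, Optional
from urllib.parse import unquote

# Placeholder block-list used only to show the normalisation effect.
SUSPICIOUS_TOKENS = ("<script", "union select", "../")

MAX_DECODE_ROUNDS = 5   # bound the loop: decoding is repeated until stable


def url_decode_fully(value: str) -> str:
    """Repeat URL-decoding until the string stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def try_base64(value: str) -> Optional[str]:
    """Return decoded text if value is strict Base64 that decodes to UTF-8, else None."""
    stripped = value.strip()
    if len(stripped) < 8 or len(stripped) % 4 != 0:
        return None
    try:
        return base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def canonical_forms(value: str) -> List[str]:
    """Every representation a filter should inspect: raw, URL-decoded, Base64-decoded."""
    forms = [value]
    decoded = url_decode_fully(value)
    if decoded != value:
        forms.append(decoded)
    for form in list(forms):
        inner = try_base64(form)
        if inner is not None:
            forms.append(inner)
            forms.append(url_decode_fully(inner))   # Base64 wrapping URL-encoding
    return forms


def naive_filter(value: str) -> bool:
    """Matches only the literal bytes: what an un-normalised rule sees."""
    lower = value.lower()
    return any(token in lower for token in SUSPICIOUS_TOKENS)


def normalised_filter(value: str) -> bool:
    """Same rule, applied to every canonical form of the input."""
    return any(naive_filter(form) for form in canonical_forms(value))
```

The same idea applies to any layer that matches on raw input: decode (and, for HTML or SQL contexts, unescape) exactly the way the downstream parser will, then match. Matching before decoding is what leaves the gap the list above describes.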

A good bug bounty hunter doesn’t just run automated scans. They understand how web applications interact and where vulnerabilities might arise. Mastering internet fundamentals helps in:

- Identifying attack surfaces.
- Crafting effective payloads.
- Avoiding common detection mechanisms.

1. Insecure API Endpoints:

- IDOR (Insecure Direct Object References): Modify request parameters to access unauthorized data.
- Broken Authentication: Look for exposed session tokens or API keys in responses.
- Rate Limiting Issues: Flood requests to test for DoS vulnerabilities.
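Each of the three findings above corresponds to a server-side check that is absent. The following added example (not code from the original post) shows a minimal in-memory API layer with all three present: an object lookup bound to the caller (the fix for IDOR), secret fields stripped before serialisation, and a per-client sliding-window rate limiter. The invoice records, user ids, secret field names and limits are all constructed for the demo.

```python
"""
Added example (not from the original post): the three server-side checks whose
absence produces IDOR, token leakage and missing rate limiting. All records,
users and limits are constructed for the demo.
"""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Constructed data store: invoice id -> record. owner_id is the authorization key.
INVOICES: Dict[int, dict] = {
    1001: {"id": 1001, "owner_id": "alice", "amount": 120, "api_key": "sk_placeholder_a"},
    1002: {"id": 1002, "owner_id": "bob", "amount": 75, "api_key": "sk_placeholder_b"},
}

# Fields that must never be echoed back to a client, whatever the caller's role.
SECRET_FIELDS = {"api_key"}


class Forbidden(Exception):
    pass


class TooManyRequests(Exception):
    pass


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """Looks up by id only: any authenticated caller can read any invoice (IDOR)."""
    return INVOICES[invoice_id]


def get_invoice(caller_id: str, invoice_id: int) -> dict:
    """Fixed: bind the lookup to the caller and strip secrets before returning."""
    record = INVOICES.get(invoice_id)
    # Same response for 'missing' and 'not yours' so ids cannot be enumerated
    # by comparing error messages.
    if record is None or record["owner_id"] != caller_id:
        raise Forbidden("invoice not accessible")
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}


def can_read(caller_id: str, invoice_id: int) -> bool:
    """Convenience wrapper for the fixed lookup."""
    try:
        get_invoice(caller_id, invoice_id)
        return True
    except Forbidden:
        return False


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, client_key: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        hits = self._hits[client_key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            raise TooManyRequests(f"{client_key}: {self.limit}/{self.window}s exceeded")
        hits.append(now)


def count_allowed(limiter: SlidingWindowLimiter, client: str, attempts: int, at: float) -> int:
    """Fire `attempts` requests at one instant and return how many were admitted."""
    allowed = 0
    for _ in range(attempts):
        try:
            limiter.check(client, now=at)
            allowed += 1
        except TooManyRequests:
            pass
    return allowed
```

In a real service the `client_key` would be the authenticated principal rather than a source address, since addresses are shared and spoofable, and the limiter state would live in a shared store so that every instance sees the same counts.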

2. DNS Reconnaissance: Finding Hidden Assets

The Domain Name System (DNS) is a goldmine for bug bounty hunters. Hidden subdomains often run outdated software or expose misconfigurations.

- Subdomain Enumeration: Use dnsrecon or amass to discover forgotten subdomains.
- Zone Transfers (AXFR): If misconfigured, attackers can retrieve full DNS records. For example:
  dnsrecon -d target.com -t axfr
- CNAME Misconfigurations: Check if subdomains point to abandoned cloud services (AWS, Azure, etc.), leading to subdomain takeovers.
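The precondition for the takeover described in the last item is a dangling CNAME: a record in your zone whose target no longer resolves. The following added example (not code from the original post) walks a zone and flags exactly those records. The zone, the domain names and the resolver answers are constructed; in practice `resolve()` would be a live lookup (for example with dnspython) rather than a dictionary.

```python
"""
Added example (not from the original post): flag the DNS records that make
subdomain takeover possible, namely CNAMEs whose target does not resolve.
The zone and the resolver view are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone for an imaginary domain: (name, type, value).
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.test", "A", "203.0.113.10"),
    ("blog.example.test", "CNAME", "blog-host.example-hosting.test"),
    ("old-shop.example.test", "CNAME", "shop-123.retired-cloud-provider.test"),
    ("static.example.test", "CNAME", "cdn-edge.example-cdn.test"),
]

# Constructed resolver answers for the CNAME targets; None models NXDOMAIN.
RESOLVER: Dict[str, Optional[str]] = {
    "blog-host.example-hosting.test": "198.51.100.7",
    "shop-123.retired-cloud-provider.test": None,   # provider resource was deleted
    "cdn-edge.example-cdn.test": "198.51.100.30",
}


def resolve(name: str) -> Optional[str]:
    """Stand-in for a live lookup: returns an address, or None for NXDOMAIN."""
    return RESOLVER.get(name)


def dangling_cnames(zone: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME target does not resolve.

    If the target sits in a namespace where anyone can claim names (many
    hosting and CDN providers), a third party can register it and serve
    content under the subdomain. The record, not the provider, is the bug.
    """
    findings = []
    for name, rtype, value in zone:
        if rtype != "CNAME":
            continue
        if resolve(value) is None:
            findings.append((name, value))
    return findings


def remediation(findings: List[Tuple[str, str]]) -> List[str]:
    """Action items: delete the record or re-claim the target; never leave it."""
    return [f"remove or repoint CNAME {name} -> {target}" for name, target in findings]
```

The same inventory pass is the right place to check the zone transfer item: an authoritative server should only answer AXFR for its own secondaries (in BIND, via `allow-transfer` restricted to those addresses), so an unrestricted transfer handing the whole zone to an arbitrary client is a finding on its own.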

3. HTTP Requests & Responses: Exploiting Web Communication

Understanding HTTP methods, headers, and responses can help identify security flaws.

HTTP Methods Abuse:

- Modify GET/POST parameters to test for IDOR, SQL injection, or XSS.
- Check if PUT/DELETE are enabled to allow unauthorized modifications.

HTTP Headers Misconfigurations:

- CORS Issues: If Access-Control-Allow-Origin: * is set, attackers can steal user data.
- Security Headers Missing: Lack of Content-Security-Policy (CSP) or Strict-Transport-Security (HSTS) increases risk.
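Both items in this list, and the cookie flags mentioned in the cookies paragraph earlier, can be checked from a single raw response. The following added example (not code from the original post) parses the header block and reports a wildcard CORS origin, missing CSP, HSTS and X-Frame-Options headers, and any Set-Cookie line without HttpOnly, Secure or SameSite. Both sample responses are constructed for the demo.

```python
"""
Added example (not from the original post): audit a raw HTTP response for the
header and cookie misconfigurations named in the text. Both responses below
are constructed for the demo.
"""
from typing import List, Tuple

# Constructed response with every problem present.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Set-Cookie: session=abc123; Path=/
Set-Cookie: csrf=xyz; Path=/; Secure; SameSite=Strict
"""

# Constructed response with the same endpoints hardened.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: DENY
Access-Control-Allow-Origin: https://app.example.test
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
"""

REQUIRED_HEADERS = (
    ("content-security-policy", "CSP"),
    ("strict-transport-security", "HSTS"),
    ("x-frame-options", "X-Frame-Options (clickjacking)"),
)
COOKIE_FLAGS = ("httponly", "secure", "samesite")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (lower-cased name, value) pairs; repeats kept."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw: str) -> List[str]:
    """Return one finding string per problem; an empty list means all checks passed."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []

    origins = [v for n, v in headers if n == "access-control-allow-origin"]
    creds = [v.lower() for n, v in headers if n == "access-control-allow-credentials"]
    if "*" in origins:
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
        if "true" in creds:
            findings.append("CORS: credentials allowed together with wildcard origin")

    for header, label in REQUIRED_HEADERS:
        if header not in names:
            findings.append(f"missing {label}")

    for _, value in ((n, v) for n, v in headers if n == "set-cookie"):
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and may carry a value (SameSite=Strict).
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name}: missing {flag}")
    return findings
```

One caveat on the CORS item: browsers refuse to expose a response to cross-origin script when the wildcard origin is combined with credentials, so `*` mainly exposes data that was never tied to a session. The riskier server pattern is echoing the request's Origin header back with Allow-Credentials set to true; that shows up in the audit as a non-wildcard origin, and is worth comparing against the allowlist the application is supposed to enforce.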

4. JWT & Session Token Exploitation

JWTs and session tokens are widely used for authentication — but poorly implemented ones are vulnerable.

- JWT Brute-Forcing: Weak signing keys can be cracked with jwt_tool.
- Algorithm Confusion Attacks: If alg: none is accepted, an attacker can forge tokens without verification.
- Session Hijacking: Check for missing HttpOnly, Secure, or SameSite flags in cookies. Test if expired tokens still work due to improper validation.
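The algorithm-confusion and expired-token items above both come down to the verifier trusting the token's own claims. The following added example (not code from the original post, and not a library API) is an HS256 verifier that pins the algorithm server-side, so a token carrying alg: none is rejected before any signature logic runs, compares the MAC in constant time, and refuses tokens whose exp has passed. The key and the tokens are constructed; the `sign()` helper exists only to build the test tokens, including the unsigned one the verifier must reject.

```python
"""
Added example (not from the original post): a JWT verifier that pins the
algorithm, checks the HMAC in constant time and enforces exp. The key and
all tokens are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

ALLOWED_ALG = "HS256"                  # the server decides this, never the token
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Build a token. alg='none' yields an unsigned token, used here only to
    show that the verifier rejects it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


class InvalidToken(Exception):
    pass


def verify(token: str, key: bytes, now: int) -> Dict[str, Any]:
    """Return the payload only if algorithm, signature and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("undecodable header or signature")
    # Pin the algorithm: the header may only confirm what the server already expects.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    try:
        payload = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("undecodable payload")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    # Expiry is mandatory here; a token with no exp never expires, which is the
    # 'expired tokens still work' finding in a different costume.
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("expired or missing exp")
    return payload


def is_valid(token: str, key: bytes, now: int) -> bool:
    try:
        verify(token, key, now)
        return True
    except InvalidToken:
        return False
```

The brute-forcing item is addressed by the key rather than the code: HS256 keys should be generated randomly at the length of the hash output (32 bytes) rather than chosen as passphrases, which is what makes the cracking the text describes feasible.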

5. Bypassing Same-Origin Policy (SOP)

SOP prevents scripts from making unauthorized cross-origin requests, but bypasses exist:

- XSS (Cross-Site Scripting): Inject malicious scripts to steal session cookies or execute actions.
- CSRF (Cross-Site Request Forgery): Trick users into making unintended actions on authenticated sites, for example:
  <img src="https://target.com/delete-account" />
- CORS Exploits: If Access-Control-Allow-Origin: * is set, attackers can steal sensitive data from API responses.
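The img tag in the CSRF item works because the endpoint accepts a GET carrying the victim's cookies and nothing else. The following added example (not code from the original post) is the server side of that endpoint with the defences in place: state changes only over POST, an Origin check, and a per-session CSRF token derived by HMAC and compared in constant time. The request object, session ids, origin and server key are constructed for the demo.

```python
"""
Added example (not from the original post): server-side CSRF defences for a
state-changing action such as account deletion. Requests, sessions, the
origin and the key are constructed for the demo.
"""
import hashlib
import hmac
from typing import Dict, Set

CSRF_KEY = b"constructed-server-secret"     # placeholder; load from config in practice
SITE_ORIGIN = "https://app.example.test"   # constructed origin of the application


def csrf_token_for(session_id: str) -> str:
    """Derive the token from the session so one user's token is useless in another session."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class Request:
    """Minimal stand-in for a framework request object."""

    def __init__(self, method: str, headers: Dict[str, str],
                 form: Dict[str, str], cookies: Dict[str, str]):
        self.method = method.upper()
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.form = form
        self.cookies = cookies


def delete_account(req: Request, deleted: Set[str]) -> int:
    """Return an HTTP status code; 200 only when every CSRF defence passes."""
    # 1. State changes only via POST. A cross-site <img>, <a> or redirect is
    #    always a GET, so this alone defeats the img-tag example.
    if req.method != "POST":
        return 405
    session_id = req.cookies.get("session")
    if not session_id:
        return 401
    # 2. Origin check. Browsers attach Origin to cross-site POSTs and page
    #    script cannot override it; reject anything that is not our own site.
    origin = req.headers.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # 3. Token check, bound to the session and compared in constant time.
    submitted = req.form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    deleted.add(session_id)
    return 200
```

A SameSite=Lax or Strict attribute on the session cookie adds a third, independent layer: the browser then omits the cookie from cross-site POSTs, so the forged request arrives unauthenticated before the handler even runs. Layers are the point; a single missed check on one endpoint is all the img tag needs.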