In this write-up I am going to describe the path I walked through bug hunting, starting from the beginner level. This write-up is purely for newcomers to the bug bounty community, and I hope it will help you understand how a researcher or bug hunter finds bugs in a web application.
Let's start with an introduction to bug bounties:
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
Note: Here I have added some tools and useful links which I use while hunting bugs.
These are the tools and tips which I use daily to hunt bugs.
Useful YouTube Channels for Learning:
LiveOverflow
Bugcrowd
JackkTutorials
Nahamsec
STÖK
SecurityIdiots
Required Skills Before Hunting:
Linux basics, networking basics, programming (required when you code)
A basic idea of the HTTP protocol and its headers (request and response)
Burp Suite, Metasploit, SqlMap, Nmap, etc.
Bug Bounty Platforms:
Bugcrowd: https://www.bugcrowd.com/
Hackerone: https://www.hackerone.com/
Synack: https://www.synack.com/
Japan Bug Bounty Program: https://bugbounty.jp/
Cobalt: https://cobalt.io/
Zerocopter: https://zerocopter.com/
Hackenproof: https://hackenproof.com/
BountyFactory: https://bountyfactory.io
Bug Bounty Programs List: https://www.bugcrowd.com/bug-bounty-list/
AntiHack: https://www.antihack.me/
Or we can find targets through Google by searching for the responsible disclosure policy of a website. I recommend starting with responsible disclosure programs, since there is a better chance that your report will be accepted. Then, once you have some experience, start with the bug bounty platforms.
We have a target, so how do we start? Once you have chosen your target, you should start by finding its subdomains,
or we can start with the IP blocks of the target, which we can get from its ASN (some of the websites are mentioned below).
Why do we need subdomains? Sometimes it is not possible to find bugs by targeting the main domain, which frustrates newcomers, because the top researchers have already found and reported the bugs there. A newbie should start with the other subdomains. (It is true that the most common vulnerabilities have already been reported by researchers, so keep in mind that we have to find a unique target and a unique bug.)
How to find subdomains?
As part of my recon I use the following tools to find the subdomains of the target.
Subfinder
Amass
Sublist3r
Aquatone
Knockpy
We can also find subdomains via online recon tools (sites are given below).
Virustotal (use its API in tools)
Dnsdumpster
Findsubdomains
Pentest-tools
Hackertarget
Subdomain Takeover Vulnerability:
Go to this link and learn the basic to advanced concepts of the subdomain takeover vulnerability.
https://github.com/EdOverflow/can-i-take-over-xyz
Discovering Targets Using ASN (IP Blocks):
https://whois.arin.net/ui/query.do
Discovering Targets Using Shodan:
https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22
Brand / TLD Discovery:
This will increase the target scope by searching for acquisitions of the target.
Acquisitions -> Crunchbase, Wikipedia
Link discovery -> Burp spidering
Weighted & reverse tracker -> domlink, builtwith
Trademark in Google: "Tesla © 2018" "Tesla © 2019" "Tesla © 2020" inurl:tesla
Subfinder
Gobuster
Aquatone
Subdomain Enumeration:
Here you can find the original scripts: https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration
Note: Kindly replace the API key used inside the scripts, which may be invalid and would result in fewer subdomains (I recommend using a VirusTotal API key).
Presentation: Slides are available at https://speakerdeck.com/yamakira/esoteric-sub-domain-enumeration-techniques
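Two of the passive techniques in this section, reading the SPF record and the CSP header, disclose the hosts a domain trusts. The following added example (my own code, not from the post or from the appsecco scripts) parses both records from constructed sample strings and lists the hostnames they reference, so you can inventory the third-party and internal names tied to a domain before touching anything else. Every hostname in the samples is a placeholder.

```python
"""Hostnames disclosed by a domain's SPF record and CSP header.

Added example, not code from the post or the appsecco scripts. Both records are
public, so listing the hosts they name is a passive way to inventory the third-party
and internal names tied to your own domain. The sample records are constructed.
"""
import re

# SPF mechanisms/modifiers whose argument is a domain name (RFC 7208).
SPF_DOMAIN_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect", "exp"}
CSP_NON_SOURCE = {"report-to", "sandbox", "require-trusted-types-for", "trusted-types"}  # values are not hosts

def spf_domains(record: str) -> set[str]:
    """Domains named in an SPF TXT record; ip4/ip6 blocks and macros are skipped."""
    found = set()
    for term in record.split():
        m = re.match(r"^[+\-~?]?([a-z]+)[:=]([^/]+)", term, re.I)  # qualifier, name, arg (CIDR dropped)
        if m and m.group(1).lower() in SPF_DOMAIN_TERMS and "%" not in m.group(2):
            found.add(m.group(2).lower().rstrip("."))
    return found

def csp_hosts(header: str) -> set[str]:
    """Hostnames a Content-Security-Policy header allows or reports to."""
    found = set()
    for directive in header.split(";"):
        parts = directive.split()
        if len(parts) < 2 or parts[0].lower() in CSP_NON_SOURCE:
            continue  # no source list (e.g. upgrade-insecure-requests)
        for source in parts[1:]:
            if source.startswith("'") or source.endswith(":") or source == "*":
                continue  # keywords ('self', 'nonce-...'), bare schemes (https:, data:), wildcard
            host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]  # drop scheme, path, port
            host = host[2:] if host.startswith("*.") else host  # *.cdn.example -> cdn.example
            if host and host != "*":
                found.add(host.lower())
    return found

SAMPLE_SPF = ("v=spf1 mx a:web.example.com include:_spf.mailprovider.example "
              "include:spf.ticketing.example ip4:203.0.113.0/24 "
              "exists:%{i}.spf.example.net redirect=_spf.example.com")
SAMPLE_CSP = ("default-src 'self'; script-src 'self' 'nonce-abc123' https://cdn.example.net "
              "https://*.analytics.example; img-src * data:; connect-src wss://ws.example.com:443/; "
              "frame-ancestors 'none'; report-uri https://csp-report.example.org/r; "
              "upgrade-insecure-requests")

if __name__ == "__main__":
    for label, hosts in (("SPF", spf_domains(SAMPLE_SPF)), ("CSP", csp_hosts(SAMPLE_CSP))):
        print(label, *sorted(hosts), sep="\n  ")
```

Run it against the TXT record and response header of a domain you are responsible for to see which outside parties its mail and script policies already trust.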
Subdomain enumeration with the SPF record
Using CSP
DNSrecon
ALTDNS
Zone transfer using dig
DNSSEC zone walking (NSEC) with LDNS
Port Scanning:
Port scanning is very important to find the services which are running on standard or non-standard ports on the target.
For port scanning I have used Nmap, Masscan and Aquatone's scan.
Then some researchers start checking for the subdomain takeover vulnerability once they have found the subdomains which are running on standard or non-standard ports.
Enumerating Targets (Port Scanning):
NMAP
Visual Identification:
This part will help us find the application which is running on standard or non-standard ports on the target machine.
The following tools grab the banner of any service they find on specific ports of the target machine, which helps us shortlist our target subdomains.
Eyewitness
Wayback Enumeration -> waybackurls
This technique helps when we see HTTP responses like 401, 403 or 404: it shows you the old stored copies of the page from the Internet Archive.
Here we can find some sensitive information even when the target page is not currently accessible.
https://archive.org/web/
Parsing JS is very useful to find the directories used by the target. We can use these kinds of tools instead of brute-forcing a directory list against the target.
Note: Brute-forcing directories is also a good thing to do. Always use multiple techniques to find the directories of the targets (I found Hotstar AWS credentials with Directory Buster & Burp Intruder).
linkfinder
DIRsearch
Dirb
Content Discovery: Gobuster
Credential Bruteforce: Brutespray
This tool has the ability to brute-force credentials for different types of protocols like HTTP, SSH, SMTP, etc.
Technology Identification and Vulnerability Findings:
Here I used the Wappalyzer and BuiltWith add-ons in the browser. I also used the Whatweb tool to find which technologies are used on the target.
The following tools find technologies and technology-based vulnerabilities on the target.
WPScan
Cmsmap
Before you start testing I recommend these books for bug hunters, because they help a lot in understanding and exploiting bugs!
The testing approach is a matter of opinion; some people start with XSS and other vulnerabilities which are easy to find on the target.
If you are still stuck testing for a bug, you can start reading the following books, which are always helpful for a bug hunter or application penetration tester.
https://www.amazon.in/Web-Application-Hackers-Handbook-Exploiting/dp/8126533404
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
https://leanpub.com/web-hacking-101
And for our mobile hacking friends:
The Mobile Application Hacker's Handbook
iOS Application Security
OWASP Mobile AppSec
I hope these books are very helpful for learning how to test for bugs.
CheatSheet
SQL Injection Cheat-Sheet
XSS Cheat-Sheet
XXE Payload
Pen Testing Methodologies:
Penetration Testing Framework
The Penetration Testing Execution Standard
The WASC Threat Classification
OWASP Top Ten Project
The Social Engineering Framework
Popular Google Dorks (finding bug bounty websites)
Browser Plugins:
Chrome: http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
Firefox: http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/
My Tips & Tricks:
Bug Bounty Hunting Tip #1: Always read the source code
Bug Bounty Hunting Tip #2: Try to hunt subdomains
Bug Bounty Hunting Tip #3: Always check the back-end CMS and back-end language
Bug Bounty Hunting Tip #4: Google dorks are very helpful
Bug Bounty Hunting Tip #5: Active mind, out-of-the-box thinking ;)
"Special thanks to Jhaddix for sharing this methodology with us"
Twitter: https://twitter.com/Mah3Sec_