FFUF and my First Bug Bounty.


The beauty of leaked files

Suryansh Mansharamani

Bug bounty hunting is hard.

Especially when you start off, it’s extremely hard. Don’t believe me? Look at this:


Yes, I’ve found some really shitty vulnerabilities, including clickjacking on static pages. Yes, I’ve reported clickjacking without any significant impact. But, at the same time, my first actual valid report was SQL Injection, something definitely rare nowadays, at least in public programs. Guess that’s progress.


Luckily, I was able to find more bugs and got even more points, just no bounty yet.


So, what do I recommend?

XSS is huge right now, and it definitely should be one of the top 5 things you test for, along with stuff like IDORs, HTTP Request Smuggling and SQLi. My first bounty wasn’t for any of those. To be honest, there isn’t a single report on H1, at least to my knowledge and after hours of searching, for the vulnerability I found. So what does this mean? It’s probably something overlooked, considering it’s a P4 or P3. Although the overall classification itself is Sensitive Data Exposure, it’s at the following endpoint:

/debug/pprof/

This endpoint leaks server information, paths, source code and other files that are not supposed to be accessible.

So how are you supposed to find these types of vulnerabilities? Simple. First of all, compile a list of in-scope subdomains and save it as a .txt file. Then use FFUF, a fast web fuzzer written in Go, to go through the list, request /debug/pprof/ on each subdomain and look for 200 responses. The link mentioned below has the FFUF source code and the commands needed to run it.

That was it! After scanning, I found HUNDREDS of open /debug/pprof/ dirs under the same program.

So, discouraged by my countless fails, which most people don’t tend to notice, I received an email saying the issue had been changed to Unresolved. Interesting. Obviously I expected a couple of points at best, until I received an email that I got $300!


To be honest, $300 is quite low, considering the average payout is around $500-$2,000, with the highest P1 vulnerabilities reaching up to $75,000 (Yes, someone actually got $75,000 for a vulnerability) and even $100,000 to a million for other exclusive programs.

Currently I’m a little more into CTFs for further training, but I’ll definitely start again in a couple of days.

So, in summary, bug bounty hunting is hard, especially nowadays with such a huge surge in its exposure to the public. Try your best to participate in every program, be it with a bounty or not, since all of them reward points, which can be used to get invitations to private programs!

Good luck!
