Why is programming so important in bug bounty?

4 months ago 47
BOOK THIS SPACE FOR AD
ARTICLE AD

Imad Husanovic

Before I even start, I have a platform on which I am publishing my book episode by episode. I will be releasing every single day something so make sure to visit my site at: https://hackrhub.com. You can already find this episode and much more on the website. And don’t worry, it is completely free!

Programming is very important in hacking. Without programming you cannot be an efficient bug bounty hunter let alone a hacker. In order to uncover majority of the bugs you must know at least basics of how to code. I would say that JavaScript and Python are mainly important in bug bounty.

Everything we use today that features technology has been built with code. For example let’s say a server has been built using JavaScript. So if we know how to make something in that language, we surely could know how to destroy something. If you know JavaScript in that scenario, you could potentially pinpoint where the weaknesses could be hiding and effectively exploit them. Let me show you an example!

app.get('/:file_name', (req, res) => {
file = req.params.file_name;
if (file.includes('.txt')) {
content = open(file);
res.send(content);
}
else if (file.includes('..')) {
res.send('Path traversal detected.');
}
})

Let’s say our target website has following route on it’s webserver. We can observe that it takes a file_name param and then it saves that param to the file variable. Since our goal is to find a vulnerability, we can obviously see that this route filters any file_name that includes two dots in it’s name. Therefore this is all safe, right? No, not really. See the first if statement checks if the file_name includes the .txt

if (file.includes('.txt')) {
content = open(file);
res.send(content);
}

Then we have an else if statement which actually checks if there is a path traversal.

else if (file.includes('..')) {
res.send('Path traversal detected.');
}

So the first if statement will execute before the filter, allowing us to bypass the filter and request pretty much any file we want to. Now we can try to request for example 1234.txt and see what happens.

But if we still cannot request any files other than .txt files, right? Again, no. See, the backend checks if the requested file contains the .txt.

file = req.params.file_name;
if (file.includes('.txt')) {
res.send(`Reading a file: ${file}`)
}

Now we can just request a test.txt.js and pretty much read a js file and bypass this restriction.

I would argue that every single successful bug bounty hunter is also an experienced programmer since it is very important skill to have in cybersecurity. I myself am a software developer and a full stack developer. I have made many projects myself like chrome extensions and even an online game, which you can check out on https://oddone.xyz/.

The point is that you must work on yourself, and luckily I will be dropping tomorrow a first lesson called “Programming for hackers”. I will teach you fundamentals of programming and how to use it to find vulnerabilities in code. Make sure to check out https://hackrhub.com since I will be releasing all of the episodes there under the “Book” section. Other than that, I will see you on Hackrhub every single day with a new hacking lesson!

Read Entire Article