What is Bug Bounty?
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.
A reward offered to a perform who identifies an error or vulnerability in a computer program or system.
‘The company boosts security by offering a bug bounty’
|Bug Bounty – Image Source Google|
- bugsbounty.io https://bugsbounty.io
- bugbounty.jp https://www.bugbounty.jp
- bugbountyhq https://www.bugbountyhq.com/
- BugBountyzone https://www.bugbountyzone.com/en/
- bugcrowd https://www.bugcrowd.com
- Cobalt.io https://www.cobalt.io
- crowdshield https://crowdshield.com/
- getwhitehats getwhitehats.com
- hackerone https://www.hackerone.com
- Hacktrophy https://hacktrophy.com/en/
- integriti https://intigriti.be
- testbirds https://www.testbirds.com
- wavestone http://go.wavestone.com/bugbountyen
- Yogosha yogosha.com
- GeekPwn IoT devices security vulnerability contests http://2017.geekpwn.org/en/#anchor-rule
- Synack https://www.synack.com/
- Japan Bug bounty Program https://bugbounty.jp/
- Zerocopter https://zerocopter.com/
Some Books reading about Bug Hunting
There are some books for web application penetration testing methodology and hunting the web. Through this you learn the basics and essentials of penetration testing and bug hunting. Since bug bounties often include website targets, we’ll focus on getting you started with Web Hacking and later we’ll branch out.
- The Web Application Hacker’s Handbook
- OWASP Testing Guide
- Penetration Testing
- The Hacker Playbook
- Practical Guide to Penetration Testing
- The Tangled Web: A Guide to Securing Web Applications
- Jhaddix Bug Hunting Methodology
For our Mobile hacking friends:
Practice makes Perfect!
While you’re learning it’s important to make sure that you’re also understanding and retaining what you learn. Practicing on vulnerable applications and systems is a great way to test your skills in simulated environments. These will give you an idea of what you’ll run up against in the real world.
- Penetration Testing Practice Labs
- Damn Vulnerable iOS App (DVIA)
Read tech Vulnerabilities POCs (Proof of Concepts) and write-ups from other hackers
Now that you’ve got a baseline understanding of how to find and exploit security vulnerabilities, it’s time to start checking out what other hackers are finding in the wild. Luckily the security community is quite generous with sharing knowledge and we’ve collected a list of write-ups & tutorials:
- Bug Bounty write-ups and POC
- Awesome Bug Bounty
- SecurityBreached-BugBounty POC
- Facebook Hunting POC
- Bug Hunting Tutorials
- Hackerone POC Reports
- Bug Bounty POC
- Netsec on Reddit
- Bug Bounty World
Watch tutorials (Bug Hunting) on YouTube!
- JackkTutorials on YouTube
- DEFCON Conference videos on YouTube
- Hak5 on YouTube
- How To Shot Web — Jason Haddix, 2015
- Bug Bounty Hunting Methodology v2 — Jason Haddix, 2017
- Hunting for Top Bounties — Nicolas Grégoire, 2014
The Secret life of a Bug Bounty Hunter — Frans Rosén, 2016
- Finding Bugs with Burp Plugins & Bug Bounty 101 — Bugcrowd, 2014
- How to hack all the bug bounty things automagically reap the rewards profit — Mike Baker, 2016
Bugcrowd Approach for Bug Hunting
Okay, now you’re at the point where it’s almost time to start hunting for bounties. But first, let’s learn how bug bounties work and how to get started, just to make sure we maximize our chances of success.
- How to approach a target
Advice from other bug hunters that will help you find more success when approaching a bug bounty.
- How to write a Great Vulnerability Report
This will walk you through how to write a great vulnerability report. The better your report, the higher chance you will get a bounty!
- How to write a Proof of Concept
Proof of Concepts show the customer how your bug is exploited and that it works. This is crucial to being rewarded successfully.
- How to Report a Bug
Our walkthrough for reporting a bug via the Bugcrowd platform.
My Tips & Tricks
- Bug Bounty Hunting Tip #1- Always read the Source Code
- Bug Bounty Hunting Tip #2- Try to Hunt Subdomains
- Bug Bounty Hunting Tip #3- Always check the Back-end CMS
- Bug Bounty Hunting Tip #4- Google Dorks is very helpful
- Bug Bounty Hunting Tip #5- Check each request and response
- Bug Bounty Hunting Tip #6- Active Mind – Out of Box Thinking 🙂
My Methodology for Bug Hunting
- First review the scope
- Perform reconnaissance to find valid targets
- Find sub-domains through various tools Sublist3, virus-total etc.
- Select one target then scan against discovered targets to gather additional information (Check CMS, Server and all other information which i need)
- Use google dorks for information gathering of a particular taget.
- Review all of the services, ports and applications.
- Fuzz for errors and to expose vulnerabilities
- Attack vulnerabilities to build proof-of-concepts
For Bug bounty programs, First I’m going to review the scope of the target. There’s a huge difference between a scope such as *.facebook.com versus a small company’s single application test environment.
If scope is big than they accepts submissions for any of their servers, I’m going to start doing reconnaissance using search engines such as Google, Shodan, Censys, ARIN, etc. to discover subdomains, endpoints, and server IP addresses. This is a mix of google dorking, scanning IP ranges owned by companies, servers ports scanning etc. Anything that gives me information on servers that may be owned by that company.
When I have a list of servers, I start to perform nmap port and banner scanning to see what type of servers are running. You may get some quick finds such as open SSH ports that allow password-based authentication. At this point I tend to stay away from reporting those smaller issues. I opt to spend more time looking for critical applications running on non-standard web ports such as Jenkins that may have weak default configuration or no authentication in front of them.
Before I hunt into the websites too deeply, I first do a quick run through the web servers looking for common applications such as WordPress ,Drupal , joomla etc . This is a mix of just browsing the sites manually or directory hunting by using wordlist, looking for sitemaps, looking at robots.txt, etc. Some open source plugins are typically poorly made and with some source review can lead to critical findings.
Then dig in to website, check each request and response and analysis that, I’m trying to understand their infrastructure such as how they’re handling sessions/authentication, what type of CSRF protection they have (if any).
Sometimes I use negative testing to through the error, this Error information is very helpful for me to finding internal paths of the website. I spend most of my time trying to understand the flow of the application to get a better idea of what type of vulnerabilities to look for.
Once I’ve done all of that, depending on the rules of the program, I’ll start to dig into using scripts for wordlist bruteforcing endpoints. This can help with finding new directories or folders that you may not have been able to find just using the website. This tends to be private admin panels, source repositories they forgot to remove such as /.git/ folders, or test/debug scripts. After that check each form of the website then try to push client side attacks. Use multiple payloads to bypass client side filters. Best tools for all over the Bug Bounty hunting is “BURP SUITE” 🙂
This is just the methodology for Bug bounty hunting and Penetration testing that seems to work for me 🙂
TOOLS , Wordlists , Patterns, Payloads , Blogs
Tools & OS :
- Chrome : http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
- Firefox : http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/
Payloads for Hunting
- Payloads All The Things
- XSS Payloads
- XSS Payloads -2
- SQL Injection Payloads
- Google-Dorks Payloads
- Google-Dorks-2 Payloads
Information Security / Bug Hunting Blogs
“My daily inspiration are those who breaks their own limits and get success. “
- fin1te: Bug Bounty Participant
- Security & Code Blog
- Bug Crowd Forum
- ARNE SWINNEN’S SECURITY BLOG
- Daniel LeCheminant
- We Hack People
- IT-Securityguard Blog
- The misunderstood X-XSS-Protection
- Bug Bounty Findings by Meals
- Respect XSS
- Graceful Security!
- Fooling the Interpreter
- Klikki Oy