100 Bug Bounty Tips 💯

Invaluable tips...

Yoo. Welcome to Issue #05 of Navigating Security.

🍃Quote of the week:

Hackers are like artists, philosophers, and engineers all rolled into one. They challenge assumptions, seek flaws in systems, and reshape the world around them in unexpected ways.

Kevin Mitnick

TLDWTR 🙄

  • More CVE hunting tips in case you missed them last time ⏳

  • An aspiring hacker’s web application penetration testing guide for 2024 by HTB’s 2023 MVP 🏆

  • 100 Bug Bounty Tips by @ArchAngelDDay 💯

⏱️ In case you missed the previous issue, here you go:

This Week’s YouTube Video:

More CVE Hunting

An aspiring hacker’s web application pentesting guide 🕸️

Hackthebox’s 2023 MVP wrote a rather lengthy guide on how to get into web application hacking in the year 2024. If you are just starting, this is a good read. He doesn’t spend the entire time promoting HTB, but gives some valuable advice. Here are some of the key takeaways:

  • Master web technologies: HTML, CSS, JavaScript, and server-side languages (e.g., PHP, Python).

  • Use specific tools: Burp Suite (web proxy), OWASP ZAP (vulnerability scanner), and Metasploit (penetration testing framework).

  • Practice on platforms like Hack The Box to gain real-world pentesting experience.

  • Understand both internal (within an organization) and external (from outside the organization) testing approaches.

  • Engage in the testing process, starting from contract and scope definition to reporting vulnerabilities.

100 Bug Bounty Tips 💯

You saw the title, I know you’re here for the tips so I won’t keep you waiting any longer. These are from Douglas Day’s X (formerly known as Twitter), so be sure to check out the original tweet linked at the end. Enjoy 😇

  • Spend at least 30 minutes on a new target

  • Look for “No”s

  • Use Italics Tags in your inputs instead of XSS payloads

  • Focus on SaaS apps that are multi-tenant

  • Buy Burp Pro

  • On a new target go straight to the User Management section

  • See if inviting an existing user to your org exposes their name

  • See if inviting an existing user removes them from their own org

  • If the scope has a wildcard, use subfinder to find subdomains

  • Run HTTPX on the list of subdomains to narrow down alive targets

  • On an app you’re not familiar with, use it like a normal user first

  • If the docs say you can’t do X, but you can do X then you have a bug

  • Use match & replace rules to find new endpoints

  • Budget time into your week specifically for hacking

  • Give yourself a no-bug time limit. I do 3 hours.

  • Go back to old dupes and see if you can still reproduce.

  • Look for “+2” in your reputation log to find dupes that should be now.

  • Make your report a conversation, not a sales pitch

  • Accept & expect that dupes will happen

  • File & Forget

  • If an endpoint has “api/v2/”, try “api/v1/”

  • If an endpoint has “api/v2”, try removing the “v2” altogether

  • 6 $1000 Mediums pay more than 1 $5,000 crit. Don’t ignore any bugs

  • Lows are still bugs that should be filed

  • Be kind to your triager

  • Say “thank you” when you get a bounty

  • If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.

  • If UUID IDORs exist, then look for an endpoint that exposes UUIDs

  • Pin your success on whether you followed your plan, not if you found bugs

  • A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit

  • Going deep will pay off

  • Working with new hackers will pay off in dividends

  • Don’t be jealous

  • Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your sanity

  • If you find a bug that’s OOS, still ask the customer if they care

  • There’s no end. Enjoy the journey

  • Have a hobby that’s not related to hacking

  • Have friends that don’t hack

  • Figure out what time of day you hack the best. Late nights aren’t for me.

  • Spend that extra 2 minutes to make your report look/read nice

  • “Subscribe” to programs that pay well and have good scope

  • Don’t whine on Twitter about a single report. Or at all for that matter.

  • IDORs and Privilege Escalations are a great place to start

  • Unmet expectations lead to disappointment

  • Teach someone else how to hack

  • Time spent reading/learning is time well spent

  • Focus on programs that you actually use in your day-to-day

  • Establish a relationship with the program

  • Try asking the program what types of bugs they want to see

  • Look at a program leaderboard to see who you should collab with

  • When collaborating, an even bounty split eliminates the hassle

  • Take a break when you stop having fun

  • At an LHE, start hacking ahead of time

  • Look for programs that are active in resolving reports

  • Look for programs that haven’t awarded a lot recently

  • Look for programs that have collaboration enabled

  • Look for programs that don’t list out a bunch of known issues

  • Look for programs that have a history of adding new scope

  • Change your strategy if you’ve gone a while without a finding

  • If you’re on a roll, keep doing what you’re doing

  • But don’t let success keep you from evolving/growing

  • Compare yourself against yourself from last year

  • Maintain online presence for new opportunities

  • Be thankful for failure

  • Read disclosed reports

  • Focus on one program at a time. Cycle if you get bored.

  • Don’t spray XSS payloads everywhere

  • If possible, work at a company that has a BBP

  • Spend bounty money on tools that will generate more bounties

  • Budget a specific amount of your bounties for fun. And stick to it.

  • When hacking a store, don’t be afraid to make small purchases

  • Look for changes in JS files to know when there may be new functionality

  • Look for references to subdomains in a company’s GH repo

  • Look for references to subdomains in employee’s GH repos

  • If the app uses Intercom, try booting it with another email

  • Look for second-degree IDORs

  • SSRFs exist when the app makes any external request. Look for these requests.

  • Look for actuator endpoints

  • Find hackers that hack differently than you.

  • Try hacking in a different room of the house

  • Try hacking at a different location altogether

  • If you find the same bug on different endpoints, file it as different bugs

  • Try always having some pending bugs in your pipeline

  • Break your yearly bounty goal into monthly goals

  • Know when a bounty isn’t worth fighting over

  • Push back gently when a report gets downgraded

  • Use the leaderboard as motivation, not as comparison

  • Don’t reinvent the wheel when a tool exists

  • Don’t be afraid to build the wheel if the tool doesn’t

  • Try collabing in real time over video chat

  • Always ask why something works the way it does

  • When collabing, don’t be afraid to be the underperformer

  • When collabing, don’t get salty about being the overperformer

  • Use mediation, but use it sparingly

  • Be generous with your earnings

  • Hack for fun, not for a paycheck

  • LHEs are a privilege, not an expectation

  • Programs are your friend, not your adversary. Work with them

  • The platform is your friend, not your adversary. Work with them
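Two of the tips above are easy to turn into a repeatable check: watching JS bundles for changes to spot new functionality, and checking whether an older API version (or the unversioned path) is still served next to the current one. The script below is an added example written for this issue; it is not Douglas Day’s code and not part of his thread. The two bundle snapshots are constructed samples, and the `/api/...` path convention is an assumption about how the target’s client code references its backend. It is just as useful from the other side of the table: an app owner can diff each release’s bundle to see which endpoints the client now exposes, and which legacy versions of them ought to have been retired.

```python
import hashlib
import re

# Constructed sample: the same client bundle before and after a release.
OLD_BUNDLE = """
fetch("/api/v2/users/me");
fetch("/api/v2/orgs/members");
"""
NEW_BUNDLE = OLD_BUNDLE + """
fetch("/api/v2/orgs/invites");
fetch('/api/v1/export');
"""

# Assumption: backend routes appear in the bundle as quoted literals starting with /api/.
ENDPOINT_RE = re.compile(r'["\'](/api/[A-Za-z0-9_/.\-]*)')
VERSION_RE = re.compile(r'^/api/v(\d+)/(.*)$')


def fingerprint(bundle: str) -> str:
    """SHA-256 of the bundle text; a cheap way to notice that a file changed at all."""
    return hashlib.sha256(bundle.encode("utf-8")).hexdigest()


def extract_endpoints(bundle: str) -> set:
    """Collect every /api/... literal referenced by the bundle."""
    return set(ENDPOINT_RE.findall(bundle))


def diff_endpoints(old: str, new: str) -> dict:
    """Compare two snapshots and report which endpoints appeared or disappeared."""
    if fingerprint(old) == fingerprint(new):
        return {"changed": False, "added": set(), "removed": set()}
    old_eps, new_eps = extract_endpoints(old), extract_endpoints(new)
    return {"changed": True, "added": new_eps - old_eps, "removed": old_eps - new_eps}


def older_versions(path: str) -> list:
    """For /api/vN/x, list where a lingering legacy copy could live:
    /api/v(N-1)/x down to /api/v1/x, then the unversioned /api/x."""
    m = VERSION_RE.match(path)
    if not m:
        return []
    n, rest = int(m.group(1)), m.group(2)
    return [f"/api/v{k}/{rest}" for k in range(n - 1, 0, -1)] + [f"/api/{rest}"]


if __name__ == "__main__":
    result = diff_endpoints(OLD_BUNDLE, NEW_BUNDLE)
    for ep in sorted(result["added"]):
        print(f"new endpoint: {ep}")
        for legacy in older_versions(ep):
            print(f"  check whether this is still served: {legacy}")
    for ep in sorted(result["removed"]):
        print(f"removed endpoint: {ep}")
```

Run it against real bundles by reading the two files into `OLD_BUNDLE` and `NEW_BUNDLE`; the printed legacy paths are the ones to confirm return 404 or 410 in the current deployment, in line with the tip about trying `api/v1/` when only `api/v2/` is documented.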

Suggestions

Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.