Hi, this is my first blog post on Bug Bounties. As I am new to bug hunting myself, this post is basically a beginner's advice for beginners starting out on VRPs (Vulnerability Reward Programs). These are my views, and they may or may not resonate with what you think!
I love The Office so let's begin with a quote from the show :D
Things I will cover in this post:
- Where to hunt?
- How to pick programs?
- Why to stick with programs?
- What to Hunt?
- Reporting
- Some of my initial valid submissions
There are a lot of crowd-sourced platforms, and many companies also host their own programs on their websites.
...and the list goes on.
As of now, I have only tried looking at programs from Bugcrowd, HackerOne, Intigriti and Bug Bounty JP. My advice to a beginner is to opt for Bugcrowd initially. This is because of the Bugcrowd support team: there are several channels, such as chat support, the Discord group and, as a last resort, "hidden" Twitter support. Only if you feel ignored and unheard should you use that last option.
Twitter hidden support is basically Bugcrowd legends like Hakluke, Vortex, Codingo, etc. keeping their DMs open, where you can politely explain your issue along with your bug report reference ID. I am sure someone will help you out!
My reasons for initially avoiding other platforms and company-hosted programs are:
- You might find the triagers harsh and unfriendly.
- Region-specific bounty programs might be run in native languages (Japanese, Chinese, Danish, Swedish) which you may find hard to work with in the early days.
- Self-hosted programs are dicey: they may ignore your report, or even fix the issue without replying to you, and you will have nobody to complain to.
Therefore, going to a reliable crowd-sourced platform with friendly triager support is important when starting out, and I recommend starting with Bugcrowd.
There are different types of programs:
- Public
- Points only
- Reward
- Joinable
- Private invites
The initial goal is to reduce the competition as much as possible.
I am assuming that you have not yet been invited to a private program, so the best option you have is to opt for joinable programs.
Go through all of those programs (initially around 30) and sort them by payout. Pick the 8-10 joinable programs with the lowest payouts (lower payouts attract fewer hunters). Read the scope for all of them and visit the applications that are in scope.
These will be the probable choices:
- Thick-client applications
- API Testing
- Web Application
- Android Apps
Everyone has a preferred type of application to hunt on. I like API testing, so I further filtered them down to 4-5 programs that had API testing in scope. Do check the request/response traffic and see which programs you are more comfortable with.
Then check the scope and the program's average validation time (the lower, the better) and pick 3 programs.
Why to pick 3 programs?
There will be times when you are bored of seeing the same interface again and again, so keep rotating between a limited set of programs.
Initially everyone has the mindset "the program has X resolved reports already, so I won't find anything". You should completely drop this mindset: the company has not halted its development cycle and is continuously pushing new code every day. Check the Web Archive for a website and you will see that its structure may have changed completely compared to how it looks at present.
Approach it as:
Old Program → Less Crowd → New Code → New vulnerabilities → 💰💰💰
Therefore, avoid looking at other programs for at least 2-3 weeks and focus only on these programs.
Once you stick with a program and have enumerated it multiple times, you will notice changes in code, functionality that has been recently added, stuff that has been removed, and so on. This really helps you understand how the developers are progressing with the application, and you will have an advantage over new hunters (they won't know the recent update timeline).
You might be good at CTFs, or maybe you practise on Juice Shop, but it won't be that easy. Companies are paying you for issues that survived several rounds of traditional pentesting.
Firstly, read Bugcrowd's VRT (Vulnerability Rating Taxonomy) to understand what is accepted, what is out of scope and how the P1-P5 priority ratings are assigned.
Next, opt for easy bugs such as:
- CSRF (Cross-Site Request Forgery)
- IDORs (Insecure Direct Object References)
How to hunt for these bugs?
- Read about these bugs in Real-World Bug Hunting: A Field Guide to Web Hacking and watch InsiderPhD's series "Finding your first bug".
- Practice CSRF on the PortSwigger Web Security Academy.
- Read lots of bug bounty reports from:
This is the most important part of submitting your bugs. Keep the report as detailed and as simple as possible, so that it is easy for the triager to understand the impact and triage the bug quickly.
- Follow the same structure for every type of bug you report.
Something like:
## Description
Explain the bug type in 2-3 lines.
## Impact
Explain the damage in 1-2 lines (what an attacker gains, and against whom).
## Steps to Reproduce
Instead of writing a paragraph, add bullet points with screenshots of as many steps as possible.
- Add curl commands if possible, so the triager can replay the request without your tooling.
- Be humble to triagers.
So I picked a program which was 2 years old with API testing in scope. I started looking at the program on 20th June 2020. All the bugs found were on the main domain. No fancy recon tools were used to hunt these bugs; the community edition of Burp Suite and some basics were sufficient.
The results are as follows:
I got a not-applicable (NA).
Submitted a bug as soon as I saw something interesting (don't make this mistake; understand the problem completely before reporting it).
P3 (Duplicate + Won't Fix)
I started understanding the application and got a duplicate. Yes, they are not fixing it, but it is still a valid bug!
P3 (IDOR: 500$)
Got my first bounty on Bugcrowd! I was able to downgrade an admin to a low-privileged user. I used the trick explained in InsiderPhD's API testing video. By this point I had understood what I was doing and the structure of the main application.
P3 (IDOR: 450$)
While testing a different approach I mistakenly made a payment of $10. This gave me access to a broader scope on the main application. I ended up finding a sensitive information disclosure.
P4 (Repudiation: 200$)
This was a rather conceptual and simple bug. I was able to make changes to my team group (a specific function on the program) without generating logs about it in the backend. Basically, I could generate tokens for new team members and could initiate requests that should not be allowed. It was not considered a low severity issue because I needed a privileged user to conduct this attack.
To sum up, I stuck with this specific program for 2+ weeks and I started getting results! I hope this helps you find your first bounty.
Thanks! Do leave a comment if you find this interesting :)
This blog post was for beginners, targeting how, where and what to do when starting with bug bounties. In the last section, I briefly explained how I used the same methodology to find some easy bugs.