#bug-bounty
1 messages · Page 3 of 1
Gave +1 Rep to @fast fable
Hey guys
I'm new to bug hunting and kinda stuck in the process of upskilling myself.
My problem is that when I learn about some vulnerability from PortSwigger labs and then practise labs over there, I understand the vuln, but I don't understand how to implement what I learn on a live website.
What should I do about it?
Also, how do I improve my auto recon methodology?
My hunting approach is:
First I take a target
Then run subfinder && httpx to find active subdomains
Store those URLs in a list
Run nuclei on that list
That's it
What else should I do in auto recon?
don't rely on automated recons
- a lot of false positives
- most bbs don't accept bugs from automated scanners
- it'll miss things that have to be looked at manually; keep in mind that a bug bounty is public to everyone and the company will usually already have had a pentest done; 99% of the time anything from an automated scanner will have already been looked at
My advice would be to poke around for things like XSS, IDOR - these are the most commonly found vulnerabilities that aren't that hard to exploit. Your process of finding the subdomains is good, but just make sure they are within the scope first before looking at them.
You'll have to know that people spend months trying to find bugs. I'd personally say there's a lot of luck involved with these kinds of things (refer to point 3, you'll have to have found a bug that somehow went unnoticed by the internal pentests and everyone else doing the bb), it does happen of course, but don't go in expecting to find something immediately. I'm not trying to discourage you from doing bbs, it certainly was a great learning experience for me and of course, the added bonus of $$$. Just don't have high expectations going in
I found an endpoint on a website which should be vulnerable to CSRF: no preventative headers, no CSRF parameters, just the cookie. I have a POST request with application/x-www-form-urlencoded content type, and I had Burp generate the CSRF PoC which should work, but when I click the CSRF PoC link, it doesn't insert the one cookie needed to authenticate the request. Is this because it's a secure cookie? And is there anything I can do about that?
Have you heard about the samesite cookie flag?
@urban chasm that's gotta be it. I wonder if there's any bypasses to that
You have burp pro?
@fast fable yeah, I've gone through their SameSite labs to see if there's any similarity to my situation, nothing yet.
Go to request where you get the Set-Cookie header from the server (likely on login page), and check what samesite attribute it gives.
If it is "Strict" then you can only exploit the CSRF through XSS, which means the CSRF isn't really a vulnerability.
If it is "Lax" the action is only vulnerable if it allows the GET method, and requires some modification of the payload.
Hola
How would recon work when no automation tools are allowed? Especially if the web page is almost blank, like you need to log in to access the page?
Check the page source to find out whether they use a CMS, then use ZAP / Burp to get an idea of the structure, perhaps trying some known directories / files:
sitemap, readme, htaccess, etc.
People from India: how many days does it take for you to receive the bounty in your bank on HackerOne?
hi guys
I am new to this domain and I want to learn bug bounty from scratch. How can I start my journey in this, like some courses or some websites?
Please tell me the right path to learn.
You can #start-here
- read pinned messages in here
I did some rooms, but some of their content is not free.
That is correct, have you also read the pinned messages in this chat?
What about a company that does both bug bounties and extermination?
Hello! I'm relatively new to the whole cybersecurity environment however I'd like to work towards my goal of becoming a bug bounty hunter, because I'm currently not capable of starting a full time job. I know that this is quite ambitious because I'm starting with relatively little experience, however I'd like to attempt it. Is there a certain path on THM that I'd be able to follow to learn more about the world of bounty hunting? Or how would I be able to work on this? Thank you in advance, have a great day!
Read #start-here and the pinned messages in this chat, what learning have you done so far?
Ah thank you, already read through #start-here however I didn't notice the pinned messages! So far I've mostly been busy with the basics, so: HTTP, DNS, and some other things. Just want to know if I'm heading on the right track, because it seems like quite a daunting task.
Gave +1 Rep to @shadow matrix
Yep, it's a long road. If you only want to be mediocre at best, you can start learning vulns and searching for them right away, but I believe that in order to be good in bb (I'm not good yet) you need to also understand the vulnerabilities and, most importantly, the application and how everything works, not just how to use it.
I totally agree, I'm just still searching for how to get to that point where I do actually understand the application and how everything works! Because there's no real defined path, I don't think, so it's a bit daunting to start on something not exactly knowing how to get to where you want to be. But I'll try my best and at least start by learning vulnerabilities and gain experience with bounty hunting that way so I can start to understand how to actually do it (if you understand what I mean), sounds good?
However is there a good path to follow on THM to learn it? Because I don't see that in the pinned messages or #start-here.
If you are willing to pay for a subscription, the official paths are pretty good; for bb, I would suggest going Pre Security -> Jr Pentester -> Web Fundamentals.
Some other great resources for web sec are:
PortSwigger Academy
OWASP's official websites
HackerOne's academy
LiveOverFlow
Thank you both @shadow matrix @ember vigil! I'll try my best! The help is greatly appreciated.
Gave +1 Rep to @shadow matrix
You can have mine, thanks!
Gave +1 Rep to @ember vigil
If it's just a website you know, I'd suggest not going into it further and leaving it as is; if it's a website that has a bug bounty/vulnerability disclosure program, then disregard my advice.
Not the best idea to report a bug/vuln to a site that has neither as you'll need to hope you won't get in trouble.
I have a question for those who do bug hunting: is THM enough for sharpening bug hunting skills?
In my eyes THM is best for pentesting. They explain things very easily.
Please suggest me rooms for bug bounties.
Any bug bounty hunters here that can shed some light on how you choose your programs?
Hlw
There's a web learning path and you also got the NahamSec bug bounty room
On a Linux server
my files got encrypted by a ransomware attack.
The files look like: file.encypted.encrypted
How do I know which ransomware it is and how can we decrypt it?
Can anyone help with this?
This channel is for bug bounty discussion, for all things related to bug bounties.
Which channel is good for my issue?
I am trying to test a website.
It has a wp-login.php page but wpscan says the website is not on WordPress.
How do I proceed?
check the page if it's in scope
Yes it is
then have a look around
But why would wpscan say that?
Tried many times via 2 tools
```
wpscan --url target.com
```
And I got rate limited now.
Cloudflare banned me
Nice security
I mean yeah...? Why wouldn't you ratelimit?
'Cause it seems the tool didn't even reach the site.
And I reached manually twice only
your tools might have sent a lot more requests than you think
and yeah, that is good security, to block against botnets and potential DDoS attacks
Thank you! you can have one too, sorry :)
Gave +1 Rep to @ember vigil
443/tcp open ssl/http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf
CVE-2014-3566
I have been trying to exploit it but nothing worked for me.
I need someone's help who is good with cryptography and MITM attacks.
@young leaf help me, sorry for the ping
Do you have its prerequisites?
Also, avoid pinging others, esp. moderators,
unless it's urgent
Hello, I want to learn bug bounty, but I can understand YT tutorials. Can anyone teach me please?
Where did I get that?
@ember vigil
does anyone know about timthumb.php vulnerability, does it still work?
Prerequisites like what?
Sorry for the ping
As you can see, I found it in an nmap scan and now I guess I just need an exploit.
Did you take your time and research about what the exploit requires
Yeah, but I didn't understand.
Because I thought I have to run some XSS script from the client side? How is it possible?
Maybe don't try to do exploits you don't understand. You might end up breaking something for the company you are doing Bug Bounty.
Nah, it's a MITM attack, what can it break?
If I'm able to capture cookies then I can submit it.
I have been trying to complete this task for long but I'm not able to do that; I'm looking for help.
Can you help me?
Do more research about the vuln. IMO it's very hard to exploit because it requires a lot of things to go right, else the attack just fails.
Yeah, but it's about cryptography and I'm new to it, that's why I need help.
Wait
IMO, if you don't know it, don't try to exploit it.
Do I have to inject an XSS payload into the client server?
There may be a chance you break something
? How
https://github.com/mpgn/poodle-PoC
Here is the repo if you wanna see
I read all the info about it, but on the website I found it doesn't use WordPress.
I want to start in bug bounty, so can you please help by giving suggestions and some resources to start, like:
1. Books
2. Web links
3. How to do bug bounty in a sequential way
read the pins
Where can I find pins? I am new to Discord.
Hey I'm Trying to unlock some skins for my sniper in bot lobbies how do I do that
Sorry, can you elaborate?
Do you mean youre trying to cheat for some skins in game or something?
You got referred to this server via a TikTok video? You're not the first one. We don't condone cheating (or unethical or illegal hacking); this server is strictly a learning platform to learn ethical hacking. We can't help you with that here.
Shi mb have a good day sir
How polite
Can I get that video though?
I am interested to join you
Anybody doing bug bounties? I'm looking for someone to learn from. I've done a ton of CTFs and studied a lot of material but never anything real world. Not looking to take/split your pay either, just learn.
feel the same
Does anyone know if there are any good resources out there for decoding URL parameters? I've run into a couple of issues on some Bug Bounty engagements and could really use some direction.
do you mean decoding URL encoded parameters?
If so, Burp has its own Decoder tab
Thanks! That's exactly what I mean, but furthermore I'd like some resources to practice with, as I am having issues with identifying what encoding is used and such.
Gave +1 Rep to @lilac spindle
Hey, can a disclosed Instagram Basic API token cause any security issues?
Depends on what sort of permissions it has; obviously any API key shouldn't be disclosed anyway.
I can access this kind of data of the company's Insta
and also have the permission to reset the token
Is it in scope?
Yeah
I'm guessing these are just data of the media they post on their company Instagram
Yeah, but still I could get much personal info of that account
like user secret, code, etc.
If it's not customer data, it may be tagged lower
Demonstrating impact is always best
They basically use that API to display their Insta feed on the website
So if I reset the token maybe it can break that?
I wouldn't recommend doing it
yea i wont do it
Hello house, please, I am having issues running gobuster on Ubuntu and don't know if I am doing something wrong... I can't check the version installed using gobuster version to see the version, please help... This is the error I get when I run the command in the terminal... *worldlist (-w): must be specified (use -w for stdin)
*url/Dormain (-u): Must be specified
if you can post a pic of terminal, might help better
Hi guys
What are the ways to:
1 - bypass 403 while brute forcing login via wpscan
2 - add a legit email and an attacker email in the password reset form
3 - test websites hosted on Cloudflare because it blocks almost all my automatic attacks
3 - test websites hosted on Cloudflare because it blocks almost all my automatic attacks
don't use automated scanners?
2 - add a legit email and an attacker email in the password reset form
create an actual account?
1 - bypass 403 while brute forcing login via wpscan
Depends on how its rate limiting is implemented; if it's through Cloudflare, good luck.
solid
All of this in general sounds like user testing, which is the first thing I do when testing any website, even the ones I make.
Yeah, I believe he has to download the wordlist or at least specify the path on his system. Normally the docs, if followed too closely, cause this error if you don't know how to find your exact path.
what version is your gobuster at?
you might need to update it
I ran gobuster version to see the version but it keeps giving the error message... I will try to post a screen of my terminal, please.
go install github.com/OJ/gobuster/v3@latest
I have been working through all of the THM content to further prepare myself for bug bounties, along with starting a couple of books. My question for people active in BB... are CVE exploits relevant to bounty rewards if they are new and cover in-scope items? If they are not, then I assume you are primarily looking for misconfigurations if you aren't writing a new exploit.
There is a set time on when CVE exploits will be available as a bounty
Let's say you find Shellshock, that is a valid one
But if it's some new CVE, it might take a couple of months before it becomes valid as a bounty
@lilac spindle just to make sure I understand: older CVEs can be claimed as bounties generally before brand new ones?
Better to check with the programme's rules of engagement, sometimes they don't take them at all
@lilac spindle ok thank you. I wasn't sure if I should focus much time on CVEs if they are not generally covered. I appreciate the information
Gave +1 Rep to @lilac spindle
Hello, is an SSRF attack able to use the domain itself? For example, the ABCD web is vulnerable to SSRF, and the payload I use is "http://abcd.com:22" not "http://127.0.0.1:22".
For question two, a lot of times you can try to change the existing variable to an array. So let's say you have a password reset endpoint, and it's a POST request and the request body looks like this: email=example@gmail.com. You can try to make it an array like this: email[]=example@gmail.com,attacker@gmail.com. If it's a JSON endpoint, do the same in JSON format. If that doesn't work, you can also always try putting the parameters in the URL itself instead of in the POST body.
Possibly, but not like you think. Keep in mind that abcd will likely just resolve to their public IP, but if you have full read you may be able to see differential responses and such; it won't work like 127.0.0.1 because localhost and the actual resolved IP address of the public-facing website will be different.
Hello everyone, I have been on THM for a little over a year now and HTB for half a year; I have been wanting to start bug bounty and have collected a fair share of notes over the year.
Curious if you have any suggestions on how to move forward, like specializing in one sort of vuln or being a jack of all trades moving on? I have a hard time focusing on which platform and where I should actually put my skills to the test.
I recommend testing bugs or vulnerabilities you learned from THM/HTB on a real target; do it right after you finish reading this text.
Try it on a VDP first; after you get the first bug, then move to a BBP.
Hello
Hi
Hello, I'm a beginner.
I wanted to ask how much time it will take for me to start bug bounty.
This isn't a beginner thing...
as most bug hunting happens on websites and web content shadow would assume you could guess using that info... but here it is spoilered if you can't be bothered to: || #web-fundamentals-path ||
thanks
Gave +1 Rep to @little meteor
Hello! A question: how much time would it take me to become good at bug bounty hunting considering I learn 3 hours everyday on tryhackme?
Probably around 3
Months or..? (Excuse me if this is a stupid question; I've seen you can get good at bug bounty in a few months, so a bit confused.)
What is your metric in being a good bug bounty hunter?
Uh, don't know, I guess that's what I'm asking?
It's hard to measure how good a person is in bug bounty hunting, as there may be multiple factors in play and not all of them contribute to being, let's say, a good "bug bounty hunter". Do you think of being good in terms of reported bugs, or in breadth of knowledge related to web application security?
I'd say in my opinion, a good bug bounty hunter is someone who has good knowledge of web application security, is able to write good reports, and follows the Rules of Engagement at all times.
I can't really tell how "good" I am in terms of web application security, but I have completed the web fundamentals and web exploitation on TryHackMe; I don't know how good that makes me. But as far as I'm concerned I can identify common web application threats, and occasionally find bugs.
Yeah, so what I'm asking is how long it would take me to become an expert at the stuff you've mentioned if I continue learning on TryHackMe and practise CTFs daily.
I'd say you have a good foundation already. Try to learn how your tools can affect the infrastructure where you're testing and always follow RoE. Bug Bounty Hunting requires a little bit of luck so don't give up when trying to enumerate.
One thing that would make you stand out from the rest of other testers is report writing.
Ah okay, thank you ❤️
Gave +1 Rep to @lilac spindle
will try that every time i go bug hunting! thanks again
Isn't bruteforcing just a noisy way of saying "I guessed your password" ?
Check your contract/ the terms in the bug bounty program.
It will all be listed there
Gave +1 Rep to @lavish hollow
Hello! I am new here. Can anyone explain this to me?
OBJECTIVE
For this challenge, your goal is to use visual reconnaissance. You will need to find the website with the key in red.
VISUAL RECONNAISSANCE
For this challenge, the web applications are hosted under: 0x["%02x"].a.hackycorp.com as in:
0x00.a.hackycorp.com
0x01.a.hackycorp.com
...
0x0a.a.hackycorp.com
0x0b.a.hackycorp.com
...
If you haven't done visual reconnaissance before, you can try to use the tool Aquatone to get images that you can browse easily to find the right key.
Where did you get this challenge?
Ahhh, I remember this challenge... just need to follow the hints the challenge has already given you... and find which website has the flag in red.
Gave +1 Rep to @lilac bough
@lilac bough But do you know what "%02x" is?
Should just be the naming format of the subdomains. I don't know the exact meaning, but I'm guessing it prints 2 characters after the 0x part of each subdomain..
Google will be your best friend
This is a pentest lab recon challenge, I did it
You should make all possible subdomains in a text file and launch aquatone (follow the subdomain number logic in order to enumerate them)
Hello everyone! I'm going to perform my very first penetration test in about a month, and there are a few questions I'd like to ask:
- Where do I start with recon? Do I make a list of all the subdomains, endpoints, etc.? What's the best way of gathering information?
- Would it be ideal for me to spend some time navigating and exploring the core features of the website before getting on with recon?
Also, do excuse me if some of the questions are patently stupid; after all, I am just a newbie.
The scope will explicitly say what URLs are supposed to be tested
I presume you've got a contract?
Ah no, that I haven't. This is just a free bug bounty test I'm doing to practice with the explicit permission of the website owner.
@vocal folio
I have an Oracle DB running on 172.12.0.2
Now I'm running Power BI on a VM (I set it up in the same IP range: 172.12.0.10). The problem is the Oracle DB can ping my Power BI VM, that's good, but when Power BI pings the Oracle DB: *Destination Host Unreachable
some devices dont respond to pings by default
Can I hire you to fix my problem? *It's just a basic network problem between VMs
but I don't have network knowledge good enough to fix it
please reply to me soon
ok
Oracle DB: 172.17.0.2 *running in Docker on localhost
Windows VM: installed with Power BI
Now I want to make a connection from Power BI to my Oracle DB
But at first, the Windows VM was configured outside the IP range of the Oracle DB -> so I re-configured it into the same zone, which is: 172.17.0.10
Then, on Oracle DB: ping 172.17.0.10 -> worked fine
On Windows VM: ping 172.17.0.2 -> Destination Host Unreachable
hey everyone
I'm working on a program and I need some advice.
When I log in, a session ID of 32 characters is created each time, containing random uppercase and lowercase letters.
If I use any other session_id generated before for any account, I would log in successfully even if the session ID was generated a long time ago.
So what I did: I created Python code that can generate multiple session IDs the same as the ones generated by the server and I tried to brute-force with different long lists of them, but in vain.
I think I'm missing something, can anyone enlighten me please?
Hello, I have a general question about CVEs. I found a few vulnerabilities in a commercial application that requires you to be a paying customer. The application is not available to download from the website. Is it still eligible for a CVE?
32 lower/uppercase characters is still a giant space of possible combinations, so you will likely hit combinations that aren't legitimate sessions. Unless there is something non-random about how the session ID is generated, it's probably not very practical to exploit. Still, not invalidating session IDs after a fixed period and not linking them to, for example, a source IP are still security risks.
Which vendor is this? If it's a big company then it's likely they are a CNA (CVE Numbering Authority) and you can report it to them regardless of you being a customer or not. If they are not a CNA or not willing to co-operate, you can always contact MITRE directly and work with them.
Thank you. I think I will need to talk to MITRE, because in Greece there is no CNA. The company has about 30% market share of the industry, but it's local to Greece.
Gave +1 Rep to @acoustic hearth
Might want to check with https://cert.grnet.gr/en/home/ then too.
Edit: https://www.nis.gr/en/national-cert/ looks more like the national CERT, the one above might not be applicable.
Ok Will do. Thank you for the quick responses!
anyone?
thanks!
Gave +1 Rep to @ember vigil
You'll get yourself in trouble without a contract
Do you have a contract?
Not if I don't damage anything + with explicit permission + when they have a program where they reward people for finding bugs
It is completely different
Hey guys, I found a severe IDOR vulnerability on a website today which is not very difficult to recreate, but I don't know how I should report it. I'm looking to earn a couple of bucks here, but unfortunately the website doesn't have a bug bounty program or anything close, so I want your suggestions. Should I email them telling them that I've found a severe IDOR vuln on their website which is easy to recreate and would cause a big loss if discovered, and that I'll be ready to show it to them for a good price? Which imo seems a bit malicious? Or maybe I should just show them how it can be recreated right away and then ask them for a reward? Really don't know what to do here, need an expert suggestion.
If they don't have a bug bounty program, asking for a reward to show them how to replicate it isn't right imo.
I don't participate in bug bounties, @fast fable would love your input here
I see, thanks for your suggestion jabba!
Gave +1 Rep to @lavish hollow
Isn't that sort of "grey hat" territory?
"and I'll be ready to show it to them for a good price",
so you've actively looked for vulnerability on a site that doesn't have a bug bounty or vdp, and now you want money to disclose it? Definitely screams unethical to me @lavish hollow
My thoughts exactly
Yeah, you could get in trouble for reporting it, especially if you didn't have permission to be testing, but if you wanted to report it ethically I wouldn't expect a reward...
Now if they had a bug bounty program and you were still in scope, then yeah, I would ask for a reward or swag.
It is borderline blackmail
Depending on your wording in your report, it could be a lawsuit if the company takes it the wrong way... because it sounds like extortion right now... Then on the other hand you would have to report it to stay on the ethical side of things...
Because say you were the first one to find this and didn't report it... then later down the line someone malicious finds it and does something with it... you could also be considered part of the malicious attack since the first traces of the incident would lead back to you..
Hmm ok, thanks y'all
And this is why you make sure the company has a bbp/vdp before trying anything
I would still write a report, explaining what you've found, exactly how to replicate your findings, the impact of this bug; offer a way to fix said bug, and offer to retest for the bug after they implement a fix... then after all that you might be able to slide in "hey, do you think I could get a reward for this finding?"... And if they say no then 🤷‍♂️ lesson learned: hunt on companies with a bbp/vdp like jay mentioned.
yep just did that, thanks a lot!
Gave +1 Rep to @lilac bough
This definitely fits the definition of a gray hat hacker. Your intent is good, but asking for money in this situation is unethical. Instead, if I were in your situation, I'd tell the website owner that I've found this vulnerability (walking them through how to recreate it) and ask them for permission to write about it publicly once it's fixed. In the writeup I would not disclose any information that could identify the target. Just my 2c!
I emailed them today showing them the whole process of how it can be replicated, and yeah would be a good idea to ask them for permission to write a blog on it. Anyhow, thanks for the suggestion, appreciate it!
Gave +1 Rep to @jagged hedge
np! although, even with permission to write a blog on it, I would consult a lawyer and ask what kind of legal trouble the post could land me in (laws vary a lot depending on region). If I'd be safe on the legal side of things, I'd also ask the website owner to review the post before publishing it.
And, like mentioned by others, in the future I'd steer clear of websites/systems I do not have explicit permission to hack on.
Also, there's a website that offers free membership to anyone who finds a bug on their site, so technically that's a bug bounty program?
sure
ah ok, that works then
Hi, who can help me? I wish to become a bug bounty hunter.
Which one do you think is a better buy?
https://in.store.asus.com/90nr0dg4-m00250-rog-zephyrus-g14.html?qty=3
I think you just posted the wrong link to the Apple MacBook
m1 pro?
I am using a Macbook Air M1 (2021), until now it is absolutely satisfying
I'm using Air M1 2020
Asus always
I actually have the G14 and am happy with it
Lenovo is usually a solid choice too
any update, did they ever respond?
nope not yet
I got a bug on a website recently too, which didn't have a VDP. I just emailed them a report including steps to reproduce, and they were cool about it and sent me some swag. I think any manual testing doesn't hurt; it's just the automated testing that goes over the line.
Exactly, people say even manual testing on websites without a bug bounty program is illegal, and I don't get it because I'm not really causing any harm.
btw, @quick berry they emailed me today
said they forwarded it to their technical team
That's what you think, that would not always be the case coming from a company's POV
Always exercise caution. I don't recommend doing any type of testing for websites without a BBP; the bottom line is you don't know how they'd react.
Also think of local laws applicable in your country; you might think it's not illegal but the law may say otherwise.
point
@fallen palm thanks for the update, but mknukn is right. From our perspective we are doing a good thing, and nowadays it's not as bad as it used to be. But some companies are still super skeptical and could even throw legal action at you. It gets to the point where it may not even be worth it.
Gave +1 Rep to @surreal whale
it really just comes down to discernment
Sadly that's not how it works in the real world.
When it comes to using the nuclei scanner, is there somewhere other than the GitHub repo where I can easily view what each template is looking/checking/testing for and what it is that it finds when it does find something? There's a whole bunch of things that get spat out and I don't understand what they are.
hi
There is this login page that shows the input value in the response, so I tried XSS. The input value comes in an <input> tag in the response and among the special characters only the " and < get HTML encoded. So when I try something like <7>, in the response it shows as <7>. Is reflected XSS possible? What are the automation tools to check this for? Thanks.
If it's being encoded then no.
Yeah, it is not all the characters, only ", < and '. Thanks.
Well you can't escape it because you can't start a new tag without < and you can't escape attributes without "
Hey there, maybe somebody has an idea: currently hunting on a VDP. Some months ago I used a guest checkout for Company XYZ.
Today I decided to look into their site from a hunter perspective.
When I created an example account with the same email that was used (ONLY!) for guest orders, I could see all the payment info, address etc. for prior orders. I created an account with "Register", didn't get any "User already exists", and when I logged in I could see it.
So if I knew the email of somebody who ordered at site XYZ as a guest, I could obtain their personal data. I wonder if this scenario is too unlikely or if I should report it anyway?
Even though it might be a difficult constraint for an attacker to obtain emails of someone who ordered as a guest? Would you report it as Information Disclosure? Or Improper Access Control?
Improper access control
Thanks a lot! I'll test some more and write a report this evening.
@vocal folio would this be AC High for requiring knowing the user's email, right?
id give it AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:C
Thanks
I just confirmed it for a second time with a friend. Really working (unfortunately, I guess xD). Thanks for being part of my first ever vulnerability report.
Nice find
I think it's funny because it was an accident, as I just wanted to create a user account to START hunting and while setting up I found it hehe. Unfortunate that it's just a VDP, but still a personal success.
Hi guys, I've a question. I've signed up to a known bug bounty website (idk if I can write names), I've been doing CTFs there to get some practice, and I got enough points that I was invited to a private bug bounty program....
Now.. this program has a few endpoints but none of them are eligible for a bounty. Apart from getting some practice(?), do you believe it makes any sense that I was invited to such a program, or to spend time trying stuff there?
do you value recognition or do you value money
good point, I guess both, but maybe finding something for "free"&practice could bring me something better on the long run
I thought no bounty also meant no recognition
you can say what bb platform you are on but because it is a private program you cannot disclose the program(the actual company/product you are hacking), so saying Hackerone is fine but saying (as an example) Netflix or Amazon or Mastercard is not ok.
Thank you for your detailed email, below, and thank you for not attempting to exploit the identified vulnerabilities.
We were aware of these through external vulnerability assessments, and work was already underway to address them. Having to migrate multiple hosted applications, databases and webservices from one server to another takes time, particularly when one of those applications is the T&A site, and we have moved several generations ahead with our [VULNERABLE SOFTWARE].
The T&A has now been moved onto a new server, and so, if you are interested, I'd like to invite you to re-run your assessments against that website, and report any findings to me. If you would like to do this, could you please remember to include [REDACTED] in any emails sent to me.
Context: I do Sea Cadets (UK version of Navy Scouts/JROTC to a degree) and managed to find vulnerabilities in one of their websites. Received this approx 1hr ago from their head of IT for the whole organisation.
Well done!
Well done :)
Awesome stuff
do you get paid?
Probs not
Nah Sea Cadets >>
Hell yeah brother
cool
Can anyone help with bypassing
Unauthorised API call
It's behind AWS elastic load balancer/2.0
There can be a lot of variables in place with this. Maybe you can rephrase your question to include things you've done, troubleshooting steps you've undertaken, issues that you've encountered, and generally what you want to accomplish.
I found a subdomain using the permutation method, then I tried to visit that subdomain and it shows this in the browser
{"status":{"error_code":"UNAUTHORIZED_API_CALL","status":"ERROR","message":"","response_code":"UNAUTHORIZED_API_CALL","operation_id":"4145235......................63647."}}
Have you tried searching this particular error message ?
So I am about to throw in the towel with trying to escalate the severity of this XSS that I found as part of a bug bounty program. On the search bar of the target website, if you search particular text, you can escape some HTML. The problem is that there is a WAF on this website that blocks any meaningful payload. My XSS injection text is:
" onmouseover=alert(5)
Which would trigger (after doing a bunch of trial and error) if there was no WAF. I have tried a bunch of techniques to bypass including different event handlers, different casing, whitespaces, unicode encoding, etc, but the WAF (GoDaddy Sucuri) keeps on doing its job too well.
The best I've gotten is to harvest user IPs via triggering a background image load to listening site:
" style="background:url('https://webhook.site/1ef0228f-9cf6-49ee-b7f6-4f27b473ed22')"
But reporting that marks my report as "informational" only. The latest thing I have tried but doesn't work:
" onmouseover/=[7].map(alert)
That doesn't work because the / causes a whitespace between the onmouseover and equals sign, bypassing the WAF but doesn't result in a valid HTML injection (below is the relevant HTML content).
<input type="text" name="Search" value=" " onmouseover="" =[7].map(alert)"="" title="Search" id="txtSearch" class="name" style="width: 500px;" onclick="return ValidateSearch();">
Any suggestions anyone has before I just give up and move on?
Oh perhaps I should add a bit of the WAF behaviour, from trial and error I think this is what happens:
- onmouseover=bananas gets blocked because it matches an onxxxxxx= regex filter
- testFunction() gets blocked because of circular brackets regex matching
- Mixed casing doesn't bypass
- URL encoding doesn't bypass
- Null bytes and other funny white spaces don't bypass
- HTML encoding < gets blocked
- The application crashes when I try to add a new HTML entity (e.g. > <img src=x> <) and I can't find my way around that
The best I've gotten is to harvest user IPs via triggering a background image load to listening site:
see if you can utilise this for OSRF
can you get it reflected? or just self XSS? (i.e. will it trigger from a URL, or does that user have to enter the payload manually)
if it's self XSS then I'm not sure its worth all this effort
Yes
Update to mine:
They're writing me a testimonial & allowing me to post about it on LinkedIn tagging them. Hell yeah.
Damn that's awesome, depending on your current career status might even be better than a bounty
I'm 17 years old, and work part time as a cyber security assistant
Wow! Then at 17 years old you're defo on the right track!
Man I just turned 22 some days ago, I feel so fricken old already
same here, felt like I have never learnt that much
same here 17, full time penetration tester at a private company
You're not in education?
I'm assuming you're not from the UK?
Ehhh you're not that old, and ty for the kind words.
Gave +1 Rep to @wind coral
I am
No no
I started on this company since 16
I did an interview
I got accepted cuz I had knowledge in cyber
then how are you full time
ah nice, I presume in office?
Yes
I also work full time but like you, just during holidays
Just with no papers sadly
Well I presume you needed to sign an NDA
Soo until I turn 18 it's like I never worked
No experience paper
But idc, I want knowledge
nice, so UK?
Nah I didn't sign shit
Not even an NDA? For pentesting?
Only in the Balkans do those things happen
Like if people ask they will tell that I'm training or doing an internship yk
well, either way - nice work! indeed you learn a lot
Yes yes, I have built a nice network so far
I have the resources
I learned web app pentesting
Did CTF a lot
And now learning API pentesting
The only thing left is time
I assume by the new year 2024 the API is done
I want to learn it well before I turn 18 in March
Nicely done dude, I ain't pentesting or that. Just doing development and other cyber tasks, whilst doing personal study towards certs
I am really struggling between just going all in on Pentesting & Bounties or doing a research master in my uni security lab
LinkedIn offers in Germany are crazy right now, so I'm super tempted
just thought of Bounty the paper towel company, they should be sponsors
i say do both, Vickie Li did that, she wrote the Bug Bounty book
weekend find bugs
weekday uni stuff
I will probably decide very shortly before a masters would start because I want to wait and see how my bachelor thesis turns out^^ Like there is no sense in doing a research master if you're bad at writing papers
No problem with writing at all, I'd actually consider myself a very good storyteller. But for me there is a big difference between a report and all the quotation, methodology etc.
I feel it's more strict. In bug bounty you just have to make other people understand the issue (and be professional) but academic research is tougher
imo
yea, I remember academic writing, I loaded my papers with references galore just to make it very clear that I'm not breaking rules
bug bounty reports would be using analogies to get the point across
ye exactly. I am a free soul, I like to express myself and not put a gazillion [xyz et al.]
according to the Intro to Pentesting book, the non-tech stuff goes into the Executive Summary,
I ordered my Hacking APIs book so, I hope to start soon
what kind of bugs are you interested in?
Broken Access Control (e.g IDOR) + and stuff like XSS, SSRF
I think those are quite interesting. I am currently working on the Bug Bounty path of another learning site, after I completed Web Fundamentals on THM
Still got a lot to learn
My background is no compsci at all and now I do automotive security, crypto & ISO stuff
doesn't local file inclusion fall inside broken access control???
genuine question... not sure where it is classified
https://bugbeat.tech/ is this site legit ? (found it on a dodgy medium article so wanna make sure)
Yeaa trueee
Yeaa I'll see if more ppl start posting about it
Learn skills, follow scopes.
learn owasp top 10
Hey guys, I am getting this issue while running an Outlook Web App website on Firefox
To use Outlook Web App, browser settings must allow scripts to run. For information about how to allow scripts, consult the Help for your browser. If your browser doesn't support scripts, you can download
anyone know how to solve this in Kali in Firefox?
That's a weird error, especially as it's Firefox which is a very modern browser
Can you try opening it in an incognito window?
Yup I tried, but same issue
guys any road map for learning bug bounty
Check the pinned messages
ty
Gave +1 Rep to @lilac spindle
hello there, I am kind of new here. Can you please guide me on how to start bug bounty programs?
!docs bug-bounty
@fallen palm
Thank you
Gave +1 Rep to @merry solstice
that has nothing to do with learning bug bounty?
@keen crystal Check the pinned messages here for some pointers
thanks for replying. any alternative
Gave +1 Rep to @fast fable
Hey, I'm not sure if this is the right chat, but out of curiosity, I have a few questions:
- How many people here actually practice bug bounty hunting?
- How many hours do you typically do it per week?
- How much do you make on average?
- How LONG have you been doing it?
hey everyone
I was messing with a HackerOne program and I found an IDOR that messed up the profile picture on a website. Is this enough to report?
It made the picture look like this:
here's the original for your reference:
try to go further
in your place I would have taken that as a starting point rather than an end one
That doesn't have any impact
Latest Update to mine:
@wind coral @lavish hollow
Oh shiiiiiit
Congrats, that's amazing
You will have ultimate cadets bragging rights
ikkkk, it's getting blasted on social media soon LMAO knowing my luck.
Looking online, that type of recommendation is reserved almost exclusively to units and very select senior volunteers.... oops
Big boss boy...
As soon as I have the certificate may post it obfuscated here as some sort of finale LOL
Such a shame it's Sea Cadets and not Army Cadets /s
stfu Sea Cadets are better LOL
Just WOW
Congratulations! You better show up at that parade haha
Yup, my parents are volunteers at the unit anyway so even if I was on death's door they'd drag me up, now to make sure my uniform is
That's really really cool
1) I'm almost full time. 2) Totally depends, sometimes 50, sometimes 0. 3) On average, for the last few months, 5k+ a month. 4) A bit over a year
I really appreciate the response. I've been trying to gauge whether or not it's an actually lucrative side gig, how lucrative, or if things get discovered so quickly that it's more of a hobby than anything else..
I definitely want to continue, sounds like an enjoyable thing to do while also learning, but you know... Questions
At the end of the day, it's not a reliable source of income
It's not reliable for sure. But once you get good enough to achieve an acceptable minimum income with relative ease, you can likely take it on full time. Depends on the lifestyle you want too. I wanted to be able to travel so I taught myself how to hack. @shut rapids
Freedom of movement sounds pretty amazing to me. For me primarily, it is a way to learn, have fun, and also generate revenue as a side gig. Plus, I was contemplating doing it while going to school. If I'm able to pull that off, I'd be pretty happy
go for it
That's fair, my point is that it doesn't give you the security that a proper job would - if something happens and you get unlucky or just don't find any bugs then you're very much screwed
Hey, mind if I DM you for some help? I'm trying to get into BB too & have been learning about it for 3 months
I've a question for you guys: how do you test for programs that have in the scope the official production domain? Meaning do you use vpns or something?
I don't understand how someone from that program would realise that the SQL injection that they're reading in a log (for example) is coming from a legit tester and not come after you
do any of you use Shodan for bug bounty?
True, but I would say that with many layoffs occurring (especially in tech fields), jobs aren't necessarily reliable either. Kinda hard to actually find a reliable job to be honest lol...
@dapper lintel I just started learning, honestly if you are looking for someone to share information with I wouldn't mind the collaboration. Up to you though
Not really the same. With a job you get a contract and have a guaranteed salary, with a bug bounty you are not guaranteed to get anything. Plus you don't get any of the other benefits like a pension etc.
Bug bounty should not be comparable to a job, imho.
I'm not saying don't do it, by all means, it's good as a side income but do not see it as an actual job
Hi everyone, I'm having a problem in TryHackMe and I hope some of you can help me. When I start the AttackBox, every five seconds it tells me "Disconnected" and I can't do anything. Can someone explain to me how to solve this?
Thank you so much for the answer
hey guys, have a small doubt
let's say I want to do a web app pentest for a client and the web app is using Cloudflare. Should I do the pentest on it or should I ask for an env that isn't behind Cloudflare?
I've been wondering the same thing...
Of course you should do it against Cloudflare
but how do people find vulns against Cloudflare or any other WAF? of course there could be bypasses but this is a pentest not bug bounty, we don't have time to go and try the bypasses right?
Did you solve it? Maybe try to log out and back in again
Sometimes a company will offer a severance package when laying people off. It happened at my job. So there's also that bit of safety with a job
That's good
If you ask for an environment that does not have Cloudflare, it will require additional resources on the client's behalf. An attack against their website behind a WAF simulates a real life threat actor where they can be sure their mitigating controls work.
Of course if they have a staging environment, you could do it against that, but it's always good to know your defenses work since you have a WAF. That doesn't help them against other vulnerabilities like logic-based or information leak.
@wind compass no, unfortunately I have not been able to solve the problem. Anyone else got an idea?
You could try asking in #site-support , bug bounty is not a good channel to get help with this kind of problem.
Is there a bug hunter here?
can anyone tell me... which tool is used for finding subdomains?
Have you tried searching this on Google?
yes, the results are amass, subfinder etc.
but the info is not that good
do you suggest any tool?
I suggest reading into how those tools work
There are many resources about them
amass is probably the best one
Hey, I have studied bug bounty hunting, about the vulnerabilities, how websites work, etc. But the thing is I'm not able to find any bugs, and when I look for any solution I come to know that there are a lot of things that I don't know!!!
So, how can I improve my knowledge ?
Learn?
Really learning is the only way you'll get knowledge.
Any Resources?
!website
you can solve DVWA and Juice Shop and PortSwigger labs
guys, I am new here, what is bug-bounty? Are you looking for bugs on specific sites or just choosing any and notifying them in case you have found something?
No It's not random, there are scopes and out-of-scopes. You can find bug bounty programs from platforms like:
https://www.bugcrowd.com/
Isn't hackerone better?
depends on the person. I like H1
thank you for sharing the link @shrewd ocean, so it's those applications which officially proposed their apps for bug hunting, as I understand
Gave +1 Rep to @shrewd ocean
Yes, there are also vulnerability disclosure programs for other platforms that may not be directly in BB platforms so better check those out
Portswigger academy
hi
yep, I like HackerOne, but both are great for getting a good reputation! value rep over bounties starting out!
should you pay a bug bounty hunter for an XSS they found through bypassing security products and/or libraries (DOMPurify js and Akamai WAF for example)
I think if it affected your service, or has the ability to affect your service, and it is not touching something labeled out of scope, I'd say yes
but, that's also coming from the bug hunter perspective
What are your strengths, and just as important, what are your weaknesses? A lot of times people 'get' the general idea, but then when faced with an actual problem to solve they have no idea (it's okay, it doesn't mean you're dumb, just new).
A perfect example of this is me with python. I can read python well enough to debug existing scripts, but my ability to functionally deploy scripts is extremely beginner.
On the other hand I'm quite comfy with bash
I want to start bug bounty so please name some platforms for beginners
I wouldn't say there is one really for beginners or not, but HackerOne does have Hacker101 built in, meant to help teach you to find bugs in the real world
Thank you
NahamSec and John Hammond also just released this site https://app.hackinghub.io it's CTF style but with actual bugs they've recently found on some BB programs
a question came in my mind, why are 'Dos' Vulnerabilities out of scope for most Orgs?
if it can't potentially harm the Org's reputation or cause financial loss then why is it out of scope
because dos affects their availability and time is money
But how do they protect themselves against it?
internal testing and/or contracted pen testing
Aha makes sense tysm
Because they're not really interested in that sort of thing specifically for the bug bounty
DoS is a very common issue and it's not something that should be awarded bounty for
And trying to test a DoS attack will not be good for their availability like snoower said and would be seen as malicious
there can be lots of ways to defend against a DoS attack, one way is WAF
Thanks to all of u
with contracted pen-testing, they can also limit potential downtime (affecting the availability aspect like snoower said) to only happen during the lowest point of any work/sales
hey guys, there's this endpoint that I used arjun on to look for hidden params, and I got 'class', but whenever I use the param I get a 500 internal server error. Does that ring any bell?
Hi guys, is an exposed Google reCAPTCHA v3 API key or Amplitude API key an information disclosure to report?
it's saying the site crashed so I don't really know about it. It could be because the server was not able to handle the request / the site was down temporarily / there's actually something in the server which is causing that to happen. There was a room similar to this error if I remember correctly (but I forgot what it was)
I'm just curious how others' nuclei config.yaml looks. Would any active BB hunter mind sharing?
If someone has a working (private) exploit for CVE-2022-37434 leading to RCE and they can share it, please reach out. I will treat with utmost confidentiality.
Needs to be working against
MySQL-5.7.39 on Linux.
Why not make the exploit yourself? Would be pretty cool
hi guys. I'm new to bug bounty and hacking, can you suggest me any GitHub repo for good tools and learning resources please
Check the pinned messages in this channel
sure thanks
Because I am way too badly versed in this whole area of exploit development
hmmm @analog glen
Exploit dev is only allowed to be talked about in specific role locked channels
And, you do not need a working exploit if you can demonstrate vulnerability
@worthy folio
AT&T's scope on hackerone says *.sky.com.mx is out of scope. Can I still poke at sky.mx.com?
hi guys
I need help
subdomain takeover
I get
what should I do
can you guys help me to decode this TGUE?O·S·K·MTUEGI·SYENFE·TOI···SRO·T·SF·OYT···O·T·KUMH·I·AE·NMK··
is this from a current ctf?
yes room name Theseus
How to get started in bug bounty? I have done a Intro to Bug bounty course by zSecurity but I don't know what to do next.
I mean how do you get started on a live website
({ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." })
Potential vuln?
telerik
Oh cannot help then
It is from a THM room that says do not post any writeups, so I think it will be against that rule to solve it for someone. You might go to #room-hints to ask for hints
you can use cyberchef to decode it
https://gchq.github.io/CyberChef/
Ohh.. took a peek and it is an Insane rated room..
Hello guys, I have just started out and am struggling to find the entry point. I have done about 60% of PortSwigger Academy but that wasn't any help when I tried bug bounty, I was like in a whole different world, so I learned Django in Python to get a good idea of websites, but as it is a framework it wasn't that helpful. Now I am learning networks and then imma switch back to web pentesting. Need help!!!
I haven't done that bug bounty course by zSecurity, but by glancing over what I think is the course, it looks like Zaid goes over a variety of vuln types and uses PortSwigger's Web Sec Academy to demo.
I'm curious, what did Zaid use for the 2 hours of live bug hunting? OWASP Juice Shop? A custom web app? Something else?
If bug bounty hunting is your goal, I would suggest you just set aside some time for bug bounty daily or on certain days of the week that work for you.
Then, split time between studying/learning about something and actively hunting. Depending on your knowledge and experience, you may spend more time studying than hunting. Come up with a split (e.g. 60:40) and adjust as needed.
At least for part of the hunting time, work on applying or trying out what you are studying.
This can also help bring focus to your hunting sessions and help with filtering all the overwhelming information into something more manageable.
I believe continued improvement should be the primary goal, since that's more under one's control. Theoretically, bugs will come, but focusing too much on the need to find bugs in the beginning may lead to frustration and burnout more easily.
Read disclosed reports on things like HackerOne's Hacktivity and write-ups of people's hunting experience. Sometimes people don't really know what they're talking about even if they found a valid bug, and sometimes people fake things in blog posts. Don't worry, but just be aware this happens.
Some resources:
- https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
- https://github.com/bobby-lin/study-bug-bounty
- https://pentester.land/writeups/
- 2023 Path to Hacking Success: Top 3 Bug Bounty Tips (https://youtu.be/KXQ_MUe6wKo?si=-7UyDaBb9gMT-ao8)
If you've done 60% of the PortSwigger web sec academy labs, then I figure you have enough of a jumping off point.
See my other reply above, but I think what you need to do is pick a program, stick to it for a predetermined amount of time (e.g. 50 or 100 hours), and focus on improving things incrementally to gradually build out a methodology and experience that eventually leads to that "intuition".
Experiment with note-taking methods and find something that works for you.
You may also need to work on, in your mind, filtering all the info flying around in requests and responses down to a single thing to focus on at a time.
Thanks @vital swallow . This is really really helpful
Gave +1 Rep to @vital swallow
No problem; hope it helps
Happy hacking!
Researching CVEs has become a real interest of mine!
Only a quick write-up about the latest iOS update 17.0.3 and what security vulnerability it addresses!
https://medium.com/@CtrlAltT0m/apple-iphone-ios-17-0-3-update-d54f6ef3158d
hey, I am testing for an XSS and when I turn to the source code I see that it encodes it as HTML. Is it possible to bypass it?
if its being encoded probably not
Thanx
Hey guys, Suman here. I am new to bug Bounty. And I would really appreciate it if you guys can guide me on my journey. I hope to learn things from you guys after spending a lot of time in TryHackMe and HackTheBox, I tried to do bug Bounty and it seems that it's a very challenging thing to pull off. It felt like I tried to bite off more than I can chew, especially getting discouraged when I see an app behind cloudflare and akamai. Cannot think straight after that, I don't know how I should approach this. Am I missing methodology/knowledge etc...? If you guys have your own story on how you guys started, please feel free to share.
Even if it's a VDP I tell myself that I need to find one valid bug to prove that I learnt things correctly. Just to jumpstart my career.
Would greatly appreciate your advice
Don't think of bug bounty like that. Many BB hunters don't find stuff for weeks, or months even.
Bug bounty is an added security layer on top of a company's existing ones such as pentesting, secure SDLC, etc.
Its kinda like picking off the meat from the bones.
Approach bug bounty from logic-based side. A lot of those cannot be picked up by WAFs
a
Ha
Anyone interested in doing bug bounty?
Hello guys,
I'm new to bug hunting and find myself left quite confused, after I thought I found my very first, little issue on a VDP:
From time to time I read through the hacktivity stream and see what other hackers report on the different programs. It feels like this gives some good inspiration. And in fact, It didn't take that much time until I noticed some very similar issue on a VDP I started hacking on:
The "reset-password-link" sent to a user's mailbox, after clicking on "forgot password", started with a plaintext http URL scheme, rather than using https for TLS. Obviously this allows an attacker to sniff on the network and perform a MITM attack when a user resets the password and clicks on the plaintext link. It can result in a complete account takeover.
The very same issue was reported recently on another program (BBP) by someone else. It was rated as HIGH and the hacker was rewarded with 750$;
To my full surprise my report was closed as just "informative" by a platform triager (does not seem to work for the VDP's company), stating that this does not have any security impact and that it is not mandatory and just "best practice" to SSL encrypt password reset tokens during transmission.
I find this argument quite weak and wrong. So I decided to write a little tool and record a video showing the impact:
My little go tool uses libpcap to sniff on the network and perform a full account takeover when detecting the plaintext password link "on the wire" in plaintext.
Still the issue is closed and I got no answer so far :/ Is it common that issues are deemphasized? Did I waste my time? Is this maybe VDP related and should I go for BBP instead?
TL;DR: Why is someone rewarded with a 750$ bounty on a BBP while my same finding on a VDP is closed as informative by a triager?
Yeah that can happen, different companies and platforms have different requirements and it's also dependent on their assessment.
You've done your part reporting it, now it's their responsibility
Yes, I understand that in general; although it's a bit disappointing, because this was my first report ever.
Anyway, at least I had some fun playing around with libpcap
Yes, true! I should not let this demotivate myself and just keep going.
Hey, you've now learnt something so you haven't left empty handed!
Yes, thanks. That's true
what was the best place to learn and practice bug bounty hunting and web hacking ?
TryHackMe has a lot of good content on web application hacking. There is also HTB's Certified Bug Bounty Hunter path and PortSwigger Academy. All of these platforms offer challenge labs which allow you to practically apply knowledge of web application hacking.
Hey guys does anyone know wso webshell; I have some questions
What kind of filters do people use in Logger++ in Burp? I wanna get better at using my extensions in Burp Pro
I did CBBH on HTB but still feel as clueless as before xD
What should I learn first as a beginner in Bug Bounty?
Check the pinned messages here.
I might be close to getting a CSRF on the users account settings of a web app. However using Burp Suite's CORS PoC and executing it in my browser logs the following CORS notification: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <REDACTED> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.
Any go-to bypasses that could work that you recommend?
Try reading Burp's module on this.
Hey y'all! If you're having trouble doing write-ups for bug bounty programs, feel free to contact me. I've run a couple of bug bounty programs before and I'd be glad to show you the ropes of what we really want to see in your write-ups. DM me if you're interested.
Anyone got any tips on how to start finding bugs in choosing targets and finding web-application bugs?
One thing that works is focusing on improving your methodology on how you'd test things.
But other than that, there's no magical tip to help you find bugs
A lot of luck involved in finding a good target
love cyberchef
Hi
Can someone help me, I want to enter bug bounty hunting and I feel lost. recon? vuln discovery?
Exploitation? PoC? Reporting?
If someone can help me by providing sources on how to learn these and then the methodology behind it. Like channels to watch, live recon, poc... etc. even if you have THM rooms to complete
Check the pinned messages in this channel
Also take time to watch videos from TCM Security
bro rn they're offering 50% off on membership
I am a newbie in bug bounty hunting.. Any experienced person here to tell what I need to do.
Like I have learned about the vulnerabilities, OWASP TOP 10, solved pico/thm/htb/hacker101ctfs, been in many ctfs competitions, but still I am struggling hunt bugs..
It will be great if anyone will help me..
Cheers š„
Hey everyone. I'm an entry level red teamer and I want to join a bug bounty team, how can I do it?
Look for a team recruiting?
where can I find it?
Can someone help me with payment issue of shodan
Shodan would give you better help
Ok
When I introduce myself to others in the IT Security industry as a full-time Bug Hunter getting paid through Bug Bounties, they often have many questions (when I do this to people outside the industry they look at me funny and fake reasons to excuse themselves). In this post I reflect on my experiences after 12 months bug hunting for my primary ...
Great article
Have y'all ever hacked on a website that doesn't let you use a proxy like Burp? Are there any common work arounds?
maybe try ffuf?
Is it due to HSTS?
You can apply with the Synack Red Team. They'll invite you to take their assessment. But it is tough, as it is equivalent to the OSCP.
An alternative would be to subscribe to TCM Security Academy and enroll in their Bug Bounty course. You'll be invited to the Intigriti Bug Bounty Program upon course completion.
just completed my first bounty, I reported it 1 month ago and only now it's been closed
I didn't win any money
just 2 rep points
hooray
get used to that
it takes a lot to have success in bug bounties. Anything good will come from private programs though, so the Rep could help
Are these tokens a problem if they are exposed?
gotta find out where they are used
and a red scribble isn't a great job at censoring them
aha, ok thx
I found these tokens exposed, and now I'm searching whether these are sensitive data or not
Hi, I wanna learn bug bounty hunting and get my first bug, and I heard PortSwigger is a great resource to learn bug bounty. Is there any other great resource? Like a YouTube channel or something like that
Hi, while I do agree that PortSwigger is a great resource, this is meant for web application security, not bug bounty in general. I'd like to include resources such as Jhaddix, Intigriti, Tib3rius, NahamSec, and InsiderPhD as people who make good content on this particular topic. There are also books like Bug Bounty Bootcamp, Web Application Hacker's Handbook, and Web Hacking 101. Disclosed bug reports on BBP platforms are also a great way to learn methodologies and understand bug impact and report writing.
If you like paid content, the bug bounty course from TCM and HTB are something you can look at.
Most of the resources I suggested are largely related to web application security as that is the scope I'm usually accustomed to. If you need resources for other types, you can ping me.
Ohh I see, alright ty
@quick berry I saw your msg, you do bug hunting full time.
I have some questions. I've been learning web security for quite some time now but still I haven't started bug hunting, because I don't understand vulnerabilities. Like everyone refers to OWASP Top 10 and says read this and understand it well; the thing is I don't understand because everything in the OWASP is some written English text explaining what a vulnerability is, what broken access control or cryptographic failures are etc.
So it does not make sense to me cuz in the Portswigger academy labs we intercept a request, tinker with the request and response, and I think it's more sensible and I'm able to grasp what security is.
So what would you guys recommend me to do after solving the beginner level labs on Portswigger? Should I read the OWASP testing guide or do some more labs like the intermediate ones, or do some more labs on PentesterLabs, or what? Like how and when should I start bug hunting?
Thanks and sorry for troubling you!
I'm thinking of enrolling in UNDERSTANDING THE OWASP® TOP 10 SECURITY THREATS (SKF100) by linuxfoundation.org, cuz it's free
Gave +1 Rep to @quick berry
and I've been thinking of focusing on a single vulnerability and excelling in it like gonna go and read about broken access control every single blog, report, solving a lab or ctf's etc.
is this good??
I've read where folks do concentrate on one vulnerability across multiple bug bounty programs.
I can't recall how was it money-wise though.
No in order to learn properly with focus. That's why I wanna focus on one. So should I do??
I'm not thinking of money at the moment.
I'd say focus on the one to learn, like you are, and once you have that one down REALLY good, then you can move on to the next one, then rinse and repeat
Thanks
Anyone who wants to collaborate? I am new to bug bounty but not cybersec, have average skills, but if we collab I would say we can achieve great things
Sorry
I think I'm being rude here, with the "No"
Nah, no offense taken.
Can I use XSS using ' instead of "
When I use " in Burp it collides with the syntax
Have you tried googling this?
I mean <script>alert('xss')</script> is the same as <script>alert("XSS")</script>
Yeah, but I'm not sure
well they are the same type so no one is stopping you
yeah man let's do it, i too am new to bug bounty.
I'm very new to this field. I recently got my first computer, so could you guys suggest where I can start?
could u help me with wp-login bypass?
i alr have the username
tried various premade wordlists as well as made a custom one using cewl
but none of them worked while brute forcing
any tips what i shld do next?
have you tried wpscan?
not yet, what shall i particularly look for in wpscan?
Read its documentation on GitHub or the manual. There is so much you can do.
found quite a lot of vulnerabilities, including DOM XSS (CVE-2021-24891 - https://www.jbelamor.com/xss-elementor-lightox.html) and Unauthorised XSS, however when i use the payload in the article it doesn't work
Yes, most of it would be false positives. Plus, sometimes you have to perform some tweaks in the payload. It won't always be straightforward. Hope this helps.
Try learning paths from TryHackMe. https://tryhackme.com/hacktivities
"Add a custom HTTP header to all your traffic. Let us know which header you are setting so we can easily identify it. Since our SOC Team is constantly analyzing traffic, if you do not set this header you may be blocked." Since I can't do this simple thing, I would appreciate it if someone could shed some light on it. I constantly get banned while doing bug bounty...
how do u determine a false positive??
you test to see if it works
i ran xsstrike over my target and it gave me quite a few payloads, now how do i use them?
XSStrike v3.1.5
[~] Checking for DOM vulnerabilities
[+] Potentially vulnerable objects found
------------------------------------------------------------
9 ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://w1 window.jQuery || document.write('<script src="https://target.com/wp-content/themes/twentyten/js/libs/jquery-1.7.min.js">\x3C/script>')
------------------------------------------------------------
[-] WAF detected: ModSecurity: Open Source Web Application Firewall (Trustwave)
[!] Testing parameter: s
[!] Reflections found: 4
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 1536
------------------------------------------------------------
[+] Payload: <a%0aONPOINtEREntER+=+(confirm)()%0dx//v3dm0s
[!] Efficiency: 93
[!] Confidence: 10
------------------------------------------------------------
[+] Payload: <deTaIlS%0dONpOiNtERENter%09=%09(confirm)()//
[!] Efficiency: 93
[!] Confidence: 10
------------------------------------------------------------
[+] Payload: <D3v%0donPoinTerentER%0a=%0a(prompt)``%0dx//v3dm0s
[!] Efficiency: 93
[!] Confidence: 10
------------------------------------------------------------
...
also what does the efficiency and confidence mean?
Well efficiency is how well it should work and confidence is how much of a chance it will work against what you're scanning. I've never used the payloads it gives me; I only really look into the code it displays as potentially vulnerable, as well as if it finds any CVEs
You're probably best off using Burp and fuzzing to see which characters aren't and are allowed and then trying to make your own XSS payload. A lot of the time in bug bounty you'll get a dupe cos others have done it too with automated tools
Have not used the attack box for 1 hour but it will not allow me to use the attack box.
I think that it's either one hour or one time of you launching it, so if you close it earlier, you won't have access to it for the day.
Why though?
At work I have the next 35 days to do basically whatever I want. Would taking Codecademy's full-stack engineer course (150 hours estimated completion) be beneficial in the long run for bug bounties or a waste of time? (currently have oscp and htb cbbh)
I found Ars0n's framework and I'm just starting to learn bug hunting. Would this be a good beginner tool to start fuzzing/exploring or should i learn with something else?
Try the browser inside Burp, instead of using another browser and the proxy. That lets you visit the site without messing around with the certificates (which is probably what the site doesn't like), and it's not a proxy any longer.
I think it depends on where you are in your pentesting journey. Since you are doing the course to forward your bug bounty abilities and not your full-stack development abilities, in order for you to get the most out of the course you should have a good amount of security experience so that you can view the coursework with a critical eye for how to apply your knowledge. If you're still early in your path, taking this course should be done only if you will practice and maintain the skills you learned in it, while you bring your security skills up to understand the security implications
Wut
Neither of those statements are correct.
- The inbuilt browser still uses Burp's certificates -- they're just pre-installed.
- As far as the site is concerned, you're connecting with its TLS cert. That's how a proxy works. You connect to the proxy (with whatever cert it decides to serve you), then it makes a connection to the target on your behalf and sends you the response.
- It's very definitely still a proxy lmfao. Again, just preconfigured in the Burp Browser so that you don't need to do it yourself.
Oops.
What do you think is making the site not work through Burp?
Would be difficult to debug without looking at the error, honestly. We have virtually zero information to go on from that statement.
It might not even be a technical problem -- could be something in the scope of the bug bounty programme rules which state you're not allowed to use a debugging proxy.
On a technical level you'd struggle to detect it from the server side. Delayed execution between multiple requests designed to fire in quick succession would do it (basically a trap), but I've never seen anyone go to that trouble.
If it's a technical issue then I'd wager it's at the client side. Issue with the Burp cert or configuration. It's a bug bounty target rather than an in-house application, so it's unlikely to be something like mTLS or SPNEGO failure, both of which are reasonably common to debug on a pentest
have u made any changes to burp recently? i always get this when i configure an upstream proxy on a previous test, and then the next test it takes me ages to realise i need to remove it
You know you can set that per project, right? 
I've actually had this happen in a project recently, I couldn't figure out what caused it and the clients didn't really care to look into it as we were on the tail end of the project and just finishing up things.
The circumstances were slightly different though as we weren't testing directly from our VMs/Host Machines, we used a VPN and RDP'd onto their machines and installed tools there. We were able to communicate to the web application without a problem using any regular browser and the browser through Burp, but when trying to use foxy proxy for example to relay information to Burp it didn't work. Still puzzled why and how but it is what it is.
The location of Burp shouldn't make a difference there (your machine / their machine), unless there was something whacky with their machine which blocked you from adding / changing the proxy.
Again, without seeing it there's no easy way to debug. At a guess upstream proxy though -- assuming that's the first thing you checked?
Oh, hang on, burp browser worked but it didn't work through Foxy Proxy?
That is weird.
Would suggest that it's something either in the browser setup, or an issue with Foxy Proxy honestly. Did it work if you just changed the proxy settings in the browser rather than using the extension?
The latest update of foxy proxy is known to cause issues for many, reverting to the old one solves it
Yeah, been noticing that this morning
Exactly why the inbuilt browser is so convenient
It is until you get into enterprise SSO lmao
I'm not sure what sorts of testing aren't working through the proxy, but I've been wondering if a headless browser running in node would be a good option. You could manipulate a great deal without a proxy. You'd have to write scripts instead of being hands-on.
Of course, using curl in a script is pretty similar or better if you don't need anything from the DOM.
What led me to my super wrong statements about the inbuilt browser not being a proxy: I don't see why it would need to be, if it were implemented differently. By being the browser, technically it could use the signed certs, etc.
This imaginary browser probably wouldn't solve your problem, as who knows what the root issue is
For subdomain bruteforcing and resolving.... Which tools do u guys use?
I use a few actually.
Even incorporated some AI to help determine the potential exploitability of subdomains found.
I wrote about it on my blog a few weeks back. DM if you want a link to the article, or Google "API Recon Tip: Using AI to 'Eyeball' your targets".
THM mods won't let me share the links directly on Discord any more.
death to the mods
Don't blame the mods. They're just doing their job. They just don't have an "intelligence filter" for knowledge sharing vs self-promotion. I don't blame them. It's a thankless job managing Discord. So they gotta use somewhat blind rules; they can't read every article to see if its helpful or not.
Hey are you good?
Hey @swift grotto I'd love a response
About what?
I'm good if thats what yer asking
Any reason why you're making false comments about moderation instead of reporting it via the correct channels as per the rules?
False comments about moderation? That's a strong statement. Perhaps we should take this private. Or better yet, maybe you can ask @modest vector for some backstory.
I'm well aware of the backstory.
I literally stopped helping in THM Discord because of this. I pop my head up to help someone here, and we are going down that path again
I was saying not to blame the mods. No "death to mods" comments are needed.
Jabba, out of genuine interest and because this really doesn't look good with no context,
A) Which part of that was false, and
B) How should that be reported?
Or rather, what is there to report?
Just to break that down:
- Don't blame the mods. They're just doing their job. Volunteering, but true
- They just don't have an "intelligence filter" for knowledge sharing vs self-promotion. Also true, last I checked -- unless the new bot code base has some fancy LLM model backing it to check links for usefulness?
- I don't blame them. It's a thankless job managing Discord. Reckon we can agree on that one

- So they gotta use somewhat blind rules: they can't read every article to see if its helpful or not. Again, we sure as heck couldn't do that when I left. Is there someone on staff who does read every article to see if it's helpful or not now?
They were told they can post their resources if they decide to interact with the community
Instead of posting every new article they write in the resources channel. They were aware of the terms
Funnily, moderators did actually read their articles, just as I do with most user-shared blogs in the resources channel :)
Helpful background context, but there's still nothing reportable or inaccurate about the statement you objected to there, unless I'm missing something?
Fair enough!
It sounded like they were complaining, if they have an issue they can go to the email posted in #rules, otherwise we want to keep the discord as drama free
There we go
Hello, how do I get into bug hunting? Let's say I find exploitable WordPress vulnerabilities on websites, can I report it to a bug bounty or do I just advise the owner?
Owner
First, you need to check if they have a corresponding bug bounty program or vulnerability disclosure program. If they don't, I would honestly not report it as there may be legal ramifications about finding an exploitable bug but there is also the act of responsible disclosure where you do let them know that a bug exists on their website. Please take a similar approach and do not under any circumstance ask for any bounties as they may seem like extortion on their part, if they reward you that's nice but if they don't, do not chase for any.
All bug bounty should be done through proper bug bounty and/or vulnerability disclosure programs through the proper channels.
Also, don't advise the owner. You'd most likely contact them and ask if you can be transferred to their security or IT department to responsibly disclose the bug. You don't send everything through their customer support marketing email.
Thanks for the quick and complete answer.
So what are the proper channels to get into it ?
HackerOne and BugCrowd come to mind. There are also software vendors that do have vulnerability disclosure programs; off the top of my head, Qualys I think.
thanks
How can i know which 3rd party integration the site is using for different functionalities? Like for file upload, forum, etc?
Fingerprinting, Wappalyzer, guessing, etc.
So maybe by the end of January, I'll finally take the leap and work for Bugcrowd. Not gonna lie, I'm a bit nervous. I've worked heavily with CTFs, and I feel like the walkthroughs have held my hand long enough.
For those of you that have worked on bug bounties, are there any tips or advice y'all can share with me to help make my transition from CTF to real world projects a bit easier?
if I have a config.php but when accessed it is just blank, is there something I can do?
It is probably because you don't have access to it that's why it only shows a blank page.
Not technically also. Sometimes it may have just run PHP code where it doesn't print anything to the frontend.
Kind of out of ideas for this one so if anyone can help out i'd appreciate it. Currently working on an XSS with a pretty strict CSP in place.
script-src 'self' https://redacted.com https://*.redacted.com
I was able to bypass their waf but now just dealing with CSP. my current payload is:
<img src=x onerror=alert%0A%0D`1`>
One thing i noticed is that they have a few subdomains hosting WordPress sites so I was thinking maybe using JSONP, but my sink is innerHTML so script tags won't execute. It's a popular social media site so I was banging my head against image uploads to try and get some JS through but strict validation so no luck. Thinking about reporting as HTML injection and moving on, 8 of their pages are handling input the same way so JS execution would be noice. If you guys have any last minute ideas before i report let me know, thanks!
probably this
Hi everyone,
I have intermediate level knowledge on web app bugs. I want to start bug hunting on platforms like BugCrowd, HackerOne, but whenever I try to go through any program I always have feelings like these programs are being tested by very experienced and a huge number of testers so I won't find anything here. Because of this competition I am not able to start my bug hunting journey; any guidance to overcome this and any other tips will be highly appreciated. Also please mention any resources which, if I learn from them, can make someone like me stand out.
Thanks
That is the truth to bug hunting. Welcome to the real world.
Keep hunting till you find something.
The people posting those big bounties aren't usually finding them on public programs. They are invited to private programs usually after building some reputation in public programs.
I am listening to Cristi Vlad's recon course on Udemy and one of his tips when you are starting out in bug bounty is to select programs which do not pay a bounty or those where you earn reputation points only, as the number of participants won't be the same as those that do pay. It will allow you to build your portfolio and reputation to get invited to private programs. However, I haven't started doing bug bounty myself so I have yet to confirm how accurate that is.
Thanks for the info and encouraging words
Gave +1 Rep to @lilac spindle
Thanks for sharing the tip.
You'd be surprised what can be easily missed (not saying it's the norm, but it's always worth trying)
I've found XSS on huge sites (millions of users) which you'd think have been tested extensively already
Sure, some of it is luck that they didn't find out but I wouldn't automatically rule out a program just because of other testers on it
Got it @fast fable, thanks
Gave +1 Rep to @fast fable
Hey all,
Does anyone know how to limit the number of requests per second for Hakrawler, the web application I am testing allows only 5 req/sec.
Thanks
anyone know a good bug hunting live stream?
You can change threads with -t, not sure what number would work for you. Default is 8. Doesn't look like you can set it by req/sec... maybe find a different web crawler?
Any cert that would be a good start to a journey in bug bounty?
Have you looked at HTB's CBBH?
That's a good one, I think TCM Security put out a bug bounty cert a little bit ago as well. PJWT is what I think it is called
Ohk, thanks
Gave +1 Rep to @south bluff
Thank you found it
Genuinely question what's the point of a certificate in bug bounty
Genuine
So get it to get into a program?
If you mean certifications, there are platforms that let you add them to your profile to boost your marketing, kinda like LinkedIn. There are also platforms like SynAck that use certifications as a way to "accelerate" their application into the platform itself.
Okay so why not get an ethical hacker cert which would help you in more areas like an actual pentesting job as well as bug bounty
Or is the bug bounty cert what's needed
Probably in reference to the CBBH or whatever it's called
Do you know any bug bounty methodologies and where to find them? When I try testing, I catch myself doing random stuff for a very long time and nothing really productive.
get some basics certs first @blissful ravine
yea ik i was just curious on what was the point of them to begin with
fundamentals , Jr pentester , basics of security
I'd say the way it looks for security consulting companies is the same with bug bounty. It's a big marketing factor. If you've ever had someone vouch for you, this feels the same way. Clients would often want to do business with people with credentials and experience.
no bro ik what im doing lol, you are misunderstanding what im saying
To those who have found bug bounties for money, how good of a hacker do you need to be to find bugs? Like what's the likelihood that I even make a dime on HackerOne after completing the TryHackMe pentesting pathway for example? I'm very new to all of this so I apologize if the question is a little elementary.
Bug bounty is mostly luck and persistence.
Of course, you need to be equipped with the proper methodology and a keen eye for seeing possible issues to capitalize on this.
Also, a "good" hacker is very subjective. I see people who only know IDORs and have found tons of bugs related to them. I'd say if you want to be a "good" hacker, you need to have a proper methodology. Not just throw shit at the assets in scope hoping something will hit.
Hi all,
Goal: manipulate form inputs after intercepting the request through Burp as there are front end side restrictions for special characters.
I am trying to submit a form on a website. When I don't use the Burp proxy then I am able to submit the form without any errors. But when I use the proxy and manipulate the values it gives me a Captcha Failed error in response to that request. Even without manipulating the parameters I am getting that Captcha Failed error.
It's an invisible captcha and not the interactive one.
Any solution?
Good luck to everyone; Is it a vulnerability or the beginning of a vulnerability to make changes to the request with Burp and get server name information in the response?
does anyone do bug bounty from australia?
If you can escalate using this information, else not really
How much truth is there to this comment?
Question for context was "Is it worth starting bug bounty?" which is prob a very common question.
Not into bug bounty enough to know if the stuff about selling automated scripts holds any weight, but I do agree that it is generally not worth it for most people. You're going to be competing against much better people for sure and your time invested to payout ratio (if you ever even get any payouts) is going to be terrible 99% of the time.
I would figure the main goal from bug bounty is to gain a form of recognition and then put it on the resume to improve chances of a job.
That was the main reason for being worried about automated scripts since that would basically mean everything has already been checked except for zero days that the script would not have been programmed for.
I would also assume that if the person is good enough to find zero days consistently enough for an income then they wouldn't be doing bug bounty for a pittance.
Well it is a good rule of thumb that anything on the internet can and will be scanned for various reasons by various people. I do certainly think all of the low hanging fruit would be taken before you could get to it for sure. As for the goal of bug bounty that is different for everyone. I am not sure how useful bug bounty is on a resume, I would personally look for other ways to gain recognition like certifications, CTFs, volunteer work, a blog, etc, but to each their own, it certainly wouldn't hurt to have on a resume.
Out of all of your examples only one of them is experience
I know that, I wasn't saying that they were experience, just that they probably look better on a resume than bug bounty and/or are things I think you get more reward for your time invested
The CTFs make sense though since if it is in person that might provide networking opportunities.
Hi, i have been doing cybersecurity and ctfs for the better part of a year now and i have just recently made my mind up to start bug hunting on Intigriti, but what i have realised is that the whole thing is very hard and confusing, so i am writing this message to maybe get some tips and tricks and also to connect with somebody that is willing to help me
On Burp
Error
No route to host
Any help?
Are you connected on the same network as the target?
Yes @fading sky
On virtualbox, I am running one vulnhub machine and burp running on kali in same network
burp able to capture normal request but unable to capture the vulnhub machine request
can you connect to the vulnhub machine on kali without burp?
Is the vulnhub machine set to bridged or nat?
i use katana to perform a test on a site, then i find email and password (test = 200).. .. can i report it? And how? Because i can just tell the organization that i used automation.. please any suggestions
Yes able to connect
created nat network and both machine on same nat network
Stick them all on the same subnet, probably easier doing host only.
Vbox or Vmware or other?
yes
It's simple, there's a scope to let people know what they can test. If you test something out of scope, you are breaking the rules of engagement and can be potentially liable for any damage you do.
that's the way it goes when you legally do a job that carries out "illegal" actions. you be careful or you get jailed/fined ¯\_(ツ)_/¯
Why would you need to go out of scope though?
you should NEVER go out of scope
if you think it would be beneficial, reach out to the company and request access
and permission
no, its up to the company to do the proper legal actions towards you.
say...Is there a way to get Burp Suite Pro for free?
Yes!
I'll tell you how.
Request a free 7 day trial.
haha
Work for a company that pays for it
Any way to not have my entire browser proxy through to Burp Suite using FoxyProxy? It would be nice to open two browser windows, one that gets proxied and the other to use for looking stuff up without interference. Or do I just have to do that through scope settings on Burp?
yeah nvm scope settings just easier.
You can do that with containers using container proxy, but this is in Firefox
oh ok thanks. For now I think I'll just stick to scope settings, I'm having to use scope settings anyway to filter out junk requests.
what about the people who make a lot of money with bug bounties then? Just pros with lots of years of experience or luck on their side?
ive listened to this one darknet diaries episode of this dude cashing in like six figures worth of bounties every year, granted it was stories from quite a few years ago and he was probably really good at it
i guess that doesn't happen anymore?
one of those "i've made millions on hackerone with bounties" dudes, talking how he made like 500/600k in 2017, even more on 2018 etc.
When it comes down to it I just think that it makes more sense that if a person was skilled enough to do bug bounties they would also be skilled enough to be a pen tester.
Pen testing means that you are paid for your time and for your report, therefore it is a reliable form of income.
Bug bounty means you are only paid for finding a bounty which, unlike a flag on THM, there might be no bugs on that site at all.
So it only makes sense that anyone skilled enough to make 6 figures from bug bounty would also be skilled enough to make reliable income from pen testing.
So in short the logical thinking is that bug bounty is a short term option to amass recognition in a community to then transition to a pen tester role.
That is my logical thinking on the matter.
they have access to private contracts/bounties, that only comes when you have a bunch of low level findings and gaining trust with the platform/companies
you could use the chromium browser that's spawned from burp
to NOT have
That would be convenient as well but the burp browser gets stuck behind captchas. I saw a solution to that problem long time ago but forgot
How do you guys know how to approach a target, and if it is or is not a waste of time? For example i know that i need to look for old software or something like that, but how do you actually do that, do you use some kind of tool or do you just go with the flow and choose one subdomain and see what happens?
Oh wait this is a bug bounty channel eh that is a bit different, but most of the below still applies I think (idk I don't do bug bounty)
To know whether or not something is worth looking into on a given client generally comes from experience. But things like out of date software, applications with known exploits, information disclosure / things you are clearly not supposed to have access to (like seeing a dev or admin page on a directory or subdomain scan), etc are all good things to look out for. Having a checklist of things to look for could prove helpful for you. As for your specific example of looking for old software, nmap can give you some version information on the services it sees running and Wappalyzer is good for looking into websites.
ALSO - most hunters keep scripts running on given sites looking for new pages - the new pages are the most likely to have errors in them
hunting is hard but not that hard, find a few niches and learn them really well.
I have background in bug bounty and theoretical knowledge about SSRF vulnerability, but I am not very successful in my practical attempts, so I am looking for a friend with whom I can scan for vulnerabilities (especially SSRF). If I have friends who will scan and exchange information with me, I would be happy if they would send me a private message.
You can text me
Is there any hardcore web/bug bounty server/enthusiasts to just keep up with the hype and collab for bugs? i wanna join
- experienced professionals only * pls dm
Probably a dumb question, but do you need to use a vpn or proxy when doing bug bounties?
If so can I get away with using a free vpn?
No, not really I would say
You can probably set up an infrastructure that lets you send your requests through your VPS via proxy but there's not much merit to it I'd say
Okay thank you
Gave +1 Rep to @lilac spindle (current: #24 - 333)
Hello guys, any tips for bug bounty?
Build a good methodology, look at automation to ease your work (within boundaries of scope), focus on a few conventional bugs, look at business logic and see if there's a gap and how you can take advantage of it.
Hi everyone! I'm new to penetration testing. I am trying to learn and understand NahamStore. Can anyone help me with a summary or report of NahamStore?
Thanks!
Gave +1 Rep to @lilac spindle (current: #23 - 336)
Hey I found a bypass on a site that allows me to add "<>" characters while we shouldn't be able to, what is this type of vuln in order to report it correctly ?
What's the impact?
i don't really know, i'm new to this kind of stuff, but in the form they don't let us send the request from the site if it contains these characters, but if we modify an intercepted request adding '<' or '>' it works and it wasn't made to accept it at first so i guessed it could be good to report it :/
try escalating it to xss and see what happens
i found better but still don't know the name of this kind of bug to report
I can modify another user information
and using what i found earlier "<>" i can break the site for him if he goes on his account
well, if you can modify another user email and password i think that it might be classified as an account takeover
What are your thoughts on using the Windows version of Kali Linux for bugbounty/ctf - WinKex/WSL2?
I avoid WSL as the networking can be poor
What form of Kali do you use if I may ask?
kali purple is what I use for bb
I use the all files tools etc.
And I add my own tools and scripts.
Just read a bit. Sounds interesting. Will try it out once it's a bit longer in the game
Via VirtualBox that is?
I use Vmware
Ahh alright. Have yet to try VMware. Why did you pick VMware over VBox?
The paid VMware is better, looks cleaner, has snapshots, I can auto-config VMs to auto-boot on startup
Interesting!
Is on-premise Kali bad for BB?
On your local machine?
Yah
No, why would it be?
I think it's not smart to do that, as you will be sharing the same IP.
I love that OS and just use that for daily activity
I see, I do BB as legal in my community
Just to make sure I understand you correctly; you do bug bounty/cyber security as a legal employee of a company/community?
Under Community
I send the report to the community and if they approve I get paid.
I prefer Bugcrowd personally but H1 can sometimes be good
How's Kali Purple working out for you? Does it miss tools or can you download the exact same as on Kali Linux? @cinder jewel
What's the main difference between Bugcrowd and HackerOne?
Apologies for the delay, had a few drinks last night haha. But anything missing can be downloaded easily. I have also used Parrot OS before and find that to also be a good alternative
Different triage teams, and I've found H1 and BC both accept and have different policies on accepting certain bugs, and ofc different programs too on each platform. BC has the better triage imo
Hi guys, any tips for a cybersec beginner?
Hi, I am enumerating a website and was able to download a .pem file. Would it be considered a security issue?
Tried using keytool to read the certificate. If I do a subl, it goes..
---Begin Certificate--- something something ---End Certificate
What else can be tried with that file. Appreciate all inputs.
Any important fields that could be checked?
Also, is it normal for these files to be available?
Also, is it worth reporting?
Yes if it's a public key / certificate 
If you've got the private / signing key then there's a much bigger issue; how big depends on what the certificate is used for
I anyways reported it to be sure. Let's see.
Many times I leave things because they seem to be too obvious and it ends up being exactly the same
Is there any penalty for reports for non issues?
That would be my only concern for that.
Hey @winter trellis
Are those referral links?
Deleted the wall of links.
Are there any like entry-level BB programs?
I realize my question is kind of a contradiction...
Been the owner of a development company for 12+ yrs but it really has me burnt up, the word "php" almost causes an uncontrollable diarrhea attack
So, anyone have any advice where to start? H1 and BC still feel out of my league...
Been on THM quite a while, rank #3864 atm, should I learn more on HTB first?
Where are the bug bounty programmes like HackerOne, although for newer websites that have not been reconned like a thousand times?
Not every site has a bug bounty program, and not every program is open to all. Some don't even go through HackerOne/Bugcrowd etc. Some orgs haven't reached the stage where they're ready to do security testing yet... there are lots of reasons
I don't mean specific websites, I mean like in general
You can just google bug bounty and you'll see a bunch of them that aren't on those platforms, and maybe you'll see other platforms
You want to learn how JavaScript and HTML work, learn the different web exploitations
so you are telling me to learn front end first, right?
and then ?
I found a vulnerability on a website, if I contact the owner and wait for it to be fixed, can I put it in my portfolio or something like that?
You want to ask if you can disclose it first and ask for permission
Hey guys. I'm playing with a potential XSS and have this injection point: <a href="" onfocus="" class="">injection point here</a>
I have tried some payloads and here are the results:
<script>alert(1)</script> gives: alert(1)
<scr<script>ipt>alert(2)</sc</script>ript> gives: SAXParseException Message is: Unterminated start tag, 'scr' (Unknown system ID, line 74, column 31)
<u onclick=alert(9)>click</u> gives: SAXParseException Message is: Unterminated start tag, 'u-onclick' (Unknown system ID, line 86, column 37)
<img src=x onerror=alert(document.domain)> gives: SAXParseException Message is: Expected equal sign (Unknown system ID, line 74, column 35) as well as SAXParseException Message is: Unterminated start tag, 'img-src' (Unknown system ID, line 88, column 35)
Hi guys, so I am testing this website for xss which has a url like something/uploadaction.do?method=something
Whenever I put the payload it gets redirected to a custom error page which says "request does not contain handler parameter"
Any ways or any article where I can learn on how to bypass this?
Hello team,
It's been 3 years since graduation,
But everything is eaten.
Now,
How to improve my skills and get a job ?
Field " bug hunter and threat hunter "
Please suggest the best way to me
Hi, I am stuck with a Docker installation error on my arm64
Hello guys, has anyone ever hunted a bounty, or worked as a bug bounty hunter?
@unborn ice
I've got a few bounties, I've got more duplicates though
cool, I have sent you something on dm
@unborn ice
Sorry for that, do you mind if we talk on DM?
@unborn ice
I'd prefer if you just spoke to me in here, there's no need for DM's.
@unborn ice sure
I have discovered a vulnerability in a website by a coincidence which leads you to information disclosure
what is the best way to contact them to tell them the problem
what is the best approach to tell them?
I mean should I ask for a reward?
Check they have a bug bounty or a security.txt would be my first port.
How do I check for a security.txt file, and also how do I check for a bug bounty other than HackerOne?
nothing there
did it, looks like they don't offer it
It's a tough one
If you stumbled upon it by accident you could contact them and just let them know they potentially have a security issue (do not dig into it any further)
but certainly don't ask for any reward in order to disclose it, that's extortion and illegal
so you think I can say, hello <company>, then I would say there is a potential you have a security issue
and ask if they want me to dig into it legally?
Yeah something along the lines of "while using your service I accidentally stumbled upon something that I think might be a security issue, might be worth checking out"
nah, it's their problem, if they don't have a security disclosure policy you shouldn't be going anywhere near it
ty for explaining, one more thing please
Do you think they would answer positively? I mean if you have experience with that
@fast fable
and is it ok to ask for if they offer a bug bounty program?
I have no clue, this is the problem here
You could ignore it, or report it anonymously
I think I'd ask more "for the future, do you have a vdp program?"
@fast fable is there any way to tell them that it could lead to a massive disclosure, like database credentials, emails and passwords, some keys and even backend code?
I really want to warn them, but I am unaware if this would make it worse
"I think this could be a serious issue, and it should be looked into"
I'd probably just drop an email anonymously and leave it at that, if you've left it alone you'll be ok
yeah you can just create a new email
@unborn ice can you read our conversation please? do you have the same idea?
I don't have to, if Jayy has spoken to you about it, I don't need to look over it, lol
Wow, sorry Mr Jayy looks like you are one of the leaders in this topic, was just trying to hear from different people
ty again @fast fable
Uh, ok.
Lol I'm by no means a Leader in this topic, was just giving my own opinion
Humble too haha