#bug-bounty
It usually depends on the application; a good common example is session IDs.
These should always have HttpOnly.
Thank you @native token, got your point.
Gave +1 Rep to @native token
If XXE (and many other vulns) can also give us a reverse shell, why is injection considered to be more severe? Mention me if you have any answer.
Can you please elaborate a little?
For example, there was one report on HackerOne for spotify.
Because of one available-to-register Heroku subdomain leading to subdomain takeover.
It would depend upon the type of XSS, the website, and its users.
For example, if there is a site that stores private information or allows file downloads, ...
Then you can elevate XSS into a more severe issue, possibly leading to reverse shells in rare cases.
OK, so it would mostly happen in rare cases?
It is possible
In rare cases?
If found, would it be considered an A1 vuln?
Or would we say it is vulnerable to injection?
IIRC, there are a few rooms that allow this, XSS to leak keys or credentials.
If it can lead to unauthorised information disclosure then yes.
I am unsure about categorisation though
The OWASP 2021 draft classes it as security misconfiguration.
In 2017, it's its own thing,
and it classes XSS and injection under injection.
Which website is good for finding bug bounties?
Hi, I assume that you are asking for a platform for bug bounty. There are many, like HackerOne, Intigriti, Bugcrowd. There are BBPs (bug bounty programs), which give an incentive, and VDPs (vulnerability disclosure programs), which serve for disclosing the vulnerability and you get public acknowledgement.
Many are running their own private program where only invited people can test their application.
Answering which website is good for bug bounty depends solely on you, on where you are looking and how you are approaching the target. If you are completely new, check out the pinned resources.
Bypass using HTML encoding of alert: where can I get more encodings like this?
Aren't these HTML numbers?
Nope
HTML Codes - Table for easy reference of ascii characters and symbols in HTML format. With indication of browser support
Thank you, I got it.
Oh, they are called HTML numbers.
I got to know something new, thank you.
That's what the site says 😆
I consider it ASCII only, just different interpretations in different contexts🙂
Yeah, when I decoded it, it showed me ASCII.
When looking at bug bounty programs, many have rules that say things like no "automated scanning of any kind". Does that mean, for example, one can't use things like nmap or gobuster? It seems like it would be very challenging to perform enumeration/scanning without those types of tools.
It usually means that you should not submit anything found by an automated tool.
And also I think they mean tools more like OWASP ZAP and stuff.
OK, so an "all-in-one suite" that will potentially hammer a site with all potential known vulnerabilities is clearly out of bounds. But nmap looking for open ports is probably OK.
You don't really need to use gobuster for bug bounty 😂
If you're directory brute forcing you're doing it wrong
Good point. I'm just trying to distinguish what types of tools are or are not OK. Your opinion on how to interpret the "no automated scanning" based on your expertise? I'm (clearly) new 😀 and have only tried some of the early rooms where nmap and gobuster were covered.
If a website allows registration only via business email, and I intercept the request and feed it some personal email address like Gmail, and the website accepts and allows sign-up with the personal address, can this be impactful?
One more thing, guys: I was playing with this sign-up form, intercepted the request and replaced the email field with an existing account to see if account takeover happens. When I submitted the form, a string appeared on the page, "object Object", which shows JS execution at the backend. Can this be escalated in any way?
Yes, if you can find any private information like source disclosure or possible package names and their versions which are vulnerable
So, who of you are behind the recent nuclear-tier iOS exploit?
Curious about who made what amount of money from that one.
Sure, no problem
Then any alternative?
No, you don't need to directory brute force.
Yeah, dirsearch and ffuf are good tools. As optional said, in many cases you won't need them (at least on the main web app), but if it's a subdomain then it's worth a shot.
Ok
@civic umbra whatever you wanna ask, ask it here. For every vuln that gets resolved, it gets added to your H1 public profile, you receive rep points and get more private invitations.
Alright
@knotty hound This channel is for bug bounties
Bro, do you earn money?
No
What are the major differences between CTFs and bug bounties?
CTF - Come to Fast! You got to do fasting! Though from bug bounties you can eat a lot 
Is anyone here familiar with exploiting __viewstate parameter??
I have this site without anything... But it has a viewstate parameter and its value in the source code... I did read quite a few articles and have a general grasp of what it actually means, but I'm having a bit of trouble exploiting it...
Hi everyone, does anyone have a good reading on Docker? I'm doing a CTF and I was able to get access to all users of a host and then found out a Docker container is running. I use sshuttle and can reach the web page... it is pretty empty, but it says vulnerable Struts app. It only has port 8080 open and I do not have permission to run docker commands on the host and I'm not allowed to become root (out of scope)... Where could I find some information? Any tips or documentation would be much appreciated. Thank you.
You can check out the Docker Rodeo room if you haven't already.
Maybe you will find something useful in it
Thank you, I'll have a look right away
Gave +1 Rep to @dusky urchin
Just in case: the jexboss script did the job. Now I wonder if from the Docker container I can read my own files on the host...
Lil self promo, but PyWhat will have 67 new bug bounty regexes to help you find stuff you can make money from.
Some ideas:
- Download all public github repos of a company, search them with the bug bounty mode. Find API keys, Credentials, credit card info etc.
- Download all web pages and do the same
- Have it on a loop so the second a dev commits a secret, you know 👀
Looking for actual bug bounty people to take a look through and add / advise on stuff if possible 😄 Some of the regex have ways to exploit them (or check the API key is valid). Would be great to have some more and your name will be on an open source project 🔥
Glad you found a solution
I want to become a bug bounty ethical hacker. Can you tell me what I should learn first? I mean first topic, second topic. Please help me.
If you want to focus on web, then I'd say learn more about websites (frontend, backend), web server software stacks, CDNs, the HTTP protocol, how TLS works on top of that and what different configurations you can have, set up your own web server to experiment with all this, learn about cloud providers such as AWS, Cloudflare, etc.
without any details it's hard to give a good recommendation 🙂
but learning how things are supposed to work is generally a good plan, before learning about how things can be broken.
mod to aisle #bug-bounty
Any good resources to start bug bounty?
Check pins
yup
-ban @still fern Asking for phishing tools, clearly unethical.
🔨 Banned Kalijay#4908 indefinitely
Can anybody suggest a good tool to detect subdomain takeover? I am trying to automate the detection with cron. Most of the tools I found on GitHub are outdated and years old.
Anyone have any experience with tplmap?
Do it manually, you'll be glad.
Because it's not updated anymore? Can't seem to find the right parameter though.
tplmap was abandoned a couple of years back so it is stuck on py2 atm.
Due to how outdated it is, you're better off exploiting it manually...
@real marsh
Hey everyone!
- I have to find the live sites out of the list of subdomains (it means there are many sites that will map to only one IP).
- Now in the next step I have to find the IPs of those live sites I get from the first step. This step is also done. I've also made the IPs file unique as there are many identical IPs mapping to subdomains. For example:
www.example.com
www.abc.example.com
www.xyz.example.com
www.def.example.com
All of these subdomains have only one IP, and in the IPs file I got redundancy; that's why I made the IP file unique.
- The next step, where I'm stuck, is to make sure that I have correct results. For this purpose, I have to map each IP to its subdomains that I have in my Live_sites.txt file. I don't know how to do this. Is there any tool for this?
Sounds like homework to me.
You should check out jaeles and nuclei, they have subdomain takeover templates that you can use.
You should use httpx or amass, it will give you the subdomains with the IP address.
No, it's my final year project and this is just the beginning.
Thanks. I'll try this.
Gave +1 Rep to @somber grail
Yeah, I've used httpx and amass to get live IPs and subdomains. But now there is the same IP for multiple subdomains and this is the redundancy. I want to map each IP to its subdomains like this:
Ip
192.168.72.1
Subdomains
Www.example.com
www.abc.example.com
Www.cde.example.com
Ip
127.123.13.13
Subdomains
...............
I want to map each IP against its subdomains.
You should probably look into coding something yourself. Do some research; httpx has a Python lib IIRC.
Final year project is still schoolwork, and in general we don't help with schoolwork
(As that would be cheating)
I was searching there, yeah. Most probably I should solve this by coding.
I just wanted to know if there is any tool. If there is none, then definitely I would go for coding.
Probably not one tool that will do exactly what you need
Okay thank you
Trying things that might seem silly and then laughing loudly when they work? Yeah
Sounds about like dev work too
wlan0 is on channel 0, but the AP uses channel 11. Help?
You are trying airmon-ng, right?
Or is it related to one of THM rooms?🙂
Probably not a thm room
Doesn't sound like bug bounty either though
Hi guys, would you say a VPS (with a public IP) as an attacking instance is mandatory or just something like a plus you can have for bug bounties?
The only time a VPS is really needed is if you're running recon on a large scope; then it's nice, but other than that it isn't fully needed.
How large of a scope are we talking about? Like hundreds of subdomains?
I dunno. It’s nice to have disposable public facing VMs to use during recon, in case you trigger IP blocking or filtering. Ephemeral resources during recon is pretty inexpensive these days, and allow for parallel processing without b0rking your local network.
pretty solid difference between using disposable vms and a VPS depending on the provider
¯\_(ツ)_/¯
VPS in bug bounty is whatever
I always attach a header so the target knows who I am (using a wearehackerone alias) so they can correlate the logs, but I almost always use a different IP during each stage of the analysis. But I have access to a ton of resources inside Azure to make this reasonable. Not so sure I would do as much if I had to use DO droplets all the time.
But to each their own. After I accidentally blocked my entire office from the Microsoft Cloud during some PoC building against something I found in the Azure admin backplane I will never again NOT use ephemeral resources.
Hey everyone!
I'm confused about the screenshot part of the recon process.
I've used EyeWitness to take screenshots of the 320000 hosts. It took almost 54 hours to complete this process. But I don't actually understand why we would take screenshots. I've googled it and I came to know that we take screenshots because pictures speak more than words, plus we can look at different pages and identify more accurately which host to hunt. In my case, I guess it is not possible to have a look at 32k screenshots. It would be more hectic.
Thanks
lmao, why on earth are you hunting through so many hosts...
If you're on such a large scope and asking that question you probably shouldn't be doing it.
I'm just asking for learning purposes, and actually it is my personal project, not an attack. I just want to know why we need to take screenshots.
Bug bounties make me so incredibly frustrated.. someone I know gets a bounty every week
not full time, at all
and I'm over here doing test sessions of 3 hours a day
without any results for the past 3 weeks
Are you sure you're doing a bug bounty?
That's a 10.x.x.x IP, considering log base 2 of 320,000 gives like 18, which would mean 3 octets, which would be internal, or you're just randomly visiting public hosts, which you probably shouldn't.
No, I'm not doing bug bounty. Actually I'm doing perimeter testing as my project.
So I was not able to understand why we need screenshots of the sites. I'm not doing any pentesting. I'm just a beginner in cybersecurity.
As a heads up: doing anything to (including scanning) things that don't belong to you could end up with you getting prosecuted.
I would suggest that you don't, unless you have written, legally-watertight, permission from the owners of all devices.
Okay, thanks, got it. I'll take care of this.
Gave +1 Rep to @hybrid orchid
Hey, I am new here; can anyone suggest how I can enhance my skills on TryHackMe?
Pro tip: NEVER give your bug bounties to "influencers" because you think they can help you
I am posting this because I have received 9 DMs and 4 of them contain bugs I could just steal from you lol
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: https://www.youtube.com/channel/UC1szFCBUWXY3ESff8dJjjzw/join
Ethical Hacker | Penetration Tester | Cybersecurity Consultant
About The Trainer:
Loi Liang Yang
Can the THM staff please verify this does not work on their website? I doubt it, since you all are experienced security professionals in charge of the site. The reason I did not check myself is actually quite simple: I don't wanna get sued. I don't know if this will count in bug bounty or not and I very much do not like getting sued, so I didn't do anything, but I request the THM staff to look into it.
If it’s not against our bug bounty rules, you’re allowed to try it:)
!docs bug-bounty
Not exactly sure if that counts in those or not, and I'm sorry, but I'd rather not take the risk.
Not gonna lie, the word "any" that he used is probably only there to draw in viewers.
Don't think it can actually work on any website.
Right!???
That is quite literally the most click-baity video going
I've watched like 2 minutes of it and there are so many vulnerabilities / bad practices that need to be present for this to even remotely work.
That sorta shit is exactly what's wrong with the infosec community
THM doesn't even use JWTs for auth 😆
if you trust a client to validate things like membership/access level and the sorts then you're just asking for trouble
I know that,
which is why I said "I doubt it since you all are experienced security professionals in charge of the site".
I was 90% sure that those vulns won't be there, but I just told you, just in case.
Aye well then you've answered your own question (:
I was just simply stating why you were correct is all
I just thought I'd inform the staff but leave it up to them as they're wayyy smarter than me.
lol, ty
Gave +1 Rep to @young spoke
How was I supposed to know that unless I tried it? And I didn't want to, because I wasn't sure if it would qualify in your bug bounty or not and I didn't want to risk it.
Thanks for not roasting me and understanding it was just a heads up.
Gave +1 Rep to @young spoke
np
Extra one, but he deserves it, ngl.
np big man 😎
I have watched some of his videos before and most of them are just clickbait 🤷♂️
Loi Liang Yang is complete and utter trash who's only good at making clickbait 🤷♂️
Kinda like Networkchuck
agree
💯
Is he? Haven't seen any of his vids but they looked interesting so I have a few on my watch list. Right now I only watch JH.
Most of his stuff is clickbait IMO. You can try watching a few of his videos so you can form your own opinion.
+1
Video titles with "By A Pro Hacker" just sound so wannabe and complete clickbait.
What YT channels would you guys recommend?
Here is a small list of YouTube channels to check out (in no particular order):
- Codingo: https://www.youtube.com/c/codingo
- Christi: https://www.youtube.com/c/CristiVladZ
- Cryptocat: https://www.youtube.com/c/CryptoCat23
- Nahamsec: https://www.youtube.com/channel/UCCZDt7MuC3Hzs6IH4xODLBw
- SilverStr: https://www.youtube.com/channel/UClZX8GoY43jvMukwnto-BLg
- LiveOverflow: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
- IPPSec: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
- JohnHammond: https://www.youtube.com/user/RootOfTheNull
- STOK: https://www.youtube.com/channel/UCQN2DsjnYH60SFBIA6IkNwg
- Red Team Village: https://www.youtube.com/channel/UC8nq3PX9coMiqgKH6fw-VCQ
- HackerSploit: https://www.youtube.com/c/HackerSploit
- Hak5: https://www.youtube.com/c/hak5
- InsiderPHD: https://www.youtube.com/c/InsiderPhD
- JHaddix: https://www.youtube.com/c/jhaddix
- PinkDraconian: https://www.youtube.com/c/PinkDraconian
- PwnFunction: https://www.youtube.com/c/PwnFunction
- Reconnless: https://www.youtube.com/channel/UCCp25j1Zh9vc_WFm-nB9fhQ
- TomNomNom: https://www.youtube.com/user/TomNomNomDotCom
- TheCyberMentor: https://www.youtube.com/c/TheCyberMentor
- TheHackerish: https://www.youtube.com/channel/UCIXot2vRgeM5alhAlpTbhQA
- zseano: https://www.youtube.com/c/zseano
- zsecurity: https://www.youtube.com/c/zSecurity
Thx
Gave +1 Rep to @swift grotto
NP
Go through its code available on GitHub 😃
https://github.com/WordPress/WordPress
Thanks
Gave +1 Rep to @dusty pasture
Hello
Can someone please suggest, from your personal experience, how to approach bug bounty?
Hey guys, I got this weird error at the end of the scan while using nmap with decoys: 'Unknown address family 0 in build_packet.'
Command used: nmap -A -D RND:54 <domain-name>
Any idea how to solve this?
Would you be able to copy this and message it to me? (Can’t message myself 😦 sorry)
In Discord you can long press on it (mobile) or right click and select “Copy Text”
I meant I can’t message it to myself in discord
Oh wait, I can open Discord on my computer and paste it in a txt file, I guess.
Create your own discord server
@fathom heath are you allowed to disclose this ?
Yes
You have explicit permission from the company to move to full public disclosure?
The bug is solved; they tell you that you can create write-ups.
Wonderful :)
But report is not disclosed
Hey guys!! I am new to this bug bounty program... Can someone guide me on how to get started and the resources needed to begin with? Sorry in advance if my question is stupid.
You could start by working through the THM paths: Pre-Security, the beginner path and the Web Fundamentals, and from there you should have an idea of what to do.
Hello! Can someone help me with finding an XXE in a SOAP implementation in a public program? I am having some difficulties
Hi guys, Is there any way to bypass SSTI with below blacklist?
blacklist = ["'", '"', "request", "readlines", "+", "%2b", "%22", '%27', "linecache", "add", "join"]
There's likely plenty of ways to bypass that, you just have to find them
there's some good papers around for SSTI
SSTI for which template engine?
Jinja, Twig, ...?
Use of a blacklist isn't a good idea. A whitelist is better 😄
The correct terms are now "blocked list" and "allow list".
I was corrected in a briefing 2 weeks ago, and sure enough, if you google it, it says they changed it to blocked and allow.
I mean, they're both correct from a technical standpoint.
Just that modern political correctness dictates that the use of "black" and "white" when describing allow/deny lists is a no-no. The use of white/black list is something that will no doubt be pushed out with time, but they are no less accurate technically than they were before 🤷♂️
Hello folks, I found an unclaimed Cloudfront instance on a subdomain I was testing. However when I went to create a new Cloudfront distribution with the URL as the CNAME it didn’t work, it showed an error explaining how you need to upload a trusted cert from a CA.
Btw, the cert can't be self-signed.
LetsEncrypt?
What ??
Amazon CloudFront?
sadly
the bane of my life
Amazon "I'll take 45 minutes to update a single word on your website" CloudFront
Slowness Optimization Utilization™️ 😂
I was doing something for fun, but I have permission to do it serious
Someone wanna join me?
Hello guys, one question. If I had, for example, the metadata of a PDF file, can I convert that metadata to a functioning PDF file? And what could I do with such data?
Sorry wrong room! 🤦♂️
Thank you very much for answering.
Also, I have another question.
Is this an XSS vulnerability? I tried to upload a profile picture with the .svg extension, and in it was a payload that would present a red rectangle and pop an alert box.
Payload:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS!");
</script>
</svg>
I thought maybe the JS popup is blocked but didn't find a solution for it.
So, did it work and you got an alert pop-up?
If so, you can apply proper CSP headers to prevent such vulnerabilities
That is direct view of malicious SVG file
I did not get the alert pop-up; on the main site it is blocked probably, but the rectangle is rendered clearly.
I right-clicked on the rect and pasted the URL in the browser; it was in this format: data:image/svg+xml;base64, {base64 encoded string}
When decoded, it of course shows the payload.
When I visit the URL I copied, then I get the pop-up.
I'll screenshot it, just a moment.
Yeah, that is direct view
Accessing the file from its URL
So, it is a vulnerability? I've never encountered this ever.
To prevent this, the server hosting that SVG file should also send CSP headers like
default-src 'self'
or
img-src 'self'
I'll send them that as an advice on how to fix it.
Thank you very much!
Here you go🙂
https://svg.digi.ninja/index.php
A bunch of different scenarios for defending against XSS through malicious SVG files
<@&612305984752451594> Discord scam ^
@hybrid orchid ⬆️
That doesn't work here
oh. well I tried
Hi, I am not good at DOM-based XSS, but Burp flagged this for me: is there any potential DOM XSS here?
How do y'all deal with platforms that require a creditcard to sign up (like cloud providers), in order to test vulns?
Stick a credit card in...
If it's a legitimate bug bounty then there's no issue, is there now?
Well, for me there is considering I'm underage thus have none
Are you legally allowed to participate in the programme then?
Fair enough. I guess I should wait with this stuff.
They're usually fine with debit cards
Hello
I ran an nmap scan and found most of the ports are open. I was under the impression that it is bad to leave ports open. What am I missing? (n00b here)
Don’t port scan for bug bounty, it’s never in scope
Thanks! I scanned a URL that is in-scope. Is that not okay?
Gave +1 Rep to @native token
I get that, but how do you id the technology stack?
Http headers, if not you don’t
Okay, thanks again! I guess it's back to the training... 🙂
Gave +1 Rep to @native token
Hi
Hey, I need help.
Umm, I want to someday submit my first bug bounty, and I know how the web works in practice, but I have no idea how to test for vulns... Is it just spraying and praying, or should I try finding one bug in a specific place? Or a balance of these?
I just noticed in a social media app that if you click the login button from a certain directory, it leads to an error. Is this reportable? Ping me when you reply?
Is there any impact to that? Can it be exploited? Does it leak information? At best it seems to me like a bad practice, I wouldn’t report it unless you find something further
Hmmm. Will see, Thanks
Unless there's some verbose error that discloses potentially dangerous info, it's unlikely to be anything more than informational in a bug bounty context.
Sleepy, this is like getting secret information that I shouldn't have gotten. Thank you so much. This will definitely help me.
If HTML comments end with --> then how is this executing?
You are closing the comment with --!> and then the alert is executing.
HTML just errors; it will display what works and doesn't really care about the rest.
Hi there 🙂
What would be the top 3 tips you would give someone that wants to start doing bug bounties?
Hi @dry slate, I think the main tip is to start from basic to advanced and not pretend to start hunting ASAP. I started a few months ago and am still learning a lot of things; it's a large learning curve.
If anyone is on the path, I'd like to exchange resources and knowledge.
Thanks 🙂
Yeah, I'm not taking it too seriously to begin with anyway. I'm not that good. I just want to start out to play around with a live target.
Gave +1 Rep to @obsidian goblet
Just whatever you do, don't expect to make money. If you're doing it to make money, you're going to be stung.
Which platforms (e.g. HackerOne, Bugcrowd) do you guys prefer (or maybe think are good for noobs)?
What are bug bounties?
What preparation and prerequisites should be enough to at least get started with bug hunting in public programs?
Payments for hacking web pages, applications, servers, or even giving crucial information of some impact.
@vernal plover More specifically, it's a crowdsourced vulnerability assessment. "Payments for hacking web pages applications servers..." misses out the fact that bug bounties are legal...
Bug bounties are when a business explicitly states that they are open to ethical hackers finding and responsibly disclosing security bugs in exchange for payment (usually money). There is always a scope assigned (as there would be in a pentest), and it is all legal, as long as you stay within scope.
But the vulnerabilities, they are very hard to find 😭😭😭
Many people do it like a side freelance earning, and mostly as full time.
If you do it full time then prepare to be disappointed. It's not steady work. Sometimes you make money, often you don't. The effort rarely justifies the reward, which is why most people do it as a hobby.
That sounds like a "you" problem. :)
I know I am noob
Crowd-sourced pentesting. In a saturated market segment this often leads to high-effort and low probability of reward. 😄
That sounds really damn fun
Does it pay well?
Depends how well you do. It doesn't pay consistently, and if you get it wrong, you may be in big trouble.
But, if you get it right and if you find something serious in a big company, it can pay tens or hundreds of thousands.
OK, so think of it as extra cash in free time, not a main source of income.
Exactly
Extra cash is a stretch
Oof
Damn savage XD
Found an unrestricted file upload and the company says "our server is hardened enough so file upload doesn't matter".
🤔
Why not just block the wrong file types in the first place?
Can you access the files after uploading them?
@hybrid orchid Yes and no... I get the link to it, but it's not executing, just downloading it.
So it's definitely on the server.
Well, that's enough
Tell them you have access to turn their site into a malware distribution network / place to store stolen goods
Which you technically do
You might not be able to use it to gain further access, but being able to arbitrarily store files on their servers won't end well for them
@hybrid orchid Good point, I'll let them know. Thanks
Gave +1 Rep to @hybrid orchid
Can someone hack me?
That's not what we do here.
You have too much open surface to get hacked. Next time ask this question very wisely.
What do you mean?
I sent you a private message.
-ban @fallen palm Dropping doxx in DMs.
🔨 Banned 0x11c11e#5093 indefinitely
he walked right into that one
Oof
What the fuck did I just witness
damn LMFAO
What is doxx?
Ex. Publicly revealing your name, face, and address
Something people with no real skills do to look cool
Even though they just look like a kid
Just to be clear, revealing someone else's*, not your own, lol.
Just absolute clarity, since that was confusingly worded to me.
No, you can accidentally doxx yourself as well.
Hello to everyone,
I just started Bug Bounty and I have a question for you.
After logging into the website with the hacker user, while sending an HTTP request to see the account balance of the hacker account, if I can see the account balance of the victim user's account by replacing the cookie information in the outgoing request with the cookie information of the victim user's account, is this an IDOR vulnerability?
If you can read users' information when you're not supposed to (by changing information), then yes.
Not unless you also have a session stealing vulnerability
Obtaining classified information for another account using a cookie you have legitimately isn't a vuln -- that's just how the web works.
Thanks a lot for your answers
IDOR would be if you could do it without the victim cookie
Please read through the message before answering William 😆
Subbing in another cookie isn't a vuln unless you managed to nick the cookie through another vuln in the site.
Although if you were using computers in two different locations, you could argue that the session security is lax.
Not sure if a bug bounty would accept that. I would definitely put it in a pentest report.
My reason for sending the report is that it does not check whether the cookie information belongs to the logged-in user or not. But now I understand the situation more clearly. 😄
So, which security vulnerabilities do you think would be the right thing to focus on for a start?
I continue by following the learning path in Portswigger Academy and since one of the first taught there is Access control, I have chosen such vulnerabilities as my target now. Do you think it is the right choice to start with, or would it be better to focus on XSS or other vulnerabilities?
By changing the cookie, you change the logged in user. The cookie is the only thing that identifies what user is logged in.
I would start by learning how the web works, to be honest. There's a good THM module for that
Thanks for your help. I already have a THM account; I'm starting now. 😄
Enjoy :)
@hybrid orchid can I please dm you about something?
With regards to?
I'm not the one to ask about bug bounties -- my "real world" stuff is all pentesting 🙂
@hybrid orchid then who should I ask?
Best thing to do would be taking a look at the hackerone or similar leaderboards and reaching out to the top rated hunters somehow. Although you're probably not the only one who thought of that so don't be surprised if they don't answer
OK. Thanks @echo warren
There's also Drago.
Has anyone submitted a vuln to Microsoft's MSRC before? If so, how long did it take for initial response? I've had one in for a week now even with a follow-up...
Prepare for a month's worth of waiting.
Ok thanks
Gave +1 Rep to @echo warren
how do i check if the host has ssl enabled or not?
i know its https with url on port 443. I want to check this by command if there is any tool....!
So I have ben using THM for a while now, I love the guided rooms like complete beginner, cyber defense, etc. I wish there was a path set fourth for bug bounties. I am open to suggestions on what rooms to complete to feel confident enough to start
Cant you just try making a request with curl on https and see if it fails or succeeds?
Sslscan
Yeah, it's failing, so it means there is no SSL, right?
I'm using SSL but can't figure out how to know if the site is using SSL or not. I've tested it; it gives me an error on the site, so it means there is no SSL. Am I correct?
@native token is it still possible that some site is using SSL, which I can see from the browser, but the tools openssl, sslscan, sslyze give me the error for not having SSL? I'm just surprised why these 3 tools give me an incorrect result, or is there something else?
How exactly do people discover 0days? Do they just try a bunch of routine stuff and discover it by accident?
You can go hunting for them if you're skilled
Or you can stumble upon them by accident
How does one hunt for them? I would like an example of how one discovers a 0 day NOT by accident
Find an interesting installable server product you like. Load it in IDA and ensure you can set flow tracking and breakpoints. Now construct a client that talks to it and inspect how the data flows through the server. If you can track everything you can start to look for suspicious paths where you might be able to manipulate logic to make it do things it shouldn’t. Like state mismanagement. Stack and heap overflows etc. Logic bugs in the code. Over time, you may find a way to manipulate the server to get the control you want. Eventually the vuln you find will lead you to build an impactful PoC exploit … your zero day.
Replace server product with OS, Cloud Stack, Framework etc. Anything that lets you control the flow and debug through.
There is no magic os/script/methodology that will let you run and detect a zero day. It’s hard, manual work (usually). Quite gratifying when you find it though.
As a caveat, know that MOST bug-bounty programs won’t reward you greatly on a zero day. You’ll usually max out their program at the PoC of the original vuln. The extra effort to craft the zero day payload itself doesn’t net you much more payout. This is where zero days brokerages like Zerodium come into play. They usually offer much more for a stable zero day. But there is a moral/ethical dilemma you need to consider in working with brokers like this; who are they selling it TO? How will it be used? Will the vendor be notified in a timely manner?
Also worth remembering that not all software is compiled -- and a lot is open source either way. The reverse engineering route is definitely one way to go (and is the tougher field by far), but if you prefer to go with source code analysis, just read through the code for a project and look for vulns that way.
How many bug bounty programs have you seen where their product is open source and freely available? Not discounting the value of source code analysis; it should be go to if available. But so little of it is available without some sort of reverse engineering/decompiling.
You don’t only try to find 0days for money, many people try to find 0days to get a CVE on their name
Fair point I guess if someone feels they need the cred. Lots of work in either case. Has to be some goal to it.
Also there was a recent contest in China for finding 0days in all the software
There's also pwn2own
Generally speaking if you're going for 0day vulnerabilities in software, you're more likely to be after CVEs than bug bounties.
Although admittedly the fact the question was asked in #bug-bounty is a slight counter to that argument.
I got the site's wpdm-cache dir; it has session-hash.txt. Can I exploit it, or is it a common thing?
Please, anyone, tell me
Let me guess, wpscan or wordfence is alerting you that these are malicious?
In any case @outer roost you are going to need to figure out WHAT and HOW Wordpress Download Manager manages those files. (A quick google clears up what wpdm-cache is for.) If your google dorking is subpar, start here: https://plugins.trac.wordpress.org/browser/download-manager/
I was curious. You will find the exact code in https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/__/Session.php @outer roost
Next thing you are gonna ask is how do you decrypt the contents of the session files you found: https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/__/Crypt.php
Finally, you want to manipulate the "deviceId". Part of the code in the Session class is:
$agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$deviceID = md5(__::get_client_ip() . $agent);
If you look in get_client_ip() you will see it checks for headers to resolve in the following order: HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, HTTP_FORWARDED, REMOTE_ADDR. So if you set HTTP_CLIENT_IP yourself you should be able to spoof the deviceId to route you to whichever session file you want.
I am NOT saying this is vulnerable to anything, I haven't debugged this at all.
But if the logic for the session files has any sort of flaw, you have a pretty clear path forward. You know the code where these session files are read and written to/from, how to (en|de)crypt the session (and the requirements you have to get the __wpdm_enc_key) and how to manipulate the request to utilize which session. Lots of work ahead, but that should be everything you need to build on.
Good luck.
That's a lot of info, thank you, I will surely try it
Gave +1 Rep to @swift grotto
!rank
Is it worth it to try and crack JWT tokens?
I don't imagine organizations using sha256 privkeys with less than a hundred chars
Do I need competitive programming for hacking?
No
Thanks muiri
Gave +1 Rep to @hybrid orchid
Scripting and programming will be very useful -- you can hack without them, but you will always be limited.
You don't have to be at a competitive level with them though.
As long as you can code and understand how it all works, you'll be good to go
Competitive programming is needed mainly for competitive programming.
Understanding code is, in many ways, more important than writing it in hacking
This is something I've heard from someone who coaches high school students for competitive programming: they noticed that some students could perform really well in these competitions and win awards, but what's shocking is that they don't understand why the algorithms they've chosen for solving problems work, nor could they explain the theory behind those algorithms.
I've also heard something similar from math teachers who prepare students for math olympiads.
Instead of focusing on the end result, I think one should focus on understanding and learning the material.
My own perspective on understanding vs doing, is that one does not understand something unless they can produce and replicate it. Being able to read code isn't the same thing as knowing how code functions.
I agree with Juun. I've taken steps to learn programming because being able to read code wasn't enough. I needed to understand how it functioned for reverse engineering and smart contract exploitation. Automating some of my workflow and creating custom scripts didn't sound too bad either
I highly agree with you....
THM should have bug bounty rooms..... both for free and paid subscription
We do, but they're not called "bug bounty" because that's not what we promote :)
I'm using openssl to check if there is TLSv1.3 support or not over a list of domains. I've written the script, but the script doesn't stop; it waits for me to press CTRL+D, then it gives me a result. I've been stuck for 4 to 5 days. Here is the script
!/usr/bin/env bash
filename='domains.txt'
while read line;do
domain=$line
if openssl s_client -connect $domain:443 -tls1_3 2>/dev/null | grep -q 'Protocol : TLSv1.3'; then
echo "tls V 1.3 being used "
else
echo "tls v 1.3 not begin used"
fi
done <$filename
I've also used echo with openssl like this
echo "x" | openssl s_client -connect www.example.com:443 -tls1_3 2>/dev/null | grep 'Protocol : TLSv1.3'
**NOTE: When I run the command on the terminal for an individual site I get the result without typing CTRL+D, but when I use it in the script with the loop and if statement it waits for me to press CTRL+D. It's really strange.**
Thanks
Hey guys, how much success can I get in bug bounty if I practice on TryHackMe and solve most of the labs?
Bug bounty incomes can't be measured with precision, as it depends on your luck & the website's scope you're targeting. I don't really know if we can easily quantify that
TL;DR It's not "stable" enough to give an objective answer
Hi
Hi @prime river, what's your terminating condition? Also, it might have something to do with your file input (lines of URLs with "/" characters + leading or trailing whitespace). This may help on the file reading part of your script: https://www.cyberciti.biz/faq/unix-howto-read-line-by-line-from-file/.
Your hashbang seems off too. Isn't it supposed to be #!/usr/bin/env bash?
This issue has been resolved. Thanks
Just avoid grep in the if condition; it will work perfectly
#!/usr/bin/env bash
for i in `cat domain.txt`; do
echo $i
if echo Q | timeout 3 openssl s_client -connect $i:443 -tls1_3 2>/dev/null; then
echo "$i" "tlsv1.3 enabled" >>output.txt
else
echo "$i" "tlsv1.3 disabled" >>output.txt
fi
done
Gave +1 Rep to @lilac mica
One message removed from a suspended account.
Something like that
Technically all bugs are Zer0 Days until they are reported right?
He's a famous Pen Tester
Haha yea
Hello anyone here
I need help with something that is making me crazy
I subscribed now and I can't connect to the VPN, as well I was on the free board. I tried the VPN, and tried tor and proxychains, and changing the Kali machine, and deleting openvpn and installing it again
did you download a new configuration file?
Maybe try to killall instances of the vpn then restart
Also #site-support please.
just breaking into bug bounty hi all
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://10.10.83.66:8000/.
How to get around this?
You'll need to configure Access-Control-Allow-Origin header in your server.
Oh, bug-bounty. Then you need to use a client that doesn't care about cross-origin requests. Most browsers are pretty strict on that.
But then again, that wouldn't likely be something that would get you a bounty, as it'd require the user to disable security features from their browser.
Can anyone explain to me how this request is causing a timeout?
```
POST / HTTP/1.1
Host: ac8b1f841ea3b47ac093505300bb00a1.web-security-academy.net
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
tRANSFER-ENCODING: chunked

3
x=y
0

```
Considering it's a CL-TE vulnerability, I mean, the frontend passes the whole request as is to the backend, and as the backend is processing transfer encoding, it will first see 3 and then 3 characters, then 0 to terminate the connection. It looks like a pretty fine request to me, so why is it causing a timeout?
href="javascript:alert(1)"
Bug bounty tips with ninja. See if you can add a link with JavaScript content like that. Impact is a little lower than standard stored XSS as they need to click it, but I've seen it a few times.
Especially with input fields where you can specify a link - rich text editors!
Also remember to check what the editor is sending to the server when you press save, if it's HTML then have fun with it
I found a bug in a website registrar which allows for bypassing the http/https only redirect filter in the web UI
but on the web UI and on the redirected website it still concatenates http:// in front of it
does anyone know how I can "exploit" this further (perhaps to get a bug bounty)?
this would usually be "url":"http://test.nice"
that redirects to http://ftp://test.nice
Hi! I'm trying to do the OhSINT room. Is this the right pic that is linked with the task file? I'll get the background picture from Windows XP.
Lets move this to #room-help
Guys, any idea how to steal an httponly cookie via XSS?
Do you understand httponly?
Ok, so you understand that httponly cookies are not accessible to JavaScript, right? @onyx nebula
Yes
So you can therefore understand that httponly prevents you stealing that cookie using javascript.
That's the whole purpose.
JavaScript cannot touch the cookie at all
See how it's duplicated?
You could read it from the request body (NOT THE HEADERS!) using JS if you make the request. You couldn't read it from the cookie itself.
Can I make an XHR request and just redirect the response to my machine?
How much do you know about how webapps, HTTP, and session handling work?
Because those are some very very useful things to learn before starting in bug bounty.
You absolutely need a strong understanding of what you're doing and how the systems work.
you need a cors misconfig for that
The domain doesn't have any
Even with a CORS mis-configuration, why would the browser give the Cookies of one domain to another?🤷♂️
Like the browser has some session cookies for https://example.ex
Visiting https://should-not-be-visited.ex will not send those Cookies
Correct me if I am wrong😄
As an extension to that, CORS would be at the attacker's side -- it's a server response header that determines whether your browser will allow the content to load.
i.e. it's you who would need to "misconfigure" CORS -- not the developer of the application you're attacking
I believe I found SQL injection but I'm having trouble testing it
I get an error: illegal character space
I'm getting this error while testing an API endpoint: SyntaxError: Unexpected token } in JSON at position 22
Is there any way to exploit it
or is it just an error?
It will hardly be exploitable.
Unless the JSON parser used has some issue, which is very unlikely.
IIRC, there was a room on THM (one of vulnet series) about node-serialize which deserializes user input and allows for method execution 👍
It's just a parsing error meaning there's an extra } that it didn't expect
Okay, I also get this in the error: (/home/ubuntu/||supplier-panel/supplier_panel_v2_node/node_modules/raw-body||/index.js). Can I somehow traverse the dir, or is it still useful for some information gathering?
Nah, raw-body isn't vulnerable I guess🤔
As optional mentioned as well, it is just a parsing error😄
Okay, then I'll look for other requests
Is it illegal to run sqlmap in bug bounties without dumping the DB?
Firstly, you’ll probably get rate limited very quickly, secondly, it’s not necessary, you only need steps to reproduce and there being an actual sqli for bounty.
It's not illegal, a lot of bug hunters do use it
Check the program, I believe they should tell you what they require. Most just need a PoC or steps to reproduce and not actually have any physical evidence of penetration. But I'm no expert, this is just what I have picked up from being around
For Autorize, if it's 0 0 0 for the len, did it fail?
hey now
What is the roadmap for bugbounty
Portswigger Academy. 👀
Advanced then
Not to be rude but if you're looking to be "more" advanced than Portswigger's material then you shouldn't be wasting time on bug bounties.
The only thing I can think of that's "more" advanced than Portswigger is OSWE
OSWE is white box. eWPT(X) is more black box.
Can you explain why?
Because that's how they were written?
OSWE teaches you how to analyse source code. eWPT(X) teaches you how to target externally. It's like asking why a language class doesn't teach you to sew 😆
😍
OSWA seems to be good 🙂
Pretty sure not many would be happy shelling out 2k when you could do a cheaper alt then go directly for OSWE and still have the total cost be less than 2k lmao
Is the chance of exploitation of open redirect low, medium or high? Same goes with the chance of damage
I assume low and medium right?
Because it can be used for phishing
Is the chance of exploitation of open redirect low, medium or high? That's gonna depend on the app. If any user can exploit it, it's more serious than if only admins can use it, etc.
And yeah, the impact is largely phishing
Yeah, it's exploitable while not being logged in
I'd argue it's especially bad if they're prompted to log in with the site before they're redirected, because you can show them an identical prompt but with "Incorrect creds" message on the page
Why is that?
Ohhh yeah indeed
Hi all,
I wanted to start my journey in bug bounty hunting.
Any suggestion?
THM's web hacking fundamentals/portswigger
Open redirect in bug bounty also depends heavily on context, most of the time it's a low, which is why a lot of people keep hold of them until they find something that can chain with it; e.g. SSRF
A nice way of increasing impact is that you can use open redirects to bypass email filtering with malicious links, so you can further expand with that
https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters this is a great resource for starters
Don't forget OAuth when you get an open redirect
Also spray that parameter onto the forgot-password link
Portswigger seems a bit tough.
Do you prefer watching walkthrough first or read the material first?
Woah, this is a great resource. Thanks @soft terrace
Gave +1 Rep to @soft terrace
Compared to bug bounty portswigger is deemed easy and fundamental so you'll wanna go through it regardless if your goal is bug bounty
You are welcome :)
I always read the walkthrough first to get familiar with the material then read it to gain a more in depth understanding and finally complete all the labs for practice
Absolutely valid point, I would have to start somewhere.
Yeah man, it's normal that it looks hard. No one would pay for something easy
25k to see if they forgot to patch anything for log4j
https://infosecwriteups.com/broken-link-hijacking-404-google-play-store-xxx-bounty-96e79a8dfd71 sheesh
OSWA vs OSCP?
Web Cert vs Pentesting Cert
Do web cert if you want to do web stuff. Do pentesting cert if you want to keep things generalised
It's comparing apples to oranges 🤷♂️
true & oranges > apples btw
each
Hello everyone, I am new to this bug bounty. Can someone teach me how to do this? Can someone give me book references?
thanks
Gave +1 Rep to @neon spade
I hope it will be rewarded :S
Doubt it, google maps API keys tend to be refunded by google if they are reported as misused
Can't remember the exact process but Google have thought of it as they know it's difficult to lock them down, something along the lines of damage control
I noticed so many rewards for Google API keys, I hope for a little reward xD
Idk, it's the first time I reported a disclosed API key to Google
Yeah maps is a coin flip, it does occasionally get rewarded. However, 75% of the time it’s an NA
🤡 Is anyone interested in making a team?
Like I know essential and lower medium
Looking for a team to join in
thinking about it
Did anybody here complete the web fundamentals path and go straight into bounties?
Is bounties a path?
I would doubt that. Web fundamentals path is super basic
well sometimes the errors are super basic too but still slipped through
What I wonder is how you find these bugs on commercial sites without looking like an attacker
Some programs require you to add a custom header for example x-hackerone: <USERNAME> . Others have it as an accepted risk
Does the header redirect you to a non production box or something?
Why wouldn’t real hackers just use the header haha
Nope it just means they can log and verify whether the traffic is from their bounty program
Because "real" hackers likely don't look at bounty programs
"Likely"
Honestly, trawling through random Hackerone usernames, grabbing one and setting it as a header, then going on a rampage seems like a great way to incriminate someone else with that system 🤷♂️
Sounds about right
Fairly unlikely. Fundamentals will give you the basic building blocks of knowledge, but there's still a massive gap between that path and finding those bugs in commercial systems. I'd imagine you could take that information, combine it with something like Portswigger's academy ('tis free) and then start reading up on disclosed bounty reports.
Hackerone has a full page called Hacktivity which shows any bounty reports that they have disclosed. Can be a great resource too, especially to give an idea as to what is being reported
That's exactly what I'm doing in the first part
The second part is new to me but seems really helpful, thanks
Gave +1 Rep to @native token
Does anyone know how to use the alias email for HackerOne? I read the article on it. I tried to create an account with one of the aliases but I am not getting any emails
So it's just yourusername@wearehackerone.com and if you've signed up to any websites with this then the emails will be forwarded to your actual email address if you use gmail or outlook(or other).
Having said that it's just a matter of waiting.
You just have to worry about any typos when you enter the wearehackerone.com email.
But also check your spam filter just in case.
I've had problems getting emails when using the alias in the past, so I recommend contacting HackerOne support to troubleshoot the issue if you know you're using it correctly
you nepali?
Quick question that's really stupid about this stuff.
I got told something has a bug bounty programme and I'm pretty sure it's vulnerable to Nginx HTTP Server 1.3.9 Chunked Encoding Stack Buffer Overflow because it runs NGINX on port 80 HTTP. But do you gotta get, like, permission to find out if something IS vulnerable, just to say, for bug bounty or however it works, or can you just test if it is and, if it is, then report it to them?? I really don't know how this stuff works and it's kinda confusing to figure out what I can and can't do?
Usually the program brief says what is out of scope or not within the rules of engagement, and that is usually 1) Don't mess with data that isn't yours, 2) if you end up accessing data that isn't yours and that you don't have access to, then stop what you are doing and report immediately, 3) don't modify anything on a system that isn't yours, in case you do end up getting a shell on a remote target
With reports you are expected to demonstrate security impact and that is accompanied with showing proof of the vulnerability you say exists.
So if you're theorizing what might be there in your report and don't show proof then I don't think it will be valid.
noice
Could someone show me any link that would help me with achieving my first bug?
I learnt a lot about business logic vulns but never actually got any bug
I need to learn how to pick a program, and for how many days do I need to constantly be searching in that specific program
An application is not necessarily vulnerable or misconfigured. You can try others.
Yep, but when do I know if it's not vulnerable?
Remember private programs will hopefully have less people looking.
You cannot possibly know how many hours you need to sink in to a program before you make money, you could sink 3 weeks and find nothing.
Yeah, I know you can't be exact on that
Learning when to move on is something I think you need to get a feel for, in pentesting or bug bounty.
I started watching a lot of @spring knoll 's videos, I'm trying to get into the game as well. I've spent a few hours on her youtube 😅
Would you recommend insiderphd?
No clue
What would you recommend me to study?
You need to remember that bug bounty isn't immediate income.
You hear about the people who make lots of money off it. You don't hear about the people who make nothing.
I know, man, but I really love it and would like to start out
Wouldn't you think in about 6 months it would make me money?
Maybe. Maybe not
It's a lot of effort for no guarantee of return
It might pan out, or it might not -- bit like sifting for gold in river beds.
You might get lucky and find something big, or you might spend hundreds of hours and find nothing
Please suggest good resources to start with bug bounties
Check the pinned messages.
Portswigger
Here's my favourite way to reliably bruteforce subdomains: cat SecLists/Discovery/DNS/dns-Jhaddix.txt | subgen -d DOMAIN.TLD | zdns A --name-servers 1.1.1.1 --threads 500 | jq -r "select(.data.answers[0].name) | .name" #bugbountytips
My go to subdomain enumeration workflow that I picked up from sw33tlie. He's awesome for this.
XSS via SSTI finder via shodan usage:
./SSTI-XSS-Finder.sh <Shodan-Dork> like org:target | hostname:https://t.co/PguxYyYTdS | net:127.0.0.1
#bugbounty #bugbountytips
This too is a good finding; I was rewarded 3 times with that. Ignore the "crawl", that is useless. But add --forms
This is another good tip for CI
What's the avg $ for a find like these? @old umbra
Just wanted to share my weird bug-bounty experience.
||I submitted a descriptive bug bounty report for a crypto-trading platform. I believe the bug was a serious one. A user can exploit the application logic flaw and withdraw more money than his balance and make the wallet balance negative.
And I got the response saying that it is one of the features of our platform, and after that it was fixed.||
Should have abused the hell out of the bug and then reported it. And only given it back if they rewarded you for the find 😀
I mean, no, because that's still unethical
Very unethical, and highly illegal, for that matter
Companies being shady f*ckers is an unfortunate aspect of bug bounty, and there doesn't really seem to be much recourse for it other than reporting it to the bounty programme and hoping for the best.
That's all you can do. If they screw you over, just don't do anything else for them, and encourage any others you know who are working on it to ignore them. Drag their name through the dirt with the ethical hacking community.
Then the only people finding bugs are the blackhats who will simply clean them out 🤷♂️
On a lighter note, at least I should have leaked that info to one of the news channels; I would have been sitting in some anti-country embassy or in another country. 😄
With that attitude you should probably avoid bug bounty
What do u mean?
From what I read, platforms tried (and are still trying) their best to show hackers are not just bad guys, and they are willing to make companies and the internet safer with appropriate pay. If you abuse what's given to you then you are only making the platform's job harder (exponentially harder, 'cause people tend to believe hackers are criminals). Of course this is my opinion...
Depends on the program, all programs are different
Hello
Yeah bro i know!!! I can understand you!!
After how many months of work could I, as a beginner, expect results in bug bounties?
I lost 15k$ for fukin mail ru
Are we talking half a year or 2 years+, in general..
@glad cairn I don't think anyone can give exact time
All known people, see my report in private.. And fk hackerone is a scam!! They pay only known people
They scammed me for 15k$
This is my writeup about that
@old umbra Isn't this a program-specific thing?
||It's hard to believe but luck is kinda big factor in getting paid by bug bounties. You can get paid heavily if you luckily run across any zero day or it will take long nights just to find a small bug.||
SQLi = 15k$. They told me to find the columns… Lol, after my reply they fixed the bug and the parameter was sanitized
I shared it privately with all the most famous people on hackerone, as a bug hunter. And everyone told me they scammed me, and I am completely right
Again. Bug bounty is not a sure-fire source of income, and there are plenty of unscrupulous companies around.
You took a gamble and it didn't pay off. Warn others about doing the same, but there's no point in being sore about it.
Yes, it's annoying as hell, but it's not a good look to stay bitter over it.
Or, to put it another way: unlike pentesting, bug bounty is never "worth" anything until you're paid the money.
If you're a pentester you know you'll get paid for the work you do because you're contracted to do it. If you're trying to make money out of bug bounties, you don't actually own the money until it's in your account, and you have no legal fallback to claim it.
It is entirely up to the company whether they accept your bugs, and indeed whether they pay you.
Them's the rules 🤷♂️
They told me that if I find something big again, pass the vulnerability to them. They will create the report for me. Some I know well and can trust. But they have to do it for me, because they are known and get paid.
Exactly. That's the consequence for the companies if they screw people over -- they lose trust with the bug bounty community and gain a bad reputation.
That's it 🤷♂️
Because you were qualified enough to find that bug. It's a high chance that you can find something equivalent in future
Isn't that just trading on margin?
Like that's a pretty standard trading feature
This was just a joke lol, should have added /s to it. I didn't mean to get some of you riled up 
Whitehat all the way 
No, it was a spot trade. And during margin trade it can happen 'cause the trader had borrowed the asset beforehand.
What bug bounty platform did you use to send in the report?
If it was Immunefi, then you can send in a complaint and have them booted off the platform
Sadly communication happened via their official website (Ticket system).
That was your first mistake.
Always try to submit it through a third party like Immunefi. They will fight to get you paid because that's how they get a cut
I know but that site isn't tied up with any bug bounty site.
Thanks, I will keep that in mind. 
Gave +1 Rep to @echo warren
You can still ask a bug bounty platform to act as an intermediary. Helps avoid things like this and being blamed as a scape goat when things go wrong
Hi, I am new to this! 🙂 But I am super interested: how do people work on something like this: https://www.state.gov/reward-offers-for-information-to-bring-darkside-ransomware-variant-co-conspirators-to-justice/
?????????
I would imagine you start by getting a hold of the software they use so you can RE, combine that with some OSINT and knowledge of who's who and what's what in the criminal world; that would get you started
Hmm, sounds good to me! Is anyone particularly watching what's happening in that case?
someone with more knowledge can probably give you better info lol I am just making some educated guesses
By anyone you mean? Like anyone here? Or...
New people won't get this info quickly
People that posted about the last re:evil guy were involved in the community for many years before getting information
Wocky's right, it's a combination of RE, OSINT, social engineering and just general exposure
Yup this is 
Thx, I know it is not a piece of cake and nobody accidentally puts some pics on insta saying "- hi! hacking some gov staff, now! @bachama..." 😉 But I am curious, so thx for sharing some thoughts!
Gave +1 Rep to @solemn condor
Hey, what is a better bug-bounty platform for a beginner? (easy to use)
@old umbra can we name and shame here?
hackerone
You want shame here? You can
That isn't what this channel (or server) is for.
If it comes up in conversation and you can prove the accusation then I have no problem with examples being made (i.e. using a name-and-shame to make a point), but if it's purely for vitriolic reasons then no
No, I was more wanting to know who Jin got scammed by, in order to avoid them in the future, that was all
From a Hackerone program.
I'm just doing public programs and not from platforms like hackerone or bugcrowd etc.
bug bounty people getting denied stuff is common, just research the company history on twitter to see 😄
This is true, all common and famous people are bored of their programs
there is a reason companies like zerodium exist
Oh, then, yes
By all means
This is useful for the fast installation of all necessary tools https://github.com/0xJin/awesome-bugbounty-builder
try to report one critical to mail ru xD
@old umbra cheers that looks pretty comprehensive for people starting out
yup
Any bug bounty platform for beginners ?
check the pinned messages at this channel
Bug bounty and beginner don't really go together, your best bet is starting on hackerone and trying to do the CTF to earn private invites
Thanks
Hackerone has CTF or are you referring to THM?
Hackerone, you can compete in their hacker101 ctf, every flag is worth points which once you reach a milestone, you are rewarded with a private invite
Appreciated.
Curiosity bc im just finding this channel. What are private invitations?
Get instant answers to the most common questions and learn how to use HackerOne.
Nice, thank you!
Thanks @fallen palm. For some reason didn't give a +1
Gave +1 Rep to @hardy cape
It'd be a pretty major problem if there was.
Ah
(I'm asking because I'm not sure if there's a CVE for it or so considering the IIS version is old)
That’s the beauty, now you can try to find that out. Though chances are it’s just an error page
So this may be the wrong thread to ask.. but anyone recommend any good reads for someone new to bug-hunting?
how to begin at bug bounty? & what should i study to do bug bounty? do we need to study languages like php, html, css, javascript and python?
Woah! Please refer to the pinned messages first😄
@dusty pasture
hey quick question
which THM learning path would teach me the most about bug bounty?
@old umbra sorry for the tag..not sure if i'm allowed but i didn't see anything about tagging ppl in the rules 🙂
i thought u shared a bug bounty set up for beginners recently?
Not the person, but using search #bug-bounty message
oh wow it literally is just 3 scrolls upwards
you need it?
you can find it in my profile a pinned message https://twitter.com/0xJin
What do u mean?
i tried giving you +1 reputation 
ah lol xD i don't know xD
it worked in general chat like this lol
yes true ahah
thanks
Gave +1 Rep to @covert moth
yeah work
whut
xD
you already have too much rep, can't gain more
does this error lead to any type of sqli? Error! System.Data.SqlClient.SqlException (0x80131904): Unclosed quotation mark after the character string ''. Incorrect syntax near ''. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
yes it is
union select??
try boolean-based
try with some payload true and false request
or use sqlmap
where's the injection point? which form?
search form
what ya got in mind for that??
it's not easy to find an sqli on a search parameter in 2021/2022
try these payloads
' or sleep(5)#
' or sleep(5)-- -
in burpsuite
and let me know the request
tried these already i think!! but gonna try it again
Use burp with these payload and let me know the millisecond
ok mate thanks
Gave +1 Rep to @old umbra
if you can put here a screenshot of response
getting this error
This is not an error bro
Give me the path vulnerable without a domain disclosed
I give u a command
ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24hdnLmsBookUserReviewID=1&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24hdnLmsBookID=&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24txtsearch='%20or%20sleep(5)--%20-&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24DDBranch=%25&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24DDBookType=%25&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24DDLanguage=%25&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24DDBookCategory=%25&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24UDCLmsAdvanceSearch%24Button4=Search
Student_LmsAdvanceSearch.aspx?mmid=
already did that no it's not
search form i think
Ok type something like “hello” in the search form
And intercept with burp the request
After u have intercepted , right click and save the item
Now go on terminal and use
sqlmap -r intercept.txt --dbs --batch --random-agent --dbms=MySQL
i'll try that see if i get something thanks
Gave +1 Rep to @old umbra
ok mate! sure
but there gotta be something vulnerable right? after seeing this error?
Yes
But u need the poc
yes exactly
I think it is too early 🙂 Learn network,apps etc concepts
Yeah focus up on learning, you won't find anything for long periods of time with bug bounty and only demotivate yourself.
It's not exactly something you want to rush getting into
Yo guys, i found a subdomain that shows the EMV Data, can i do something with them?
Like any tool to parse this data.
@old umbra can i dm ya?
yes
I'm taking suggestions on practical/must books.
doesn't need to be a book it can be any high quality resource etc..
looking forward to finding a bug per week starting 06-01-22
I love info graphics btw
Portswigger
using x-forwarded-host, we can get a token (say from a reset-password link). But, to get it the user needs to click the link. Doesn't that token expire once the user clicks and resets by themselves?
https://www.coindesk.com/tech/2021/12/29/polygon-discloses-patched-exploit-that-put-9b-matic-at-risk/ 2.2 million dollar bug bounty... Well in stablecoins, but still.
Is there anybody willing to share some resources for bug bounty hunting? I understand how most vulnerabilities work, the problem is, I am having a hard time actually discovering them
There are quite a few resources in the pinned messages.
whoops my bad didn’t even check, lol i thank you @fallen palm
Gave +1 Rep to @hardy cape
Better article here.
Ooooooh. The write up! Nice, nice.
The second hacker got 1.2m
So in total it's a 3.3 m bounty
I heard they got like 500k in matic but I never looked at the conversion. Defi comin' out with the bounties.
If this stuff interests you then it'd be prudent to read my article on it.😄
https://medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b
Yeah there's about 10 or so programmes listed with 1m+ bounties
Not as easy to find vuln code though
Otherwise I'd be a millionaire too.
Niiiiice. New frontier for not only finance but tech and security. Exchange front ends like Uniswap and the like quite likely need observation too so I imagine multiple vectors. I better pay attention concerning this.
why does the zero address as the "from" address lead to this bug (why is the zero address related to the MRC20 contract)? I think I understood the code segments but I couldn't understand that part
Externally owned addresses or user wallets with tokens have private and public keys. The private key is what you use to sign or authenticate your transfers, without it the transaction fails.
The zero address is a special case that signifies when a contract is being deployed to the blockchain so it doesn't need or have a private key allowing the attacker to bypass the need to sign the transaction.
Does that help?
I get that, I couldn't get where the attacker specifies the address of the MRC20 pool (or whatever it is)
In the function call
I.e address.transferFrom(address goes here)
I thought that the value of "from" variable is 0x0
thanks, I will check it once more
is checking the source code of these applications randomly a good approach? I read your article and I'm interested in defi security now (pretty good article btw)
Well not randomly ofc. There's an approach to it. The code is usually available on github for each protocol listed on Immunefi's website
Yes I saw the source codes, is there like a guide or something for the approach?
Quick question: where would I go to look for bug bounties?
Like, I know there are programs via facebook/google/whathaveyou
but like, how would one go about legally testing a site for bugs?
hackerone
It's covered in my article. You build the approach along the way once you reach the secureum bootcamp
First and most important is learning solidity and a testing framework
Testing exploits on mainnet and public testnets will get you banned
So it is imperative that you learn how to fork mainnet
@woeful lynx Or BugCrowd. Or SynAck. yesWeHack. OpenBugBounty. Intigriti. Just to name a few. Google something like bug bounty platform and I'm sure you will get even more results. Pick a community you like and fits your location, style and effort.
@woeful lynx You might also wanna start by first going through the various BB courses out there. Most of the platforms offer them for free. Here is a good link of some options: https://securitytrails.com/blog/popular-bug-bounty-courses
If you’re starting out synack isn’t the place to go, the application process requires experience and takes roughly two to three months to get through it
That's true
And places like Intigriti are better served if yer in Europe. That's why I was saying check out the community, and make sure you fit.
@swift grotto thanks so much!
Gave +1 Rep to @swift grotto
I am excited to hop into it
It’s a great community to learn from. Good luck!
has anyone been awarded for self-xss before?
I’ve only ever seen others get triaged for it
It’s a myth like xmlrpc being enabled
The only myth on tryhack me is achieving the rank beyond 0xD
Ah, brings up the question that I have had for a while: Why not go to 0xF if you are using hex? Seems intuitive enough, but I am sure there are reasons why there is no rank E or F as of the time being
Has anyone got bounty for SPF?
Hi, can anyone help me with a doubt about XSS?
It's better to just ask your question
Is this a CTF or similar? Or a real bounty?
If it's a CTF, please ask in #infosec-general
can anyone write a small code in python3? i'm getting an error
import BaseHTTPServer is not supported in python3 so i'm getting an error
It's a script written for python2...
let me test it again then
oh i got it the [Errno 98] Address already in use
i changed the port and it works
If the cookie header contains 9 different names and values, is CSRF possible in this condition or not?
This might be useful for you but I recommend finding your own flow as you learn
@bronze tree
Personally, I skip non-code resources. 
So does samczsun apparently
which platform would be great to start with bug bounty hackerone or bugcrowd ?
Hackerone has more opportunities for private programs through hacker101 ctf
So likely start there
thanks, you are awesome
Gave +1 Rep to @echo warren
Immunefi.
ill check it thanks
Gave +1 Rep to @echo warren
thanks
Did you try using 2to3 on it to convert it to py3?
Can someone tell me what I’m looking at on this subdomain?
it works with py2, the problem was the port was already in use, i changed it and it works
I have found a GET parameter that reflects the value in a cookie, I am trying a CRLF payload in this parameter test%0d%0aSet-Cookie:%20csrf=fake but its setting the whole payload as cookie value and CRLF is not working to set another cookie. What could be the reason?
Hi guys, I am starting bug bounty from today onwards . Any suggestions?
In the pinned messages there are a few resources. Might help.
thanks
hey everyone
if I've found a possible blind ssrf inside a JWT which fetches the oauth token for the authentication process and i have received an http request to ./well-known/token on my collaborator, what can i do further?
any suggestion ?
Do SKAdNetwork IDs contain a risk if exposed?
Here's the summary ( Twitter thread ) of day 10 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1480582174973825033?s=20
Day 10 of #100DaysOfHacking
So far, I have tried basic auth flow tests on this target, tried to bypass CSRF, tried to perform ATO using a couple of methods. To be honest, though there are still lots of things to test, I have used my skillset and got ....
A GET parameter takes a binary value, how should I manipulate it??
(Parameter=10101110101)
You need to know what’s happening to the parameter before you exploit it
Maybe it just takes binary in and does nothing with it
Here's the summary ( Twitter thread ) of day 11 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1480954038644576266?s=20
Day 11 of #100DaysOfHacking
As discussed yesterday, I decided to learn static analysis of JS files today.
Went to the dev tools on the target site and opened JS files linked in the source code of the site, believe me it wasn't a good sight. Have a look at this screenshot ...
what skills do you need to find bug bounties
Check the pinned posts, I’ve already made a decent post about it in the past
I've found an interesting blind ssrf which may have potential
anyone experienced in this I could message to throw some ideas around with
where are the pinned posts
Here.
damn, here take my respect +rep
Gave +1 Rep to @hardy cape
Check the pins as a first step.
Here's the summary ( Twitter thread ) of day 12 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1481320096987594754?s=20
Day 12 of #100DaysOfHacking
Though sourcemaps provided me with detangled, unminified code of the target app in developer tools, I wanted to download the whole frontend code base to my local machine for better analysis via a code editor. Dev tools have no feature to download ...
Who taught you about programming?
Google/Stack Overflow/Error messages
Great choice. And Google will be it again.
I hope also for @left osprey
One man takes the long route so the next doesn't have to.
Google is full of misleading or unreliable resources, give them a starting place.
Found unauthenticated reflected XSS and reflected CSTI
Is that considered severe or moderate?
finished up this fun project https://github.com/elbee-cyber/prt
Reflected you're looking at a low-high depending on if you can chain it with anything or do anything with it.
CSTI could possibly be a medium/high depending on context
MAN I JUST DID THE COOLEST SH*T EVER HAHAHAHHAHAHA
TURNED ANOTHER REFLECTED XSS INTO ACCOUNT TAKEOVER
Without spoiling too much, basically:
GET /endpoint?q=xss
with xss standing for a &# and URL encoded payload including a fetch() using POST and credentials: same-origin
the account cookie was on samesite lax
so fetch() included the account cookie
and the endpoint for password and email changing
didn't have an anti-CSRF token
so basically reflected XSS + CSRF + Cookie misconfiguration + No CSP = account takeover
massive coincidence but ayyy
Aye gz man, that's an easy high right there!
Hi, I have got all the frontend source code of a website using JS source map files. The code I have received includes all the original source and implementation of different features. Its thousands lines of code. Can it be reported?
Yeah and backend source code or GitHub repos can be reported but you may not receive a bounty for that as it comes under information disclosure.
And they are most often neglected for a Bounty
Here's the summary ( Twitter thread ) of day 13 of my #100DaysOfHacking challenge
https://twitter.com/NjmUlSqb/status/1481637356746596357?s=20
Day 13 of #100DaysOfHacking
Went through the front end source code again to look if I can find something or anything but no.
I was assuming (to my stupidity) that I have got the whole frontend source but nah its the source for a specific page (quite obviously) hence sign up...
What pins
Books
Pins on the channel
Hey guys what is Jason Haddix's methodology.....can it help me in my 🪲 bounty journey
@left osprey it’s a pretty in depth lecture on reconnaissance, everybody has a different methodology for recon and their method of coming upon findings in web apps and exploitation. I think it’s a good way if you’re beginning to understand how a methodology should work and begin to develop your own that way
also, @left osprey a useful resource in learning how to use a mindmap effectively
How about you hire us to do the BB for you?
Not knowing is ok, not putting effort in self-learning is not. It looks you want someone to do it for you.
Coz if you looked at it, you would know. Reading the description on YouTube costs you less than 30 sec.
@left osprey he is right, although asking questions isn’t a bad thing. You have to understand that from someone who said they learned how to code solely from books, it seems like you’re not developing a learning process and rather relying on others to develop a base knowledge for you
And I need to find out how to do the reactions on Discord...
It'sss Pikachuuuu
damn, just popped the same!
change email had no csrf
no csp either
pretty neat takeover
let's pray we both land a high 🙏
Hey !
is there any tool which can convert a json file into an html file? Actually i want to convert the wpscan json output to an html report as it will be more readable.
Thanks
anyone got a good cheat sheet to check for sqli impact?
😅 I probably should've checked there by now, thanks :)
Gave +1 Rep to @swift grotto