<aside> Source: https://www.bugbountyhunter.com/zseano/ Author X: https://x.com/zseano
</aside>
This guide is designed to give you an insight into how I approach testing for vulnerabilities on web applications, as well as guidance on participating in bug bounties. It is aimed at those looking to learn the mindset and to begin building a flow to follow when looking for vulnerabilities: the questions you should ask yourself when testing, common vulnerability types and techniques to try, and the tools you should be using.
This guide assumes you already have some basic knowledge of how the internet works. It does not cover the basics of setting tools up or how websites work. For learning the basics of hacking (nmap scans, for example), the internet, ports and how things generally fit together, I recommend picking up a copy of "Breaking into Information Security: Learning the Ropes 101" by Andy Gill (@ZephrFish). At the time of writing it is FREE, but be sure to show some support to Andy for the hard work he put into creating it. Combine the information in that book with my methodology and you'll quickly be on the right path.
https://leanpub.com/ltr101-breaking-into-infosec
Being naturally curious is what brings out the hacker in us: questioning how things work, or why they work the way they do. Add developers making mistakes in their code into the mix and you have an environment in which a hacker thrives.
A hacker like you.
Sharing really is caring. I could not be more grateful to those who helped me when I very first started with bug bounties. If you are ever in a position to help others, do it! I'd like to dedicate this page to those who took the time to help me when I was new to bug bounties and who, to this day, still offer me help and guidance.
@BruteLogic - An absolute legend who has my utmost respect. Rodolfo Assis specialises in XSS testing and has become something of a "god" at finding filter bypasses. When I was new I stuck to finding just XSS and I could see Rodolfo was very talented. I had an issue once and didn't think he'd reply considering he had 10,000+ followers, but to my surprise he did, and he helped clear up my confusion about where I was going wrong. Rod, as a personal message from me to you: don't stop being who you are. You are a great person and you have a bright future ahead of you. Stick at it man, don't ever give up.
@Yaworsk, @rohk_infosec and @ZephrFish - also known as Peter Yaworski, Kevin Rohk and Andy Gill. I met these three at my first ever live hacking event in Las Vegas and we've been close ever since. All three have extreme talent when it comes to hacking and I admire their determination and motivation. They are like family to me and I am so grateful I got the chance to meet them.
If you don't already, I recommend giving all of them a follow and checking out their material.
To some, the word "hacker" means someone acting maliciously, such as hacking into a bank and stealing money. Some use terms such as "whitehat" ("good" hacker) and "blackhat" ("bad" hacker) to make the distinction, but times have changed and the word hacker should not be used solely to describe someone acting maliciously. That is what you call a criminal. We are not criminals. We are bug bounty hunters. Throughout this guide you will see the word "hacker" being used, and I want to make it clear that when we use it we are not describing someone acting maliciously or illegally.
The information provided in this methodology is intended for legal security research purposes only. If you discover a vulnerability accidentally (these things happen!) then you should attempt to report it responsibly to the company in question. The more detail, the better. You should never demand money in return for your bug if the company does not publicly state that it will reward; this is extortion and it is illegal.
Do NOT purposely test on websites that do not give you permission to do so. In doing so you may be committing a crime in your country.
This methodology is not intended to be used for illegal activity such as unauthorised testing or scanning. I do not support illegal activity and do not give you permission to use this flow for such purposes.
The contents of this book are copyrighted to the author Sean Roesner (zseano) and you do not have permission to modify or sell any of the contents.
When showing examples of applying the methodology you may see references to some of BugBountyHunter's web applications such as BARKER, KREATIVE and FirstBlood. Please note these web applications are for members only and more information on this can be found at https://www.bugbountyhunter.com/membership
Our web applications are designed to help you gain confidence when identifying vulnerabilities on web applications. There are no flags to find; instead you have to work out how each feature works on fully functional websites, just as on a real bug bounty program.
BugBountyHunter offers realistic web applications containing real findings that I have personally discovered.
I won't bore you too much with who I am because hacking is more interesting, but my name is Sean and I go by the alias @zseano online. Before I even "discovered" hacking I first learnt to develop, starting with coding "winbots" for StarCraft and later developing websites. My hacker mindset was ignited when I moved from playing StarCraft to Halo 2 and saw other users cheating (modding) and wanted to know how they were doing it. I applied the same thought process to many more games such as Saints Row, finding "glitches" to get out of the map. From here on I believe the hacker in me was born, and over the years I combined my knowledge of developing and hacking to get to where I am today.
I have participated in bug bounties for a number of years and have submitted over 600 bugs in that time. I've submitted vulnerabilities to some of the biggest companies in the world and I even received a Certificate of Recognition from Amazon Information Security for my work!
I taught myself to hack and code out of natural curiosity. I have always been interested in learning how things are put together, so I'd take them apart and try to rebuild them myself to understand the process. I apply the same thought process to taking apart a website's security.
When doing bug bounties my main aim is to build a good relationship with the company's application security team. Companies need our talent more than ever, and by building close relationships you not only get to meet like-minded individuals but you take your success into your own hands. As well as this, the more time you spend on the same program, the more success you will have. Over time you begin to learn how the developers think without ever meeting them, based on how they patch issues and what happens when new features are released (new bugs, or the same bugs reintroduced?). Always think about the bigger picture.
I really enjoy the challenge behind hacking and working out the puzzle without knowing what any of the pieces look like. Hacking forces you to be creative and to think outside the box when building proof of concepts (PoC) or coming up with new attack techniques. The fact the possibilities are endless when it comes to hacking is what has me hooked and why I enjoy it so much.
I have shared lots of content with the community and even created a platform in 2018 named BugBountyNotes.com to help others advance their skills. I shut it down after running it for a year to re-design the platform & to re-create the idea, which you can now find on BugBountyHunter.com.
To date I have helped over 500 newcomers discover their first bug, and some have gone on to earn a sustainable income over the years. But I am only 10% of the equation; you have to be prepared to put in the time and work.
The 90% comes from you. Time and patience will pay off. Get firmly in the driver's seat and make hacking on bug bounty programs work for you.
Youâre the one producing the results.
I strongly believe everyone has a hacker inside them; it's just about waking it up and recognizing that we all naturally possess the ability to question things. It's what makes us human. Being a hacker is about being naturally curious, wanting to understand how things work, and wondering what would happen if you tried "xyz". This isn't just related to hacking. Bought a new device and curious how it works or what requests it sends? You're already digging the rabbit hole to dive into.
Question everything around you and ask yourself what you could try to change the outcome. Remember, every website, device and piece of software has been coded by another human. Humans make mistakes and everyone thinks differently. On top of that, developers push new code and features weekly (sometimes daily!) and, faced with deadlines, sometimes cut corners or forget things. This is the process that creates mistakes, and it is where a hacker thrives.
A lot of people ask me, "Do I need a developer background to be a hacker?" and the answer is no, but it definitely helps. A basic understanding of how websites work with HTML, JavaScript and CSS can aid you when creating proof of concepts or finding bypasses. You can easily play with HTML and JavaScript on sites such as https://www.jsfiddle.net/ and https://www.jsbin.com/. Beyond that basic understanding, I also advise people not to overcomplicate things when starting out. Websites have been coded to perform specific functions, such as logging in or commenting on a post. As explained earlier, a developer has coded this, so you start questioning: "What did they consider when setting this up, and can I maybe find a vulnerability here?"
Can you comment with basic HTML such as <h2>? Where is it reflected on the page? Can I put XSS in my name? Does it make any requests to an /api/ endpoint, which may contain more interesting endpoints? Can I edit this post? Maybe there's an IDOR! From there, deep down the rabbit hole you go. You naturally want to know more about this website and how it works, and suddenly the hacker inside you wakes up.
If you have no developer experience at all then do not worry. I recommend you check through https://github.com/swisskyrepo/PayloadsAllTheThings and try to get an understanding of the payloads provided. Understand what they are trying to achieve, for example, is it an XSS payload with some exotic characters to bypass a filter? Why & how did a hacker come up with this? What does it do? Why did they need to come up with this payload? Now combine this with playing with basic HTML.
As well as that, simply get your head around the fact that code typically takes a parameter (GET or POST, JSON body data, etc.), reads the value and then acts on it. As simple as that. A lot of researchers brute force common parameter names that aren't referenced on the page, because sometimes you get lucky guessing a parameter and uncover weird functionality.
For example you see this in the request:
/comment.php?act=post&comment=Hey!&name=Sean
But the code might also take an "&img=" parameter which isn't referenced anywhere on the website, and which may lead to SSRF or stored XSS (since it isn't referenced, it may be a beta/unused feature with less "protection"). Be curious and just try; you can't be wrong. The worst that can happen is the parameter does nothing.
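As an added illustration (not code from the original page), here is the idea behind that kind of parameter guessing, in Python: fetch a baseline response, then resend the same request once per candidate name with a canary value, and keep any name that changes the response. The target below is a constructed stand-in for the /comment.php request above that quietly reads an undocumented img parameter; the wordlist is constructed too, and in a real test the send function would perform the HTTP request (for example with the requests library).

```python
"""Hidden-parameter discovery by response differencing.

Added example, not code from the original page. The endpoint below is a
constructed stand-in for the page's /comment.php, not a real site.
"""
from urllib.parse import parse_qs, urlencode


def fake_comment_endpoint(query: str) -> str:
    """Constructed stand-in for the application under test (hypothetical).

    It documents only act, comment and name, but also reads an undocumented
    ``img`` parameter and drops it straight into markup. In a real test
    ``send`` would perform an HTTP request instead of calling this.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    name = params.get("name", "anon")
    comment = params.get("comment", "")
    html = f'<div class="comment"><b>{name}</b>: {comment}'
    if "img" in params:  # unreferenced parameter, no encoding: worth finding
        html += f'<img src="{params["img"]}">'
    return html + "</div>"


# Constructed wordlist; real runs use thousands of common parameter names.
WORDLIST = ["img", "image", "url", "redirect", "debug", "admin", "file", "callback"]


def discover_parameters(send, base_params, wordlist, canary="zs3an0canary"):
    """Return [(param, reason)] for wordlist names that change the response.

    ``send`` takes a URL-encoded query string and returns the response body.
    The baseline is fetched twice: if the two copies differ, the page is
    noisy (timestamps, CSRF tokens) and plain comparison would flag every
    candidate, so we stop rather than return false positives.
    """
    baseline = send(urlencode(base_params))
    if send(urlencode(base_params)) != baseline:
        raise RuntimeError("baseline is not stable; strip dynamic content before diffing")

    hits = []
    for name in wordlist:
        if name in base_params:
            continue  # already known, nothing to discover
        body = send(urlencode({**base_params, name: canary}))
        if body == baseline:
            continue  # server ignored the parameter
        if canary in body:
            # value lands in the output: check for XSS, SSRF, open redirect
            reason = "reflected"
        else:
            # behaviour changed without reflection: weaker signal, dig in manually
            reason = f"length {len(baseline)} -> {len(body)}"
        hits.append((name, reason))
    return hits


if __name__ == "__main__":
    known = {"act": "post", "comment": "Hey!", "name": "Sean"}
    for param, why in discover_parameters(fake_comment_endpoint, known, WORDLIST):
        print(f"candidate parameter: {param} ({why})")
```

A parameter that reflects the canary is the one to chase: if it lands inside an attribute such as src, that is exactly the unreferenced image-fetching or markup-injection behaviour described above. Length changes without reflection are weaker signals but still deserve a manual look. The double baseline is the practical caveat: pages that embed per-request tokens or timestamps will differ on every request, so that dynamic content has to be stripped or normalised before the comparison means anything.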
You've just bought a new smart home system which lets you connect in remotely just to make sure your cooker is turned off, etc. Most people will blindly connect it and get on with their lives, but how many of you reading this would connect it and start questioning: "How does this actually work? When I connect to my smart home system, what information is this device sending out?" There has to be some sort of data being sent from one device to the other. If you're nodding and saying "Yes, this is me!", then you've already begun your journey to becoming a hacker. Question, research, learn, hack.
A bug bounty program is an initiative set up to incentivize researchers to spend time looking at a company's assets, identify vulnerabilities and report them responsibly to the company. Companies set up a policy page detailing the scope you are allowed to poke at and any rewards they may offer. They also supply rules on what NOT to do, and I highly recommend you always follow these rules or you may end up in trouble.
You can find bug bounty programs on platforms such as HackerOne, BugBountyHub, Synack, Intigriti and YesWeHack. With that said, you can also find companies prepared to work with researchers simply by searching on Google, for example (don't forget to check different countries; don't just search on google.com, try .es etc.):
"responsible disclosure program"
"vulnerability disclosure program"
"vulnerability program rewards"
"bugbounty reward program"
inurl:"vulnerability disclosure"
inurl:"responsible disclosure"
At the time of writing, bug bounty platforms such as HackerOne send "private" invites to researchers who regularly spend time on the platform and build "reputation". A lot of researchers believe the most success lies in these private invites, but from experience a lot of the public paying programs on platforms still contain bugs, and some even pay more than privates! Yes, private invites are less crowded, but don't rely on them.
Should you spend time on a Vulnerability Disclosure Program (VDP)? In my opinion yes, but with limits. I sometimes spend time on VDPs to practise and sharpen my skills, because to me the end goal is building relationships and becoming a better hacker (whilst helping secure the internet, of course!). VDPs are a great way to practise new research; just know your limits and don't burn out giving companies a complete free test. Companies want our talent, so even if they don't pay, show them you have the skills they want, and should they "upgrade" their VDP to a paying program you may be at the top of their list to get invited. Perhaps there is some cool swag you want, or you just want a challenge on a Sunday afternoon. Know your risk vs reward ratio when playing on VDPs.