Main app methodology: Bug bounties

Falken Smaze
System Weakness
Nov 21, 2022

What is a bug bounty?

  • If you’re here, you probably already know what a bug bounty is; however, for those who are still unaware, a bug bounty is a reward (cash, points or swag) offered to a person who identifies a vulnerability in a system.

Usually, bug bounty programs cover web applications or mobile applications; however, there is no restriction on what can or can’t be in scope for a program.

Today, we’re going to talk about my methodology of testing web applications.

Here is what we’re going to go through: Preparation, Request(s) inspection, Parameter analysis and finally vulnerability testing, which mainly covers: broken access controls, SQL injections (old is gold :) ), business logic vulnerabilities (including vulns like IDORs), SSRFs, RCEs, CSRFs and more.

Preparation

  • Here we explore the target for a few hours (5+).
  • I recommend doing this while having a proxy intercept every request and response, so that you can inspect functions and whatnot afterwards.
  • Take note of every privilege level you identify & create a mindmap of the functionalities discovered.
  • Read the documentation of the website/API(s).
  • Create test account(s). (While doing that, test for vulnerabilities such as XSS or even SQLi; basically anything that requires input.)

Request(s) inspection, Parameter analysis & Vulnerability discovery

  • Go to Burp and filter on all requests with parameters.
  • Then, try to understand the functionalities that take those parameters, and see if you can somehow exploit them.
  • Continue exploring the application (business logic vulnerabilities).
  • URL parameters that get resolved by the server: SSRF.
  • Parameters that fetch files locally/remotely: LFI/RFI.
  • Parameters that carry CSRF tokens: test for CSRF vulnerabilities.
  • Image upload: XXE (using the SVG extension).
  • Document upload: XXE (using DOCX or XLSX).
  • Look for information disclosures in the requests and the responses.
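As an added example (this is not code from the original post), here is a small Python script that turns a proxy history export into the parameter inventory the list above describes. It reads a HAR 1.2 file (Burp and most browsers can export one), keeps only requests that carry parameters, and tags each parameter with the control that needs reviewing: URL-valued parameters map to SSRF/redirect handling, path-like values to file-inclusion handling, token-named parameters to CSRF protection, and SVG/DOCX/XLSX uploads to XML parser hardening. The HAR fragment, the hostnames and the tagging heuristics are all constructed assumptions of mine, not the author’s.

```python
"""Parameter inventory from a proxy HAR export (added example, not from the post).

Assumes the proxy history was exported as HAR 1.2 JSON. The SAMPLE_HAR below
is a constructed stand-in for a real export; the regexes are heuristics chosen
for illustration and will need tuning for a real target.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR fragment: four requests, three of which carry parameters.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://app.example.test/preview?url=https://cdn.example.test/a.png&lang=en",
                     "postData": None}},
        {"request": {"method": "POST",
                     "url": "https://app.example.test/export",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": "template=../templates/invoice.html&csrf_token=abc123"}}},
        {"request": {"method": "POST",
                     "url": "https://app.example.test/avatar",
                     "postData": {"mimeType": "multipart/form-data; boundary=x",
                                  "params": [{"name": "file", "fileName": "me.svg",
                                              "contentType": "image/svg+xml"}]}}},
        {"request": {"method": "GET", "url": "https://app.example.test/", "postData": None}},
    ]}
})

# Heuristics (assumed, not exhaustive): what a value or name looks like.
URL_RE = re.compile(r"^(https?|ftp|file|gopher|dict)://", re.I)          # server may fetch it
PATH_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)|\.(html|php|txt|xml|ini|conf|log)$", re.I)
TOKEN_RE = re.compile(r"(csrf|xsrf|token|nonce|state)", re.I)             # anti-CSRF candidates
XML_UPLOAD_EXT = {"svg", "docx", "xlsx", "pptx", "xml"}                    # parsed as XML server-side


def classify(name, value, filename=None):
    """Return the review tags for one parameter (uploads are judged by extension)."""
    if filename:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ["upload:xml-parser (XXE)"] if ext in XML_UPLOAD_EXT else ["upload:other"]
    tags = []
    if URL_RE.match(value):
        tags.append("value:url (SSRF/redirect)")
    if PATH_RE.search(value):
        tags.append("value:path (LFI/RFI)")
    if TOKEN_RE.search(name):
        tags.append("name:token (CSRF)")
    return tags or ["plain"]


def inventory(har_text):
    """One row per parameter in any request; requests without parameters are skipped."""
    rows = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        endpoint = f"{req['method']} {parts.path}"
        # Query-string parameters first, then body parameters by content type.
        params = [(k, v, None) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        post = req.get("postData") or {}
        mime = post.get("mimeType", "")
        if mime.startswith("application/x-www-form-urlencoded"):
            params += [(k, v, None) for k, v in parse_qsl(post.get("text", ""), keep_blank_values=True)]
        elif mime.startswith("multipart/form-data"):
            params += [(p["name"], p.get("value", ""), p.get("fileName")) for p in post.get("params", [])]
        for name, value, filename in params:
            rows.append({"endpoint": endpoint, "param": name, "tags": classify(name, value, filename)})
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_HAR):
        print(f"{row['endpoint']:<16} {row['param']:<12} {', '.join(row['tags'])}")
```

Run it against a real export by replacing SAMPLE_HAR with the file contents; the output is the list of endpoint/parameter pairs to walk through one by one, and the tags say which of the checks above applies to each. Keeping the heuristics in three small regexes makes it easy to add the naming conventions of the application you are looking at.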

This is my methodology when testing web applications. It can be used for both bug hunting and web app pentesting gigs/jobs. In the future, I will discuss many of these vulnerabilities and more in my “Explaining vulnerabilities” series, to further educate people interested in offensive security.

I hope you’ve found this useful!
