100 Bug Bounty Tips 💯


Yoo. Welcome to Issue #05 of Navigating Security.

🍃Quote of the week:

Hackers are like artists, philosophers, and engineers all rolled into one. They challenge assumptions, seek flaws in systems, and reshape the world around them in unexpected ways

  Kevin Mitnick

TLDWTR 🙄

  • More CVE hunting tips in case you missed them last time ⏳
  • An aspiring hacker’s web application penetration testing guide for 2024 by HTB’s 2023 MVP 🏆
  • 100 Bug Bounty Tips by @ArchAngelDDay 💯

⏱️ In case you missed the previous issue, here you go:

You get a CVE, he gets a CVE, you all get CVEs (CVEs = Clout?): https://www.navigatingsecurity.net/p/you-get-a-cve-he-gets-a-cve-you-all

This Week’s YouTube Video:

More CVE Hunting

The best way to find CVEs - GitHub Dorking?

An aspiring hacker’s web application pentesting guide 🕸️

Hack The Box’s 2023 MVP wrote a rather lengthy guide on how to get into web application hacking in 2024. If you are just starting, this is a good read. He doesn’t spend the entire time promoting HTB, but gives some valuable advice. Here are the key takeaways:

  • Master web technologies: HTML, CSS, JavaScript, and at least one server-side language (e.g., PHP, Python).
  • Learn the standard tools: Burp Suite (intercepting proxy), OWASP ZAP (proxy and vulnerability scanner), and Metasploit (exploitation framework).
  • Practice on platforms like Hack The Box to gain hands-on pentesting experience before touching a real target.
  • Understand both internal (from within the organization’s network) and external (from the internet) testing approaches.
  • Know the whole engagement lifecycle, from contract and scope definition through testing to reporting vulnerabilities.

https://www.hackthebox.com/blog/an-aspiring-hackers-web-application-penetration-testing-guide-for-2024

100 Bug Bounty Tips 💯

You saw the title, I know you’re here for the tips so I won’t keep you waiting any longer. These are from Douglas Day’s X (formerly known as Twitter) so be sure to check out the original tweet linked at the end. Enjoy 😇

  • Spend at least 30 minutes on a new target
  • Look for “No”s
  • Use Italics Tags in your inputs instead of XSS payloads
  • Focus on SaaS apps that are multi-tenant
  • Buy Burp Pro
  • On a new target go straight to the User Management section
  • See if inviting an existing user to your org exposes their name
  • See if inviting an existing user removes them from their own org
  • If the scope has a wildcard, use subfinder to find subdomains
  • Run httpx on the list of subdomains to narrow down alive targets
  • On an app you’re not familiar with, use it like a normal user first
  • If the docs say you can’t do X, but you can do X then you have a bug
  • Use match & replace rules to find new endpoints
  • Budget time into your week specifically for hacking
  • Give yourself a no-bug time limit. I do 3 hours.
  • Go back to old dupes and see if you can still reproduce.
  • Look for “+2” in your reputation log to find dupes that should be now.
  • Make your report a conversation, not a sales pitch
  • Accept & expect that dupes will happen
  • File & Forget
  • If an endpoint has “api/v2/”, try “api/v1/”
  • If an endpoint has “api/v2”, try removing the “v2” altogether
  • 6 $1000 Mediums pay more than 1 $5,000 crit. Don’t ignore any bugs
  • Lows are still bugs that should be filed
  • Be kind to your triager
  • Say “thank you” when you get a bounty
  • If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.
  • If UUID IDORs exist, then look for an endpoint that exposes UUIDs
  • Pin your success on whether you followed your plan, not if you found bugs
  • A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit
  • Going deep will pay off
  • Working with new hackers will pay off in dividends
  • Don’t be jealous
  • Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your sanity
  • If you find a bug that’s OOS, still ask the customer if they care
  • There’s no end. Enjoy the journey
  • Have a hobby that’s not related to hacking
  • Have friends that don’t hack
  • Figure out what time of day you hack the best. Late nights aren’t for me.
  • Spend that extra 2 minutes to make your report look/read nice
  • “Subscribe” to programs that pay well and have good scope
  • Don’t whine on Twitter about a single report. Or at all for that matter.
  • IDORs and Privilege Escalations are a great place to start
  • Unmet expectations lead to disappointment
  • Teach someone else how to hack
  • Time spent reading/learning is time well spent
  • Focus on programs that you actually use in your day-to-day
  • Establish a relationship with the program
  • Try asking the program what types of bugs they want to see
  • Look at a program leaderboard to see who you should collab with
  • When collaborating, an even bounty split eliminates the hassle
  • Take a break when you stop having fun
  • At an LHE, start hacking ahead of time
  • Look for programs that are active in resolving reports
  • Look for programs that haven’t awarded a lot recently
  • Look for programs that have collaboration enabled
  • Look for programs that don’t list out a bunch of known issues
  • Look for programs that have a history of adding new scope
  • Change your strategy if you’ve gone a while without a finding
  • If you’re on a roll, keep doing what you’re doing
  • But don’t let success keep you from evolving/growing
  • Compare yourself against yourself from last year
  • Maintain online presence for new opportunities
  • Be thankful for failure
  • Read disclosed reports
  • Focus on one program at a time. Cycle if you get bored.
  • Don’t spray XSS payloads everywhere
  • If possible, work at a company that has a BBP
  • Spend bounty money on tools that will generate more bounties
  • Budget a specific amount of your bounties for fun. And stick to it.
  • When hacking a store, don’t be afraid to make small purchases
  • Look for changes in JS files to know when there may be new functionality
  • Look for references to subdomains in a company’s GH repo
  • Look for references to subdomains in employee’s GH repos
  • If the app uses Intercom, try booting it with another email
  • Look for second-degree IDORs
  • SSRFs exist when the app makes any external request. Look for these requests.
  • Look for actuator endpoints
  • Find hackers that hack differently than you.
  • Try hacking in a different room of the house
  • Try hacking at a different location altogether
  • If you find the same bug on different endpoints, file them as different bugs
  • Try always having some pending bugs in your pipeline
  • Break your yearly bounty goal into monthly goals
  • Know when a bounty isn’t worth fighting over
  • Push back gently when a report gets downgraded
  • Use the leaderboard as motivation, not as comparison
  • Don’t reinvent the wheel when a tool exists
  • Don’t be afraid to build the wheel if the tool doesn’t
  • Try collabing in real time over video chat
  • Always ask why something works the way it does
  • When collabing, don’t be afraid to be the underperformer
  • When collabing, don’t get salty about being the overperformer
  • Use mediation, but use it sparingly
  • Be generous with your earnings
  • Hack for fun, not for a paycheck
  • LHEs are a privilege, not an expectation
  • Programs are your friend, not your adversary. Work with them
  • The platform is your friend, not your adversary. Work with them

https://x.com/ArchAngelDDay/status/1661924038875435008?s=20
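A few of the tips above (13, 21, 22 and 72) describe one workflow: watch a target’s JavaScript for changes, pull the new endpoints out of it, and try the older or unversioned API paths for each one. The script below is an added example written for this issue, not code from the newsletter or from Douglas Day. It runs offline on two constructed snapshots of a bundle (in practice you would fetch the file from the target and keep the previous copy on disk); the constant/concatenation regexes are a deliberately simple heuristic and the sample paths are made up.

```python
"""Diff two snapshots of a JS bundle, list newly referenced endpoints, and
derive the API-version variants worth trying for each (added example)."""
import hashlib
import re

# Constructed sample: the same bundle before and after a deploy.
OLD_BUNDLE = """
const API = "/api/v2";
fetch(API + "/users/me");
fetch(API + "/orgs/invite", {method: "POST"});
"""

NEW_BUNDLE = """
const API = "/api/v2";
fetch(API + "/users/me");
fetch(API + "/orgs/invite", {method: "POST"});
fetch(API + "/orgs/export");          // new functionality shipped
fetch("/api/v3/billing/invoices");     // a brand-new version prefix
"""

# `const API = "/api/v2"` style base-path constants
CONST_RE = re.compile(r'const\s+(\w+)\s*=\s*["\'](/[^"\']*)["\']')
# `API + "/users/me"` style concatenations against such a constant
CONCAT_RE = re.compile(r'(\w+)\s*\+\s*["\'](/[^"\']*)["\']')
# any remaining absolute path literal
LITERAL_RE = re.compile(r'["\'](/[A-Za-z0-9_./-]+)["\']')
# a version segment such as /v2 (followed by a slash or end of path)
VERSION_RE = re.compile(r'/v(\d+)(?=/|$)')


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def extract_paths(js: str) -> set[str]:
    """Collect endpoint paths referenced in a bundle, resolving `CONST + "/x"`."""
    consts = dict(CONST_RE.findall(js))
    paths = set()
    for name, frag in CONCAT_RE.findall(js):
        paths.add(consts.get(name, "") + frag)
    remainder = CONCAT_RE.sub("", js)            # avoid double-counting fragments
    for lit in LITERAL_RE.findall(remainder):
        if lit not in consts.values():           # a bare prefix is not an endpoint
            paths.add(lit)
    return paths


def diff_snapshots(old_js: str, new_js: str) -> dict:
    """Hash change plus endpoints that appeared or disappeared between copies."""
    old_paths, new_paths = extract_paths(old_js), extract_paths(new_js)
    return {
        "changed": sha256(old_js) != sha256(new_js),
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
    }


def version_variants(path: str) -> list[str]:
    """Tips 21/22: for /api/v2/x return /api/x, then /api/v1/x (all lower versions)."""
    m = VERSION_RE.search(path)
    if not m:
        return []
    n = int(m.group(1))
    start, end = m.span()
    variants = [path[:start] + path[end:]]       # version segment removed
    for k in range(n - 1, 0, -1):                # v(n-1) down to v1
        variants.append(path[:start] + f"/v{k}" + path[end:])
    return variants


def recon_report(old_js: str, new_js: str) -> dict[str, list[str]]:
    """Map each newly seen endpoint to the version variants to request next."""
    return {p: version_variants(p) for p in diff_snapshots(old_js, new_js)["added"]}


if __name__ == "__main__":
    for path, variants in recon_report(OLD_BUNDLE, NEW_BUNDLE).items():
        print(path, "->", variants or "(no version segment)")
```

The interesting output is the new `/api/v3/billing/invoices` reference: it tells you both that billing functionality just shipped and that `/api/v2/billing/invoices` and `/api/billing/invoices` are worth a request, since older versions are often left routed without the newer access checks.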

Suggestions

Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.
