https://imgur.com/vidgif/url endpoint is vulnerable to a SSRF vulnerability which allows an attacker to craft connections originating from imgur servers to any destination on the internet and imgur internal network and craft outgoing UDP-packets / telnet-based protocol sessions (for example, to connect to SMTP servers from imgur and send spam). Welcome again to the Hack for Fun and Profit podcast, where we explore topics related to cyber security and bug bounty hunting. it’s all about analysis which is manually you can’t do it with tools. Watch tutorials and videos related to hacking. This is just my way to compare to how shit I was back in uni, and also a referrence for anyone who asks me what my methdology is. Well, thanks for reading this write-up Hope you like it, Feel free to connect me through Linkedin or Twitter. Once I am done with account takeover I look for XXE, Now xxe can be found during registration also. S3 Bucket … In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target. A Step Ahead Bug Bounty : Testing Web Apps In Enterprise Grade Environment. Now the next step is deciding a suitable platform for your first bug hunting. Commands: aws s3 ls s3://XXX/directory/ — profile username and aws ec2 describe-instances — profile username. So I have one more script that takes all the IP address and scan for ports. Bug bounty methodology (BBM) :) Now this time i will share methodology for Web Application Security Assessment from beginning to end (Recon to Reporting/ R&R) . This can help the team behind the bug bounty program reproduce your finding. Be patient. 1. Read on to learn how to write a successful bug submission. Bug bounty hunters all around the world are submitting a range of reports where the issues found span across multiple domains, often leveraging numerous techniques and methodologies. Cookies that are necessary for the site to function properly. (2020) I have my seniors at HackLabs and Pure.Security to thank for the 1+ years of guidance! A Step Ahead Bug Bounty : Testing Web Apps In Enterprise Grade Environment. If you are someone Who doesn’t need methodology right now but want to start and need guide how to start then check out my How to Get started with Bug Bounty blog, […] Read: Bug Bounty Methodology – How to a Target […]. This is going to be divided into several sections. There is no point focusing your efforts on those but keeping track of them is really helpful. For the above preferences described, programs that have a few assets, but large and deep, are ideal. zseano's methodology is a methodology/flow/checklist to follow when looking for vulnerabilities on web applications. I understand the application workflow/requests via a proxy tool such as Burp or Zap. If you have any feedback, please tweet us at @Bugcrowd. Files which I look for are bak,old,sql,xml,conf,ini,txt etc. I hope the Path Guide i’m trying to share here clears doubts for many newcomers in Bug Bounty Hunting. The things which work for me may not for you. The third Part gives ideas step by step to report your findings in a clear way. Hunting For Endpoints while Bughunting developer options Could Be handy for u press ctrl+shift+j click on network and reload the page , few endpoints ,url’s and also u can find subdomain too. Here is my obfuscated payload. I register an account with an already registered email address if fail try to bypass it. TL;DR. In order to do so, you should find those platforms which are less crowded and less competitive.
This atypical robots.txt what I do is, I sort them with some Linux command curl -s https://example/robots.txt | grep -i 'disallow' | cut -d ":" -f 2 | sort -u | tee -a robots.txt. What I mean is, for example, in dirsearch python3 dirsearch.py -u example.com -w wordlist.txt -e PHP,json,xml -f -r --random-agents --plain-text-report=dirsearch.txt --http-proxy=localhost:8080 with help of proxy every request will go through my burp suite so burp suite will generate a site map for me. Once I’ve done all of that, depending on the rules of the program, I’ll start to dig into using scripts for word-list brute-forcing endpoints. Kindly add it in Comments, Also follow http://h1.nobbd.de/ to b updated with HackerOne Public Bug reports You can learn a lot from them, Github Open Source tools for Subdomain Finding :-, Also Just don’t get limited to Subdomains Try extracting vhosts tools like:-, Popular Google Dorks Use(finding Bug Bounty Websites), Need more BugboutyTips ? Kali Linux. Nmap. Make it as easy as possible for the program to see what the issue is. How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! At worst, it will do no harm. Our Must-Read resources: Our two must-read resources linked below are our minimum recommendations for those who wish to become bug bounty hunters. Great for first-step recon, does both passive and active scanning.