Everyone has different goals, styles, and preferences when it comes to bug bounty, and methodologies cannot be one-size-fits-all. Two write-ups worth reading alongside this one are Jason Haddix's Bug Bounty Hunter Methodology v3 and Bug Bounty Methodology (TTP: Tactics, Techniques and Procedures) v2.0. In this session, Rohan will demonstrate effective techniques that pentesters and bug hunters can use for better information gathering, and how to then utilize that information to find differential bugs.

TL;DR: we need to identify assets which belong to the target company and are in scope. From there, I will explain how I pick a web application and how I test it.

I usually avoid programs with no rewards. There are two reasons I do that: not only the money, but also the reputation you get, which is significantly lower on such programs.

In the enumeration phase, my bug bounty methodology consists of enumerating as much as possible to draw the largest attack surface possible. The easiest active way to discover URLs and corresponding parameters on the target is to crawl the site; you should also use a custom wordlist which fits the current target. Passive sources such as gau (inspired by Tomnomnom's waybackurls) complement the crawl. Find all JS files: JavaScript files are always worth a look. Using tools like LinkFinder, I collect URLs from them which I cross-reference with the endpoints I have collected from the mapping exercise. On GitHub, Issues is a goldmine: developers tend to share too much information there ;).

Picking what to test: if all web applications implement a centralized Single Sign-On authentication mechanism, I would look for any directly accessible asset. For the other custom-made web applications, I will generally choose the one whose user interface deviates from the company's common theme. Usually, you won't find easy bugs with it, though.

If there is a signup feature, I create a user and I log in. If you quit before this phase and jump to another asset or another totally different program, you will have lost all the time you have invested learning how the application works.

There you have it!
Hi, I am Shankar R (@trapp3r_hat) from Tirunelveli (India). I hope you are all doing well. Below this post is a link to my GitHub repo that contains the recon script in question. Shubham Nagdive, July 8, 2020.

We are a team of security enthusiasts based in Austria that want to make the Internet a better and safer place.

I used to do thorough enumeration, but I realized that it takes considerable time. You must reduce the time between your first interaction with the program and this phase. If I am investing my time looking for security bugs, I would like to have a bigger return on my investment. Bug Bounty Hunting Methodology v3 by Jason Haddix is a great example.

Additionally, here are some tools (I won't go into detail here) which I use regularly:

Google: do not forget Google; it can be worth it!

EyeWitness: designed to take screenshots of websites, provide some server header info, and identify default credentials (if known). GitHub link.

A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script. GitHub link.

Altdns: a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as a list of subdomains that you already know of.

GetAllUrls (gau): fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.

Use Burp Suite's passive scans: it makes total sense to "import" as many URLs as possible into Burp Suite. Meanwhile, I'm capturing all the traffic with Burp. This is where it starts to get really interesting! In other words, I look for API endpoints in JavaScript files using the naming convention of the endpoints I have in Burp. Does it use a front-end framework?

Until then, stay curious, keep learning and go find some bugs!
We dove deep into our archives and made a list out of all the bug bounty tips we posted up until this point.

In this blog post I want to explain how I normally perform reconnaissance during pentests and for bug bounties. Therefore, I cut through all of the nonsense and show you how I use my knowledge, skills, and my own and other people's tools for security research and bug bounty hunting. Offensity provides continuous monitoring of your external infrastructure and uses a lot of the techniques described here.

What program would you pick to start hunting for bugs? If the percentage of reports meeting the program's response metrics is above 90%, I'd probably accept the invitation if the rest of the metrics are OK.

Because this is my first interaction with the target, I feel it's a bit early to perform a heavy enumeration. For now, all I'm interested in are ports 80 and 443. That's OK for me at this stage because this is my first interaction with the program.

assetfinder: find domains and subdomains related to a given domain. GitHub link (technical details there).

GetAllUrls (gau) for subdomain enumeration: fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. GitHub link.

Use certificate transparency logs: crt.sh provides a PostgreSQL interface to their data.

Check the infrastructure of the application. Is there any OAuth flow?

Limitations: this doesn't cover programs with IP ranges. If there is a program which has IP ranges in scope, this methodology wouldn't work 100%.

Along with Scope Based Recon, Project Bheem will soon be having all Scope Based Recon features.
Just another Recon Guide for Pentesters and Bug Bounty Hunters, by David @slashcrypto. This is going to be divided into several sections: tips, tricks, tools, data analysis and notes related to web application security assessments, and more specifically towards bug hunting in bug bounties.

Hello folks, I am Sanyam Chawla (@infosecsanyam). I hope your hunting is going very well. When I got started with doing bug bounties, I was quickly tired of the amount of reconnaissance commands, checks, and one-liners to remember. You have to find things that nobody else found before in order to find those critical bugs.

Subdomains: a first passive run provides me with a quick idea of the subdomain naming convention and gives me initial assets to work on. I always avoid brute force at this stage. Then, I'd use tools like OWASP amass and brute-force the subdomains using the wordlist I constructed. The command is again easy to run. As a side note, if the program is new, I would probably use Shodan or perform a port scan using masscan to see if any web applications are running on non-standard open ports.

URLs and parameters: GoSpider is a fast web spider written in Go (GitHub link). Arjun: web applications use parameters (or queries) to accept user input. qsreplace removes duplicate URLs and parameter combinations (GitHub link). We can use the following tool to find potentially interesting URLs: gf, a wrapper around grep to avoid typing common patterns. For example, one can write the following gf template to grep for potential URLs that are vulnerable to open redirects or SSRF (GitHub link). Some more ideas on gf patterns, including patterns for interesting subdomains, SSRF and more: https://github.com/1ndianl33t/Gf-Patterns. This allows me to save all the API endpoints into a file.

Mapping: this is where I open up my web browser and use the application as a normal user.

Make sure to test our tool; it's completely free for 4 weeks!

bbrecon comes with an ergonomic CLI and Python library.
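Pulling the certificate transparency and Altdns steps above together: the following is an added example written for this guide, not code from crt.sh, Altdns or amass. It parses the JSON shape a crt.sh wildcard query returns (the sample response below is constructed, and example.com stands in for a real target), then generates Altdns-style permutations of the seed subdomains with a small word list; the kind of target-specific words a custom wordlist gives you would go in the same place. Nothing here touches the network.

```python
"""Seed subdomains from certificate transparency and permute them Altdns-style.

Added example for this guide; it is not code from crt.sh, Altdns or amass.
SAMPLE_CRTSH_JSON is constructed to mimic the JSON that a crt.sh wildcard
query (e.g. https://crt.sh/?q=%25.example.com&output=json) returns; nothing
here touches the network, and example.com stands in for a real target.
"""
import json
import re

SAMPLE_CRTSH_JSON = json.dumps([            # constructed, not a real CT response
    {"name_value": "www.example.com\nexample.com"},   # SANs packed with newlines
    {"name_value": "*.staging.example.com"},          # wildcard certificate
    {"name_value": "api.example.com"},
    {"name_value": "API.example.com"},                # case duplicate
    {"name_value": "mail.example.com\nvpn.example.com"},
    {"name_value": "example.com.evil.test"},          # look-alike, not in scope
])

LABEL = r"[a-z0-9]([a-z0-9-]*[a-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def subdomains_from_crtsh(raw_json, apex):
    """Unique lowercase hostnames under `apex` from crt.sh JSON output.

    Handles the quirks of real CT data: several names per name_value separated
    by newlines, wildcard entries, mixed case, and certificates for other
    domains that merely start with the apex.
    """
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")    # "*.staging.x" -> "staging.x"
            in_scope = name == apex or name.endswith("." + apex)
            if in_scope and HOST_RE.match(name):
                found.add(name)
    return found


def permute(known, words, apex):
    """Altdns-style candidates: for every label of every known host, insert each
    word before it, after it, and hyphenated on either side. Returns only names
    not already known; they still have to be resolved (massdns) before use.
    """
    out = set()
    for host in known:
        labels = [] if host == apex else host[: -len(apex) - 1].split(".")
        for w in words:
            cands = [[w]] if not labels else []
            for i, lab in enumerate(labels):
                cands.append(labels[:i] + [w] + labels[i:])                  # w.lab
                cands.append(labels[: i + 1] + [w] + labels[i + 1:])         # lab.w
                cands.append(labels[:i] + [f"{w}-{lab}"] + labels[i + 1:])   # w-lab
                cands.append(labels[:i] + [f"{lab}-{w}"] + labels[i + 1:])   # lab-w
            for c in cands:
                out.add(".".join(c + [apex]))
    return out - set(known)


def demo():
    """Run both steps on the constructed data; returns the sorted candidates."""
    known = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    return sorted(permute(known, ["dev", "internal"], "example.com"))


if __name__ == "__main__":
    for host in demo():
        print(host)            # feed this list to massdns / httprobe
```

The output is a candidate list, not a result: every name still has to be resolved (massdns) and probed for HTTP (httprobe) before it counts as an asset, which is exactly the check that some permutation tools skip.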
In my opinion, good recon is essential, but it has to lead into testing. Otherwise, you will be wasting your time doing only recon. In general, you don't need to run certain tools to be successful, and most of this methodology will be very manual-testing oriented.

Program metrics: usually, all other response metrics, such as time to first response, time to triage and time to bounty, are lower than the resolution time, so the shorter it is, the better. You can also see the percentage of the reports which have met those response metrics. This is another criterion I look for. The age of the program tells me whether I should spend some time on low-hanging fruit or dig deeper during my testing, because, unless there are new assets, most of the easy bugs would have already been found in an old program. These are the limitations of this approach.

Yes, absolutely, I am doing bug bounty part-time because I am working as a Security Consultant at Penetolabs Pvt Ltd (Chennai).

amass: in-depth attack surface mapping and asset discovery, https://owasp.org/www-project-amass/ (installation instructions can be found there). On the other hand, I like to increase my success rate by brute-forcing with a custom wordlist tailored just for this domain. Shodan also provides a facet interface, which can be very helpful if you want to get an overview of bigger network ranges (see the linked examples).

Since JavaScript files power the client side of the web application, I like to collect and analyze them. I always filter for URLs returning JavaScript files and I save them in an extra file for later.

Then, I make sure to visit every tab, click on every link, fill up every form. Try to understand how they handle sessions and authentication. In this step, I'm trying to focus on one feature at a time. If I am lucky, I might get easy issues to report.

There are plenty of bug bounty tips and tricks along the way, so make sure to stick around until the end. You'll find all the social links in the description.
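The URL triage described above (gau or waybackurls output, deduplicated by parameter shape the way qsreplace does, JavaScript files split off into their own file, and gf-style patterns for open-redirect and SSRF parameter names), as an added example written for this guide. It is not qsreplace, gf or gau; the URL list and the parameter-name patterns are constructed for illustration, and the real Gf-Patterns repo ships richer lists.

```python
"""Triage a gau/waybackurls URL dump offline.

Added example for this guide; not code from qsreplace, gf or gau. SAMPLE_URLS
and GF_PATTERNS are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAMPLE_URLS = """\
https://app.example.com/login?next=/dashboard&lang=en
https://app.example.com/login?next=/account&lang=de
https://app.example.com/static/app.min.js?v=123
https://app.example.com/static/app.min.js?v=124
https://app.example.com/api/v2/users?id=42
https://app.example.com/api/v2/users?id=43
https://app.example.com/fetch?url=http://example.com/feed
https://app.example.com/static/vendor.js
https://app.example.com/image?src=https://cdn.example.com/a.png&size=200
https://app.example.com/about
"""

# Parameter names that open-redirect and SSRF gf patterns typically grep for
# (a constructed subset; real pattern files are longer).
GF_PATTERNS = {
    "redirect": re.compile(r"^(next|redir(ect)?|return(url)?|url|goto|dest(ination)?|continue)$", re.I),
    "ssrf": re.compile(r"^(url|uri|src|dest|redirect|feed|host|site|callback|proxy|domain)$", re.I),
}


def qs_replace(url, value="FUZZ"):
    """Rewrite every query value to `value` so URLs that differ only in values collapse."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    new_query = urlencode([(k, value) for k, _ in pairs])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, ""))


def dedupe_urls(urls):
    """Keep one URL per (path, parameter-name set), in first-seen order."""
    seen, out = set(), []
    for u in urls:
        key = qs_replace(u.strip())
        if key and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def js_files(urls):
    """The JavaScript files, which go into their own file for LinkFinder-style analysis."""
    return [u for u in urls if urlsplit(u).path.lower().endswith(".js")]


def gf(urls, pattern_name):
    """URLs carrying at least one parameter name the given gf-style pattern matches."""
    pat = GF_PATTERNS[pattern_name]
    hits = []
    for u in urls:
        names = [k for k, _ in parse_qsl(urlsplit(u).query, keep_blank_values=True)]
        if any(pat.match(n) for n in names):
            hits.append(u)
    return hits


if __name__ == "__main__":
    unique = dedupe_urls(SAMPLE_URLS.splitlines())
    print("unique:", len(unique))
    print("js:", js_files(unique))
    for name in GF_PATTERNS:
        print(name, gf(unique, name))
```

Run it with the real gau output piped into `dedupe_urls`; the FUZZ placeholder is deliberate, since the deduplicated list is what goes straight into ffuf or Burp Intruder, and the gf hits are the URLs to test by hand first.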
Today, I will share with you my bug bounty methodology when I approach a target for the first time. This is the second write-up for Bug Bounty Methodology (TTP). There are still "easy wins" out there which can be found if you have a good strategy when it comes to reconnaissance. Rohan will share his recon methodology, and some stories, which led him to turn from pentester to full-time bug bounty hunter.

The Bug Hunter's Methodology (TBHM): welcome! The current sections are divided as follows: Before You Get Hacking; Environment; Learning; Jason Haddix 15 Minute Assessment; Recon Workflow. Bug Bounty Forum: a list of helpful resources that may help you to escalate vulnerabilities.

Bug Bounty Recon (bbrecon) is a Recon-as-a-Service for bug bounty hunters and security researchers. The API aims to provide a continuously up-to-date map of the Internet "safe harbor" attack surface, excluding out-of-scope targets.

You already know that information gathering is the most important aspect of hacking; the same applies to bug bounty. But for me, I do recon until I understand the application or find something interesting. If you haven't done it yet, then you're probably starting your bug bounty hunting journey on the wrong foot.

Bug Bounty Hunting Tip #1: always read the source code.

ffuf: fast web fuzzer written in Go (GitHub link).

GitHub recon: check their GitHub company profile, filter for languages and start searching. Within the results, check the Repositories, Code, Commits and Issues.

Methodology: mapping the application features; SQLi; XSS; polyglots. If the user input gets returned, I will try Cross-Site Scripting. If yes, is there any protection against IDOR vulnerabilities? Another example is when the application discloses the name and the version of the software being used.

If you have questions or suggestions, just drop me an e-mail.
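"Always read the source code" and "look for API endpoints in JavaScript files using the naming convention of the endpoints I have in Burp" combine into one concrete step, shown here as an added example written for this guide. It is not LinkFinder (whose regex is far more elaborate); the JavaScript bundle and the list of endpoints "seen in Burp" are constructed, and in practice the latter is the proxy site map exported to a file.

```python
"""Extract path-like string literals from a JavaScript bundle and report the
ones that follow a naming convention already seen in proxied traffic but were
never requested, i.e. the hidden API surface worth poking at by hand.

Added example for this guide, not LinkFinder. SAMPLE_JS and SEEN_IN_PROXY are
constructed for illustration.
"""
import re

SAMPLE_JS = r"""
(function(){
  var base = "/api/v2";
  function get(p){return fetch(base + p)}
  get("/users/me");
  get('/users/' + id + '/orders');
  fetch("/api/v2/admin/export?format=csv", {method: "POST"});
  axios.post("/api/internal/debug/flags");
  img.src = "https://cdn.example.com/assets/logo.png";
  var legacy = "/v1/accounts.json";
  var tpl = `/api/v2/users/${uid}/tokens`;
})();
"""

# Endpoints already exercised while mapping the app with Burp (constructed).
SEEN_IN_PROXY = ["/api/v2/users/me", "/api/v2/users/{param}/orders", "/api/v2/products"]

# Quoted literals that look like a URL or an absolute path. Template literals
# are included; their ${...} placeholders are normalized below.
ENDPOINT_RE = re.compile(r"""["'`]((?:https?://[^"'`\s]+|/[A-Za-z0-9_./?=&${}:-]+))["'`]""")
STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".svg", ".woff", ".ico")


def normalize(path):
    """`/users/${uid}/x` -> `/users/{param}/x`; drop the query string."""
    path = re.sub(r"\$\{[^}]*\}", "{param}", path)
    return path.split("?", 1)[0]


def extract_endpoints(js):
    """Relative endpoints found in the bundle, deduplicated, static assets dropped.

    Concatenated paths ('/users/' + id + '/orders') come out as fragments; that
    is a limitation of literal extraction and why the raw list still deserves
    a manual read.
    """
    out = []
    for m in ENDPOINT_RE.finditer(js):
        p = normalize(m.group(1))
        if p.startswith("http"):            # absolute URLs: scope check elsewhere
            continue
        if p.lower().endswith(STATIC_EXT):
            continue
        if p not in out:
            out.append(p)
    return out


def cross_reference(endpoints, seen_in_proxy, depth=2):
    """Endpoints whose first `depth` path segments match a convention observed
    in the proxy (e.g. /api/v2) but which were never requested.

    A strict depth misses siblings such as /api/internal/...; lower `depth`
    to widen the net at the cost of more noise.
    """
    def prefix(p):
        return "/".join(p.split("/")[: depth + 1])

    conventions = {prefix(s) for s in seen_in_proxy}
    seen = set(seen_in_proxy)
    return [e for e in endpoints
            if len(e.split("/")) > depth + 1 and prefix(e) in conventions and e not in seen]


if __name__ == "__main__":
    found = extract_endpoints(SAMPLE_JS)
    print("from js:", found)
    print("unseen, same convention:", cross_reference(found, SEEN_IN_PROXY))
    print("unseen, wider:", cross_reference(found, SEEN_IN_PROXY, depth=1))
```

On the sample the strict pass surfaces the admin export and the per-user tokens endpoint; only the wider pass catches `/api/internal/debug/flags`, which is the kind of thing the text means by "developers tend to share too much".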
Non-standard ports are ports greater than 1024. I will not go into detail on how you do a TCP or UDP port scan or how you conduct an automated vulnerability scan in this post. An interesting fact for us as security researchers is whether the discovered subdomains have web services running. Lastly, I run aquatone to screenshot the list of live web applications. Hopefully, I now have some web applications to choose from.

massdns: a high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration). GitHub link.

Censys: can be compared with Shodan; have a look at it: https://censys.io/.

HostHunter: a recon tool for discovering hostnames using OSINT techniques. GitHub link (includes installation instructions).

GetAllUrls (gau): we already covered gau above.

GitHub recon: bounty hunters like @NahamSec, @Th3g3nt3lman and @TomNomNom are showing this regularly and I can only recommend following them and using their tools. I can only recommend watching his video together with @NahamSec, where he shares some insights. Be creative when it comes to keywords and use their search!

The principle of this method is basically to visit your target site itself and see where it links out to.

Scope Based Recon for Mundane {Bug Bounty Hunters}: Scope Based Recon is a methodology to drive your recon process in a very streamlined manner. It has its limitations as well.

As such, I started writing BugBountyScanner, a tool for bug bounty reconnaissance and vulnerability scanning which is meant to be run from a VPS or home server in the background. Download it from here and start practicing right now!

If it's an e-commerce website, I create an order using a fake credit card. Does the application use a third party for that? If yes, what is it and which version is being used?

If you did, then I'd appreciate you liking and sharing it. If you're not subscribed yet, join us to get updates whenever I publish new content.
Program selection: for example, I would prefer wildcard domains over a single web application; if there isn't enough room to play with different assets, I simply reject the invitation. I would prefer higher-paying bug bounty programs, and ones that match the level of expertise I have. Another criterion a lot of people forget is how old the program is: on an old program there is a higher chance of getting duplicates. Early on, I had to work on public programs which were tough to crack.

Custom wordlists: you can use CeWL for that. CeWL is a Custom Word List Generator (GitHub link).

Architecture: does it use a back-end framework? Having a clear idea of the architecture and the defense mechanisms helps me make a better plan of attack. The first thing is to learn the flow in detail and tinker with every user input. Have a plan and document everything you find; you will probably need it later. Keep track of the site hierarchy, tool output, interesting notes, etc. Think outside the box or try a different approach.

Subdomain pipeline: I start my subdomain enumeration with Tomnomnom's assetfinder tool. Altdns then generates permutations, alterations and mutations of the known subdomains. Many tools do DNS permutations, but not all of them check whether the outcome actually resolves to an IP address; the easiest and fastest way to resolve thousands of (sub)domains is massdns. After that I filter the results, sort them and remove duplicates, use Tomnomnom's httprobe to keep only hosts serving web applications, and perform automated screenshotting of all of them to quickly spot any visual deviation from the herd. Review the services and ports found by recon. Example commands can be found on the Recon page.

GitHub is a great resource to find secrets; look for secrets in responses as well. I also want to implement some automation to detect when developers add new endpoints to the target.

Thanks to Jason Haddix for his talk on the Bug Bounter Hunter Methodology. bbrecon is part of the Disclose.io safe harbor project. Bug Bounty Forum: join the group.

This is just the way I do it, and I tried to cover most of my default procedure here in this post.