独家优惠奖金 100% 高达 1 BTC + 180 免费旋转

Bug Bounty For Beginners

In this version of the Bug Bounty methodology and techniques I use during the recon and fingerprinting phase of an engagement. As you probably know there are 3 main phases of a bug bounty engagement: reconnaissance, fingerprinting, and exploitation.

Reconnaissance → fingerprinting → exploitation

The exploitation phase of a hunt is where all the true hacking occurs. Everything up until this stage is just prep work and now it’s time to get busy.

Each target you go after will most l likely be utilizing different technology stacks so it’s important that you know the vulnerabilities and miconfiguration impacting an array of technologies. For example having knowledge of Github is important when mining for hardcoded passwords and other sensitive information. If you don’t know what Github is how are you supposed to know the possible security failures companies can impose when using it? You need to have deep knowledge on a wide range of technologies. In addition to this you also need deep knowledge of web application vulnerabilities. The vast majority of a company’s public facing assets are going to be web apps so it’s vital that you know at the very l east the OWASP top 10. The more vulnerability you know how to exploit the better chances you have of finding one.

Note I won’t be teaching you how to use tools, for the most part everything we do will be done manually so you can get a deep understanding of the process. Once you know how things work at a deep level you will want to replace some of your manual process with tools and automation.

One of the first things you l earn i n hacker school i s how to identify and exploit known vulnerabilities. This may seem like a relatively simple step but you would be surprised at the number of people who completely skip this phase of the exploitation cycle.

Target → Discover endpoints technology & version numbers → find proof of concept(AKA exploit Code) → Exploit

As shown above we start off by visiting the target application, next we attempt to determine what software it is running. Once we find out what software and version the endpoint is running we search on Google and other resources to see if it has vulnerabilities or CVEs. After that we proceed to search for the exploit code and finally we run the exploit code against the target.

Another version of this technique focuses on 1-days. In this cycle we start off by looking at our threat feeds such as exploited and twitter. Here we are looking for new exploits and CVEs that have just dropped; these are known as 1-days. When going down this path time i s the most important aspect, when a new exploit is dropped in the wild you need to start exploiting your targets before they have a chance to patch. Once you hear about a new exploit you will need to quickly find a POC for it and start mass scanning all of your targets for that vulnerability.

As you can see both of these methodologies are very similar. With the first one we find a target and see if it has any known vulnerabilities and if it does we try to exploit them. In the second methodology we are looking for newly released exploits. When a new exploit i s dropped we immediately start scanning and exploiting everything before the defenders have a chance to patch.

When attempting to exploit a target with a known vulnerability you could just launch your exploit at every target and hope for the best or you can do things a little smarter. Identifying the target technology stack will help you find the exploits impacting that stack. Not knowing this information will l eave you blind and you will have to take random guesses at which exploits might work.

Wappalyzer

If you’re attempting to discover the technologies running on a website the best place to start is wappalyzer. An alternative to wappalyzer is “https://builtwith.com/” but I personally like wappalyzerbetter.

I personally like to use the wappalyzer browser plugin as it makes it easy to determine an endpoints tech stack when browsing their website. As you can see in the image above this website is running “Ruby on Target Discover endpoints technology & version numbers find proof of concept AKA exploit Code ExploitRails”, “Jquery 3.5.0”, “and Backbone.js 1.4.0”, and a few other things. Note that if you use a command line tool you can scan multiple websites at once; this is nice if you’re trying to scan hundreds or thousands of sites at once.

You know what software your target is running but how do you determine what vulnerabilities it has? The whole point of l earning a target technology stack is so you can use this information to find associated vulnerabilities.

When I’m looking to see what vulnerabilities a technology has the first place I go is Google. Actually, Google i s the first place I go when I have a question about anything as it’s the best resource out there.

Try typing the following search queries into Google:

● <TECHNOLOGY> <VERSION> vulnerabilities

● <TECHNOLOGY> <VERSION> exploits

There is all kinds of stuff here! I see SQL injection exploits, LFI exploits, and much more. I recommend you click on the first couple l inks to see what interesting vulnerabilities there are.

Another place I like to search is ExploitDB. ExploitDB is a tool used to search and download exploit code. This is by far one of my favorite resources to use when searching for vulnerabilities related to a technology stack.

You can use the website to search for things but I typically use the command line tool called searchsploit. You can download this tool from Github as shown below:

https://github.com/offensive-security/exploitdb./searchsploit “name of technology” Normally once we find out the vulnerabilities a target is vulnerable to we have to search for the exploit code but we can skip this step since ExploitDB provides us with the proof of concept (POC) code as well.

According to Google, the Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. If you’re looking to find what CVEs a technology stack has, there i s no better place to search than NIST.

Searching for “Gila CMS” gives us 17 CVEs, the newer the CVE the better as there i s a better chance the target hasn’t patched their systems yet. Note that just because you find a CVE doesn’t mean you can exploit it. To exploit a CVE you need the proof of concept (POC) exploit code, without that you’re stuck.

You have identified that the target application contains vulnerabilities but to exploit them you need the proof of concept (POC) exploit code. If you don’t have the exploit code you’re only other option is to make it yourself. However, this is beyond the scope of this book.

One of the best places to find exploit code i s Github. Github i s an American multinational corporation that provides hosting for software development and version control using Git. It offers the distributed version control and source code management functionality of Git, plus its own features. Developers love Github and hackers do as well. You can easily search for a CVE on Github as shown in the above image. If there is a POC you will most likely find it on here. However, BE AWARE OF FAKE POCs as these exploits are not vetted and come from untrusted third parties.

I already mentioned ExploitDB earlier so I’m not going to talk about it again but this is a great resource for finding POCs.

https://www.exploit-db.com/

Once you have a working POC you are ready to test it against your target. I always recommend setting up a vulnerable machine to test the exploit against first so you know what to expect from a real target. Once you’re ready just run the exploit on your target and review the results to see if they are vulnerable or not.

Conclusion

Exploiting known vulnerabilities is one of the oldest tricks in the book. That being said it’s still one of the best methodologies to use for quick easy wins. There are really only three steps when using this approach. First determine your targets tech stack, search for any vulnerabilities in that tech stack, and finally run the exploits.

Content management systems (CMS) such as wordpress, drupal, and joomla make up the vast majority of the internet. According to a survey performed by W3Techs 62% of the internet is run on a CMS and 39.1% percent of the internet i s run on wordpress. As an attacker this means the vast majority of the sites you are going to be going up against will be run by a CMS.

As of right now over a quarter (25%) of the internet is built using WordPress. This is useful to know because that means a single exploit has the potential to impact a large portion of your target’s assets. There are in fact hundreds of exploits and mis-configurations impacting WordPress and its associated plug-in. One common tool to scan for these vulnerabilities is wpscan:

https://github.com/wpscanteam/wpscan

The only thing that’s annoying about this tool i s that it’s written i n ruby, I prefer tools written in python or Golang. During the fingerprinting phase you should’ve discovered the technologies running on your target’s assets so i t should be easy to search for sites running WordPress. Once you find a site scan i t with wpscan as shown below:

wpscan — URL <URL>

The vast majority of the sites you scan are going to be patched. This is because most of these WordPress sites are managed by third party vendors who perform automatic updates. However, you will run into vulnerable plugins quite frequently but many of these exploits require credentials to exploit. Another thing I find all the time i s directly listing on the uploads folder. Always make sure to check:

“/wp- content/uploads/”

You can often find sensitive information such as user emails, passwords, paid digital products, and much more.

Drupal is the third most popular CMS yet I seem to run into Drupal sites more than Joomla. If you find a Drupal site you want to use droopescan to scan it. This scanner also has the ability to scan additional CMSs as well:

https://github.com/droope/droopescan

python3 droopescan scan Drupal -u <URL Here> -t 32

WordPress is by far the most popular CMS with over 60% of the market share. Joomla comes in second so you can expect to run into this CMS as well. Unlike WordPress sites that seem to be fairly locked down Joomla is a mess. If you want to scan for vulnerabilities the most popular tool is Joomscan: perl j oomscan.pl -u <URL Here>

If you ever run into the Adobe AEM CMS you’re about to find a whole bunch of vulnerabilities. 99% of the time this is an instant win! This CMS is riddled with public vulnerabilities and I’m 100% positive there are hundreds more zero days. Seriously this is one of the worst CMSs I have ever seen. If you want to scan an AEM application for vulnerabilities use the tool aem-hacker:

https://github.com/0ang3el/aem-hacker

Note that in order to test for the SSRF vulnerabilities you need to have a public IP that the target server can connect back to.

There are hundreds of different CMSs so it wouldn’t be practical for me to mention every single one of them. The vast majority of sites are going to be running WordPress, Joomla, and Drupal but you still might run into other CMSs. If you come across a CMS you haven’t seen before the first step is to go to exploit db and see if it has any known CVEs:

https://www.exploit-db.com/

For instance, if I discover a CMS named “Magento” I would perform the following search on exploit-db:

In addition to finding single exploits you want to search GitHub to see if there is a tool that can scan for all the possible vulnerabilities and misconfigurations. Like the tools for wordpress, drupal, joomla, and adobe aem there are scanners that target other platforms. As it turns out there is a Magento vulnerability scanner called magescan so we can just use that:

https://github.com/steverobbins/magescan

Make sure to use this process whenever you come across a CMS framework you don’t recognize.

GitHub is a web-based version-control and collaboration platform for software developers and as of right now it’s one of the easiest ways to compromise an organization. This is one of my go to techniques when I want an easy high impact finding.

Finding Sensitive Information

Pilliging github for sensitive information disclosures is one of the easiest ways to compromise an organization. It doesn’t matter how hardened your external perimeter is if your developers are hard coding credentials and posting them online you’re going to get compromised. It’s fairly common for developers to hard code test accounts, API keys, or whatever when they are writing a piece of software.

This makes things easy for the developer as they won’t have to enter their credentials every time they go to run/test their program. However, more times than not these credentials remain in the source code when they push it to Github, if this repository is public everyone can view it. The first thing you need is a list of sensitive words to search on. This can be a file name, file extension, variable name, or anything else. A good list can be found below thanks to “@obheda12”:

Once you have a list of sensitive things to search for your ready to hunt! I normally just type i n the domain of the target followed by the Github Dork as shown below:

Domain.com “password”

As you can see above, searching for the domain “hackerone.com” and the term “password” gave us 7,390 results. In a typical scenario I would end up going through 90% of these results by hand for a few hours before I find something juicy. Having to spend hours sorting through a bunch of trash i s really the only downside to this technique. However, when you do find something it typically leads to an install high or Critical finding.

Another extremely popular vulnerability is subdomain takeover. Though this vulnerability has died down significantly it is still very common in the wild. If you are unfamiliar with this type of vulnerability according to Google “Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization’s subdomain via cloud services like AWS or Azure”.

A subdomain takeover occurs when a subdomain i s pointing to another domain (CNAME) that no longer exists. If an attacker were to register the non existing domain then the target subdomain would now point to your domain effectively giving you full control over the target’s subdomain. What makes this vulnerability so interesting is that you can be safe one minute and a single DNS change can make you vulnerable the next minute.

The vulnerability here is that the target subdomain points to a domain that does not exist. An attacker can then register the non existing domain. Now the target subdomain will point to a domain the attacker controls. If you’re planning on hunting for this vulnerability you are definitely going to be referencing the following github page as it contains a bunch of examples and walkthroughs on exploiting different providers:

https://github.com/EdOverflow/can-i-take-over-xyz

As you can see above this page contains a large list of engines that can be exploited by this vulnerability.

If you click on the issue number it will give you a walk through exploiting that particular engine. Because every provider has its own way of registering domains you will need to l earn the process of registering a domain on the engine that impacts your target.

One of the easiest ways to spot a subdomain takeover vulnerability is by the error message it throws. As you can see above when we visit our target site it throws a 404 status code and gives us the error message “There isn’t a Github Pages Site here”. If we go to the subdomain takeover wiki we can confirm that this error message indicates the possibility of subdomain takeover.Now that we have an indicator this site is vulnerable we need to get the github page the vulnerable subdomain is pointing to. We need this information so we can register the domain through github. As shown above a “dig” command can be used to gather the DNS records of the vulnerable domain. We can also see that the domain points to the github page “ghostlulzvulntakeover.github.io”, if we can register this domain we win. To figure out the process of registering a domain on Github you can Google it or you can follow the tutorial in the subdomain takeover github page

Now that we know the steps to register a domain on Github we just need to do it. First I created a Github repo with the same name as the CNAME record. After that create an “index.html” file in the repo as shown. The next step is to set the repo as the main branch. Finally specify the target domain you are going after. That’s it! Now when you visit the target domain you should see the page you set up.

We WIN! As you can see above we successfully exploited the subdomain takeover vulnerable and got our page to appear on the targets subdomain. Note that this is the process for Github, if your target is vulnerable to something else you will have to follow the steps for that provider. Lucky for us all this is documented on the subdomain takeover github wiki.

A database is an organized collection of data, generally stored and accessed electronically from a computer system. If you’re attacking a web application a lot of the time one of the main goals is to compromise the back end database as it’s where all the sensitive user data is stored.

Compromising these databases normally involves exploiting sql injection vulnerability but sometimes it can be much easier. These databases are often exposed to the internet without authentication leaving them opens to hackers for pillaging as discussed i n the following sections.

According to Google “The Firebase Real-time Database is a cloud-hosted database stored as JSON and synchronized in real-time to every connected client”. An issue can arise in firebase when developers fail to enable authentication. This vulnerability is very similar to every other database misconfiguration, there’s no authentication. Leaving a database exposed to the world unauthenticated is an open invite for malicious hackers.

When I’m hunting for this I’ll try to keep an eye out for the “*.firebaseio.com” url, if you see this then you know your target is utilizing Google’s firebase DB. An example domain can be found below:

Vuln-domain.firebaseio.com

If the developer forgot to enable authentication the database will be exposed to the word. You can easily view the database by appending a “/.json” to the url as shown below:

vuln-domain.firebaseio.com/.json

As you can see above we were able to dump a bunch of passwords belonging to an organization. An attacker could then leverage these credentials to perform additional attacks on the application.

You have probably heard of the popular relational database called MySQL. Elastic search like MySQL is a database used to hold and query information. However, elastic search is typically used to perform full text searches on very large datasets. Another thing to note is that Elastic Search is unauthenticated by default which can cause a lot of security problems as described in the following sections.

According to Google “ElasticSearch i s a document- oriented database designed to store, retrieve, and manage document-oriented or semi-structured data. When you use ElasticSearch, you store data in JSON document form. Then, you query them for retrieval.” Unlike MySQL which stores its information i n tables, elastic search uses something called types. Each type can have several rows which are called documents. Documents are basically a j son blob that holds your data as shown in the example below:

{“id”:1, “name”:”ghostlulz”, “password”:”SuperSecureP@ssword”}

In MySQL we use column names but i n ElasticSearch we use field names. The field names in the above json blob would be id, name, and password. In MySQL we would store all of our tables in a database. In Elastic Search we store our documents i n something called an index. An index is basically a collection of documents.

Elastic search has an http server running on port 9200 that can be used to query the database. The major issue here is that a lot of people expose this port to the public internet without any kind of authentication.

Brute forcing is a classic attack that has been around forever and shows no signs of being eliminated. Passwords are a weak point of security and as an attacker you should take full advantage of this. Easily guessable passwords, using default passwords, and password reuse are easy ways for an organization to get compromised. The rule of thumb is if there is a login screen i t should be brute forced.

There are three things you need to have if you want to launch a brute force attack. The three things you need are an endpoint with a login page, a username, and a password. First you need to find the endpoint you want to target.

Now that you know which endpoints to look out for you need to get a list of usernames and passwords? This technique may be basic but you would be surprised at the number of times i v compromised an organization because they are using default credentials.

As shown above one of the best places to find default passwords i s SecList: https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials

The above picture is an example file containing default usernames and passwords to hundreds of routers.

All you have to do is look up the target vendor and try all the default passwords it uses, this technique works very well as people often forget to change the default credentials. If you are targeting an SSH server or something other than a router the process will be slightly different.

Not really, those services also come with default credentials. Depending on the service you are brute forcing you will want to find or create a list of credentials tailored toward that. You may also find that sec list does not have any default passwords impacting the target technology. If that’s the case just perform a Google search or two, I normally find these things i n the first few l inks.

Once you have a good set of credentials you can start the actual process of brute forcing. You could do this by hand but I would 100% recommend using a tool for this job unless you are only testing 5 passwords or something small like that.

If you’re performing a brute force attack you probably want to use the tool “hydra”. This tool supports a bunch of different protocols and has never let me down. Once you have the target endpoint and credentials you can use any tool to perform the brute force attack just pick one you like.

If there is one tool that you N EED to have to be a successful Bug Bounty Hunter it would be Burp Suite.

You can find plenty of bugs without ever leaving Burp, it is by far my most used and favorite tool to use, almost every web attack I pull off is in Burp. If you don’t know what Burp is it’s a tool for performing security tests against web applications. The tool acts as a proxy and allows you to inspect, modify, and replay, etc to web requests. Almost every exploit you’re going to pull off will be done with Burp.

Note that there is a free version (community) but I HIGHLY recommends purchasing a professional license. This is a must have tool.

The proxy tab is probably the most important tab in Burp. This is where you can see all of your traffic that passes by the Burp proxy. The first things you want to do when Burp loads are making sure your proxy is up and running

The next step is to force your browser to route its traffic through the Burp proxy, this can be accomplished by changing your browsers proxy setting and shown below, note this will be different depending on which browser you use. Once you have the Burp proxy listening, the browser configured to use Burp, and you imported the Burp certificate in your browser you will be good to go. Once you navigate to a web page you should see the request show up in Burp as shown below:

As you can see i n the above image the “intercept” tab is toggled on, this means that Burp will intercept each HTTP request and you will have to manually press the “forward” button for the request to continue to the server. While on this tab you can also modify the requests before forwarding it to the back-end server. However, I only use this tab when i ‘m trying to isolate requests from a specific feature, I normally turn “intercept” to off and I view the traffic in the “HTTP History” tab and shown.

As you can see the “HTTP History” tab shows each HTTP request and response that was made by and sent to our browser. This is where I spend 80% of my time looking for something that peaks my interest. When looking at the traffic I’m mostly paying attention to the method, URL, and MIME type fields. Why? Because when I see a POST method being used I think of Stored XSS, Cross site request forgery, and many more vulnerabilities. When I see a URL with an email, username, or id in it I think IDOR.

When I see a JSON MIME type I think back-end API. Most of this knowledge of knowing what to look for comes with experience, as you test so many apps you start to see things that look similar and you start to notice things that look interesting. Clicking on an HTTP request will show you the clients request and the server’s response; this can be seen in the above image. Note that while in this view these values can’t be modified, you will have to send the request to the repeater if you want to modify the request and replay it, this will be discussed in more detail later.

One functionality that I use to find a lot of vulnerabilities and make my life easier is the search feature. Basically you can search for a word(s) across all of your Burp traffic. This is extremely powerful and has directly led me to finding vulnerabilities. For example I may search for the word “url=” this should show me all requests which have the parameter URL in it, I can then test for Server Side Request Forgery (SSRF) or open redirect vulnerabilities. I might also search for the header “Access-Control-Allow-Origin” or the “callback=” GET parameter when testing for Same Origin Policy (SOP) bypasses. These are just some examples, your query will change depending on what you’re looking for but you can find all kinds of interesting leads. Also don’t worry if you don’t know what SSRF or SOP bypass means these attacks will be discussed in the upcoming chapters.

Burps proxy tab is where you will spend most of your time so make sure you are familiar with it. Any traffic that is sent by your browser will be shown i n the HTTP history tab just make sure you have intercept turned off so that you don’t have to manually forward each request.

I generally don’t find myself in the target section of burp suite but I think it’s still important to know what it is. The “Site Map” sub tab organizes each request seen by the proxy and builds a site map as shown.As you can see in the above image a site map i s built which easily allows us to view requests from a specific target. This becomes fairly useful when hitting an undocumented API endpoint as this view allows you to build a picture of the possible endpoints. You can also view the HTTP requests in this tab, clicking on a folder in the sitemap will only show requests from that path. In addition to the “Site Map” tab there is a “Scope” tab. I almost never use this but if you want to define the scope of your target this will limit burps scans to only the domains in scope.

If you’re doing any fuzzing or brute forcing with Burp you’re probably doing it in the “intruder” tab. When you find an interesting request right click it then click “Send to Intruder”, this will send your requests to the intruder tab as shown.

Go to the intruder tab and you should see something like this. Now click the “Clear” button to reset everything. Now from here your steps vary depending on what you’re trying to do, but suppose we are trying to do some parameter fuzzing. One of the first things we need to do is select the value we are trying to modify. This can be done by highlighting the value and pressing the “Add” button as shown. As you can see above we are selecting the “cb” parameter value. Since we are attempting to do parameter fuzzing this is the value that will be replaced with our fuzzing payloads.

You may have also noticed the “Attack type” drop down menu is set to “Sniper”, there are four different attack types which are described in the table below:

Once you have selected your attack type and the value to be modified click on the “Payloads” sub tab. Here we want to select our payload type and the payload list. There are numerous payload types but I’m going to keep it on the default one, feel free to play around with the others. As for my payload list we want a list of fuzzing values. For this example I’m just going to use the default lists that come with Burp but there are some other good lists on SecLists:

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing

Now to use Burps pre defined list just click the “Add from list” drop down menu and select one: Now that you have your fuzzing list imported all that you have to do is press “Start attack”. As shown above after hitting the “Start attack” button a popup will appear and you will see your payloads being launched. The next step is to inspect the HTTP responses to determine if there is anything suspicious.

Intruder is great for brute forcing, fuzzing, and other things of that nature. However, most professionals don’t use intruder, they use a plugin called “Turbo Intruder”. If you don’t know what “Turber Intruder” is, its intruder on steroids, it hits a whole lot harder and a whole lot faster. This plugin will be discussed more i n the plugins section.

In my opinion this is one of the most useful tabs in Burp. If you want to modify and replay and request you do it in the repeater tab. Similar to Intruder if you right click a request and click “Send to Repeater” it will go to the repeater tab.

Once the request is sent to the Repeater tab you will see something like. One this tab you can modify the request to test for vulnerabilities and security misconfigurations. Once the request is modified you can hit the Send button to send the request. The HTTP response will be shown in the Response window. You might have noticed that at the top there are a bunch of different tabs with numbers on them. By default every request you send to the repeater will be assigned a number. Whenever I find something interesting I change this value so I can easily find it later, that’s why one of the tabs is labeled SSRF, it’s a quick easy way to keep a record of things.

Add a comment

What is your view?

Send

Related posts:

Why do cab businesses need to invest in taxi app?

Finding a taxi has become an easy task, because of taxi app development. Clients are conducting mobile apps to locate the nearest cab and book with just a call. Apart from the best booking…

Learning python

I just started learning python. I am writing this blog to keep up my motivation levels and also to share my experience with other python noobies. I am using jupyter notebook as an editor. It has been…