Techniques for Bug Bounty Hunting

By MentorJi on 17 Sep 2024 | 10:14 pm
Staff
VIP Mentor
Posts: 115
Likes: 6
Member since: 20 Feb 2024

Basic Techniques for Bug Bounty Hunting


1. Cross-Site Scripting (XSS)

XSS happens when a website lets you input data that it then shows to other users without checking if it's safe. For example, if you can insert code (like JavaScript) into a search box or a comment section, and it runs when someone else views the page, that’s an XSS vulnerability.


How to test for XSS:

  • Try entering something simple like <script>alert('XSS');</script> into input fields (search boxes, comment sections, etc.).
  • If a popup showing "XSS" appears, or the page renders your input as HTML instead of showing it as plain text, the site is vulnerable to XSS.

How to find it:

  • Test any place where you can input data (e.g., forms, comments, search bars).
  • Look for reflected inputs (where the website shows what you entered).
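The following is an added example, not code from the post: it shows a reflected search box the way a vulnerable page builds it, next to the fixed version, using only Python's standard library. The payload from the post is used as constructed sample input, and the function names (render_unsafe, render_safe, contains_script_tag) are my own. html.escape is the right fix for text placed in the HTML body or in a quoted attribute; text placed inside a script block or a URL needs a different encoding.

```python
import html

# Constructed sample inputs: a harmless search term and the payload from the post.
SAMPLE_INPUTS = {
    "benign": "shoes",
    "payload": "<script>alert('XSS');</script>",
}


def render_unsafe(query: str) -> str:
    """Vulnerable: the user's text is pasted straight into the HTML, so tags execute."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Hardened: HTML-escape the text first; < > & ' " become entities and render as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude reflection check a tester or a unit test can use: did a real tag survive?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(f"{name:8s} unsafe reflects tag: {contains_script_tag(render_unsafe(value))}"
              f"  safe reflects tag: {contains_script_tag(render_safe(value))}")
```

Run it and the payload row shows True for the unsafe renderer and False for the escaped one; that difference is exactly what the popup test above detects from the outside.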

2. SQL Injection (SQLi)

SQLi happens when a website builds database queries by pasting user input straight into the SQL text. An attacker can then insert their own SQL commands to read sensitive information like usernames and passwords, or even take control of the database.


How to test for SQL Injection:

  • Try putting in a single quote ' in form fields (login, registration, search).
  • If you get a database error (for example an SQL syntax error) or an unexpected response, the site might be vulnerable.
  • You can also try inputs like admin' OR '1'='1 to see if you can bypass login pages.

How to find it:

  • Check login forms, search boxes, or any place where data is submitted to the database.
  • Use a tool like SQLmap to automate finding and exploiting SQLi vulnerabilities.
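Added example (not from the post): a login check written the vulnerable way and the fixed way against a constructed in-memory SQLite table, so you can see why the admin' OR '1'='1 input from the list above works on one and not the other. Names (make_db, login_unsafe, login_safe) and the sample account are mine; the table stores a plaintext password only to keep the query readable, a real application stores a password hash.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the user's text becomes part of the SQL statement itself.

    With username  admin' OR '1'='1  the WHERE clause turns into
    username = 'admin' OR '1'='1' AND password = '...'  which is true for admin
    no matter what password was supplied.
    """
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: placeholders keep the input as data; the quote can't end the string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = "admin' OR '1'='1"
    print("unsafe:", login_unsafe(db, probe, "wrong"))   # ('admin',)  -> bypassed
    print("safe:  ", login_safe(db, probe, "wrong"))     # None       -> rejected
```

The fix is the same in every language and driver: never concatenate, always bind parameters. When you write the "Suggested Fix" section of a report, pointing at the second function is usually all the developer needs.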

3. Broken Authentication

This occurs when an attacker can log in without needing valid credentials or can take over other users’ accounts.


How to test for broken authentication:

  • Try to reset someone else’s password using just an email address.
  • See if you can manipulate the login session (using session cookies or tokens).
  • Use brute force (many password guesses) to see if you can guess someone’s password.

How to find it:

  • Look at the login, registration, and password reset forms.
  • See if account creation allows weak passwords.
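Added example, not part of the post: a password reset flow that resists the first test in the list above (resetting someone else's password from just their email address). The token is random, tied to one account, expires, and is consumed on first use. The class name, the in-memory dictionaries and the plaintext password store are my own simplifications; a real system mails the token instead of returning it and stores password hashes.

```python
import hmac
import secrets
import time


class PasswordResetService:
    """Reset flow with a random, account-bound, expiring, single-use token."""

    def __init__(self, users: dict, ttl_seconds: int = 900):
        self.users = users        # email -> password (constructed sample; real apps store hashes)
        self.ttl = ttl_seconds
        self._pending = {}        # token -> (email it was issued for, expiry timestamp)

    def request_reset(self, email: str, now=None):
        """Step 1: issue a token. Only the owner of the mailbox should ever see it."""
        now = time.time() if now is None else now
        if email not in self.users:
            return None           # unknown address: no token, and the UI shows the same message
        token = secrets.token_urlsafe(32)          # 256 random bits; not guessable
        self._pending[token] = (email, now + self.ttl)
        return token              # in production this is e-mailed, never shown to the requester

    def complete_reset(self, email: str, token: str, new_password: str, now=None) -> str:
        """Step 2: accept the new password only if the presented token passes every check."""
        now = time.time() if now is None else now
        record = self._pending.pop(token, None)    # single use: consumed on first presentation
        if record is None:
            return "invalid"
        bound_email, expires_at = record
        if not hmac.compare_digest(bound_email.encode(), email.encode()):
            return "invalid"      # token was issued for a different account
        if now > expires_at:
            return "expired"
        self.users[email] = new_password           # stand-in for storing a new hash
        return "ok"


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.com": "old-password"})
    token = svc.request_reset("alice@example.com")
    print(svc.complete_reset("bob@example.com", token, "hijack"))      # invalid
    print(svc.complete_reset("alice@example.com", token, "hijack"))    # invalid (already consumed)
```

A reset endpoint that accepts the email alone, or a token that is short, predictable, reusable or never expires, fails one of these checks; that is what the "reset someone else's password" test is probing for.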

4. Insecure Direct Object References (IDOR)

IDOR happens when a website gives you direct access to an object or piece of information that you shouldn’t be able to see. For example, changing an ID in a URL may let you see another user’s data.


How to test for IDOR:

  • Look at the URLs after you log in. If the URL has something like ?id=123 or ?user=456, try changing those numbers to something else, like ?id=124 or ?user=789. If you see someone else’s data, the site is vulnerable to IDOR.

How to find it:

  • Check for unique IDs in URLs, forms, or API requests and try modifying them.
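Added example (my code, not the post's): the ?id=123 lookup from the test above, handled first without an ownership check and then with one, over a constructed set of invoices belonging to two users. The Invoice type, the sample data and the function names are assumptions made for the example.

```python
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float


# Constructed sample data: user 1 owns invoices 123 and 125, user 2 owns 124.
INVOICES = {
    123: Invoice(123, owner_id=1, amount=40.0),
    124: Invoice(124, owner_id=2, amount=99.5),
    125: Invoice(125, owner_id=1, amount=12.0),
}


def get_invoice_unsafe(invoice_id: int, current_user_id: int):
    """Vulnerable: returns whatever id the URL names; never asks who is asking."""
    return INVOICES.get(invoice_id)


def get_invoice_safe(invoice_id: int, current_user_id: int):
    """Hardened: the record must belong to the caller, otherwise behave as 'not found'."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        return None   # same answer for 'missing' and 'not yours', so ids can't be enumerated
    return inv


def handle_request(query_string: str, current_user_id: int, lookup=get_invoice_safe):
    """Parse '?id=NNN' and return (status code, invoice or None)."""
    params = dict(urllib.parse.parse_qsl(query_string.lstrip("?")))
    try:
        invoice_id = int(params.get("id", ""))
    except ValueError:
        return 400, None
    inv = lookup(invoice_id, current_user_id)
    return (200, inv) if inv is not None else (404, None)


if __name__ == "__main__":
    # user 1 asks for user 2's invoice, first on the vulnerable handler, then on the fixed one
    print(handle_request("?id=124", 1, lookup=get_invoice_unsafe))  # (200, Invoice(124, ...))
    print(handle_request("?id=124", 1))                             # (404, None)
```

The check has to happen on every object access, not just on the list page: a site that hides other users' links in its UI but still serves them when the id is typed in is exactly the IDOR case described above.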

5. Security Misconfigurations

These happen when a site is not set up properly, for example when sensitive files are accidentally made public or default configurations are left unchanged.


How to test for security misconfigurations:

  • Try accessing common sensitive files like /admin/config.php or /backup.zip by typing these paths after the domain.
  • Look for error messages that reveal server details, like the type of software or server being used (e.g., Apache, Nginx).

How to find it:

  • Look for exposed files or error pages with sensitive information.
  • Use tools like Nmap or Dirbuster to scan for hidden files and directories.
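Added example, not from the post: two small checks that cover the two misconfigurations listed above. resolve_static decides whether a requested path may be served from a static directory using an extension allowlist, so the /admin/config.php and /backup.zip cases are refused; audit_headers flags response headers that leak the server software and version. The web root path, the allowlist and the sample headers are constructed for the example.

```python
import posixpath
import re

WEB_ROOT = "/var/www/site/public"          # assumed layout for the example
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg", ".svg", ".ico"}


def resolve_static(request_path: str):
    """Return the filesystem path to serve, or None if the request must be refused.

    An allowlist of extensions is what protects here: backups (.zip, .bak), source
    (.php), dumps (.sql) and anything else never match. Dot-segments cover '..',
    '.env', '.git' and similar hidden files.
    """
    parts = [p for p in request_path.split("/") if p]
    if not parts or any(p.startswith(".") for p in parts):
        return None
    ext = posixpath.splitext(parts[-1])[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return posixpath.join(WEB_ROOT, *parts)


def audit_headers(headers: dict) -> list:
    """Flag headers that disclose the stack; returns a list of human-readable findings."""
    findings = []
    server = headers.get("Server", "")
    if re.search(r"\d", server):                 # 'Apache/2.4.57' leaks a version, 'nginx' does not
        findings.append(f"Server header discloses version: {server!r}")
    if "X-Powered-By" in headers:
        findings.append(f"X-Powered-By discloses stack: {headers['X-Powered-By']!r}")
    return findings


if __name__ == "__main__":
    for path in ["index.html", "/admin/config.php", "/backup.zip", "/../../etc/passwd", "/.env"]:
        print(f"{path:22s} -> {resolve_static(path)}")
    # Constructed sample response headers, as a scanner might record them.
    print(audit_headers({"Server": "Apache/2.4.57 (Ubuntu)", "X-Powered-By": "PHP/8.1"}))
```

Serving static files through an allowlist rather than blocking known-bad names is the safer default, because the next backup will be called something the blocklist did not anticipate.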



Tools for Bug Bounty Hunting


  • Burp Suite: A tool to intercept and modify web traffic. You can use it to test for vulnerabilities by manipulating data sent between your browser and the server.

  • OWASP ZAP: Similar to Burp Suite, but open-source. It helps find security vulnerabilities in web apps automatically.

  • SQLmap: An automated tool to test for SQL injection and exploit it.

  • Dirbuster: Used for finding hidden directories on a website.


Steps to Start Testing

  1. Start Small: Begin with small, simple tests like trying XSS in search fields or checking if the site handles inputs correctly.

  2. Gather Information: Explore the website thoroughly. Try every form, button, and link to see how the site behaves.

  3. Test Using Different Inputs: Once you find a form or a field, try different kinds of input, such as:

    • Numbers
    • Special characters ('"<>)
    • SQL queries (' OR 1=1 --)

  4. Automate with Tools: Tools like Burp Suite and SQLmap can help you automate these tests, making it easier to find vulnerabilities faster.



Creating a Report

Once you find a vulnerability, HackerOne will ask you to submit a report. The report should be detailed, including:


  1. Summary: Explain what the vulnerability is in simple terms.

  2. Steps to Reproduce: Show exactly how you found the bug so they can confirm it.

  3. Impact: Describe what an attacker could do with the vulnerability (e.g., steal data, take over accounts).

  4. Suggested Fix: Recommend how the developers can fix it (e.g., sanitize input, use secure authentication).