Bug-Bounty Getting started & some tips
2021-09-16 13:59:42 Author: infosecwriteups.com

Yasser Mohammed (@boomneroli)

Well hello everyone, it’s Yasser again (AKA Neroli).

I know a lot of people have asked me on LinkedIn for help, and I am really busy, so I tried to answer all of your questions here.

Before you try to hack into something, you need to know how it works, so you need to understand some web development languages.

PHP:
by “the net ninja”: https://www.youtube.com/watch?v=pWG7ajC_OVo&list=PL4cUxeGkcC9gksOX3Kd9KPo-O68ncT05o

by “ProgrammingKnowledge”: https://www.youtube.com/watch?v=yMclPkD4sQg&list=PLS1QulWo1RIZc4GM_E04HCPEd_xpcaQgg

Recommended: https://letmegooglethat.com/?q=learning+php+online+for+free+youtube

JavaScript:

by “Dev Ed”: https://www.youtube.com/watch?v=2nZiB1JItbY&list=PLDyQo7g0_nsX8_gZAB8KD1lL4j4halQBJ

by “the net ninja”: https://www.youtube.com/watch?v=qoSksQ4s_hg&list=PL4cUxeGkcC9i9Ae2D9Ee1RvylH38dKuET

Recommended: https://letmegooglethat.com/?q=learning+javaScript+online+for+free+youtube

Now the question I get asked again and again: do I have to be a professional web developer?

Answer: No. As my friend “Ibrahim Hegazy” (who is very helpful and talented, btw: https://twitter.com/Zigoo0) said:
you only need to create a simple website with these functions:

  • login /logout
  • admin panel & user panel
  • add items to database (only by admin)
  • view items (users & admins)
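The practice app described above, modelled in plain Python as an added example (this is not code from the post or from Ibrahim Hegazy; the users, passwords and items are made up, state lives in memory, and there is no HTTP layer). It covers the four functions in the list: login/logout, an admin panel next to what a normal user can do, admin-only writes to the “database”, and reads for any logged-in role. The detail worth noticing for later, when you hunt access-control bugs, is that every write re-checks the role on the server for each request, rather than relying on the UI hiding the button from normal users.

```python
"""Minimal model of the practice app: login/logout, admin vs user panel,
admin-only writes, reads for any logged-in role.
Added example (not the author's code); the app, users and items are made up."""
import hashlib
import hmac
import os
import secrets

# In-memory "database" (constructed sample state, not a real backend)
USERS = {}     # username -> {"salt": bytes, "hash": bytes, "role": "admin" | "user"}
ITEMS = []     # items added through the admin panel
SESSIONS = {}  # session token -> username


class AuthError(Exception):
    """Raised when a request is not logged in or lacks the required role."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked USERS table does not give away passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str, role: str = "user") -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def login(username: str, password: str) -> str:
    """Verify credentials and return a fresh random session token."""
    rec = USERS.get(username)
    # Hash even for unknown users so response time does not reveal
    # whether the username exists.
    salt = rec["salt"] if rec else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        raise AuthError("invalid credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def logout(token: str) -> None:
    # Invalidate server side; a client that keeps the old token gains nothing.
    SESSIONS.pop(token, None)


def current_user(token: str):
    """Map a session token to (username, role); reject unknown tokens."""
    username = SESSIONS.get(token)
    if username is None:
        raise AuthError("not logged in")
    return username, USERS[username]["role"]


def require_role(token: str, role: str) -> str:
    username, actual = current_user(token)
    if actual != role:
        raise AuthError(f"{username} has role {actual!r}, needs {role!r}")
    return username


def add_item(token: str, name: str) -> int:
    """Admin-only write: the role check runs on the server, on every request."""
    require_role(token, "admin")
    ITEMS.append(name)
    return len(ITEMS)


def view_items(token: str) -> list:
    """Any logged-in role may read the item list."""
    current_user(token)
    return list(ITEMS)


def admin_panel(token: str) -> dict:
    require_role(token, "admin")
    return {"users": sorted(USERS), "item_count": len(ITEMS)}


if __name__ == "__main__":
    register("alice", "admin-pass-123", role="admin")
    register("bob", "user-pass-456")
    admin, user = login("alice", "admin-pass-123"), login("bob", "user-pass-456")
    print("admin adds item ->", add_item(admin, "widget"))
    try:
        add_item(user, "gadget")
    except AuthError as e:
        print("user add rejected:", e)
    print("user view ->", view_items(user))
    logout(user)
    try:
        view_items(user)
    except AuthError as e:
        print("after logout:", e)
```

Running the file walks one admin and one user through the whole flow: the admin adds an item, the user’s attempt to add one is rejected, the user can still read, and after logout the user’s old token no longer works. Once you can write this much, you understand the path from a form submit to a database row, which is what the rest of the post builds on.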

At this point you understand at least the flow from the user end to the database.

Now we want to break the things we built and make them do unintended things;

that’s called web application penetration testing, so first you need to learn about web application vulnerabilities.

OWASP Top 10: https://www.youtube.com/watch?v=rWHvp7rUka8&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD

Web application penetration testing (by Ibrahim Hegazy, in Arabic): https://www.youtube.com/watch?v=BjfCWSFmIFI&list=PLv7cogHXoVhXvHPzIl1dWtBiYUAL8baHj

Recommended: https://portswigger.net/web-security/all-materials

Now you have knowledge about some issues; can you hack now? No XD

Mindset and process

Now you need to know how to use this knowledge: you need to build a methodology.

Finding your first bug by Katie Paxton-Fear: https://www.youtube.com/watch?v=RobCqW2KwGs&list=PLbyncTkpno5FZQ3ZgpHj1BdQ7XHwfvO1w

The Bug Hunter’s Methodology v4.0 — Recon Edition by Jason Haddix: https://www.youtube.com/watch?v=p4JgIu1mceI

Live recon by Behrouz Sadeghipour: https://www.youtube.com/watch?v=MIujSpuDtFY&list=PLKAaMVNxvLmAkqBkzFaOxqs3L66z2n8LA

My recon by Orwa Atyat: https://orwaatyat.medium.com/my-methodology-in-recon-and-find-bugs-my-methodology-in-hunting-using-phone-ccc9fe06dd2d

Now, are you ready to hack? Yes, but you will not find bugs :)

At this point you have huuuge knowledge with 0 hands-on experience, so you will not be able to use this knowledge and will get stuck; that’s normal.

Note: these are just tips; they may work for you or not.

Read write-ups:

Write-ups show you how other hackers think; from them you will gain a lot of knowledge, tools and methods for testing websites, and great recon tips.

Here is a great list by “Pentester Land”: https://pentester.land/list-of-bug-bounty-writeups.html

Twitter: https://twitter.com/hashtag/bugbountywriteup?src=hashtag_click , https://twitter.com/hashtag/bugbountytips?src=hashtag_click

Medium: https://infosecwriteups.com/

Play CTFs:

A lot of people won’t agree with this tip, but in my opinion CTFs give you a great mindset and searching skills. They also give you a lot of knowledge about many technologies, which can lead you to find great bugs, and they strengthen your understanding of each bug class in web applications.

picoCTF: https://picoctf.org/

Root Me: https://www.root-me.org/en/Challenges/Web-Client/ , https://www.root-me.org/en/Challenges/Web-Server/

Solve PortSwigger labs:

Those labs are a great resource for learning about web application vulnerabilities: https://portswigger.net/web-security/all-materials

Picking a target:

When you pick a target you will always find a lot of public programs with many hackers on their HOF (hall of fame); does this mean you will not find a bug?
My little brother (who is only 16 years old) found 2 bugs in a big public program. You just need to pick a target that you find interesting, read about the program’s functionality and browse it.

Try to pick targets with many access control policies (many roles, many permissions, many functions and endpoints that are not available to all user roles).

Also pick targets built on a technology that you are good at, for example: ASP.NET, Node.js, Ruby on Rails, etc.

How to search for bugs:

Many people try to test applications without even knowing what they do.

Learn more about the program and understand it well, so you can come up with scenarios to break it.

Don’t be random and just try everything without keeping track; use a checklist and always keep track of the application flow.

Here are some great checklists:

by “Mohammed Adam”: https://docs.google.com/spreadsheets/d/1TxNrvaIMRS_dmupcwjwJmXtaFk_lPGE1LzgxPu_7KqA/edit#gid=1308919623

Mahmoud M. Awali tweets great slides about every bug class and how to test for it: https://twitter.com/0xAwali

Shieldfy: https://github.com/shieldfy/API-Security-Checklist

Automated tools: do I have to use them?

I don’t like automation; automation transforms you into a robot with no brain, where you just get money by configuring tools. But if you want to find bugs you also need to work smart.

Write scripts for anything you want to automate, like recon and dirsearch.

Some great tools that can help you:
https://github.com/s0md3v/XSStrike
https://tools.kali.org/web-applications/xsser
http://xss-scanner.com/
https://github.com/DanMcInerney/xsscrapy
https://github.com/projectdiscovery/nuclei
https://github.com/s0md3v/Arjun

GitHub:
https://github.com/topics/xss-scanner
https://github.com/topics/recon
https://github.com/topics/api-testing
https://github.com/topics/vulnerability-detection
https://github.com/topics/vulnerability-scanner
https://github.com/topics/cve-scanner
https://github.com/topics/subdomain-takeover

Null Byte: https://www.youtube.com/watch?v=PPQ8m8xQAs8

Source code review

A lot of people ignore the JS files in applications, even though they can be very vulnerable and lead you to great findings.

This great video hosted by STÖK can help: https://www.youtube.com/watch?v=FTeE3OrTNoA
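A small Python script, added here as an example (it is not the author’s tooling and not from the STÖK video), that does the first pass of the JS review just described: pull out the API routes a bundle references and flag credential-looking strings that should never have shipped to the client. `SAMPLE_JS` is a constructed bundle; the route prefixes and the secret heuristics are assumptions you would tune for the program you are looking at, and `AKIAIOSFODNN7EXAMPLE` is the example key from Amazon’s own documentation, not a live credential. The same check is worth running over your own build output before a release.

```python
"""First-pass review of shipped JavaScript: which endpoints it talks to and
whether any credential-looking strings are embedded in it.
Added example (not the author's or STÖK's code); SAMPLE_JS is constructed."""
import re

# Quoted paths that look like API routes. The prefixes are an assumption;
# extend them for the application under review.
ENDPOINT_RE = re.compile(r"""["'`](/(?:api|v\d+|admin|internal)[A-Za-z0-9_/\-.{}:?=&]*)["'`]""")

# Credential shapes. The AWS access key prefix is the real format; the other
# two are heuristics that will need tuning per code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']([^"']{16,})["']"""),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}

# Constructed sample bundle; the key below is Amazon's documented example key.
SAMPLE_JS = """
// constructed sample bundle, not taken from any real site
const API = "/api/v2/items";
fetch("/api/v2/admin/users").then(r => r.json());
const legacy = '/internal/export?format=csv';
const config = { apiKey: "sk_live_0123456789abcdef0123", region: "eu" };
const awsKey = "AKIAIOSFODNN7EXAMPLE";
headers.Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnopqrstuvwxyz";
"""


def redact(match_text: str, keep: int = 8) -> str:
    """Keep a short prefix so the finding is recognisable without copying the secret."""
    return match_text[:keep] + "..." if len(match_text) > keep else match_text


def review_js(source: str) -> dict:
    """Return the endpoints referenced and credential-looking strings, by line."""
    endpoints = sorted({m.group(1) for m in ENDPOINT_RE.finditer(source)})
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "type": kind, "snippet": redact(m.group(0))})
    return {"endpoints": endpoints, "findings": findings}


if __name__ == "__main__":
    report = review_js(SAMPLE_JS)
    print("endpoints referenced:")
    for path in report["endpoints"]:
        print("  ", path)
    print("credential-looking strings:")
    for f in report["findings"]:
        print(f"   line {f['line']}: {f['type']} ({f['snippet']})")
```

Point it at a real file by reading the file into `review_js` instead of `SAMPLE_JS`. The endpoint list is the part that pays off most: routes such as the `/internal/...` one in the sample are exactly the “functions and endpoints that are not available to all user roles” mentioned under picking a target, and they are where you go back to the application flow and check who is actually allowed to call them. Findings are redacted on purpose so a report or screenshot does not itself leak the credential.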

Things to read

Although I am not a big fan of books, they will give you a lot of information about web application security.

Reading recommendations by Ibrahim Mosaad (security engineer at Facebook) from this live talk (https://www.youtube.com/watch?v=3IEobo9ccIE):

The Tangled Web: https://www.amazon.fr/Tangled-Web-Securing-Modern-Applications-ebook/dp/B006FZ3UNI

The Web Application Hacker’s Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470

SQL Injection Attacks and Defense: https://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597499633

Cure53 reports: https://cure53.de/#publications

Don’t ask to ask, just ask (https://dontasktoask.com/). Please read this.

Stop asking and start doing: a lot of you ask everyone for tips and help. Asking for help is good, but when you need it there are many resources online that can help you with your search, so instead of asking many people, start learning.

The Duplicate, Not Applicable and Informative curse: many people tell me that they cannot find bugs, and if they do, most of them get closed as duplicates or as low impact. That’s sooo normal; imagine how many people do what you are doing, same steps, same mindset. You will all end up finding the same bug, which has already been found by another hacker who did as you did. So all you have to do is build a good methodology for yourself that can help you find bugs that are harder to notice.

There is no secret to bug bounty: a lot of you ask me as if I have a secret tool or secret tips that can make you find bugs. This is not true. Yeah, I know that many people use scripts and automated tools to get many bugs, but this is shit and you will learn nothing from it, so start working on your skills and don’t be lazy.

Don’t be traditional: don’t follow every step you find in write-ups without thinking. Many of you tell me “I found a bug similar to the one you found and the PoC didn’t work”; it doesn’t work like that. You have to understand what is going on in the application and understand the bug you are trying to exploit.

Don’t let fake people frustrate you: there are a lot of fake people on social media with very little knowledge who always try to show how good they are when they are just script users. Focus on your skills and you will get better; a high amount of bounty doesn’t mean you are good.

There are very good people on social media who can help you:

https://twitter.com/boomneroli (me of course because I am super hacker XD)
https://twitter.com/NahamSec
https://twitter.com/stokfredrik
https://twitter.com/Jhaddix
https://twitter.com/LiveOverflow
https://twitter.com/Zigoo0
https://twitter.com/dPhoeniixx
https://twitter.com/K4r1it0
https://twitter.com/the_st0rm
https://twitter.com/Zombiehelp54

Whenever I remember someone, I will update this list.

Now I will leave you so you can all go hack and earn money and experience. I will update this post whenever I remember something that can help; I hope you guys do well and find this post useful.


Source: https://infosecwriteups.com/bug-bounty-getting-started-some-tips-600866c4d790?source=rss----7b722bfd1b8d--bug_bounty