Approaching Large Scope Targets Without Feeling Overwhelmed

Hello everyone and welcome to this week's video in the bug bounty course. So today I'm going to be talking about how to get started when you've got a particularly large scope target. Now, large scope targets are usually recommended for beginners, and that's because they tend to be really flexible, right? Like you've got a lot of different stuff to look at and look into and to try and hack on, so it can be a really great place to get started because there's a lot more to look at, a lot more bugs to find potentially. In terms of the sort of stuff I hack on, I tend to hack on large scopes but I usually focus on one part of that larger scope. This is particularly useful because when you're hacking you learn a lot about how the target starts to develop their applications, and by working on a scope target like this you can focus on it not being too overwhelming but at the same time be learning more about how software is developed and how software is deployed on your actual target.

And once again the entire bug bounty course is very kindly sponsored by Bugcrowd. A great hacker needs a great platform, and Bugcrowd is the home of the hacker. They provide hackers with the best opportunities to make money, advance their skills, build community and unleash ingenuity through their security knowledge platform. They provide distinctive educational content for hackers: you can rapidly pick up new skills through Bugcrowd University or gain practical experience with one of their many monthly challenges, or maybe you want to follow real hacking experts like myself as we cover methodology, shortcuts and tools. Bugcrowd has an entire Level Up series, unique to the industry, that covers all of that. So if you're interested in joining Bugcrowd, head over to bugcrowd.com/hackers now and join the Bugcrowd community. Thank you very much to Bugcrowd for sponsoring this video.

Okay, so what do we mean when we say large scope? What does that mean? A large scope program is really defined loosely as any program of multiple different websites. Usually it's *.domain name, so it could be any subdomain of a target domain name, and it could be defined as any asset that is owned by the target or that can be proven to be owned by the target. It can also include subsidiaries or acquisitions. Now, the thing with acquisitions is that often they'll have a minimum time: stuff won't be in scope until they've owned it for a month or two months or whatever. Or it might be just a scope that has multiple different products to actually look at, that are all listed in the scope table but that all have different functions and different stuff to look at. So the example I've got here is the Dell program on Bugcrowd, which is *.dell.com and *.delltechnologies.com. They're really great places to get started because you can define your own unique scope, the downside being that you need to find that scope yourself, and that is where we have reconnaissance. I've actually even seen reports where the company didn't even know that it was theirs and that it was, like, vulnerable. So it can really be very broad, and certainly if you are looking for that unique scope, you're doing something like subdomain enumeration, you're looking at, say, certificate searches, you will find that companies may ask you to prove that they own it and give your justification on that as well.

So the first thing you might find yourself when looking at these types of targets is really overwhelmed. These large scope targets can be super overwhelming to hackers, especially if you're new. While they're often recommended because you can find that scope yourself and there's more stuff to look at, it is super overwhelming, and if you feel really overwhelmed you are not alone. Top hackers can feel overwhelmed by dealing with a ton of scope. You want to start broad, trying to find everything, and then make your way down to each application, understanding the boundaries of each. So for example Atlassian has a huge scope, but they have individual products like a Jira ticket, and you can use the same main app methodology on that single feature or that single product that they have. So you're not necessarily trying to hack everything.

But really, for large scope targets recon is key. There's two different types of recon. Codingo has an excellent article, that I will link in the description, where he defines this just-in-time recon, which is a single scan on a single day. It gives you the lay of the land, but it only gives you it at one specific point. A lot of new hackers will do this: they'll run Cert Spotter, they'll run amass, they'll do subdomain enumeration and that's it, and they won't look at it over time, they just do one point. Now, people who have a more recon focused methodology, and where I personally think a lot of new hackers fail, is that they don't do this passive or alert based recon, where these scans aren't just run once but they're run weekly or monthly and then anything new is highlighted. And when a lot of the best hackers are talking about their recon process, they're often talking about this passive hunt for new stuff and this idea of being the first to find something new when something just gets deployed or when something just gets updated, etc. A lot of the hackers that do things like subdomain enumeration might do this as well.

There's lots of different ways to do recon, and in terms of a larger scope, actually where you can find bugs is super broad. You might look for subdomains and domains, as we'll see in the upcoming recon video. You might look at code and version control to see if there's any pieces of code that are owned by your target, and then you might want to do a code review, also coming up in a video. You might just go through the applications that they provide and just go through them one at a time, going with the documentation they actually provide you, like in my main app methodology. You might look at third party services like Slack or integrations within the application. You might look for API keys or data dumps via Google dorking. You might find documents, again via Google dorking. You might do API enumeration, such as in my API enumeration video, to discover maybe those API endpoints that are up but not being referenced or that you can't find referenced. You might actually just go through the scope page; the scope page will often very clearly say this is what we have, this is what's in scope and out of scope. You might use tools that tell you the tech stack of something, and instead of hacking an application you might go, what's it running? You might also look at company news, whether that's through updates or patch notes, to understand what new features have been released. And all of these are valid ways to hunt for bugs on these larger scope programs; there's not just one way of doing it. And actually, if you are a beginner, what I really recommend is to focus on what's in front of you. Don't try and do, like, loads of subdomain searches and building up a full recon pipeline. Look at what's in front of you and hack that first, because that will tell you a lot about how the product is supposed to be used.

Subdomain or domain enumeration: trying to find what else is out there. There's two really good tools for it, amass and Sublist3r. You can usually just provide a name or a single domain name and it will crawl and find new domain names or related information from a bunch of different sources. I really like amass because it has a visual element to it, but either of these tools is really great. If you want to know more about how to do specifically subdomain enumeration and using that as part of your recon process, you probably want to watch my full recon video, but broadly, what are we trying to do? We're trying to find domains that we can attack. You usually won't find a bug with recon alone, usually anyway; there are some, but for the most part you still need to do the actual hacking. You need to hack what you find, and it can be hard to identify which domains you need to look more in depth at if you've just got, like, 30 or 40 subdomains. I really like Jason's The Bug Hunter's Methodology, and if you want to know more I really recommend the video from NahamCon because he goes into this quite a lot. But fundamentally we're trying to find stuff to hack; we're not trying to find bugs, not yet. Now, to start to understand this data there's a few different ways of doing things. A lot of people like just taking screenshots of subdomains and seeing what's there and doing a quick pass through to see what is worth looking at in more depth. amass has some visualization tools as well. You may want to consider something like Maltego if you are a very visual person. You've got to do that understanding element to it, because again recon alone is not going to find you a bug, and I really want to stress that because I think a lot of people think all you need is recon, but you do need to actually hack things.

The bad news for a lot of this is your data has to be formatted in specific ways for these tools, and that doing subdomain enumeration in general can be very noisy and potentially lead to IP bans or WAF bans, and that can be really frustrating. There's ways around it, there's VPNs, but it's really annoying. Screenshots alone may not even be helpful, especially as they only work with HTTP, but maybe it's WebSockets, maybe it's something else like it's an FTP and it's not got a secure password on it so you can hack it, but if you only take a screenshot you're not getting that full picture. It takes time to go through the data and you could find nothing, and in general subdomains alone are very rarely the be-all and end-all of any recon, to be honest. It really is just the first step, and I really want to stress that, because I think a lot of people think, okay, recon, all we need to do is just find bugs, and that's not necessarily the case.

Open source intelligence: there's a lot of different ways to get open source intelligence. We don't tend to use a lot of it in bug bounty hunting, just because things like people who work for a company are often just out of scope for us, so there's no point. Information from the dark web: we've seen a lot of debates about whether or not data dumps should be in scope and whether or not people should pay for them. But things like enthusiast blogs and seeing how people might already be bending the security controls, those can be really helpful. So it depends on what we're trying to do. OSINT can also be really helpful for just understanding how something should work, and that's something I really want to stress about finding bugs: that understanding stage comes first and the hacking comes after that understanding, right? Like, it's just the first step in that understanding. Speaking of OSINT, if you are looking for leaked keys or GitHub in general, I really recommend TruffleHog for that. It's a really great tool that can find API keys, but a lot of people have been running it, so this alone will probably not be enough. Looking into, say, using that OSINT to find developers and what they've committed to, if they've committed to your target's repository, and looking through their commits and seeing if they've leaked a key, maybe on a completely unrelated repository, that's where you're going to find bugs, right? It's not enough just to run this once; you have to be constantly running it, that kind of just-in-time versus the passiveness, but also looking in those slightly weirder places.

I will say that overall you don't really want to complicate things. Even with a larger scope you don't need a fully custom pipeline to start. You do not need a super complex flow chart, you don't need to get ChatGPT to generate a lot of code; you're just looking for somewhere to start hacking. It's easy to invest in infrastructure around recon, but without that you can't use that data. You have to take that step back and think, okay, what does this pipeline look like, what do I actually need from this? And what you'll probably find is you don't need a lot of recon. You don't need to know every single subdomain, you just need somewhere to start: an application that maybe people haven't looked at as often. And you don't necessarily need this big complex recon, or maybe you do, maybe you're a programmer who plays to your strengths, you're like, I can write really fast code and make sure it's deployed really well and put alerts up, and something like recon is then maybe a much better option. Remember, large scope doesn't mean only recon; it means that recon is an element of that.

Now, there are tools that can tell you what something is built with, like Wappalyzer, which can tell you, hey, this is running Shopify with Google Analytics, or Vue and nginx, by using some fingerprinting techniques. I've also found that error messages are really good for doing this, because you'll see a java.util error and you're like, oh yeah, that's running Java. Then some other things to keep a lookout for is just strange implementations, and that's very non-specific, but recently I did find a bug where it was like a unique way of doing a GraphQL API, and I hadn't ever seen GraphQL be called in this way, and when I looked it up it was only implemented in a few different servers, and then that server implementation was then vulnerable to another attack. So going into, like, supply chains can be really helpful. Note that a target won't necessarily accept a vulnerability on something they cannot control, but something they can control, like open source software that's been misconfigured, they will pay for. So if you find a bug on Shopify, report that to Shopify; if you find a bug on an implementation of an API framework, that's when you might want to consider reporting it to the target, not Shopify.

CVEs: there is again a really good talk from Godfather Orwa about Shodan and leveraging Shodan for vulnerabilities. You can actually get access to Shodan for free if you're a student, and it has a vulnerability search: you can put in a CVE and it will show you matching ones. The difficulty comes is, okay, how do you take that and take it back to your target? It's a challenge. There are so many good ways of using Shodan properly. Going into things, again I really recommend Orwa's presentation, because that is how to use Shodan. I watched it live as well, actually; it was very good live.

Another thing you might consider is just Google dorking in general. I put a link to this in the description, but this is just a link of, like, common Google dorks, and here you can see "files containing juicy info" as a section. Again, you have to figure out how you're going to take that back to your target; maybe that's adding more parameters, maybe that's just verifying who owns it, etc. In terms of what your Google dorking looks like, it depends on the target. The index dork, I find, does nothing for API hacking, because most APIs don't have an index, they're usually controlled by a framework nowadays, but it can still be really helpful for just finding interesting stuff. Again, you're not finding a vulnerability here; you're finding something that's worth looking at, you're finding something that you might want to look more in depth into.

News and updates: going through version histories, going through marketing blogs, really useful ways to understand what an application is supposed to do and also the kind of flaws it has. Quite often you might just see "security issue", but actually if you dive into the patch notes it might be potentially a bit more information. Again, it's not guaranteed, but it at least tells you what your target is deploying. Now of course if you can find something that's newly deployed that's in scope, that is great on a large scope target, because you've got somewhere to start; you've got, okay, I can start there, I can start on this new thing, and you're going to be looking at, like, low competition bug hunting. Remember, we are not trying to find bugs when we do this, we are trying to find stuff. It might be useful stuff, it might be completely useless stuff. Recon is about more than just that single scan; by doing it over time, that's what really gives recon based bug hunters their power and skills and how they're actually able to find bugs. If you want to be a recon focused hunter, you're going to need to invest in pipelines and notes and alert systems and how you respond to those alerts and what kind of things you've even been searching for. It takes a lot to invest into that, and quite frankly, when you're a beginner, if you don't already have those skills, there are other hackers who have already developed them and who can find stuff much faster than you can at the moment. Saying that, does that mean you shouldn't look at large scope targets? No. You just need to have some targets. Once you have some targets, just hack them, no different to the main app methodology: treat each like it's the main application and just go through it.

So start out by looking at how the application works, think about the kind of security controls that are in place, think about how you would break some of those security controls, then try out some payloads, some signs of bugs, and then that will lead you to how you should approach that target in terms of what vulnerabilities to actually look for. Again, the point of a large scope is to do some basic reconnaissance; once you've done your basic reconnaissance you just stick to your regular methodology. You don't have to do a recon focused methodology; I think that's really important. So hopefully that was helpful and useful to think about how we might approach a large scope target. In the live stream at the end of this series I'll be looking at a large scope target and showing you techniques that I would start with, but my techniques are often just: look at what's there, pick an application and just start the main app methodology. I am not doing any kind of complex recon; it's not in my skill set, it's not my forte, I don't find it enjoyable, I just don't do it. Saying that, if you do want to learn more about recon, I really do recommend the recon video that I put up in the YouTube suggested video thing that pops up at the end of videos. Start there. If you are a new hacker, you just want to do whatever comes next: large scope target, main app methodology, just have a go at actually hacking something. I promise you will learn so much. Thank you very much for watching and thank you very much to Bugcrowd for sponsoring this video. Bye everyone.
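The video contrasts just-in-time recon (one scan, one day) with alert-based recon, where the same enumeration is re-run weekly or monthly and only what is new gets highlighted. The script below is an added example, not code from the video or from any of the tools it names, that shows the small piece of plumbing that turns a pile of subdomain lists into that kind of alert. It assumes each snapshot is the plain-text output of an enumerator such as amass or Sublist3r (one hostname per line), that `SCOPE` is the program's list of root domains, and the two weekly snapshots are constructed sample data, including the noise real tool output carries (case differences, trailing dots, wildcard entries, and out-of-scope domains dragged in by passive sources).

```python
"""Alert-based recon: diff subdomain snapshots taken over time.

Added example (not from the video). It assumes each snapshot is the
plain-text output of a subdomain tool such as amass or Sublist3r, one
hostname per line; the snapshots below are constructed sample data.
"""
from dataclasses import dataclass

# Program scope as root domains; constructed, stands in for a *.example.com
# style scope entry.
SCOPE = ("example.com", "example.net")

# Constructed sample: two weekly enumeration runs against the same scope.
WEEK1 = """# week 1 output (constructed)
www.example.com
api.example.com
mail.example.com
*.example.com
blog.example.org
"""

WEEK2 = """# week 2 output (constructed): mail is gone, staging appears,
# and one host comes back in a different case with a trailing dot
www.example.com
API.example.com.
staging.example.com
*.example.com
"""


@dataclass(frozen=True)
class SnapshotDiff:
    new_hosts: frozenset
    gone_hosts: frozenset
    unchanged: frozenset


def normalize_host(line: str):
    """Lower-case, drop the trailing dot and any wildcard prefix so the
    same host compares equal across runs and across tools."""
    host = line.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host or None


def in_scope(host: str, scope=SCOPE) -> bool:
    """Keep only hosts under a scope root (the root itself included);
    out-of-scope domains that passive sources drag in are discarded."""
    return any(host == root or host.endswith("." + root) for root in scope)


def parse_snapshot(text: str, scope=SCOPE) -> frozenset:
    """Turn raw enumerator output into a normalized, in-scope host set."""
    hosts = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host = normalize_host(line)
        if host and in_scope(host, scope):
            hosts.add(host)
    return frozenset(hosts)


def diff_snapshots(previous: frozenset, current: frozenset) -> SnapshotDiff:
    """What appeared, what disappeared, what stayed between two runs."""
    return SnapshotDiff(
        new_hosts=current - previous,
        gone_hosts=previous - current,
        unchanged=previous & current,
    )


def alerts(history, scope=SCOPE):
    """Walk snapshots oldest first and return, per run, its diff against
    the run before it. The new_hosts of each diff are the 'anything new'
    items a weekly or monthly job would flag for a manual look."""
    seen = frozenset()
    out = []
    for label, text in history:
        snap = parse_snapshot(text, scope)
        out.append((label, diff_snapshots(seen, snap)))
        seen = snap
    return out


if __name__ == "__main__":
    for label, d in alerts([("week1", WEEK1), ("week2", WEEK2)]):
        print(f"{label}: new={sorted(d.new_hosts)} gone={sorted(d.gone_hosts)}")
```

Run against the two constructed snapshots, week 2 flags only `staging.example.com` as new and `mail.example.com` as gone; `API.example.com.` is recognised as the same `api.example.com` seen the week before, and `blog.example.org` never enters the picture because it fails the scope check. Swapping the string constants for files written by a scheduled job is all it takes to keep a history, and the normalization step is what stops that history filling up with false "new host" alerts caused by formatting differences rather than real change.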

2024-01-05 08:18