Giving Yourself the Best Opportunity to Find a Bug
hi everyone and welcome to the next video in the bug Bounty Series in the previous series we looked a lot at starting out so what kind of vulnerabilities to look for but also what even is bug bounty hunting in this series of videos we're going to go a bit more in depth we're going to be talking a lot more about how to actually start hacking and then moving on to how you actually find your first bug so a lot of the videos in this part of the series are going to be more around okay how do we choose a Target how do we get started on a Target what kind of stuff do we look for what kind of methodologies are we going to be using Etc so in this series we're going to be looking more at that so if you're already somewhat familiar with bug bounty hunting maybe you've had a go haven't been successful this is what we're covering here so this phase of the series is going to be more about that kind of thing so I think you'll really enjoy it as always we've got to thank our amazing sponsor bug crowd a great hacker needs a great platform and Bug crowd is the home of the hacker they provide hackers with the best opportunities to make money Advance their skills build community and unleash Ingenuity through their security knowledge platform they provide distinctive educational content for hackers you can rapidly pick up new skills through bug Crow University or gain practical experience with one of their many monthly challenges or maybe you want to follow real hacking experts like myself as we cover methodology shortcuts and tools bug crowd has an entire level up series unique to the industry that covers all of that so if you're interested in joining bug crowd head over to bug crow.com Slackers now and join the bug crowd Community thank you very much to bug crowd for sponsoring this video bug crowd is sponsoring every single video in this series so you can learn bug bounty hunting and get started on bug crowd today thank you so much to bug crowd for sponsoring answering the video so the very first kind of thing once you sign up to BU Crown you actually have a look is you have this discovery page now the discovery page shows you basically every program that you can hack on so if you're invited into private programs public programs however as we will see BU crowd does have some things that make it a little bit different if you've hacked on other platforms before um you will see bu Crow Works a little bit differently and may be to your advantage so the discovery page is the very first page that you see it shows you a bunch of stuff it will flag up programs that have new scope or high rewards so if you're maybe a beginner you want to look at some new scope you can actually have a look at just the programs that are updated and then you can see what the new scope is very easily so once you've looked to the Discovery page you might find yourself on the programs page and the programs page is essentially the same data but you can actually filter it so you can look for your private programs that you've accepted an invite into you can look at whether or not collaboration is enabled on the program you can look at specific Industries Etc really helpful to just start to narrow things down but this does also show vdps and bug boun programs so you can actually also filter VI if it's a VDP the big change in bug crowd that you may not be familiar with that you may be don't know from other platforms is this idea of joinable program so on bug crowd if you meet certain requirements you can actually join private programs and it's really clear what the requirements are and how to actually join them it's usually related to how many bugs you found so you do need to find a bug first but if you're already finding p4s for example this might be a really good opportunity to actually start getting private invites without necessarily having a ton of critical bug straight off they tend to give you a little bit of information about it it's an Electronics retailer it's a mathematical Solutions provider that can tell you okay are you actually going to be interested in this or what so you do have that element to it it will also often link to things like your your skills it will have things like API hacking for example like specific skills it will actually have its eligibility requirements down here so this one requires at least four submissions that are considered valid an accuracy of at least 50% so you need to accurately rate your bugs you can't just rate a typical Idol as a P1 like a critical vulnerability unless you you genuinely believe that so you have to accurately rate your bugs you need at least a specific priority so depending on the program not every program will have this they usually have a submission count like that's quite common but for a minimum priority that's a bit RAR and here P3 plus submissions of all time at least one so you need at least one submission that's higher than a P3 other requirements you might see include specific countries if you're based in say the E you do need to verify your ID but again fairly easy requirement to meet sometimes you just see submission count at least four and accuracy at least 50% accuracy is probably the big one that I see on most of these so just bear that in mind you also do find like over here a bit of information about the target scope so this one is a web front end with go and Ruby based graphql back end fantastic great IO graph QR hacking so this is going to be something that I want to hack crowd stream is bug crowd's version of hacktivity where people post bug found on blah blah blah this is bug crowd's version of it so it shows you both depending on like the client sensitivity so whether or not they opt into it and by the way if you're run a bug Bounty program you should opt into this because it's really helpful for educational content creators like me to see what people are actually finding and do some research if you look at the amazing stuff being done by bug Bounty reports explain Jesus Christ you should definitely sign up to crowd stream but it also shows some redacted information as well so it might just say submission accepted submission claimed but it won't say the exact target information but it can give you an idea of the kind of V abilities people are finding if it's got that detail and also the kind of bounties people are getting as well so the main thing you'll find yourself looking at is of course the program Pages the program Pages gives you all the kind of ground rules but also some information so this is the indeed program good program on bug Crow I really do recommend it lots of scope if you're a beginner they've got a lot of different elements of the job application process to have a look at first up we have a bit of information about indeed then we have testing requirement in this case you need to add a bug Bounty little thing to stop moderation from picking it up and you should use your bug Crow ninja email account um include bug Bounty and the company title you create don't try and represent yourself as a real company add bug bounty to the request you're sending so the IND D team can identify what you're sending them some ground rules of course and we've also got this little sidebar here we're going to be talking more about that in a moment now before I talk about the in-depth of the kind of Statistics you should be looking at and we actually go look at program page I want to talk about the states in bug crowd because you may not be familiar with them if you've not hacked on bug Crow before so a new state means that it's a new issue and triage hasn't looked at it yet so most submissions new means no one's seen it not bug crowd not the client triaged means that triage has set it's a valid issue it is then still up to the program to review that and accept it or decline it so if it gets accepted by the program and you're expecting a bounty you'll get this state which is unresolved that's usually like when that changes to that state that's usually when you get paid your Bounty you also get some points as well resolved is when a bugus market is fixed now if you can bypass the fix or or if it hasn't been fixed properly at that point you can submit a new report because as far as the client said it's fixed now informational or what previously was called won't fix is essentially they know about the issue either from your report or even previous reports and for whatever reason they do not intend on fixing it now not every security vulnerability will be marked as to resolve by the customer and that's because it's really expensive to actually fix security vulnerabilities it takes a lot of Manpower you've got to get developers on board you've got to get testing you've got to do unit tests it can be quite a lot and for a vulnerability that doesn't necessarily impact that much they may just decide you know what we're not in a position where we can fix it can that change yeah of course it can change does that mean you shouldn't submit that bug I would still submit it if I were you but it is worth remembering that not everything is going to be fixed and not everything is even a candidate to be fixed now the rejected submission states are out of scope so you will receive a penalty if you go out of scope most bug crowd triages are very nice and they won't Mark something is out of scope they'll mark it as na but if you continue to go out of scope they will mark it as out of scope and you'll receive penalties not reproducible triage or the client can't get the vulnerability to work again you'll probably get na before you get this it's only if you start to submit a lot of vulnerabilities that are like not reproducible that you will get a penalty now not applicable on bug crowd is a neutral State it's not a penalty and it's not a positive State it's just neutral if you get na it will not affect your reputation it does not affect your invites it is just just for whatever reason this is not applicable to this program whatever and I really want to stress that is not a negative state that is just a this doesn't apply to this program state it doesn't get used for anything I promise if you get marked as a duplicate your duplicate will be marked like in the original status and it will be linked it inherits it if a duplicate gets marked as resolved but you can still do it cause that issue new report it's a new issue or it's not been fixed properly known issues is on that little sidebar and this is where we start to talk about some of the statistics and I think it's really important to think about statistics in bug bounty hunting because actually the statistics can be really helpful for beginners for choosing what kind of programs you want to look at especially if you don't necessarily have a community yet and you can't just find out from other people like oh what programs do you really enjoy hacking I don't know because I've only literally just come here and I don't have any friends statistics can be a really great way of seeing that known issues it's only on some programs programs specifically have to say yes we want to show known issues which does mean that you won't necessarily see it on everything essentially it gives you an idea of how many duplicates there are so I'll use an example over here so you see this total issue this 278 so that is the total number of submissions including duplicates of known issues Naas as well so it can give you the idea of the amount of duplicates that a program has you see this total here this 278 so that is the total count of issues now we can see here in unique we've got 52 52 is is triaged unresolved and informational so these are issues which are still in the program for whatever reason so 278 is this number so if you do 278 minus 52 you get 226 issues that are in pre-t triage or a duplicate or resolved or na if you take your resolved vulnerabilities rewarded so that's 150 so that's the total number of vulnerabilities this program has has given bounties for minus 52 that are still not fixed you get 98 issues that have actually been resolved now why is knowing the issues have been resolved important if you want less duplicates the easiest way to do that is to work with a program that is on the ball that is answering questions and getting stuff sorted because you just will find less security issues which sounds negative but actually if you think about it if they're resolving in all the p3s and p2s or p1s or whatever if they're resolving those any issue you find has a greater chance of being unique and then you can do some more maths the number of issues pre-t triage or dup or resolved minus the resolved issues mean in this case is 134 either pre-t triage or dupe or na that might suggest that this has a very high number of Na submissions I think for this particular one the valid is within 3 days that's a good sinus is an active program I would assume it was maybe na that was causing this again best way to avoid dupes is to work with programs that are like really responsive and that want to work with hackers so this is how bug crowd shows scope and you can see here that on the side it actually covers things like the Technologies in use this is really helpful especially if you're learning specific skills so if you are say looking at okay what technology should I be learning if I'm doing bug bounty hunting my suggestion would be go look at some big programs Walmart indeed Adele as well go look at some big programs and see what technologies they're actually using and then learn those don't take advice from me I'm a PHP programmer and every advice I've ever given anyone is go learn PHP but you can actually see what's in you so you'll see a lot of react from for example super helpful to learn react really good technology to learn at the moment you'll see some like more specific languages potentially you might see some go you might see some Ruby gives you an idea of where you can specialize it will also showare things like mobile testing as well so you can see here that this is indeed this is like a super large attack surface and staring a bug Bounty context this wild card can mean multiple things it might mean that every subdomain is in scope it can also mean that every asset that company owns that you can prove that company owns is also in scope and again you got to look through these for different programs in this case that they've said this is thousands of subdomains that they can't list however here's basically an idea now the indeed program and some other programs as well have this idea of primary targets and secondary targets so if you're hacking a primary target the bounties are going to be much higher and you can actually see this a P2 issue here starts from 1K to 4K and 4K to 10K for a P1 if you're looking at primary targets or maybe you want to hack something that perhaps hasn't had the same amount of scrutiny you might want to look at secondary targets or maybe if you're searching for bounties maybe you're a bit further along in your journey you might want to look at P1 and primary targets so let's take a look at some actual bug crowd scope Pages these are all programs that I recommend because I think they are good for beginners they're friendly they're responsive Etc okay this is the bug crowd start page so to get to the Discovery you want to go here click on Discovery and this is that staff picks and new scope page I was talking about earlier for example we can see here that cloudinary has I think increased theirs this is new scope here so in this case we can go to USAA you go to announcements and you can see that there's out of scope updates and stuff like that so these can help if you are looking for something that is kind of new scope or something that's completely new you can also see here that we can see some joinable programs here you can tell they're joinable because because they'll have vague titles like web API IOS and Android applications and here you can see this is the one that has quite a lot of different requirements on it we can see here different priority ranges and the bounties and also this is a website IOS and Android and again you can see there's some information about the vulnerability rewards as well so this is the I don't know recommendations I guess is probably the easiest way to say it and you can see here you can see all the lassan stuff as well there's also adjust for you choose a Target or explore an industry so if you go to explore an industry it will show you like Banking and e-commerce and Cloud this can be really helpful especially this e-commerce and Retail one if you learn like a specific industry vulnerabilities for e-commerce and Retail it's usually a business logic errors you can actually just apply the same methodology over multiple programs super easily and you can see there's also like business management stuff as well the programs page here so the programs page is that like searchable one so you can throw in like accepted invites or vulnerability disclosure rewards so this will show you anything that's not a VDP but you can also add more stuff in here as well so you can see your pending invites the like whether or not you participated in them specific Industries again so you can start to like really dial down into the kind of programs you're looking for but again I've always found that some of my best results have been found from me just experimenting anyway let's take a look at indeed program again I really recommend the indeed program it's a really great program the team is really responsive I found the announcements here this is going to show you you when new targets get added the crowd stream is going to tell you what people are finding so here you can see this is on Portal indeed Flex this is just something owned by indeed this is on the graph qlm points this can be really helpful in saying what you should be looking at I see this here submission accepted On Target graphql it was a few days ago this to me says I want to look at that graphql endpoint because it's it's very unlikely that if a P2 is being found that there are no p3s and no p2s there to find things and as I've said in some of my other videos I do not find good bugs I don't find like p1s or crits I find like medium and like high bugs at the most because a lot of the bugs I find are easy bugs they're not again not super complicated I'm not that good at hacking Etc so again you see there's another issue here on the graphql API another issue here on the graphql API this is all telling me let's have a look at the program details and the actual scope so you can see that this hasn't got those the like additional statistics that we saw in some of the other programs so you can see here we have vulnerabilities rewarded validation within six days and 75% submissions are accepted or rejected within 6 days so what that means is that there is a out 6 days until you get a bounty so again responsive program we want to see a responsive program if a program isn't meeting their response efficiency that can imply that actually they can they're going to have a lot of duplicates because they're not necessarily fixing issues you can see here we've got some information about don't violate the terms of service don't violate the law and here we can see the primary target so we have primary targets secondary targets and other targets you can see here that these have different Bounty amounts because this is what they want you to focus on so in this case this stuff here is a secondary Target and this stuff here is a primary target and you can see this includes account information profile information that graphql API an Android app and IOS app a Chinese IOS app and and Android app the out of scope here is the chatbot stuff they don't own and some specific again chatbot stuff and some specific websites you can once again see some of the technology that they using this can be really helpful in deciding what to learn for example this is hosted on AWS uses bootstrap Amazon cloudfront jQuery and something called Gatsby so really helpful to see actually what technologies are my targets using what can I learn how can I learn those new skills because especially nowadays I think it's I think it's been a case for a while but especially nowadays in bug bounty hunting having a specialty can be such a huge help for me it's API testing for other people it's Recon or it's cloud or it's ssrf or whatever like business logic is whatever all of that can be so helpful it has some information about what it considers like a P1 P2 P3 or P4 issue for if you use other bug Bounty platforms this is a crit this is a high this is a medium and then this is a low and again stored xss here is always going to be a high that's not necessarily always going to be the case on other programs so really helpful to know that and there are some exceptions here that are the T so the VRT when you s submit it will give you like a vulnerability they give you like a priority but they don't want HTML injection self xss or email stuff unless you can demonstrate a risk some helpful tips for testing a lot of programs will have these in helping you navigate the application especially if it's not something you're familiar with already and they are all also include a Target overview so you can see what you want to have a look at immediately thinking profile and resume created that's going to be one of their key functionality but there's also like a developer API they want you to focus on o floors looking at privilege escalation Etc that's an example scope page let's take another another look at another scope page here Credit Karma this does have those known issues you can start to think okay how am I going to approach this is this going to be a Target that's responsive see here 75% of submissions are accepted or reject them in two days so they're responsive great have they got a lot of known issues not too many they've got a high number of rewarded vulnerabilities as well looking at this part of the the ratings and rewards you can see this is not a is as detailed as ineds and again that's going to depend on the person you are hacking not every program is going to care about everything it's just a nature of their business right they can't fix everything so the they specifically call out open redirects and social media link hijacking as just stuff they're not interested in so they don't want to hear about it they don't want to they're not going to fix it avoid looking for those so you can see see the program rules here is actually fairly slim if you really do struggle with more complex scope and rules some programs really will have rules that are like don't just delete any information you access don't send the pii apart from the reproduction steps redact pii do not perform testing that includes brute force on registration and covery so again standard scope we have in this case their mobile apps and down here we have their web testing and then we have the op out of scope category what can sometimes be confusing is if you have quite a lot of URLs that are in scope and actually when it comes to hacking them you're stepping on a Minefield with which ones are actually going to be considered out of scope or not again we have tax support tax help and again we've got that detailed breakdown of all the Technologies so WordPress New Relic PHP we've got these are not super helpful cuz they're like Swift yeah it's an iOS application of course it's called Swift and here you can see a full list down here of their focus areas so authentication privilege escalation data exposure we've got web out of scope IOS and Android out of Scopes and you can get your credentials for a program programs that do have credentials can go either way for me sometimes they can be really helpful because when I self-register they get tend to set up multiple things you have to pay for example however I will say that it can be a huge burden on the hacker because you have to wait for those credentials to actually get assigned it can go either way so let's look at one more of these I'm going to pick from the discovery I'm just going to pick randomly let's go for cloudy information about what they do and immediately after seeing this you can see that this is apis and development stuff these are really good to hack because if they are doing developer stuff a lot of other hackers will actually get very intimidated by them actually hacking them can be a really great way of finding unique bugs because nobody else is looking at them um we've got some general guidelines some reward guidelines our in scope targets our out scope targets super simple and straightforward we like to see it um some information on access in this case you must use your bug croud ninja address some of the focus areas out of scope and also excluded submission types now again these are really helpful because they can can immediately tell you whether or not you should even bother reporting something and you won't report everything you find looking at the statistics over here you can see that this is quick validation the payout is potentially a little bit low which suggests maybe there's a lot more kind of P3 issues but it doesn't mean that there's no P2 issues or anything like that if we have a look at the announcements we can see there hasn't been any major updates so we might want to say you know what this hasn't had any major updates while it is responsive it's not necessarily got new scope coming out so maybe you want to skip this again it depends on your hacking Style and what you choose to hack this kind of very technical programs can be actually really great to choose a target for because if you do have that technical expertise other hackers don't and at the fundamental end of the game like end of the day with bug bounty hunting is you're in competition with the other hackers they are your friends they are awesome they're very friendly but you in competition with them you've got to make sure that you're like setting yourself up for Success anyway let's go back to some final thoughts and what I think some of your main consideration should be when you hack on these programs as well as some bug crowd specific stuff that you may want to think about and consider okay okay welcome back I hope you found that helpful some other things talk about specifically for bug crowd information vdps on bug crowds do not offer points vdps on bug crowd do not offer invites they are see something say something programs rather than come and hack me I've got presents they're good for testing new techniques on real targets getting a feel for a real website but if you you do vdps if you smash a bunch of vdps you are not going to get any invites and you're not going to get any points you can't buy anything with Kudos in reality so the best way to get invites on bug crowd is this crowd matching thing they sell it to their customers so you have a resume page you can fill out your resume with information about your experience or certifications you have and you can connect things like your GitHub your stack overflow pentest the lab you can have preferences on invites and availability you can participate in programs create more get more active bugs consistency etc those are all better ways of getting invites specifically on bug crowd if the number one thing you can do on bug crowd to get private invites is literally just find bugs if you find bugs you will get invites it's true on all platforms to be honest every single time that I like dust off my occasional bug Bounty Hunter and actually submit something I get a ton of invites straight afterwards bug crowd also has something called request a response you might be familiar with this as being called mediation or appeals again it's not really for choosing a program but I think it's important to talk about so you can actually request a response from bug crowd or the program if you're waiting on updates there's a you fill out and if you are maybe wanting to choose maybe a program that's really receptive maybe you've had poor experience in the past um request or response might be something that kind of tips that balance for you so my suggestions pick a large enough scope to Pivot within the application you do not want to be stuck on one piece of hacking for hours it doesn't feel good you don't feel like you're learning you feel like you're spinning in circles I find that I don't like huge Scopes I like a smaller scope cuz I'm not like a big Recon hacker if you're a big Recon hacker obviously very large scope perfect for you but I like enough scope that I can pivot within the application so multiple functionality I can look at maybe an e-commerce system but there's also a social media aspect or there is also a chatbot access Etc a pro program which has a quick validation time if when we're looking at the actual program we saw an example of this but I want programs that are actually replying to issues I don't really want to wait months for a vulnerability just to go through the process usually the speed is on the program not on BG crowds triage triage tends to be quick but clients can be very very slow hence the request a response a super clear scope policy that you can follow so one thing that makes bug Crow a bit different is that you actually can't export the scope really easily into something like bu so being something that's clear that you can understand that makes sense I think huge Advantage I don't want to be wondering is this going to be considered out of scope because I just won't hack them I just I won't do it I won't bother I won't waste my time if I don't understand the scope page I am out of there and looking at the program statistics kind of understand how many duplicate issues there are how quickly are they actually resolving bugs and trust me guys I know how it feels to find a vulnerability get very excited and then get told it's a duplicate everybody experiences that you are not alone if you have experienced that and that is something that you are getting super frustrated with that's so normal it's so normal so these are my advice largest scope good validation times something you're familiar with or already used so if you don't need to learn the functionality it's a huge Advantage I've literally spent hours looking at trying to understand how an application works from a user perspective let alone from hacking just understanding what how the application is supposed to work in the first Place clear scope makes a lot of sense seems very clear and looking at those program statistics trying to Divine whether or not this is a really responsive program and stuff is actually getting fixed reasonably that's all I've got for you today folks I hope this was really helpful and I hope that this encourages you to get started I will say that I have also had success in choosing a program randomly and and just trying it out I don't think you can really properly game the system sometimes you get lucky and sometimes you don't now these are great ways to maybe tip the scales in your favor but when you find your first bug and your first few bugs just in general there is a luck Factor the more experienced you get the less of the luck Factor there is because as you get more experienced you'll develop your intuition but also your like actual knowledge of vulnerability ities as well but saying that I know this is something that a lot of people wonder about and especially because my previous video was like a different platform maybe this gives you insights on another one so I hope you found that helpful and I will see you guys in the next video bye everyone
2023-11-30 09:01
