Bug Bounty Hunting Tips and Tricks
Since some people have shown interest when I posted things related to web app security, I thought we could maintain a thread with tips that could help people find vulnerabilities, and learn how to protect their apps from them.
I gave one tip yesterday on how I bypassed a restrictive CSP thanks to YouTube to trigger client code execution. https://lowendtalk.com/discussion/comment/3981259#Comment_3981259
Then just a few minutes ago I mentioned in another thread how I escalated a Local File Inclusion vulnerability to not only view sensitive files, but also trigger RCE. https://lowendtalk.com/discussion/comment/3981922#Comment_3981922
What do you think? Would it be a nice idea to keep a thread where we collect this kind of information? Of course, if we keep it, I expect others to contribute as well.


Comments
Very small number of active, registered members interested in secops. Do not waste your time and work for free for bilou by increasing SEO. We all know Krebs, BleepingComputer etc. Thanks for the initiative.
Yes, I like this thread. I do not know how much I can contribute.
If web-app bug hunting is something you're passionate about, you could even start your own forum. Put the link in your signature and anyone interested will click. Use Vanilla Forums of course.
Would be better if it is posted in a blog and organized over here. Here it will just get lost among threads.
I have found lots of bugs on many sites, like XSS, SQL, or authentication bypassing. I usually send an email to the owner and ask for donations. Unfortunately, I never received any reply 🤣. All of the owners seem careless about these bugs. Thus, I lost interest. I still have interest, so I am curious to know where you post these bugs or how you report them to the owner. To be honest, I never received a reply from any owner over email. I never hunt on the popular sites that are available on HackerOne, though. I believe it's a waste of time.
I see from some comments that perhaps there is no point to continue this thread after all.
What you said you have done is extremely unprofessional and I am not surprised that nobody ever replied to your emails. Unsolicited testing for security bugs is almost never welcomed by any company and you need to be very careful with this, because chances are that one day someone might start legal action against you or otherwise contact the authorities and try to find out who you are, etc.
You should never, ever test a website or anything else for security bugs without the explicit consent of the owner. I hope this is clear and that you keep it in mind in the future.
The only responsible and ethical way of testing an app for security bugs is with permission. The easiest way to do this is by using a bug bounty platform like HackerOne or Bugcrowd, which are the biggest ones, or other platforms like Intigriti and YesWeHack. They all work more or less the same way and you can hack on those programs safely knowing that you have their permission. And even with permission, you still need to be careful and follow their policies (e.g. rate limit your requests, don't use automated scanners which may perform destructive actions, and things like that).
This is the way it should be done and the way I do it. Once you gain some good reputation from some particularly good reports, you can start receiving invites to hack on private programs too, which have fewer eyeballs testing them and therefore you may have more chances to find something compared to public programs which have a lot of hackers looking at them and thus more competition.
I usually spend quite some time producing very good reports (definitely above the quality of most reports, I believe) with all the relevant information, steps, video demo and PoC, and very often, since I am also a developer, I also build apps to automate the attacks so they are more easily reproducible and demonstrate the impact more effectively.
Since I do things properly I receive several invites to private programs basically each week, and I have many private programs I have already been invited to where I haven't even had the time to start hacking on them yet.
Please, to whomever is looking to start with bug bounties: do it properly and ethically, definitely don't do what @jobayer described.
Ughhh please ignore the sour grapes and keep posting.
There is bug bounty and then there is beg bounty.
@jobayer I have to agree with @vitobotta that this asking-for-donations approach is super risky. Personally I don't think it's (morally) wrong or anything, but it's just seriously easy to construe extortion from this and go after you (on top of all the other information technology laws that might or might not have been broken in the process). Certainly not something to be done without a lot of thought in regards to the ifs and whens. How far this is actually even worth it if money is the objective is another question anyway. I don't think a lot of people not offering bounties to begin with are going to suddenly whip out cash. Quite the contrary, a lot of them will view you as a criminal and your actions as hostile even if you didn't do fuck all, let alone anything destructive, and basically saved them from running into some less pleasant internet individual (yeah, sense... there isn't any, but it's just how people click).
In my opinion one should just assume that random poking around is probably not going to have some kind of payoff, unless payoff means having some fun or there's some kind of black market value to the hypothetical exploit found this way, which is not exactly cool in my book (if one's not going to go full-on white hat, stuff is better just kept private), but then it's also kinda hard to blame some poor nerd for taking a stack of coins that gets dangled in front of their nose. I'll just hope the person in question realizes what they are doing certainly isn't some kind of game but very, very serious, and a couple of lousy dollars might not really be worth getting involved with it.
I pretty much miss the days when finding exploits was basically all about the exploration, having some fun, impressing your peers and maybe a tiny bit of creative chaos here or there. That whole approach made everything really simple since once money enters the picture it either basically becomes work or gets poisoned by seriousness (exceptions obviously exist).
I disagree. I think there is a lot wrong in testing third party apps for security bugs without permission. I like the word "ethical" in "ethical hacker" in my job title and description on LinkedIn because it means a lot to me.
Perhaps the reason why it means a lot to me is that when I was younger I started in the worst possible ways.
First, I spent most of my teenage years writing malware for DOS and then Windows (some of my "creations" spread worldwide) to cause harm to people, because at the time I was extremely stupid and these things somehow were "fun" for me. Then I started to hack on things to gain stuff illegally because I had bad company that was basically using me and having a very bad influence on me.
I am happy to have met someone who made me understand that what I was doing was wrong in all possible ways and made me change attitude completely. At the time I hacked into a famous research center in Europe and risked big trouble, but that person helped me.
That person is no longer with us unfortunately but that process still means a lot for me.
Since then I have only been doing this kind of work totally legally with bug bounties/pentests. I still have a lot of fun, and the money I make this way is totally clean, like my conscience.
Yes, you're right. When I was a kid, I did these things without thinking much. Now I don't do it anymore. I stopped everything related to hacking 12–14 years ago. My intentions were good; if they pay, okay; if not, at least they will solve the issue after checking the report. During that time, I hacked into a local banking system and mistakenly did something horrible. Later, I felt guilty. Though it was not intentional, I finally contacted them directly to solve it, and they solved it. But later, I realized they could have punished me then instead of solving it, though it helped them a lot and didn't cause any harm to their system. However, they thanked me, and I moved on, finished my studies, opened four different companies one after another, and never looked back. As you have opened the thread, it has drawn my attention and made me interested in learning about things. Anyway, thanks for the advice. I will never do anything related to hacking in the future. Even if I do, I will definitely follow your advice.
Well, I predate the whole ethical label too. Never been much of a problem for me. Sure, times have changed and things became way more serious, but it doesn't really bother me much, since even if I got back into it the fun wouldn't come back anyway (for me), as the whole surrounding landscape simply doesn't exist anymore. Looking back I'm morally at peace with myself though. Sure, I've seen others fuck themselves royally (raids and all that fun stuff), but they usually brought it upon themselves by getting greedy or evil (not saying that there's some kind of karma involved or anything, but if some person keeps asking for it long enough...).
Well, the only thing my virii destroyed was my own hard disk, and after that I got bored with the chapter pretty quickly. Annoying people online proved to be more fun anyway. Sure, saying every second person you'd meet was involved in some kind of fraud (even if just to get online) might have been an understatement, but it was up to every person themselves what they'd think to be morally justifiable and of manageable risk. I think I have a somewhat vivid idea what you mean by the last part. Well, it's all about the details, the risk and keeping things fun. I can very much see how stuff like that might have been a big temptation, which spiraled out of control pretty quickly though.
If I were an asshole I'd ask why your connection was traceable, but then it was innocent times back then and everyone got careless once in a while. Beyond that it's the risk/fun factor again, I guess, with fun obviously being a pretty subjective thing, so that's only saying so much.
I guess I can see where you are coming from. We are basically looking at the topic from very different angles though. To me messing with IT stuff has always just been good fun, even if there's quite a bit that I wouldn't repeat in 2024 (if it even were possible). I'm not saying that I never drew the short straw either, but oh well, it's been nothing really disastrous. I'm also not sure what time frame you are looking back at. For me it's the 90's to early 2000's. Things changed pretty quickly from there on, so that might make quite a bit of a difference too.
Yeah, I'm not saying that way isn't fun too, and like I've said above, fun is subjective anyway. To me a research facility probably wouldn't have been even half as tempting as to your earlier self, since what am I going to do with the data? Sure, I could read it and feel a bit like James Bond, but that's not all that funny to me. I'm by heart mostly just a troll and a silly child after all.
I have never been traced or caught or anything because of a technical mistake.
It all escalated from a Server Side Request Forgery (SSRF) where I was able to add my SSH key to one server thanks to AWS' metadata API, and from that server I found credentials for other servers, and could access a lot of stuff in their network, including databases and network shares with a lot of research material etc. etc. You may perhaps guess which research center it was.
At first, I was cautious and since I didn't have permission for anything I used the printers in their network to print a page with information on what I found.
But a couple of months later I checked and nothing had been fixed, so perhaps something went wrong when I printed that page or something. So, because I was stupid, I thought I'd contact them formally with my email and my name, thinking that they might appreciate it and would give me a reward if I helped them fix the issues.
Boy, was I wrong. Since they had my real name they contacted the authorities, and the only reason I didn't end up in jail is one person that worked there and knew me indirectly (long story) and helped me resolve the situation. He managed to convince the head of the research center not to prosecute if I helped their IT team fix the issues, which I did, and all was good after that.
So it was not due to a technical mistake; it was because I was stupid in a different way. I also had problems with my wife over that episode, and I also had to promise her that I would never do anything anymore without explicit consent, so I started with bounties.
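The chain in the post above started with an SSRF that reached the cloud instance metadata endpoint. The following is an added example (not code from the thread or any poster) of the server-side control that stops that first step: a validator for user-supplied URLs that resolves the host and rejects anything landing on loopback, private, or link-local ranges, including 169.254.169.254 and its IPv4-mapped IPv6 spelling. The deny-list and the injectable resolver are this example's own choices.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an outbound "fetch this URL for me" feature should never reach.
# 169.254.0.0/16 is link-local and contains the AWS instance metadata
# endpoint (169.254.169.254), the address abused in the SSRF described above.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def address_is_blocked(addr):
    """True if the address string lies in a blocked range.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so it cannot slip past."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def ssrf_safe_target(url, resolver=default_resolver):
    """Return (ok, reason). Only http(s) URLs whose host resolves exclusively
    to non-blocked addresses are accepted; every resolved address is checked,
    so a name with one public and one internal record is still rejected."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: check what it actually maps to
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if address_is_blocked(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"
```

The check must run on the address the fetch will actually use (and ideally again at connect time), since validating only the hostname leaves DNS rebinding open; on the cloud side, requiring IMDSv2 tokens removes the plain GET that a basic SSRF can issue.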
I see, so basically well-intended white knighting that backfired horribly. Yeah, people oftentimes aren't very appreciative that one didn't just rm -rf /* everything for the lols but actually tried to help them. I can see how it's probably pretty shocking having to learn this the (extra) hard way. Well, like I've said, even if it would have been, it wouldn't really be exactly bad or anything. Early on there were so many flimsy protection schemes that just worked by the inherent dysfunctionality of communication technology/businesses/bureaucracy as a whole that pointing fingers over something like this would be kinda silly.
Sure, why not. If one mostly likes the challenge, it's probably a pretty nice hobby with good money opportunities these days.
Latest critical finding: I was able to corrupt other people's votes in the e-voting system for an EU country 🤣
Reward is only $2K as this program doesn't pay much, but it took me 5-6 hours to find the issue, so not too bad.
Yeah, voting integrity isn't much of a big deal after all, isn't it?
Exactly, it's ridiculous. At least this program pays something. Most programs run by governments are VDPs (Vulnerability Disclosure Program) that don't pay any bounties.
Orion Hunter ??
https://hackerone.com/coinbase/hacktivity?type=team
Half a million for a vuln is a dream
I am far from that kind of bounties because I know close to nothing about cryptocurrencies, so I work on web apps and the payouts are much smaller typically.
But I can't complain. Since yesterday I have found 5 bugs in less than 48 hours.
maybe paul le roux can help