Bug Bounty Recon (bbrecon) is a Recon-as-a-Service for bug bounty hunters and security researchers. These are the kinds of questions I try to answer when I first interact with a web application. Finally, I will evaluate this bug bounty methodology by enumerating its pros and cons so that you know exactly what to expect from it. Hello Folks, I am Sanyam Chawla (@infosecsanyam). I hope your hunting is going very well. On HackerOne, where I primarily hunt for bugs, I choose a program based on key metrics shown to me during the invitation process. You can use CeWL for that: CeWL is a Custom Word List Generator (GitHub Link). After having assembled a huge list of subdomains, URLs, and parameters, we now want to filter them and remove duplicates. It doesn't cover the road less traveled: because I'm using well-known tools with the default options, without any great deal of deep digging, I don't expect to stumble upon a hidden asset or a less traveled road. I can only recommend watching his video together with @Nahamsec where he shares some insights. Be creative when it comes to keywords and use their search! This tells me whether I should spend some time on low-hanging fruit or dig deeper during my testing, because, unless there are new assets, most of the easy bugs would have already been found in an old program. Mining information about the domains, email servers and social network connections. Designed as a passive framework to be useful for bug bounties and safe for penetration testing (GitHub Link). Finally, the time comes for actually engaging with the web application and looking for security bugs. The following illustration might look a bit confusing, but I try to explain a lot of the steps in this post: basically, we want to identify as many endpoints as possible, sort and filter them, scan them automatically and perform manual assessments where applicable - easy, right? In my opinion, good recon is essential.
Use BurpSuite's passive scans: It makes total sense to "import" as many URLs as possible into BurpSuite. Thinking outside the box or trying a different approach could be the defining factor in finding that one juicy bug! David @slashcrypto, 19. In this phase, my bug bounty methodology consists of enumerating as much as possible to draw the largest attack surface possible. There are still "easy wins" out there which can be found if you have a good strategy when it comes to reconnaissance. In general, you don't need to run certain tools to be successful, and most of this methodology will be very manual-testing oriented. Use GitHub search and other search engines: The tool subfinder (see above) already provides the possibility to use search engines for subdomain enumeration, but it does not support GitHub. Make sure you check GitHub - type in the domain of the company and manually look through the code results. It comes with an ergonomic CLI and Python library. If you quit before this phase and jump to another asset or another totally different program, you will have lost all the time you have invested learning how the application works. I always filter for URLs returning JavaScript files and I save them in an extra file for later. We are a team of security enthusiasts based in Austria that want to make the Internet a better and safer place. For instance, I always look for file uploads, data export, rich text editors, etc. Yes, absolutely, I am doing bug bounty part-time because I am working as a Security Consultant at Penetolabs Pvt Ltd (Chennai). If I don't find one, I might repeat my previous steps with deeper enumeration. GetAllUrls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. GetAllUrls (gau): We already covered gau above.
Anyway, let's assume you have received some private invitations. Then, I will dive into how I enumerate the assets. Methodology. By now, I am comfortable navigating around and using the application normally; I understand most features. When doing DNS permutations using various tools, not all of them check if the outcome actually resolves to an IP address. Find all JS files: JavaScript files are always worth having a look at. Mapping the application features. Helping people become better ethical hackers. Bug Bounty Methodology (TTP - Tactics, Techniques and Procedures) V 2.0. For web fuzzing, you need good wordlists. Then, I make sure to visit every tab, click on every link, fill up every form. Does it use a front-end framework? In this write-up I am going to describe the path I walked through bug hunting from the beginner level. I'd love to hear your thoughts and opinions on this bug bounty methodology. I found many hidden endpoints, cross-site scripting and broken access control vulnerabilities this way. You must reduce the time between your first interaction with the program and this phase. Use certificate transparency logs: crt.sh provides a PostgreSQL interface to their data. This list is maintained as part of the Disclose.io Safe Harbor project. GoSpider: A fast web spider written in Go (GitHub Link). Arjun: Web applications use parameters (or queries) to accept user input. GitHub Recon: GitHub is a goldmine - @Th3g3nt3lman mastered it to find secrets on GitHub. On the one hand, I will be able to quickly spot any visual deviation from the common user interface. Because this is my first interaction with the target, I feel it's a bit early to perform a heavy enumeration. The fastest way to resolve thousands of (sub)domains is massdns.
Public bug bounty list: The most comprehensive, up-to-date crowdsourced list of bug bounty and security disclosure programs from across the web, curated by the hacker community. There you have it! If I spot a user interface of common software such as monitoring tools or known content management systems, I would target them first. You can use default wordlists provided by DirBuster, or special wordlists from the SecLists repository. I tend to choose the one which deviates from the herd. Choose a Program; Recon; Bug Classes. httprobe: Take a list of domains and probe for working HTTP and HTTPS servers (GitHub Link). A great write-up about static JavaScript analysis can be found here: Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters. Linkfinder: A Python script that finds endpoints in JavaScript files (GitHub Link). The easiest active way to discover URLs and corresponding parameters on the target is to crawl the site. Below is a summary of my reconnaissance workflow. massdns: A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) (GitHub Link). Bug bounty reports that stand out, how to write one? Shubham Nagdive - July 8, 2020. Make sure to test our tool - it's completely free for 4 weeks! Check their GitHub company profile, filter for languages and start searching: within the results check the Repositories, Code, Commits and Issues. Alright, now that I have chosen the bug bounty program, how do I approach it? Bug bounty forum - A list of helpful resources that may help you to escalate vulnerabilities. I had to work on public programs which were tough to crack. Recon. From there, I will explain how I pick a web application and how I test it. More details about the workflow and example commands can be found on the recon page.
Environment; Learning; Jason Haddix 15 Minute Assessment; Recon Workflow. The command is straightforward: you just provide your in-scope wildcard domain name. It strings together several proven bug bounty tools (subfinder, amass, nuclei, httprobe) in order to give you a solid profile of the domain you are hacking. In short, I see what the average time to resolve a security issue is. The Mindmaps for Recon and Bug Bounty section will cover the approach and methodology towards the target for pentesting and bug bounty. Last time, I showed you the best resources I use to stay up to date in bug bounty hunting. How to "import"? If all the previous metrics look good to me, I still have to check if the company's business matches my values. Hi, I am Shankar R (@trapp3r_hat) from Tirunelveli (India). I hope you are all doing good. For now, all I'm interested in are ports 80 and 443. If there is a signup feature, I create a user and I log in. These are ports greater than 1024. Lastly, I run aquatone to screenshot the list of live web applications. What bug bounty platform do I pick? It's always tempting to switch between my web browser and Burp, but I find it distracting. First, I will show how I choose a bug bounty program. Go ahead! In this case, I look online for any available exploits. The Bug Hunter's Methodology (TBHM) Welcome! Make sure you have a plan and document everything you found; you will probably need it later. The thing I love about this tool is that it's blazingly fast! If you haven't done it yet, then you're probably starting your bug bounty hunting journey on the wrong foot. Then, I'd use tools like OWASP amass and brute force the subdomains using the wordlist I constructed. @bugbountyforum. Are there any resources referenced using numerical identifiers? Just another Recon Guide for Pentesters and Bug Bounty Hunters. Join Jason Haddix for his talk "Bug Bounty Hunter Methodology v3", plus the announcement of Bugcrowd University!
tips; tricks; tools; data analysis; and notes related to web application security assessments and more specifically towards bug hunting in bug bounties. On the other hand, I like to increase my success rate by brute-forcing with a custom wordlist tailored just for this domain. Usually, you won't find easy bugs with it. For example, I would prefer wildcard domains over a single web application. Having a clear idea of the architecture and the defense mechanisms helps me make a better plan of attack. In other words, I look for API endpoints in JavaScript files using the naming convention of the endpoints I have in Burp. That's ok for me at this stage because this is my first interaction with the program. We want to find as many parameters as possible which we can later scan or review manually. You already know that information gathering is the most important aspect of hacking; the same applies to bug bounty. But for me, I do recon until I understand the application or find something interesting. Otherwise, you will be wasting your time doing only recon. Code is the biggest one, where you will probably find the most. Bug Bounty Recon: Faster Port Scan. Most bug hunters follow different methods to perform bug bounty recon. It starts with enumerating subdomains of the target scope and scanning them for common misconfigurations and vulnerabilities, but what most of the methodologies lack is the ability to perform port scans faster. If you've seen my previous episodes, you have probably earned your first 26 points on Hacker101 by now and got your first private invite from a bug bounty program. Bug Bounty Forum: Join the group. Join the public Facebook group. Everyone has different goals, styles, and preferences when it comes to bug bounty, and methodologies cannot be one-size-fits-all for everyone. Rohan will share his recon methodology, and some stories, which led him to turn from pentester to full-time bug bounty hunter. Well, you need a plan.
Recon only serves to help you find a target where you can apply your main methodology. Subdomain Recon Method: Bug Hunting. qsreplace: Removes duplicate URLs and parameter combinations (GitHub Link). We can use the following tool to find potentially interesting URLs: gf: A wrapper around grep to avoid typing common patterns. There are two reasons I do that. Therefore, I cut through all of the nonsense and show you how I use my knowledge, skills, and mine and other people's tools for security research and bug bounty hunting. If the program takes a lot of time to resolve security issues, it means that there is a higher chance of getting duplicates. If yes, is there any protection against IDOR vulnerabilities? I hope you found this episode helpful. Does the application use any API? This bug bounty methodology is powerful in many ways.