Scribd
Upload
357 views1 page

How To Do Bug Bounty

The document provides tips for finding bug bounties, including gathering target information, using Google dorks, checking the robots.txt file, using tools to find subdomains and vulnerabilities, testing for vulnerabilities like XSS, and learning from write-ups and practice sites.

Uploaded by

bxx31426
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
357 views1 page

How To Do Bug Bounty

The document provides tips for finding bug bounties, including gathering target information, using Google dorks, checking the robots.txt file, using tools to find subdomains and vulnerabilities, testing for vulnerabilities like XSS, and learning from write-ups and practice sites.

Uploaded by

bxx31426
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

FA(+*%+*1AA U(.*&.1<.

()

!"#$%&'()*%+ ,-&.(/*0(12+(&&

3%4'1($*3(1)( 56$$67

5(#*89 : ;*/%+*<(1) : =%&.(+

,1>(

!"#$%"$&'(%$)"*$+',
+"'(%-./

The first step when looking for bug bounties


is to get to know the target.

Here are some of the type of information


that should be gathered on your target:

create a list of all the subdomains & IPs


that belong to the target

Find information about the type of


software & services the site uses.

Do they have a GitHub Account?

Check the robots.txt file

Does the site have any input forms, any


parameters in the URLS?

0/-(,$/.1*2&$.(,-(./$%"$3"$*.2"(
Sometimes search engines will crawl
websites and index pages that have sensitive
information or pages. Google Dorking is
when you use specific queries to narrow
down the results to exactly what you are
looking for. Dorks can be used to search for
certain files, strings, titles, web pages, etc.

Exploit Db is a site where people can submit


dorks, dorks that were submitted on the site
could be used or modified to help find
information about the site that you want to
target.

Google dorking is not just useful for


hacking, but it can also be used in regular
searches. For example lets say that we are
targeting the site mcdonalds.com . We want

to find out all the sites that Google has


indexed we could use the following dork to
find all the results for mcdonalds.com.

site: mcdonalds.com

The dork above will tell the search engine


that we want all the sites that have
“mcdonalds.com”.

The intitle dork seen below will tell the


search engine to look for all the results that
include “Index of” in the title.

?@1/A$(*6B*%+.%.$(*)6<2

The image above shows the intitle dork in


action. We used the dork to find websites
that have a title of “Index of”.

The intext operator can be used to find


pages that contain certain words. In the case
of the image above, we told the search
engine to look for any results from
lowes.com that contain the text “password”

Most operators ( intitle, site, intext) can be


combined with other operators to narrow
down the results even more.

Google Dorks can can be used to find api


key or other sensitive information that could
aid you finding a vulnerability. When
dorking, you do not need to use Google,
other search engines can be used as well. All
search engines are different and will
probably return different pages.

4&.25-(,$%&.$*"+"%/6%7%$)-8.$)"*$/.(/-%-9.
3-*.2%"*-./
Most sites will have a robots.txt file, the
purpose of this file is to tell web crawlers
what they are allowed to crawl and what
they are not allowed to crawl. It is up to the
crawler creator to honor the robots.txt file.

Robots.txt file can be a great way to see


where any sensitive directories or file are on
the site.

(@1/A$(*6B*1*<6#6.&C.@.*B%$(C

The image above shows that usa.gov does


not want crawlers to crawl the /includes/

directory.

:-(3-(,$/'+3";1-(/
There are many hacking tools that can be
used to find subdomain. One of my personal
favorite tool is subdomain3.

Sublist3r

Turbolist3r

Subfinder

Knock

sonarbyte

Sudomy

When looking for subdomains it is a good


idea to use a couple of different subdomain
enumerate tools because they might use
different methods of getting subdomains.
One possible way that a tool might look for a
subdomain is to run through a list of
popular subdomains that will check to see if
the subdomain is valid. Another way is
using DNS records to check to see if any
subdomains can be found in the DNS
records.

Now that we have a list of subdomains, we


have widen our net. We could use the
following tools to check to see if any of the
subdomains are vulnerable to subdomain
takeovers. Subdomains takeover usually
happen because the subdomain has a
CNAME in the DNS records but no host that
is providing contents.

https://github.com/m4ll0k/takeover

https://github.com/EdOverflow/can-i-
take-over-xyz

https://github.com/LukaSikic/subzy

Dangling DNS records are when a host


name is still tied to a DNS record but the
hostname is not owned by the original user.
A malicious user could create an AWS
account and instance with the host name of
the old server. Now all the traffic will be
routed to the malicious server where they
could carry out a bunch of different attacks.
I created a list of some tools that can check
to see if the server is vulnerable.

https://github.com/tacticaljmp/danglin
gaws

https://github.com/In3tinct/Taken

Hacking tools such as the ones listed above


are cool and might work good, but
sometimes you have to manually look for
vulnerabilities in order to find one. It is a
good idea to get familiar with how
vulnerabilities work instead of relying on
hacking tool to do the heavy lifting.

<""3$"8.$=;1>
Nmap is great scanning tool, it can be used
in a bunch of different ways. Such as:

Looking for services running on non


standard ports

Determining what services are running


on a host

Has a wide selection of NSE scripts

It has Firewall Evasion features

Can perform different types of scans (


xmas, fin, connect, idle, udp, etc )

nmap -sV -sC 127.0.0.1

The -sv flag runs service detection scan.


The -sC flag will run all the default NSE
scripts. This might give the scanner more
information about the services that are
hosted on the server.

nmap -p- 127.0.0.1

The nmap command above will scan all


65535 ports.

nmap 192.168.1.1 -A

The -A flag will run Os detection, version


detection, script scanning as well as run a
traceroute.

nmap -Pn --script=dns-brute


example.com

The command above will use dns-brute NSE


script to gather subdomains that might
exists for the domain.

?81@-(,$#-%&$'/.*$-(>'%
The first thing I do when I come across any
input fields is try the payloads listed here.

If that does not work I will enter special


characters at random and see if the website
responded in a certain way or removed
some of the characters.

If I enter characters like the following:

<script></script>

and the website responds but removes


certain characters like this:

<script</script>

I might then try a string like this:

<script>><</script>

With the hopes that the website removes the


first > but keeps the other > . Sometimes
entering random characters and looking at
what the site accepts or keeps can give you a
good idea how they filter out certain
characters. Also it is a good idea to look at
the source code of the page to see if there is
any JavaScript or code that tells you how
they filter out special characters.

URL parameters can also be tested. There


are a bunch of different attack vectors that
could be used such as:

parameter pollution

Sever Side Request Forgery

SQL injection

XSS

Path Traversal

XSRF

A.13$"%&.*$>.">8.B/$C',$C"'(%@$#*-%.$'>/
No one is good at everything, same with bug
Bounties. There is always new stuff to learn.
One of the best ways to learn is to read other
peoples bug bounty reports. Most of
writeups can be found on Medium, some
other good sites that have bug bounty write
ups are:

https://infosecwriteups.com/tagged/bu
g-bounty

https://writeups.io

https://hackernoon.com

https://pentester.land/list-of-bug-
bounty-writeups.html

Another good method of getting Bug bounty


tips is to follow this hashtag on Twitter.

Below is a list of good sites that can help you


learn how certain vulnerabilities work and
allow you to practice hacking them in a safe
environment

https://portswigger.net/web-
security/learning-path

https://ctf.hacker101.com

https://www.hackthebox.com

https://owasp.org/www-
community/attacks

https://www.hacksplaining.com

https://xss-game.appspot.com

https://bughunters.google.com/learn

https://book.hacktricks.xyz/pentesting-
web/web-vulnerabilities-methodology

https://portswigger.net/burp/documen
tation/desktop

https://www.hackerone.com/resources
/e-book/bug-bounty-field-manual

https://www.reddit.com/r/bugbounty

=.9.*$<-9.$'>

When you are starting out, it might takes


months or weeks until you find a bug. But
do not give up! You can learn as you hack
and use the stuff you learned on other bug
bounty programs.

It’s not where you start, it’s where you finish.

My wrestling coach in High School used to


say that quote all the time during practice
and meets. It holds true to almost anything
you do. If you keep hacking away and
learning you will likely become a expert on
the topic. Remember though that no one
can become a expert at everything and
getting a bug bounty will take time and a lot
of effort.

Maybe, spend a whole week targeting a site


with a certain vulnerability, try everything
you can think and then the next week try
looking for a different type of vulnerability.

Use white boards or take notes during the


hunt, that way you can come back to
hacking when you take a break. Also
sometimes if you been working on
something too long you get tunnel vision
and brain. Where the solution might be
right there in front of you but since you too
focus on it you miss it. After a day or two
break come back with fresh eyes and brain
and you might see something or figure it
out.

D88

D88

!"#$%&#"'%()*+$'%,$-./$** 56$$67

,-&.(/*0(12+(&&*%&*1*A"#$%41.%6+*.'1.*&A(4%1$%&(&*%+
A"#$%&'%+E*"A46/%+E*7<%.(<&*%+*4-#(<&(4"<%.-*1+)
(.'%41$*'142%+E*&A14(C*F"<*&(4"<%.-*(@A(<.&*7<%.(*.6
/12(*.'(*4-#(<*"+%>(<&(*/6<(*&(4"<(G*6+(*>"$+(<1#%$%.-
1.*1*.%/(C

H1.I1'*,/%.' : 5(#*89

Q1+Z$0/.*(1;.$.(';.*1%-"($9-1
3-)).*.(%$*./>"(/./

J".'(+.%41.%6+ 9*/%+*<(1)

J<"+*K1+E<1 : 5(#*88

I*2&.%@>.$!125F&.C"7$^
U185%&*"',&

P142.'(#6@ ;*/%+*<(1)

J+2%.1*,%+'1 : 5(#*88

=;1>Z$I$=.%#"*5$G21((.*

Y+B6</1.%6+*U1.'(<%+E X*/%+*<(1)

H1.I1'*,/%.' : 5(#*8D

F*@!125M.$V$!"#$#.+/-%./$#"*5

0(#*,(4"<%.- 9*/%+*<(1)

J+.6+*,"##6.%+*L&21>1+&M : 5(#*8D

U&1%$1($-(_.2%-"($-(%"$_`'.*@W/.8.2%"*$21(
8.13$%"

O"E*O6"+.- 9*/%+*<(1)

N(1)*/6<(*B<6/*,-&.(/*0(12+(&&

0$1"''$/2$2%&#"'%!$234'

O1#-I"+(1

CD=D:EFG$H:$<DFFE=<$I$JK4
LDAE:E4IFEH=$:AHM$NO<0IAP6

P6+6<=1+)

!"("*Q1(3B/$%"5.(
!H=HA$&1/$+..($*.9-.#.3$+@
F"5.(?"25.%$1(3$#.$#-88$+.R
2"((.2%-(,$%"$;"*.R

Q<%&.1+*=1+( %+ 0(#9*!<6B%$(

I$G(.15$?..5$1%$?*")-8.B/$S!$TNTT
A"13;1>

31..*,"%4'( %+ R6/1(*Q(4'+6$6E%(&

U1((14*@$V$F&.$81*,./%$*1(/";W
#1*.$-().2%-"($-($!-/%"*@

K12"#*O1$'1< %+ S67(

G.2'*.$P.9.8">;.(%$?*12%-2./
#-%&-($X"#.

T1"$.,71A

Q-9.$"($F./%(.%Y

UJQ*V(.76<2 %+ UJQ*V(.76<2

<1;.I2.$4&188.(,.Z$U-($<IF
#"*%&$[\NN]Y

W%21%

Q1+Z$0/.*(1;.$.(';.*1%-"($9-1
/'+%8@$3-)).*.(%$*./>"(/./

J#6". P($A Q(</& !<%>14-

5$+%+6$%!$234'%-77

You might also like