I have a pretty sweet job. I get to read bug bounty submissions that blow my mind. I spend a considerable amount of time each day gathering my jaw from my office desk after reading about some face-melter P1s. As you probably know, Bugcrowd works with many of the world’s largest companies, so here’s some food for thought: at some point I’ve probably validated a bug that could expose your personal information. It’s a good thing that it was reported by an ethical hacker, not exploited by a criminal!
There are many Bugcrowd researchers who have big brains. Bugcrowd’s big brains are brilliant at bringing the bugs™. The problem is, most of the time, we’re not really able to talk about those bugs in detail because, y’know, it’s illegal or something. What we can do though, is comment on more general hacking trends and techniques that we are seeing. So that’s what I’m going to do in this blog. Hopefully it will help to guide you in deciding where to focus your hunting!
I’m sorry about the first one; it’s a boring one, but it is necessary and accurate.
Okay, okay! I get it. You came here for shiny new hacking techniques and I’m throwing you the same old stuff that has been around for decades. This isn’t exactly earth-shattering information, but hopefully it will be a nice reaffirmation for some of you. Most of the valid bugs I see today are still textbook examples of the OWASP top 10. Most notably:
- Cross-Site Scripting
- SQL injection
- Insecure implementations of various authentication flows (*cough* OAuth)
- Sensitive data exposures (secret keys in client-side code, open /.git/ repositories, etc.)
- Open redirects that steal sensitive tokens
- Access control issues (IDORs)
The Best Bugs are Business Logic Bugs
I’m unsure if this is an overall trend or just the bugs I’ve seen, but a good portion of the P1s recently have been business logic bugs. They’re difficult to put into a category because they are often unique to the operation of that particular application. Some fictitious examples may include:
- In an e-commerce application, you can purchase gift cards with a discount code recursively, effectively creating infinite money.
- Bypassing identity verification by simply skipping steps in an onboarding process.
- Spoofing the source of automated account altering requests to update someone else’s account.
- Getting premium features of an application without paying by altering a server response to imitate a successful payment.
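Two of the fictitious cases above, the gift card money loop and the faked payment success, modelled as an added example (this is not code from the post or from any Bugcrowd program). Each flawed server-side handler sits beside a hardened one; the catalogue, promo code, account model, payment ledger and the `run_money_loop` harness are all constructed names and values.

```python
from dataclasses import dataclass, field

CATALOGUE = {"GIFTCARD": 100, "TSHIRT": 30}   # constructed SKUs and prices
CASH_EQUIVALENT = {"GIFTCARD"}                # products that are really money
DISCOUNT_CODES = {"HALFOFF": 0.5}             # constructed promo code
PREMIUM_PRICE = 999                           # constructed price in cents


class LogicError(Exception):
    """Raised when a request violates a business rule."""


@dataclass
class Account:
    cash: int = 0                      # external funds (constructed)
    credit: int = 0                    # store credit loaded from gift cards
    redeemed: set = field(default_factory=set)


def _charge(acct, amount, pay_with_credit):
    wallet = "credit" if pay_with_credit else "cash"
    if getattr(acct, wallet) < amount:
        raise LogicError("insufficient funds")
    setattr(acct, wallet, getattr(acct, wallet) - amount)


def purchase_naive(acct, sku, code=None, pay_with_credit=False):
    """Vulnerable: the code is reusable, discounts gift cards, and store credit
    can buy more store credit, so every GIFTCARD+HALFOFF round nets +50."""
    price = CATALOGUE[sku]
    if code in DISCOUNT_CODES:
        price = int(price * (1 - DISCOUNT_CODES[code]))
    _charge(acct, price, pay_with_credit)
    if sku in CASH_EQUIVALENT:
        acct.credit += CATALOGUE[sku]
    return price


def purchase_hardened(acct, sku, code=None, pay_with_credit=False):
    """Fixed: credit never buys cash equivalents, promo codes never discount
    them, and a code is burned per account the first time it is applied."""
    price = CATALOGUE[sku]
    if pay_with_credit and sku in CASH_EQUIVALENT:
        raise LogicError("store credit cannot buy store credit")
    if code is not None:
        if sku in CASH_EQUIVALENT:
            raise LogicError("promo codes do not apply to gift cards")
        if code not in DISCOUNT_CODES or code in acct.redeemed:
            raise LogicError("invalid or already redeemed code")
        price = int(price * (1 - DISCOUNT_CODES[code]))
        acct.redeemed.add(code)
    _charge(acct, price, pay_with_credit)
    if sku in CASH_EQUIVALENT:
        acct.credit += CATALOGUE[sku]
    return price


def run_money_loop(handler, rounds):
    """Buy one discounted card with cash, then keep buying cards with the
    credit they load. Returns (cash + credit, first rule violated or None)."""
    acct = Account(cash=50)
    try:
        handler(acct, "GIFTCARD", code="HALFOFF")
        for _ in range(rounds - 1):
            handler(acct, "GIFTCARD", code="HALFOFF", pay_with_credit=True)
    except LogicError as err:
        return acct.cash + acct.credit, str(err)
    return acct.cash + acct.credit, None


# Ledger written only by the payment provider's server-to-server callback,
# never by the browser (constructed records).
PAYMENT_LEDGER = {
    "pay_001": {"account": "alice", "amount": 999, "status": "succeeded", "consumed": False},
    "pay_002": {"account": "alice", "amount": 999, "status": "failed", "consumed": False},
}


def upgrade_naive(acct_id, request):
    """Vulnerable: trusts the payment status the client relays, so a tampered
    'success' unlocks premium without any payment having happened."""
    return request.get("payment_status") == "success"


def upgrade_hardened(acct_id, request):
    """Fixed: the client only names a payment id; status, amount and owner
    come from the ledger, and each id unlocks premium at most once."""
    rec = PAYMENT_LEDGER.get(request.get("payment_id"))
    if rec is None or rec["consumed"]:
        return False
    if rec["account"] != acct_id or rec["status"] != "succeeded":
        return False
    if rec["amount"] < PREMIUM_PRICE:
        return False
    rec["consumed"] = True
    return True
```

Running `run_money_loop(purchase_naive, 3)` starts with 50 in cash and ends with 200 in store credit, which is the "infinite money" pattern; the hardened handler rejects the very first discounted gift card. The payment case shows the general rule behind the fourth bullet: a client may name a payment, but every fact about it (who paid, how much, whether it succeeded, whether it was already used) must come from a server-side record.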
These bugs tend to be custom to the features of that particular application, so they are not possible to discover with automation. For this reason, fewer people are looking for them and I am constantly blown away by these types of bugs being found in cornerstone applications of very large companies with older bounty programs.
Subdomain Takeovers are Still a Thing
I still see subdomain takeovers being reported every day. The most effective way (and perhaps the only way) to find them today is to have fast, scalable automation infrastructure that is scanning constantly.
Many of the most profitable subdomain takeover methods are not listed in public sources, or are at least not widely known, and require custom tooling. I would recommend analyzing popular services and the DNS records of your targets and building out techniques to better identify takeover opportunities to maximize your income if you wish to hunt this bug class. This leads into the next section nicely!
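From the defending side, the precondition for every takeover in this class is a CNAME in your own zone whose target no longer resolves. The following is an added example of auditing a zone export for such dangling records; it is not tooling from the post or from Bugcrowd. The zone lines, the provider-suffix table and the `fake_resolves` stand-in are constructed; in a real audit you would replace `fake_resolves` with a live lookup (for example dnspython's `dns.resolver.resolve`) and put your own providers in the table.

```python
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

# Constructed zone export in BIND-style "name TTL IN TYPE rdata" form.
ZONE_EXPORT = """
; constructed sample zone for the audit
shop.example.com.     300 IN CNAME shop-prod.examplecdn.net.
old-blog.example.com. 300 IN CNAME old-blog.example-pages.net.
www.example.com.      300 IN A     203.0.113.10
staging.example.com.  300 IN CNAME staging-app.example-paas.net.
"""


def parse_zone(text):
    """Parse one-record-per-line zone text into Record tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {raw!r}")
        name, ttl, rtype, rdata = m.groups()
        records.append(Record(name.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records


# Constructed suffix -> service label table; replace with the third-party
# services your own zone actually points at so findings can be routed to
# whoever owns that integration.
MANAGED_SUFFIXES = {
    ".examplecdn.net.": "example-cdn",
    ".example-pages.net.": "example-pages",
    ".example-paas.net.": "example-paas",
}


def service_for(target):
    """Label the managed service a CNAME target belongs to, if known."""
    for suffix, label in MANAGED_SUFFIXES.items():
        if target.endswith(suffix):
            return label
    return None


def find_dangling_cnames(records, resolves):
    """Return (name, target, service) for every CNAME whose target does not
    resolve. `resolves` is injected so the audit can be tested offline."""
    findings = []
    for r in records:
        if r.rtype == "CNAME" and not resolves(r.rdata):
            findings.append((r.name, r.rdata, service_for(r.rdata)))
    return findings


# Constructed stand-in for a live resolver: only these targets "exist".
KNOWN_LIVE = {"shop-prod.examplecdn.net.", "staging-app.example-paas.net."}


def fake_resolves(name):
    return name in KNOWN_LIVE


if __name__ == "__main__":
    for name, target, svc in find_dangling_cnames(parse_zone(ZONE_EXPORT), fake_resolves):
        print(f"DANGLING {name} -> {target} ({svc or 'unknown service'})")
```

The fix for each finding is to delete the record or reclaim the target at the provider; running this on every zone change, rather than once, is what closes the window that constant external scanning is looking for.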
Niches are Key – Research Pays Off
It is apparent that many of our top researchers have spent a lot of time and energy learning the ins and outs of popular services and technologies to uncover common misconfigurations with security consequences. If you happen to notice that there is a common misconfiguration with a popular service that others are not looking for, you may be able to discover this same issue across many programs. These misconfigurations may include:
- Misconfigured permissions allowing public exposure of sensitive information.
- Publicly accessible files that are meant to be deleted before deployment. Sometimes these allow you to access sensitive information or perform administrative actions.
- Reversing CVEs that don’t have public exploit code.
Ditch the Dupes!
So we’ve talked about what you should be hunting for, now I want to talk about what you shouldn’t be hunting for (if you want to maximize your bounty profits).
There are certain classes of issues that exist and are easy to find, but they’re nearly always duplicates unless the program has very recently opened. For example:
- Lack of session expiry
If you’re hunting these, I’d encourage you to look outwards into more impactful bug classes. Although these are often suggested as good places to begin, you should branch out from these as quickly as possible if your goal is to be an impactful researcher and/or earn money. Exploring outside of these classes leads to more opportunities and invites quickly, and remaining in these areas will severely limit your hunting opportunities.
If you have any questions about this article, feel free to contact Bugcrowd at firstname.lastname@example.org. If you want to get in touch with hakluke (the author) directly, you can find him on Twitter (https://twitter.com/hakluke), YouTube (https://youtube.com/hakluke) and Instagram @hakluke_!