Tales from a failed bug hunter …

Hello Friend! (Yes, You who’s reading) this isn’t just typical write-up rather my path towards bug bounty and how it had changed my thoughts on approaching programs. This is going to be long (My apologies) and I hope you will enjoy. Feedback as usual will be always welcomed.

Some spoilers before you continue :

  1. I won’t be disclosing how much bounty I earned from the vulnerabilities found.
  2. The program names won’t be disclosed due to restrictions.

So, a little about myself. I’m Pentester (Usually breaking things for living), working with financial services for more than 6 years. Before InfoSec career I was web application developer & android app developer. Not explaining this as some gateway to InfoSec but trust me this has really helped me getting into Application Security. I always wanted to start bug hunting and getting bounties. However as STÖK once mentioned in one of his Bounty Thursday Series :

Image : STÖK in his one of YT videos

There’s no short-cut to bug bounties, You will always learn if you’re investing great amount of efforts and energy

I regularly follow Stök for his awesome resources when it comes to recap on tools, techniques about bug bounty hunting.

I tried to start Bug Bounty however most of my reports went either duplicate or Won’t fix/NA. This was somehow putting all of my self-confidence down. Imagine more than 10 or 20 of your bugs submitted to programs got turned down and rejected. I really was thinking Bug Bounty isn’t for someone like me and I should just walk away. But Hey, there was more to just duplicates/NA. Again, turned to STÖK videos and he said :

“Celebrate your failures”

Fast Forward to 2019 I was exploring this android application. While browsing through all of the pages/screens of the application I saw this privacy policy page which said :

“We’ve maintain good security measures for our customers”

This was something really fascinating point for me to take a look into the application and validate their claim. I looked into the application and it had some really basic flaws in it. I’ve further discussed this in my DEFCON Red Team Village Talk. So, I went ahead and reported all of these vulnerabilities to the organization. At first, I thought this responsible disclosure will really back fire. However, they were really open to discussion and just because I did reported those vulnerabilities they decided to sign-up for a private program and invite me to participate and hack their app through that platform. For the vulnerabilities identified earlier, I got bounty for that which was an unexpected response. Anyways, I went ahead and hunted on the same platform and guess what, I was able to make good bounties. This is it! I needed this push and positivity and this really inspired me to go ahead and hunt on other platforms. So this was really great beginning of my way into Bug Bounty. From here on-wards, I’ll discuss further about the vulnerabilities I discovered in different programs. For the sake of understanding, I’ll name them in different ways/terminologies

Project One : Know Impact

So this web app had great number of sub domains, assets in their scope. While discovering content on the assets and enumerating sub-domains, I found one having user input where user can somehow perform testing of their content for example where the thumbnail image, Where to place ads, text size etc. While playing with requests (POST requests) I figured out that the application was somehow throwing user-agent values within web app response. I injected some XSS payloads and only reflected ones worked.

So how can you create impact with this vulnerability? Well, that’s what I learnt. The environment was testing, and there was no way of storing values within the app or reuse it somewhere within scoped addresses. I still went ahead with submission and it was reject. Because, there was no impact of exploiting someone’s user-agent value. Accepting the bitter reality which was I messed it up and I could’ve worked more on the platform to use the vulnerability in someway. So My stats for this program was

Accepted : 0
Reported : 1
Duplicate/NA : 1

Project Two : Never Give Up

This web application had already been scrapped off by a lot of new bug hunters with 90 reports submitted and 20 were validated. Chances were of my reports getting shot down as Duplicate or Not applicable, However to my intuition I just started it and recon the application as per my methodology. In fact, my recon process is not some secret way of earning great bounties rather registering the application and reviewing it as an authenticated user and an unauthenticated user. So, I went in and the first thing I noticed was Account activation on email confirmation. Wait, Does that mean I need to sign-up and get confirmation link on my account? Yes it is. So, I’ve to now login to my email and verify myself. But then, I forgot my password while logging into application. So I went back made a password reset attempt and got password reset confirmation. Now, My Inbox has 2 new emails :

  1. Account confirmation.
  2. Password Reset.

I had to reset my password, and while I did, I was shocked to see I discovered my first vulnerability which I’ll say accidentally. I was welcomed to the dashboard with fully activated account. So, I re-attempted the scenario which worked and this is what I understood about the scenario

(Picture : Account Verification Bypass)

The second one was OTP Reuse which I’ve followed while activating 2 Factor Authentication. The old OTP was not truncated after use which allowed me to reuse already assigned OTP against my account. The scenario can be seen below:

(Picture : OTP Reuse Attack)

I went on this program and I was able to find 12 security bugs with following stats :

  1. 12 In total Submitted Bugs
  2. 1 Marked as Duplicate
  3. All 11 were validated and bounty was awarded.

Why all rambling about Bug Bounty, Reporting, Reconnaissance ? It is because if you’re in the middle of making BB as your side-gig and stuck somewhere in finding these vulnerabilities, trust me you will get through it. It all needs patience, complete focus and more of smart work rather hard work. Also, keep notes of everything you find. I hope this helps you ahead in your bug hunting journey.

Resources

Dealing with Information Security as my Day Job and Information Security Research at night. Co-organizer for #BSidesIslamabad advocate for #HackingIsNotACrime

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store