Channel: R_bugbounty
Respected folks, what are some things you think would have been great if I had known them earlier?

Sorry for another beginner post, but for people who have been doing bug bounty: what clues can you give that made the process easier or simpler?

https://redd.it/1cekm8u
@r_bugbounty
I'm stuck in a loop

Hello hackers, I have been doing bug bounties for a very long time and I have recently realized that I am kinda stuck in a loop.

I pick a target to hunt, start my recon process, gather subdomains using multiple tools, use httpx to filter live subdomains, run nuclei on them, and do some other similar stuff. I do the same things every time, same tools, same methods.

Please help, what can I add to my recon process? Please suggest some unique tools, methods.

https://redd.it/1ceisbd
@r_bugbounty
XSS - Demonstrating Additional Impact

I've identified an XSS vuln in an HTML tag attribute. I can easily demonstrate this with alert() or console.log(), but I want to further demonstrate impact, like ATO or something. The JSESSIONID cookie is HttpOnly, so I can't access it via JavaScript. I can get the CSRF token, so I was hoping to just use XMLHttpRequest to perform actions as the logged-in user. The issue I'm running into is that the injectable parameter has a 100 character limit (enforced on the server) and CSP will not allow me to load an external JS file. Any ideas here?

https://redd.it/1cetnb5
@r_bugbounty
Bug Bounty Roadmap Feedback

Hello everyone,

I'm contemplating a career switch to cybersecurity, particularly starting with bug bounty programs. I've outlined a roadmap for myself and would appreciate feedback or alternative perspectives to refine it. If bug bounty programs don't suit me, I'm considering exploring other roles within the Red Team or delving into the skillsets required for the Blue Team. Thanks in advance!

1. My initial plan involves starting with Heath Adams' Practical Ethical Hacking - The Complete Course to establish a strong foundation. I'm a hands-on learner, which is why I opted for this course instead of continuing with the "Getting Started Page" on HackerOne. Additionally, I decided against diving straight into Hack the Box due to the considerable prerequisite knowledge required, which can be overwhelming.
2. Upon completing the course, I intend to explore TryHackMe. Since I'm unfamiliar with it, I'm unsure which rooms are best suited for bug bounty practice. I'm considering the "Red Teaming" room as a potential starting point. It seems like a logical progression since it offers less guidance, requiring individuals to problem-solve independently, yet it's not overly challenging. If skipping this step and proceeding directly to Hack the Box is more advisable, please advise!
3. Finally, I plan to participate in the Hacker101 CTF. I believe that the combination of theoretical knowledge from Heath's course and practical experience gained from TryHackMe will adequately prepare me for these challenges.

Following this, I aim to explore other online CTFs gradually and begin identifying bugs through platforms like HackerOne.

For context, here's a bit about me:

I'm currently an application developer with a consulting company.
I'm proficient in Java, JavaScript, and have some experience with Python.

Thank you for your guidance!

TLDR:

Considering a career shift to cybersecurity, particularly bug bounty programs, I've outlined a roadmap starting with Heath Adams' course for a solid foundation, followed by TryHackMe to gain hands-on experience, and concluding with Hacker101 CTF for practical skill refinement. Seeking feedback. Current background includes experience as an application developer with proficiency in Java, JavaScript, and some Python.

https://redd.it/1cevrpt
@r_bugbounty
I'm curious about XSS filtering

Hi everyone. I'm a bug bounty novice. I'm currently spending a lot of time manually looking for bugs. First of all, I'd like to say that I've already studied the concept, types, etc. of XSS. But I'm asking you a question because I don't think I'm familiar with how XSS is being filtered, etc.

When I type in a payload to find XSS on a site, it is filtered with high probability, and from what I've studied, this is called sanitizing and escaping. I checked that content like <, > or "script" is filtered, or is treated as a string.

So, I was wondering which of the two (or both) finding XSS involves:

1) Whether you're looking for a bypass beyond this filtering, or

2) if you're trying to inject XSS on a site that doesn't use this filtering.

If it's number one, filtering techniques are advanced on each site that applies them, and they all seem almost similar. Do you have any tips in this regard? I've looked into the related content and it's too hard for me. Please give me some advice on this.

https://redd.it/1cezl8p
@r_bugbounty
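The two XSS posts above (the attribute-context sink, and the question about sites that filter <, > and "script") share one underlying point: a blocklist filter is context-blind, and the attribute context cares about quotes, not angle brackets. The following Python script is an added example, not code from either poster or from any site mentioned. It renders constructed sample strings into an attribute sink through the kind of filter described (strip <, >, "script") and through proper per-context encoding, then uses the standard-library HTMLParser as a stand-in for the browser's tokenizer to show how many attributes each rendering really produces. The sample strings and the input tag are constructed for the example.

```python
"""Context-aware output encoding versus a blocklist filter (added example)."""
import html
import json
import re
from html.parser import HTMLParser

# Constructed sample inputs (not taken from any real site).
SAMPLES = {
    "angle_brackets": "<b>hi</b>",
    "attribute_breakout": 'hi" data-injected="1',
    "script_close": "</script>",
}


def naive_filter(value: str) -> str:
    """Blocklist filter of the kind the post describes: drops '<', '>' and
    the word 'script'. It never looks at quotes, so at best it is only safe
    when the value lands in plain HTML text."""
    value = value.replace("<", "").replace(">", "")
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def escape_for_html_text(value: str) -> str:
    """Encoding for the HTML text context: &, < and > are enough here."""
    return html.escape(value, quote=False)


def escape_for_html_attr(value: str) -> str:
    """Encoding for a quoted attribute value: quotes must be encoded too."""
    return html.escape(value, quote=True)


def escape_for_js_string(value: str) -> str:
    """Encoding for a JavaScript string literal inside a <script> block:
    JSON-encode, then also encode < and > so '</script>' cannot end the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_attribute(encoder, value: str) -> str:
    """Build the tag a server would emit for an attribute-context sink."""
    return f'<input type="text" value="{encoder(value)}">'


class _AttrCollector(HTMLParser):
    """Records attribute names as the HTML tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def parsed_attribute_names(fragment: str) -> list:
    """Return the attribute names a parser finds on the tags in fragment."""
    collector = _AttrCollector()
    collector.feed(fragment)
    collector.close()
    return collector.names


def compare_filters(value: str) -> dict:
    """Attribute names produced by each treatment of one input value.
    With the naive filter, a quote in the value adds an attribute to the tag;
    with attribute encoding the value stays inside the attribute."""
    return {
        "naive_filter": parsed_attribute_names(render_attribute(naive_filter, value)),
        "attr_escape": parsed_attribute_names(render_attribute(escape_for_html_attr, value)),
    }


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, compare_filters(sample))
    print("js string:", escape_for_js_string(SAMPLES["script_close"]))
```

The point of comparing parsed attribute names rather than raw strings is that it measures what the browser will build, which is what matters for the sink: once the filter lets a quote through, the rest of the value becomes new attributes, and no amount of stripping angle brackets changes that. The fix is encoding chosen by output context (text, attribute, JS string), which is also why escaping in one place rarely transfers to another.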
Are there any web vulnerabilities that are difficult or impossible to automate?

As a beginner in bug bounty, it seems like those who quickly run automation tools often claim the rewards first. So, my strategy is to manually exploit vulnerabilities that are difficult to automate. What are some examples? Initially, vulnerabilities like XSS, SQLi, or path traversal seem automatable or fuzzable.

https://redd.it/1cf4zmz
@r_bugbounty
Need help finding my first bug.

Hey I'm looking for advice. I have been learning PHP for about 7 months and have some decent knowledge about it.

I have a website that has a chat, file upload and stuff.

I understand CSRF, SameSite, CORS misconfiguration, XSS, redirection, SQLi,

file upload, info disclosure, and I can't find a bug; it's been about 5 months of looking. I'm looking for some advice please.

And how do you guys keep up to date? I have RSS but no decent feeds. I have this sub's RSS, that's about it.

I have nearly completed every PortSwigger lab but I suck. Any advice please. And thank you 😊

https://redd.it/1cfb1ur
@r_bugbounty
Need help! Possible major security leak on major screenshot platform

So this post is gonna be updated as this situation ensues;

I have today found a bug within Gyazo giving me access to other Gyazo accounts' saved pictures.

Gyazo is a screenshot platform.

Any tips regarding this situation are highly appreciated, as I have never before found a bug this big with the danger/harm potential it has.

Tried to contact their support and it says they are on holiday till over the new year.

https://redd.it/1cfnf8m
@r_bugbounty
What are the top closed-source and open-source bug bounty platforms?

I'm looking for both options. I need to be able to put non-bug-related bounties on this board/platform as well, which I'm guessing wouldn't matter, as you should be able to put up any content/request/bounty whether it's bug related or not, right?

https://redd.it/1cfu4b5
@r_bugbounty
GitHub Dorking Code section

Hello!

GitHub removed the sort filter in the code section. How are you guys dealing with this and searching for the latest leaks and keywords when you are doing a repeated dork every day? Removing the "latest update" filter will just give you the same result every time you dork it. In the past, when I was doing GitHub dorks, I would do my search on a specific company and then filter the code section by latest update to see only the new things.

https://redd.it/1cfu3uk
@r_bugbounty
Social engineering has to be a part of BB

So in reality, someone would screw you over through any hole they find, and humans are the most vulnerable place. IT departments think they do enough testing among employees, but they might not be doing enough, since one has to have a specific mindset, which could lead to more innovative approaches that can disclose a problem.
I personally see BB as a preventative measure against potential attacks, and in that case it should cover all possible vectors of an attack, including social engineering.

Just a discussion.

https://redd.it/1cfyiuk
@r_bugbounty
Looking for Swedish bug hunters!

Hello!

I am producing a podcast on behalf of a university in Sweden and am looking for an active bug hunter to interview! The episode is about IT security and what the driving force is behind being a bug hunter.

If you feel like you / someone you know would fit in, please leave a comment or send a message.

Thanks in advance!

https://redd.it/1cg0szc
@r_bugbounty
Who are you?

Please identify yourself


https://redd.it/1cgalds
@r_bugbounty
How long do you stick around looking for an XSS exploit on a page? What are some good indicators to move on from testing a sink/source?

I am currently playing with XSS payloads for a sink I found. I've gotten different responses according to different payloads to test the firewall, as well as getting past it by getting responses from the IAM microservice and AWS ELB load balancer. I got responses from the server directly as well, but nothing exploitable. I'm just in the vuln stage with this.

For context: the JS code shows the level of input validation, which is minimal, and why I've gotten around it, I believe.

So, I am wondering what some good indicators are that this JS sink isn't exploitable, although vulnerable?

Edit: spelling

https://redd.it/1cgaimc
@r_bugbounty
Efficient way to learn with real targets

Respected folks, kindly suggest how you learn a new vulnerability and practice on real targets (after doing the PortSwigger labs).

What I am currently doing is, after the PortSwigger labs, just choosing any target from a VDP and testing on it. Mostly I am not able to find the bug.

Can you share your experience with this? How do you practice while learning?

https://redd.it/1cgdi9e
@r_bugbounty
How important is recon actually?

I've never done recon apart from basic subdomain enum.

I have been reading and watching guides all day on recon, and came across a video of a guy saying recon is worthless because if you find a bug on a subdomain that's way off the radar, the attack surface is pointless because there's no exploitability.

Please help me get better at bug bounty.

I have today learned subfinder, httpx, ffuf (which can be tricky with params), ASN enum and aquatone. Am I missing stuff?

https://redd.it/1cga6vs
@r_bugbounty
Can't change my report title on HackerOne

I submitted a report on HackerOne with a very shitty title and it's been a day and I can't change it anymore. Any solutions?

https://redd.it/1cgi8rk
@r_bugbounty
2024/04/30 04:35:54