
Hello everyone, thank you so much for being here, thank you for showing up, and thanks to the BSides organizing team for organizing everything and making sure everything is working and running smoothly. Perfect, thank you.

So basically this is my second time here in Pristina. I was here in 2019 for a different conference, so it's always great to be back here and just enjoy the city. Today we're going to talk about a topic that is very dear to me, an industry that I've been involved in for a decade: we're going to be talking about bug bounties, and I'm going to share with you some insights and lessons that I've learned from my experience doing bug bounties as a hacker, hacking different companies, high-profile companies like Facebook, Google, Apple, etc. So I'm going to be sharing some lessons and insights that I've learned from that experience, and I'm also going to be sharing the lessons that I learned actually managing those bug bounty programs for some of the biggest companies. But before we start I just want to get an idea: how many of you here are familiar with the concept of bug bounties? Can you raise your hands? All right, that's good. How many of you have earned a bug bounty before, a bounty payment? All right, I think this is a good start.
All right, so we're going to talk about it, but before we dive into the topic I just want to introduce myself. My name is Yassine Aboukir, I'm originally from Morocco, and I'm currently based in France. I hold two master's degrees, both of them in management and business, which is very irrelevant to what I'm doing now as a career. It just goes to say that it doesn't really matter what you studied before, as long as you have the passion to pursue what you really like and what you're really passionate about. So right now I'm doing cybersecurity, apparently. I do application security consulting, so basically I work with companies to provide them with consulting services like penetration testing, security assessments and so on. From 2017 to 2019 I worked as a security analyst for a company called HackerOne, which is a bug bounty platform. I worked as a triager, so basically I triaged for bug bounty programs belonging to some of the biggest companies, and I'm going to share that experience later on in the presentation. This year I actually joined the HackerOne Hacker Advisory Board, so basically my role is just to ensure that the hacker community is well represented and that hacker feedback is incorporated in their products and services. And I've been doing bug bounties since 2013, so basically it's been a decade, 10 years, and I am one of HackerOne's all-time top 20 hackers. Last year I actually won one of the live hacking competitions back in Denver; as you can see in the picture I'm holding the MVH belt, I look like a UFC fighter, I know. So I won first place, which was quite an achievement because it was very competitive. So yeah, that's it.

So now we're going to start, for the people who are not very familiar with the concept of a bug bounty program: a bug bounty program is basically when a company seeks the help of the security research
community. So basically a company like Facebook or Google wants the help of ethical hackers to find security vulnerabilities in their services and products, so they set up what we call a bug bounty program, which has all kinds of rules that you should know before participating. Once someone, a hacker, an ethical hacker or a security researcher, finds a security vulnerability, they get paid what we call a bounty, which is a monetary payment. As you can see in this screenshot, this is an example of the PayPal bug bounty program, which is hosted on the HackerOne platform. This is basically how it looks, and every bug bounty program has a set of rules or sections.

So a bug bounty program has what we call a bounty table, as you can see here in this screenshot. What is the bounty table? It's just the monetary reward that you can expect when you find a security vulnerability in their product: if it's a low-severity bug you can expect this much, if it's a high-severity bug you can expect like 10K US dollars, and if it's a critical, this is how much you can expect. Every program also has in-scope vulnerabilities: these are the security bugs that the company is interested in, that they want to hear about and want you to find, so they have a list of those in-scope bugs. And just like in scope, there are out-of-scope bugs: the company has a list of bugs that they're not really interested in, either because they are informative or low severity, or basically because they are false positives. So as a hacker you don't want to look for those bugs, you just want to avoid them, because they're going to be a waste of time. Every program also has rules of engagement, rules that you should abide by. If you're going to start hacking on PayPal, these are some of the rules that you should respect. One of the rules, for example, is just
to avoid heavy automation: do not run heavy automation on their products, because you're just going to bring them down. These are the kinds of rules that you have to respect. Then there is the service level agreement, the SLA, which is the times you can expect: time to acknowledge your report or your bug, how much time you're going to have to wait to get paid, and how much time you're going to wait to have the bug fixed or resolved. And there is a safe harbor clause, which is optional and which people started talking about recently. The safe harbor clause is basically a legal clause in which the company states that as long as you're acting in good faith, they're not going to prosecute you, they're not going to pursue any legal action against you. This is very important, because a lot could go wrong.

As you can see, I'm pretty sure you guys are very familiar with these logos; these are some of the Fortune 500 companies that are running bug bounty programs. These companies are basically working with ethical hackers to find all those security vulnerabilities that may be affecting their own products. So we have Salesforce, Snapchat, Slack, Facebook, Apple, Google; all these companies have what we call a bug bounty program. So if you have the skill set that it requires and you can find security vulnerabilities in their products, you could get paid a bounty in exchange.

So how I got into bug bounties: I just want to share with you my story of how I started doing bug bounties. Basically, when I was in my teenage years I was very passionate about hacking. I loved finding security bugs in random software, so basically I'd just go on the internet, find some random software, poke around and find bugs in that software. I was just doing it for free because I liked it, I enjoyed it. But what I did is that when I
found a bug, I'd just write up the details and publish them online, without even coordinating with the vendor, without notifying them to get it fixed or anything. As you can see here, it was back in 2011, 2013, 2014; these are some of the bugs that I posted on the exploit databases, if you guys are familiar with milw0rm, for example, or Exploit-DB. So I'd find a bug and just post it online without it even getting fixed, which is bad, because this is not how responsible disclosure works. You have to coordinate with the vendor to responsibly notify them of the bug so that they can get it fixed, and then you can publish your bug publicly. But I was doing it the wrong way, which I call the irresponsible disclosure phase, as opposed to responsible disclosure. Because if you're familiar, when we do bug bounties, or just vulnerability disclosure in general, we have what we call the 90-day rule. Basically, when you find a bug you have to report it to the vendor, you have to report it to the company so they can get it fixed, and the company has 90 days to get it fixed. If they don't get it fixed in 90 days, then you can actually publish it to the security community, you can make them aware. If they get it fixed in a timely manner, then you can share the details, but you're not really allowed to share the details publicly before it's fixed, otherwise it's a 0-day and it's going to be exploited maliciously.

So fast forward to 2013: I was just scrolling through some news articles and I stumbled upon an article about a platform called HackerOne, and that now you can actually work with companies, you can hack companies legally and actually get paid for it. Because I was doing it for free back then, that was an intriguing idea, and I just went straight to the HackerOne platform and signed up in 2013. So I started poking around, and what I
found is that they had a lot of open source projects, like Python, Django, Ruby on Rails, so basically they wanted you to find bugs in those projects. But back then I didn't really have the right skill set, I did not have much code review skill, so I couldn't find anything in 2013; I was just poking around, but no luck at all. Fast forward to 2014, one year later: I found my first bug and I earned my first bounty. It was the dumbest bug I ever found, honestly. It was on Yahoo, and what I found on Yahoo, basically the bug was just resetting the votes. Yahoo had this board, the suggestion board, where users can post suggestions and other users can upvote and downvote the suggestions. So I was just poking around, and when you upvote a suggestion there is a parameter called vote value which just increments by one. I was thinking, what can I do here? And I changed the vote value to 1600, which is a long number, and I just clicked on upvote, and what happened next is that I reset the votes to zero. As you can see here, it was like 300, 350, 57, and then zero. This is the dumbest bug I ever found. It was a low bug, but fortunately I got paid for it. I submitted it to Yahoo, this was back in 2014, and I got my very first bounty, which was like 400 bucks. I did not believe it, because I was doing this for free and now I get paid for it, and I can do it legally: I can hack a company and get paid for it, which is awesome. I couldn't really believe it, so I was like, is this real? I was still in university, and the next summer I just spent it looking for bugs. I spent the whole summer just hacking companies, because this was too real for me to
So let's talk about some common bug hunting methodologies: when you're approaching a target, how can you approach it? From my experience, and from talking with other bug hunters, with other hackers, I realized that there are basically four methodologies when you're hacking. There are some people who, when they're looking for bugs, for security vulnerabilities, automate everything. They basically automate everything and don't do anything manual; they've built their automation, they deploy it to servers, and the automation is just continuously looking for bugs, and they don't do any manual work, which is awesome. But there are other people who do full manual. The full manual methodology is when you're actually going deep into the application and doing manual hacking without any automation, without any tools apart from some necessary tools like a web proxy, for example. So there are some people who like to do full manual hacking, which is cool, and there are some other people who do what I call the 50/50. This is my methodology, which is basically that the first phase of hacking you do with automation: you use a lot of tools to collect data, do some reconnaissance, find some subdomains, DNS data, fingerprinting, all that stuff, and then once you collect that data you can do the manual hacking; you can use that data to actually start manually hacking and looking for security vulnerabilities in that data. So this is my methodology. And there are some people who do what I call "zero-day all the things". These people go and look for bugs in software that is widely used by companies, for example WordPress: they go and look for a zero-day bug in WordPress, and once they find this bug in WordPress they look for all the companies that use WordPress and submit those reports to them. So they basically do security research, they find zero-days, and then they find all the companies that use that vulnerable software or technology. Perfect, I don't know what happened there.

So the question here is which one of these methodologies is actually the best; that is the natural question, which one should you go for? The thing is that all these methodologies have proven to be effective, they have proven to be successful. As you can see here, in each category there is a successful bug hunter who has made millions just using that methodology. For example, for the fully automated we have Eric, todayisnew; he's one of the best hackers, he's very successful, a million-dollar bounty hunter, and he doesn't do any manual hacking. He basically built an automation machine
that is continuously working and looking for bugs on a daily basis. It's just working while he's not; he's not doing any manual work. Then for the full manual we have Ron, who is a very successful bug hunter as well. Ron just doesn't do any automation, as opposed to Eric; he just likes to do manual hacking, go deep into the application, understand it, and just find logical bugs. For the 50/50 we have the legendary Frans Rosén, one of the best hackers, and we have Shubs for the zero-day all the things. Shubs is one of the co-founders of Assetnote; if you go to the Assetnote site they have so many blog posts about zero-day vulnerabilities that they found in popular software. So basically he finds 0-days and submits those 0-days to bug bounty programs, and it works for him. So they all made good money out of it and they're very successful, which means that all the methodologies actually work. It depends on you, but each methodology can come at a cost. For example, the fully automated one might be very costly, because you're running a lot of servers, so it might be very costly to run those cloud servers. With full manual, you might just be manually hacking and then not find any bug at all. So there is a cost for each of these methodologies.
So, go big or go home. These successful bug hunters, one of the things that I noticed is that they all try to focus on high-severity security vulnerabilities, like P1, which is critical vulnerabilities; these are usually server-side bugs, could be an RCE, SQL injection, SSRF. Or P2, high-severity bugs, like stored XSS, account takeover, authentication bypass. So all these bug hunters, I observed that they are actually focusing on P1 and P2, which makes sense. Why? First of all, they're avoiding duplicates and the related frustration, because in bug bounty you have to be the first one to find the bug to actually get paid. If you find the bug but someone found it before you, you're not going to get paid; it's going to be a duplicate. But when you're focused on P1 and P2, not a lot of people are actually focusing on that kind of vulnerability, and they're not easy to find either, so you're avoiding the duplicate frustration. Also, when you send a high-severity bug to a company, they quickly fix it; they have to react quickly, otherwise it's going to be exploited maliciously, so they quickly get it triaged and fixed, which is good. And then you have high monetary rewards, so basically when you're focusing on P1 and P2 you're going to earn a lot more than when focusing on low-severity and medium bugs. I'm not saying by any chance that you should avoid looking for low-severity or medium bugs; it's just that you have to shift your focus to looking for P1 and P2 bugs if you've got the right skill set.

Then, when you're doing bug hunting, you want to focus on healthy and high-paying bug bounty programs. There is a lot of frustration that can originate from doing bug bounties. There are so many companies running a bug bounty, but they are not all great, because sometimes you submit a report to a company and you have to wait months before they even respond to you, or you have to wait months before you get paid. So you want to be picky when you choose which company you want to hack on. These are two companies, for example, which are amazing: the first one is GitLab, if you're familiar with it, and the second one is Shopify. GitLab, for example, pays up to 35K for a critical, which is great, it's a good return on investment, and Shopify can even pay 200K for a critical vulnerability. That's why I'm saying you have to focus on P1 and P2, because there is a high monetary reward, and these companies are very healthy; they have a great security team, very reactive, all that stuff. And before you start, before you choose a
program, if for example you're using the HackerOne platform, on the program page you can see these statistics, which are very important before you start hacking on a program. You see the average time to first response: how much time it's going to take for the company to acknowledge your report and get back to you. Average time to bounty: how much time until you get paid, which is important; you just want to get paid, so it's important to keep it short. And how much time to get your bug fixed. Also, you can see, this is the PayPal bug bounty program, how much PayPal paid over the years: they paid 8 million in bounties in total, and you can see the average bounty that they paid to hackers, which is usually 2K to 4K, and the top bounty they paid, 52K. So as you can see, there are all the stats you can check before you start hacking on a program, before you decide which company you want to hack on. PayPal, for example, has appealing numbers, which is good. But for a regular bug hunter, when they see the total number of bugs that were resolved, you see it's 1470, which is a lot of bugs, and then the regular bug hunter's mind says there's no way I'm going to find a security vulnerability after like 700 people found over a thousand bugs. This is a regular bug hunter's mindset, which is really bad, because the best hackers don't really care about those numbers. They know that regardless of how many bugs other people found, there will always be other security vulnerabilities. Why? Because companies are pushing code, they're making changes on a daily basis, so there are always new features being developed, so there are always new bugs being introduced. Likewise there are always regressions: they might fix a bug today, but there might be a code change and so the bug might show up again; we call that a regression. So it doesn't matter how many bugs that program fixed, you can always find bugs on these programs, and these are the best programs that you want to focus on, these are the... oh, it's gone again. So these are the big programs like PayPal; they pay really well, they have a great security team. All right, so I was talking about healthy programs, the programs that pay really well. These are some examples of the programs that are really good, that you want to work with, so if you ever decide to hack on some of the programs, some of the
companies, I suggest you hack on TikTok, find security vulnerabilities on TikTok, Dropbox, Epic Games, GitHub, Uber, Stripe; these are amazing, I had a good experience with them.

All right, so let's talk about application-based recon and testing. Every time I talk to a bug hunter, a hacker, they're obsessed with automation. A lot of them are like, I tried this tool and that tool, I'm working on building this automation and that, so everyone is really distracted from the in-depth testing and the creative aspect of hacking. Hacking is actually more fun when you're doing it like that, when you're actually going deep into an application and using the creative aspect of it. So a lot of people are just obsessed with automation; I mean, it's not really bad, but it's also not very effective. A lot of people in the hacker community ignore the core application. A lot of these companies, like TikTok, Stripe, Shopify, really care about the core application; they want you to find bugs in the product itself, the core application. As you can see here, for example, Dropbox has a separate bounty table and separate bounty amounts just for the core application, because they want people to focus on finding bugs in the core app, not just going out of scope or looking for subdomains and those old, outdated assets. They want you to find bugs in the core app, which will pay a lot more than actually finding security bugs on some outdated subdomain or whatever. So you want to focus on the core app, which usually has more importance and priority as well as great compensation.

Also, when we talk about reconnaissance: reconnaissance is a very trendy word in the hacking community nowadays. When you ask someone about reconnaissance, or recon as we call it, they just start talking about finding subdomains, so basically reconnaissance has been associated with finding subdomains, whereas reconnaissance actually goes way beyond just finding subdomains. It's about doing DNS
recon, you find DNS data, you do some fingerprinting; there's a lot you can do with reconnaissance. And reconnaissance is not just about finding subdomains; we can also talk about application-based reconnaissance, which is actually the best recon, the one that has paid off very well for me. App-based reconnaissance is when you actually try to get to know the application: you try to browse the application, you use it as a regular user and just click every button, fill out every form, and use it as a regular user while intercepting all the HTTP requests, so you get familiar with it. You can also use the Burp Suite proxy's spider functionality so you can have a better visualization of how the app looks; as you can see in the screenshot, this is a visualization of the Zoom API and core application. So this is the kind of reconnaissance that actually paid off very well for me, instead of just doing some subdomain reconnaissance, because you want to really get to know the app, really understand it deeply and go in depth.

Also, I want to talk about functionality- or feature-oriented security testing. Some people, when they start hacking on an app, go with the assumption: hey, I'm going to
focus on finding XSS, so basically they only look for XSS, whereas other people use a better strategy, a way more effective strategy, which is that when you're testing a functionality you want to think about which class of vulnerability would actually apply to this functionality. For example, if you're hacking on an image uploader, you're going to think about which class of vulnerability would actually apply to this image uploader, what kind of bugs do you think will be there, instead of going with the assumption, hey, I'm just going to look for XSS, and spending all your time looking for one single class of vulnerability. So basically you want to think about what kind of bugs will apply to this functionality that I'm testing.

Also, focused manual testing requires a deep understanding of the inner workings of the app. When you're hacking on the app you want to understand how it works. A lot of people start hacking, for example, on TikTok or Zoom, and they don't even understand the app; they don't know how it works, they don't know what it does, they don't know what the logic is, so they're just blindly testing, and it's a waste of time. When you start hacking on an app you want to understand how it works, you want to write down everything, you want to sketch out everything and just understand how everything is interconnected, especially if it's a complex application like Shopify, for example. That way you're going to find more logical bugs, you have more chances of finding security vulnerabilities, instead of just blindly testing whatever without even understanding what it does.

Also, what makes the difference between a regular bug hunter and a successful one is that successful bug hunters are ready to go the distance. What I mean by that is that when you're hacking on an app and there are some features you have to pay for to get access to, some bug hunters won't pay, because for them it's a waste of money, but successful bug hunters will pay for the Pro plan so they get access to those features behind the paywall, because not everyone has tested those features, which gives you a competitive advantage. Another thing is that you have to be willing to go the distance; for example, there are some apps that require you to complete a setup, a complex setup. Some people are too lazy to complete this setup, but successful bug hunters take their time to configure everything and set it up, because that will make the difference. Or if the company has a hardware device,
you want to order it, because you have more chances of finding bugs on that device. Or if there's documentation, make sure you read the whole documentation so that you understand everything and have more chances of finding more security vulnerabilities. So always be ready to go the distance.

OK, this is related to what I was just saying. This is a vulnerability that I found last year in a live hacking competition with a friend of mine, Andre. Basically this application was supposed to be a very secure messaging app used by governments. I'm not allowed to disclose the name of the company because it's private, but what I'm saying is that this company has SSO, which is a Pro feature, you have to pay to get access to it. We paid to get access to that feature, and I'm pretty sure a lot of the hackers that were with me in the live hacking event did not pay for it; that made the difference, that's how we found this bug. So we paid for the Pro plan to access the SSO feature, and also setting up the SSO took a lot of time, and I'm pretty sure a lot of hackers would have just skipped it because it takes so much time, but we took our time to set everything up. Basically this was an account takeover: we could take over any account with zero interaction. What was happening is that when we set up our SSO we used Okta, for example, and in our Okta instance we can add our target's, our victim's, email that is on the vulnerable app. We add it to our Okta, which you can do, and then what we try to do next is SSO into the vulnerable application. So when we reach the Okta login page we log in with the victim's email that we added to our Okta instance, and then what happened is that there was improper validation, and we would be able to log into any user's account. So basically we just need the victim's email, we add it to our Okta instance, we initiate the SSO login, and we would log into their account. So basically this was a very simple bug but very impactful, because we could hack any account without any user interaction, and it got paid as a critical, it got the highest bounty amount.

This is a second example, another bug that we found last year in a different live hacking competition. This is an SSRF, server-side request forgery. Basically this company
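The talk only says there was "improper validation" on the SSO side; it does not say what the service provider checked. The block below is an added example, not the speaker's code nor the affected vendor's: it shows one plausible shape of that bug class, a service provider that takes the email asserted by any trusted identity provider and uses it as a global account lookup key, next to a version that only lets an IdP connection log in users of the tenant that configured it, and only for domains that tenant has verified. The tenants, connection names and users are constructed for the example.

```python
"""Added example (not from the talk or the vendor): SSO email-to-account mapping,
vulnerable and hardened. An attacker-controlled IdP (Okta in the talk) can assert
any email it likes; what must not happen is the service provider trusting that
assertion for accounts the IdP's tenant does not own."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    verified_domains: frozenset  # email domains this tenant proved it controls


@dataclass(frozen=True)
class SsoConnection:
    connection_id: str
    tenant_id: str  # the tenant that configured this IdP


@dataclass(frozen=True)
class User:
    email: str
    tenant_id: str


class SsoError(Exception):
    pass


# Constructed sample data: a government tenant and an attacker-owned tenant,
# each with its own IdP connection (names are hypothetical).
TENANTS = {
    "gov": Tenant("gov", frozenset({"gov.example"})),
    "attacker": Tenant("attacker", frozenset({"attacker.example"})),
}
CONNECTIONS = {
    "okta-gov": SsoConnection("okta-gov", "gov"),
    "okta-attacker": SsoConnection("okta-attacker", "attacker"),
}
USERS = {
    "victim@gov.example": User("victim@gov.example", "gov"),
    "mallory@attacker.example": User("mallory@attacker.example", "attacker"),
}


def sso_login_vulnerable(connection_id: str, asserted_email: str) -> User:
    """Vulnerable: the IdP's email claim is looked up across *all* accounts.
    Any IdP trusted for some tenant can therefore log in as anyone."""
    if connection_id not in CONNECTIONS:
        raise SsoError("unknown connection")
    user = USERS.get(asserted_email)
    if user is None:
        raise SsoError("no such user")
    return user


def sso_login_fixed(connection_id: str, asserted_email: str) -> User:
    """Hardened: the connection may only log in users of its own tenant, and only
    for email domains that tenant has verified. No fallback to a global lookup."""
    conn = CONNECTIONS.get(connection_id)
    if conn is None:
        raise SsoError("unknown connection")
    tenant = TENANTS[conn.tenant_id]
    domain = asserted_email.rsplit("@", 1)[-1].lower()
    if domain not in tenant.verified_domains:
        raise SsoError("asserted email domain is not verified for this tenant")
    user = USERS.get(asserted_email)
    if user is None or user.tenant_id != conn.tenant_id:
        # Either JIT-provision a *new* user inside conn.tenant_id, or refuse.
        # Refusing is the safe default; never bind to a user of another tenant.
        raise SsoError("account does not belong to the connection's tenant")
    return user


def login_accepted(login, connection_id: str, asserted_email: str) -> bool:
    """True if the given login function accepts the assertion, False if it rejects it."""
    try:
        login(connection_id, asserted_email)
        return True
    except SsoError:
        return False
```

The attacker's path in the talk maps onto `sso_login_vulnerable("okta-attacker", "victim@gov.example")`: the attacker adds the victim's address to their own IdP, completes SSO, and lands in the victim's account. The same call against `sso_login_fixed` is refused because `gov.example` is not a verified domain of the attacker tenant, and even a matching domain would still have to belong to a user of that tenant.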
has an API, and I was just browsing the documentation. What made the difference here is the documentation: I read the documentation, I took my time to read it, whereas some people did not do that, so that made the difference. Basically I was just reading the API documentation and I noticed this request, and the first thing that caught my attention was the URL parameter. When you see a URL parameter, the first thing that comes to mind is to test it for SSRF, which is a server-side bug, very critical. But when I tried to replicate this, the request did not work. Why? Because, first of all, reading the documentation I realized that I needed to set up a separate user account, and for that user account I needed to explicitly grant the API permissions, and even after granting API permissions I needed to generate valid API credentials for that separate user account, just so I could reproduce this API request. So the first thing I did was to point the URL to localhost, the loopback address, so I could reach the organization's internal network. When I did that it did not work; I basically got unauthorized, I don't have the response here, but when I tried the typical payload, the localhost API did not work. So I tried a bunch of bypasses, and the one that actually worked was using the IPv6 format, as you can see there: I used the IPv6 format and it worked, and I got the response. As you can see here, I got access to their localhost, their internal network. So basically this one got paid as a critical. I just want to demonstrate that what made the difference here is that I took the time to read the documentation. Some people may have read it but they did not completely understand it, from talking to them, so that's what makes the difference: just go the
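The bypass above works because the server matched the host as a string. The block below is an added example, not the vendor's code: a deny-list check of the kind that `http://[::1]/` walks straight past, next to a check that normalises the destination to IP addresses and rejects every non-public range, including IPv4-mapped IPv6 such as `::ffff:127.0.0.1` and the cloud metadata address. The parameter name and endpoint are not given in the talk and are not assumed here; only the URL check is shown.

```python
"""Added example (not from the talk or the vendor): SSRF destination checks.
The vulnerable version compares the host *string* against a few spellings of
loopback; the hardened version resolves the host and classifies the addresses."""

import ipaddress
import socket
from urllib.parse import urlsplit

# The kind of deny-list an IPv6 loopback literal bypasses.
DENYLIST = {"localhost", "127.0.0.1"}


def is_allowed_vulnerable(url: str) -> bool:
    """Vulnerable: string match only; '[::1]', '::ffff:127.0.0.1', '127.1',
    '0.0.0.0' and any DNS name pointing at 127.0.0.1 all get through."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return False
    return host not in DENYLIST


def _resolve(host: str) -> list:
    """Addresses the host maps to. IP literals (v4 or v6) are returned directly,
    so the check works offline; names are looked up with getaddrinfo."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip any IPv6 zone id (fe80::1%eth0) before parsing.
    return list({ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos})


def _is_public(ip) -> bool:
    """Reject loopback, RFC 1918 / ULA, link-local (which covers 169.254.169.254),
    multicast, reserved and unspecified. IPv4-mapped IPv6 is unwrapped first so
    the IPv4 rules apply to it."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_allowed_fixed(url: str) -> bool:
    """Hardened: http(s) only, resolve the host, and require *every* resulting
    address to be public. The fetch must then connect to one of the vetted
    addresses rather than re-resolving (DNS rebinding), and must run this same
    check on every redirect target."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = _resolve(parts.hostname)
    return bool(addrs) and all(_is_public(a) for a in addrs)
```

Note the two follow-on conditions in the comment on `is_allowed_fixed`: a check that passes but then lets the HTTP client resolve the name again, or follow a 302 to an internal address, is bypassable just like the string match was.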
distance. All right, another thing that I recommend is fuzzing all the things. Fuzzing is very powerful; literally fuzz everything. There are so many tools that allow you to do fuzzing, especially when you're hacking with a black-box approach. Fuzz the endpoints, fuzz the parameters, fuzz the directories, everything. And even when fuzzing, what a lot of people do is use a generic wordlist, they use one wordlist for everything. What I do recommend is that you use what we call a context-based wordlist. For example, if you're fuzzing a WordPress installation, you want to use a wordlist that is adapted to the WordPress installation; if you're fuzzing, let's say, an ASP target, you want to use an adapted wordlist. For that I recommend, for example, Assetnote: they have so many different wordlists based on what kind of technology you want to start fuzzing. Fuzzing is very powerful, you're going to find all kinds of stuff doing it. This is another simple bug found just by fuzzing; I found it last year. I found this bug which allowed me to access the admin panel of a company; it was an internal support panel. So what I did, basically, doing some recon I found an internal admin portal, it was like admin.redacted.com, because it's a private company and I don't want to disclose the name, so it's like admin.redacted.com/account. I just ran ffuf, which is an amazing tool that you can use for fuzzing; it's built in Golang, it's relatively fast. So I just used ffuf to brute force the directories from /account, and what I found is /account/register, very easy, very stupid. Register: what that means is that I could register my own account and become an admin of the portal panel. So basically I was able to register an account as an admin, and what is funny is that I could explicitly give myself as many permissions as I want, as you can see, all the permissions there. The register endpoint shouldn't have been public, because it's an internal panel, so now everyone can just register an admin account, and I got access to their internal panel. So fuzzing is very important, it's very powerful, especially if you're doing black-box hacking where you don't have much information about the target.

Another thing is JavaScript. I love JavaScript, I found so many bugs just reading JavaScript files, because all modern applications use JavaScript to load different things like endpoints, parameters and all that stuff. So when
I'm hacking online app I I literally first thing I do is just like gather all the JavaScript files that are being fit or loaded by the that app because I know in those JavaScript I can find endpoints I can find parameters I can find hard-coded hard-coded credentials API Keys everything so reading and inspecting JavaScript files is very important it's it's one I've got a friend of mine he got like probably 80 percent of these bugs are post message bugs from JavaScript files so I highly recommend that you reach JavaScript when I I'm hacking on an app I use burp Suite so basically I just filter by GS I by JavaScript files and I copy all the
JavaScript links and then those links I feed them to to the link finder Pi which is a tool that you can use to automate the JavaScript files inspection and it gives you all the end points that extracts from those JavaScript files and those endpoints might be might be new features might be invisible not used in the main app so it will give you a competitive advantage okay this is a this is another vulnerability that I found last year again in a live hacking event so uh I I'm pretty sure a lot of people missed it because they haven't they haven't thoroughly read those JavaScript files so what happened here is that I was able to take over uh any account on three uh
three multiple three different services for this company uh so basically I was just looking at the JavaScript files and I found this endpoint the first one partner connect so I found this endpoint uh there is the path parameter so when you navigate to that endpoint you are actually being redirected to their entertainment service it's the so basically they're using that this endpoint for authentication uh so basically the path parameter was intriguing so I was like okay let's try an open redirect on this path parameter so I tried the most typical payload which was just using the dot example that com so basically the the the the the the the companies domain will become a sub domain and then the I realized
that the path parameter was was uh vulnerable to an open redirect vulnerability and what is intriguing here is that we in the redirection happens it actually leaks the user access token and I can use that access token to take over to uh interact with to interact with the user with the victims account so basically here though what I'm just gonna what I'm just saying is that I found it because I read the JavaScript that's how I found that endpoint and that's how I found those parameters and constructed them and this allowed me to take uh over their entertain the user entertainment account as you can see in the use case parameter it holds entertainment there was also a
dining one there is another service called uh travel so basically I can take over three uh three services and it was paid as a high security but all right so we're just talking about JavaScript files how important they are because they have so many juicy stuff in there but one one other thing that you can actually do is that you monitor the changes because like in those javascripts uh a lot of developers I said earlier they are always pushing new code they are always building new features they're building new stuff so so they're always changing these JavaScript files what you want to do is you monitor them you monitor them so when they change something in that
JavaScript you get a notification and you are the first one to check it so what I recommend that if you want to monitor these JavaScript this is a this is a tool that I recommend I I contributed to building it it is called jsmon so basically you give it the JavaScript links and it just monitors them on a daily basis and then when is when there is a change on that Javascript file you just get a notification and this will give you a competitive Advantage because you're gonna be the first one to check for the new changes maybe you'll find uh something vulnerable uh similarly I I mentioned earlier that you should be fuzzing into points
parameters everything uh one way you can do that is one of my favorite extensions is it is called param Miner paraminer basically allows you to uh enumerate parameters when you have an HTTP request uh and then you don't have much information about that HTTP request you might use paraminer so you can actually enumerate hidden parameters you can enumerate uh headers uh and and a lot of stuff that you can integrate with paraminer it has a huge word list it actually works very well I've had really good success with it and I highly recommend it uh there were there were times when I found like a hidden hitter that was vulnerable to a SQL injection uh there
was a time when I found a hidden parameter called URL which was also vulnerable to an ISS RF vulnerability so there is so much you can do with paraminer and just talking about the application Level uh application based reconnaissance here we are just talking about application based reconnaissance we're not talking about enumerating subdomains or whatever because this is way more important actually and one way to actually enumerate endpoints is to use the the tool that I call go this is the best tool ever and props to carbon who built this tool so basically this one when you give it the the the asset the Target that you want it just uh gives you all the end points that were
previously indexed in like the internet archive or index somewhere else so basically you have uh you have an access to a whole lot of endpoints that you can start hacking on so this this tool is really amazing great success with it as well so highly recommend it all right scope is negotiable uh basically when you're hacking on a program there's like there is an in-scope assets the company tells you you only hack on these assets these domain names don't hack on this domain names so we call it disco so basically when you're hacking on an app sometimes you're limited sometimes the app is very limited you don't have much access what I what I suggest is that you expand the
scope how you check if the company has so basically if you're hacking the website their website check if the if the company has a mobile app check maybe they have a browser extension or maybe they have desktop app or just some other kind of app when when they have these you can just decompile them not necessarily to hack on them but just decompile them to gather all the leads and insights in inside those apps maybe you'll find hard-coded in points you'll find juicy hard-coded uh credentials so this is the way to expand the scope this is basically may sound like going out of scope but as long as you're not necessarily mainly hacking on that app you're gonna be fine so as yeah
I mentioned it there never hack never hack one out of scope assets but only use it to click insights on that list this is this an example another vulnerability so basically I was hacking on this company I've been hacking on it for like two years and at one point I couldn't find anything anymore uh the scope just seems very limiting but this company they had an extension a browser extension the browser extension was not part of the scope but uh I I needed I needed some further leads that can help me to hack on the main scope so what I did I downloaded the extension I decompile it which is pretty easy uh I decompiled the the browser extension
It had three million installs, which is pretty high. So I decompiled it; the first thing I did, I reviewed the manifest.json file, because when you decompile a Chrome extension, for example, there is always a manifest.json that has some definitions. What I noticed is that they have some whitelisted domain names; this one I call evm-target.com. So this one was whitelisted there, and what I noticed is that this domain name was whitelisted but it was expired. I mean, I could buy it; I could purchase that domain name for 12 euros. But I was looking for what I can use this domain name for: even if I purchase it, what can I use it for? Is there something I can do with it? So I dived into the code analysis, and what I found in the code is that there is a regex validation that was checking for whitelisted domain names; it was checking if that domain name is whitelisted or not. If it's whitelisted, then the extension will append a header to the user request; as you can see below, xwb session, with the user session. So basically, if I purchase that domain name, and there is a victim that is using the Chrome extension and then they visit that domain name, their HTTP request will contain their session, so I can freely extract it because they're visiting my own website. So that's what I basically did: I just purchased that domain name, I set up my PoC, so basically when I send the website to the victim and they access it, I can extract their session from the header, because my domain name that I purchased was whitelisted. So that was an account takeover; again, it was a high severity bug. As I said, just expand the scope; if you're limited, try to explore other things that the company might have on the side. Yeah, exactly, so as I was mentioning, I bought the domain name; when the user accesses my domain name, there is a session token that is appended to their header. I can extract it, and I can show it there, as you can see from the PoC.

All right, just talking about understanding the app, this is a vulnerability that I found that really required a deep understanding of the application. Basically this is a company that I've been hacking for three years, and I hadn't found this one until last year, because it really required deep understanding of the app, and because it's a bit complicated. So it was an account takeover due to broken authentication. What was happening is that when the user tries to log into the developer portal, when they navigate to the sign-in page, there is an OAuth flow that is being initiated, and in the OAuth flow, as you can see here, I noticed there's a correlation ID parameter. I did not know what it was doing, but it was very intriguing. So when the user enters their email address and password and they log in, what happens next is that the user is redirected to a login callback with the correlation ID that is being authenticated. So the correlation ID is being taken and then sent to an auth callback, which then returns the authorization code. So basically, the user navigates to the sign-in page, there's an OAuth flow that is being initiated with a correlation ID; when the user logs into the page, the correlation ID is being sent to the login callback, and then the authorization code is being returned. So I was thinking, how can I hack this one? What can I do here? What I found is that actually I can generate my own login link with my own correlation ID, because basically if you know the user's correlation ID, you can generate their authorization code. So I generated my own login link with my own correlation ID, as you can see there, then I sent it to the victim. So when the victim logs into their account, the correlation ID has become authenticated; I have the correlation ID, so I can send the correlation ID to an OAuth endpoint and exchange it for an authorization code. But the catch here is that I have to beat the user; I have to be the first one to exchange the correlation ID for an OAuth authorization code, so in this step I had to automate it. Basically, when the user logs in, I quickly exchange the correlation ID for an authorization code, and that was an account takeover. I hadn't found it until like three years later, because it really required understanding the app.

Let's talk about automation. I've mentioned automation quite a few times, but let's talk about it. When we talk about automation, there are different aspects of automation that we talk about. The first one is automating recon and content discovery. By this I mean automating the data collection; it could be collecting subdomains, DNS records, port scanning, directory and file enumeration, and there are so many tools to achieve this. This is one part of the automation. We also talk about automating vulnerability discovery; automating vulnerability discovery could be active or passive vulnerability scanning, so basically you're automating the scanning instead of doing the manual thing. Also we talk about automating change monitoring; as I mentioned earlier, you can automate monitoring JavaScript files so you don't have to check on the JavaScript every once in a while; you can just automate that. We'll also talk about automating repetitive tasks: some boring tasks that you always do manually, you can automate; you can just write a script to automate it so you don't have to do the boring task. For each of these categories we have a bunch of tools that you can use. For the recon, for example, there is amass, hakrawler, httpx, dnsx; there are so many tools that you can use for automation. You don't even need to build your own tools anymore; there are so many open-source tools that you can use. For the automated vulnerability discovery there is nuclei; I'm sure a lot of you are very familiar with nuclei as well. For the changes you can use amass; Sublert is my tool to monitor subdomain enumeration. And then we have other tools for repetitive tasks.

So when we talk about automation, this is a simple flow that you can build yourself if you want to build your own automation. This is a simple reconnaissance flow. It starts from the first step, which is loading the scope. Loading is basically you go to HackerOne, a bug bounty platform, and you extract all the assets that are in scope, that the companies are interested in. So you extract everything; you can use the bbscope tool, which allows you to extract everything in an automatic way. The second thing you want to do, when you have the assets you want to hack, is to run subdomain enumeration on those assets so you can find subdomains. You can see some tools that you can use; I use amass. Then you can use the permutation technique; this is an amazing technique that I really recommend. Permutation is basically when you find a subdomain, say for example admin.example.com, you can try permutations, which is like admin-test or admin-prod. This is what we call permutation; you're permuting different words so you can find more subdomains. After you do permutation, you can run DNS resolution so you can find the subdomains that are actually resolving, and then you can do DNS enumeration, port scanning with nmap, and then the last step is vulnerability discovery: once you have all that data, you're going to run vulnerability scanning on it so you can find bugs. So this is a simple flow if you want to build your own automation.

This is a project of mine that I've been working on with a friend of mine, Maluk, last year. We've been working on building our own automation; this is how it looks. We basically built it with Python on top of the Django framework; we use Luigi for task orchestration, Bootstrap for the interface, and we used Postgres for the database. For the tools that we use, we basically used nmap, which is a classic; we used amass for subdomain enumeration; we used a bunch of port discovery projects like httpx, and nuclei for vulnerability scanning. So this is how it looks: we can add assets, we can edit assets. These are the notifications we would get when the automation finds a vulnerability, when we find a subdomain takeover for example. This is our dashboard: in total we were monitoring 84... how much is that? 8 million assets. We were continuously monitoring 8 million assets; we got like 55,000 vulnerabilities, a lot of them actually informative because we did not filter them out. So if you want to build the automation, it's as easy as that, as I showed you earlier.

But one thing that you should know is that there are so many open-source projects; as I mentioned, there are so many open-source tools. You don't even need to build your own tools; you can just use those open-source tools in your automation. Also, one thing is that automation should be complementary. What I mean by that is that you should be focusing on manual hacking; automation you just use to find some bugs, like for example low-hanging fruit. You want to focus on high severity bugs and then use automation to find some low-hanging fruit, some easy bugs on the side, but you always want to focus on manual hacking. Also, efficient automation should give you actionable bugs; if your automation is just finding false positives, like informative bugs, something that is not actionable, then it's just wasting your time. So you want to make sure that your automation is actually finding security bugs. The challenge is task orchestration. A lot of people build their automation just using a bunch of bash scripts, and if one script breaks down, the whole automation breaks down. So you want to use some tools for task orchestration; we used Luigi, which was built by Spotify. Then you want to do load distribution across multiple servers, because when you're doing automation you're monitoring so many assets; you cannot do that on one server, you need so many different servers, so you need to balance the load across multiple servers. You can use Kubernetes, for example, or you can use Fleet and Axiom, which is very compatible with bug bounty hunting. Also, most of the time automation catches low-hanging fruit, and as I mentioned, the low severity and medium severity bugs are usually just going to result in duplicates, which is frustrating. As I mentioned, there are so many automation frameworks that you can just install; you don't have to build your own: there is reconFTW, Osmedeus, reNgine, Axiom, etc. Also, one of the most powerful tools being developed is nuclei, which is a vulnerability scanner. Basically a lot of bug hunters are using it blindly, so they just use nuclei with the existing templates, which is not an effective approach, because other hunters are doing exactly the same. So when you're not doing anything different, basically you're just going to get so many duplicates if you're using the nuclei tool blindly. You want to do your own security research and build your own templates and feed them to the tool. Yeah, exactly, as I mentioned here. So basically we were always taught... like, when I started hacking I did not know how to code, so basically I started hacking without any coding knowledge, and I did fine, honestly.
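The permutation and DNS-resolution stage of the recon flow described above, written out as an added example (this is not code from the talk or from the speaker's own automation project). It takes a discovered subdomain such as admin.example.com, generates candidates like admin-test.example.com and staging.admin.example.com, and keeps only those that resolve. The resolver is injectable: the constructed `FAKE_ZONE` table stands in for real DNS so the block runs offline, and `socket.gethostbyname` can be passed in its place for a live run. The function names and the short `DEFAULT_WORDS` list are this example's own choices.

```python
"""Subdomain permutation + resolution stage of a recon pipeline (added example)."""
import socket
from typing import Callable, Iterable, Optional

# Constructed, deliberately short permutation wordlist; a real run would use a
# context-based wordlist as the talk recommends.
DEFAULT_WORDS = ("test", "prod", "dev", "staging", "api")


def split_host(fqdn: str, root: str) -> Optional[list]:
    """Return the labels left of `root` in fqdn, or None if fqdn is not under root."""
    fqdn, root = fqdn.lower().rstrip("."), root.lower().rstrip(".")
    if fqdn == root or not fqdn.endswith("." + root):
        return None
    return fqdn[: -len(root) - 1].split(".")


def permute(fqdn: str, root: str, words: Iterable[str] = DEFAULT_WORDS) -> list:
    """Generate permutation candidates for one discovered subdomain.

    For admin.example.com and the word 'test' this yields admin-test, test-admin,
    test.admin and admin.test (all under example.com); names with several labels
    get each label permuted in turn.
    """
    labels = split_host(fqdn, root)
    if labels is None:
        return []
    out = set()
    for w in words:
        for i, label in enumerate(labels):
            for replacement in (f"{label}-{w}", f"{w}-{label}"):
                new = labels.copy()
                new[i] = replacement
                out.add(".".join(new) + "." + root)
        # the word as an extra label in front of, and behind, the existing ones
        out.add(".".join([w] + labels) + "." + root)
        out.add(".".join(labels + [w]) + "." + root)
    out.discard(fqdn.lower().rstrip("."))
    return sorted(out)


def resolve_all(candidates: Iterable[str], resolver: Callable[[str], str]) -> dict:
    """Resolve each candidate; return {name: ip} for the ones that resolve."""
    found = {}
    for name in candidates:
        try:
            found[name] = resolver(name)
        except (socket.gaierror, OSError, KeyError):
            continue  # NXDOMAIN or lookup failure: not a live host
    return found


# Constructed DNS answer table standing in for the real resolver (offline run).
FAKE_ZONE = {
    "admin-test.example.com": "10.0.0.5",
    "staging.admin.example.com": "10.0.0.9",
}


def fake_resolver(name: str) -> str:
    return FAKE_ZONE[name]  # KeyError plays the role of NXDOMAIN here


def run_permutation_stage(seeds: Iterable[str], root: str,
                          resolver: Callable[[str], str] = fake_resolver) -> dict:
    """Permute every seed subdomain, then keep only the candidates that resolve."""
    candidates = set()
    for seed in seeds:
        candidates.update(permute(seed, root))
    return resolve_all(sorted(candidates), resolver)


if __name__ == "__main__":
    # Swap fake_resolver for socket.gethostbyname to resolve against real DNS.
    for name, ip in run_permutation_stage(["admin.example.com"], "example.com").items():
        print(f"{name} -> {ip}")
```

Keeping the resolver injectable is also what makes the stage easy to orchestrate: the permutation step is pure and deterministic, and only the resolution step touches the network, so a failure there does not take the rest of the pipeline down with it.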
I did really fine, but over the years you realize that actually coding is very important. Coding and reading code is going to give you a competitive advantage. So you can actually start hacking without any coding knowledge, you can do it from a black-box approach, but at one point, if you want to step up your game, if you want to be a good hacker, you want to learn how to code; you want to learn to read code, because it's very necessary and it will give you a very competitive advantage. As I said, black-box testing is fun, but when you can actually read the code you're going to find way more bugs. Even some bugs like XSS, the client-side bugs, like a DOM-based XSS, require a certain understanding of JavaScript to find. So at one point it's very important to learn how to code. Also, you can use that skill to find zero-day vulnerabilities in software. You can find zero-day vulnerabilities, for example, in WordPress: you can read the code, find a bug, and then you can check and find all the companies that use WordPress, and then you're going to get bounties from there. So basically you can use it for 0-day research. And also, when you're doing security research, I recommend you look for pre-authenticated or unauthenticated vulnerabilities, because when you're participating in bug bounty you cannot just tell the organization, hey, you need to log into your account so then you can upload this web shell. So you should be interested in finding unauthenticated vulnerabilities if you want to do bug bounties.

Another thing that I recommend is monitoring for new CVEs. When there is a new vulnerability that was found, it's usually assigned a CVE for tracking purposes, and what I personally do is I monitor the new CVEs, so when there is a new CVE that is being pushed I get notified; I know there is a new vulnerability that was found, so I can actually go and look for it on other companies. So you want to monitor CVEs, and I highly recommend you check AttackerKB, which is basically kind of a forum where other security researchers discuss new vulnerabilities; you can find PoCs, you can find exploits there that you can basically use in your bug hunting or hacking.

Also, if you want to get into security research, these are some of the references, some of the sources that I highly recommend. There is this article by James Kettle, a very good researcher, if you want to get into security research. There is the Assetnote blog; you can find so many bugs that are explained in a very good way, with the technical details and the exploit as well. The OWASP Code Review Guide; the PentesterLab code review exercises, there are some amazing exercises if you want to get into code analysis; and there is the OSWE certificate, if some of you are interested in certificates. I recommend the Advanced Web Attacks and Exploitation cert; it's a very good one, it has a good reputation, and the OffSec certs have a good reputation as well.

All right, so let's talk about security impact. Basically, when you're doing bug bounties, it's not like doing a penetration test; you have to show impact. When you find a bug, if it doesn't have a security impact, then it's not really a bug. So when you're doing bug bounties you have to demonstrate to the organization that your bug actually has an actual security impact. For example here, if you find an XSS and then you just tell the organization, hey, I found this pop-up, I can just do this JavaScript; or you can actually show them that you can use the XSS to hijack the user session token. Which one do you think would get paid more, the simple pop-up below, or the one where the attacker has demonstrated they can use the XSS for session exfiltration? I'm pretty sure the first one will get paid a lot more than the first example.
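The pop-up versus session-exfiltration contrast above comes down to two controls on the defending side, shown here as an added example (not code from the talk): whether user input is encoded when it is rendered, which decides if there is an XSS at all, and whether the session cookie is even readable from script, which decides how far an XSS can be escalated. The sample input, the Set-Cookie headers and the helper names are all constructed for this example.

```python
"""Output encoding and session-cookie attributes: what bounds XSS impact (added example)."""
import html
import re

# Constructed attacker-controlled input: the classic pop-up proof.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_comment_vulnerable(comment: str) -> str:
    """Reflects the input verbatim, so any markup in it becomes live HTML."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Encodes the HTML metacharacters, so the input is displayed as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_live_tag(markup: str) -> bool:
    """Crude comparison helper: is there still an unencoded tag inside the wrapper?"""
    inner = markup.replace('<div class="comment">', "")
    return re.search(r"<\s*[a-zA-Z]", inner) is not None


REQUIRED_FLAGS = ("httponly", "secure")


def audit_set_cookie(header_value: str, session_names=("session", "sid", "token")) -> list:
    """Return the attributes a session cookie is missing (an empty list means fine).

    HttpOnly keeps document.cookie from exposing the value to an injected
    script, which is exactly the escalation the talk describes; Secure keeps it
    off plaintext HTTP; SameSite limits cross-site sends. Cookies whose name
    does not look like a session cookie are not judged.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip().lower()
    if not any(s in name for s in session_names):
        return []
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    if "samesite" not in attrs:
        missing.append("samesite")
    return missing


# Constructed Set-Cookie values: one weak, one hardened.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_INPUT))
    print(render_comment_safe(SAMPLE_INPUT))
    print("weak cookie missing:", audit_set_cookie(WEAK_COOKIE))
    print("hardened cookie missing:", audit_set_cookie(HARDENED_COOKIE))
```

The cookie audit is the check a triager reaches for when an XSS report claims session hijack: with HttpOnly set, the same injection still exists but its demonstrated impact drops, which is why the attribute belongs on every session cookie regardless of how well output is encoded elsewhere.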
it's one bug but you have to demonstrate what you can do with it because this is not a painting if you're doing back bounties it's not a penetration testing where you can just like report the bug you have to show actual impact you have to show the organization what you can do with it uh yeah as I mentioned background is not a traditional painters so you have to demonstrate security impact which is very important uh always ask this question if you find a bug what is the worst thing I can do with this vulnerability so always you want to always maximize the impact always the escalate uh and also most companies they pay bounties based on CVSs CVSs is a
standard there is a standard that we use in the industry to assess the severity of a vulnerability when you find a bug it's either a low severity medium severity high or critical so when you have an understanding of the services you want to double down on each component of the services you want to make sure to demonstrate that you can affect confidentiality with deer bug you want to make sure you demonstrate that you can affect availability and integrity Etc so understanding Services is important also uh think out of the box when you get a bug uh you don't know what to do with it just think out other box I think out of the box think of
creative ideas there are always some ideas there are always some change that you can you can you you can use with your bug exactly so when you find a low hanging fruit box like a simple like a low bug for example that open redirect usually when you submit an operatorx for a company it gets paid like 100 bucks 200 bucks depends on the program but what I personally do I don't submit that that bug for the organization I keep it for myself and I wait for the opportunity to use it with another vulnerability so I can chain it and maximize my impact same thing goes for open redirect cooking injection for example if you find an exorcist without
any security impact don't submit it to the program keep it for yourself because at one point if you keep hacking on that company you're probably gonna use that exercise along with another bug to maximize your impact also always make sure you abide by the program rules sometimes you you find a bug and you want to maximize your impact you want to access their internal Network you want to extract internal data you have to be careful what kind of data you're extracting from the company because some some some people they find an ssrf and they start they start pivoting in the internal network of the company which is bad or sometimes when you're testing uh when you're extracting user data always
use your own account use two accounts do not extract other users data that will violate the company's rules and I'm pretty sure you're not going to get paid for your work so always abide by the program rules and be careful what you what you do when you're trying to maximize impact all right when we talk about bounties nowadays we started talking about collaboration uh as I mentioned earlier some of my bugs I found them in collaboration with some Trends collaboration is very powerful why because like everyone when you're working with someone else everyone brings a different skill set to the table maybe I'm good at web hacking and the other guy is good at mobile hacking
and we when we combine that it's it's a powerful collaboration from from just from my experience some of the most impactful vulnerabilities that I've seen myself were were a result of collaboration between a team or just two people so if you're doing back bounties you want to get to know other people you want to start collaborating with them so you can join forces uh as you see everyone brings a different skill set uh even black money platforms like hacker one they recognize that collaboration is powerful so what they started doing is they started building features to see Port collaboration now on hacker one you can add someone one as a collaborator to your report you can even split Bounty
automatically so they're just keep adding in features to support collaboration also if you're stuck somewhere there are so many uh communities out there online there is like a hacker one Discord where you can find so many Hunters so if you're stuck someone you can just shoot them your question I'm pretty sure everyone will be happy to answer it there is the nehem stick Discord uh Community the back Bounty World slack if you just Google those I'm pretty sure you're gonna find the link to access those communities so this is one way to collaborate with other people because uh because trust me collaboration is very powerful and I've seen a lot of people make great progress
just collaborating with other people but when you're collaborating when you're working with someone you have to be very you have to be very uh to have to agree upfront on on some terms for example if you find a bug together how much is going to be displayed is are you going to split the Bounty 50 50 because I've seen a lot of conflict summarize because if that like they find a bug and this one wants 30 the other guy wants 50 so you have before you even start collaborating you have to agree on the balance split and also you have to uh make sure uh that if it's a unique security research the other partner is
not gonna leak it, because some people do security research and then leak it to the public, so you want to be very upfront in that regard.

Okay, just talking about collaboration: this is a Twitter DM I received from a guy. So basically he found an SSRF, which is a low severity SSRF, it's a known CVE. So this guy was like, hey bro, I know you're very good at SSRF and I got this SSRF which is low severity. He wants to maximize the impact, because with a low he would get paid 100 bucks, so if he managed to maximize the impact it would be worth a lot more. So what I like about this guy is that he's very upfront, like in advance he's like, I will share, it's gonna be a 50/50 bounty split. As I mentioned earlier, you should agree upfront about the bounty split. So he gave me the details.

So this is a kind of Confluence instance; he managed to hit external websites with this SSRF. Hitting external websites, there's not much impact there. So as you can see, the URL parameter is the one that's vulnerable; we pointed it to the Burp Collaborator and we can see the response. So it's an SSRF with a response, which is a good start, but this is low, right? So I tried to point it to the localhost address and I managed to hit the internal network of the company, and I received "Welcome to nginx", which means I accessed the internal network. But there isn't much you can do with this; I mean, I managed to access the internal network but there isn't much impact here. So I wanted to escalate the impact further, because this would have been just a P2, maybe a medium severity bug.

So I wanted to escalate the impact, and I noticed that the company, or the instance, was hosted on AWS, Amazon Web Services. So what I thought about next is maybe I will try to hit the metadata endpoint. If you guys are familiar with the cloud, the AWS metadata endpoint has security credentials stored there. So I basically pointed the URL parameter in the request to the metadata address, but unfortunately I got a 401, which is unauthorized, whereas normally when you send a GET request to the metadata endpoint you get a response. So I couldn't understand what was happening, so I kept searching and looking and reading documentation, and I came to realize that the company here is using a different version of the metadata endpoint. So in the past there was the EC2 IMDS version one: basically if you just send a GET request to the metadata endpoint you're gonna get a response back. But the new version, which is way more secure, actually requires you to send a PUT request with a special header to the metadata endpoint, and you get a token, a session token, and then with that token you can send an authenticated request to the metadata endpoint and extract the security credentials. This is a long process. I thought maybe this is a dead end; I didn't think I would be able to escalate this any further.

But I kept reading, and what I realized is that the Confluence installation here actually uses the Google Gadgets API, which is defined by the OpenSocial specification, and what I realized is that this endpoint takes the HTTP method parameter, the post data parameter and the headers parameter, which means I can control the HTTP request method, I can control the post data and the headers, which is all I need to make the attack scenario succeed. So what I did next is I sent a PUT request to the metadata endpoint to extract the session token. When I got the session token, I used that session token to send another request, another POST request, to the metadata security credentials endpoint with the session token in the header, as you can see there, and finally I managed to extract the security credentials. And this is maximum impact, because this is a critical.

So basically, because of collaboration, that guy reached out to me on Twitter, we managed to escalate a low severity bug to a critical bug and it got paid the maximum. So this is why I'm saying collaboration is very powerful: if you're stuck somewhere and you know someone with the right skill set, just reach out to them. I'm pretty sure they're gonna help and they will be happy, especially if you're gonna split the bounty. So I'm just going to talk about my
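Added example, not code from the talk: a small log check written from the defender's side that flags proxy requests whose `url` parameter points at loopback, private, link-local or cloud metadata addresses, and escalates when the caller also supplies an `httpMethod` or `headers` parameter, because IMDSv2's PUT-plus-token requirement is no mitigation once the proxy lets the client choose the method. The log lines, the `/proxy` path and the parameter names `url`, `httpMethod`, `headers` are constructed assumptions; the talk only says the gadget endpoint takes method, post data and headers parameters.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format); the /proxy path and the
# parameter names are assumptions standing in for the gadget proxy endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /proxy?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2023:10:01:09 +0000] "GET /proxy?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 612
10.0.0.5 - - [12/May/2023:10:01:20 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fapi%2Ftoken&httpMethod=PUT&headers=X-aws-ec2-metadata-token-ttl-seconds%3D21600 HTTP/1.1" 200 100
10.0.0.5 - - [12/May/2023:10:01:31 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F&headers=X-aws-ec2-metadata-token%3DCONSTRUCTED HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Cloud metadata services reachable from inside an instance.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def is_internal_target(host):
    # True when the fetched host is loopback, private, link-local or a metadata service.
    host = host.lower()
    if host == "localhost" or host in METADATA_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname: outside the scope of this check
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify_request(line):
    """Return a finding dict for one log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query)  # parse_qs URL-decodes values
    fetch_url = params.get("url", [""])[0]
    host = urlsplit(fetch_url).hostname or ""
    if not is_internal_target(host):
        return None
    method = params.get("httpMethod", ["GET"])[0].upper()
    severity = "medium"  # reaching the internal network, like the nginx banner
    if host in METADATA_HOSTS:
        # Metadata reach alone is high; caller-controlled method or headers means
        # the IMDSv2 token exchange can be driven through the proxy: critical.
        severity = "critical" if (method != "GET" or "headers" in params) else "high"
    return {"src": m["src"], "status": int(m["status"]), "host": host,
            "method": method, "severity": severity}


def scan_log(text):
    return [f for f in map(classify_request, text.splitlines()) if f]
```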
experience managing bug bounty programs... oh yeah, all right, all right, yeah.

So basically, bug hunting is not a race, it's a marathon. So it requires you to be consistent, it requires you to be persistent and to have patience. It really requires patience, because sometimes it takes so long to find a bug, or it takes so long to get paid, so you have to have patience. Take as many notes as you can. A lot of people start hacking and then they close everything down without taking any notes; a lot of my amazing bugs are because of the notes that I've taken over the years, so take as many notes as you can. And also keep learning. Don't stagnate, keep learning, because there are always new technologies, new techniques, new security research. So if you want to stay ahead of the game, if you want to be one of the top bug bounty hunters, you have to keep learning every day. And also bug hunting can drain your mental health; you can hit burnout very easily, because it's not easy. So you want to do a lot of other activities on the side and just really have fun. It's supposed to be fun. That's it, thank you so much, appreciate it, thank you.