This is something that has been on my mind the past few weeks, and it’s concerning the topic of utilizing methodologies that are common in the bug bounty arena in domestic penetration testing. Especially when it comes to very high and open scope tests that may have a large number of assets.
Typically as a penetration tester, your goal is to 1. Get in, and 2. Identify as many different potential ways of getting in. That may include any number of vulnerabilities.
Some bug bounty methodology techniques include performing site-wide screenshots, automating the download of all detected JavaScript files, and scraping them for secrets by regex.
I see a lot of automation and continuous scanning solutions come out of this revolution known as the bug bounty community. I honestly feel as if some of the best, highest motivation hackers are in the bug bounty space. Innovation has been bred out of the reward of a bounty. Personally I am developing a solution revolving around automated enumeration (and then further diffing, or tracking the changes between scans).
I was watching some of the conference talks at NahamCon today, and one thing I noticed was that feeling of awe that I felt when I first started out in security, that feeling of “wow these people are on another level”. I really feel the bug bounty community right now will be remembered in history for what it has done to open the gates to those with the merit to receive the rewards.
Mostly for me, it is the community. Twitter is extremely active with bug bounty hunters that share their tools and knowledge continuously.
What are your thoughts? Have you had a chance yet to peek into what the people in the bug bounty circles are doing? Do you think it has any significance? Let me know!
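As an added illustration of the two techniques the opening post mentions (regex-scraping downloaded JavaScript for secrets, and diffing the results of one enumeration run against the next), here is a small Python script written for this thread rather than taken from the poster's own tooling. It is framed as an audit of your own deployed bundles: the two "scans" are constructed in-memory snapshots, the regex set is a deliberately short illustrative one (the AWS key is the one from AWS's own documentation example), and fetching the files over HTTP is left out so the script runs offline.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Illustrative patterns for a few widely documented credential shapes.
# A real audit would use a maintained ruleset; these are assumptions for this example.
SECRET_PATTERNS = {
    # AWS access key IDs: 'AKIA' followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Quoted 16+ character value assigned to something named api_key / apiKey / secret
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""
    ),
    # PEM private key header
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A finding is (url, kind, matched value); a set makes scan-to-scan diffing trivial.
Finding = Tuple[str, str, str]


def scan_js(url: str, body: str) -> List[Finding]:
    """Run every pattern over one JavaScript file body and return its findings."""
    findings: List[Finding] = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(body):
            # Use the captured value when the pattern has a group, else the whole match
            value = match.group(1) if match.groups() else match.group(0)
            findings.append((url, kind, value))
    return findings


def scan_many(files: Dict[str, str]) -> Set[Finding]:
    """Scan a {url: body} snapshot of downloaded JS files and return all findings."""
    results: Set[Finding] = set()
    for url, body in files.items():
        results.update(scan_js(url, body))
    return results


def diff_scans(previous: Set[Finding], current: Set[Finding]) -> Dict[str, List[Finding]]:
    """Report what appeared since the last run and what went away (i.e. was fixed)."""
    return {
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
    }


# Constructed snapshots standing in for two consecutive enumeration runs.
# 'sk_live_...' is a made-up value; 'AKIAIOSFODNN7EXAMPLE' is AWS's documented example key.
SCAN_PREVIOUS = {
    "https://app.example.test/static/main.js": "var apiKey = 'sk_live_0123456789abcdef';\nfetch('/api');",
    "https://app.example.test/static/vendor.js": "/* vendor bundle */ function x(){}",
}
SCAN_CURRENT = {
    # The hard-coded key was moved into runtime config, so this finding should resolve
    "https://app.example.test/static/main.js": "var apiKey = window.__CONFIG__.key;\nfetch('/api');",
    "https://app.example.test/static/vendor.js": "/* vendor bundle */ function x(){}",
    # A new bundle shipped with an embedded AWS key, so this should show up as new
    "https://app.example.test/static/upload.js": "const creds = { accessKeyId: 'AKIAIOSFODNN7EXAMPLE' };",
}


def run_example() -> Dict[str, List[Finding]]:
    """Scan both snapshots and diff them; returns the diff for callers and tests."""
    return diff_scans(scan_many(SCAN_PREVIOUS), scan_many(SCAN_CURRENT))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

In a real run the `files` dictionary would be filled by fetching each script URL discovered during enumeration, and each snapshot's finding set would be persisted (a JSON file per run is enough) so that `diff_scans` can compare today's run with yesterday's and alert only on the `new` entries.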
I think the reason bug bounties are so successful is the fact that everything one needs is a computer and free time. You don’t have to be employed and you can adjust the time you have for your needs, e.g. a student probably doesn’t need a proper employer salary (although no one would say no), so they hunt as much as they need to and the rest is just for fun. This brings many people with little to no experience into the infosec world, where they can prove their skills and earn some. Also, testing your skills out there in the real world is extremely beneficial for the hunter’s skills.
… the rest is just for fun.
This also plays a big role in the community role. Many people, like myself, do it for fun (profit is just a nice addition), so there is no need for me to hide my techniques or knowledge. So I publish everything I have so that the community can benefit from it (and hopefully does).
Also, I have some questions for everyone out there about bug bounty/pentest methodologies:
When there is a completely open scope, like *.domain.com, from which domain do you start looking for bugs? Is there a reason behind this? I personally start with the main app and slowly begin to explore the other domains.
Also, when you’re performing site/domain-wide screenshots, what do you see that can pique your interest? Text inputs? Login forms?
Yes, this so much! People in countries with little to no opportunity can use their literal 20-year-old hand-me-down computer, install Parrot and make serious dough just by hacking! I love it.
The other awesome thing about the concept is that there is no possible opportunity for bias in a hiring process, since there isn’t one. The only potential opportunity could be the bug triager; however, if you’re anonymous (which you totally can be) you should be treated entirely on merit, which is awesome!!
In answer to your question, when I look at my Aquatone results, I look for error messages, maybe there’s a takeover opportunity? Which are Cloudflare, which are not? CMSs too, if there is Jira, can I find an outdated version? Is there an authenticated vuln that I could exploit if I could successfully spray?
Something I’ve been doing lately is pulling emails from LinkedIn and generating usernames. It’s not worked yet, but it could; worth a shot.
Bug bounty certainly has its ways to improve security posture. However, last time I checked (it was a very long time ago though) I found the system itself is pretty rigged against the researchers. Bug hunters are under strict regulations in their every step (and they should be) but there isn’t any regulation toward corporations to make them fulfill their responsibilities (pay the bounty). Corporates can easily disqualify your findings from any bounty. But if you, as a bug hunter, aren’t paid (unrightfully) you don’t have much to do! You can only downvote the company, tweet or maybe blog about your bad experience. And that’s it. Things may have changed though.
Dupes are a total dick-punch also, you did the work, you found the bug, no money? Fuck!
I have heard that good private programs are where the money and good stuff is at. I think it’s something that just happens to every researcher, but if you’re good, and you get with the right programs, then it can be really badass.
Bug Bounty has its problems, but it’s also very immature right now and people are just getting started really. It really IMO is driving innovation, and some people do very well out of it.
I believe BB platforms such as H1 and BugCrowd should take a firm posture to protect both sides. I find the current situation very biased, and private programs are not solving it, only delaying the problem. Requiring well-defined bounty qualifications and enforcing compliance via middle-man analysis could be a good start for BB platforms. Bug hunters, on the other hand, could pay an entry fee or commissions in order to become a stakeholder. The capital of BB platforms is their hunters, not customers. So IMO these companies should compete for attaining more hunters. And in order to cater for that they should start to firmly advocate on behalf of their researchers. Customers will follow after that.
I love what BB stands for and the lifestyle it could provide to security researchers. But personally I’m not thinking of attending any BB activity before this injustice is resolved.
I’ve only made two submissions to two bug bounty platforms; however, I feel as though it has worked against me in both instances. As an amateur security researcher trying to break into and get further into the industry with a portfolio, I depend a bit on writing about the vulnerabilities I find. So forgive me if I don’t understand how this is done; please correct me if anything I say is wrong or can be improved.
The first submission I made was a local privilege escalation: high-risk vulnerability. Not only was I marked as a duplicate, it was duplicated with a report that was a medium-risk file deletion. The difference between a high and medium finding on the program is $500 - $1,250. I got paid $50. Now I understood when I submitted this (although I had some hope) that this would not be publicly disclosable (it would have made an absolute killer write-up discussing chained vulnerabilities); however, the real issue was that the report was submitted almost a year ago (as of writing this) and is still in the triaged phase. Rest assured, future vulnerabilities I found in the same product/vendor were publicly disclosed and I rejected their offer to compensate me on their bug bounty platform.
The only problem with the second bounty I’ve submitted was that it was not allowed to be publicly disclosed. It would have definitely allowed for a really cool reverse engineering post and boosted my portfolio.
I don’t see how bug bounty platforms help the researcher in any significant way - the vendor still maintains power over the researchers and the vulns. But I don’t deny that it has closed the gap between the two parties. I know that the goal is to improve security and I know that you can do that without publicly reporting every single vuln found but I’m not a seasoned researcher, I don’t find vulns every day, and I have goals to get into certain places in the security industry. Every bit helps. Sure, I might get paid if my vuln isn’t a dupe, but to me, that’s only a bonus reward on top of the discovery of the bug - I would much rather the portfolio than the money. So as it stands now, I’m no longer submitting through bounty platforms, I will let vendors know if they have a vuln and if they don’t recognise and fix it, I will just drop it.
It’s true that companies still have the upper hand, even when platforms like H1 and Intigriti are present. And I don’t think that’ll go away anytime soon. I don’t know how companies and BB platforms operate with one another, but in the end it’s all about the company’s decision to accept or reject a bug.
I don’t see how bug bounty platforms help the researcher in any significant way …
The only help they provide is that the researcher can find many BB programs in one place. It just saves you time, I guess ¯\_(ツ)_/¯. But if you do BB for any reason other than learning, then it’s hard.
The best thing to do is to find a BB program of a company that actually respects the researchers and stick with it, which is hard, given the fact that, as you mentioned earlier, they have the upper hand.