Any advice on finding anything but low hanging fruit?
Posted in BugBounty Discussion by @monkeyman



I'm not sure if it's a mindset thing that's messing me up or not, but I can't seem to find anything other than trivial bugs. I've tried just sticking to one program for a couple months and just reading documentation on everything, but in the end the result was 5 months of nothing and 2 invalid reports.

I've been trying my hand at bug hunting for about 3 years now, but it seems that the only bugs I can find are ones that are really trivial.

I was wondering, what mindset do you guys have when really trying to crack something that seems unbreakable on the surface? Do you stay on one promising looking request for months on end? Do you read RFCs on everything that's even remotely relatable? What check boxes go off in your head that make you think, "This can't be exploited."?

Posted on 2018-12-04



Reading documentation is fine, but it sounds like you might be overdoing it a bit if you're reading docs and RFCs for months.

Personally, I read documentation to find out how something is supposed to work. I then ask myself what assumptions are being made that I can challenge and try to exploit.

As for checkboxes that make me think "This can't be exploited," that's tough to answer - it's more of a gut feeling for me. I have a full-time job and a family with kids, so my bug-hunting time is somewhat limited. When I've exhausted my knowledge, talked to some peers for additional ideas, and done the research that I feel adequately answers my questions - that's when I make the decision to keep hunting on that piece of functionality or to move on. I keep pushing on one thing iff I am convinced there is something further to explore or other attack vectors I haven't thought of.

It's also important to keep in mind what exploits you're trying to pull off and how they would manifest themselves in whatever piece of functionality you're investigating. Also keep in mind what a successful exploit would mean and the sort of impact it would have.

Also keep in mind that focusing on one thing for so long can cause you to miss opportunities to discover other vulns elsewhere.

Posted on 2019-01-07 at 04:20:46pm (GMT)



Thanks for the great reply.

I think I've come to the conclusion that I don't test APIs very well. Most of the time I'll only check for IDORs, but not put too much effort into logic bugs. The two API presentations at this year's LevelUp really opened my eyes to this. You should check them out if you haven't already.

Posted on 2019-01-28 at 07:07:40am (GMT)