Your web bug hunting methodology
Posted in BugBounty Discussion by @neolex
I created this post to talk about your different bug hunting methodology.
I read a lot of books and write up and I think my knowledge are enough to start hunting but I'm on bug hunting for a week and can't find anything.
I guess my methodology to do bug hunting is the problem, what methodology do you use ? Do you test each vulnerability from a list one by one ? Do you use the site and test what comes in your mind ? other one ?
Edited on 2018-11-08 at 08:11:28pm (GMT)
Hello neolex, Bug hunting is a very competitive field some of these guys are really skilled like @zseano here but that doesn't mean you won't find bugs, first bug is always the hardest, patience and effort are the keys, I think that the most important thing is that you grasp the concepts and types of Vulnerabilities, you need to be able to think differently it takes time to be able to apply a methodology and execute it effectively. I usually pick a program, use the app monitor each request and get familiar with the parameters, cookies and the overall behavior of the app like how many apis what kind of authentication is in use how does the app handles post requests. then identify all sources and sinks and try to find hidden params then start looking for bugs like IDOR csrf account takeover ssrf... Trying to apply a methodology made things harder for me so now I just go and do it this is all experience so don't worry about not finding bugs. Stay focused and happy hunting.
im a beginner too but i think you dont go in a program and start looking for everything, you must try to understand the logic and how the app handles auth etc and after that pick your fav vuln(XSS,SQLi or whatever you prefer) and start searching for that, when you think you have try enough, try to find an other vuln etc etc. Because if you find for every vuln you know you are not 100% focus on the essential
I dont know if that make sense but i hope you understand what i try to explain lol
Treating bug hunting like a checklist-driven assessment will likely bring you more frustration than bugs.
When I'm hunting, I take notes on the app I'm exploring, answering questions like below along the way.
- Where is input accepted and potentially displayed to the user?
- What endpoints save data?
- Any file upload functionality?
- What type of authentication is used?
I will then think of different ways to achieve a goal, rather than specific exploits. Think "How can I access functionality to which I should/do not have access?" rather than "Where is IDOR possible?" Keeping a goal in mind helps keep you from limiting yourself to one type of attack. Sure, it can be useful to look for XSS across an entire app, but that type of focus can lead you to miss sometimes obvious vulns located elsewhere. I also think of ways something like the authentication/authorization models can be exploited and check those out.