
Top-Tier Bug Bounty Hunter Mindset

BSides Ahmedabad · 2022 · 1:06:07 · 47K views · Published 2023-02
About this talk
Yassine Aboukir shares strategies for developing a top-tier bug bounty hunter mindset, covering reconnaissance techniques, manual security testing, code review, and collaboration. Drawing on over a decade of experience and a rank among HackerOne's top 20 hunters, he emphasizes deep application understanding, creative testing over automation, and the power of working with other researchers to discover high-impact vulnerabilities.
Original YouTube description
Yassine talks about bug bounty hunter mindset in his KEYNOTE at BSides Ahmedabad 2022 #bsidesahmedabad #infosec #bugbounty #pentesting #security Link to slides: https://www.yassineaboukir.com//blog/Top-Tier-Bug-bounty-Hunter-Mindset-(BSides-Ahmedadabad-2022-Keynote)/
Transcript [en]

Our next keynote speaker, who in his own words is a digital nomad, a hacker who travels around the world out of a backpack and a laptop, and he literally does so, as we witness on his Instagram: exploring the world in his running shoes, skates, ski boots, cycles, scooty, surfboard, actually anything and everything he could lay his hands on. A travel enthusiast, a fitness freak, a fine chef. He's ranked in the top 20 on HackerOne and has won the MVH, Most Valuable Hacker, title for the latest HackerOne live event, h1303. Let's hear it with a huge round of applause for Yassine Aboukir.

Hello everyone, thank you so much for having me here today. It's really an honor to be invited to talk at BSides Ahmedabad. This is my second visit to India; I was here the first time during Nullcon in Goa in 2019, if I remember. I had such a good experience, so it's really nice to be back here. Thank you so much for having me. So I was thinking about the topic for today, what should I talk about, should it be technical or non-technical or something in between, because, just like Heather mentioned, there were no guidelines on what to talk about. But since a lot of you here are probably involved in bug bounties, and so am I, I thought naturally people will probably expect me to talk about that topic. But today it's not going to be about how to get started in bug bounties, because I think there's going to be another panel later on. I'm more going to talk about how you can actually step up your bug bounty game, how you can develop or build this top-tier bug bounty hunter mindset so you can find more cool and impactful bugs when you're doing bug hunting.

But before we get into it, let me introduce myself first. My name is Yassine Aboukir, and I go by the same username, yassineaboukir. I'm originally from Morocco, I'm based in France, and I'm a business major. I think a lot of you here probably have different backgrounds when it comes to studies; same for me, I come from a business background. I have two master's degrees, one in corporate finance and the second in management of information systems, and that was pure management stuff, literally no computer science or anything. That means that if you're passionate about something you can do it, regardless of whether you got a degree or not. I've been involved in application security consulting for a little over a decade now; I do a lot of pentests and security assessments for companies. I'm also involved in bug bounties; I've been doing bug bounties since 2013, it's been a long time. I'm one of the HackerOne top 20. Recently, this year, I won the MVH, the Most Valuable Hacker, at the live hacking event organized by HackerOne in Denver. That's me there holding the belt, I look like a UFC fighter, I know that, thank you so much. A lot of you probably know me by my avatar on Twitter, I use the goat. Don't ask me, I just love goats. I'm also an ex-HackerOne employee: I worked for HackerOne for a while, probably two years, from 2017 to 2019. That was such a very interesting experience that I'm going to talk about later on in the slides. And I've been traveling almost full time for over four years; I started in 2018 and I've been to a bunch of countries, including India, as I mentioned earlier, so probably 40 countries. And yeah, that's it.

All right, so let's get into it. I'm going to talk about how I got into bug bounties. As I mentioned earlier, I've always been passionate about security since a young age, probably 15 or 16 years old, and I loved finding security bugs in software just for the fun of finding those bugs. I wasn't doing any bug bounties back then, so what I was doing was kind of, I love to call it, irresponsible disclosure versus responsible disclosure. Basically I was finding security vulnerabilities in software and I would just post them publicly on exploit databases, which is not the way to go about it, because you have to coordinate with the vendor before you actually post it. But I was just, I don't know, probably doing it for clout, I don't even know what I was doing. So these are bugs from 2011, a bunch of SQL injection, cross-site scripting, authentication bypass; I was just posting everything on Exploit-DB. But then later on I was reading a Hacker News article about this company called HackerOne and how you can start actually hacking legally, without risking going to jail, and still get paid for it. I was like, oh wow, that's interesting. So I went straight and signed up on HackerOne. This is HackerOne back then, it was a really crappy interface. So I signed up on this platform but I couldn't really figure it out; there were a bunch of open source projects like Django, Python, all that stuff, and I didn't have the skill set to actually do any code analysis or anything, so I just let that go. Until later on, in 2014, there was the Yahoo program on HackerOne, it got launched and I gave it a try and started looking for bugs on Yahoo, and luckily I got one lousy bug. It's really bad, not that good, but this is the bug that I found, my first bounty, to be honest. I managed to reset the vote counter. Yahoo has a suggestion board where any user can post suggestions and other users can either upvote or downvote, and when you click on vote there is a parameter called vote value and it just adds one or minus one. So I was like, what if I just change it to 1000, right? I just did it in the browser console there, changed it to 16,000 for example, and I clicked on vote, and what happened is the vote just got reset. As you can see here, it was 357 votes, and when I put 6,000 and clicked on vote it would just reset the whole thing. That was the bug, seriously, it's quite a lousy bug, but Yahoo actually accepted it. I submitted it in February 2014 and they were like, okay, yeah, we're going to accept this, and they paid 400 bucks for it. I was like, wow, that was my first bounty. I was like, holy [expletive], I can actually make money doing some hacking, is this real? I did not believe it until I actually got the money in the bank. So it's like, okay, we can keep doing this.

So it was the summer of 2014, I had just finished university so I had plenty of time, and I just went ahead and submitted a large number of bugs, any kind of bugs you can think of. I'd read people's disclosures and I just kept submitting, but that was low quality stuff and I got so many Not Applicables. Holy [expletive], that journey was really bumpy and frustrating and I did not expect it to be that difficult. So I got rejected for various reasons. The first one is a lack of security impact: I would submit a bug but there was really no security impact, it was just informative, basically. And sometimes out of scope: I just went out of scope, I didn't even respect the scope. That's bad, please don't do that. Or maybe false positives: sometimes I didn't understand the application very well and I'd think, oh, that's a bug, whereas it's not actually a bug, you just need to understand the app, and it's just working as expected. Or poor communication: my English back then was not perfect, it was still good but not perfect, but also I did not know how to write good reports. I was missing details, no PoC, the impact statement was not on point. So I got rejected a lot and I felt really frustrated, especially back then, because there was no reputation system, so companies just closed anything as N/A like that. And what happened is that, boom, HackerOne was like, we're going to introduce the reputation system, and I was like, okay, I'm doomed, because I've got so many N/As from way back before the reputation system. What happened with HackerOne is that when they set up the reputation system they applied it to all previous reports, so I've got so many N/As, and a lot of these companies just closed reports as N/A even if it's an informative, because there wasn't much education around the reputation thing. So my reputation got a hit, as you can see. But in 2015, one year later, I still made it to the top 100 at HackerOne, but with a horrible signal, like 1.6 out of 5. The signal actually means how many valid reports you submit, right? So that means my signal was bad, that means a lot of my reports were basically... yeah, not gonna lie.

So fast forward one year later, in 2016, I kind of managed to make it to HackerOne's first live hacking event. It was the very first official one, it was in Las Vegas, h1702. It was quite an interesting experience because I was surrounded by some of the top hackers that were invited from different locations in the world, and it was inspiring, but it was also a humbling experience, and the imposter syndrome felt so strong. Just like Heather mentioned, during your career you're always going to feel it to some degree, you just have to know how to manage it, because there will always be stuff to learn. So I felt the imposter syndrome, being surrounded by the top hackers there, and also with my bad signal, like, whoa. And this is when I realized, at the live hacking event, that I need to improve, I need to step up my game, right? I need to improve my testing methodology, find new techniques to actually step it up. So right after h1702 I went with this mindset of finding cool bugs and just, cut the [expletive], and I found my first RCE. It was an ImageMagick vulnerability, very straightforward, so I got my first RCE, it was critical and they paid 3K for it. I was very happy about it and I just loved this new mindset that I was starting to develop, looking for impactful and cool bugs rather than just sticking to low-hanging fruit. So fast forward to 2022, my all-time stats: I managed to improve my signal, it's now 5.20. It took a while, actually, but it was worth it. The impact is still good, I could improve that as well. Reputation points don't matter. In the last 90 days, the past three months, I've been invited to a bunch of live hacking events, so my findings were more impactful. I was more focused on finding impactful bugs, that's why you can see that my signal is good, it's seven out of seven, which means all the reports that I've submitted were valid. I got a solid impact as well. That took a while to improve, actually, but all it took was a change of mindset: changing your mindset from focusing on low quality stuff to actually looking for good and impactful bugs.

All right, let's step back a bit. I mentioned that I worked for HackerOne, right? So I was part of HackerOne triage, you guys are probably familiar with it. When I joined HackerOne it was quite an interesting experience, because as a bug hunter I learned a lot from it, I'm not gonna lie, I did learn a lot. What I did as a triager is I was working as an interface between hackers and companies. Basically we would receive reports from hackers, I do the validation, the proofreading and everything, and we pass it along to the team, to the company. So we managed big programs: we worked with the U.S. military, we managed the Spotify program, Adobe, PayPal, Slack, you name it, all those big companies. That's why it was interesting, and we received a lot of garbage reports, just like the reports that I used to submit. It was a lot of spam, honestly, false positives, informatives. But there were always a few select people who would always submit good stuff, and when I say good stuff, I mean very good bugs, very impactful, amazing reports, well written, a good clear impact statement, PoC, reproduction details. We would always remember these guys, as triage we would remember them, so every time they submit a report we're excited to triage, because we know it's good stuff, right? And that's why it's important to actually focus on submitting good bugs. I also noticed that a lot of people submit reports but they don't have a good understanding of CVSS. CVSS is the standard that we use to assess the severity of a vulnerability, it's the industry standard, but what I realized working for HackerOne is that a lot of hackers don't know how to use CVSS, so they submit reports with very inflated severity, like it's a low bug but they submit it as a critical. That's very typical, right? I did that too, no judging. And understanding CVSS is actually important because these people are missing out on a lot of bounties. For example, when you find a bug and you're very familiar with CVSS, you want to double down on hitting all the components of CVSS: you want to demonstrate that you can impact confidentiality, you want to demonstrate that you can impact integrity, availability, and minimize the complexity, or just get rid of user interaction, so you can actually increase the impact of your bugs. So understanding CVSS is very important. Also, a lot of triage frustration originates from poor and unclear communication with bug bounty programs. Just like I mentioned earlier, a lot of hackers' reports are just not well written, or the English is broken, so you might want to step up your English, because it really helps a lot, or just the way you write reports: do you include a good description, a good summary, do you include a PoC or reproduction steps, a clear impact statement as well. So it's very important to know how to write good reports. And keep in mind that every organization has a different threat model, which means that a high severity bug for one company does not necessarily have the same severity for another company, because they just have a different threat model. So when you get paid for, for example, an XSS as high on one program, don't expect another program to pay similarly. It's just different.

All right, let's talk about some common bug hunting methodologies. From my experience as a triager, and as a hacker collaborating and talking to other hackers, I realized there are almost four bug hunting methodologies that I could observe. The first one is the fully automated and unauthenticated: there are some people who automate everything, they barely do any manual hacking, everything is just automated, and mostly it's unauthenticated. They have templates, it's just running on different programs, but they don't do anything manually, everything is automated. And there's the full manual: some hackers love just focusing on the app and doing everything manually, no scripts and no tools or anything, just get down and hack that app. So this is what I like to call the full manual. And the 50/50, that's me, 50/50, which means that I like to do half of my work automated, I do a lot of recon automated, and once I have all that data I start doing everything else manually, all the testing I do manually. That's why I call it the 50/50. Most people do that. And there is the zero day, zero day all the things: there are some people that love to do security research, and what they do is they go and hack these software products, they find zero day vulnerabilities, and then there are a lot of bug bounty programs that probably use that vulnerable technology, so these bug hunters just go and test the 0-day on all the bug bounty programs, and this pays a lot, actually. So these are the four methodologies that I can think of, and the natural question that might come is, which one is the best, right? Which one is best? I don't know. Actually, all of them have proven to be effective, to be efficient. Why? Because there are people who have proven that. I'll give you an example. All right, fully automated, I'm not very sure about this but I think it's almost accurate: for automated and unauthenticated I can give the example of Eric, todayisnew. He's doing a lot of automation and he's doing it successfully, he's made millions out of it, so that means it works, right? And there is the full manual, Ron. He loves to hack apps, he doesn't do any automation, everything is just manual, understanding of the app and so on. And there's Frans. Frans loves to do some automation, he does a lot of automation but also a lot of manual testing, everything is 50/50, and it works. Frans is a legend, he has made good money with that methodology, I guess. And there is Shubs. Shubs loves doing code analysis, he loves finding zero day vulnerabilities in software and then just testing that zero day across different bug bounty programs. So all these bug hunting methodologies actually work, it's just that some of them might be more efficient, more effective than the others. For example, the fully automated and unauthenticated requires a lot of cost, because you're going to run so many servers in the cloud, so that might be very costly. Also, some cloud providers are going to block your access most of the time if you're running brute forcing or heavy scanning and such. Or the full manual might take a lot of time to actually find bugs, doing it manually, because you have to invest a lot of time and effort in actually understanding the application, so it might take a while to actually find that vulnerability. So all these methodologies actually work, each one of them has pros and cons, and it's up to you, it depends on your skill set.

This is just an example of how you go about bug hunting. Let's assume that you want to make 100K in bounties, in probably three months or six months or one year, I don't know, it depends on your goal. How do you go about it? Would you actually go and find 200 bugs, low or medium, at like 500 bucks each? 200 bugs is a lot just to make 100K, right? I mean, some people could pull it off, it's easy, if your goal is to make it in one year you can do that. Or you can find 100 bugs, each bug is like 1K, but it's still low or medium, still a lot of reports, right? You have to spam programs just to make your goal. Or you can focus on finding impactful vulnerabilities that will pay much more: suppose that you submit 20 bugs, each of those medium and high, and each one is 5K, which is a very standard payout for a normal bug bounty program. Or you can find only 10 bugs, focus only on highs and criticals, and each high and critical would pay, for example, 10K, and you've already made your goal, right? I think the middle ground is the best way to go about it, because you don't spend too much time just submitting, and also less frustration. And what I think a top-tier bug hunter is, from experience, is someone who will always try to maximize the returns with the minimum reports, because they're aiming for impact. You're aiming to find critical and high security vulnerabilities, which can maximize your returns with fewer reports, with fewer bugs submitted.

All right, so as I mentioned, the middle ground was pretty good. So as a top-tier bug bounty hunter you want to focus more on criticality, on actually proving impact, so you want to focus on P1 and P2 bugs. P1 stands for critical bugs and P2 stands for high severity vulnerabilities. Critical is usually server-side bugs, maybe an RCE, SQL injection, XXE, SSRF, authentication bypass, or high severity bugs where maybe you can access only user data, but that's still bad. I'm not saying that you should skip finding low and medium vulnerabilities, definitely not: if you're testing the app and you come across those bugs, just submit them. What I'm saying is that you have to go with the mindset, or the goal, of finding impactful vulnerabilities. When you start hacking on an app, just focus on finding P1 and P2. It will take some time to find those bugs, but it will pay a lot in the long term, trust me. So why do you want to look for P1 and P2? First of all, you avoid duplicates and the related frustration, because if you submit mediums and lows, a lot of people submit the same stuff, so we always end up with so many dupes, and I know it's a frustrating experience when you find a bug but it's a duplicate, someone beat you to it. But when you find P1 and P2 I don't think there will be a lot of duplicates. Second, you get quick triage and resolution: when you submit a critical to a company they have to act on it very quickly, so your report is triaged very quickly and it gets resolved super quickly and you get paid easily, that's another reason. And high monetary rewards: P1 and P2 pay very well, you get good bounties. Another thing is that you want to hack on healthy and high-paying programs. When I try to choose a program I always go for this: I check the bounty table. For example, this is GitLab's bounty table. For high severity bugs they pay between 5 and 15K, which is decent, and critical goes 20 to 35K, which is pretty good. These are healthy programs. This is Shopify; Shopify is paying up to 100K for one bug. So basically if you can find a very good critical, the 100K I talked about earlier, you can just get it with one bug. It might take a while, it might take some time, right, but it's doable. All right, talking about high-paying and healthy programs, most of the mature programs display their stats, their health stats. This is from HackerOne. Different platforms also have stats for programs. So on HackerOne, before I start hacking on a program I check the average time to acknowledge, to respond to reports. This is PayPal's bug bounty program, so they take four hours to give you the first response, and the most important one is how much time until I get paid, right? That's the most important one. So PayPal, for example, takes 18 days, I think that's okay, it's not bad. Also look at different program stats, like the average bounty that is getting paid, the top bounty that was paid, and you might get that. There are some numbers there, so they have like 1,470 bugs that were fixed, and a regular bug hunter, when they see that number, is like, oh no, no way that I could find anything on PayPal, over one thousand, that's too many bugs fixed already, am I going to find something? That's the regular bug hunter mindset. But for a top-tier hunter that doesn't matter, it doesn't make any sense, why? Because they know there are so many changes that are getting pushed every day, so many code changes every day, that there might be a vulnerability that is being introduced, right? So those numbers do not make sense, they should not intimidate you. If you see one thousand bugs fixed, you might still find a lot of bugs, and that's coming from my experience, because I've been to live hacking events where we had very big programs, very mature, they fixed so many bugs, and then you see these top 100 bug hunters, they find criticals. How do you do that? Because there are always changes, there are always vulnerabilities that are being introduced without the developers' knowledge, so it doesn't matter. These are some programs that I recommend you might hack on, they pay very well, they have good stats, good response time: TikTok, Dropbox, Epic Games, GitHub, Reddit, Instacart, Stripe and Uber. Uber just got hacked, but they still pay good.

All right, let's talk about some in-depth reconnaissance. Reconnaissance is a trending word, everyone just keeps talking about it, reconnaissance, what do you do, reconnaissance. But what is commonly taught, people have this wrong idea about reconnaissance, that it's only about finding subdomains. That is very incorrect. Reconnaissance is a broad word, it's about acquiring information about the target, any kind of information, anyway. So it can be finding DNS information, port scanning, services fingerprinting, anything. It's just not subdomain enumeration, you have to change that idea. And my kind of reconnaissance, the one I love, is not about subdomains, it's about reconnaissance on the app itself. So if the core app is in scope, I love to recon the app itself, and how I go about that is I usually go and do some automated or manual spidering of the app. I log in as a regular user and I just click on everything, I submit every form, I create other forms, I just use it as a regular user, and I capture everything in the history, I'm using the proxy, or I just use the Burp Suite crawler, which helps a lot, especially if you want to automate it. And then you can just visualize all the assets, or all the architecture of your app, you can visualize it in Burp Suite, for example, when you go to the site map. So I love doing that so I can have a global view of what I'm hacking on.

[...] mobile app or desktop software. If they do, I go and decompile it, reverse engineer it, and just look at the source code, find juicy information that will help me hack on the core app. That might sound like going out of scope, but it's always just to acquire the information that will help you actually hack the main app that is in scope. This is my favorite thing to do when I do reconnaissance: JavaScript files. These are super good. When I'm hacking on an app, as I said, I just browse it as a regular user and capture everything, and then I go and check all the JavaScript files that were being fetched by the app, because this JavaScript has a wealth of valuable insight and leads. They could have endpoints, they could have parameters that are not visible, they could have hard-coded credentials, I've got those a lot of times, expired domain names that you can claim and achieve a certain impact, or postMessage misconfigurations. So what I do, for example, I go on Burp Suite and I filter to show only JS files, I copy all the links, I feed everything into LinkFinder, a very good tool; LinkFinder just scrapes all the endpoints from JavaScript files. That's one way to go about it, but I also do a lot of manual inspection of these JavaScript files, because you might miss a lot of stuff, you might miss hard-coded credentials. A lot of companies just put their credentials in JavaScript, that's really weird. But doing reconnaissance and reading JavaScript is very important, and it actually pays well. This is one of the bugs that I found during a live hacking event. So this bug here, I found it thanks to JavaScript. A lot of people missed it, and they paid 22K for it. So I don't know, the mistake that a lot of people made is, I don't think they read all the JavaScript, because I managed to find that endpoint, the partner connect, I found it in a JavaScript file, and I navigated to it and I realized that I get redirected to entertainment.redacted.com with the access token. So this company is authenticating me to a different service using that endpoint. What I realized is the path parameter was vulnerable to open redirect. It was a simple bypass, as you can see below, the bypass was like a dot, `.example.com`, and when I put that it just redirects me to my own website, the attacker-controlled website, and it leaks the user's access token. So basically you can just send the link to the user, and when they click on it while authenticated it can leak their access token. That was an account takeover on three different services, because as you can see in the use case parameter it says entertainment, that's just one service, there are two other services that I can take over with this bug, and I found it thanks to JavaScript files.

All right, one thing that I also love to do is enumerating hidden HTTP parameters and request headers. When I'm hacking on an app and I've got this endpoint and I don't have any information about it, I just use Param Miner to find all the hidden parameters, all the hidden headers. Once I managed to find this header, X-Forwarded-For, and it was vulnerable to SQL injection; I found it using Param Miner. There was a time when I found a parameter, it was URL something, and it was vulnerable to SSRF, thanks to Param Miner. So I always recommend looking for and enumerating these hidden parameters and headers. Or I use the gau tool by Corben, it's amazing, it just fetches all URLs from the Wayback Machine, the Internet Archive. So when you're hacking on an app you want to know all the available endpoints, and using gau is really helpful because you get all these endpoints that were indexed at some point in time, and as you can see in this screenshot there [...]

Another thing that I love to do when I do reconnaissance is continuously monitor JavaScript changes, because this JavaScript always changes. Developers always modify it, they always add new endpoints. If they're working on a new feature they add the endpoint to the JavaScript even if it's not visible on the app itself; they might have the endpoint in the JavaScript so that in the future they're going to implement it. So always continuously monitor these changes. I helped develop, I was a contributor to, JSMon, a tool that you can use to monitor this JavaScript. When there are changes, as you can see in the screenshot, you get a ping on Telegram, for example, and you can see the difference.

All right, let's talk about manual security testing. As I mentioned earlier, a lot of people are obsessed with automation, everyone is just talking about automation: hey, I'm building this automation machine, I'm automating this and this and that. But everyone is just skipping the most important part, which is the creative and manual testing, which pays way more in the long term. Also, a lot of people do all of this automation but they skip the core application, and a lot of the time companies are more interested in finding security vulnerabilities in the core application rather than their subdomains, they don't care about that, but the core app pays a lot more. This is an example from Dropbox. It says here this is the bounty table only for the core app; everything else, this bounty table doesn't apply to it, and this is a really decent bounty amount if you're hacking on their core app. So, functionality- or feature-oriented testing. A lot of people, when they start testing, go with the assumption, hey, I'm going to look for XSS, hey, I'm going to look for SSRF, and then they start looking for a certain class of vulnerability. Whereas my methodology is to just test every functionality: for example, I've got this file uploader or image uploader and I think, what kind of bugs will apply to this functionality? If you're testing a webhook, for example, what kind of bugs might you be testing for? You might want to test for SSRF, right? So that's how I go about it, which kind of bugs would apply to this functionality, instead of actually going and looking for a certain class of vulnerability. Focused manual testing requires deep understanding of the inner workings of the app. When you're hacking an app you want to spend a lot of time just understanding it, understanding how it works, reading the documentation, clicking the buttons, submitting the forms and everything, so you can understand how everything is connected, especially when you're hacking on a big app and everything is interconnected. So you want to spend a lot of time just understanding it. And always be ready to go the distance: when you have an app that has a paid plan, you want to pay for that plan, because you know there are so many features behind the pro plans. You want to go the distance and actually invest some money so you can be ahead of the competition. If they have SSO, you want to configure it. I know it will take time to set up everything, and that's what's going to make the difference between you and the regular bug hunter, when they see this and they're like, oh, I'm not going to go and set this up, it's going to take time. That's what makes a difference. Or if they have a hardware device, go ahead and order it, get it, and start testing it.

All right, let me showcase a bug where I found an account takeover. This required understanding the app. This was on a three-year-old program, very old, I did not expect to find this, and I was hacking on this program for a while and didn't find it, because it took time, because I needed to actually understand how it works. So I was looking at their authentication and I tried to capture everything, just write down everything so I can have it in front of me. What I noticed is that when a user navigates to the login page they get redirected to this endpoint, and in the second step the OAuth flow started, and when they enter their email address and password they get, oh, by the way, in the second step you can notice the correlation ID. So I noticed that one and I was like, what is this for? So when the user logs in, the correlation ID is used in this endpoint, the login callback, and look, when the user logs in the correlation ID gets authenticated and the correlation

ID is used to return the authorization code and I was like how can I how can I go about hacking this one so what I thought about is that what if I generate my own login link as you can see in the first step and I send it to the victim right and I I like I have my correlation my own correlation ID because I generated that link and I send it to the user when the user logs into their account I quickly hit the oauth endpoint like I do a sort of race condition so I can beat the other user to consuming the correlation ID because I generated it and the user authenticated it so I can use the

correlation ID which I have to actually get their authorization code but the second step I had to automate it I had to start a loop using python or whatever so I can keep hitting the that endpoint and wait for wait for the user to authenticate and that was an ETO and they paid 20K for it this is the second block because I I mentioned earlier you should always have to like uh be ready to go the distance so this bug that we found it required setting up the SSO so basically this is always also behind the pro feature so basically I have to buy the Pro Plan and then I have to go through all the documentation so I

can set up the SSO and that what made the difference this bug was was there for a very long time but I don't think people took the time to actually pay for that plan or just like set up the SSO and it was very simple super easy so what happened is I would just add the victim's email to my own OCTA the EDP and uh what happened next is that I tried to log in you see I set up the SSO on the Target app and I try to log in to OCTA with the victim's email so basically I added the victim's email to my SSO and I log into my own SSO and I

log in with the victim's email and that caused some identity conflict which led to the application letting us the the victim's account and that was a very impactful bug we got paid 55k for it with oxb Andre he's a good friend of mine so that was a really good bug and we have a third bug what made the difference how I found this bug is that first of all I had to read the documentation it was a very complicated documentation and there is another step that was very hidden in documentation it says that if you want to activate or enable this API you need to create a separate user account and explicitly assign the Epi permission to

that user account a lot of people missed that didn't either did not read the documentation or they did not understand that step so once you do that you can construct the the HTTP request and then you can actually be pass it the B pass there was some sort of validation but I was able to bypass it using a typical day pass I use the EP V6 format this was the Bay pass and I was able to hit the internal uh internal Network and that was a good ssrf that got paid 30k so as I mentioned earlier it's just like always be ready to go the distance read the documentation don't be lazy just do everything as instructed

Also, let's talk about automation. A lot of people talk about automation, but there are different aspects to it. When we talk about automation we talk about automating the recon and the content discovery, the first phase. We can also talk about automating the vulnerability discovery, right? We also talk about automating change monitoring, like monitoring changes; you can automate that. Or there is some sort of automation where you just automate the boring stuff, the boring tasks, right? So when we talk about automation there are very different aspects to it. These are some tools that you can use for each of those steps or aspects of automation. There are so many tools out

there, it's crazy, it's very overwhelming, and you might actually just get confused or lost. But if you want to build your own automation: I think automation is good when it helps you collect data as a starting point so you can start doing manual testing. I'm not against automation, I'm building it myself, but you just have to know how to use automation. This is how you can build a basic automation flow; this is a basic one. The first thing that you might want to do is load in the scope. You can use the bbscope tool to load the scope from all the bug bounty platforms, so you have the scope of all the

target companies, and you start the subdomain enumeration. You can use Amass, Subfinder, Sublist3r; I use Amass, it works very well. And then the third step, which a lot of people skip, is permutation. When you have this list of subdomains that you gathered, you can do the permutation technique, where you permute the words in the subdomain. Say you have this subdomain, for example admin.example.com; you can do permutations like admin-panel, admin-test. This is permutation, and it actually helps a lot. Someone wrote an article about it where they confirmed, or proved, that it might add up to 20 percent more results

to your recon. And then you do some DNS resolution so you can get rid of all the hosts that are not live, and then you do some DNS enumeration to find all the DNS information, for example you can get the A records. And then you port scan everything; I use nmap, I'm very classic, very traditional, but it works very well. And then the last step is the vulnerability scanning: when you've got all the information you can just start the vulnerability scanning. This is a simple reconnaissance flow that you might want to implement, which I did myself. Well, a good friend of mine and I, earlier this year, started building some automation, because we wanted to

monitor changes, we wanted to just catch the low-hanging fruit. We don't want to spend time looking for that, so we wanted to build automation that would help do that and just give us data to act on and start our manual testing. So we built a fully fledged automation web app; we called it recontrol. I built it with a good friend of mine called me Luke. Our stack was very simple: we used Python, we used the Django framework, which helps a lot, with Luigi for task orchestration and Bootstrap for the front end. We use Postgres for the database. We use a lot of open source tools like nmap, Amass, httpx, nuclei. So this is how

it looks: we can add assets to the scope, we can edit them. This is an example where we monitor subdomain takeovers: we get these AWS bucket takeovers. We use nuclei templates as well, and that works a lot; we got so many subdomain takeovers using the automation. And this is how the dashboard looks: we can see everything from the dashboard, how many assets we have scanned so far, total vulnerabilities (there are so many informatives there because we haven't filtered everything out), the scheduled tasks and stuff like that. Automation: there are so many open source tools, as I mentioned, that you can

actually get confused easily and overwhelmed, so you need to pick the right tools, right? Don't get lost between trying this tool and then jumping to that tool and wasting a lot of your time. Automation should be complementary; as I mentioned earlier, if you want to make big bounties you have to focus on the main app, the core app, and automation should only complement your testing. It gives you a starting point, or just data to act upon. Efficient automation should always yield actionable information. If your automation is wasting your time, giving you a lot of false positives, I don't think it's

worth it, because you could have used that time actually hacking on the core app. So make sure your automation always gives you good info. The challenge is task orchestration. As I mentioned, a lot of people do automation in a broken way: they have a bunch of bash scripts, and if one tool breaks, the whole flow just breaks. So you want to figure out a way to orchestrate everything. For our automation we use Luigi, for example; I recommend it, it was developed by Spotify. And also the challenge of how to distribute the load across multiple services. Some bug hunters use Kubernetes, which is pretty complicated

to set up but it's worth it. Some people use fleex or Axiom; these are open source tools that are very widely used by bug hunters. Most bug bounty automation only catches low-hanging fruit, which is true, and might result in duplicates, so you might want to step up your automation. And there are so many automation frameworks, you don't even need to build it unless you really have to: there's Osmedeus, there's reconFTW, I really recommend this one, there's reNgine, Axiom. So basically you don't have to build it yourself. These are automation frameworks that have everything covered, so you can just use those. Nuclei is an amazing tool, I love nuclei,

props to ProjectDiscovery for building it. But what I noticed is that a lot of people just use nuclei blindly; they use the same public templates as everyone else, so everyone is just getting duplicates and getting frustrated. If you can use nuclei in an efficient way, like doing your own research and building your own templates, that would work a lot better than just running it on public programs like everyone else. All right, let's talk about security impact. I have two screenshots here: one that just shows a typical pop-up XSS, and one where I actually managed to hijack the user session. Which one do you think will get a bigger bounty? It's obvious that the

one on the top right, because I managed to show impact, whereas the other one is just like, "oh, I found this XSS", okay, what can you do with it? So you always want to show impact to the program, always try to maximize the impact. For example, the session token: I could not leak it because there was an HttpOnly flag, but I was determined to increase the impact, so I was looking at the app and I was looking at the source code, and there was an endpoint where the user session was in the source code. Why, I don't know, but that actually helped bypass HttpOnly,

because I could just use my XSS to fetch it from the source code. So I wanted to talk about security impact. Bug bounty is not a traditional pentest; you're not supposed to submit informative bugs without any security impact. In bug bounty you need to show impact. If your bug doesn't have any impact, don't even bother submitting it, because it's just gonna result in a lot of frustration. So you always want to maximize impact. Always ask this question: what can I do with this bug? I've got this bug, but what can I do with it as an attacker? How can I use it against the app, the company, the users? And then most of the companies pay

out based on severity, and that's why I mentioned earlier that it's important to understand CVSS, so you can try to maximize each component of it: confidentiality, make sure you hit that; integrity, make sure your bug can actually lead to manipulating user data; availability as well. So understanding CVSS is very important. Think out of the box; always come up with ideas on how you can escalate your bugs. There are always so many creative ideas for going about your bug and how you can escalate it, so just think out of the box as a hacker. And also, when you've got some low-hanging fruit, like you find an open redirect, cookie injection, XSS without security impact, myself I

usually just save it for later use. I know some people might beat me to submitting it, but some people might skip it, so I always note down these low-hanging fruits, because I know at some point in the future I might chain it with something to increase the impact. Say you have an open redirect: you could use it for an SSRF, that's critical; you could use it to leak the OAuth credentials, as I mentioned earlier in the bug where I used an open redirect to leak the access token. If I had submitted the open redirect just like that, it would have been rated low and maybe paid 100 bucks, whereas

I used it to leak the OAuth credentials and I got paid the maximum. Make sure you abide by the program rules. I know you want to maximize your impact, but sometimes you might get carried away and start pivoting in their internal network, and that might be a deal breaker, so always make sure to read the rules before you start escalating. Don't execute dangerous commands when you get an RCE and start removing stuff, deleting stuff or changing stuff; don't do that, or access other users' data. Always use your own testing accounts when you do that. Code review and security research: we were always told that to start hacking you don't need to code, right, you don't

need to read code, it's useless, you can just do everything black box. I started myself without coding; I didn't know how to code or anything, and I did very well. But I realized at some point that actually understanding code, writing code, reading it, is very important. I realized that it's very crucial if you want to stay relevant in bug bounties. You might always go about testing in a black-box approach, but when you can actually read code you're likely to find a lot more bugs than the others, and that will give you an edge, a competitive edge. So I think writing and reading code is very

important if you want to step up your game. Even a lot of client-side bugs, when you read JavaScript, require you to understand the code. When you're looking for postMessage bugs in the client, in JavaScript, you need to understand how JavaScript works, right? So that's very important. Or just DOM XSS, which requires a certain understanding of code. And also, as I mentioned earlier, one of the bug hunting methodologies is finding zero-day vulnerabilities, so when you know how to code, when you know how to read code, you're more likely to find bugs in third-party software, and you can use those zero-days to actually find

them on bug bounty programs. So I think coding is actually very important. And for bug bounty, when you're looking for zero-day vulnerabilities, I always advise people to look for pre-authenticated and unauthenticated vulnerabilities, because for impact on a bounty you usually can't authenticate to their own service, and you can always demonstrate impact from the outside. So if you've got an unauthenticated 0day, that's even more maximum impact, whereas if you have an authenticated 0day, how can you go about it? Just telling the program "hey, you can log into your account and start uploading this web shell" doesn't work. So always look for unauthenticated or pre-authenticated. Also, another thing when you do code

review is monitoring for new CVEs. A lot of vulnerabilities get assigned CVEs, so what I do myself is monitor the new CVEs. When there is a new zero-day vulnerability that gets published, I use AttackerKB. I love this project; they have technical analysis for a lot of zero-day vulnerabilities. I find exploits and PoCs there; they talk about all the technical analysis of the vulnerability, so I highly recommend AttackerKB. These are some resources you can use if you want to learn code review: you have the "So you want to be a web security researcher?" article by James Kettle, a very good one; the Assetnote blog

security advisories, they publish a lot of their zero-day vulnerabilities, really amazing write-ups; and you can use the OWASP code review material and the PentesterLab code review exercises as well. Or if you're willing to pay money you can go for the Advanced Web Attacks and Exploitation course; I've heard good feedback about it, I've started it recently as well. So yeah. And collaboration. Collaboration is very new; we started talking about collaboration a lot lately, and some of the best and most impactful bugs that I've seen were actually a result of collaboration between a team or just bug hunters. When you're collaborating, everyone brings a different skill set: if

this guy is good at reverse engineering, this guy is good at a certain skill, when you combine everything it's just very powerful. And even bug bounty platforms realized that collaboration is actually very powerful, and they started implementing features to support it. For example, on HackerOne, if you have a report you can invite someone to your report, a collaborator as they call it. They started building bounty split, so if you're two people finding a vulnerability you can split the bounty automatically, and they started giving collaboration awards at live hacking events. So they realized that collaboration is very powerful, and I've seen it myself: some of the best

bugs were always a result of collaboration. So if you're ever stuck somewhere and you could not escalate the vulnerability, find someone who is relevant, someone who has the knowledge. You can find these people; there are so many open communities where you can meet other bug hunters, where you can actually share leads and collaborate. There's the Bug Bounty World community, there's the Nahamsec Discord community, there's the HackerOne Discord community, so you can meet a lot of people there. So if you're stuck somewhere and you could not escalate a bug or something, you could just hit someone up and start working together. But you always have to set expectations up

front, because a lot of frustration may originate from collaboration, like people not agreeing on the bounty amounts. So you have to always agree on the bounty split. If I'm collaborating with you, we would have to agree on the bounty split: am I getting 50/50, or 70/20? So we have to agree on that, and also agree on some conditions, like how do you go about sharing the research. Suppose you have research together; the other guy might just go and share it with someone else. So you have to set expectations up front so you avoid complications and frustrations that might arise.

Okay, so this is a DM I received from someone on Twitter. They were like, "hey bro, I've got this SSRF, I could only hit external websites". He hit me up on Twitter and he was like "hey, do you want to collab?", and what I liked about it is that he was setting expectations up front. He was like, "well, I will share the bounty 50/50 if I can manage to escalate it". I was like, okay, I'm down to give it a try. So basically it was a P4 bug; P4 means low, because he was only able to hit external websites, right? He couldn't hit any internal endpoints. So I gave it

a try. This was an old CVE. So basically this is the HTTP request, and the URL is the vulnerable parameter. When you put an external website, maybe Burp Collaborator, you get a ping, right? That's all he could do with it. So I gave it a try. The first thing I did, I don't know how he missed this one, this is the most typical one: just put localhost and point it to port 80, and I got "Welcome to nginx". But that was still P4, maybe P3, right? We want to maximize the impact even more. This is really nothing, because I

don't have any impact: okay, I know that you have nginx internally, so what? So what I tried next, I tried to hit the AWS metadata endpoint, because they were using AWS. The first thing I thought about is that I could exfiltrate security credentials, but that did not work because I was getting 401 Unauthorized. It didn't make any sense, right? So I started reading about the AWS metadata endpoint and I came to realize that there are two different versions. If you're familiar with the AWS metadata endpoint, the first version is where you just send a GET request and you get the information back, no authentication required, but this target here was using the second version, and

the second version requires that you submit a certain header and get an authentication token, and use the authentication token to actually exfiltrate the security credentials, like a two-step thing. And I needed to control the headers when I do the SSRF; that was a challenge. I kept reading and reading and I came to know that this app is actually using Atlassian gadgets, which use the Google Gadget API. The Google Gadget API has other parameters that are loaded, like the HTTP method, the POST data and the headers. So basically I can control the POST data, I can control the headers, and I can even control the method

that is sent to the internal network. So I did that, I hit the metadata endpoint and I managed to exfiltrate the authentication token, and I used the authentication token to send another request. It was a POST request, if I remember; yeah, it was a POST request. I used the metadata token I had exfiltrated earlier and I managed to get the AWS security credentials, and we managed to escalate it from a P4 to a P1. This one got paid the maximum, as a critical. So collaboration is very important, and that guy, if he had submitted it as a P4 he would have got paid very little, but now as a P1, even if we split it, it's still a

good bounty. So that proves the power of collaboration. This is something we used to do way back in 2016: we used to gather a bunch of bug hunters and we started a spreadsheet. This was back in 2016 with Mark Litchfield and a lot of good hunters, and we would set a goal. For this one it was like "hey, we want to hit 300K", I think, I don't remember, but it was like in three months. So everyone, if you get a bounty, you just add the number, how many bounties you found. If it's a public program you can just put it there; if it's private, just put it in the

private bounty column. So this is some sort of friendly competition just to push each other, to encourage and motivate each other to find bugs, and it actually works. We did not hit the goal, I guess a lot of people were busy back then, but we made like 100K. Same with some friends of mine, we did the same: me, my friend Ayoub and GeekBoy Sandeep did this in April 2016. So what I'm saying is, if you want to collaborate, always have this friendly competition between each other so you can push each other. And this is something I had with

Nahamsec on Twitter. It was a public feud with Nahamsec, and it was just like we were giving each other a hard time on Twitter, but it was a friendly competition, right? It was just pushing each other so that we could climb that ladder, go up on the leaderboard. So it was like always changing my bio: "hey Nahamsec, is it getting cold down there?" It was a very friendly competition, I don't know if you guys remember, but what I'm saying is always collaborate, always do some friendly competition with your friends so you can push each other. Last words: bug hunting is not a

race, it's a marathon. It requires consistency, always looking for bugs. It requires persistence; some of the best chains that I've had took me a year maximum, just collecting every piece, so it requires a lot of persistence. And it requires patience; in bug bounty you really need to be patient, whether looking for bugs, or waiting to get paid, or just waiting to get a response. So these are three very important values that every bug hunter should have. Also, take as many notes as you can. This is very important. A lot of people spin up a Burp Suite temporary project, and once they finish testing they just close it and everything is

lost. Why? I love taking notes, it helps me a lot, because you can always go back to those notes and be like "oh, I might have missed something", right? So always take notes. I use, what is it called, Notion myself; some people use GitHub repositories to note everything. It doesn't matter, as long as you just keep taking notes, and keep learning, keep acquiring knowledge, because it's important; you don't want to be stagnant. Keep diversifying your skill set so you can always have this competitive edge over others: between someone who is only good at web apps and someone who is good at web apps and also hardware testing, the latter will have more of a competitive advantage. And also, bug bounty can easily drain

your mental health, because it might take a toll on your mental health. It's very difficult; you spend so much time in front of your laptop looking for bugs, and at the end of the day you might not find anything at all, and that is very frustrating. So that's why you want to take care of your mental health, always balance things out, and make sure to enjoy the journey. Just don't go hard on yourself; it's supposed to be a lot of fun, right? So yeah, that's it, thank you so much.

Which way is the best to learn vulnerabilities, by books or by research? Sorry, can you say it again? Can you hold it a little bit closer? Which is the best

way to learn vulnerabilities, like books or tweets? Oh, okay. So if you want to learn about vulnerabilities, I'd suggest books, yeah, but the best way actually is to read other people's disclosures. When you go on the HackerOne platform, for example, you can find so many disclosed bugs; that way you know what kind of bugs companies are interested in and what kind of bugs you want to look for. So I read people's disclosures. I also love reading other people's write-ups; there are so many bug bounty write-ups publishing vulnerabilities that people found, so you can also use that. And for books I recommend The Web Application Hacker's Handbook, that is a

good starting point, yeah. Okay, thank you, cheers. Okay, just one more question, just quickly. So actually I'm also working on a similar automation product like the one you mentioned. Yeah. So my question is, while scanning multiple assets we have a lot of data, so I am using a NoSQL DB. So my question is, for example if you're scanning the entire... not the entire internet, but at least the bug bounty targets, so we have multiple subdomains and a lot of IPs, how concurrently do you rescan the assets, and do you keep the results to differentiate between the past... Can you repeat the last part? Do you keep the results of

the past scan and the new scans, multiple scan results, to compare the results? Or if you're doing that, how do you maintain a lot of data? Because, according to me, when I was making the product, what I felt is that the database is the only cost, which is a major cost in this. That makes sense. For us, for example, we only keep the last recent change; we don't keep track of all the changes, because as you mentioned that would be a lot of workload on the database. And also storing data is not a problem for us; we use Postgres, we

highly recommend it, it's very scalable, so that's not a problem at all. Yeah, so the question is, do you only use Postgres, or is there any specific reason why you chose a SQL database only, not NoSQL? No particular reason, we just really liked Postgres and we had previous experience working with it, and we knew that it's very scalable. There are so many resources online if we get stuck or anything like that; Postgres has a huge community. So no particular reason. I think you can use any, even MySQL, you can use that, it works; a lot of companies scale their

MySQL database, so the choice of database is not important, actually, it's not relevant. Yeah, actually I have moved a lot in the past. When I was starting this product I first chose MongoDB, then I moved to Postgres as well, then I again moved to MongoDB, because what I felt, I've read a lot of articles, is that when it comes to PostgreSQL there are scalability issues when we go with a lot of data; we need to do sharding and we need to create multiple instances of...

Okay, that makes sense. I think for us, because we only use that automation for bug bounties, we don't have to care about sharding or anything, because we don't have that much data that it would make a difference actually. So yeah, it doesn't make any difference for us, so we just use Postgres. Yeah, so one last question: are you making the product which you mentioned, mini controller.io... Can you say it again? Just two minutes. Sorry, no, sorry, we have to... already asked your questions later, we are already running. Cheers, thank you so much. [Applause]
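The JavaScript change monitoring described earlier in the talk (a tool like jsmon pinging you when a bundle changes and a new endpoint appears), as an added example that is not part of the talk and not jsmon's code; it works on two constructed bundle snapshots instead of live fetches, and `compare`, `extract_endpoints` and `format_alert` are names chosen here:

```python
"""Report endpoints that appear between two snapshots of a JavaScript bundle.

Added example, not jsmon's code: it models the monitoring idea from the
talk (new endpoints show up in JS before the feature is visible) on two
constructed bundle snapshots instead of live fetches.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Path-like string literals such as "/api/v1/users". Quotes and whitespace
# are excluded from the path class so a match never spans two literals.
PATH_LITERAL = re.compile(r"""["'](/[A-Za-z0-9_.\-/]+)["']""")

# Static assets are noise for endpoint monitoring.
STATIC_SUFFIXES = (".png", ".jpg", ".svg", ".css", ".woff", ".woff2", ".ico")

# Constructed snapshots (not a real application's bundle).
OLD_BUNDLE = """
const USERS = "/api/v1/users";
fetch("/api/v1/profile", {credentials: "include"});
const logo = '/static/logo.png';
"""
NEW_BUNDLE = """
const USERS = "/api/v1/users";
fetch("/api/v1/profile", {credentials: "include"});
// added for a feature that is not linked from the UI yet
fetch('/api/v2/export/start', {method: "POST"});
const logo = '/static/logo.png';
"""


def fingerprint(js: str) -> str:
    """Content hash; unchanged bundles are skipped without parsing."""
    return hashlib.sha256(js.encode("utf-8")).hexdigest()


def extract_endpoints(js: str) -> set:
    """Collect path literals, dropping obvious static assets."""
    found = PATH_LITERAL.findall(js)
    return {p for p in found if not p.lower().endswith(STATIC_SUFFIXES)}


@dataclass
class Report:
    changed: bool
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)


def compare(old_js: str, new_js: str) -> Report:
    """Diff two snapshots of the same bundle at the endpoint level."""
    if fingerprint(old_js) == fingerprint(new_js):
        return Report(changed=False)
    before, after = extract_endpoints(old_js), extract_endpoints(new_js)
    return Report(changed=True, added=after - before, removed=before - after)


def format_alert(source: str, report: Report) -> str:
    """Text for the notification (the talk's setup pings Telegram)."""
    if not report.changed:
        return f"{source}: unchanged"
    lines = [f"{source}: bundle changed"]
    lines += [f"  + {p}" for p in sorted(report.added)]
    lines += [f"  - {p}" for p in sorted(report.removed)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert("app.js", compare(OLD_BUNDLE, NEW_BUNDLE)))
```

Storing only the latest fingerprint and endpoint set per bundle, as the talk's team does for scan results, is enough to drive this comparison on each re-fetch.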
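The two SSRF stories in the talk both came down to the same missing check: a destination filter that looked at the host as text and could be walked past with an IPv6 form of an internal address, and a metadata service reachable from the app. Below is the check such a filter should make, as an added example that is not the talk's code nor any product mentioned in it; `check_destination`, `normalise_ip` and the `FAKE_DNS` table are constructed here, with name resolution injected so the example runs offline.

```python
"""Destination check for outbound requests (SSRF guard).

Added example, not code from the talk or from any product it mentions.
Parses the host as an address, unwraps IPv4-mapped IPv6, and fails closed
on anything private, loopback or link-local (which covers the cloud
metadata address). Resolution is injected as a callable (a constructed
table here) so the example runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed table standing in for DNS; a real guard would resolve once
# and connect to the exact address it checked.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "metadata.internal": "169.254.169.254",
}


def fake_resolve(host: str):
    """Constructed resolver: hostname -> IP string, or None if unknown."""
    return FAKE_DNS.get(host.lower())


def normalise_ip(text: str):
    """Parse an IP literal. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so
    it is judged by its IPv4 value; returns None if text is not an address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal(ip) -> bool:
    """True for any address an outbound fetcher must never reach."""
    return (
        ip.is_private        # RFC 1918, ULA, and 169.254.0.0/16 (metadata)
        or ip.is_loopback
        or ip.is_link_local  # fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_destination(url: str, resolve=fake_resolve):
    """Return (allowed, reason) for a user-supplied destination URL."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:          # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname              # brackets stripped, lowercased
    if not host:
        return False, "missing host"
    ip = normalise_ip(host)
    if ip is None:                     # not a literal: resolve, fail closed
        resolved = resolve(host)
        ip = normalise_ip(resolved) if resolved else None
        if ip is None:
            return False, f"cannot resolve {host!r}"
    if is_internal(ip):
        return False, f"{host!r} resolves to internal address {ip}"
    return True, f"{host!r} -> {ip}"


if __name__ == "__main__":
    for u in ("https://example.com/webhook",
              "http://169.254.169.254/latest/api/token",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://localhost:80/",
              "gopher://example.com/"):
        print(u, check_destination(u))
```

The connection must then be made to the address that passed the check rather than re-resolving the hostname, otherwise a DNS answer that changes between check and connect undoes it; the talk's second IMDS step (a token fetched with a required header) is a separate layer, which is why requiring it on the instance side still matters.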