Tips & Tricks
Winning Bug Bounties
Websecurify Suite provides many tools that can be successfully used to win web application security bug bounties offered by numerous vendors online. We have personally collected a few. In this mini tutorial we will show you several essential steps to get you started.
Start by performing a full recon of the target. Some bounty programs have a limited scope, but in most cases you are allowed to test the entire web estate. Doing good research initially will help you locate weak areas where you may be able to find a lot of low-hanging fruit.
We love to use Recon for this. This tool will collect as much information as possible about the target from public-domain databases and will attempt several passive vulnerability-hunting exercises.
The second step is to automate as much of the testing crud as possible. Some bounty programs do not allow the use of scanners because of the possibility of disruption. However, the reality is that some form of automation is a perfectly valid technique you can use, and the scanners are good candidates for this stage.
Fire off the Scanner from the suite and pay attention to the results. You may have to run it multiple times with different configurations. Try first as an unauthenticated user, then as an authenticated user. Run the Scanner at specific locations. Rinse and repeat. This will get you the best results by far.
Some areas have to be covered manually or in a semi-automated fashion, and this is where you can use tools like HTTPView. This tool will help you monitor the requests and responses exchanged between the browser and the target application. Some requests may look suspicious, in which case you can use several other tools from the Suite depending on what you are planning to achieve.
Once you locate a suspicious-looking request or response, identify its type in order to figure out what to do next. Use tools like Resend to mess around with the data and request parameters. If the request is a call to a JSON or XML service, use tools like JSONFuzz or Xmlfuzz respectively. If you are working with a standard POST request using urlencoded form data, then use Retest, which will automate the fuzzing for you. In general, use the tools that best fit your problem.
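The "identify its type" step above is easy to get wrong when you trust the Content-Type header alone, because applications and proxies frequently mislabel bodies. The following is an added example, not Websecurify code: it parses raw captured HTTP requests with the Python standard library, classifies the body by actually parsing it as JSON, XML or urlencoded form data (the header is used only as a hint), and maps the result to the tool the text names for that type (JSONFuzz, Xmlfuzz, Retest, with Resend as the general-purpose fallback). The sample requests, host name and paths are constructed for the example. For XML from untrusted sources a hardened parser such as defusedxml is the better choice; the stdlib parser is used here only to keep the example dependency-free.

```python
import json
from urllib.parse import parse_qs
from xml.etree import ElementTree  # for untrusted XML prefer defusedxml (see lead-in)

# Mapping from detected body type to the tool the tutorial suggests for it.
TOOL_FOR = {"json": "JSONFuzz", "xml": "Xmlfuzz", "urlencoded": "Retest"}
FALLBACK_TOOL = "Resend"  # general-purpose request manipulation


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_body(headers, body):
    """Return one of 'none', 'json', 'xml', 'urlencoded' or 'unknown'.

    The Content-Type header is only a hint: every candidate format is
    really parsed, so a header that lies is overridden by the body."""
    if not body.strip():
        return "none"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    stripped = body.lstrip()

    # JSON: either the header says so, or the body starts like an object/array.
    if ctype in ("application/json", "text/json") or stripped[:1] in ("{", "["):
        try:
            json.loads(body)
            return "json"
        except ValueError:
            pass

    # XML: header says so (including +xml suffixes), or the body starts with '<'.
    if ctype in ("application/xml", "text/xml") or ctype.endswith("+xml") or stripped.startswith("<"):
        try:
            ElementTree.fromstring(body)
            return "xml"
        except ElementTree.ParseError:
            pass

    # Last resort: key=value pairs joined by '&'. strict_parsing raises on
    # fields without '=', so free text does not pass as a form body.
    try:
        if parse_qs(body, keep_blank_values=True, strict_parsing=True):
            return "urlencoded"
    except ValueError:
        pass
    return "unknown"


def triage(raw):
    """Classify one captured request and name the suggested follow-up tool."""
    method, path, headers, body = parse_raw_request(raw)
    body_type = classify_body(headers, body)
    return {
        "method": method,
        "path": path,
        "body_type": body_type,
        "suggested_tool": TOOL_FOR.get(body_type, FALLBACK_TOOL),
    }


# Constructed sample captures (not real traffic). The last one carries a
# Content-Type header that does not match its body.
SAMPLES = {
    "json": "POST /api/users HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n\r\n"
            "{\"name\": \"alice\", \"role\": \"user\"}",
    "xml": "POST /soap HTTP/1.1\r\nHost: app.example\r\nContent-Type: text/xml\r\n\r\n"
           "<order><id>42</id></order>",
    "form": "POST /login HTTP/1.1\r\nHost: app.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=secret",
    "get": "GET /search?q=test HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "lying_header": "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n\r\n"
                    "user=alice&pass=secret",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Running the block prints one triage line per sample; the "lying_header" capture is classified as urlencoded despite its JSON Content-Type, which is exactly the case where choosing a fuzzer from the header alone would send you to the wrong tool.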
There are plenty of security researchers out there hunting for bugs but do not be discouraged. With enough time and patience you will be able to find something. Some of the vulnerabilities we have reported took us less than 30 seconds to find using only Recon. Those were the lucky ones but there are plenty of vulnerabilities floating around. It takes a bit of time and dedication.