Craig Hays

bug bounty

Bug Bounty Tips #5, Half-Life Alyx, Everyone works from home, and more…

April 6, 2020 By Craig Hays Leave a Comment

Reading Time: 2 minutes

Craig’s Newsletter April 6, 2020 Edition


Hi All!

Here’s a little update on what I’ve been doing since we last spoke.

What I’ve Been Writing

Since the last update I’ve published my 5th in a series of bug bounty hunting tips:
Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche. You can read it for free on craighays.com or if you’re a medium.com member you can support me by reading it there.

What I’ve Been Watching

Things are pretty stressful for everyone right now. We can’t go outside, we can’t see family and friends, and everything’s a little bit tense. While unusual for me, I’ve been enjoying watching jacksepticeye playing Half-Life Alyx in virtual reality from start to finish. I haven’t owned a gaming PC for a very long time and I can’t justify building one just for this game. I’ve found that watching someone else play it is good enough for some well-needed escapism without investing in all the kit needed to play it.

What I’ve Been Doing

It feels like the entire world has changed since I last emailed out a couple of weeks ago. All over the world, anyone who can do it is now working from home. The safety net of the corporate firewall is gone. People are working permanently behind home routers with default passwords, firewalls turned off, and… who knows what else is happening. Therefore, I’ve spent the last couple of weeks at work making sure everything is as it was designed to be, for when things like this happen. I suspect many of you will have been in the same situation.

That said, I’ve started learning more about gRPC at a very low level as I’m really interested in bug bounty targets using this method of data transfer. It isn’t as easy to work with as text-encoded HTTP requests, so there might not be so many people testing this in the bug bounty space. I did, however, find this Burp Suite Protobuf plugin from NCC Group which looks really useful. Hopefully, I’ll get a chance to try it soon.

What I’m Doing Next

I’m planning on publishing an article on my work analysing external inbound and outbound email through Exchange 365 as there doesn’t seem to be any way to do it in detail in the native reports. My PowerShell scripts need a bit of polishing to make them publishable, but once done I’ll host them on GitHub and link to them from the article.

As always, if you’ve got feedback, questions, or something to add, please get in touch.

Stay home, stay safe, and take care.
Craig

Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche

March 28, 2020 By Craig Hays 2 Comments

Reading Time: 6 minutes

To earn more money from bug bounty programs, become the best in the world at one thing and ignore the rest. Here’s why.


It’s very tempting to try to learn and apply everything there is to learn about different types of vulnerabilities. When you look at bug bounty writeups like those on hackerone.com, it is clear just how different each of the reported vulnerabilities is. When I first started looking into bug bounty programs, I thought I had to learn everything about everything in order to compete. That just isn’t true. In fact, it’s the opposite. If you want to do well with bug bounty programs, pick something you’re interested in and could spend thousands of hours looking at, and learn everything there is to know about it. Find your niche.

[Read more…] about Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche

Bug Bounty Hunting Tips #4 — Develop a Process and Follow It

March 12, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

The easiest way to fail as a bug bounty hunter is to search at random without a methodology or process to follow. Here’s what to consider.


It is really easy to jump straight in and wildly throw payloads at a system when you first approach a target. Admittedly, it can feel great for the first hour or so but after that, you can start to become bored and frustrated if you don’t find anything. And without a structured bug bounty hunting process, you probably won’t find anything new.

It is important to develop and follow your own testing process in order to test thoroughly and professionally. When you first start out, your process will be weak and immature, but you’ll develop and improve upon it the more bug bounty hunting you do. If you do this consciously, you’ll have greater results.

[Read more…] about Bug Bounty Hunting Tips #4 — Develop a Process and Follow It

Bug Bounty Hunting Tips #3 — Kicking S3 Buckets

February 22, 2018 By Craig Hays Leave a Comment

Reading Time: 4 minutes

There has been a lot of press recently about misconfigured Amazon S3 buckets leaking confidential information. The root cause of this is that in the past S3 buckets have been incredibly easy to misconfigure. Sometimes buckets are made web accessible by anyone. Other times buckets are web restricted but can be accessed through the Amazon S3 API by any authorised user.

Due to the nature and number of these breaches, Amazon have recently released their Trusted Advisor service for S3 for free to everyone to try to crack down on the problem. The challenge now is getting people to look at the new output and make changes based on the feedback. In the meantime, let’s have some fun kicking over S3 buckets to see what bounties fall out.

Finding S3 Buckets

S3 buckets are all reachable via a web interface, whether access is permitted or not. The URL format is:

[Read more…] about Bug Bounty Hunting Tips #3 — Kicking S3 Buckets

Bug Bounty Hunting Tips #2 — Target their mobile apps (Android Edition)

February 9, 2018 By Craig Hays 1 Comment

Reading Time: 6 minutes

If you read through the disclosed bug bounty reports on platforms such as hackerone.com, it is clear that most bug bounty hunters are targeting web applications and neglecting the mobile application landscape. This is an opportunity that you can take advantage of.


I’ve had a lot of success recently looking at mobile apps, specifically Android applications. After searching online for decent training material I stumbled upon the Udemy course Android Application Penetration Testing which has proven invaluable. (Disclaimer, I get no financial gain or anything else out of linking to this course, other than more competition in the Android bug bounty space.) 4.5 hours of training at 2x regular playback speed and you’re in a good starting position.

Just like web applications, you can find the OWASP Mobile Top 10 very useful for identifying vulnerabilities to look for. My personal favourites are:

[Read more…] about Bug Bounty Hunting Tips #2 — Target their mobile apps (Android Edition)