A Very Basic Bug Bounty Methodology
Cross-Site Scripting (XSS)
- Look for parameters and user inputs that are reflected back in the page without proper encoding.
- Use fuzzing with a list of XSS payloads to test how inputs are sanitized.
- Test all inputs that could be stored and displayed to other users (comments, profiles, etc.).
- Pay special attention to rich-text fields which may allow HTML content.
- Investigate client-side scripts to identify points where user-supplied input may modify the DOM.
Cross-Site Request Forgery (CSRF)
- Check for forms and state-changing requests that do not have CSRF tokens or other anti-CSRF mechanisms.
- Attempt to craft malicious requests that could be sent from an attacker-controlled site.
Basic SQL Injection:
- Input classic payloads like ' OR '1'='1 to see if inputs are directly placed into SQL queries.
- Observe error messages for hints about the database structure.
Blind SQL Injection:
- Use time-based techniques to infer data, such as adding SLEEP(5) commands and seeing if the page response is delayed.
- Employ automated tools like SQLmap for systematic testing.
File Inclusion Vulnerabilities
Local File Inclusion (LFI):
- Test file parameters with local paths (../../etc/passwd) to read local files.
- Look for scripts that include files based on user input without proper sanitization.
Remote File Inclusion (RFI):
- Where input is used to construct file URLs, attempt to replace these with external URLs to your own server.
Insecure Direct Object References (IDOR)
- Try changing parameters like user IDs in the URL or hidden fields to access data belonging to other users.
- Test incrementing numerical IDs or substituting filenames to access unauthorized data.
- Check if directory listing is enabled by accessing directories directly.
- Look for backup files or directories that are not meant to be public.
Unprotected Files and Directories:
- Enumerate common directory and file names to discover unprotected resources.
- Try logging in with default username/password combinations for common software.
Sensitive Data Exposure
- Look for data transmission over HTTP or weak encryption methods.
- Check password reset functionalities and how they handle user information.
Improperly Protected Credentials and Session Tokens:
- Check for hard-coded credentials in client-side code.
- Test for session tokens that don't expire or aren't properly protected with secure flags.
XML External Entity (XXE) Injection
- Where applications parse XML, try to introduce DOCTYPE elements that define external entities containing file URIs.
- Test error messages for information leakage that might confirm the XXE.
Broken Authentication and Session Management
- Look for cookies that are not protected with Secure and HttpOnly flags.
- Test session invalidation during logout and password change operations.
- Where rate limiting is not in place, check how the application handles automated login attempts with known email/password combinations.
Server-Side Request Forgery (SSRF)
Basic Internal Network Probing:
- Use payloads that call back to your server (http://yourserver.com) to see if the application fetches external resources.
- Attempt to access internal IP addresses (http://127.0.0.1, http://192.168.x.x) through the vulnerable application.
Exploitation of Poorly Secured HTTP Clients:
- Test different schema like file://, dict://, ftp:// to access local resources or make unexpected protocol requests.