Look For These Low Hanging Fruits In Bug Bounty

These are a few low-hanging bugs that you can find easily on most web applications.

1. Broken Links

These are links the company has placed on its website that point to resources nobody currently owns. An attacker can claim them and post content in the company's name. Such a link could point to a domain name that is not registered, or to a Twitter, Facebook or LinkedIn username or page that was never registered or that its owner has since deleted.

How to find it?

Use this website to find broken links on any website:

https://www.deadlinkchecker.com/website-dead-link-checker.asp

For more info read this:- https://edoverflow.com/2017/broken-link-hijacking/

Examples:-

https://hackerone.com/reports/1031321

https://hackerone.com/reports/1117079

https://hackerone.com/reports/1239334

https://hackerone.com/reports/1343733


2. Information Disclosure Bugs

Any information that should not be disclosed publicly comes under this category. Sensitive information can be anything the website exposes, such as internal directories, internal IP addresses, API keys, personal information, source code or classified documents.

How to find it?
  • Check the robots.txt file for any hidden directories

  • Use directory discovery tools (ffuf/dirsearch) to find hidden directories and files containing sensitive information, such as info.php or phpinfo.php

  • Use Google dorks: https://dorks.faisalahmed.me/#

Examples:-

https://hackerone.com/reports/321249

https://hackerone.com/reports/200079

https://hackerone.com/reports/384782

https://hackerone.com/reports/1241849

https://hackerone.com/reports/1118898


3. Session Expiration Issues

Insufficient Session Expiration occurs when a web application permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a website's exposure to attacks that steal or reuse users' session identifiers.

How to find it?
  • Try to use the old session cookie after a password change. If the web application doesn't log out existing sessions after a password change, it's vulnerable.

Examples:-

https://hackerone.com/reports/737039

https://hackerone.com/reports/1069392


4. Open Redirect

An HTTP parameter may contain a URL value and cause the web application to redirect the request to that URL. Check out this for more info about this vulnerability:-

https://www.cyberick.com/post/open-redirect-and-its-bypasses


5. ClickJacking

Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another. Its other name, user interface (UI) redressing, better describes what is going on. Users think they are using a web page’s normal UI, but in fact there is a hidden UI in control; in other words, the UI has been redressed. When users click something they think is safe, the hidden UI performs a different action. You can find these vulnerabilities easily.

How to find it?
  • Enter the domain of your target in the script below

<html>
<head><title>Clickjack</title></head>
<body>
<!-- replace www.target.site with the target domain -->
<iframe src="http://www.target.site" width="500" height="500"></iframe>
</body>
</html>
  • If the page loads inside the iframe, it's vulnerable: the response is missing an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive that would stop browsers from framing it
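As an added example (not part of the original post), here is a small Python check of the same property the iframe test exercises: it reads a page's response headers and reports whether browsers will allow framing. It applies the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options when both are present, and that the obsolete ALLOW-FROM value is ignored by current browsers; the sample header sets are constructed for illustration.

```python
"""Decide from response headers whether a page can be framed (clickjacking exposure)."""
from typing import Mapping, Optional


def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify as 'blocked', 'same-origin-only', 'restricted' or 'frameable'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:  # CSP frame-ancestors wins over X-Frame-Options
        if ancestors in (["none"], []):  # empty source list also matches nothing
            return "blocked"
        if ancestors == ["self"]:
            return "same-origin-only"
        if "*" in ancestors:
            return "frameable"
        return "restricted"  # only the listed origins may frame the page
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin-only"
    return "frameable"  # no header, or an obsolete/invalid value such as ALLOW-FROM


# Constructed sample header sets (not captured from any real site)
SAMPLES = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-overrides-xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to its framing policy; 'frameable' is the clickjacking finding."""
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:22s} {verdict}")
```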

Examples:-

https://hackerone.com/reports/405342

https://hackerone.com/reports/591432


6. CSRF(Cross-site request forgery)

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. (Conversely, cross-site scripting (XSS) attacks exploit the trust a user has in a particular Web application). A CSRF attack exploits a vulnerability in a Web application if it cannot differentiate between a request generated by an individual user and a request generated by a user without their consent.

How to Find It?
  • Search for a feature that performs a sensitive action.

  • Check in Burp Suite whether the request carries a CSRF token and whether the server validates it.

  • If not, use the tools below to generate a CSRF PoC for that request

https://security.love/CSRF-PoC-Genorator/

https://github.com/merttasci/csrf-poc-generator

  • Open the HTML file and check whether it performs the action.

  • If not, then it's not vulnerable.

Examples:-

https://hackerone.com/reports/152569

https://hackerone.com/reports/177472

https://hackerone.com/reports/339352

https://hackerone.com/reports/856518

https://hackerone.com/reports/8849

https://hackerone.com/reports/1086752


Note:- These vulnerabilities usually have low impact, and some of them are not accepted by many programs on bug bounty platforms. So check the out-of-scope policy before reporting any of these vulnerabilities.



That's all Folks!

Thank you

Jai Hind!!!