How I Found My First Bug (now you can too)

Introduction

As someone with a background primarily in application security engineering and penetration testing, transitioning into bug bounty hunting presented both opportunities and challenges. While many skills are transferable, my reconnaissance (recon) abilities were quite subpar when I first started in the bug bounty space. It took me quite some time to adapt to the fact that I wouldn’t have access to source code or direct communication with developers regarding specific functionalities or behaviors of applications.

In this article, I’ll outline my approach, the setup I used, and provide a detailed walkthrough of how I discovered my first bug.

Choosing a Target

When selecting a target, there are several factors to consider:

1. Objectives: It's essential to define what you aim to achieve - this could range from earning income, researching a specific vulnerability, or using bug bounty as a learning experience.
2. Approach: Your preference may vary based on whether you aim to find as many bugs as possible or focus on refined testing methodologies.
3. Target Type: Different application types can yield different results. For instance, I prefer applications with multiple user types and complex authorization/authorization models.

My Approach

Here is a checklist of my approach:

1. Recon: Solid recon is fundamental. Influences from experts like Jason Haddix helped me refine this aspect of my approach.
2. Authentication and Authorization Testing: Spending time testing how the application handles various user roles is crucial.
3. Application Logic Attacks: Once familiar with the application's functionality, I focus on the custom code or risky behaviors such as file uploads.
4. Technology-Specific Attacks: Depending on the application technology, I’ll test for specific vulnerabilities tied to that tech stack.
5. Injection Attacks: Finally, focus may shift to injection attacks and related vulnerabilities based on previous findings.

Automation

For efficiency, I created a script that queries targets every 24 hours, running tools like web analyzers. The script also tracks changes over time and notifies me on Discord of any updates to the targets being monitored. If there's interest, I can provide a tutorial on how to create such a script.

Finding My First Bug

The target I selected was an API-driven application with multiple account types, including standard users and teams. This complexity provided many avenues for exploration.

1. I created two accounts each for the standard user and team-admin roles and carefully examined the JSON web tokens (JWTs) to compare claims and attributes.
2. After exploring various authentication checks and attempting mass assignment attacks, I encountered an interesting situation during account updates.
3. While testing endpoints for updating account information, I modified the request body to include another user's object ID—which should have been restricted access—and found that the admin for one team could update information for a different team's account, revealing a broken function-level authorization.

I documented the steps thoroughly, took screenshots, and submitted a detailed report for responsible disclosure. A few days later, the vulnerability was verified.

Reflection and Advice

From my experience, finding one bug often leads to discovering more, as similar patterns may reveal deeper systemic issues in the application. If you successfully find vulnerabilities, it may indicate broader flaws in overall design or security measures.

Sadly, my first bug was part of a responsible disclosure program, which meant there was no monetary reward, but the learning experience was invaluable.

Final Insights

• Tailor Your Strategy: Align your methods with your personal goals rather than following generic advice.
• Seek Complexity: Choose applications with multifaceted user roles and permissions, as they often harbor more vulnerabilities.
• Understand the Application: The better you know an application, the more effectively you’ll discover its weaknesses.
• Consistent Commitment: Instead of relying on motivation which can be fleeting, set a schedule for your bug bounty work to ensure sustained progression.

Keywords

bug bounty, application security, pen testing, reconnaissance, authentication, authorization, JSON web tokens, broken function-level authorization, automation, responsible disclosure.

FAQ

Q: What is bug bounty hunting?
A: Bug bounty hunting is a practice where security researchers find and report vulnerabilities in software or applications, often in exchange for a reward or recognition from the software providers.

Q: How can I improve my reconnaissance skills?
A: Study techniques and methodologies from experts in the field, practice on various applications, and regularly review your recon processes to stay updated.

Q: What should I look for when choosing a target?
A: Consider your objectives, the complexity of the application, the type of vulnerabilities you wish to explore, and the diversity of user roles in the application.

Q: How can automation assist in bug bounty hunting?
A: Automation helps keep track of targets, checks for updates, and runs initial scans, making your testing process more efficient and organized.

Q: What was the value of finding my first bug?
A: Even though my first bug had no financial reward due to the responsible disclosure context, the knowledge gained and insights learned were invaluable for my growth in this field.