Reflections on a Decade in Bug Bounties : Experiences and Major Takeaways
About Niks
• A Decade in bug bounty
• Synack Red Team Legend
• Founder BSides Ahmedabad
• Advisor RiskProfiler.io
About Charlie
• Texas native Charlie has a deep interest in computer science.
• Starting as an international flight attendant at United Airlines, he transitioned to networking, programming, stack development, web design, and finally breaking stuff.
• Helped manage over 2400 engagements with teams of over 1000 researchers across all verticals in commercial and government.
• Helped develop products around OWASP, NIST, OSINT, API and AI testing.
Early 2013 - Inception
• Was working at an ethical hacking training company
• Often found myself out of money by the middle of each month
• Had no idea what bug bounties were
• My co-worker Jinen told me about the PayPal Bug Bounty Program
• That was my introduction to bug bounty
• But bug bounties were still rare then; as far as I knew, only Google and PayPal had paid programs and the rest ran VDPs
Inspiration
• Came across a blog post claiming XSS in a Google acquisition and some other apps
• Such findings look simple, but you need to know the target's assets
New Opportunities
• Decided to try the Google Bug Bounty first
• Had no real idea what a bug was; submitted random things with no logic behind them
Progress
• Reported to Google all year and got only Duplicate, No-Impact or HOF (Hall of Fame) outcomes
Breaking the Barrier
• After little success with Google, moved on to a new program
• Heard about a new independent program, the Nokia Vulnerability Disclosure
• But it wasn't a plain VDP: they were giving away their most expensive smartphones for top-severity issues
• Top severity meant only SQLi, RCE, command injection etc.
• All Nokia assets in scope
• Listed all their assets
• Tested only for SQLi
• Got a SQL error on one asset
• After testing further, was able to dump their DB
Key Takeaways Until Now
• Don't give up
• When one door closes, another opens up
Motivated, now what? (Mid 2013)
• A small success, but it gave me motivation to do better
• Went on to report and get paid across multiple bug bounty programs such as Mozilla, Barracuda Labs, PayPal, Squidoo, eBay etc.
Note: Since I lost access to my old email account, these screenshots were taken from my Facebook account.
The Genesis of Bug Bounty Platforms
• Got to know about some bug bounty platforms running paid bug bounty programs (Late 2013)
• While HackerOne and Bugcrowd allowed direct sign-up
• Synack used a hands-on assessment, a written assessment and ID verification to onboard researchers
Struggle to compete at the highest level
• Yahoo started their program with HackerOne
• First bug was an XSS in Yahoo mobile mail, but the bounty was low; I feel I fell short at demonstrating the impact
• On Bugcrowd, of the 89 bugs I reported, 29 were accepted, 48 were duplicates and the rest were rejected for various reasons
Not fast enough
Worst report writing
Shortcomings?
• Always looking for low-hanging fruit
• Poor report writing
• Not chaining bugs to make findings impactful
• Slow to report
Target Approach
• Delving into impactful findings and blogs by other bug bounty hunters
• Exploring pen-test reports and excellently written bug bounty reports, and gathering feedback from triagers to improve my reports
• Adapting to platforms
• CTFs and labs
• One target at a time
• While H1 and BC accepted reports on a first-come, first-served basis
• Synack, during 2016-2023, had a Quality rule
• The Quality rule was a 24-hour rule: they gave you ample time to write the report, and only well-written reports were accepted
• Only after the first 24 hours following program launch did first-come, first-served apply
• Besides that, they also mandated the use of LaunchPoint (VPN)
• For a newcomer it was a bit complex to hunt on Synack, but once you've been working on it for a while, you get used to it
Skills refined
SSRF in HelloSign
• Microsoft started their bug bounty program for online services (Late 2014)
• Submitted multiple reports
• 90% of them were accepted, against 10% duplicates
• Was included in the MSRC Top 100
Progress
• Late 2015 - Early 2016
• Built a financial backup out of bug bounty
• Stepped away from the 9-to-5 job
• Became a full-time bug bounty hunter
• Had the confidence to do better
SQL Injection in an e-commerce Solution
• Onboarded onto a target that was an e-commerce solution
• While modifying the profile, came across the parameter `country_id`
• Got a SQL error after adding a single quote
Key Discoveries
Unauthenticated SQL Injection in an Online Car Marketplace
• Started with directory and file brute-forcing
• The application kept redirecting me to a login page on every brute-forced directory and file
• The login page redirected me to the portal page, creating a redirect loop
• Tried changing the HTTP method, but got the same result
• Noticed the application was using a third-party solution
• After a quick search, found it was a hosted e-invoicing solution
• The idea was to retrieve the application's paths and try brute-forcing again with those
But … demo only
• Explored a bit to find any hosted version with credentials exposed
• Ended up on a YouTube video of the application demo
• Just watching the video ended up disclosing the invoicing details of all their clients
• Further, decided to check the application's subdomains to see if a demo version was hosted on one of them
• After a quick subfinder run, I ended up with plenty of demo instances
• After exploring a bit, I found none of the demo instances had authentication
• After watching the YouTube video again, I found that clients don't need to log in: very specific links were generated and sent to the client to view/pay
• So instead of capturing paths, I now captured all POST-based requests
• Next, I replayed them on the in-scope domain
• It worked, without the redirect loop
• Next, I tested all parameters for SQLi and found a couple of them vulnerable
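Why a single quote in `country_id` surfaces as a database error, shown beside the bound-parameter version of the same lookup, as an added example that is not the talk's or any vendor's code; it uses an in-memory SQLite table with constructed rows, and the handler names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the profile's country table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO countries VALUES (?, ?)",
                     [(1, "India"), (2, "United States")])
    return conn


def lookup_country_vulnerable(conn, country_id: str):
    # Raw parameter interpolated into the statement: a stray quote reaches
    # the SQL parser as syntax, which is the error observed above.
    sql = f"SELECT name FROM countries WHERE id = '{country_id}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_country_hardened(conn, country_id: str):
    # Validate against the type the schema expects, then bind the value;
    # the driver never lets it reach the parser as SQL text.
    if not country_id.isdigit():
        raise ValueError("country_id must be a positive integer")
    row = conn.execute("SELECT name FROM countries WHERE id = ?",
                       (int(country_id),)).fetchone()
    return row[0] if row else None


def probe(handler, conn, value: str) -> str:
    """Classify a request outcome the way it shows up in logs or a triage note."""
    try:
        return "ok" if handler(conn, value) is not None else "no-row"
    except sqlite3.OperationalError:   # database error leaked to the caller
        return "sql-error"
    except ValueError:                 # input rejected before any query ran
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    for val in ("1", "1'"):
        print(repr(val), probe(lookup_country_vulnerable, db, val),
              probe(lookup_country_hardened, db, val))
```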
Key Discoveries
Path Traversal + SSRF in a Bank Asset
While browsing the application, stumbled across the cdnFileName parameter
• cdnFileName takes a file name as input, e.g. user_tools.bundle
• Comment in the response was "/* File : api.github.com/repos/bank-name-frontend/contents/dist/dev/assets/js/user_tools.bundle.js */"
• Tried to traverse the directory using "../" up to /repos/bank-name-frontend/
• Then used the GitHub API to query their internal data
• Final payload: ../../../../../events?t=
Worked as expected; was able to query the GitHub API and leak internal data
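How the `../` payload above walks out of the asset directory, beside a hardened URL builder that refuses it, as an added example (not the bank's code): the directory layout is taken from the quoted comment, the repo segment is the talk's own redaction, and the server appending `.js` is an assumption that would also explain the trailing `?t=` in the payload.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

GITHUB_API = "https://api.github.com"
ASSET_DIR = "/repos/bank-name-frontend/contents/dist/dev/assets/js/"
SUFFIX = ".js"   # assumed server-side suffix; "?t=" turns it into a query string


def build_asset_url_vulnerable(cdn_file_name: str) -> str:
    # Plain concatenation: "../" segments walk out of ASSET_DIR and the
    # backend relays whatever GitHub API path results, with its own token.
    return GITHUB_API + ASSET_DIR + cdn_file_name + SUFFIX


def effective_api_path(url: str) -> str:
    """Path the API actually sees after dot-segment resolution (query dropped)."""
    return posixpath.normpath(urlsplit(url).path)


def build_asset_url_hardened(cdn_file_name: str) -> str:
    # 1. Only a bare file name is ever legitimate for this parameter: no
    #    separators, no query characters, no leading dots.
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*", cdn_file_name):
        raise ValueError("cdnFileName must be a bare file name")
    # 2. Belt and braces: resolve and confirm we are still inside ASSET_DIR.
    full = posixpath.normpath(ASSET_DIR + cdn_file_name + SUFFIX)
    if not full.startswith(ASSET_DIR):
        raise ValueError("path escapes the asset directory")
    return GITHUB_API + quote(full)


def is_accepted(cdn_file_name: str) -> bool:
    try:
        build_asset_url_hardened(cdn_file_name)
        return True
    except ValueError:
        return False
```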
Key Discoveries
Account Takeover
• After subdomain discovery, stumbled across a subdomain
• It was returning a 403 Forbidden error
Did a quick Google search using "site:"
It yielded numerous results, but one stood out as particularly interesting.
• The page was asking for some ID (DVN)
• Figured DVN stands for some vendor number
• After exploring further, found it is a 9-digit number assigned to all vendors at the time of licensing
• A quick Google search for DVN IDs found them under Google Images, written on some papers
• Most of these are on "yumpu.com", so it's easy to collect more such numbers
• After entering the DVN number and using forgot password
• Figured out it was resetting the password first and sending the newly created password to the user's email in plaintext
• Was able to take over any account just by knowing the DVN number
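A forgot-password flow without this flaw, as an added example that is not the vendor portal's code: the DVN is treated as a public identifier, no password is ever generated or mailed, and only a single-use, expiring token goes to the address already on file. The user record, DVN value, hostnames and addresses are constructed.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store; the DVN and address are made-up sample values.
USERS = {"123456789": {"email": "vendor@example.test", "pw": None}}
RESET_TOKENS = {}      # sha256(token) -> (dvn, expires_at)
OUTBOX = []            # stand-in for the mail sender: (recipient, link)
TOKEN_TTL = 15 * 60    # seconds
GENERIC_REPLY = "If that vendor number is registered, a reset link has been emailed."


def request_reset(dvn: str, now: Optional[float] = None) -> str:
    """Knowing a DVN (they sit on scanned paperwork) must grant nothing: the
    reply is identical either way, no password is minted, and only a token is
    sent, only to the address already on file."""
    now = time.time() if now is None else now
    user = USERS.get(dvn)
    if user is not None:
        token = secrets.token_urlsafe(32)
        # Store a hash only, so a leaked table cannot be replayed as live tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (dvn, now + TOKEN_TTL)
        OUTBOX.append((user["email"], f"https://portal.example.test/reset?token={token}"))
    return GENERIC_REPLY


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Single-use and time-bound; the new password is chosen by the user, never emailed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return False
    dvn, _ = entry
    salt = secrets.token_bytes(16)
    USERS[dvn]["pw"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True


def last_mailed_token() -> str:
    """Inspection helper: the token embedded in the most recent reset mail."""
    return OUTBOX[-1][1].split("token=", 1)[1]
```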
Key Discoveries
SSRF in Attack Surface Management
• The application takes a domain name as input
• It then starts recon for subdomains, IP addresses, certs etc.
• It also captures a screenshot of the parent domain
Thought of putting in a domain name with a redirect set up on its index page, e.g.
Added the domain to the internet inventory, but no screenshot was captured
• After exploring further, I figured out they were not using EC2 but Lambda
• Then looked for any internal API specific to Lambda
• Came across a tweet
Changed the redirect URL to "localhost:9001/2018-06-01/runtime/invocation/next"
Attempted the SSRF again and got the event data that was passed into the function for that current execution
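A screenshot fetcher that re-checks every redirect hop against the resolved address, so the `localhost:9001` runtime API hop above is refused, as an added example (not the vendor's code); DNS answers and redirect behaviour are constructed in-memory tables, and the hostnames are made up.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-ins for DNS and for each host's redirect behaviour; a real
# screenshot worker would use socket.getaddrinfo() and its HTTP client here.
# The public addresses are well-known resolvers used only as placeholders.
FAKE_DNS = {
    "inventory-target.test": "8.8.8.8",
    "redirecting-target.test": "8.8.4.4",
    "localhost": "127.0.0.1",
}
FAKE_REDIRECTS = {
    # Index page of the submitted domain 302s into the Lambda runtime API,
    # the hop that handed back the function's event data in the talk.
    "http://redirecting-target.test/":
        "http://localhost:9001/2018-06-01/runtime/invocation/next",
}


def is_public_target(url: str) -> bool:
    """True only for http(s) URLs whose host resolves to globally routable space."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(FAKE_DNS[parts.hostname.lower()])
    except (KeyError, ValueError):
        return False          # unresolvable or garbage: do not fetch
    # is_global is False for loopback, RFC 1918, link-local (which covers the
    # 169.254.169.254 metadata endpoint) and other reserved ranges.
    return addr.is_global


def fetch_for_screenshot(url: str, max_hops: int = 5) -> str:
    """Follow redirects by hand so every hop is re-checked; returns the final URL."""
    for _ in range(max_hops + 1):
        if not is_public_target(url):
            raise ValueError(f"blocked non-public target: {url}")
        nxt = FAKE_REDIRECTS.get(url)
        if nxt is None:
            return url        # here the real worker would render the page
        url = nxt
    raise ValueError("too many redirects")


def screenshot_allowed(url: str) -> bool:
    try:
        fetch_for_screenshot(url)
        return True
    except ValueError:
        return False
```

In a real worker, connect to the address you validated rather than letting the HTTP client resolve the name a second time, or a rebinding DNS answer slips past the check.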
XXE in Help Desk Software
• While registering for the application, came across a WSDL file
• Used the Wsdler Burp extension to parse the file
Directly calling a file through the XXE payload only enumerated the file
• To exfiltrate the data, thought of using an emulated FTP server
• Fired the payload and was able to exfiltrate the content of the /etc/passwd file
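The parser-side fix for both the file-enumeration and the FTP-exfiltration variants above, as an added example (not the help desk product's code): a stdlib expat parser that rejects any DOCTYPE, exercised with a constructed benign ticket body and a constructed probe of the same shape the talk describes.

```python
import xml.parsers.expat as expat


class RejectedXML(ValueError):
    """Raised for DTD machinery this endpoint never needs, or malformed input."""


def parse_request_no_dtd(data: bytes) -> dict:
    """Parse a small SOAP-style body into {element: text}, refusing any DTD.

    Both behaviours above (the bare file read and the out-of-band exfiltration)
    need an entity declaration, so the DOCTYPE is rejected outright instead of
    trying to filter individual entities."""
    parser = expat.ParserCreate()
    # Never load parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXML(f"DOCTYPE {name!r} not allowed")
    def reject_external_entity(context, base, sysid, pubid):
        return 0  # tells expat to abort with an external-entity error
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    fields, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    def on_text(text):
        if stack and text.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + text
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"rejected: {exc}") from exc
    return fields


def accepts(data: bytes) -> bool:
    try:
        parse_request_no_dtd(data)
        return True
    except RejectedXML:
        return False


# Constructed sample bodies: a benign ticket and an XXE probe of the shape
# described above (an external entity pointing at a local file).
BENIGN = b"<Envelope><Body><Ticket><subject>Printer down</subject></Ticket></Body></Envelope>"
XXE_PROBE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             b"<r>&xxe;</r>")
```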
While full-time bug bounty is great, it affects mental health in some ways
• One or two bad months and you will start doubting yourself
• Imposter syndrome: constantly comparing oneself to others and feeling inadequate
• Burn-outs are quite normal
• Frustration: reports rejected or marked duplicate, disputes with triage/client, prolonged waiting on a report etc.
• Stress: until reports get triaged
Addressing Mental Health
• Read publicly disclosed bug bounty reports
• Read blog posts by bug hunters
• Read research papers or watch conference talks
• Watch Twitter for #bugbounty or #bugbountytips trends
• Attend conferences
• Subscribe to good newsletters
• Collaborate
• Pay close attention to scope. Nothing hurts more than spending time on a report only to find it was never in scope.
• Do not submit numerous low-impact reports in the hope that something will get paid. Focus on impact.
• Tune your automated tools.
• We receive many submissions in a short timeframe, so it may take time for your report to be reviewed. Be patient and follow up politely if you haven't received a response within a reasonable timeframe.
• Use professional and respectful language when communicating with the triage team. Be responsive to any questions or requests for clarification.
• Write clear, concise, and detailed reports that include all necessary information.