
The Art of Bug Bounty Hunting

Be a Bug Bounty Hunter

Audience
The target reader does not need any prior knowledge of web application or mobile application security. The book
guides the reader through the process of bug bounty hunting and provides all the knowledge required to become a
successful bug bounty hunter.

Mission
• Bug bounty hunting is a relatively new method that companies use to test their applications. The book allows
readers to train themselves as bug bounty hunters and excel in the field of application security.
• There is no dedicated methodology in place right now to help researchers upskill themselves and become bug
bounty hunters, which is why there is ambiguity about what the field involves; the book solves that problem.
• The book starts by teaching researchers the basics of bug bounty hunting: the platforms, the reporting
methodologies, and the do's and don'ts. It then analyzes each web application and mobile application
vulnerability with reference to several published bug bounty reports, so the reader learns how each class of bug is
found and reported in practice.

Objectives and achievements


• Basics of Bug Bounty Hunting
• Hunting bugs in Web applications
• Hunting bugs in Android applications
• Analysis of top 300 Bug Reports
• Bug Bounty Hunting Research Methodologies

General structure
Use this section to set out a high-level structure for the book – to set out a series of stages that will take the reader to
the mission’s conclusion and cover the objectives. The aim is to develop a more structured book with a modular
outline that would be easier for our readers to use. We can do this along the following lines:

1. Divide books into approximately 3-5 parts. These will consist of a few chapters each. They will provide a simple
overall structure to the book. This can be as simple as “basics, core content, and advanced techniques”.

2. Each chapter should have a clear focus, avoiding vague divisions like part 1/part 2 or basic/advanced. Each
chapter title should clearly state what aspect of the overall topic the chapter deals with, in language the readers will
easily understand.

3. Each chapter should divide into approximately 5 sections. These will all have a clear focus of their own,
subdividing the chapter’s topic into subtopics or stages.

Each section, chapter, and part should work on its own and flow naturally from section to section. We should assume
that some readers will work through the book cover to cover, and others will come in just for specific sections. The
book must work for both kinds of readers -- as a tutorial and a reference. Each chapter should have a strong focus
and all chapter titles should reflect it.

The Art of Bug Bounty Hunting Page 1 01 December 2019


To make things easier for you, I have attached a screenshot that will help you understand the difference between a
normal outline and a modularized one.

Before moving into the details, check: is this really giving readers what they want? Does every step move them
significantly closer to the goal? Is there anything I could take out, or anything I need to add to enable the reader to
complete the mission? Feel free to discuss with your editor if you want a second brain involved.

Detailed outline

Part 1- The Basics

Chapter 1: Introduction : Easy : 20


Description:
This chapter introduces the book: its preface, how the book will benefit readers in the long run, and how they can
take advantage of the knowledge it contains.

Introduction
How It All Started
Just Examples and My First Sale
Who This Book Is Written For
Chapter Overview
Word of Warning and a Favour
Background



Skills Learned:
1. How to read the book
2. What to expect from the book
3. What not to expect

Chapter 2: Basics of Bug Bounty Hunting : Easy : 15


Description:
This chapter gives the reader an overview of what bug bounty hunting is and the key initial steps for doing it,
including the techniques, platforms and tools required.

Getting Started
Information Gathering
Application Testing
Digging Deeper
Summary

Skills Learned:
1. How to start bug bounty hunting
2. What platforms to use
3. How to hunt for bugs in applications

Chapter 3: How to write a Bug Bounty Report : Medium : 20


Description:
This chapter shows the reader how to use a vulnerability coordination platform to write bug bounty reports and how
to respond to a company's questions with caution and respect. It also provides tips on how to increase payouts.

Vulnerability Reports
Read the disclosure guidelines
Include Details Then Include More
Confirm the Vulnerability
Show Respect for the Company
Bounties

Skills Learned:
1. How to write bug bounty reports
2. How to respond to a company's questions
3. How to increase the chances of a payout



Part 2- Analysis and Vulnerabilities

Chapter 3: HTML Injection : Easy : 20


Description:
This chapter is about HTML injection, which occurs when a user controls an input point and can inject arbitrary
HTML into a vulnerable web page. The attacker can then modify the page content seen by victims (for example, inject
a fake login form that posts credentials to the attacker) and, where the injected markup is allowed to execute script,
disclose a user's session cookies and impersonate the victim.

HTML Injection
Description
Examples
Coinbase Comments
Hacker One Unintended HTML Inclusion
Within Security Content Spoofing
Summary

Skills Learned:
1. What is HTML Injection
2. Top HTML Injection BB reports
3. How to find HTML Injection

Chapter 4: HTTP Parameter Pollution : Medium : 15


Description:
This chapter analyzes bug bounty reports on HTTP Parameter Pollution (HPP). Supplying multiple HTTP parameters
with the same name may cause an application to interpret the values in unanticipated ways: some stacks take the
first occurrence, some the last, and some join them. By exploiting these differences, an attacker may be able to
bypass input validation, trigger application errors or modify internal variable values. Because HPP affects a building
block of all web technologies, both server-side and client-side attacks exist.
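The first-versus-last disagreement described above, as an added example that is not part of the book or of any of the cited reports. It uses Python's own query-string parser to show the three interpretations of a duplicated parameter, a hypothetical front-end filter that checks only the first `action` value, a hypothetical backend that acts on the last, and a hardened accessor that refuses ambiguous input. The query strings and the platform behaviours named in the comments (as documented in the OWASP testing guide) are the assumptions.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request: the attacker repeats the "action" parameter. A filter that
# reads the first occurrence sees "view"; a backend that reads the last sees "delete".
POLLUTED_QUERY = "id=42&action=view&action=delete"
CLEAN_QUERY = "id=42&action=view"


def first_value(query: str, name: str):
    """First occurrence wins (the behaviour commonly cited for Java servlets)."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            return value
    return None


def last_value(query: str, name: str):
    """Last occurrence wins (the behaviour commonly cited for PHP/Apache)."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[-1] if values else None


def joined_value(query: str, name: str):
    """Occurrences joined with a comma (the behaviour commonly cited for ASP.NET/IIS)."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return ",".join(values) if values else None


def polluted_parameters(query: str):
    """What a hunter looks for in a request: parameter names that occur more than once."""
    counts = {}
    for key, _ in parse_qsl(query, keep_blank_values=True):
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


SAFE_ACTIONS = {"view", "list"}


def front_end_filter_allows(query: str) -> bool:
    """Hypothetical WAF/proxy rule that inspects only the first 'action' value."""
    return first_value(query, "action") in SAFE_ACTIONS


def back_end_action(query: str):
    """Hypothetical PHP-style backend that acts on the last 'action' value."""
    return last_value(query, "action")


def hpp_bypass(query: str) -> bool:
    """True when the filter accepts the request but the backend performs an action the filter never saw."""
    return front_end_filter_allows(query) and back_end_action(query) not in SAFE_ACTIONS


def single_value(query: str, name: str) -> str:
    """Hardened accessor: refuse ambiguous input instead of silently picking one occurrence."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        raise ValueError(f"parameter {name!r} must appear exactly once, got {len(values)}")
    return values[0]


def is_unambiguous(query: str, name: str) -> bool:
    try:
        single_value(query, name)
        return True
    except ValueError:
        return False
```

When hunting, the useful signal is any place where two components parse the same request: a WAF in front of PHP, a JavaScript validator in front of a servlet, or a social-sharing widget that rebuilds a URL from parameters it did not fully parse. The fix is the same on every stack: read each parameter through an accessor that fails when the name is duplicated.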

HTTP Parameter Pollution


Description
Examples
HackerOne Social Sharing Buttons
Twitter Unsubscribe Notifications
Twitter Web Intents
Summary

Skills Learned:
1. How to find HPP bugs in applications
2. Top HPP Bug Bounty reports
3. HPP Essentials



Chapter 5: CRLF Injection: Medium : 20
Description:
This chapter focuses on CRLF injection bug bounty reports. A CRLF injection attack occurs when a user manages to get
a carriage return and line feed sequence (CRLF, `%0d%0a` when URL-encoded) into an application, most commonly
through an HTTP parameter or URL that the application later writes into a response header. Because CRLF terminates
a header line, the attacker can append headers of their own, or even a second response body (HTTP response splitting).
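The response-splitting mechanism in the passage above, as an added example that is not code from the book or from the Twitter and Shopify reports it lists. It assumes a redirect handler that writes raw HTTP headers itself (modern frameworks such as Python's `http.client` refuse CR/LF in header values, so the bug is found in hand-rolled or older stacks). The `PAYLOAD` value, the handler and the tiny header parser standing in for the browser are all constructed here.

```python
import re
from urllib.parse import unquote

# Constructed attacker value as it would appear in the URL: %0d%0a decode to CR LF,
# so a second header line lands in the response behind the real Location header.
PAYLOAD = "https://example.com/%0d%0aSet-Cookie:%20session=attacker"
BENIGN = "https://example.com/account"


def vulnerable_redirect(next_url: str) -> bytes:
    """Vulnerable: the decoded parameter is written straight into a raw HTTP response header."""
    location = unquote(next_url)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def hardened_redirect(next_url: str) -> bytes:
    """Hardened: refuse any CR or LF after decoding, rather than trying to strip or re-encode it."""
    location = unquote(next_url)
    if re.search(r"[\r\n]", location):
        raise ValueError("CR/LF is not allowed in a header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Minimal header parser standing in for the browser or proxy that reads the response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(next_url: str) -> dict:
    """What the attacker gains from the vulnerable handler: every header beyond the intended two."""
    headers = parse_headers(vulnerable_redirect(next_url))
    return {k: v for k, v in headers.items() if k not in ("location", "content-length")}


def hardened_accepts(next_url: str) -> bool:
    try:
        hardened_redirect(next_url)
        return True
    except ValueError:
        return False
```

The check must run after URL decoding, since the raw parameter contains `%0d%0a` rather than the control characters themselves. A `Set-Cookie` header is the classic proof of impact (session fixation); two CRLF pairs followed by a body give a full second response, which is the "splitting" case in the Twitter report.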

Description
Twitter HTTP Response Splitting
Shopify.com Response Splitting
Summary

Skills Learned:
1. How CRLF attack works
2. What are top CRLF bugs
3. How can CRLF be used against systems

Chapter 6: Cross site request forgery: Medium: 20


Description:
This chapter covers basic CSRF attacks and the corresponding bug bounty reports. Cross-Site Request Forgery (CSRF)
is an attack that forces an end user to execute unwanted actions on a web application in which they are currently
authenticated: the browser attaches the user's session cookie to requests triggered from an attacker-controlled page,
so the application cannot tell the forged request from a genuine one unless it demands something the attacker's page
cannot produce.
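The synchronizer-token defence the passage points at, as an added example (not code from the book or from the Shopify and Badoo programs it lists). It models a hypothetical "disconnect Twitter" POST handler, first without and then with a token check; the request dictionaries, session ids and `SECRET_KEY` are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (constructed here; in practice loaded from configuration).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id), so no server-side store is needed."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_disconnect(request: dict) -> int:
    """Vulnerable: any POST that carries the victim's session cookie is honoured, wherever it came from."""
    if request["method"] != "POST":
        return 405
    if not request["cookies"].get("session"):
        return 401
    return 200  # account disconnected


def hardened_disconnect(request: dict) -> int:
    """Hardened: the form must echo a token that only a page served to the victim could have contained."""
    if request["method"] != "POST":
        return 405
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    # constant-time comparison; a plain == would leak how many leading bytes matched
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    return 200


def make_request(session_id: str, form: dict) -> dict:
    """Constructed request: the browser attaches the session cookie automatically in every case."""
    return {"method": "POST", "cookies": {"session": session_id}, "form": form}


# The victim's legitimate submission carries the token rendered into the real settings page.
VICTIM_SESSION = "victim-session-id"
LEGITIMATE = make_request(VICTIM_SESSION, {"csrf_token": issue_csrf_token(VICTIM_SESSION)})
# The forged submission comes from an auto-submitting form on attacker.example; the attacker cannot
# read the victim's page, so the best they can do is omit the token or supply one from their own session.
FORGED = make_request(VICTIM_SESSION, {})
GUESSED = make_request(VICTIM_SESSION, {"csrf_token": issue_csrf_token("attacker-session-id")})
```

When testing, the first thing to try is simply removing the token parameter: many applications validate a token only when one is present. `SameSite=Lax` cookies and an `Origin` header check are worthwhile defence in depth, but neither replaces the token for state-changing requests.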

Description
Examples
Shopify Export Installed Users
Shopify Twitter Disconnect
Badoo Full Account Takeover
Summary

Skills Learned:
1. How CSRF attack works
2. Top CSRF BB reports
3. Preventing CSRF attacks

Chapter 7: Application Logic Vulnerabilities : Difficult : 30


Description:
This chapter is about business logic and application logic flaws. Such flaws are unique to each custom application,
potentially very damaging, and difficult to test for automatically. Attackers exploit business logic by reasoning about
how the application is meant to work and then abusing legitimate functionality in ways the developers did not
anticipate, for example by racing two requests, skipping a step in a workflow, or reaching an endpoint that assumed a
prior check had already run.

Description
Examples
Shopify Administrator Privilege Bypass
Starbucks Race Conditions
Binary.com Privilege Escalation
HackerOne Signal Manipulation
Shopify S3 Buckets Open
HackerOne S3 Buckets Open
Bypassing GitLab Two Factor Authentication
Yahoo PHP Info Disclosure
HackerOne Hacktivity Voting
Accessing PornHub’s Memcache Installation
Summary

Skills Learned:
1. What business logic flaws are
2. How to find business logic flaws
3. How business logic flaws work

Chapter 8: Cross site scripting attacks : Difficult : 30


Description:
This chapter covers the bug bounty approach to XSS vulnerabilities. Cross-site scripting (XSS) is a vulnerability
typically found in web applications that enables attackers to inject client-side scripts into web pages viewed by
other users. It arises whenever user-controlled data is written into a page without the output encoding appropriate
to the context it lands in (text, attribute, or script).
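The context-dependent encoding described above, as an added example that serves both the HTML injection chapter and this one; it is not code from the book or from the Shopify, Yahoo or Google reports it lists. A hypothetical greeting page renders a display name into a text node, an attribute and a script block, first without encoding and then with the encoding each context needs. The `PROBE` string and the page layout are constructed here.

```python
import html
import json

# Constructed probe of the kind a hunter submits: it closes the attribute it lands in and opens a tag.
PROBE = '"><img src=x onerror=alert(1)>'


def render_vulnerable(display_name: str) -> str:
    """Vulnerable: the value is pasted into a text node and an attribute with no encoding at all."""
    return f'<p>Hello {display_name}</p><input name="n" value="{display_name}">'


def render_hardened(display_name: str) -> str:
    """Hardened: HTML-encode for the text and quoted-attribute contexts (quote=True also encodes ' and ")."""
    encoded = html.escape(display_name, quote=True)
    return f'<p>Hello {encoded}</p><input name="n" value="{encoded}">'


def render_hardened_script(data: dict) -> str:
    """Hardened for the <script> context: JSON-encode and escape '</' so data cannot close the script tag."""
    payload = json.dumps(data).replace("</", "<\\/")
    return f"<script>var data = {payload};</script>"


def embedded_data(page: str) -> dict:
    """Recover the JSON the script tag carries (what the browser's JS engine sees as `data`)."""
    start = page.index("var data = ") + len("var data = ")
    end = page.rindex(";</script>")
    return json.loads(page[start:end])


def reflected_unencoded(page: str, probe: str) -> bool:
    """Hunter's check: does the probe come back byte for byte, i.e. without entity encoding?"""
    return probe in page


def count_script_closers(page: str) -> int:
    """One closer means the data stayed inside the script; more than one means it broke out."""
    return page.count("</script>")
```

The same `html.escape` output that stops XSS also stops plain HTML injection, since a `<` that reaches the page as `&lt;` cannot open a tag. The script-context case is the one hunters most often find half-fixed: HTML-encoding does nothing inside `<script>`, and JSON encoding alone still lets a `</script>` in the data terminate the block, which is why the `</` substitution is needed.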

Cross-Site Scripting Attacks


Description
Examples
Shopify Wholesale
Shopify Giftcard Cart
Shopify Currency Formatting
Yahoo Mail Stored XSS
Google Image Search
Google Tagmanager Stored XSS
Summary

Skills Learned:
1. What are XSS attacks
2. How to find XSS in bug Bounty programs
3. Top XSS reports

Chapter 9: SQL Injection : Medium : 20


Description:
This chapter is mostly about finding SQL injection flaws in bug bounty programs. SQL injection is one of the most
common web hacking techniques: attacker-controlled input from a web page is placed into a SQL statement in a way
that changes the statement's structure, instead of being treated purely as data.
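The structural change the passage describes, as an added example that is not code from the book or from the Drupal report it cites. It runs a hypothetical login query against an in-memory SQLite database, first with string concatenation and then with bound parameters, and includes the single-quote probe a hunter sends first. The table, accounts and payloads are constructed here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: input is spliced into the statement text, so quotes in it change the query's structure."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: bound parameters travel separately from the statement text and are always data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def quote_probe(conn: sqlite3.Connection, login) -> bool:
    """Hunter's first test: a lone quote breaks the syntax of a concatenated query but not a parameterised one."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True
```

Two payloads show the two classic outcomes: `admin'--` comments out the password check and logs in as a chosen user, while `' OR '1'='1` in the password field makes the WHERE clause true for every row. The error from the quote probe is what a hunter reports as the first signal; in a program that hides errors, timing or boolean differences take its place.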
Description
Examples
Drupal SQL Injection
Summary

Skills Learned:
1. How to find SQL injection
2. How does SQL injection work
3. SQL injection in bug bounty program



Chapter 10: Open Redirect Vulnerabilities : Medium : 20
Description:
This chapter covers open redirect vulnerabilities in web applications. Unvalidated redirects and forwards occur when
a web application accepts untrusted input that causes it to redirect the request to a URL contained within that input.
By changing the URL to point at a malicious site, an attacker can launch a convincing phishing scam, since the link the
victim clicks starts on the trusted domain, and steal user credentials.
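A redirect validator that handles the bypasses hunters try against naive checks, as an added example that is not code from the book or from the Shopify and HackerOne reports it lists. The allowed host set is an assumption; the tricky inputs in the test (protocol-relative `//`, backslash, userinfo `@`, and `javascript:`) are the standard ones.

```python
from urllib.parse import urlsplit

# Hosts the application is allowed to send users to (assumed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only same-site absolute paths or absolute URLs whose host is explicitly allowed."""
    if not target:
        return False
    # Browsers accept backslashes as path separators, so "/\evil.com" behaves like "//evil.com".
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, ...
    if parts.netloc:
        # .hostname strips userinfo and port, so "example.com@evil.com" is judged by "evil.com"
        return (parts.hostname or "") in allowed_hosts
    # No authority component: accept only a plain absolute path ("/" but not "//" or "///").
    return target.startswith("/") and not target.startswith("//")


def redirect_target(user_supplied: str, default: str = "/") -> str:
    """Fall back to a fixed in-app location whenever the requested target fails validation."""
    return user_supplied if is_safe_redirect(user_supplied) else default
```

The common broken fix is a `startswith("/")` or `startswith("https://example.com")` check; the first passes `//evil.example` and the second passes `https://example.com.evil.example`. Parsing the URL and comparing the hostname against an allowlist removes both classes at once.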

Description
Examples
Shopify Theme Install Open Redirect
Shopify Login Open Redirect
HackerOne Interstitial Redirect
Summary

Skills Learned:
1. What are open redirect vulnerabilities
2. How to identify them
3. How do they work

Chapter 11: Sub Domain Takeover : Medium : 15


Description:
This chapter focuses on subdomain takeover vulnerabilities. A subdomain takeover is considered a high-severity
issue: a DNS record for one of the target's subdomains (typically a CNAME) points at an external service or domain
that is no longer claimed, so somebody else (with bad intentions) can register it and gain control over the content
served on one or more of the target's (sub)domains.

Description
Examples
Ubiquiti Subdomain Takeover
Scanme Pointing to Zendesk
Swiping Facebook Official Access Tokens
Summary

Skills Learned:
1. How to find subdomain takeover vulnerabilities
2. Top subdomain takeover bug bounty reports
3. How to prevent subdomain takeover

Chapter 12: XML External Entity Vulnerability : Difficult : 20


Description:
This chapter is about XXE attacks. XML External Entity (XXE) injection abuses a widely available but rarely needed
feature of XML parsers: a document's DTD can declare entities whose content is fetched from a local file or a remote
URL. When an application parses attacker-supplied XML with that feature enabled, the attacker can read local files,
make the server issue requests to internal services (a form of Server-Side Request Forgery), or cause a denial of
service through recursive entity expansion.
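The DTD feature described above, as an added example that is not code from the book or from the Google, Facebook or Wikiloc reports it lists. It builds the two payload shapes a hunter submits (an external entity that reads a file, and an internal-entity expansion bomb), a triage function that classifies a sample, and a hardened entry point that refuses any document carrying a DTD before the parser sees it. The payloads and the `order` document format are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XXE payload of the classic file-read kind: the DTD declares an external entity
# and the document body references it, so a parser that resolves entities reads the file.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE order [\n"
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    "]>\n"
    "<order><item>&xxe;</item></order>"
)
# Expansion bomb ("billion laughs" shape, kept small): no external fetch at all, only nested
# internal entities that multiply on expansion, which is the denial-of-service variant.
BOMB_PAYLOAD = (
    '<!DOCTYPE lolz [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    "<lolz>&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;</lolz>"
)
BENIGN_PAYLOAD = '<?xml version="1.0"?><order><item>widget</item></order>'

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# General or parameter (%) entity whose value comes from outside the document.
ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_dtd(document: bytes) -> str:
    """Hunter's triage of a sample: 'external' (file/URL fetch), 'internal' (expansion only) or 'none'."""
    if ENTITY_RE.search(document):
        return "external"
    if DOCTYPE_RE.search(document):
        return "internal"
    return "none"


def parse_untrusted(document: bytes) -> ET.Element:
    """Hardened entry point: refuse any document carrying a DTD before it reaches the parser."""
    if DOCTYPE_RE.search(document):
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(document)


def accepts(document: bytes) -> bool:
    try:
        parse_untrusted(document)
        return True
    except ValueError:
        return False
```

Rejecting the whole DOCTYPE, rather than only `SYSTEM` entities, is deliberate: the expansion bomb needs no external reference, and parameter entities can pull an external DTD that in turn declares the dangerous ones. Where the parser's own configuration can be changed, disabling DTD processing there (for Python, the `defusedxml` package wraps the standard parsers with that default) is the primary fix and this gate is a second line.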
Description
Examples
Read Access to Google
Facebook XXE with Word
Wikiloc XXE
Summary



Skills Learned:
1. What is an XXE attack
2. How does it work
3. How to find XXE in BB programs

Chapter 13: Remote Code Execution : Difficult : 15


Description:
This chapter is about RCE vulnerabilities. Remote code execution is the ability of an attacker to run code of their
choosing on someone else's computing device, typically a server, over the network, no matter where that device is
geographically located. It is usually the most severe impact a bug hunter can demonstrate, and it often starts from a
less obvious flaw such as an image-processing library that executes fragments of an uploaded file.

Description
Examples
Polyvore ImageMagick
Summary

Skills Learned:
1. What is an RCE
2. How to find RCE vulnerabilities in BB programs

Chapter 14: Template Injection: Medium : 20


Description:
This chapter is mainly about template injection vulnerabilities. Template injection vulnerabilities arise when
applications that use a client-side or server-side template framework embed user input in the template itself rather
than passing it to the template as data, so that template syntax contained in the input is evaluated.
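The input-in-template versus input-as-data distinction, as an added example that is not code from the book or from the Uber and Rails reports it lists. Python's `str.format` stands in here for the Angular and ERB engines in those reports: it has the same root cause (user text concatenated into the template) and the same two-step hunt, a harmless expression to confirm evaluation and then a walk from a context object to something sensitive. The `Settings` class, `CONTEXT`, `SECRET_KEY` and the probe strings are constructed; the `__class__.__init__.__globals__` chain is the Python-specific gadget and has different equivalents in other engines.

```python
# Constructed "secret" living in this module's globals, standing in for a framework's settings.
SECRET_KEY = "c0nstructed-secret"


class Settings:
    """Any object reachable from the template context; its class's __init__ exposes the module globals."""

    def __init__(self, debug: bool = False):
        self.debug = debug


CONTEXT = {"settings": Settings()}

# Hunter's probe: valid template syntax that is evaluated only if the input reaches the template itself.
PROBE = "{settings.debug}"
# Escalation once the probe confirms evaluation: walk from a context object to the module globals.
PAYLOAD = "{settings.__class__.__init__.__globals__[SECRET_KEY]}"


def greet_vulnerable(name: str) -> str:
    """Vulnerable: user input becomes part of the template, so its braces are evaluated by str.format."""
    template = "Hello " + name + "!"
    return template.format(**CONTEXT)


def greet_hardened(name: str) -> str:
    """Hardened: the template is a constant and the input is a value, so braces in it stay literal."""
    template = "Hello {name}!"
    return template.format(name=name, **CONTEXT)


def looks_injectable(render) -> bool:
    """Hunter's check: does a harmless expression get evaluated rather than echoed back verbatim?"""
    return render(PROBE) != "Hello " + PROBE + "!"
```

The probe is the important part of the method: a page that renders `{settings.debug}` as `False` instead of echoing the braces has told you the input is being compiled, and the escalation payload then depends only on which engine is behind it (Jinja2, Twig, Freemarker and ERB each have their own documented object walks).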

Description
Examples
Uber Angular Template Injection
Uber Template Injection
Rails Dynamic Render
Summary

Skills Learned:
1. How to find Template injection in web application
2. What is client side and server side template injection
3. How to prevent it

Chapter 15: Server Side Request Forgery : Medium : 20


Description:
This chapter is about Server-Side Request Forgery (SSRF). In an SSRF attack, the attacker abuses functionality that
makes the server fetch a URL on the user's behalf, causing it to read or update internal resources the attacker could
not reach directly, such as services bound to localhost or the cloud provider's instance metadata endpoint.
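A fetch-URL validator that blocks the internal targets named above, as an added example that is not code from the book or from the ESEA report it cites. DNS is replaced by a constructed lookup table (`FAKE_DNS`) so the block runs offline; the second entry models an attacker-controlled hostname that resolves to the metadata address, which is how an allowlist of hostnames alone gets bypassed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS so the example runs offline. The second entry
# models an attacker-controlled name that resolves to the cloud instance metadata address.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.attacker.example": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses; everything internal or special is rejected."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def resolve(host: str, resolver=FAKE_DNS):
    return resolver.get(host.lower(), [])


def validate_fetch_url(url: str, resolver=FAKE_DNS):
    """Return (allowed, reason) for a URL the server has been asked to fetch on a user's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal (brackets already stripped for IPv6)
    except ValueError:
        addresses = resolve(host, resolver)  # hostname: judge every address it resolves to
        if not addresses:
            # also catches decimal/hex spellings such as 2130706433 or 0x7f000001: fail closed
            return False, f"{host!r} does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    return True, f"fetch {parts.scheme}://{host} via {addresses[0]}"
```

Two things this check cannot do on its own and that the fetcher must add: re-run it on every redirect hop (a public host that 302s to `169.254.169.254` is the standard bypass), and connect to the address that was validated rather than resolving the name a second time, which is what defeats DNS rebinding. On AWS, requiring IMDSv2's session token removes the metadata target from a plain GET-based SSRF entirely.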

Description
Examples
ESEA SSRF and Querying AWS Metadata
Summary



Part 3- Research Methodologies

Chapter 16: Top Bug Bounty Hunting tools : Medium : 35


Description:
This chapter teaches the reader how to use some of the top tools used in bug bounty hunting, and how to judge
which tool to reach for at each stage of an engagement.

Burp Suite
Knockpy
HostileSubBruteforcer
sqlmap
Nmap
What CMS
Nikto
Recon-ng
idb
Wireshark
Google Dorks
JD-GUI
Mobile Security Framework
Firefox Plugins
Cookie Manager+
Wappalyzer

Skills Learned:
1. What tools to use
2. How to use the tools
3. Where to use them

Chapter 17: Top Learning resources : Medium : 25

Description:
In this chapter, the reader learns about the learning resources that most top bug bounty hunters use to stay on top
of their game, and how to use these online platforms to keep learning.

Online Training
Web Application Exploits and Defenses
The Exploit Database
Udacity
Bug Bounty Platforms
HackerOne.com
Bugcrowd.com
Synack.com
Cobalt.io
Video Tutorials
youtube.com/yaworsk
Seccasts.com
Further Reading
OWASP.com
HackerOne.com/hacktivity
Twitter #infosec
Twitter @disclosedh1
Web Application Hackers Handbook
Bug Hunters Methodology
Recommended Blog
philippeharewood.com
Philippe's Facebook Page - www.facebook.com/phwd
fin1te.net
shahmeeramir.com
NahamSec.com
blog.it-securityguard.com
blog.innerht.ml
blog.orange.tw
Portswigger Blog
Nvisium Blog
blog.zsec.uk
Bug Crowd Blog
HackerOne Blog

Skills learned:
1. Top online learning blogs
2. Learning methodologies
3. Top techniques used by bug hunters

Author Bio
Shahmeer Amir, ranked the 3rd most accomplished bug hunter worldwide, has helped more than 400 organizations,
including Facebook, Microsoft, Yahoo and Twitter, resolve critical security issues in their systems. Following his vision
of a safer internet, Shahmeer Amir is the Founder and CEO of Pakistan's cyber security startup Veiliux, which aims to
secure all kinds of organizations. Shahmeer also holds relevant certifications in the field of cyber security from
renowned organizations such as EC-Council, Mile2 and eLearnSecurity. By profession, Shahmeer is an electrical
engineer working on different IoT products to make people's lives easier.

