Some “tips” on bug hunting
Nov 14, 2022
Hey guys, it's me, Uday, and today in this story [this is a living story on bug hunting and you'll see updates in the future; comments appreciated; and remember, nothing here is written by me, I've collected it from any medium possible] we are going to discuss some ways to hunt bugs.
If a website has a feature like invite someone, referral, or send something to …, then sometimes, as in Uber, when you enter someone's referral code Uber returns that user's username and profile picture, and that is an information disclosure bug [fixed now].
- Check the login process
- Do they allow signup with email, Google, etc.?
- Do they allow you to sign up with the same company email?
- What is the content-type of the signup/login page?
- When you enter valid credentials, which page are you redirected to, e.g. /dashboard?
- Do they use 2FA? What happens if you enter a wrong OTP code, and where are you redirected? What if you try to access the dashboard page directly?
- Check the rate limit on the 2FA code feature
- What if you send the 2FA request with the DELETE method?
- Send a blind XSS payload in the signup page User-Agent header
- What are the roles?
- Capture all requests as admin, then send each admin endpoint as a low-privilege user
- Any file upload feature? Check for stored XSS or RCE
- List all the API endpoints in a file and try to hit them with different parameters
- Read the docs and understand what is not allowed > try to bypass it
- Check the JS files
- Find all endpoints > check if there is any hidden API endpoint > it can help you find IDOR
- Check for DOM-based XSS
- Check for reflected XSS / template injection
- Check the reset password page for Host header injection
- Understand how the reset password token is generated
- Check waybackurls to find old endpoints
- Check CSRF on all endpoints
- Check for key/token leaks in JS files
- Check if JSONP is allowed > leak user data
- Change content-type application/json to XML for XXE or stored XSS
- Check for reverse proxy-based attacks
- Check for payment bypass > change value > response manipulation, etc.
- Check the JWT token properly
- Check for cache poisoning
- Check for request smuggling
- Check for webhooks > SSRF
- Check CORS
- Check the access control list
- Check Cookie headers and find the origin of every cookie
- Try to steal the cookie
- Swap the request header across all the requests and see the responses
- Change the Origin header to something else and check the Access-Control-* response headers
- Check XSSI
- Check for mass assignment
- Fuzz API endpoints > check error response pages / stack traces > sometimes you will find leaks here
- Check low-profile features like unsubscribe email > try IDOR/CSRF
- Check for race conditions > if 10 API key/token generations are allowed, try for 20 using a race condition
- Check for captcha bypass
- If GraphQL is used > check for GraphQL-based attacks
- Check for AWS bugs
- Check if the Android app is in scope > try IDORs
- Check for open redirect
- Change false to true in the JSON request body > check if something changed, like getting access to a premium feature
- Check CRLF
- Check OAuth bypass
- Now if you don't know about a topic > Google > read > practice > find bugs 🙂
- Does the website have any 403 pages? If yes, try to bypass them
- Scan all endpoints using Nuclei, Dalfox
- Try all HTTP methods on all parameters and compare the responses using vimdiff
- Does the website work if you completely remove a cookie?
- Does the website work if you replace the first cookie with the second cookie?
- Does the website work if you replace a cookie with one from another user with a different privilege level?
- Can you access it without being logged in?
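As an added example (not from the original post or the sources it credits), here is a small Python module showing what the server side looks like when four of the checks above come back clean: OTP verification with attempt limiting (the 2FA rate-limit item), an exact-match CORS allow-list next to the reflecting version the Origin-header item hunts for, an allow-list of client-writable JSON fields (the mass-assignment and "change false to true" items), and a per-user API-key quota enforced atomically (the race-condition item). The origins, field names, limits and user ids are assumed values chosen for the example.

```python
"""Constructed example: server-side defences for four items on the list above
(OTP brute force, CORS origin reflection, mass assignment, the API-key race)."""
import hmac
import secrets
import threading
import time

# --- 2FA: limit OTP guesses (the policy values are assumptions) ---
MAX_OTP_ATTEMPTS = 5
OTP_LOCKOUT_SECONDS = 900


class OtpVerifier:
    """Counts failed guesses per user and locks the session after too many."""

    def __init__(self):
        self._sessions = {}  # user_id -> {"code", "attempts", "locked_until"}

    def issue(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code from a CSPRNG
        self._sessions[user_id] = {"code": code, "attempts": 0, "locked_until": 0.0}
        return code

    def verify(self, user_id, submitted, now=None):
        now = time.monotonic() if now is None else now
        s = self._sessions.get(user_id)
        if s is None:
            return "no_session"
        if s["locked_until"]:
            if now < s["locked_until"]:
                return "locked"
            s["attempts"], s["locked_until"] = 0, 0.0  # lockout expired, start over
        if submitted.isascii() and hmac.compare_digest(s["code"], submitted):
            del self._sessions[user_id]  # a code is accepted once, then discarded
            return "ok"
        s["attempts"] += 1
        if s["attempts"] >= MAX_OTP_ATTEMPTS:
            s["locked_until"] = now + OTP_LOCKOUT_SECONDS
            return "locked"
        return "wrong"


# --- CORS: exact-match allow-list instead of echoing the Origin header ---
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed


def cors_headers_reflecting(origin):
    """Weak pattern: every Origin is echoed back with credentials allowed."""
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin):
    """Hardened form: unknown origins get no CORS headers at all. Exact matching
    also rejects look-alikes such as https://app.example.com.evil.example."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    return {}


# --- Mass assignment: copy only allow-listed fields from the JSON body ---
PROFILE_WRITABLE = {"display_name", "email", "avatar_url"}  # assumed schema


def apply_profile_update(profile, body):
    """Flags like is_premium or role are never client-writable; returns the dropped keys."""
    rejected = sorted(k for k in body if k not in PROFILE_WRITABLE)
    for k in set(body) & PROFILE_WRITABLE:
        profile[k] = body[k]
    return rejected


# --- Race condition: check-and-insert under one lock (a DB constraint in production) ---
class ApiKeyStore:
    def __init__(self, limit):
        self.limit = limit
        self._keys = {}
        self._lock = threading.Lock()

    def create_key(self, user_id):
        with self._lock:  # without this, 20 parallel requests can all pass the check
            keys = self._keys.setdefault(user_id, [])
            if len(keys) >= self.limit:
                return None
            keys.append(secrets.token_urlsafe(24))
            return keys[-1]


def concurrent_create(store, user_id, n):
    """Fire n creation requests at the same instant; return how many succeeded."""
    results = []
    barrier = threading.Barrier(n)

    def worker():
        barrier.wait()
        results.append(store.create_key(user_id))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)
```

Calling `concurrent_create(ApiKeyStore(limit=10), "alice", 20)` returns 10 because the count and the insert happen under one lock; drop the `with self._lock:` line and the same call can return anything up to 20, which is exactly what the "try for 20" item on the list is probing for. The OTP verifier, the CORS allow-list and the field allow-list likewise turn the corresponding checklist items into "wrong", `{}` and a rejected-keys list respectively.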
More will be explained, updated and added in the future.
Thanks for reading, Happy bug hunting.
Credits Twitter — @_tabahi