Some “tips” on bug hunting

Uday Alawa
3 min read · Nov 14, 2022

Hey guys, it’s me Uday, and today in this story [this is a dynamic story of bug hunting and you’ll see updates in future; comments appreciated; and remember, everything here is not written by me, I’ve collected it from any medium possible] we are gonna discuss some ways to hunt bugs.

If any website has a feature like invite someone, referral, or send something to …, then sometimes, like in Uber, when you enter the referral code of someone, Uber returns the username and profile picture of that user, and that is an information disclosure bug [fixed now].

  1. Check the login process
     • Do they allow signup with email, Google, etc.?
     • Do they allow you to sign up with the same company email?
     • What is the content-type of the signup/login page?
     • When you enter valid credentials, which page are you redirected to (e.g. /dashboard)?
     • Do they use 2FA? What happens if you enter a wrong OTP code, and where are you redirected? What if you try to access the dashboard page directly?
     • Check the rate limit on the 2FA code feature
     • What if you send a 2FA request with the DELETE method?
     • Send a blind XSS payload in the signup page User-Agent
     • What are the roles?
     • Capture all requests as admin and now send each admin endpoint as a low-privilege user
  2. Any file upload feature? Check for stored XSS or RCE
  3. List all the API endpoints in a file and try to hit them with different parameters
  4. Read the docs and understand what things are not allowed > try to bypass it
  5. Check the JS files
     • Find all endpoints > check if there is any hidden API endpoint > can help you find IDOR
     • Check for DOM-based XSS
  6. Check for reflected XSS / template injection
  7. Check the reset password page for Host header injection
  8. Understand how the reset password token is generated
  9. Check waybackurls to find old endpoints
  10. Check CSRF on all endpoints
  11. Check for key/token leaks in JS files
  12. Check if JSONP is allowed > leak user data
  13. Change content-type application/json to XML for XXE or stored XSS
  14. Check for reverse proxy-based attacks
  15. Check for payment bypass > change value > response manipulation etc.
  16. Check the JWT token properly
  17. Check for cache poisoning
  18. Check for request smuggling
  19. Check for webhooks > SSRF
  20. Check CORS
     • Check for access control list
     • Check for Cookie headers and find the origin for every cookie
     • Try to steal the cookie
     • Swap the request header across all the requests and see the responses
     • Change the Origin header to something and check the Access-Control header in the response
  21. Check XSSI
  22. Check for mass assignment
  23. Fuzz API endpoints > check error response page/stack trace > sometimes you will find leaks here
  24. Check minor features like unsubscribe email > try IDOR/CSRF
  25. Check for race conditions > if 10 API key/token generations are allowed, try for 20 using a race condition
  26. Check for captcha bypass
  27. If GraphQL is used > check for GraphQL-based attacks
  28. Check for AWS bugs
  29. Check if the Android app is in scope > try IDORs
  30. Check for open redirect
  31. Change false to true in the JSON request body > check if something changed > like getting access to a premium feature or else
  32. Check CRLF
  33. Check OAuth bypass
  34. Now if you don’t know about the topic > Google > read > practice > find bug 🙂
  35. Does that website have any 403 page? If yes, then try to bypass it
  36. Scan all endpoints using Nuclei, Dalfox.
  37. Try all HTTP methods on all parameters and compare the responses using vimdiff
  38. Does that website work if you completely remove a cookie?
  39. Does that website work if you replace the first cookie with the second cookie?
  40. Does that website work if you replace a cookie with one from another user with a different privilege level?
  41. Can we access it without being logged in?
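To make two of the checklist items above concrete from the defender’s side, here is an added example that is not part of the original post and not code from any of the services mentioned. It uses plain Python with no web framework, and the users, endpoints and field names are constructed for the demo. The first half covers “change false to true in the JSON request body” and “check for mass assignment”: a handler that merges the client’s JSON straight into the stored record lets the client flip a server-owned flag such as `is_premium`, while the hardened handler copies only an explicit allowlist of fields. The second half covers “send each admin endpoint as a low-privilege user”: every endpoint declares the role it needs and the dispatcher enforces it on each request instead of relying on the UI to hide admin links.

```python
import copy
import json

# Constructed user store: the id -> record mapping a real app would keep in a DB.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com",
        "role": "user", "is_premium": False},
    2: {"id": 2, "name": "bob", "email": "bob@example.com",
        "role": "admin", "is_premium": True},
}

# Fields a user may change about their own profile (constructed allowlist).
# Everything else (id, role, is_premium, ...) is server-owned.
CLIENT_WRITABLE = frozenset({"name", "email"})


def vulnerable_update(user_id, body_json):
    """Vulnerable: trusts every key in the request body (mass assignment).

    A body like {"name": "x", "is_premium": true, "role": "admin"} silently
    promotes the caller, which is exactly what the false->true check finds."""
    record = copy.deepcopy(USERS[user_id])
    record.update(json.loads(body_json))
    return record


def hardened_update(user_id, body_json):
    """Hardened: copies only allowlisted string fields.

    Unknown keys are rejected rather than silently dropped, so the client gets
    a clear error and server-owned flags can never be set from the body."""
    payload = json.loads(body_json)
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected:
        raise ValueError("unexpected field(s): " + ", ".join(sorted(unexpected)))
    record = copy.deepcopy(USERS[user_id])
    for key in CLIENT_WRITABLE:
        if key in payload:
            if not isinstance(payload[key], str):
                raise ValueError("field %r must be a string" % key)
            record[key] = payload[key]
    return record


# Endpoint table (constructed): each entry states the minimum role required.
ROLE_RANK = {"user": 0, "admin": 1}

ENDPOINTS = {
    "GET /me": ("user", lambda caller_id: USERS[caller_id]),
    "GET /admin/users": ("admin", lambda caller_id: list(USERS.values())),
}


def dispatch(request_line, caller_id):
    """Returns (status, body). The role check runs server-side on every call,
    so replaying an admin request with a low-privilege session yields 403."""
    if request_line not in ENDPOINTS:
        return 404, None
    needed_role, handler = ENDPOINTS[request_line]
    caller_role = USERS[caller_id]["role"]
    if ROLE_RANK[caller_role] < ROLE_RANK[needed_role]:
        return 403, None
    return 200, handler(caller_id)


if __name__ == "__main__":
    body = json.dumps({"name": "alice2", "is_premium": True, "role": "admin"})
    print("vulnerable:", vulnerable_update(1, body))
    try:
        hardened_update(1, body)
    except ValueError as err:
        print("hardened rejected:", err)
    print("low-privilege user hits admin endpoint:", dispatch("GET /admin/users", 1))
    print("admin hits admin endpoint:", dispatch("GET /admin/users", 2)[0])
```

Two design points worth noting: the hardened handler iterates over the allowlist rather than over the payload, so adding a new server-owned field later cannot accidentally become client-writable, and the dispatcher keeps the role requirement next to the route so a reviewer can see at a glance which endpoints a “low user” must get a 403 from.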

More will be explained, updated and added in the future.

Thanks for reading, happy bug hunting.

Credits: Twitter — @_tabahi
