It's been a few months since I started bug bounty. I first started using automated scanners and understood it was useless. I'm doing everything manually and I'm mostly focused on business logic errors and violations of secure design principles, but every time I find something it's never "interesting" for them.

Example with my last report: a company sells its products only in kekistan, and on the frontend you can only register an address in kekistan. However, I managed to set a physical address outside of kekistan and order a product to this address. And you know what, it has been closed as N/A.

When I look at the leaderboard of yeswehack I just don't get how they manage to find 10 different types of vulnerabilities during the same day. I'm starting to think there's a privileged community of hunters who know things we don't know. Or maybe they're friends with the triagers, idk.
They could be saving up all the vulns from different time periods, then finally submitting them all in one day. Happens a bit in CTFs when submitting flags. One person will be at the bottom and then suddenly skyrocket to the top.
>>107703095
It's simple: find a general bug in a website framework, e.g. Shopify. Then you have two choices:
>notify the framework of the bug
VS
>notify 10 different businesses of a bug in their website
>>107703161
Could you please elaborate further?
>>107703243
Some frameworks perform input verification on the client side. For instance, when you enter a confirmation password, only the frontend will check password == confirmation_password. That way you can send a buggy POST form to the backend and it will accept it.
Now think about this for every form on a website: every input type needs to be checked by the backend, or you can simply input garbage data.
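Added example (not code from anyone in the thread): the backend-side check the post above says every form needs, covering both the password/confirmation case from this post and OP's country-restricted address from the first post. The form field names, the email field, the minimum password length and the single allowed country ("kekistan", taken from OP's example) are assumptions; the sample POST bodies are constructed. The point is that the server repeats every check the frontend makes, so a body crafted outside the browser is judged by the same rules as one the form produces.

```python
from urllib.parse import parse_qs

# Hypothetical registration form. Field names, the allowed-country set and the
# minimum password length are assumptions made for this example.
ALLOWED_COUNTRIES = {"kekistan"}
MIN_PASSWORD_LEN = 12


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into single values.

    A repeated key is rejected outright rather than silently taking the first
    or last value, so a hand-built body cannot carry two 'country' fields and
    rely on the validator and the order handler reading different ones.
    """
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = values[0]
    return fields


def validate_registration(fields: dict) -> list:
    """Server-side validation. Returns a list of error strings; empty means accept."""
    errors = []
    for required in ("email", "password", "password_confirmation", "country"):
        if not fields.get(required, "").strip():
            errors.append(f"{required}: missing")
    if errors:
        return errors
    # The frontend's password == confirmation check, repeated where it counts.
    if fields["password"] != fields["password_confirmation"]:
        errors.append("password_confirmation: does not match password")
    if len(fields["password"]) < MIN_PASSWORD_LEN:
        errors.append(f"password: shorter than {MIN_PASSWORD_LEN} characters")
    # The country restriction the UI enforces with a fixed dropdown; normalised
    # so "Kekistan" or " KEKISTAN " is still accepted.
    country = fields["country"].strip().lower()
    if country not in ALLOWED_COUNTRIES:
        errors.append("country: not served")
    return errors


def handle_registration_post(body: str) -> tuple:
    """What a backend route does: parse, validate, and only then act.

    Returns (http_status, errors). 201 with no errors means the account would
    be created; a real handler would do that work at the final return.
    """
    try:
        fields = parse_form_body(body)
    except ValueError as exc:
        return 400, [str(exc)]
    errors = validate_registration(fields)
    if errors:
        return 422, errors
    return 201, []


if __name__ == "__main__":
    # Constructed sample bodies: one as the browser form would send it, one as
    # a client that skipped the frontend checks could send it.
    normal = ("email=a%40example.com&password=correcthorsebattery"
              "&password_confirmation=correcthorsebattery&country=kekistan")
    crafted = ("email=a%40example.com&password=correcthorsebattery"
               "&password_confirmation=typo&country=elsewhere")
    print(handle_registration_post(normal))   # (201, [])
    print(handle_registration_post(crafted))  # (422, [...mismatch..., country: not served])
```

The validator deliberately returns every failing check rather than stopping at the first one, which makes the server's rejections easy to log and compare against what the frontend would have blocked; a gap between the two is exactly the kind of client-only validation the post describes.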
>>107703095
>I'm starting to think there's a privileged community of hunters who know things we don't know. Or maybe they're friends with the triagers, idk.
I have worked BB reports for a very, very large global cloud provider. There was one dude who took massive bounties every year, lots of them. It's a skill issue. There are just some people who are beast mode as fuck. This guy would regularly find issues several years old that nobody had ever noticed.
There was another guy who exclusively reported issues with a specific mobile app. He had Frida orchestrating it to such autistically uber-specific levels that he pwned it left and right: resetting other users' passwords, account hijacking, you name it. His orchestration layers were so complex we would spend weeks recreating it. But the dude killed it.
It's just dedication and aptitude. There's no other magic sauce.
>>107703095
Generally companies only care about actually impactful violations of security. "You can do something you're not supposed to" is not always necessarily impactful.

In your case, for example, the address validation to only kekistan is basically just a feature to make the website nicer to use: if you're outside kekistan the website will immediately reject your order and you don't have to waste your time or theirs. It's not a business-critical piece of logic; placing an order is just placing a request for their product, and if the company doesn't have the infrastructure and logistics set up to fulfil overseas orders, then they simply will not fulfil it, and your external order will be cancelled.

This wastes a bit of the customer's time, but if you had to manually craft a POST request or whatever for that, then it was clearly intentional and not something that affects real customers. It also wastes a bit of their time, but since you likely need real payment details to place an order, if you try to spam it they can blacklist you and complain to your bank. This is why this is a complete non-issue for the company.

What you need to find is stuff that will actually cause tangible disruptions or losses: leaking a secret, hijacking a login, accessing unauthorized data, genuine bugs in monetary logic that have legal repercussions (bear in mind most maliciously crafted orders on storefronts can likely just be cancelled, so that's not trivial), cross-site scripting, etc.
>>107703424
>He had Frida orchestrating it to such autistically uber-specific levels that he pwned it left and right, resetting other users' passwords, account hijacking, you name it.
Sounds like a pretty major skill issue on your part lmao
>>107703095
>there's a privileged community of hunters
Imo they just have years of experience and so have very specialized tools which they know how to use, and they can automate them to take full advantage of them. They may even have built their own tools, so of course running an automated scanner will not put you on their level.
>>107703424
Well, I guess there are people like that. So it's a big skill issue for me. I spend hours trying to bypass things, inject wrong data, modify requests until it looks suspicious... at what cost...
>>107703515
I don't use scanners; it's a waste of time, and companies aren't that dumb to launch a BBP without testing these scanners previously on their assets.