The secrets of automation-kings in bug bounty
For those looking to make big money in the world of bug bounty, finding 1day (or 1month) web exploits that haven't made their way into scanners yet can be the key to success. In this blog post, we'll explore where and how to get an edge in this area.
A competitive advantage in bug bounty is being able to write your own vulnerability checks. There are hundreds of commercial off-the-shelf (COTS) and open-source software (OSS) products with vulnerabilities that never end up in a vuln scanner, for various reasons: the software isn't a big name like Microsoft or JIRA, or the vendor and the reporter don't make any fanfare about the bug. Whatever the reason, you can profit by making your own checks! Making your own checks has never been easier with tools like Nuclei and Jaeles.
For Nuclei, you can create these templates using YAML and the Nuclei template guides here: https://nuclei.projectdiscovery.io/templating-guide/
@jtcsec has a video guide for those interested where he creates a custom CORS check.
For Jaeles by @j3ssiejjj, you can follow the documentation at: https://jaeles-project.github.io/signatures/examples/.
If you're unfamiliar with Jaeles, here's a quick demo:
I use Nuclei for a lot of misconfiguration-type checks and CVEs, and I use Jaeles more for custom web fuzzing.
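To make the Nuclei side concrete, here is a minimal template for the kind of CORS misconfiguration check mentioned above. It is an added example, not the template from the video or one from the nuclei-templates project; the id, author and probe origin are placeholders. It fires only when a host reflects an arbitrary Origin back in Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials to true, which is the combination that actually matters for a review.

```yaml
id: cors-reflected-origin-with-credentials

info:
  name: CORS reflects an arbitrary Origin with credentials allowed
  author: placeholder-author   # placeholder, not a real handle
  severity: medium
  description: >-
    Flags hosts that echo the supplied Origin header back in
    Access-Control-Allow-Origin while also sending
    Access-Control-Allow-Credentials: true.
  tags: cors,misconfig

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      # Constructed probe origin; any origin the target does not own works.
      Origin: "https://cors-probe.example"

    # Both matchers must hit: a reflected origin alone is often harmless,
    # and credentials=true without reflection is not exploitable cross-site.
    matchers-condition: and
    matchers:
      - type: word
        part: header
        case-insensitive: true
        words:
          - "Access-Control-Allow-Origin: https://cors-probe.example"

      - type: word
        part: header
        case-insensitive: true
        words:
          - "Access-Control-Allow-Credentials: true"
```

A response of `Access-Control-Allow-Origin: *` together with credentials is rejected by browsers, so the template deliberately requires the exact reflected origin rather than a wildcard. Run it against your own scope with `nuclei -t <this-file> -u <target>` and review each hit by hand before reporting.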
So now you know how to make a check... but how do you know what to make? Surprisingly, Twitter can be one of the best intelligence sources for this.
First, you'll need a separate Twitter account. Once you have that, head over to https://tweetdeck.twitter.com/! We're going to make our own CTI dashboard for bug bounty!
We're going to use Twitter live searches to find CVEs and exploits to make templates for our scanners.
In mine, I have a column in TweetDeck that represents a live search for each vulnerability type in existence.
For example, one of my columns is a live search for: "local file include" OR "path traversal" OR "directory traversal" OR "arbitrary file read".
Another is: "Broken Authentication" OR "Authentication Bypass" OR "account takeover" OR "Sensitive Data Exposure".
I have over 30 live searches running in TweetDeck to update me on new CVEs, vuln classes, and writeups, which I can then port into vulnerability checks!
Another source of vuln intelligence is parsing Bugcrowd's disclosures and HackerOne's hacktivity pages.
Read the writeups and if one seems like a good check or novel fuzz string, add it to your arsenal.
What's the UBER level of this?
I know two hunters who pay for subscriptions to threat intelligence feeds as an upfront cost. These feeds often have inside info on CVE endpoints that are not public yet, including proof-of-concept (PoC) fuzz strings. They make templates from them and profit. With a constant, automated scanning routine, you can build a monster bug bounty scanning machine!
You should also look into Axiom by @pry0cc as the glue that can scale an operation like this.
That's it for now, did I miss anything?