Beginner Bug Bounty Guide - Part 2

Takshil Patil
5 min read · Jan 22, 2022

Previous: Beginner Bug Bounty Guide - Part 1

Next : Beginner Bug Bounty Guide — Part 3

Note: These articles are my take (opinion) on “How to start Bug Bounty”, inspired by the security community. These details will be updated as and when I learn new insights. These articles are for ethical and educational purposes only.

The goal of using Burp Suite plugins is to avoid redundant manual checks and to make testing quick and easy, which saves a lot of time.

1. Helpful Burpsuite Plugins

You can always disable plugins that are not in use in the “Extender” tab.

Ref: https://trustfoundry.net/the-top-8-burp-suite-extensions-that-i-use-to-hack-web-sites/

  1. Logger++ : The standard “Logger” does not log all traffic. With Logger++ you can configure at a very granular level which sources are logged, a capture filter to log only specific traffic and a view filter to see only specific traffic. For complete documentation: In Burp Suite -> Logger++ (tab) -> Help (subtab) (Logger++ Documentation)
  2. Flow : Similar to Logger++; if you are comfortable with Logger++ then you don’t need it.
  3. Decoder Improved : You can create tabs, saves lots of my time.
  4. ActiveScan++ : Tests for vulnerabilities not covered by the built-in Burp audit scanner. Select all sites to scan from the site map, then choose “Actively scan the selected branches”.
  5. BurpBounty : Improves the active and passive Burp scanners.
  6. XSS Validator : Used to generate XSS payloads, which you can then feed to Burp Intruder as a payload list.
  7. Burp Sentinel : If you think Intruder testing takes time or is not that powerful, you can use Burp Sentinel and supply custom test cases and wordlists. It is designed for XSS and SQLi, so it is a good choice for testing those.
  8. Param Miner : Finds hidden, unlinked parameters; a very useful plugin, very helpful for Web Cache Poisoning attacks.
  9. HTTP Request Smuggler : Very useful and regularly updated tool for HTTP Request Smuggling.
  10. Collaborator Everywhere : Automatically injects Burp Collaborator URLs into different input points and parameters. Very useful, but use cautiously.
  11. JSON Web Tokens : Helps in analyzing JWTs (related to API testing).
  12. RetireJS : Looks for out-of-date JavaScript libraries.
  13. Upload Scanner : Tests file upload functionality for vulnerabilities.
  14. JS Link Finder : Passively scans all JavaScript files for links.
  15. GoldenNuggets : Extracts useful information from the Burp Suite crawl.

Burpsuite Plugins to test for Authorization Vulnerabilities

  1. Autorize : Helps find authorization-related vulnerabilities.
  2. AutoRepeater : AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
  3. Auth Analyzer : Automated authorization vulnerability plugin. You need to log in as a user first and then run this plugin.

Documentation

  1. Copy Request and Response : (optional) May be helpful for documentation.
  2. Site Map Extractor : Extracts information from the site map; it can extract all links and fetch all requests and responses into a text file.

Not Yet Used

  • Cloud Storage Tester : Checks cloud containers (AWS buckets, Google Storage buckets) for common misconfiguration issues.
  • Reflection : Checks whether user input sent as a parameter during testing is reflected in the response.
  • Additional CORS Checks : Tests for CORS vulnerabilities not covered by the built-in Burp audit scanner.
  • Scope Monitor
  • Turbo Intruder : For session management, macros and automation.
  • Burp Customizer : Themes for the Burp Suite GUI.

2. Setting up Burp for new bug bounty program

Make sure you read the program terms and constraints carefully; some important details are not in bold font or sit at the end of the page, so read everything.

2.1 Setting up Scope

Read the Bug Bounty Program terms for instructions on the value of this config. If you select advanced scope control you can use a regular expression for the host. Example,

.*.domain.com

Keep in mind that in a regex an unescaped dot matches any character, so the pattern above also matches hosts such as evildomain.com. Escaping the dots and anchoring the pattern, for example .*\.domain\.com$, keeps the scope to the program's domain and its subdomains and avoids scanning hosts that are outside the program.
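To see how much difference the escaping and anchoring make, here is a small added check (example code, not from the original post) that runs the pattern as written above and an escaped, anchored version over a constructed list of host names and reports which hosts each one pulls into scope. The exact way Burp applies the host regex is not assumed; the strict pattern carries its own anchors so its result is the same either way.

```python
import re

# Constructed host names as they might appear in the Burp site map
# (sample data, not from the original post).
SAMPLE_HOSTS = [
    "www.domain.com",
    "api.domain.com",
    "domain.com",
    "evildomain.com",
    "www.domain.com.attacker.example",
    "mydomainXcom.net",
]

# The pattern as written in the post: unescaped dots match any character.
LOOSE_PATTERN = r".*.domain.com"
# Escaped and anchored: the apex domain and any subdomain, nothing else.
STRICT_PATTERN = r"^(.*\.)?domain\.com$"


def in_scope(host, pattern):
    """Apply a host regex the pessimistic way (unanchored search); the strict
    pattern carries its own anchors, so its result does not depend on this."""
    return re.search(pattern, host) is not None


def overmatched(hosts, loose=LOOSE_PATTERN, strict=STRICT_PATTERN):
    """Hosts the loose pattern pulls into scope that the strict one rejects."""
    return [h for h in hosts if in_scope(h, loose) and not in_scope(h, strict)]


def undermatched(hosts, loose=LOOSE_PATTERN, strict=STRICT_PATTERN):
    """Hosts the strict pattern accepts that the loose one misses."""
    return [h for h in hosts if in_scope(h, strict) and not in_scope(h, loose)]


if __name__ == "__main__":
    print("out-of-scope hosts the loose pattern would scan:", overmatched(SAMPLE_HOSTS))
    print("in-scope hosts the loose pattern misses:", undermatched(SAMPLE_HOSTS))
```

Note that the loose pattern also misses the bare apex domain, because its first unescaped dot demands a character before "domain".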

2.2 Phase-wise scanning, compared to scanning everything at once

Phase wise scanning : https://www.whiteoaksecurity.com/blog/web-app-pentesting-burp-suite-scan-profile/

In all of the scan profiles, exclude the cookie parameter names for CSRF tokens, custom cookies and session close/killer cookies so that audit scans run smoothly:

Using Burp Suite, fetch all the cookies and classify them as essential cookies (those the application needs in order to work) and tracking cookies (used for analytics and tracking). You can directly ignore all tracking cookies and 3rd-party cookies (set by other websites).

You may not know all these cookies at the beginning. Start creating a list of “cookies to ignore” and “interesting cookies”.
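As an added illustration of that triage (example code, not from the original post), the script below takes Set-Cookie headers together with the host that set them, drops third-party and tracking cookies, and separates anti-CSRF and session cookies, which are the names to exclude as insertion points in the scan profiles, from the remaining "interesting" ones. The sample headers, the program domain and the tracking/CSRF name lists are constructed assumptions and should be extended per target.

```python
# Constructed Set-Cookie headers as they might appear in the Burp HTTP history,
# paired with the responding host (sample data, not from the original post).
CAPTURED = [
    ("app.domain.com", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("app.domain.com", "csrftoken=xyz789; Path=/; Secure; SameSite=Strict"),
    ("app.domain.com", "_ga=GA1.2.1234.5678; Path=/; Max-Age=63072000"),
    ("app.domain.com", "theme=dark; Path=/"),
    ("cdn.tracker.example", "uid=t-1; Path=/; Domain=.tracker.example"),
]

PROGRAM_DOMAIN = "domain.com"  # assumed in-scope domain
# Name prefixes of common analytics cookies (heuristic assumption; extend per target).
TRACKING_PREFIXES = ("_ga", "_gid", "_gat", "_fbp", "_hj", "__utm")
# Names that typically carry anti-CSRF tokens (assumption).
CSRF_NAMES = {"csrftoken", "xsrf-token", "_csrf", "__requestverificationtoken"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lower-case attribute names})."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    flags = {attr.split("=", 1)[0].lower() for attr in attrs if attr}
    return name.strip(), value.strip(), flags


def is_first_party(host):
    return host == PROGRAM_DOMAIN or host.endswith("." + PROGRAM_DOMAIN)


def classify(host, header):
    """'ignore' for third-party/tracking cookies, 'csrf' for anti-CSRF tokens,
    'session' for HttpOnly or session-named cookies, 'interesting' otherwise."""
    name, _, flags = parse_set_cookie(header)
    lname = name.lower()
    if not is_first_party(host) or lname.startswith(TRACKING_PREFIXES):
        return "ignore"
    if lname in CSRF_NAMES:
        return "csrf"
    if "httponly" in flags or "session" in lname:
        return "session"
    return "interesting"


def build_lists(captured):
    """Group cookie names by class; 'scan_exclusions' collects the csrf and
    session names to exclude from audit insertion points (and to handle via
    session rules instead), while 'ignore' can be dropped from further testing."""
    groups = {"ignore": [], "csrf": [], "session": [], "interesting": []}
    for host, header in captured:
        groups[classify(host, header)].append(parse_set_cookie(header)[0])
    groups["scan_exclusions"] = groups["csrf"] + groups["session"]
    return groups
```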

2.3 Setting Resource Pool

Select the resource pool, i.e. the number of parallel connections:
1. Read the Bug Bounty Program terms for instructions on the value for this.
2. Safe: 5
3. Normal: 10

3. Burp Project Options vs User Options vs Global Config

Note: Custom resource pools you create are project specific.

3.1 Project Options

This config is used to fine-tune how Burp Suite handles tasks:

  • session handling, e.g. macro actions.
  • which Burp Collaborator server to use.
  • handling of different HTTP status codes, e.g. which redirections to follow and which not.
  • TLS negotiation.

The project configuration includes all settings defined in the “Project Options” tab.

3.2 User Options

This config is used to customize the user experience:

  • The “Connections” and “TLS” tabs are common to both User and Project Options, but if they clash, Project Options take precedence.
  • You can customize fonts, character set, font size etc.
  • Hotkeys config.
  • Automatic backup settings.
  • Temp directory (the location of the .burp file when you open Burp Suite in temporary mode).
  • TLS and client-side TLS.

3.3 Global Config

You do not need to back up this config. It applies to all projects for the particular installation of Burp Suite. (I think it is not exportable.)

  • Any plugins installed will be available for all projects.
  • Any new config in “Configuration Library” for audit and crawl scan will be available for all projects.

What's Next?

  • Working with HTTP/2 in Burp Suite.
  • Out-of-band data exfiltration using Burp Suite.
  • Working with WebSockets in Burp Suite.
  • Create your own private Burp Collaborator server (sometimes traffic containing the default Burp Collaborator domain is blocked by firewalls and WAFs).
  • Write custom Burp Suite extensions using the Burp Suite Extender APIs. Write a basic extension just to become familiar with how you can do automation inside Burp Suite. Complete YouTube video on how to build a Burp Suite extension. Hello World of Burp Suite Extender APIs.
