Beginner Bug Bounty Guide - Part 7

Previous : Beginner Bug Bounty Guide - Part 6

Note: These articles are my take (opinion) on “How to start Bug Bounty”, inspired by security community. These details will be updated as an when I learn new insights. These articles are for ethical and educational purposes only.

This article mainly focuses on need of Recon and Information Gathering. Why we need Recon. How much use can Recon be helpful in bug bounty and Questions that answered using Recon.

Bugs that we can find via Recon?

1. Sensitive endpoints

• API that are hidden/testing purpose, which leak sensitive data.
• Storage bucket with improper permissions having write, add, delete permission to public.
• Endpoints which gives log information. (this may require you to file/directory bruteforce).
• Development, Testing, UAT, QA, Staging, etc URLs. These environment are relatively less secure.
• Sensitive File exposure: Backup files, config files, file system accessible via URLs etc.

2. Hidden Unpatched application and Services

• Companies generally patch the critical assets quickly as compared to non-critical, and would sometime may result in a publicly access service unpatched.
• Running a simple vulnerability scan like nuclei, nikto, burp, we can identify low hanging bugs, which may give up high bounty.

3. Internal Documenations

• useful documentation, API documentation (like simply search the complete document for command, os, run, execute, etc keywords).

4. Find bigger attack surface.

5. Internal administrator console and portals.

• You may find router, switch, etc console.
• The user may set trivial username and password, like admin:pass