Bug Bounty Lesson:
Don’t treat a target as pages.
Treat it as a collection of flows.
Login → reset password → change email → delete account.
Each step has params. Each param is a chance for bugs.
Flows reveal more than single endpoints.
If you're working 2–4 hours daily on bug bounties, that's equivalent to working 8+ hours at a regular job. I mean, let’s be honest.We don’t really work nonstop at our jobs, do we? Bug bounty hunting is serious work, not just some time-pass.
#bugbountytips#bugbounty
Found an interesting bug a while back and thought I’d share it here 👇
I came across an unused API endpoint inside a JavaScript file - `/api/users/<user_id>/activities/`. It wasn’t being called anywhere within the app, so naturally, I tried to hit it manually using my JWT from the web app.
The result? 403 Forbidden. No access.
Later that day, I downloaded the mobile app for the same target just to poke around for some other Issues. While logging in, I noticed something odd - the JWT generated by the mobile app was noticeably bigger than the one from the web.
As a next step I threw it into jwt[.]io for a quick look and to my surprise the token had way more scopes and permissions granted compared to the web version even though It was for the same account..
At this point I had a wild theory which I was pretty sure wouldn't work...
But as you can Imagine I went back to that `/api/users/<user_id>/activities/ endpoint, but this time used the mobile-generated JWT... and boom it worked. I had full access to PII data for other users.
The endpoint was probably gated by permissions that only mobile clients were issuing.
Moral of the story? Don’t just test with the web client. Always compare JWTs from different platforms - web, mobile, maybe even desktop. Misconfigured scopes or overly permissive mobile tokens can open up unimaginable possibilities.
Another article:
This is OAuth-related article, In the coming days, I'll be sharing more insights on OAuth security. Meanwhile, check out my first Oauth related article here:
https://t.co/AzUbGQ72Rk
#bugbountytips#OauthSecurity#BugBounty
I can see your pain (new bug hunters), I can see that it’s really hard to find bugs. I know some of you are working for years but didn’t succeed like the way you should be, I just want to let all of you know who are suffering, I am with you guys, I believe in you guys, I know no one believes in you, People call you a failure, Lets convert this pain into something big something worthy ❤️🩹.
7 components in your target that are commonly vulnerable to open URL redirects: 🤠
• Sign in & register pages
• Sign out endpoint
• Password resets (inspect the generated token link too as it may contain a redirect parameter)
• Profile account page
• Email verification links
• Error pages
• Any important action within the app that requires multiple steps
What an amazing write-up by @XHackerx007 So much to learn, especially the creative fuzzing technique, and taking it further, most of us stop after the first step. Brilliant.