
Security Researcher | Independent Penetration Tester | CTF Player | Good Vibes ✌️

Bug Hunting Methodology - Open Redirect

Open redirects abuse the trust users place in a domain: the site redirects them to another URL, potentially a malicious actor’s site. These can often be chained with other attacks like CSRF to increase the likelihood of a victim executing an unwanted action. Open redirects can also be used to steal sensitive login information like cookies.

Often, countermeasures involve alerting the user that they are about to leave the site.

  • Search for parameters related to redirecting the user like redirect_to
  • Search for parameters that include URLs

Bug Hunting Methodology - Rate Limiting

Rate limiting bugs can have decent impact in some scenarios:

  1. Resetting a user’s password with a guessable value could be brute forced.
  2. Attackers could use the server to spam particular users by sending a huge amount of requests, which could impact company reputation (email bombing).
  3. A user’s account could be brute forced online.

Bug Hunting Methodology - Recon

Recon is the very first thing that should happen when you sign up for a bug bounty program. The more attack surface you have (that is in scope, of course), the more likely you will reach uncharted territory where other bug hunters haven’t been or haven’t spent as much time, which increases the likelihood of you finding a bug. This will save you TONS of TIME!

Below is my methodology:

Bug Hunting Methodology - Roadmap

Where to Start?

  • Check out the Understanding the Organization section below
  • Want to learn more about a specific vulnerability? Go look for it!

Understanding the Organization

  • One must understand what the organization’s most valuable assets are. From here, the bug hunter can figure out which kind of vulnerabilities to prioritize. For example, an XSS on the Twitter feed would be devastating.
  • Understanding common patterns and mistakes made by an organization can point you in a direction for certain types of bugs to look for. Chances are, the mistake was a pattern and could be repeated throughout the infrastructure.

Dependency Monitoring

  • Monitor dependencies for web components and understand what they do. This is how a security researcher was able to find a deserialization vulnerability in Groovy. Since Jenkins depended on Groovy, which depended on XStream (the vulnerable component), Jenkins was suddenly vulnerable to remote code execution. This same concept can also be applied to ruby gems, pip, and node.js modules.
  • Reference

Finding Deserialization Bugs

  • Sometimes, code in the language of choice will deserialize interesting data structures like YAML or JSON.

Out of ideas?

Bug Hunting Methodology - XSS (Cross-Site Scripting)

You will normally encounter popular frameworks that have XSS countermeasures in place. You can try the following in an attempt to bypass them:

  • Search for reflected errors in the app. Sometimes error messages don’t escape HTML to the page.
    • Learn the technology stack the app is using -> search for functions that escape error messages.
    • Sometimes, you might need to bypass multiple technology stacks. For example, Django may not escape a message, but React might.

XSS in React.js (methodology could also apply to other front-end JS frameworks)

  • Search for data being rendered with ${JSON.stringify({data})}. JSON.stringify will turn any data you have into a string and render it on the page. This is common because the pattern was a code smell introduced in many redux applications that people then reused as boilerplate code.
  • Check for places where you can define attributes to HTML tags. For example, a tag with <a href="USER_DEFINED_INPUT"></a> can become <a href="javascript: alert('XSS')"></a>
  • Check for calls to dangerouslySetInnerHTML and eval().
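As an added example (not part of the original notes), two defensive counterparts to the sinks above: an HTML-safe serializer for the JSON.stringify state-hydration pattern, and an allow-list check for user-controlled href values. The base origin https://app.example and the hostile sample state are constructed for the demonstration.

```javascript
// Added example, not from the original notes: defending the two React XSS
// sinks described above (state serialised via JSON.stringify, and
// attacker-controlled href attributes).

// JSON.stringify does not escape '<', '>' or '&', so a value containing
// "</script>" closes the hydration <script> and the remainder is parsed as
// HTML. Replacing those characters with JSON \uXXXX escapes keeps the output
// valid JSON (JSON.parse round-trips it) while making it inert in a <script>.
function safeJsonForHtml(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // line terminators that are legal in
    .replace(/\u2029/g, '\\u2029');  // JSON but break JS source text
}

// The hydration snippet common in redux server-rendering boilerplate.
function hydrationScript(state) {
  return `<script>window.__PRELOADED_STATE__ = ${safeJsonForHtml(state)}</script>`;
}

// For href/src values: resolve the input the way a browser would, then
// allow-list the scheme. The WHATWG URL parser strips tabs/newlines and
// lower-cases the scheme, so "JAVASCRIPT:" and "\tjava\nscript:" are caught.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeHref(candidate, base = 'https://app.example') {  // base is assumed
  let url;
  try {
    url = new URL(candidate, base);  // relative paths resolve against base
  } catch {
    return false;                    // unparsable input is rejected
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Value safe to place in an href, or an inert '#' fallback.
function safeHref(candidate) {
  return isSafeHref(candidate) ? candidate : '#';
}

// Constructed hostile state resembling the break-out case described above.
const hostileState = { user: { name: '</script><script>alert("XSS")</script>' } };
const html = hydrationScript(hostileState);        // contains no literal "</script>"
const link = safeHref("javascript: alert('XSS')"); // becomes '#'
```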

HackTheBox - Shocker

Open Ports

sudo nmap -p80,2222 -sV -sC -oA nmap/full-tcp-version 10.10.10.56
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 16:49 EDT
Nmap scan report for 10.10.10.56
Host is up (0.031s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Vulnerability Discovery

Web services are normally a good place to search. Navigating to the web root reveals the following page: