Mortgage with Bug Bounties — Week 1

Daily log of security activity for people curious what bug bounty life is like.

1/29/2021
https://medium.com/csg-govtech/closing-the-loop-practical-attacks-and-defences-for-graphql-apis-138cb667aaff

1.5 hrs of going to old wells with no luck

1/30/21

1 hr of old well digging and found an xss
The xss was a result of HTTP parameter polluition to get by a filter
The filter would fix the first iteration, but the second would lay the payload

1/31/21

Found all the admin endpoints in a JS file and checked each of them to see if there was any access. Got some false positives because of a “User is not Amdin” error :)

1.5 hr with nothing

2/1/21

Looking for some idea of automation, looked like a good one to run thru

Found this set of snippits to test any found keys:
https://github.com/streaak/keyhacks

Invited to a H1C! The app is small and the scope is *
Found some creds to their FTP server using Google that one of their users felt the need to post online.
Also worked on some random programs, trying to find my feet again.

7 hrs of digging around to find
1. creds — triaged as a high, thanks google and lazy employee
2. an ‘informative’ MITM attack
3. Stored xss
4. 2 Stored CSRFs

Spent an hour working on a 403 detection script

2/2/21

Had a customer complaint at my job about a Google Maps key being public. I recall some people report this in bug bounty so I looked into it more. (Pretty lucky I stumbled across the keys KeyHacks link above just yesterday)

Read these and doubled checked their key to ensure all it well.

https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e

Watched this guy for the first time: https://www.youtube.com/watch?v=qrM5ZigH-PI&feature=youtu.be
He had some good facts about BApps that I didn’t know.

Did some passive Authorization testing on a target that takes some 15 mins to update sessions, so its a good app to test when working the day job.
1 hr of active interaction.

2/3/21

Work started being hectic, so I’ve failed to upkeep blog reading

.75 hrs responding to ticket questions

2/4/21
https://sunilyedla.medium.com/stealing-chat-session-id-with-cors-and-execute-csrf-attack-f9f7ea229db1

2 hrs of hunting for:
Business Logic
2 CSRF
IDOR

Week End Wrap Up

1% done with goal, need to up it if I want to make it.

Reformed Baptist Son Of A Shepard

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store