Bug Bounty / Digital Forensics / Hacking tips / Linux / Networking

Top Vulnerabilities for Bug Bounty Hunters

spyboy's avatarPosted by

Bug bounty hunting isn’t just about finding flaws—it’s about understanding what makes an application vulnerable. Every vulnerability on your target’s perimeter is a potential stepping stone to deeper exploitation. In this post, we cover the top common vulnerabilities, explain why they’re attractive to bug bounty hunters, and provide tactical advice on how to identify and validate them.

1. Insecure Direct Object Reference (IDOR)

Overview

IDOR occurs when an application exposes a reference to an internal object—such as a user profile, file, or order—without proper access control checks. When these object identifiers (often numeric or simple strings) are predictable or easily enumerable, attackers can alter them to access unauthorized data.

Why It Matters

  • Data Leakage: Attackers can access sensitive user data, invoices, or internal files without needing to bypass authentication.
  • Account Takeover: In some cases, manipulating object references may allow privilege escalation.

How to Spot It

  • URL Manipulation: Try changing the ID in URLs (e.g., /profile/123/profile/124) to see if you can access another user’s information.
  • API Testing: Use tools (like Burp Suite) to modify request parameters and verify whether the application enforces access controls.

Hunting Tips

  • Look for endpoints that include a numeric or simple string identifier.
  • Use automated scanners (with manual verification) to find parameters that are susceptible.
  • Cross-check the application’s responses for uniform errors; a missing authorization message may be a red flag.

2. Cross-Site Scripting (XSS)

Overview

XSS vulnerabilities let attackers inject client-side scripts into web pages viewed by other users. This can result in session hijacking, phishing, defacement, or redirection to malicious sites. XSS is usually categorized into:

  • Reflected XSS: Injected payloads that are immediately returned in the HTTP response.
  • Stored XSS: Payloads that are saved (in a database or file) and later served to users.
  • DOM-based XSS: Vulnerabilities located entirely in the client-side code.

Why It Matters

  • Session Hijacking: Steal cookies or session tokens.
  • Phishing: Redirect users to fake login pages.
  • Self-Propagating Scripts: Especially in stored XSS, attackers can affect many users at once.

How to Spot It

  • Inject Payloads: Try simple payloads such as <script>alert('XSS')</script> in input fields.
  • Review Reflections: Examine how user inputs are processed and echoed back in pages.
  • Inspect JavaScript: Look for dynamic DOM updates that use unsanitized data.

Hunting Tips

  • Leverage tools like Burp Suite or OWASP ZAP to automate injection attempts—but always validate the results manually.
  • Check comment sections, search fields, and any input that is rendered without proper encoding.
  • Review content security policies (CSP) to understand possible mitigation gaps.

3. Authentication Bypass / Weak Authentication Logic

Overview

Weak authentication mechanisms or flawed authentication logic can allow attackers to impersonate another user or even gain administrative access without proper credentials.

Why It Matters

  • Account Takeover: Attackers can bypass login flows and access sensitive accounts.
  • Privilege Escalation: Defects in password reset flows or token management can enable higher-level access.

How to Spot It

  • Logic Flaws: Test password reset flows, authentication endpoints, and multi-factor authentication (MFA) enforcement.
  • Missing Controls: Look for rate limiting on login attempts or weak password complexity requirements.
  • Parameter Manipulation: Alter parameters in authentication requests (e.g., changing password reset tokens) to see if bypass occurs.

Hunting Tips

  • Use manual testing to probe for logic errors. Automated tools might miss subtle flaws in reset flows or MFA bypass scenarios.
  • Validate if the system locks accounts after multiple failed attempts.
  • Research the target’s authentication implementation details from documentation or public code repositories.

4. Open Redirects

Overview

An open redirect occurs when an application accepts a user-controlled URL parameter and redirects the user to that URL without validating it. This can be exploited for phishing attacks or as a part of a multi-stage exploit chain.

Why It Matters

  • Phishing: Attackers can create seemingly legitimate links that send users to malicious sites.
  • Chaining Exploits: Often used with XSS or in bypassing secure flows to complete an attack chain.

How to Spot It

  • Test Redirection Parameters: Check endpoints using parameters like redirect, next, or url (e.g., /login?next=http://evil.com).
  • Manual URL Fuzzing: Manually substitute the parameter with external URLs and observe if redirection occurs.

Hunting Tips

  • Validate the destination after redirection. Proper implementations usually restrict target domains.
  • Report open redirects with suggested mitigations, such as using an allowlist for acceptable redirect URLs.

5. Exposed Sensitive Files

Overview

Often configuration files (such as .env, .git, or backup archives) are left accessible due to misconfigurations. These files frequently contain credentials, API keys, and other secrets.

Why It Matters

  • Credential Leakage: Exposes sensitive data that can be used to attack the application further.
  • Internal Structure Exposure: Offers insights into file structures, technologies in use, and internal configurations.

How to Spot It

  • Directory Enumeration: Use tools like gau, waybackurls, or even manual URL enumeration (/config.php, /backup.zip).
  • Review Robots.txt: Sometimes sensitive directories are mentioned here inadvertently.

Hunting Tips

  • Combine automated scanning with manual review to detect exposed files.
  • Cross-reference findings with public vulnerability databases to gauge impact.
  • Look for misconfigured access controls on file storage servers (e.g., S3 buckets).

6. Rate Limiting / Bruteforce Opportunities

Overview

Weak or absent rate limiting can allow attackers to perform brute-force attacks on login pages, password reset endpoints, or even API parameters.

Why It Matters

  • Credential Guessing: Lack of throttling can lead to unauthorized access through credential stuffing.
  • Resource Exhaustion: It may eventually cause denial of service in some systems.

How to Spot It

  • Automate Repeated Requests: Use tools or scripts to send multiple login attempts in rapid succession and check for throttling or account lockouts.
  • Review Response Codes: Look for repetitive “too many attempts” or similar indicators in HTTP headers.

Hunting Tips

  • Test various endpoints (login, password reset) for rate limiting.
  • Use Burp Suite’s Intruder with proper payload lists.
  • Note that even if an endpoint appears rate-limited, subtle differences (such as increased response times) might reveal weaknesses.

7. CORS Misconfigurations

Overview

Cross-Origin Resource Sharing (CORS) policies dictate which origins are allowed to access a resource via a browser. Misconfigurations, such as allowing wildcard (*) or unvalidated origins, can enable attackers to access sensitive endpoints from malicious sites.

Why It Matters

  • Unauthorized API Access: Attackers can bypass same-origin policies and access endpoints intended for internal use.
  • Data Exposure: May lead to unauthorized data exfiltration if confidential API responses are exposed.

How to Spot It

  • Inspect HTTP Headers: Check for the Access-Control-Allow-Origin header in responses.
  • Test with External Origins: Attempt API calls from different origins (via a proxy or custom tool) to see if the browser accepts responses.

Hunting Tips

  • Check for endpoints that return overly permissive CORS headers.
  • Suggest an allowlist approach where only specific domains are permitted.
  • Validate if sensitive actions or data retrieval endpoints are accessible cross-origin.

8. Host Header Injection

Overview

Host header injection can occur when an application uses the HTTP Host header to construct links, redirect requests, or enforce security policies without proper validation. Attackers can manipulate these headers to cause unintended behavior.

Why It Matters

  • Redirect Poisoning: Can lead to phishing by redirecting users to attacker-controlled pages.
  • Security Bypass: May affect password resets or link generation that rely on the Host header.

How to Spot It

  • Alter Host Header: Use tools like Burp Suite to modify the Host header and observe changes in application behavior or response content.
  • Review Application Logic: Identify if any dynamic URL generation depends solely on the Host header.

Hunting Tips

  • Document any changes that occur when you modify the header.
  • Report potential impact along with remediation advice (e.g., hardcoding the host value on the server).
  • Check for chaining opportunities with other vulnerabilities such as XSS or CSRF.

9. Improper Access Control (Role-based Authorization Flaws)

Overview

Improper access control occurs when an application fails to enforce privilege restrictions on users. Even if authentication is in place, low-privileged users might access admin or restricted functionalities.

Why It Matters

  • Privilege Escalation: Can lead directly to account takeover or administrative actions.
  • Data Exposure: Sensitive data might be accessible to all users if controls are too lax.

How to Spot It

  • Test with Different Accounts: Compare responses when logged in as a normal user versus an admin.
  • Alter Authorization Parameters: Modify role identifiers or resource IDs within requests to see if access controls are enforced.

Hunting Tips

  • Create multiple accounts with varying privileges to test endpoints.
  • Use manual testing to verify that each sensitive operation performs proper role checks.
  • Look for endpoints that simply rely on client-side validation for access control.

10. Subdomain Takeover

Overview

Subdomain takeover occurs when a subdomain points to an external service (like AWS S3, GitHub Pages, or Heroku) that has been deprovisioned. Attackers can claim the dangling resource and host malicious content.

Why It Matters

  • Brand Reputation: A compromised subdomain can damage trust and be used for phishing.
  • Attack Surface Expansion: It can serve as a launching pad for further exploits by impersonating the target.

How to Spot It

  • DNS Enumeration: Use tools like Amass, Subfinder, or custom scripts to enumerate subdomains.
  • Check Resource Existence: Validate whether each subdomain still resolves to an active service or if it shows error pages.
  • Automatic Scanning: Tools like Subjack or nuclei can help identify dangling subdomains.

Hunting Tips

  • Regularly scan the target domain for subdomain anomalies.
  • Report findings with recommendations for proper DNS configuration and removal of obsolete resources.
  • Highlight the potential for phishing or malware distribution if the takeover occurs.

Bonus: Additional Vulnerabilities and Tips

While the above ten vulnerabilities form a core checklist for bug bounty hunters, there are additional issues and techniques that can boost your impact:

a. HTTP Request Smuggling

  • Overview: Manipulating HTTP headers to trick the server into processing requests incorrectly.
  • Tip: Use manual manipulation of headers via Burp Suite; be mindful of different proxy behaviors.

b. CRLF Injection

  • Overview: Injecting carriage return (CR) and line feed (LF) characters into HTTP headers to split responses and inject malicious content.
  • Tip: Test for output vulnerabilities in error messages and redirection responses.

c. General Recon Tips

  • Emphasize Recon: “Recon is king” – you cannot hack what you don’t see. Leverage tools like Wayback Machine, gau, and public code repositories to map out hidden endpoints.
  • Tool-Assisted Intelligence: Use automated tools judiciously and always verify their findings manually.

Conclusion

Bug bounty hunting is as much an art as it is a science. Understanding the inner workings of vulnerabilities—from IDOR and XSS to subdomain takeover—empowers you to methodically approach each target with a clear checklist. Remember, high-quality reports that include detailed reproduction steps, clear impact assessments, and actionable remediation suggestions not only boost your credibility with bug bounty platforms but also ensure that your discoveries lead to safer web applications.

By mastering these top vulnerabilities and the bonus techniques, you set yourself on a path to earning big rewards while contributing to the overall security of the digital ecosystem.

Happy hunting, and remember: a meticulous approach to recon and testing is your greatest ally in this ever-evolving field!

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.