Pay more attention to details

By
An elite hacker, a normal hacker, a no-bug hacker hunt on a Survey feature on a website, the 1st one can notice 40 unique details about this feature, the second one notices 20, the 3rd one notices 8. Let assume 2 out of these 40 details are:
   - Survey Editor cannot see survey result when settingA is enabled.
   - When settingA is enabled, survey result will be sent to a redefined receiver list instead.
   - Survey Editor can add more people to the receiver list (via direct API call) after the survey start.
Combine these 3 details, the elite hacker just finds 1 logic bug.

The no-bug hacker cannot even imagine that there are 40 unique details in this Survey feature. He tests the the feature very fast, at a first glance, this feature seems simple and straight forward, looking through the API calls the feature makes, nothing seems out of place. He concludes this feature is hardened and move to the next feature until all features in the target program are tested. He looks at the program statistics:
   - 352 report resolved
   - $230,000+ bounty paid
   - Launched in Jul 2018
and says to himself, this program is very hardened, many people have hunted before me and found most of the bugs. That's why I can't find any. Let finds a less hardened program next time.

Attention to details also means dig deeper. We can't find water by digging 10 shallows holes. 1 deep hole is usually enough. Dig deeper is not the same as the "try harder" though. The "try harder" slogan brings people more stress and burnout rather than success. So what is the difference?. When we think of "dig deeper", we think of reaching a new depth, which shows progress, when we can't dig any deeper, we stop (put some effort into noticing more details, and stops when can't find more details, don't force). While "try harder" is blindly do something again and again with more force, which may or may not have progress.

Technical skill helps in gathering more details. It's a drill that helps us dig deeper. But we need to have a decision to dig a deep hole first.

Attention to details is also good for learning bug bounty. Because when we learn and do enough to reach a certain skill level. We stop improving, no matter how many hours we put into doing this skill. That is the reason why there are many novice hunters complain that they have been hunting for a year and can't find their first bug. Their hunts are shallow, they learn a methodology online and keep spamming it as is, without tailoring to their need. More over, when one method is not working, they soon grab a new "#bugbountytip" method on Twitter and repeat the process.

How to practice paying more attention to details?

- While reading bug bounty write-ups. Beside technical details, tries to notice other subtle things that even authors are not aware of.
- Read blog posts of top hunters, the amount of details they put in their posts are very high.
- While doing bug bounty, notice something you can improve and improve it.
- Look at something you see everyday and notice something do never notice about it.
- Look around your house, see something you can improve and improve it.
- Look around your house, see something you don't need anymore and throw it away.
- Just knowing the important of details is good already.

Comments

  1. Jean BolĂ­varMay 5, 2024 at 3:22 AM

    Hello! It's me again. One month after finding my first bug on a public program, an Open Redirect that was rejected by the security team, I discovered another bug six days ago after switching to a different program (I switch programs frequently after getting bored with them, usually every two weeks; I'm not sure if this is an issue). This time, it was a CORS misconfiguration that, combined with a session cookie having the SameSite=None attribute, allowed me to steal any user's API tokens (about three different tokens) scoped to various web applications under different subdomains, if they visited any website containing my payload. I hope it's not a duplicate, as it was a very easy bug to spot ._.

    If it's valid and well-paid, I may upgrade my old 2GB RAM, Intel Atom dual-core Windows 7 PC.

    ReplyDelete
    Replies
    1. trieulieuf9May 5, 2024 at 8:53 AM

      That's a good find, much better than the Open Redirect. I hope it get accepted. It seems you are heading in the right direction.

      Delete
  2. AnonymousJune 28, 2024 at 9:12 AM

    The amount of value you put into your blogs is enormous. I usually don't comment anywhere, but hats off to your work. I hope more people discover your content. Thankfully, I found you through Reddit, and your blogs really open my eyes every time. Keep up the good work!

    ReplyDelete
    Replies
    1. trieulieuf9July 2, 2024 at 8:30 AM

      Thank you very much for the encouraging words. I appreciate it very much.

      Delete

Post a Comment

Comments are very welcome. I read all comments!

Popular posts from this blog

Beginner Tutorial - How to learn the Technical Skill and Hacker Mindset That Are Required to Find Your First Bug Bounty.

By
In 2023, there are so many bug bounty resources for beginners, much more than before. I believe this is a bad thing for beginners, because now, they have to deal with so much unnecessary distractions just from choosing and sticking to a learning path alone. The over-abundance of free resources also fuels procrastination, we usually see people jumping from one learning path to another, without actually touch a real target. In this article, I will show you how much learning is enough. So you can get out of your learning rabbit holes and start hunting on a real target. By the way, this article aims to help you find bugs in IDOR, Information Disclosure, Business Logics, Broken Access Control. It may not help you to find injections bugs or misconfiguration bugs. Because I don't know how hunt them myself. # Technical Skill If you can solve Practitioner labs in PortSwigger with relatively ease, you have enough technical skill to hunt bugs: - https://portswigger.net/web-security/logic-flaw
Read more

The power of focus

By
A quote in the movie John Wick 1: John Wick is the main of focus, commitment and sheer will Out of all the good traits, the movie writer chooses only 3 traits to describe how bad ass John Wick is. That shows how powerful focus is. I believe he also gets his excellence skills thank to these 3 traits. Focus, commitment and sheer will are pretty similar to each others, they show that the man can stick to something for a long period of time, without switching goal, despite inconvenient challenges. If we apply this to bug bounty, it means, we make a goal, and stick to it, despite all self-doubts. For example, Losef is a beginner, who tries to find his first bug, he sets a goal to hunt on a program for 7 days. In day 1, he feels overwhelmed by how much details his target has. In day 2, he tests features one by one, but finds nothing, he feels down. In day 3, he feels that you have hit a steel wall, which he cannot even imagine how to get pass it. In day 4, he notices the program stats, which
Read more

How to succeed in bug bounty as a non-talented bug hunter

By
Image
When I started bug bounty hunting about 4 years ago. I looked up information about top bug bounty hunter and wondered how are they hunting bugs and grow their H1 reputation so fast. 1 year later, when I found my 1st, 10th, 20th bugs. I still had this question. Because although I had found some bugs, it took me a few days to find one. Recently, as I get more mature in bug bounty. I start to develop a deep understanding for a program. I see many attack surfaces that other people don't realize. When this program releases a new feature, I check if this feature can be abused to attack the attack surfaces A, B, C or D. Oftentimes, at least 1+ bugs are found. When I keep hunting on this program and discover a new attack surface, I check if any existing features can be abused to attack this attack surface. Oftentimes, at least 1+ bugs are found. When there is no new released feature and attack surfaces. I sometimes  wander the program, looking at already tested features and to my surprise.
Read more