Hi there!

What a year it’s been, right?! Let’s not mention the C word… it’s lockdown in 2 hours here in the UK. Yay. Although, I do hope you are all well & safe! We will get through this ❤ Carrying on. I announced at the start of the year that I would be releasing my methodology online and finally, as we approach the end of the year, it’s out!

Let me explain what’s been going on and what’s in store for the future!

Figuring it all out

I started designing the new BugBountyNotes platform last year after putting together a small plan; however, I was diverted from this plan after deciding to experiment with training companies. (A mistake on my part I later regretted.) I also started to doubt myself and felt like I wanted to ‘branch out’. I thought to myself that it’s all great teaching newcomers how to hack and get involved in bug bounties, but if companies on the receiving end aren’t “up to par” with reports/security overall, am I just setting them up for a bad experience? So I set about training companies how to hack themselves and reached out to various companies, and even had my proposal accepted. …

This is another bug that was right in front of everyone, because if you didn’t purposely look for it you’d never realise personal information was being ‘secretly’ leaked.

How does this feature work?

When testing on [redacted] I noticed this piece of text:

Checking this box allows us to share your address with the list creator to help them manage their thank you list. You can change your preference at any time.

It only mentions that your address will be shared and nothing else. This is where I begin writing notes, such as “Feature [xyz] — Address is shared, reflected on [redacted].com/example. Only visible to list creator, no-one else.” This way I know my goals and I can begin to understand how the developers think when implementing features such as this. As my testing continues I’ll keep adding to my notes to determine if any features are connected or if they share data, etc. …

Sometimes new features designed to generate revenue for a company can be rushed, and sometimes not enough thought has gone into how to securely implement the new feature into the main web app. What does that usually mean? Bugs! The bigger the company, the more products planned on the roadmap. The bigger the workload, the more mistakes are made.

How a new feature enabled me to bypass ID verification, very easily.

This is an interesting bug I found on a program which enabled me to bypass certain identification processes thanks to new features. The website in question required users to verify their ID in order to claim ownership of the company’s page, and honestly the process was pretty simple and straightforward. There wasn’t much to it, and from my first tests it seemed pretty secure. There was nothing interesting when uploading my ID and I simply couldn’t find a way to achieve admin rights over a company. …

Do any of you use Intruder when checking out subdomains? For me personally I use a tool called “XAMPP”, which lets me run PHP locally, combined with Intruder. From there I create a simple redirect script inside index.php: `<?php $url = $_GET['url']; header("Location: " . $url); ?>`. Next I modify my /etc/hosts file and add “127.0.0.1 anydomain.com”, and now any time I visit http://anydomain.com/?url=https://www.google.com/ it will redirect to google.com. Perfect.

So where does Intruder come into this, or rather, why? Well, the beauty of Burp Suite is that you can easily see the Response, and that’s exactly what I’m interested in. I love to see what’s in front of me and understand the code and the flow. I will manually scroll through results to check for anything interesting on the first page: does it make use of much JS, what is referenced, how many redirects occurred, etc. (yes it can be tedious, but hey, I’m motivated, interested & curious. …

This post is going to outline how I simply applied my methodology and managed to find multiple vulnerabilities leaking airline passenger information on a YesWeHack bug bounty program. My experience on YesWeHack has been extremely good, as the companies engage & communicate with you on reports to understand the issue in a very timely manner. I feel like the companies I dealt with on YesWeHack treated me with full respect, and honestly I recommend you check out their platform. I just wish there were more programs! :D

For these findings I spent approximately 15 hours at most over 3 days. I used zero recon tools and only targeted their main web application. I was shocked at how easily I found these bugs, and to this day I still think about other airlines which DO NOT welcome hackers and whether they are vulnerable in similar areas. If you work for an airline, please reach out and maybe I can help you! @zseano (or perhaps contact YesWeHack & invite me? …

Hi there!

I sadly bring you some news, and that is that after a lot of thought I have decided to shut down BugBountyNotes. The good news is I plan on recreating something, and the majority of content on BBN will still be available on my new platform, but one important change will be the fact I am opening up more of my time to focus on training companies and introducing them to the world of hackers.

Yes, that’s right, I am now going to be working more closely with companies to teach them how working with hackers is beneficial. Not only the results we produce but the knowledge we possess. If you are a British company who is interested in meeting with a hacker and learning how we are hacking you and how hackers can help, please reach out. Also keep your eyes peeled for an event coming in the near future where you will be able to meet me and learn how hackers can help you. …

I’ve secured a venue, I’ve created the content and now I’m waiting to bring hackers together for the first ever “So you wanna bughunt” training event hosted by me, zseano, located in Cambridge (United Kingdom). I started mentoring via YouTube only a few months ago, but I’ve been training people on a 1 to 1 basis for years, just as a friend, not an official ‘teacher’. Now I want to take my mentoring to the next level and bring hackers together in the same room, much like a live hacking event, except instead of earning we’re learning.

If you have had the privilege of attending a live event then you will know the atmosphere and vibe is out of this world. So many hacker thoughts flowing at once, it really is amazing to see. And so my “training course meets live event” idea was born: So you wanna bughunt? …

Firstly, thank you to everyone who participated in my very first live hands-on mentoring. I was a bit unsure how it would go and if people would understand the goal, but overall the day was a success and I plan on hosting the next live mentoring session on 21st July 2019 at 2pm BST, so mark your calendars and hopefully see you there? :)

A huge thank you to those who donated during my mentoring session. I would like to invite all 4 of you to a private mentoring session one week before on 14th July 2019.

Despite the fact I’ve complained that bug bounties have some problems, no other job out there enables you to sit in the comfort of your own home legally hacking websites in return for money, and sometimes big money. Money is a massive factor in why people do bug bounties and it’s why many started them in the first place; however, sadly a lot of people will end up spending hours finding nothing.

So, in this post I intend to give you some personal tips & advice on how to be successful in bug bounties and turn your time into bugs.

Firstly, be warned: bug bounties are a risk as to when you will get paid, whether you dupe someone, etc. Without risk there is no reward, and before you start doing bug bounties you need to learn this. The industry is still growing and expanding. I cannot express enough that to be a successful hacker you have to find what works for you. Yes, some payloads are “do this, do that”, but when really digging into an application and doing recon, etc., working out your own strategy will help you massively in being successful. Take a mental note of this! …

This is only going to be a short post explaining the details of a vulnerability I found which I believe many researchers overlooked when testing the login flow of one program. This bug may affect other sites using an OpenID login flow, so I would recommend testing :) (It is best if they have misconfigured their redirectURL to allow for *.theirdomain.com/*, as your scope for finding an open URL redirect will be greater.)

The Login flow

So, on with the bug. When logging into redacted.com it used an OpenID system which works exactly the same as an OAuth login flow, in which it takes a redirectURL and will redirect to that URL upon a successful login. …

About

Sean (zseano)

UK WebApp Security Researcher. Creator of BugBountyHunter, designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com