CyberScape Africa Magazine_Issue 1

Page 13

BUG BOUNTY HUNTING

In this article, I shall focus on one of the ways you can find bugs - a question that I get asked ever so often by people who want to join bug bounty hunting. We shall be guided by OWASP Top 10-2017 A9 - Using Components with Known Vulnerabilities (https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities).

Most of the work is done during recon, and this is probably the most important step. I like using Shodan, Google dorks and ZoomEye to narrow down to assets of interest. Be on the lookout for advisories, especially for the most commonly used software; in this article I shall show redacted demos of bugs that I have got bounty for by using OWASP Top 10-2017 A9.

Examples:

1. Vulnerable Jenkins without authentication. Recon: I used Shodan to search for Jenkins instances and narrowed down the assets that had a bug bounty program (it is important to stick to programs that allow for vulnerability disclosure, otherwise it is criminal).

https://www.shodan.io/search?query=x-jenkins+200

From this, I got a couple that had no authentication and, over and above saving several credentials in the code, they allowed me to install a terminal and could have executed code as a jenkins user or root. Full write-up is at https://the-infosec.com/.../from-shodan-to-remote-code-execution-1-hacking-jenkins/
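The same signal the author used (the X-Jenkins response header on an instance that answers an unauthenticated API request with 200) is what a defender should be checking across their own asset inventory before anyone else does. The following is an added example, not code from the article or its author: it triages captured HTTP responses from hosts you own and flags Jenkins instances that answer /api/json without credentials, or that advertise a core version below a review baseline (an A9 hygiene check). The host names and responses are constructed sample data, and MIN_REVIEWED_VERSION is a placeholder value, not taken from any advisory.

```python
"""Triage captured HTTP responses from an internal asset inventory for
exposed or outdated Jenkins instances (OWASP Top 10-2017 A9).

Added example, not from the magazine article. Sample responses are
constructed; the version baseline is a placeholder, not a real advisory.
"""
from dataclasses import dataclass, field
import re

# Placeholder baseline: any Jenkins core below this is flagged for review
# against the vendor's advisories. Assumed value, not from the article.
MIN_REVIEWED_VERSION = (2, 0, 0)


@dataclass
class Response:
    """One captured HTTP response from a host in your own inventory."""
    host: str
    path: str
    status: int
    headers: dict = field(default_factory=dict)


def jenkins_version(headers):
    """Return the X-Jenkins header as a (major, minor, patch) tuple,
    or None when the header is absent or unparseable."""
    raw = next((v for k, v in headers.items() if k.lower() == "x-jenkins"), None)
    if raw is None:
        return None
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(responses):
    """Classify each Jenkins host in the captured responses.

    'exposed'       - /api/json answered 200 to an unauthenticated request
    'auth-required' - the instance answered 401/403 (expected behaviour)
    'outdated'      - advertised version is below MIN_REVIEWED_VERSION
    Hosts without an X-Jenkins header are not Jenkins and are skipped.
    """
    findings = {}
    for r in responses:
        ver = jenkins_version(r.headers)
        if ver is None:
            continue
        flags = findings.setdefault(r.host, set())
        if r.path == "/api/json" and r.status == 200:
            flags.add("exposed")
        elif r.status in (401, 403):
            flags.add("auth-required")
        if ver < MIN_REVIEWED_VERSION:
            flags.add("outdated")
    return {host: sorted(flags) for host, flags in findings.items()}


# Constructed sample: two Jenkins hosts and one unrelated web server.
SAMPLE = [
    Response("ci-a.example.internal", "/api/json", 200, {"X-Jenkins": "2.3.1"}),
    Response("ci-b.example.internal", "/api/json", 403, {"X-Jenkins": "1.651.3"}),
    Response("web.example.internal", "/api/json", 200, {"Server": "nginx"}),
]

if __name__ == "__main__":
    for host, flags in triage(SAMPLE).items():
        print(f"{host}: {', '.join(flags)}")
```

In practice the `Response` objects would be built from a scan of your own CI hosts; the point of the triage is that an 'exposed' result is the condition the article describes (unauthenticated script console reachable), and 'outdated' is the A9 condition that an advisory search should be run against.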
