bug bounty hunting

SecurityTrails Blog · Apr 22 · by Gianni Perez

How to Boost Your Bug Bounty Hunting with SQL Explorer

Reading time: 6 minutes
Listen to this article

Despite a growing multiplicity of platforms, learning resources and community forums in recent times, the practice of bug bounty hunting remains a challenging undertaking for many.

The operating principles that include having an adequate scanning infrastructure, or learning the right combination of open source tools through rigorous trial and error in lieu of more proprietary approaches, constitute an important balancing act that requires careful planning and overseeing. Relaxing these requirements in a way that is amenable to finding true positives, at least when it comes to actionable security vulnerabilities, is always a possibility, but the trade-off space is somewhat complex and often not worth the risk given the elevated chances of generating poor results.

So, in the summer of 2020, when we introduced the SQL-like query language and its web interface SQL Explorer, customers and security practitioners alike instantly seized the opportunity to leverage this new tool by relying on the power of SQL syntax and predicates over structured data—a reasonable improvement in the eyes of those always seeking to eke out as much information about a target as possible.

In this blog post, we’ll review a handful of use cases using SQL Explorer as we highlight some of its compositional semantics and user interface features in light of a sample bug bounty hunting (BBH) or cybersecurity research exercise. As the examples unfold, we trust you’ll realize how powerful this method can be in helping you identify all those elusive, low-key artifacts in the blink of an eye, giving you that much-desired edge over your competitors.

Let’s take a look!

Boosting your bug bounty hunting with SQL Explorer

Let’s begin our tour of SQL Explorer by conducting passive recon in the form of an entry-level query against the flagship domain: americanexpress.com. A typical prime scenario entails mapping subdomains within a given apex in scope—in this case, we’ll attempt a vertical domain correlation ranked by popularity and limit the number of results to five for readability purposes.

SELECT
    domain.hostname
FROM
    hosts
WHERE
    domain.apex = 'americanexpress.com'
    AND domain.subdomain IS  NOT  NULL
ORDER  BY
    rank.open_page_rank
LIMIT
    5

Here’s the output:

SQL Explorer

Great, but not overly impressive—many popular information gathering tools can already accomplish these point-in-time lookups with relative ease. Bug bounty hunting is essentially a race against time and people; every minute and every second counts, so let’s take this example a little further and see if we can aggregate better data under a single pane of glass.

Find non-anycast associated IPs with open ports

For example, let’s modify our search to include any lesser-known hosts having non-anycast IP addresses associated with the domain in question, with an additional view on port 22 (SSH) being potentially exposed to the internet.

SELECT
    domain.hostname,
    ip.address,
    ip.detail.domain
FROM
    hosts
WHERE
    ip.detail.domain LIKE  'americanexpress.com'
    AND ip.meta.is_anycast IS  false
    AND ip.ports_real EQ 22
ORDER  BY
    rank.open_page_rank DESC

As you can see, hosts with open ports are instantly revealed:

Hosts with open ports

Alternatively, we’re also interested in the sort of granularity that allows bug bounty hunters to pour over a target, for days on end if necessary, to identify any inherent gaps and leverage specific vulnerabilities that others could have possibly missed. This is in stark contrast to the pentesting dictum that solicits a predetermined (and usually short-lived) amount of time before you start footprinting away.

Find endpoints running Jenkins

Using the same hosts table, let’s combine the power and agility of SQL Explorer to quickly list endpoints running Jenkins—a Java-based automation platform for continuous software integration and delivery with a rich plugin ecosystem—whose balkanized nature has resulted in many security vulnerabilities over the years ranging from cross-site scripting (XSS) possibilities to complete host takeover via privileged accounts.

Say, as a bug bounty hunter, you want to start testing Jenkins using a novel attack vector you’ve just crafted, and you’re interested in knowing whether targets of your choosing are vulnerable to such an attack.

Using SQL Explorer, you could approach the problem by querying HTTP header fields for the strings x-jenkins% and Jetty% using the http.headers.server property (Note: The % character is the equivalent of a wildcard operator).

SELECT
    domain.hostname,
    ip.address,
    http.headers.server
FROM
    hosts
WHERE
    http.headers.raw LIKE  'x-jenkins%'
    AND http.headers.server LIKE  'Jetty%'
    AND ip.address IS  NOT  NULL
order by
    rank.open_page_rank ASC

The output should look like:

querying HTTP header

Identify certificates that are invalid after a given date

Although many, if not all, popular bug bounty programs nowadays consider SSL certificate issues (e.g., expiration) an out-of-scope vulnerability for reward purposes, SSL certificate misconfigurations can still indicate that a particular site or host may be undergoing maintenance or simply suffering from a lack of proper oversight. SSL/TLS certificates, particularly those with weak or problematic cipher suites which haven’t been properly deprecated from frontend servers, can also be vulnerable to certain attacks given the right conditions.

SQL Explorer comes with a useful set of SSL reference properties to help bug bounty hunters determine certain certificate conditions such as domain ownership and issuing organization, hashes, signing attributions, as well as different validation dates.

For instance, using the ssl.not_after property, a short construct like the one below can help you identify certificates that are not valid after a given date—notice the ssl.not_after column pointing to the exact expiration date.

Identify non valid certificates

Find JARM signatures shared across multiple hosts

Last, but certainly not least, let’s take the case of JARM signatures and observe how SQL Explorer deals with this popular TLS fingerprinting mechanism, this time using a different table: ips. As you may know, JARM signatures can be used to quickly identify disparate infrastructure that share a common configuration, and even malicious endpoints hosting command and control (C2) servers and similar network threats.

As hinted, SQL Explorer leverages direct JARM signature references to extract the desired information. Here’s an example of such a query in the ips table context:

Ips table context

Once you’ve obtained the desired results, SQL Explorer allows you to save them in either JSON or CSV format for later consumption.

Summary

Bug bounty hunting is both art and science—in essence, it is all about the road less traveled. That means bug bounty hunters must be willing to forgo the type of vulnerability searching strategies that pentesters usually engage in favor of more novel approaches. Once again, the goal is to descend on a target in unsuspected ways, maximizing our impact over the affected platform if we want to meet with success.

See how SQL Explorer can help you even in your most ambitious intel-gathering projects. Get a fresh new outlook on actionable data with SurfaceBrowser™, our curated engine of all internet-facing assets.

Gianni Perez Blog Author
GIANNI PEREZ

Gianni is a technical writer at SecurityTrails and adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems - from administration and software dev, as well as automation, to provide valuable security insights that make a real difference.