
SecurityTrails Blog · Jul 13 · by Sara Jelen

#ProTips: Catching Bugs with Adrien Jeanneau


Despite the growing myriad of bug bounty platforms, accessible resources for beginners as well as those looking to further their skills and enhance their toolstacks, and the considerable strength of its online community, bug bounty hunting still remains a challenge for many. As we’ve said before, bug bounty hunting is both an art and a science—it’s about taking the road less traveled when it comes to vulnerability searching strategies.

Bug bounty hunting is a mix of luck, tools, feelings and mindset. And all of it is unique to each hunter. The best way to build your own bug hunting methodology is to learn from those already experienced in the game, and to see how they’re doing it. Maybe catch up on new techniques, clever and novel ways of looking at already overused tools, or simply seeing how they work.

This is why in this instalment of #ProTips, we are joined by Adrien Jeanneau, also known as Hisxo in the bug bounty realm. Adrien discovered the world of bug bounty hunting many years ago, reading write-ups and moving into a more pentester-oriented role. Finding bug bounty a great way to keep up with trends in infosec and get some additional training, Adrien submitted his first valid bug in 2017. Since then, he has been doing bug bounty almost every day after his work day.

After being a security auditor for about 5 years and hunting on the YesWeHack platform (in addition to HackerOne and Bugcrowd) for more than 3 years, Adrien finally joined the YesWeHack team in January 2021 to work with the community, providing tools, content, helping to organize live events, and much more.

Today, Adrien will share his favorite expert tips on how he stays successful in hunting bugs on most of the major bug bounty platforms.

ProTips

  1. Use dorks to find gems
  2. Hidden pages on Liferay CMS
  3. Hidden pages on Drupal CMS
  4. Adrien’s most starred Github projects
  5. Use Grep and your full Burp session
  6. Buy a product or premium plan
  7. Favorite web browser add-ons

ProTip 1: Use dorks to find gems

It’s not an exclusive or new technique, but it has worked many times for me (and still works), so there is no reason not to share it here.

Many online services are used by developers or teams to organise their work: pastebin, GitHub, GitLab, Trello, online IDEs… Whenever I hunt on a target with a large scope, I always check whether any developers have used these services for their company.

For this purpose, dorks are the ideal way to search for this data:

site:ideone.com | site:codebeautify.org | site:codeshare.io | site:codepen.io | site:repl.it | site:justpaste.it | site:pastebin.com | site:jsfiddle.net | site:trello.com | site:github.com "$TARGET"

$TARGET can be many things: an internal hostname used by your target (discovered on your subdomain recon), subdomain, company name, email address, etc.

Another dork that I love to use is to list hosted GitLab instances, which can contain sensitive data and are publicly readable. For example:

inurl:/blob/ "subdomain.com"

I also suggest trying these:

site:domain.com "iframe"
site:domain.com "test"
site:domain.com "demo"

With dorks, don’t hesitate to use filters like “-” to eliminate recurrent words/pages which always appear in your results, or “|”, which allows you to combine multiple filters like this:

site:domain.com -www ext:php | ext:html

ProTip 2: Hidden pages on Liferay CMS

Your target uses the Liferay CMS? That’s good news, and it might be your lucky day! Did you know that you can enumerate hidden pages?

The normal syntax on Liferay is domain.com/web/guest/my-page. I invite you to use Intruder in Burp Suite (or any tool that can enumerate) on web/guest/$ where $ is a number.

If you use Intruder, I also recommend this setup:

  • Define the payloads as indicated above
  • Click on the Options tab, go down to: Redirections > Follow redirects > Always
  • Start attack
  • Right click on one of the requests > Define extract grep from response & choose to extract strings between <title>Title of your page</title>

With this configuration, you should be able to directly list and see all pages of interest.

ProTip 3: Hidden pages on Drupal CMS

Just as on Liferay CMS, this tip is one that I rely on frequently whenever I’m facing a target that works with Drupal. When they’re up to date and have a limited number of plugins installed, finding a vulnerability with real impact can be difficult.

On Drupal, the web syntax for different pages is: domain.com/lang/this-is-a-secret-page but it can be hard to enumerate all pages because of their name.

Now, you have another way to search for them: fuzz with Intruder on /lang/node/$ where $ is a number (from 1 to 500, for example).

In some cases, you might find hidden pages which aren’t referenced by search engines.

Once you’ve listed all the pages that are possible using the Intruder tool, I strongly suggest that you sort through them to see which ones respond with 200 OK. Some of these might have a hidden form, development information, demo pages or even attachments.

Also check for requests that redirect to external sites (via the Location header), as this can sometimes lead you to an external domain that’s no longer active, thus putting you on the path of a subdomain takeover.

ProTip 4: Adrien’s most starred Github projects

ProTip 5: Use Grep and your full Burp session

Once I’ve browsed my target through Burp Suite, I have a little recon routine that has worked for me several times.

In the sitemap list: right-click on the target > Save selected items > uncheck the option “Base64-encode requests and responses” > give a name to the file > click on Save.

This will create a file (often large) containing all the files that Burp was able to identify and add to the sitemap during your browsing.

Then, Grep comes into play and can be a valuable friend.

For example, to list parameters (probably not the most beautiful regex but it works for me):

cat sessionsburp | grep -Eo "[A-Za-z_\-]{1,}=" | sort -u

Before creating your Burp session file, you can also filter the sitemap to save only “Content-Type: application/json” items.

Now you just need to use Grep to extract JSON parameters from requests and responses generated by your hunting recon. You’ll be able to use it on Intruder or with Burp Suite add-ons like Param Miner.
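As an added example (not from the original article and not Adrien's own tooling), the script below does in Python what ProTip 3 and ProTip 5 describe by hand: it reads a Burp Suite “Save selected items” export (with “Base64-encode requests and responses” unchecked), lists every parameter name found in URL query strings, form bodies and JSON bodies of both requests and responses, and triages each saved page by status code, <title> and any Location header that points outside the scope. The XML layout (item/url/request/status/response) and the four-item SAMPLE_EXPORT are assumptions constructed for this example, not a real capture.

```python
"""Triage a Burp 'Save selected items' XML export (base64 encoding switched off)."""
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed sample export: a Liferay page, a Drupal node that redirects
# off-scope, a JSON API call with a query parameter, and a login form.
SAMPLE_EXPORT = """<items>
<item><url><![CDATA[https://www.example.com/web/guest/12]]></url>
<request base64="false"><![CDATA[GET /web/guest/12 HTTP/1.1
Host: www.example.com

]]></request><status>200</status>
<response base64="false"><![CDATA[HTTP/1.1 200 OK
Content-Type: text/html

<html><head><title>Internal demo form</title></head><body></body></html>]]></response></item>
<item><url><![CDATA[https://www.example.com/en/node/42]]></url>
<request base64="false"><![CDATA[GET /en/node/42 HTTP/1.1
Host: www.example.com

]]></request><status>302</status>
<response base64="false"><![CDATA[HTTP/1.1 302 Found
Location: https://old-partner.example.net/landing

]]></response></item>
<item><url><![CDATA[https://www.example.com/api/v1/orders?debug=1]]></url>
<request base64="false"><![CDATA[POST /api/v1/orders?debug=1 HTTP/1.1
Host: www.example.com
Content-Type: application/json

{"order": {"id": 5, "coupon": "SPRING"}, "items": [{"sku": "A-1"}]}]]></request><status>200</status>
<response base64="false"><![CDATA[HTTP/1.1 200 OK
Content-Type: application/json

{"status": "ok", "trackingId": "TRK-1"}]]></response></item>
<item><url><![CDATA[https://www.example.com/login]]></url>
<request base64="false"><![CDATA[POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded

username=alice&password=secret&remember_me=1]]></request><status>200</status>
<response base64="false"><![CDATA[HTTP/1.1 200 OK
Content-Type: text/html

<html><head><title>Account</title></head></html>]]></response></item>
</items>"""

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def load_items(xml_text):
    """Return one dict per <item> with url, raw request, status and raw response."""
    root = ET.fromstring(xml_text)
    return [{
        "url": (node.findtext("url") or "").strip(),
        "request": node.findtext("request") or "",
        "status": int(node.findtext("status") or 0),
        "response": node.findtext("response") or "",
    } for node in root.iter("item")]


def split_http(message):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    parts = re.split(r"\r?\n\r?\n", message, maxsplit=1)
    lines = parts[0].splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers, (parts[1] if len(parts) > 1 else "")


def json_keys(obj, found):
    """Collect every key of a decoded JSON document, however deeply nested."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            found.add(key)
            json_keys(value, found)
    elif isinstance(obj, list):
        for value in obj:
            json_keys(value, found)


def param_names(items):
    """Unique parameter names from query strings, form bodies and JSON bodies."""
    found = set()
    for item in items:
        found.update(k for k, _ in parse_qsl(urlsplit(item["url"]).query, keep_blank_values=True))
        for message in (item["request"], item["response"]):
            _, headers, body = split_http(message)
            ctype = headers.get("content-type", "")
            if "json" in ctype:
                try:
                    json_keys(json.loads(body), found)
                except ValueError:
                    pass  # body advertised as JSON but not parseable; skip it
            elif "x-www-form-urlencoded" in ctype:
                found.update(k for k, _ in parse_qsl(body, keep_blank_values=True))
    return sorted(found)


def triage(items, scope_domain):
    """Status, page title and off-scope redirect target for every saved item."""
    rows = []
    for item in items:
        _, headers, body = split_http(item["response"])
        title = TITLE_RE.search(body)
        host = urlsplit(headers["location"]).hostname if "location" in headers else None
        in_scope = host is not None and (host == scope_domain or host.endswith("." + scope_domain))
        rows.append({"url": item["url"], "status": item["status"],
                     "title": title.group(1).strip() if title else None,
                     "external_redirect": None if (host is None or in_scope) else host})
    return rows


if __name__ == "__main__":
    saved = load_items(SAMPLE_EXPORT)
    print("parameters:", ", ".join(param_names(saved)))
    for row in triage(saved, "example.com"):
        print(row["status"], row["url"], row["title"], row["external_redirect"])
```

Run it against your own export by replacing SAMPLE_EXPORT with the file contents; the rows with status 200 are the pages worth reading, and a non-empty external_redirect is a dangling off-scope Location worth verifying (and, from the owning team's side, cleaning up) before anyone else notices it.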

ProTip 6: Buy a product or premium plan

Depending on your target, some online services include an option to buy products or subscribe to premium features/plans. Believe me, if you have the opportunity to do so, don’t miss out on the chance to make an order.

Keep track of all your requests, and go through the entire purchasing process. This will allow you to expand your playing field, therefore increasing your chances of finding a vulnerability on the scope.

ProTip 7: Best web browser add-ons

In the past year, I’ve installed two Firefox add-ons and they’ve definitely helped me with my hunting process. They’re simple, but browser extensions for bug bounty can save time and facilitate certain tasks.

  • Shodan: This extension simply allows you to integrate the Shodan tool into your browser. This way, when you browse sites belonging to the scope, you’ll know at a glance which open ports have already been scanned by Shodan.
  • Wappalyzer: I can’t say enough about this extension. Wappalyzer will give you details about how the website works with a relatively good precision and you will be able to orient your recon based on this information.



ProTips is an ongoing series where industry experts and researchers share their methodologies and cutting-edge tips on how you can sharpen your own cybersecurity skills. If you have suggestions on who you’d like to see featured in ProTips, or you think you’re the right person for this series, we look forward to hearing from you! Send us an email at sara@securitytrails.com.

Join Adrien and many other researchers and hunters in our SecurityTrails x Amass Recon Master Contest! From July 7 to September 6, users will be able to send results via Amass enumeration feature or our own API endpoint, get points based on subdomain/domain findings, climb to the top of the Leaderboard and win exciting prizes!

Are you ready to participate?

SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.