ctfnote.com
House of WrituepCryptoBook
Search…
/home/ret2basic
Pentest
Enumeration
Exploitation
Privilege Escalation (must read)
Active Directory (must read)
Pivoting
Password Cracking
Buffer Overflow
Report Writing
Web
OSWE Prerequisites
HTTP
Burp Suite
Information Gathering
OWASP Top 10
File Upload (must read)
SQL Injection (SQLi) (must read)
Cross-Site Scripting (XSS) (must read)
CSRF and SSRF
XML External Entities (XXE)
Insecure Deserialization
HTTP Request Smuggling
Other Attacks
Bug Bounty Report Writing
Crypto
Hash Functions
MAC
AES (must read)
Diffie-Hellman
RSA (must read)
ECC
Digital Signature
JWT (must read)
PRNG
SSL/TLS
Research (must read)
Computer Science
Python (must read)
The C Programming Language
Linux Command Line
Algorithms
The Linux Programming Interface
Computer Systems
Distributed Systems
Practical Packet Analysis
Static Analysis
Pwn
Linux Exploitation
Windows Exploitation
Fuzzing
Reverse
Python Bytecode
angr Template
Misc
Forensics
Steganography
Powered By GitBook
Bug Bounty Report Writing

Step 1: Craft a Descriptive Title

Wrong Example

"IDOR on a Critical Endpoint"

Correct Example

"IDOR on https://example.com/change_password Leads to Account Takeover for All Users"

Step 2: Provide a Clear Summary

Correct Example

The https://example.com/change_password endpoint takes two POST body parameters: user_id and new_password. A POST request to this endpoint would change the password of user user_id to new_password. This endpoint is not validating the user_id parameter, and as a result, any user can change anyone else's password by manipulating the user_id parameter.

Step 3: Include a Severity Assessment

Evaluate severity based on CVSS:
  • Low severity: open redirect only for phishing
  • Medium severity: CSRF on password change
  • High severity: open redirect for OAuth
  • Critical severity: SQL injection leading to RCE

Step 4: Give Clear Steps to Reproduce

Wrong Example

  1. 1.
    Log in to the site and visit https://example.com/change_password.
  2. 2.
    Click the Change Password button.
  3. 3.
    Intercept the request, and change the user_id parameter to another user's ID.

Correct Example

  1. 1.
    Make two accounts on example.com: account A and account B.
  2. 2.
    Log in to example.com as account A, and visit https://example.com/change_password.
  3. 3.
    Fill in the desired new password in the New Password field, located at the top left of the page.
  4. 4.
    Click the Change Password button located at the top right of the page.
  5. 5.
    Intercept the POST request to https://example.com/change_password** and change theuser_id` POST parameter to the user ID of account B.
  6. 6.
    You can now log in to account B by using the new password you've chose.

Step 5: Provide a Proof of Concept

Include a video, screenshots, or photos documenting your exploit. If there is a payload involved, include the payload as well.

Step 6: Describe the Impact and Attack Scenarios

Correct Example

Using this vulnerability, all that an attacker needs in order to change a user's password is their user_id. Since each user's public profile page lists the account's user_id, anyone can visit any user's profile, find out their user_id, and change their password. And because user_ids are simply sequential numbers, a hacker can even enumerate all the user_ids and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.

Step 7: Recommend Possible Mitigations

Correct Example

The application should validate the user's user_id parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.

Step 8: Validate the Report

Double check that everything is correct.

Tips

  • Don't assume anything
  • Be clear and concise
  • Write what you want to read
  • Be professional

Reference

Bug Bounty Bootcamp
nostarch
Bug Bounty Bootcamp - Vickie Li
Previous
LDAP Injection
Next - Crypto
Hash Functions
Last modified 5mo ago
Copy link
Contents
Step 1: Craft a Descriptive Title
Wrong Example
Correct Example
Step 2: Provide a Clear Summary
Correct Example
Step 3: Include a Severity Assessment
Step 4: Give Clear Steps to Reproduce
Wrong Example
Correct Example
Step 5: Provide a Proof of Concept
Step 6: Describe the Impact and Attack Scenarios
Correct Example
Step 7: Recommend Possible Mitigations
Correct Example
Step 8: Validate the Report
Tips
Reference