5 super important main-app testing tips for bug bounty hunters with STOK&Haddix

by Alannah

Five things to test on the main app. If you don’t test for these, you’re missing out!

TL;DR
1. Don’t just poke around on the outside of the app. There’s a lot of stuff on the inside.
2. Always look for IDORs and access control bugs: can you do the same thing as another user?
3. Test all the file uploads, not just the profile picture, test all of them! (Command injection)
BONUS: Check all the dynamic parameters that accept URLs or paths for SSRFs.
4. Create an epic wordlist and content-discover all the hidden paths; try to identify information disclosures. Find that juicy admin panel or forgotten backup.zip file.
5. Check for non-technical bugs: what does the customer care about? Can you leak some data?

Some links:
HTML5 Security Cheatsheet – A collection of HTML5 related XSS attack vectors
https://github.com/cure53/H5SC
https://html5sec.org/

ImageTragick
https://imagetragick.com/
https://www.softwaresecured.com/imagemagick-rce-take-2/

SSRF:
https://blog.detectify.com/2019/01/10/what-is-server-side-request-forgery-ssrf/

Go follow me on Instagram and Twitter:
https://www.instagram.com/stokfredrik/
https://twitter.com/stokfredrik

Go give Jason a follow on Twitter.
https://jasonhaddix.com/
https://twitter.com/jhaddix

All music from Epidemic Sound.
All gifs from Giphy
All your base are belong to us.
