Mobile bug bounty always seemed like an area that was presented as a niche or an opportunity in the bug bounty world. Yet, personally, I never really spent much time on it. One reason was that I assumed many bugs would require an app to be installed on the victim’s...
Case Studies
GraphQL Case Study – there’s so much more than IDORs!
If your GraphQL testing ends with introspection queries and basic ID swapping, you’re missing out on a lot of impactful bugs. GraphQL APIs can open doors to vulnerabilities ranging from SQL injections and CSRF attacks to subtle caching issues, tricky race conditions,...
XXE Case Study
XXE is a very curious bug class for me because I don’t find it often. When I say I don't find it often, I actually mean that the last time I came across one was during a pentest four years ago. So I wanted to figure out whether they’ve just become rare, or if I'm...
Bypassing admin checks and more – Privilege Escalation case study
Privilege escalation bugs were not something I used to pay a lot of attention to. Thus, I was amazed when, to prepare for the interview with Douglas Day, I spent a few hours just hunting for them and quickly, I found two of them on a program I've already been familiar...
Request smuggling case study – what more to do other than running existing tools?
HTTP request smuggling is a great vulnerability class. Over the years, we’ve seen many articles with great research and findings. But personally, I’ve never done more discovery than running HTTP Request Smuggler. I wanted to know how I can profit from that and what...
How to find CSRFs despite SameSite cookies? CSRF Case Study
I was very curious about the CSRF case study. It’s a bug class that had been very popular but then came the SameSite cookie attribute that’s a very effective measure against this bug class. There was only one way to find out if the SameSite attribute did kill CSRFs or...
RCE – where to look for them? RCE Case Study
This was definitely the hardest case study. Usually, I am able to reduce the number of different labels that I have quite well. But there's a huge variety of bugs that can result in command execution. It also shows how much we have to learn to be able to find those...
How to make money from DoS bugs? DoS case study
DoS bugs were very intriguing to me. On one hand, I thought they were usually out of scope for web programs anyway. On the other, I saw big, even 5-digit bounties being awarded for them. So I decided to do what I like to do - extract all DoS reports from the Internet...
Account takeover case study + checklist that will help you find them
I can now say that I do these case studies regularly. I extract all the reports of a particular bug class from the Internet and I study them. I thought no case study would surprise me anymore - a few 5-digit payouts from big companies followed by tens of reports from...
How to maximise payouts for file disclosure bugs? File disclosure case study
Path traversals may seem like an easy vulnerability class - read /etc/passwd, send a report, done. But it’s only scratching the surface. What about file writes? What files to read to prove the impact? How to turn it into RCE? To answer these questions, I went on the...