AMA with Imran Parray

  • What programming languages do you suggest for bug bounty hunters?

    • You can code in whatever language you want, but here are some of my favourites:

      • Python

      • Bash

      • Golang

  • Should I choose subdomain takeover as my first bug?

    • Start with anything easy. Don't start with bugs that are complex to find. IMO, why not IDOR?

    • I would say look for issues like CSRF, CORS, broken access control, open redirects, etc.

  • What are the methods to find admin panels and bypass them? If you find an HTTP request smuggling bug in a site, how do you escalate it?

    • Finding admin panels:

      • Google Dorks

      • Wayback URLs

      • Github Recon

      • Bruteforce [dir/dns]

    • Request smuggling can be escalated to many other issues like account takeover, token leakage, session hijacking and many more. It purely depends upon the context of the attack.

  • What's your methodology for small scope?

    • ๐”๐ง๐๐ž๐ซ๐ฌ๐ญ๐š๐ง๐ ๐ญ๐ก๐ž ๐ฉ๐ฎ๐ซ๐ฉ๐จ๐ฌ๐ž ๐จ๐Ÿ ๐€๐ฉ๐ฉ(๐ง๐จ๐ง ๐ญ๐ž๐œ๐ก๐ง๐ข๐œ๐š๐ฅ)

      • At this point the I will try to figure out what is the purpose of app, For example google forms is used for collecting responses and doing some basic surveys and pools etc.
    • ๐”๐ง๐๐ž๐ซ๐ฌ๐ญ๐š๐ง๐๐ข๐ง๐  ๐ญ๐ก๐ž ๐š๐ฉ๐ฉ(๐“๐ž๐œ๐ก๐ง๐ข๐œ๐š๐ฅ๐ฅ๐ฒ)

      • At this point I try to figure out how things work technically Example: what kind of info is being published about forms and Do the target app have access control model or any kind of technology like markdown.
    • ๐”๐ง๐๐ž๐ซ๐ฌ๐ญ๐š๐ง๐๐ข๐ง๐  ๐ก๐จ๐ฐ ๐ญ๐ก๐ž๐ฒ ๐๐จ ๐ข๐ญ

      • At this point I look into several feature separately and try to understand how they have implemented them, For example in google forms How does they make forms public and private and How does the export feature work etc.
    • ๐‚๐ซ๐ž๐š๐ญ๐ข๐ง๐  ๐€๐ฌ๐ฌ๐ฎ๐ฆ๐ฉ๐ญ๐ข๐จ๐ง๐ฌ

      • At this point I will create several assumptions about many things in the app, For example if the form is public can we still send a response via HTTP requests, Can we choose an out of range option in poll if yes what can go wrong.
    • ๐€๐ญ๐ญ๐š๐œ๐ค๐ข๐ง๐  ๐ญ๐ก๐ž ๐š๐ฉ๐ฉ

      • At this point I will use all of my assumptions that can create abnormal behavior in the app, For example Can we choose an out of range option in poll if yes can I distort the whole response data which is being already collected.

  • Q1. Favorite bug you found?

  • Q2. What bug took you time to execute/escalate?

  • Q3. Favourite tools and plugins?

  • Q4. If you are going to choose a program to hunt for rest of your life, what would be that?

  • Q5. What will be your message for your younger self starting his journey?

  • Q6. Proud purchase?

    1. Integration hijacking.

    2. HTTP request smuggling leads to account takeover.

    3. ffuf, nmap, Autorize, MadMethods, httpx, nuclei

    4. It's a private program.

    5. Be persistent. Learn to build things. Be a master of one thing.

    6. Recently bought a real estate property worth $55k.

  • Can you share your approach to find HTTP request smuggling?

    • I personally use the "HTTP Request Smuggler" Burp extension by James Kettle.

    • Cache Deception:

      1. You found an endpoint /user.php.

      2. Send /user.php/imran.png and check if it returns some sensitive content in the response.

      3. Now copy the same URL and open it in another browser.

      4. If you are served exactly the same content you saw in your previous browser, it's vulnerable to a cache deception attack.
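As an added example that is not part of the AMA, the following Python simulation reproduces the four steps above against a constructed origin and cache: a naive cache that decides cacheability from the URL suffix replays one session's /user.php page to the next visitor, while a cache that honours the origin's Cache-Control does not. The origin, the Cache class, both policies and the session table are constructed for the example.

```python
# Added example (not from the AMA): a minimal simulation of the cache
# deception the steps above test for. The origin serves /user.php as the
# logged-in user's private profile and also answers /user.php/anything
# (PATH_INFO). A naive cache stores anything with a static-looking suffix,
# so one user's private page can be replayed to the next visitor; the
# hardened cache honours the origin's Cache-Control. All names constructed.

STATIC_SUFFIXES = (".png", ".jpg", ".css", ".js")
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # constructed session table

def origin(path, session):
    """Return (status, headers, body) as the constructed origin server would."""
    if path == "/user.php" or path.startswith("/user.php/"):
        user = SESSIONS.get(session)
        if user is None:
            return 401, {"Cache-Control": "private, no-store"}, "login required"
        hdrs = {"Content-Type": "text/html", "Cache-Control": "private, no-store"}
        return 200, hdrs, f"profile of {user}: email {user}@example.invalid"
    if path == "/logo.png":  # a genuinely static asset the origin allows caches to keep
        return 200, {"Content-Type": "image/png", "Cache-Control": "public, max-age=3600"}, "<png bytes>"
    return 404, {}, "not found"

class Cache:
    """URL-keyed cache in front of origin(); cacheable(path, resp) decides what is stored."""
    def __init__(self, cacheable):
        self.cacheable, self.store = cacheable, {}

    def get(self, path, session):
        if path in self.store:          # cache hit: session is not part of the key
            return self.store[path]
        resp = origin(path, session)
        if self.cacheable(path, resp):
            self.store[path] = resp
        return resp

def naive_policy(path, resp):
    """Vulnerable: trusts the URL suffix and ignores the origin's headers."""
    return path.endswith(STATIC_SUFFIXES)

def hardened_policy(path, resp):
    """Fixed: stores only responses the origin explicitly marks public."""
    cc = resp[1].get("Cache-Control", "")
    return "public" in cc and "private" not in cc and "no-store" not in cc

def deception_check(cache):
    """Steps 2-4 above: fetch the static-looking URL in one session, then again with no session."""
    first = cache.get("/user.php/imran.png", "sess-alice")
    second = cache.get("/user.php/imran.png", None)  # no cookie, like a second browser
    return first[0] == 200 and first[2] == second[2]
```

With the naive policy the second, unauthenticated fetch receives alice's profile from the cache; with the hardened policy it receives the 401 the origin actually sent, while /logo.png is still cached normally.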

  • What is your favourite program that you would love to hack?

    • It's a private program, and I have found more than 100 bugs and got paid $75k on that single program.

  • What type of bugs would you mostly look for in public programs to avoid "duplicates"?

    • Spend more time looking for logic issues; most people aren't even looking for them.

    • Spend more time on complex parts of the application like integrations, webhooks, access control models and role-based access controls.

  • Burp extensions you use?

    • Autorize

    • AutoRepeater

    • HTTP Request Smuggler

    • Logger++ / Flow

    • JSON decoder

    • Copy as Python Request

    • Turbo Intruder

    • Reflector

  • Do you automate SSRF? Any suggestions to approach?

    • You can do the same stuff at the application level:

      • Save Burp history

      • Grep all endpoints

      • Replace all params with Burp Collaborator

      • Watch the Collaborator client for pingbacks

  • What would you suggest to someone who's not finding a single bug?

    • Become the master of one bug.

    • Start building websites/web apps/mobile apps, etc.

    • Be persistent, even if you can't find anything for weeks.

    • Make a proper methodology for each bug which includes:

      • Where to look for that bug.

      • How to Look for that bug.

    • Don't lose hope.

  • Is web building/making mandatory if we are new to bug hunting?

    • It's not mandatory, but it's worth it, and it's good to have a clear understanding of things before you start breaking them. The only way to have a clear understanding of things is by making/building them.

  • Google dorks which you mostly use?

    • Being honest, I rarely use Google for searching anything sensitive. I think Wayback is more hacker friendly than Google.