Page 43 - Hands-On Bug Hunting for Penetration Testers

Chapter 2: Choosing Your Hunting Ground

- What vulnerabilities merit the highest payouts
- What vulnerabilities will not receive a payout at all
- What credentials/account you should use as a security researcher (for a social network or anything with authentication-restricted pages, companies will often offer pentesters a path to creating an account they can use to test user-restricted functionality)
The RoE are extremely important, not just because they affect your ability to win an award (you don't want to spend time chasing down a bug that doesn't merit a payout), but also because the company offering the program often treats fidelity to the RoE as the test of whether your activity was authorized at all. It's essential to structure your entire pentesting engagement so that it follows the guidelines, so that at the end of your research you are served with a paycheck rather than a subpoena.

One of the most common items in any RoE is a restriction on how scanners are used. Though we'll go into greater detail in a later chapter, SQL, Code Injection and Scanners, there are principles around using scanners that also apply to your pentest tooling in general.

These principles include the following:

- Be prepared to avoid using a tool by having an alternate workflow.
- Use filters (regex or otherwise), whitelists, and other techniques to tightly control where automation is applied.
- Always verify the results of automatic processes manually before submitting them in a report.
- Keep verbose logs with timestamps, context info, and so on. They'll make formatting your submission report easier.
- Rate-limit scanners or automated tools.

While they may seem like general tips, many of these techniques both help you color within the lines of your program's RoE and, by documenting all the details of the process, give you the material to write a comprehensive submission report at the end of your engagement. Keeping good documentation, limiting the unbounded potential of recursive processes (a spider that follows every link it finds, for example), and overseeing your automated processes are all good habits.

[ 28 ]