Summary of The Bug Hunter's Methodology - Application Analysis | Jason Haddix

00:00:00 - 00:45:00

Jason Haddix provides a methodology for application analysis, listing six areas to look for in any application. He also provides advice on how to find vulnerabilities in these areas. He also recommends looking for content types and apis, as well as account data. Finally, he advises looking for errors in the application.

• 00:00:00 Jason Haddix discusses the mental hurdles that new bug bounty hunters face, including the importance of client reputation. He recommends print resources and live hacking resources to new bug bounty hunters.
• 00:05:00 The bug hunter's methodology is to first overcome four mental hurdles in bug bounty investigations, such as pre-testing, size, and fallacies of application analysis. Once these are overcome, the hacker will look for vulnerabilities in publicly accessible areas of the application.
• 00:10:00 The bug hunter's methodology begins with reviewing the level of service of the server, which relates to the application. This is followed by looking for default admin panels, default credentials, and anything that is not custom code. Next, the browser extension Wapalizer is used to find technology used by the website. Finally, known vulnerability cves are checked, and any that are found are saved into a mind map.
• 00:15:00 The Bug Hunter's Methodology is a simple process of finding vulnerabilities in applications, code, and systems. The video's author, Jason Haddix, recommends using Project Discovery, Nabu, Ferro Buster, and other content discovery tools to quickly find vulnerabilities. Haddix also recommends using lists of specific vulnerabilities to rapidly brute-force attack applications.
• 00:20:00 The Bug Hunter's Methodology discusses how to choose a word list for different types of content discovery, how to find endpoints and paths in applications, and how to use historical content discovery tools to find old versions of websites.
• 00:25:00 Jason Haddix discusses the methodology he uses to analyze applications, including questions he asks and the importance of data passing. He also discusses the importance of understanding user levels and multi-tenancy in web applications.
• 00:30:00 The Bug Hunter's Methodology is designed to help you find security vulnerabilities in applications. It starts with asking the site's unique threat model, then looks for past security research involving the site. Next, it examines the site's application framework for vulnerabilities. Finally, it spiders the site to look for vulnerabilities.
• 00:35:00 Jason Haddix describes how he uses application analysis and parsing of javascript code for content discovery and vulnerability assessment. He recommends xml hacker's Gap tool and Hunt project, which uses statistical analysis of vulnerable parameter names to find the cream of the crop.
• 00:40:00 Jason Haddix provides a methodology for application analysis, listing six areas to look for in any application. He also provides advice on how to find vulnerabilities in these areas. He also recommends looking for content types and apis, as well as account data. Finally, he advises looking for errors in the application.
• 00:45:00 The speaker discusses how they use application analysis techniques to find vulnerabilities and how their knowledge base evolves over time. They also provide a preview of their upcoming recon talk, which focuses on specific bug classes.