Hello beautiful hackers, how are you, hope you are good.
So today, in this blog, I am going to teach you how to write a proper bug bounty report, with an example report.
Before starting, I have a such a small request to all of you, I always write and post something about cyber security, penetration testing and bug bounty. So if you like my content then don’t forget to clap and follow me
Thanks
So, let’s start it..
Before writing bug bounty report, you have to remind some points of bug bounty report, for fast ,easy nad effective reports writing.
There is total 9 points you should remind as follows
So let’s see about each point in details
1. Vulnerability Name
You should mention that, which vulnerability you found on target website / web application. Is it IDOR, LFI, RFI, SQL injection, SSRF, SSTI, CSRF, CORS, XSS, XXE OR anything else. Mention that name
2. Vulnerability Discription
Describe vulnerability in detail. Suppose you find the vulnerability XSS , then write about it, that is it server side bug or or side bug, is it listed into OWASP Top 10 Vulnerability or not, you can take the help of Google.
3. Vulnerability Severity
Severity is always depends on, “HOW MUCH IMPACT HAPPENS OF VULNERABILITY ON SERVER”.If you are vulnerability impact is low, that means you can’t access sensitive database of the server, using that vulnerable exploitation, then that is such a low impact, that’s why your vulnerability severity is low
4. Vulnerable URL
Mention the URL of target server, where you find out the bug, with that URL end point. It might be your subdomain OR your main domain
5. Payload
Mention that payload that you use to exploit certain vulnerability
(Bonus : Here is some payload resources, for pentesting, bug bounty, and red teaming)
You can download from below links
6. Stapes Of Reproduce
To generate reproduction steps, first find a sequence of actions which reproduce the issue you’re seeing reliably. Next, write down everything you did as clearly as possible. Make sure each step is self-contained: anyone should be able to follow your steps, without access to private or proprietary data.
7. Impact
Write down the impact of vulnerability on server in detail , that how much it affect on server. You can take the help of Google
8. Mitigation
In mitigation unit to write solution of that vulnerability, you can suggest, that how you can fix that vulnerability. For mitigation you can take the help of Google
9. POC
POC stands for Proof of Concept , you have to take screenshots OR Screen recording of exploitation of vulnerability. In short it’s a steps of reproduce in video format OR Screenshot Format, where you can explain the exploitation visually
And here is the explanation of that 9 points that you should remind. Now I am going to show you example of bug bounty reports
_________________________________________________________________
Vulnerability Name- Reflected XSS
Vulnerability Discription- Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim’s browser The script is activated through a link,which sends a request to a website with a vulnerability that enables execution of malicious scripts.
Vulnerability Severity- It’s a Client side attack, which is less impactable, which severity has medium
Vulnerable URL -http://testphp.vulnweb.com/search.php?test=query
Payload- <script>alert(‘xss’)</script>
Stapes Of Reproduce -
1) http://testphp.vulnweb.com/search.php?test=query open this URL in your browser
2) capture the request using Burp Suite
3) send request to repeater
4) Put above payload after test
5) Right click and select show responce in the browser copy this into firefox and you will get XXS Popup
Impact- View any information that the user is able to view. Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Mitigation- First and foremost, from the user’s point-of-view, vigilance is the best way to avoid XSS scripting. Specificaly this means not clicking on suspicious links which may contain malicious code
POC- Video
_________________________________________________________________
BONUS POINTS:
So today, in this blog, I am going to teach you how to write a proper bug bounty report, with an example report.
Before starting, I have a such a small request to all of you, I always write and post something about cyber security, penetration testing and bug bounty. So if you like my content then don’t forget to clap and follow me
Thanks
So, let’s start it..
Before writing bug bounty report, you have to remind some points of bug bounty report, for fast ,easy nad effective reports writing.
There is total 9 points you should remind as follows
- Vulnerability Name
- Vulnerability Discription
- Vulnerability Severity
- Vulnerable URL
- Payload (which is used to exploit vulnerable URL)
- Steps Of Reproduce (complete exploitation process)
- Impact
- Mitigation
- POC (Proof of Concept)
So let’s see about each point in details
1. Vulnerability Name
You should mention that, which vulnerability you found on target website / web application. Is it IDOR, LFI, RFI, SQL injection, SSRF, SSTI, CSRF, CORS, XSS, XXE OR anything else. Mention that name
2. Vulnerability Discription
Describe vulnerability in detail. Suppose you find the vulnerability XSS , then write about it, that is it server side bug or or side bug, is it listed into OWASP Top 10 Vulnerability or not, you can take the help of Google.
3. Vulnerability Severity
Severity is always depends on, “HOW MUCH IMPACT HAPPENS OF VULNERABILITY ON SERVER”.If you are vulnerability impact is low, that means you can’t access sensitive database of the server, using that vulnerable exploitation, then that is such a low impact, that’s why your vulnerability severity is low
4. Vulnerable URL
Mention the URL of target server, where you find out the bug, with that URL end point. It might be your subdomain OR your main domain
5. Payload
Mention that payload that you use to exploit certain vulnerability
(Bonus : Here is some payload resources, for pentesting, bug bounty, and red teaming)
You can download from below links
6. Stapes Of Reproduce
To generate reproduction steps, first find a sequence of actions which reproduce the issue you’re seeing reliably. Next, write down everything you did as clearly as possible. Make sure each step is self-contained: anyone should be able to follow your steps, without access to private or proprietary data.
7. Impact
Write down the impact of vulnerability on server in detail , that how much it affect on server. You can take the help of Google
8. Mitigation
In mitigation unit to write solution of that vulnerability, you can suggest, that how you can fix that vulnerability. For mitigation you can take the help of Google
9. POC
POC stands for Proof of Concept , you have to take screenshots OR Screen recording of exploitation of vulnerability. In short it’s a steps of reproduce in video format OR Screenshot Format, where you can explain the exploitation visually
And here is the explanation of that 9 points that you should remind. Now I am going to show you example of bug bounty reports
_________________________________________________________________
Vulnerability Name- Reflected XSS
Vulnerability Discription- Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim’s browser The script is activated through a link,which sends a request to a website with a vulnerability that enables execution of malicious scripts.
Vulnerability Severity- It’s a Client side attack, which is less impactable, which severity has medium
Vulnerable URL -http://testphp.vulnweb.com/search.php?test=query
Payload- <script>alert(‘xss’)</script>
Stapes Of Reproduce -
1) http://testphp.vulnweb.com/search.php?test=query open this URL in your browser
2) capture the request using Burp Suite
3) send request to repeater
4) Put above payload after test
5) Right click and select show responce in the browser copy this into firefox and you will get XXS Popup
Impact- View any information that the user is able to view. Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Mitigation- First and foremost, from the user’s point-of-view, vigilance is the best way to avoid XSS scripting. Specificaly this means not clicking on suspicious links which may contain malicious code
POC- Video
_________________________________________________________________
BONUS POINTS: 
- Always make report into word file OR PDF file while sending. Always avoid in txt format
- While taking screenshot, use always high quality software
- for screenshot, I’m suggesting you two best softwares
ShareX & Greenshot - Use always OBS Studio Software for recording POC video. This software available for windows, mac, and linux . If you are using kali linux then kazam is also best option for you
- Avoid the mistakes such as, you are clicking on wrong page,and get back again OR you’re spelling mistake while typing payload OR you missed something while exploiting and you get error OR write explanation on text editor, stop avoid this all things while screen recording
- Your screen recording speed should be 1.0X. It should not be so fast like 1.5X , 2.0X, 2.5X OR it should not be very slow like 0.5X like this
- Always record your POC into 720p OR 1080p quality with .mp4 extention
- Don’t Apply any background music on POC. It should be non-musical video always
- Your video should be between minimum 1 min to maxmium 5 min time limit, because you just have to record exploitation part.
