Bug Bounty Tips: Business Logic and Bounty Point of View
The bug bounty tip of this week is by Mustafa Oksuz, who is in the Cybersecurity Researcher Community of BugBounter. Mustafa’s bug bounty tip focuses on identifying logic errors, integration points, and the dynamic nature of systems. Read more!
It is not always easy to catch a logic error, especially in large systems. In this context, it is necessary to adopt the right point of view. Let us list these points.
Integration or Inheritance?
The weakest points of systems are their integration points, and focusing on them increases the chance of success. Finding an IDOR (Insecure Direct Object Reference) is not by itself a logic error, but discovering that an address can be substituted at a step such as sales-contract or invoice generation is one. These are niche points, so focus on them.
Systems are Alive
Systems are constantly evolving and ever-changing. These changes may be announced by the program, but not always. Therefore, when revisiting any program, examine the system structure thoroughly again and begin hunting at the points that have changed.
Force the System for Logic Errors
This will not necessarily yield perfect results at first. If you can purchase a product for 25 USD when its price is 20 USD, you are very lucky, because such errors often work both ways: if the system can be pushed in one direction, it can often be pushed in the other, to your advantage!
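The two failure modes described above, an address substituted at an integration step and a price that the client can move in either direction, as an added Python example that is not part of Mustafa's tip: a constructed two-step checkout with an invoice handler that trusts the posted values beside a hardened one that re-derives price and address from a signed quote. The catalog, customers, addresses and signing key are all constructed for the illustration.

```python
from dataclasses import dataclass
import hashlib, hmac, json

# Constructed sample data (not from any real shop): one SKU listed at 20 USD,
# and which delivery addresses belong to which customer.
CATALOG = {"sku-1": 20.00}
USER_ADDRESSES = {"alice": {"addr-a"}, "bob": {"addr-b"}}
SECRET = b"constructed-demo-key"  # a per-deployment secret in a real system

@dataclass(frozen=True)
class Quote:
    user: str
    sku: str
    qty: int
    address: str
    total: float
    tag: str  # HMAC binding all fields together at the quote step

def _tag(user, sku, qty, address, total):
    body = json.dumps([user, sku, qty, address, total]).encode()
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def create_quote(user, sku, qty, address):
    """Step 1: the price comes from the catalog, never from the client,
    and the delivery address must belong to the ordering user."""
    if qty < 1 or address not in USER_ADDRESSES[user]:
        raise ValueError("invalid quote")
    total = round(CATALOG[sku] * qty, 2)
    return Quote(user, sku, qty, address, total, _tag(user, sku, qty, address, total))

def invoice_trusting_client(quote, posted_total, posted_address):
    """The weak integration point: the invoice step takes the posted values at
    face value, so a total of 25 or 15 and another customer's address go through."""
    return {"charge": posted_total, "ship_to": posted_address}

def invoice_hardened(quote, posted_total, posted_address):
    """Step 2 re-derives everything from the signed quote and rejects any drift
    in either direction: an overpayment is as much a logic error as an underpayment."""
    expected = _tag(quote.user, quote.sku, quote.qty, quote.address, quote.total)
    if not hmac.compare_digest(expected, quote.tag):
        raise ValueError("quote tampered between steps")
    if round(CATALOG[quote.sku] * quote.qty, 2) != quote.total or posted_total != quote.total:
        raise ValueError("total does not match catalog price")
    if posted_address != quote.address or posted_address not in USER_ADDRESSES[quote.user]:
        raise ValueError("address substituted at invoice step")
    return {"charge": quote.total, "ship_to": quote.address}
```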
Be Appetitive and Altruistic when Hunting
Most security researchers rely on scans with little or no human factor when examining systems, and not every bounty hunter scrutinizes systems sufficiently while hunting. When the target is an e-commerce company, many hunters are unwilling to pay, or to register with systems that require a lengthy registration process.
Thank you for reading Mustafa’s tip this week! Log in now to put what you’ve learned into practice.
Get Bug Bounty-Famous with BugBounter!
Bug bounty tips are one of the most effective ways to contribute to the international community of bug bounty hunters: you help each other develop as cybersecurity researchers and increase your online reputation.
BugBounter values at the utmost level the efforts of the bug bounty hunters who would like to contribute to the international community of bug bounty hunters.
If you are not registered on BugBounter, register today and reach out to us with the following:
- Your BugBounter username,
- A photo of you, or a display picture to represent you,
- The social media accounts you’d like tagged with your username,
- And – the most important one – your bug bounty tip.
Please note: your bug bounty tip might be altered according to our bug bounty tip style guidelines. We will ask for your approval before publishing the bug bounty tip.