Bug bounty hunting is a fascinating and challenging field that combines technical skills, creativity, and persistence. While some vulnerabilities are well-documented and frequently exploited, there’s a category of bugs that are often overlooked: easy but rare bugs. These bugs are relatively simple to exploit but rarely encountered, making them valuable targets for savvy bug bounty hunters.
Here’s a look at some of these hidden gems and tips on how to identify and exploit them.
1. Forgotten Subdomains
The Bug:
Many companies host subdomains that are no longer in use but remain active. These forgotten subdomains often run outdated or misconfigured applications, creating potential vulnerabilities.
Why It's Rare:
Subdomain enumeration is common, but most hunters focus on the primary domain. Subdomains with no clear function are often ignored.
How to Exploit:
Use tools like Sublist3r or Amass for subdomain enumeration.
Check for unmaintained services, default login pages, or forgotten test environments.
Exploit common vulnerabilities like outdated CMS versions or directory traversal.
2. CORS Misconfigurations in Rare Endpoints
The Bug:
Cross-Origin Resource Sharing (CORS) misconfigurations allow malicious websites to interact with APIs or web services belonging to the target. While CORS misconfigurations are known, they are rarely found in non-standard endpoints.
Why It's Rare:
Most hunters check for CORS issues on main APIs but neglect auxiliary or internal APIs.
How to Exploit:
Look for endpoints using tools like httpx or Burp Suite.
Test for permissive configurations (Access-Control-Allow-Origin: * or specific whitelisted domains without proper validation).
Craft malicious requests to extract sensitive data.
3. Weak Reset Token Implementation
The Bug:
Password reset functionalities are a common attack vector. Some websites generate weak or predictable reset tokens, making it possible to hijack accounts.
Why It's Rare:
Most modern systems implement strong token generation, but legacy systems or custom implementations may be vulnerable.
How to Exploit:
Inspect reset tokens for patterns (e.g., base64-encoded email addresses or timestamps).
Use brute-force techniques if rate-limiting is absent.
Combine with account enumeration for precise targeting.
4. Server-Side Template Injection (SSTI) in Uncommon Forms
The Bug:
SSTI occurs when user inputs are improperly handled in server-side templates, allowing attackers to execute arbitrary code.
Why It's Rare:
SSTI vulnerabilities are often overlooked because hunters assume all inputs are sanitized.
How to Exploit:
Look for input fields in admin panels or internal tools.
Inject payloads like {{7*7}} or ${7*7} and observe responses.
Use tools like tplmap for automated testing.
5. Misconfigured Rate Limiting in Sensitive Operations
The Bug:
Rate limiting prevents abuse of endpoints, but misconfigured or missing rate limits in sensitive operations (e.g., password reset or payment processing) can lead to exploitation.
Why It's Rare:
Most hunters focus on login endpoints but ignore less obvious operations.
How to Exploit:
Identify endpoints performing critical operations.
Use tools like ffuf or custom scripts to test for high-speed requests.
Exploit vulnerabilities like account lockout bypass or payment tampering.
6. Insecure Deserialization in Unexplored Parameters
The Bug:
Insecure deserialization allows attackers to inject malicious objects into serialized data, leading to remote code execution or privilege escalation.
Why It's Rare:
Serialization vulnerabilities are often buried in obscure features or undocumented APIs.
How to Exploit:
Identify serialized data in requests (e.g., JSON, Base64).
Test with payloads from tools like ysoserial.
Focus on endpoints with admin or debugging functionality.
Tips for Finding Rare Bugs
1. Think Beyond the Obvious: While others target popular endpoints, focus on lesser-known functionalities like internal tools, debug pages, or beta features.
2. Leverage Automation: Use tools to scan large scopes but manually analyze results to spot anomalies.
3. Understand the Business Logic: Knowing how the application works can reveal vulnerabilities that scanners miss.
4. Stay Curious: Research less-discussed vulnerabilities, and experiment with creative payloads.
Easy but rare bugs often hide in plain sight. While they require a bit of extra effort to uncover, they can yield significant rewards. By broadening your scope and focusing on overlooked areas, you can find these hidden gems and set yourself apart as a bug bounty hunter.
Happy hunting!