
Bug Bounty Scoping Question



Hello everyone!

I am about halfway through Hack The Box’s bug bounty path and I’ve been looking through bounty opportunities. I have some questions revolving around scope and what CAN be done.

I see a lot of postings that don’t allow for automatic enumeration tools (such as Burp Suite, nmap, etc.), “no attacks requiring MITM or physical access or control of a user’s device”, no XSS, no CSRF, etc.

My question is this: I feel like these scopes don’t allow for most of what I’m learning in HTB so…what are we allowed to even do?

Here is an example:

Out of scope vulnerabilities

- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access or control over a user's device.
- Cross-domain referer leakage (except there is an actual impact like disclosure of authenticated session cookies).
- Cross-domain script inclusions.
- Previously known vulnerable libraries without a working Proof of Concept.
- Missing best practices in SSL/TLS configuration.
- Rate limiting or brute force issues on non-authentication endpoints
- Denial of service attacks (DDOS/DOS)
- Missing cookies security flags (e.g., HttpOnly or Secure)
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Missing DNS resource record for Certificate Authority Authorization (CAA)
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
- Information disclosure vulnerabilities like software version disclosure / internal path disclosure issues / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors) (except there is an actual impact like disclosure of sensitive information)
- Zero-days or known vulnerabilities disclosed publicly within the past 30 days.
- Vulnerabilities solely based on Open Source Intelligence (OSINT) investigations, without a technical exploit.
- Broken links or URL inconsistencies without an associated security vulnerability or demonstrable impact on system security.
- Web links that point to non-existing web pages.
- Unconfirmed reports from automated vulnerability scanners
- General low severity issues reported by automated scanners

Again, quite new to this but I feel like there’s nothing to be done with a scope like this.

Any thoughts at all would be welcome!

Thank you,

https://redd.it/1cdsq97
@r_bugbounty
