5 Common Coder Mistakes in Bug Bounty Hunting (with Code Fixes)

Here are some common mistakes coders make in bug bounty hunting, along with code examples and tips for avoiding them:


1. Input Validation Errors:

Mistake: Failing to properly validate user input, leaving applications vulnerable to injection attacks like SQL injection, cross-site scripting (XSS), and command injection.

Code Check:

Python
# Vulnerable code:
username = request.GET['username']
query = "SELECT * FROM users WHERE username = '" + username + "'"

# Secure code:
username = request.GET.get('username')  # Use get() to handle missing values
query = "SELECT * FROM users WHERE username = %s"  # Use parameterized queries
cursor.execute(query, (username,))
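
The difference between the two queries above can be checked with a small regression test. This is an added example, not code from the original post: it assumes Python's built-in sqlite3 module (which uses ? placeholders where the snippet above uses %s), and the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn

def find_user_concat(conn, username):
    """The vulnerable pattern: input is spliced into the SQL text."""
    query = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def find_user_param(conn, username):
    """The fixed pattern: input is bound as a value by the driver."""
    if not username:  # .get() returns None when the field is missing
        return []
    # sqlite3 uses "?" placeholders; psycopg2 and MySQLdb use "%s".
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]

def compare(conn, username):
    """Return (concat_result, param_result); an SQL error is reported as a string."""
    try:
        concat = find_user_concat(conn, username)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, find_user_param(conn, username)

if __name__ == "__main__":
    db = make_db()
    # Constructed regression inputs: a normal name, a legitimate name with a
    # quote, and a value whose quote changes the WHERE clause when concatenated.
    for value in ("alice", "O'Brien", "nobody' OR '1'='1"):
        print(repr(value), "->", compare(db, value))
```

The concatenated query breaks on a legitimate name containing a quote and returns every row for the third input, while the parameterized query treats all three as plain values.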

2. Broken Authentication and Session Management:

Mistake: Improper authentication or session management, allowing attackers to hijack accounts, steal sensitive data, or perform unauthorized actions.

Code Check:

JavaScript
// Vulnerable code:
sessionStorage.setItem('authToken', token);  // Storing sensitive tokens in client-side storage

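// Secure code (server side, Express-style response object):
// Use HttpOnly cookies so page scripts cannot read the token; Secure and SameSite limit where it is sent
res.cookie('authToken', token, { httpOnly: true, secure: true, sameSite: 'strict' });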

3. Sensitive Data Exposure:

Mistake: Failing to protect sensitive data like passwords, credit card numbers, or personal information, leading to data breaches.

Code Check:

Java
// Vulnerable code:
String password = request.getParameter("password");  // Storing password in plain text

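// Secure code:
// Requires java.security.SecureRandom, javax.crypto.SecretKeyFactory, javax.crypto.spec.PBEKeySpec
// A bare SHA-256 digest is fast and unsalted, so use a salted, slow key-derivation function instead
char[] password = request.getParameter("password").toCharArray();
byte[] salt = new byte[16];
new SecureRandom().nextBytes(salt);  // Unique random salt per password
PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
        .generateSecret(spec).getEncoded();  // Hash passwords before storage; store the salt with the hash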

4. Cross-Site Scripting (XSS):

Mistake: Allowing attackers to inject malicious scripts into web pages, compromising user security and stealing data.

Code Check:

JavaScript
// Vulnerable code:
document.getElementById("comment").innerHTML = commentText;  // Direct output of user input

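// Secure code:
// textContent inserts the value as plain text, so the browser never parses it as HTML.
// Do not HTML-escape it first (the entities would be displayed literally);
// use HTML escaping only when the value has to be placed into an HTML string.
document.getElementById("comment").textContent = commentText;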

5. Security Misconfigurations:

Mistake: Using default settings, unnecessary features, or outdated software, creating vulnerabilities.

Code Check:

  • Review application configuration for secure settings.
  • Disable unnecessary features and components.
  • Keep software and libraries up-to-date.

Additional Tips:

  • Use secure coding practices and libraries.
  • Follow OWASP Top 10 guidelines.
  • Conduct thorough testing and peer reviews.
  • Stay updated on security vulnerabilities and patches.
  • Employ automated security testing tools.