Flaws in your software or applications may just be functional – or they could become a serious security issue. That’s why we offer a unique bug hunting service to add to your arsenal and help weed out these security flaws.

Not all bugs are created equal – only some bugs will create a vulnerability that can be exploited by hackers, such as by compromising user authentication, authorization of access rights and privileges, or the confidentiality of your data. Security testers and bug hunters look for these types of flaws. Think of it like this: all men are humans, but not all humans are men; all security bugs are defects, not all defects are security bugs.

What does Intruder hunt for?

The types of vulnerabilities detected by our Bug Hunting service includes everything from simple misconfigurations which leave sensitive data exposed, to exploiting complex attack chains which attackers could use to gain control over your systems.

• Exploitation of injection weaknesses to access databases with sensitive information
• Analysis of code in exposed repositories which lead to privileged access to apps  
• Exploitation of application layer weaknesses like server-side request forgery to gain access to your cloud services
• Exploitation of known weaknesses in out-of-date products to access personally identifiable information

How does bug hunting find these flaws?

Bug hunting looks to find these flaws by continuously testing your external infrastructure and web applications over the term of your agreed contract in a similar way to penetration testing, in that it finds serious weaknesses which scanners alone might not detect.

But unlike a traditional point-in-time pen test, bug hunting is continuous. Bug hunting runs over the term of a contract, often paid for per day, while penetration testing is a scheduled, one-off test of your digital security to identify weaknesses and vulnerabilities. For example, at Intruder if you have 10 days of bug hunting on account, we’ll hunt for these security vulnerabilities spread across the year.

Do I need bug hunting as well as a penetration test?

With a single penetration test, the analysis of your security could be out of date within a day as new vulnerabilities are released so frequently. If one of your developers makes a change or reconfiguration to you application, as soon as a new vulnerability comes out you can’t be sure if it’s still secure. Bug hunting is ongoing and continuous, using the latest techniques as and when they emerge, so your application is checked and tested across the year.

‍

Can I choose what I want tested?

Bug hunting can be more efficient than traditional penetration testing, only looking for exploitable vulnerabilities with proven impact. For example, if you've got a SQL injection, what does that mean for you? Bug hunting goes further – if it finds a SQL injection, it will prove it’s exploitable by extracting sensitive data from the database in the same way as an attacker would. Only then will it be reported when the impact has been proven. If the SQL injection can be used to extract information, it's very serious and impact has been proven, and we’ll report it as an advisory.

Do I need bug hunting if I use a scanner?

Bug hunting is designed to find secret but serious weaknesses which scanners alone can’t detect. For example, authorization weaknesses are typically very difficult for scanners to detect because they don’t have the business context needed to recognize that the data in a particular response is sensitive. But the human eye can detect these weaknesses.

Who does the bug hunting?

Bug hunting is done by qualified penetration testers in accordance with the certification bodies we work with such as Crest and Offensive Security.

Why is this important?

Bug hunting won’t report on theoretical vulnerabilities with tenuous exploits with no public information. Although we’ll test and look for them, we’ll only report the ones that we can prove with an exploit. Bug hunting is also efficient because it only looks for high and critical impact weaknesses. So, no time is wasted reporting on things like missing headers and weak ciphers, which you’ll probably already know about from the scanner.

‍

Ask an expert: Bug hunting in action

With Dan Andrew, Intruder Head of Security

Bug Hunting can help you prioritize fixes on the most critical of your vulnerabilities first, and it can discover weaknesses which you don’t even know about, by employing penetration testing techniques which automated scanners alone can’t find. Perhaps the best way to explain Bug Hunting is with an example...

Imagine you have a large digital estate. You’re under-resourced. Your team has to prioritize the most critical weaknesses to fix first, because vulnerabilities crop up faster than you can fix the ones you already have. Hidden amongst the many weaknesses in products you use is one which allows attackers to exploit a Local File Inclusion weakness from an unauthenticated perspective, but only in certain application configurations.

Our Bug Hunting team steps in and discovers the weakness on a target in a vulnerable configuration, and they exploit the weakness to prove it can practically be exploited, and not just in theory. So, they prove that attackers can access a local configuration file which contains credentials for one of your databases, and they gain access to the database using these credentials, which contains sensitive information on one of your customers.

Once impact is proven, the weakness is reported to you as a critical risk advisory – now you can focus on a fix for a vulnerability that you now know needs prioritizing above others, because it’s proven to be exploitable and the impact is clear and high risk.

‍

‍

Need to know

What is it?

Our bug hunting pits your external targets against our team of expert penetration testers to try and find weaknesses and exposures. We focus on finding the high impact attack chains that could have significant impact on your business if not found and fixed.

What’s included?

• Manual discovery of content, services, applications
• Targeted reconnaissance and attack surface mapping
• Exploiting recent vulnerabilities
• Scanning for weaknesses not yet covered by our core scanning engine  
• Enumeration of user accounts and weak perimeter passwords

How is it different from a penetration test?

• It’s not as structured as a standard penetration test and is delivered in a similar style to a Bug Bounty, but run by our expert inhouse Security team
• It’s widely scoped and typically includes all the systems in your account, including production systems (of course we take extra care to minimize any risk of testing production systems)
• It’s not an exhaustive test of every system in scope, and is usually focused on a particular area, such as a recently changed API.
• We only report High or Critical impact weaknesses so it's more time-efficient than a pentest

What do you focus on?

This is completely up to you – whatever you think will help us discover any weaknesses.

• Testing without credentials means it’s performed from the perspective of an internet-based attacker
• Testing with credentials will expose what could be available to an attacker with inside information or access to privileged information (such as change notes or source code)  

How do you report?

We send out advisories for any security issues uncovered during the process. If no issues are found, we’ll let you know too.

Who’s it for?

Bug hunting is a bolt-on service available to Premium and Vanguard customers, booked by the day. It’s a hybrid service, which means it’s a blend of vulnerability management and pen testing rolled into one. You’ll see the output from bug hunting advisories alongside any issues discovered by the Intruder scanner.

‍

If you want more information about Bug Hunting or the other features available with our Premium or Vanguard plans, check out our pricing page or contact our Sales team.

‍