What Will We Learn Today?

  • ✅ What scope is, from the very basics
  • ✅ The difference between In-Scope and Out-of-Scope
  • ✅ Asset Types: what you are allowed to test
  • ✅ Vulnerability Types: which bugs are allowed
  • ✅ A formula for reading scope properly
  • ✅ What happens if you step outside scope

💡 Why does it matter? Understanding scope is the traffic signal of bug bounty: you have to stop at the red light, or there is an accident. Out-of-scope testing = ban + legal trouble!

What Is Scope? A Simple Example

Let's understand it with a story:

Imagine a shopping mall. The mall owner tells you:

"Do a security check of our mall and see whether there is any weakness."

But he also says:

✅ You may check:
   → Ground floor shops
   → First floor restaurants
   → Parking area
❌ You may NOT check:
   → The owner's private office
   → The bank branch (a separate company)
   → Other tenants' stores

That is scope!

In bug bounty, the company tells you:

  • Which websites/apps to test ✅
  • Which websites/apps never to touch ❌

In-Scope vs Out-of-Scope

In-Scope = Test Here

These things are clearly listed in the program; test only these:

Example: Zomato Bug Bounty:
✅ IN SCOPE:
   *.zomato.com          (all subdomains)
   api.zomato.com        (API endpoints)
   Android App           (Zomato mobile app)
   iOS App               (iPhone app)

Out-of-Scope = Never Touch!

❌ OUT OF SCOPE:
   blog.zomato.com       (blog platform)
   partners.zomato.com   (partner portal)
   Third-party services  (payment gateways)
   CDN providers
   Employee emails

Notice that blog.zomato.com and partners.zomato.com both sit under the *.zomato.com wildcard and are still excluded: an explicit exclusion always wins over a wildcard.

⚠️ Golden Rule: If an asset is not mentioned in the program, it is automatically out of scope! Don't assume: ask the company, or leave it alone.

Asset Types: What Can You Test?

Every program lists its assets, and they come in different types:

Type 1: URL / Domain

Example: *.example.com
Here * means wildcard = all subdomains
So you can test:
→ www.example.com
→ api.example.com
→ admin.example.com
→ dev.example.com
→ staging.example.com
All of them are in scope! 🎯
Two caveats: an explicit exclusion (say, blog.example.com listed as out of scope) overrides the wildcard, and a wildcard does not necessarily cover the bare apex example.com itself; check whether the apex is listed separately, or ask.

Type 2: Mobile App (Android/iOS)

Android: com.example.app (Play Store package name)
iOS: com.example.ios (App Store bundle ID)
The package name / bundle ID tells you exactly which app is in scope, so test that build and not a clone with a different ID.

Here you test:
→ Intercept the app's traffic with Burp Suite
→ Check local storage for sensitive data
→ Analyze the API calls
→ Check deep links

Type 3: API

Example: api.example.com/v1/*
Test for:
→ Authentication bypass
→ IDOR (change an ID and read someone else's data)
→ Rate limiting bypass
→ Mass assignment
→ Broken Object Level Authorization (BOLA)
The path matters too: if only /v1/* is listed, /v2 endpoints on the same host are not automatically in scope.

Type 4: Source Code (Open Source)

Example: github.com/example/repo
Test for:
→ Hardcoded secrets/API keys
→ Vulnerable dependencies
→ Logic flaws in the code
→ Security misconfigurations

Type 5: Executable / Desktop App

Example: Windows/Mac desktop application
Test for:
→ Local file inclusion
→ Privilege escalation
→ Insecure data storage
→ Memory vulnerabilities
Vulnerability Types: Which Bugs Are Allowed?

It is not only the targets that are limited; the bugs you can report are limited too:

Commonly Allowed Vulnerabilities:

🔴 Critical:
   → Remote Code Execution (RCE)
   → SQL Injection (SQLi)
   → Authentication Bypass
   → Account Takeover
🟠 High:
   → Cross-Site Scripting (Stored XSS)
   → Server-Side Request Forgery (SSRF)
   → Insecure Direct Object Reference (IDOR)
   → XML External Entity (XXE)
🟡 Medium:
   → Cross-Site Request Forgery (CSRF)
   → Open Redirect
   → Information Disclosure
   → Broken Access Control
🟢 Low:
   → Clickjacking
   → Missing Security Headers
   → SSL/TLS issues

Commonly NOT Allowed:

❌ Self-XSS (only works on yourself)
❌ Missing rate limiting (on login)
❌ Email enumeration
❌ Clickjacking on the login page (usually)
❌ CSV injection
❌ Banner grabbing / version disclosure
❌ Social engineering
❌ Physical attacks
❌ Denial of Service (DoS/DDoS)
❌ Brute force attacks

💡 Pro Tip: Always read the "Out of scope vulnerabilities" section. Some companies refuse specific things that other companies accept! The severity tiers above are typical, not universal: each program's own policy decides the final severity and payout.

How to Read a Real Program Scope? Step by Step

Let's read a real program scope, the DoD VDP, as an example:

Step 1: Note the Asset List

*.mil (all .mil domains)

This means thousands of US military websites are in scope!

Step 2: Note the Exclusions

❌ Nuclear systems
❌ Mission critical systems
❌ Weapons systems
❌ Safety of life systems

Step 3: Read the Vulnerability Types

✅ Web application vulnerabilities
✅ Network vulnerabilities
❌ Physical security issues
❌ Social engineering

Step 4: Rules of Engagement

✅ Manual testing allowed
✅ Automated scanning (limited)
❌ DDoS testing
❌ Exploiting real vulnerabilities to access data (prove the bug, don't pull the data)

Step 5: Check for Safe Harbor

"We will not pursue civil action or initiate a
complaint to law enforcement for accidental,
good faith violations of this policy."

Safe Harbor present = legal protection = testing is safe! ✅ Read the wording, though: it covers accidental, good-faith slips made while following the policy. Deliberately testing an excluded system, or pulling data to "prove" a bug when the rules forbid it, is not good faith, and the protection does not apply.

Build a Scope Map: Pro Technique

When you join a program, do this first:

📋 SCOPE MAP: Example Corp

IN SCOPE ASSETS:
├── Web
│   ├── www.example.com ✅
│   ├── api.example.com ✅
│   ├── admin.example.com ✅
│   └── *.example.com ✅
├── Mobile
│   ├── Android App ✅
│   └── iOS App ✅
└── API
    └── api.example.com/v2/* ✅
OUT OF SCOPE:
├── blog.example.com ❌
├── support.example.com ❌
└── cdn.example.com ❌
ALLOWED BUGS:
├── XSS ✅
├── SQLi ✅
├── IDOR ✅
└── Self-XSS ❌
NOTES:
→ Rate limiting: 10 req/sec max
→ Use test accounts: test@example.com
→ Response time: ~5 days
→ Safe Harbor: YES ✅

Build this map and keep referring to it while testing! Note that all three excluded hosts sit under *.example.com: write the exclusions down first, because they beat the wildcard.
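The scope map's "10 req/sec max" note and the "automated scanning (limited)" rule in Step 4 are limits you have to enforce on your own tooling; a scanner that ignores them is an out-of-scope DoS in the program's eyes. The sliding-window limiter below is an added example, not code from the original article or from HackerOne/Bugcrowd; it assumes a hypothetical limit of 10 requests per second and takes an injectable clock so the behaviour can be checked offline without really sleeping.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter: allow at most `max_requests` calls in any
    `window` seconds. Call acquire() before every HTTP request you send.

    `clock` and `sleep` are injectable so a fake clock can drive the limiter
    in tests; the defaults use real monotonic time.
    """

    def __init__(self, max_requests, window=1.0, clock=time.monotonic, sleep=time.sleep):
        if max_requests < 1:
            raise ValueError("max_requests must be >= 1")
        self.max_requests = max_requests
        self.window = float(window)
        self._clock = clock
        self._sleep = sleep
        self._stamps = deque()  # send times of the requests still inside the window

    def _expire(self, now):
        # Drop timestamps that have aged out of the sliding window.
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()

    def acquire(self):
        """Block until a request slot is free. Returns the seconds waited."""
        now = self._clock()
        self._expire(now)
        waited = 0.0
        if len(self._stamps) >= self.max_requests:
            # Window is full: wait exactly until the oldest request ages out.
            waited = max(0.0, self.window - (now - self._stamps[0]))
            self._sleep(waited)
            now = self._clock()
            self._expire(now)
        self._stamps.append(now)
        return waited


class FakeClock:
    """Constructed clock for the offline demo: sleep() just advances time."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(n_requests, max_per_second):
    """Fire n_requests back-to-back through a limiter driven by FakeClock.

    Returns (total_seconds_waited, simulated_elapsed_seconds).
    """
    clock = FakeClock()
    limiter = RateLimiter(max_per_second, window=1.0, clock=clock.time, sleep=clock.sleep)
    total_wait = sum(limiter.acquire() for _ in range(n_requests))
    return total_wait, clock.now


if __name__ == "__main__":
    # 25 back-to-back requests under a 10 req/sec limit: the limiter lets 10
    # through, pauses 1s, 10 more, pauses 1s, then the last 5.
    waited, elapsed = simulate(25, 10)
    print(f"waited {waited:.1f}s in total, simulated elapsed {elapsed:.1f}s")
```

In real use you keep the defaults (`limiter = RateLimiter(10)`) and call `limiter.acquire()` immediately before each request in your scanner loop. A sliding window is preferable to a fixed `sleep(1 / n)` between requests because it lets short bursts through while guaranteeing the program never sees more than the agreed number of requests in any one-second interval.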

What Happens If You Go Out of Scope?

This is very important, so understand it clearly:

Scenario 1: Accidental Out of Scope

You accidentally tested an out-of-scope URL.

The company's response:
→ They close the report as "Out of Scope"
→ They may give a warning
→ Usually no ban the first time
→ But it affects your reputation

If this happens to you, stop immediately and say so honestly in the report; that is exactly the "accidental, good faith" case safe harbor language is written for.

Scenario 2: Intentional Out of Scope

You deliberately tested an out-of-scope target.

The company's response:
→ Permanent ban from the program ✅
→ HackerOne/Bugcrowd account ban ✅
→ Legal action possible ⚠️
→ Your career can be over ❌

🚨 Real Example: A hacker accessed an out-of-scope database to "prove" a bug. The company filed a police complaint and he went to jail. A life ruined chasing money!

Simple Rule: If in doubt, don't do it; ask the company!

How to Ask the Company for Scope Clarification?

If an asset is not clearly mentioned, you can ask directly on HackerOne:

Message Template:

Subject: Scope Clarification Request
Hi Security Team,
I'm planning to test [specific asset]. I noticed it's
not explicitly mentioned in the scope. Could you please
clarify if testing [asset name] is within the program
scope?
Thank you!
[Your Username]

Most companies reply within 1–2 days and appreciate that you asked! Until they answer, the asset stays out of scope; don't start testing on the assumption that they will say yes.

Scope-Related Pro Tips

Tip 1: Wildcard = Goldmine!

*.example.com is in scope?
Then do subdomain enumeration!
→ subfinder -d example.com
→ amass enum -d example.com
More subdomains = more attack surface = more bugs! Just filter the results against the program's exclusions before you touch anything: enumeration tools return every subdomain they can find, including the ones the program told you to leave alone.
Tip 2: New Assets = Fresh Bugs!

Did the company add a new asset to the scope?
Go there right away: bugs on new assets are fresh
and there is hardly any competition!
HackerOne has a "Watch" button that notifies you of program updates!

Tip 3: Mobile App = Hidden APIs

Mobile app in scope?
Intercept it with Burp Suite →
you'll find hidden API endpoints that
have not been tested on the web side!
Hidden endpoints = untested = bugs! 🎯
(Check that the API host those endpoints live on is itself in scope before you test it.)

Tip 4: Old Scope vs New Scope

Look at the program's changelog:
old scope entries that were recently removed
are sometimes still accessible!

Example: api.old.example.com, removed from scope
but still live → grey area → clarify first! Something removed from scope is out of scope until the program says otherwise.

Practical: Today's Task

1️⃣ Open the "DoD VDP" program on HackerOne
2️⃣ Read the scope section completely
3️⃣ Build your own Scope Map (in a notepad)
4️⃣ List 3 in-scope assets
5️⃣ List 3 out-of-scope assets
6️⃣ Note the "Allowed Vulnerabilities" section
7️⃣ Find the Safe Harbor clause: is it there or not?

Quick Revision

🟢 In-Scope     = Test here ✅
❌ Out-of-Scope = Never touch ⛔
🗂️ Asset Types  = URL, Mobile, API, Source Code
🐛 Vuln Types   = Which bugs are allowed
🗺️ Scope Map    = Make your plan before testing
⚖️ Safe Harbor  = Check for legal protection
💬 Clarify      = If in doubt, ask the company

My Take…

The first time, I ignored the scope; I was too excited to start testing.

On one target I found a beautiful SSRF vulnerability, but when I submitted the report the company said:

"This asset is out of scope. Report closed."

A whole day wasted! 😭

From that day I made a rule:

"Read the scope first, spend 15 minutes on it. Then spend 15 hours testing."

This discipline is what separates mediocre hunters from elite hunters!

The 5 Foundation articles are now complete; now the real game begins!

In the next section we will learn Recon Tools: Subfinder, Amass, HTTPX, Nmap, Shodan. These are the weapons that reveal your attack surface! 🔍💥

HackerMD | Bug Bounty Hunter | Cybersecurity Researcher | GitHub: BotGJ16 | Medium: @HackerMD

Previous: Article #4 HackerOne & Bugcrowd Setup | Next: Article #6 Subfinder: Find Subdomains Like a Pro!

#BugBounty #Scope #EthicalHacking #Hinglish #CyberSecurity #HackerOne #Bugcrowd #BugBountyBeginner #HackerMD