Beyond the Borders of Scope


Jr0ch17 has been in the security industry for about 3 years now, mostly working as a pentester while getting industry certifications like OSCP and GWAPT. Since March 2020, he decided to give a shot to doing bug bounty full time. As a hobby, he likes to play hockey and to hack.


In this session, I’m going to talk about a somewhat controversial topic in bug bounty: looking at out-of-scope assets. This is not about doing actual hacking on those out-of-scope assets, it’s about doing recon on them in special ways in order to find bugs on the in-scope assets. The recon that I do uses a few techniques/tricks that I’ve been doing for a while which have resulted me in finding some bugs in programs’ core applications. As a matter of fact, with the help of that recon, I have never gotten a single duplicate yet so it definitely is an unexplored area. I will go through each technique or trick and show an example of a bug I’ve found. Some as simple as a reflected XSS (actually not that simple) and some with higher impact like RCE and information disclosure.