Hey guys, hope you all are doing well.
I have learned a lot of things from the community and I am still learning new things daily from fellow hackers; hacking is a continuous process and ultimately reflects a state of mind.
I have received a lot of messages from people asking me how to start, and where to start, in bug bounties. So I have decided to write a blog post that contains as much information as possible to help beginners.
Quote: "Hacking is a lifelong journey of learning."
Table of Content
- Introduction
- Reading
- Practicing
- Connect with community
- Ask Questions
- Motivation
- Certifications
- Conclusion
Introduction
What is bug bounty?
To get a basic understanding of the role, the name itself is quite self-explanatory. A bug bounty hunter looks for bugs in applications and platforms, reports them to the company responsible, and is compensated for the report. Numerous companies run established bug bounty programs with predefined rewards.
For instance, Google runs its Security Bug Bounty Program, under which it has defined rewards of up to $31,337 for Remote Code Execution (RCE) and server-side issues, bypasses of significant security controls, and more. Other companies like Facebook and Microsoft have their own bug bounty programs, and some other tech giants like Shopify, Twitter and Uber host their bug bounty programs on HackerOne.
There are two different fields to choose from, and you can pick your own way:
- Web Application Penetration Testing.
- Mobile Application Penetration Testing(Android and iOS).
Learn how to program.
- Get one of the open-source Unixes and learn to use and run it.
- Learn how to use the World Wide Web and write HTML.
- If you don't have functional English, learn it.
- Try harder / never give up mindset.
If we haven’t made that clear yet, there’s no fixed way of becoming a bug bounty hunter. Looking at the reports mentioned earlier will make it clear that hackers can be self-taught, or skilled in a classroom, they can be experienced info-sec professionals doing this as a hobby, or students doing this for skill-development or just for fun on the side.
You should focus on the basics, and you can learn them from:
- OWASP Top 10
- OWASP Testing Guide v4
- The Bug Hunter's Methodology (by Jason Haddix)
- Web Hacking 101 (by Peter Yaworski)
Ways to get better
- Read lots of books.
- Read disclosed HackerOne reports (recommended).
- Read articles, blogs and write-ups from your fellow hackers as much as you can.
- Conferences.
- Online platforms for security education.
- CTFs.
Books you should prefer:
YouTube channels you must subscribe to:
Blogs you must follow for amazing resources:
- https://blog.intigriti.com/
- https://www.hackerone.com/blog
- https://www.bugcrowd.com/blog/
- phwd
- Brutelogic
- Tomnomnom
- EdOverflow
Since the web remains the widest ground for potential bugs, it retains its top position as the most preferred target area, followed closely by network penetration testing. Social engineering is relatively new to the top five but has become increasingly relevant in recent years.
Just like the skills and target areas, the tools and methodologies required to become a bug bounty hunter are also quite diverse. Going by the preferred techniques, attack vectors and methods in the reports mentioned earlier as well as other sources, these are the top five areas to focus on:
- RCE
- XSS
- SQL Injection
- Fuzzing and Information Gathering
- Business Logic
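SQL injection is the easiest of these five areas to understand when the bug sits next to its fix. The following is an added example, not code from the original post: a login check that splices user input into the SQL text, beside the same check written as a parameterized query, both run against a constructed in-memory SQLite table. The usernames and passwords are made up for the demo, and passwords are stored in plaintext only so the SQL stays readable (a real application stores a password hash).

```python
import sqlite3

# Constructed sample accounts for the demo (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Classic SQL injection: user input becomes part of the SQL statement.

    A password of  ' OR '1'='1  turns the WHERE clause into
    username = 'alice' AND password = '' OR '1'='1', which is true for
    every row, so every account is returned.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}' ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the SQL,
    so a quote inside the password is just a character in a string."""
    query = (
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run the same payload through both versions and return the results."""
    conn = make_db()
    payload = "' OR '1'='1"  # the attacker-controlled password field
    return {
        "vulnerable": login_vulnerable(conn, "alice", payload),
        "safe": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    print(demo())  # vulnerable returns every user, safe returns nothing
```

When you test a real login form, this is exactly the difference you are probing for: a single quote that changes the result set (or produces a database error) in the vulnerable version does nothing in the parameterized one.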
Before you start testing any website, you should practice on vulnerable apps.
Here is a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)
- OWASP curated list of vulnerable web apps
- Hack The Box - machines & challenges (you have to solve a challenge to get an invite code to HTB)
- Avatao (e.g. CrySyS 2019)
- OverTheWire - online wargames (Bandit, Natas, ...)
- Hacksplaining
- Penetration Testing Practice Labs
Tools you should practice with
Web Application:
- Burp Suite - An integrated platform for performing security testing of web applications.
- Sqlmap - An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
- Assetfinder - Find domains and subdomains related to a given domain. (Thanks @tomnomnom)
- Amass - In-depth subdomain enumeration tool that performs scraping, recursive brute forcing, crawling of web archives, name altering and reverse DNS sweeping
- Sublist3r - For Subdomain Enumeration
- Aquatone - A tool for visual inspection of websites across a large number of hosts; convenient for quickly gaining an overview of the HTTP-based attack surface. (Amazing tool by michenriksen)
- DirBuster - Bruteforce/dictionary attack on web-server to find hidden directories.
- Dirsearch - It is a simple command line tool designed to brute force directories and files in websites.
- http://pastebin.com - Paste code/text with coloration
- HackBar - XSS/SQL tests
- EditThisCookie - Edit cookie, can lock cookie
- https://dnsdumpster.com - Free domain research tools, find subdomains
- https://pentest-tools.com/home - Subdomain brute-force not 100% free
- Wfuzz - Web bruteforce/enumerator
- S3 bucket finder - Brute-force s3 buckets
- Nmap - find ports and hidden services
- Gitrob - Find Sensitive information in Github repository.
- Wayback Machine - Find archived URLs of the target.
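Assetfinder, Amass and Sublist3r each print a list of hostnames, and the first thing to do with those lists is merge them and throw away anything outside the program's scope, because testing an out-of-scope host is the fastest way to get a report closed or an account banned. The following is an added example, not from the original post or from any of those tools: a small Python scope filter run over constructed sample output. The domain names, the tool output and the excluded host are made up; a real program lists its scope on its HackerOne or Bugcrowd page.

```python
import re

# Constructed sample output, roughly what two enumeration tools might print
# for one target. Mixed case, trailing dots, wildcards and look-alike
# domains are deliberately included because real output contains them.
ASSETFINDER_OUT = """
www.example.com
Api.Example.com.
*.dev.example.com
mail.example.com
example.com
"""

AMASS_OUT = """
api.example.com
staging.example.com
cdn.example-files.com
example.com.evil-phisher.net
"""

HOSTNAME_RE = re.compile(r"[a-z0-9.-]+")


def normalize(line):
    """Turn one raw output line into a canonical hostname ('' if empty).

    Takes the first whitespace-separated token, lowercases it, strips a
    trailing dot and a leading wildcard label ('*.').
    """
    parts = line.strip().split()
    if not parts:
        return ""
    name = parts[0].lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def _under(host, parent):
    """True if host is parent itself or a subdomain of parent."""
    return host == parent or host.endswith("." + parent)


def in_scope(host, roots, excluded):
    """Decide scope by label boundaries, never by substring.

    'example.com.evil-phisher.net' contains 'example.com' but is not under
    it, and 'cdn.example-files.com' is a different registrable domain.
    Exclusions win over root matches.
    """
    if not HOSTNAME_RE.fullmatch(host):
        return False
    if any(_under(host, ex) for ex in excluded):
        return False
    return any(_under(host, root) for root in roots)


def merge_scope(outputs, roots, excluded=()):
    """Merge several tools' outputs into one sorted, de-duplicated,
    in-scope host list."""
    hosts = set()
    for text in outputs:
        for line in text.splitlines():
            host = normalize(line)
            if host and in_scope(host, roots, excluded):
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for h in merge_scope(
        [ASSETFINDER_OUT, AMASS_OUT],
        roots=("example.com",),
        excluded=("staging.example.com",),  # assumed program exclusion
    ):
        print(h)
```

In practice you would feed the real tool output in (for example `merge_scope([open("assetfinder.txt").read(), open("amass.txt").read()], ...)`) and hand the result to Aquatone or Nmap. The label-boundary check in `in_scope` is the part worth copying: a naive `"example.com" in host` test would happily keep the phishing look-alike domain.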
Mobile Application
- Dex2jar - Useful to convert dex files into jar to de-compile the application.
- Appium - Appium is an open-source tool for automating native, mobile web, and hybrid applications on iOS and Android platforms.
- Apktool - Reverse engineering Android apk files (Thanks @planetzuda)
- NinjaDroid - Ninja Reverse Engineering on Android APK packages (Thanks @geekspeed)
- Objection - Mobile exploration toolkit, a wrapper around Frida.
- uber-apk-signer - Signing apk
Once you're armed with knowledge and the right tools, you're ready to look for some bugs to squash. Companies will often have a link somewhere on their website offering bug bounties, but they can be hard to find. You're better off checking a bounty board where hackers read publicly disclosed vulnerability reports and update an active list daily, like these:
Note: I suggest to all beginners that they do not use automated scanning tools; about 95% of their results are false positives.
Connect with community
The bug bounty community consists of hunters, security analysts, and platform staff helping one another get better at what they do.
Get involved with successful bug hunters to take guidance from them, get new ideas and learn faster.
Recommended communities focused on bug bounty:
- Bug bounty forum
- Bug bounty world
- Hacker news - (News curated by community - top posts are most relevant)
- Hacksplaining - (Security training for developers)
- VulnHub - (Provide materials that allows anyone to gain practical 'hands-on' experience in security)
- LiveOverflow - (Place to learn about topics such as buffer/heap overflows, reverse engineering, vulnerability analysis, debugging, fuzzing and hacking in general)
- You can connect with famous hackers by following them on Twitter, LinkedIn and Facebook.
- Here is the list of hackers you must follow on Twitter:
Ask Questions
You can ask about your doubts by posting your question in a community like the Facebook Bug Bounty POC group. I suggest you do not ask inappropriate questions of any infosec professional.
You should be technical while asking a question; do not ask anyone "Can you teach me how to start in bug bounties?"
There is no one who can teach you the whole thing, but people can guide you in their own way. No one can spoon-feed you everything.
While asking someone a question, please do not expect a quick response from them. No one is free; they have their own schedules, so you have to be patient, and if you didn't get a response, please do not ping them unnecessarily.
Motivation
- Learn tips and techniques
- Be challenged
- Have fun
- Make money
- Advance one’s career
- Do good in the world & help others
- Protect and defend
- Show off
- Challenge one’s abilities
- Learn new areas in IT - it_skill++
- Potential main source of income
- Bug bounty, Pen-testing, internal security expert
- Emerging market for cyber security
- Write blogs about you findings
Certifications
- OSCP, OSCE by Offensive Security
- CEH - certified ethical hacker
- CISSP, Security+
- + a lot more
- Not needed when starting out in security/bug bounty
- Mainly a formal requirement in job descriptions
Conclusion
- Work hard
- Acquire the right skills
- Follow the methodology
Finally, hacking is not a one-day learning process; you should practice, practice, and practice to become good in this field. No technology is perfect. If you don't find bugs in your first stage, do not lose hope; try harder and harder and I am sure you will pass this phase too. I hope you all enjoyed this article. I will collect all the bounty tips in one place later, so stay tuned. Until then, thanks for reading, signing off.
And this article is incomplete without a GIF.
Credits: I am thankful to Ajay Kulal and Ranjit Pahan for proofreading this post.
Feedback is truly welcome and appreciated; you can share your feedback with me at the links below.
Very nice... Good going.. Keep it up
Good job bro