
Getting started with Bug Bounty!


Hey guys, hope you all are doing well.
I started my journey in bug bounties around 1.5 years ago, and I am thankful to all the members of the security community who share their knowledge with the community.
I have learned a lot from them and I am still learning new things daily from fellow hackers; hacking is a continuous process and ultimately reflects a state of mind.
I have received a lot of messages from people asking me how to start and where to start in bug bounties, so I have decided to write a blog post containing as much information as I can that will help beginners.

Quote: "Hacking is a lifelong journey of learning."

Table of Contents
  • Introduction
  • Reading
  • Practicing
  • Connect with community
  • Ask Questions
  • Motivation
  • Certifications
  • Conclusion
Introduction

What is bug bounty?
To get a basic understanding of the role, the name itself is quite self-explanatory. A bug bounty hunter looks for bugs in applications and platforms, reports them to the company responsible, and is compensated for doing so. Numerous companies run established bug bounty programs with predefined rewards.
For instance, Google runs its Security Bug Bounty Program, under which it has defined rewards of up to $31337 for Remote Code Execution (RCE) and server-side issues, bypassing significant security controls, and more. Other companies like Facebook and Microsoft have their own bug bounty programs, and some other tech giants like Shopify, Twitter and Uber host their bug bounty programs on HackerOne.

There are two different fields; you can choose your own way:
  • Web Application Penetration Testing.
  • Mobile Application Penetration Testing (Android and iOS).
Whichever you choose:
  • Learn how to program.
  • Get one of the open-source Unixes and learn to use and run it.
  • Learn how to use the World Wide Web and write HTML.
  • If you don't have functional English, learn it.
  • Adopt a "try harder / never give up" mindset.

Reading

If we haven't made that clear yet, there's no fixed way of becoming a bug bounty hunter. Looking at the reports mentioned earlier will make it clear that hackers can be self-taught or trained in a classroom; they can be experienced infosec professionals doing this as a hobby, or students doing this for skill development or just for fun on the side.

You should focus on the basics, and you can learn these basics from:
  1. Reading lots of books.
  2. Reading disclosed HackerOne reports (recommended).
  3. Reading articles, blogs and write-ups from your fellow hackers as much as you can.
  4. Conferences.
  5. Online platforms for security education.
  6. CTFs.
Books I prefer:
YouTube channels that you must subscribe to:

Practicing

Since the web remains the widest ground for potential bugs, it retains its top position as the most preferred target area, followed closely by network penetration testing. Social engineering is relatively new in the top five but has become increasingly relevant in recent years.
Just like the skills and target areas, the tools and methodologies required to become a bug bounty hunter are also quite diverse. Going by the preferred techniques, attack vectors and methods in the reports mentioned earlier as well as other sources, these are the top five areas to focus on:
  1. RCE
  2. XSS
  3. SQL Injection
  4. Fuzzing and Information Gathering
  5. Business Logic
Before you start testing any website, you should practice on vulnerable apps.
Here is a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)
Tools You Should Practice With

Web Application:
  • Burp Suite - An integrated platform for performing security testing of web applications.
  • Sqlmap - An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
  • Assetfinder - Find domains and subdomains related to a given domain. (Thanks @tomnomnom)
  • Amass - In-depth subdomain enumeration tool that performs scraping, recursive brute forcing, crawling of web archives, name altering and reverse DNS sweeping.
  • Sublist3r - For subdomain enumeration.
  • Aquatone - A tool for visual inspection of websites across a large number of hosts; convenient for quickly gaining an overview of HTTP-based attack surface. (Amazing tool by michenriksen)
  • DirBuster - Brute-force/dictionary attack on a web server to find hidden directories.
  • Dirsearch - A simple command line tool designed to brute force directories and files on websites.
  • http://pastebin.com - Paste code/text with syntax coloring.
  • HackBar - XSS/SQL tests.
  • EditThisCookie - Edit cookies; can lock a cookie.
  • https://dnsdumpster.com - Free domain research tools; find subdomains.
  • https://pentest-tools.com/home - Subdomain brute-force; not 100% free.
  • Wfuzz - Web brute-forcer/enumerator.
  • S3 bucket finder - Brute-force S3 bucket names.
  • Nmap - Find open ports and hidden services.
  • Gitrob - Find sensitive information in GitHub repositories.
  • Wayback Machine - Find old URLs.
Mobile Application:
  • Dex2jar - Useful for converting dex files into jar files to decompile the application.
  • Appium - An open-source tool for automating native, mobile web, and hybrid applications on iOS and Android platforms.
  • Apktool - Reverse engineering of Android APK files. (Thanks @planetzuda)
  • NinjaDroid - Ninja reverse engineering of Android APK packages. (Thanks @geekspeed)
  • Objection - Mobile exploration toolkit, a wrapper around Frida.
  • uber-apk-signer - Signing APKs.
Once you're armed with knowledge and the right tools, you're ready to look for some bugs to squash. Companies will often have a link somewhere on their website offering bug bounties, but they can be hard to find. You're better off checking a bounty board where hackers read publicly disclosed vulnerability reports and update an active list daily, like these:
Note: I suggest that all beginners do not use automated scanning tools; they produce 95% false positives.

Connect with community

The bug bounty community consists of hunters, security analysts, and platform staff helping one another get better at what they do.
Get involved with successful bug hunters to take guidance from them, get new ideas and learn faster.
Recommended communities focused on bug bounty:

Ask Questions

You can ask about your doubts by posting your question in a community like the Facebook "bug bounty poc" group; I suggest you do not ask inappropriate questions of any infosec professional.

Be technical when asking any question; for example, do not ask anyone "Can you teach me how to start in bug bounties?"
There is no one who can teach you everything, but people can guide you in their own way; no one can spoon-feed you everything.
When asking someone a question, please do not expect a quick response from them: no one is free, they have their own schedule, you have to be patient, and if you don't get a response please do not ping them unnecessarily.

Motivation

  • Learn tips and techniques
  • Be challenged
  • Have fun
  • Make money
  • Advance one's career
  • Do good in the world and help others
  • Protect and defend
  • Show off
  • Challenge one's abilities
  • Learn a new area in IT - it_skill++
  • Potential main source of income
  • Bug bounty, pen-testing, internal security expert
  • Emerging market for cyber security
  • Write blogs about your findings
Certifications
  1. OSCP, OSCE by Offensive Security
  2. CEH - Certified Ethical Hacker
  3. CISSP, Security+
  4. + a lot more
  5. Not needed if starting with security/bug bounty
  6. Mainly a formal requirement in job descriptions

Conclusion
  1. Work hard
  2. Acquire the right skills
  3. Follow the methodology
Finally, hacking is not a one-day learning process; you should practice, practice, and practice to become proficient in this field. No technology is perfect, so if you don't find bugs in your first stage do not lose hope; try harder and harder and I am sure you will pass this phase too. I hope you all enjoyed this article. I will collect all the bounty tips in one place later, so stay tuned. For now, thanks for reading, signing off.

Credits: I am thankful to Ajay Kulal and Ranjit Pahan for proofreading this post.

Feedback is truly welcome and appreciated; you can share your feedback with me at the links below.
