Day 0: From Newb to Bounty Hunter

In about a month, I begin a job with a large internet company in Seattle running analytics for a business unit. So starting today, for the next month, I’m going to devote my free time to earning a paid bug bounty. This could be the lowest bug bounty offered on any site, but as long as the payout is money, it’ll count.

My hope is that you’ll join me on this journey to laugh with me at my mistakes and offer up suggestions! Also, hopefully I’m successful in my goal and this blog can some day serve as a kind of guide for those who may be interested in security research and ethical hacking but don’t really know where to start.

Actual image of me at a computer

whoami

I’ve always had a passing interest in infosec but never really made the plunge. My field is primarily data science and analytics focused around answering business questions. That said, I attended DefCon a few weeks ago and was super impressed by the curiosity and passion of the community.

In that sense, I’m not exactly starting from zero, as I do have programming and computer skills. To level-set, here are some of my skills/gaps:

Can do work in: Python, SQL, HTML/CSS, Unix/Linux, AWS

Can sound smart in: Javascript, PHP, Apache, Virtualization

Basically clueless: Lower level languages (C, C++, Java), Networking, Cryptography, lots and lots of other things

Getting Organized

Being a bug bounty newb, I do what newbs do and Google how to get started in bug bounty programs. After opening about 20 tabs, the general consensus is that reading is the best way to get started. After that, a good next step is trying to exploit sandbox environments. Additionally, reading successful bug bounty reports seems to make sense to me. Below is a list of resources I’ve compiled.

Note 1: I will probably update this list throughout the course of my process as more things come to my attention.

Note 2: The focus will be web applications since most bug bounty programs are focused on that domain.

Reading List

  • The Web Application Hacker’s Handbook [amazon]
  • Open Web Application Security Project (OWASP) Top 10 Vulnerabilities List [site]
  • Open Web Application Security Project (OWASP) [wiki|pdf]
  • The Hacker Playbook 2 [amazon]
  • Penetration Testing [nostarch]

In all seriousness, I’ve picked up these books and am working through them, but this blog will be focused more on hands-on learning.

Sandbox environments

These are typically intentionally insecure web applications that are out on the web or downloadable for local pentesting. They provide relatively safe targets to begin building some basic skills.

  • Damn Vulnerable Web Application (DVWA) [github]
  • Gruyere Web Applications and Defense [site]
  • OWASP Webgoat [site]
  • Pentester Lab [site]
  • Vulnhub [site]

Tutorials

There seem to be endless tutorials on hacking; here are a couple that I saw mentioned more than once.

Successful Vulnerability Reports

Reading some great examples of successful write-ups will give me an idea of the kind of thinking needed to be successful.

Bug Bounty Programs

When I’m ready, this is where I’ll test my knowledge and persistence to get paid for a bug!

If you have any suggestions or comments, please leave them below!
