Getting started in Bug Bounty
While I write this up, it’s already 09–Nov–2018, Here in India, Today I’ve completed 5 good years on HackerOne. ❤
I will always be thankful to the whole information security community ❤
How to get started in Bug Bounties is a common question nowadays and I keep on getting messages on day to day basis. It’s not possible for me to respond to each and every message, so I thought I’d rather do a blog post and would direct all those beginners to this blog post.
I’ve been in bug bounty field for 5 years now. still, there is so much to learn each and every day, I'm yet not an expert and this post is NOT an expert advice. I am just sharing, what I’ve achieved in the past 5 years and doing continuously to improve my skills.
- Basic Technical things to get started.
- Choosing your initial path
- Books — I regularly take references from
- Youtube channels & playlists
- Practice! Practice! practice
- Tools you should master (*tool)
- Bug bounties and Mental Health
- Blogs you should follow
- Follow cool guys on Github
- Follow Active bug bounty guys on twitter
- Credits and Closing meme.
I’ve seen a lot of folks in Bug Hunting Community saying “I am not from the technical field that’s why I am not successful in bug bounty”.
This is the misconception that someone needs to be from the computer science background to be good in bug bounties. Being from the computer science background helps but it is not compulsory but you have to learn the computer science fundamentals yourself. So, If you are from the non-technical background you should get started only if you’re more interested in learning about the information security not ONLY interested in $$$$.
I am too from a Mechanical Engineering background but I am very much interested in the information security field from school time but joined mechanical field with the advice of family members but my main focus always been to Information security.
I can tell you many stories where people from the non-technical field are successful in the bug bounty or infosec field.
But, All of them have one thing in common that is “INTEREST” and willing to do the “‘hard-work’”.
If you think you will become successful overnight or over the week or over a month, this is not a field you should join. Doing bug bounties are very competitive, it might take a year at least to do good in bug bounty. you have to continue your learning, sharing & more and more practice. You must-have curiousness to learn about new things and explore the field on your own. There is huge education content out there for free.
Do not pay individuals telling you to make you successful in bug bounties overnight. Most of them are scammers.
The following are the things you should know before starting in infosec.
No one will be able to tell you everything about this field, It’s a long path but you have to travel it alone with help from others.
“Do not expect someone will spoon feed you everything.”
How to ask a question?
You should behave responsibly when asking a technical question to someone.
You shouldn’t ask like “Here is the endpoint, can you please bypass the XSS filter for me?”
You should be on point when you ask a problem — that’s it.
You should not expect people will respond to you within minutes. They will respond as soon as they get free times or they might not respond at all because of their busy schedule or whatever reason. You should also respect that — do not ping someone unnecessary.
How to find Answer to every question?
This is what I did previously, Doing now and will definitely do in future. Using “Google” for everything. (you can use other search engines too :P )
2. Basic Technical things to get started.
I am assuming you have a basic understanding of how things work on the internet.There are many things you have to learn but I cannot list of all of them here. I’m listing a few important topics and you should learn more by yourself.
Linux — Command line
It’s also very important to have a better understanding about different types of vulnerabilities, as soon as you can, I’ve added Web Application Security Basics section below.
3. Choosing your initial Path
Choosing a path in the bug bounty field is very important, it totally depends upon the person’s interest but many of the guys choose the web application path first because according to me it’s the easiest one.
- Web application Security testing
- Mobile Application Security Testing
But not limited to these two. it totally depends upon the type of interest you have.
Web Application Security Basics.
Start from the 2010 list, so you can understand the types of vulnerabilities were in the top in 2010, what happened to them in 2017. you will understand it by learning about them and practice them
You don’t have to finish the testing guide and then start working, you should start working on the live (legal) targets, that's the only way you can improve your skills.
Mobile Application Security Testing.
As you get more experience you are free to switch between anything you like :)
One stop for all mobile application security need,
Mobile Security Wiki by Aditya Agrawal
AppMon - AppMon is a runtime security testing & profiling framework for macOS, iOS and android apps. It is useful for…mobilesecuritywiki.com
Application security Wiki also by Aditya Agrawal
5. Youtube Channels And Playlist.
You probably know about my channel. Here's a bunch of other content I enjoy. Patreon Pages of Cool People…www.youtube.com
Hi, I'm Pete. I develop video tutorials about the various things I'm learning related to web development and hacking…www.youtube.com
Security Conference talks you should watch
Akhil George — Created a playlist for bug bounty talks on Youtube.
How to Shot Web by Jason Haddix
6. Practice! Practice! Practice
It’s pretty important to keep yourself updated with the trends and new vulnerabilities. While playing around with the server information disclosures, keep a close eye on publicly available exploits to escalate the attack.
You can start working on vulnerable applications.
- Bug Bounty Notes
- Damn Vulnerable Web application
- XSS Game by Google.
- hack me
Setting up Security testing labs — I’ve written detailed blog posts. you can be find them below:
I am setting up a new lab for me and thought to document the process, so anyone wants to do same can take references…medium.com
Bug Bounty Platforms — These are the great places to test your skill.Do not get discouraged if you haven’t found anything — you still have learned the reward of Experience, that is more important.
Twitter # tag you should follow
7. Tools you should master (*tool)
Burp Suite —
You should start practice using the Burp Suite free version or the community edition and start working on bug bounty programs and as soon as you got sufficient bounty, purchase the Burp Suite Professional edition. You will not regret it.
Note: Do not use the pirated version of the Burp Suite professional, You should respect the great work Portswigger team is doing.
There are too many free resources out there to learn more about Burp Suite pro but If you are willing to invest some money. I can recommend the following things.
For information gathering or reconnaissance — I’ve Written a detailed blog post on the same topic. you can find it below:
8. Bug bounties and Mental health.
Bug bounty field is a very competitive and you should also take care about your physical and mental health, that’s very important. nothing else matters. My good friend Nathan wrote a great post on this topic.
You should definitely read it.
9. Blogs you should follow —
How I made LastPass give me all your passwords " Hacking Slack using postMessage and WebSocket-reconnect to steal your…labs.detectify.com
A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub…medium.com
Making sense of application security for everyone. Follow us to get a pragmatic view of the landscape including hacks…blog.appsecco.com
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive…medium.com
There are other great blogs out there, I can’t list them all, you need to find them according to your need.
10. Follow cool guys on Github.
Penetration tester from Australia. Current maintainer of NoSQLMap, VHostScan, Reconnoitre. Co-contributor to subfinder…github.com
Doing security stuff! Automating things because of my laziness to the fullest. - Ice3man543github.com
Fixaholic, problem solver, coder, Go lover, car modifier, hedonist, AV nerd, knife enthusiast, foodie, not really a…github.com
Security Researcher, Red Team Manager, Gopher, Founder and Project Lead of OWASP Amass - caffixgithub.com
Web developer reconverted to security researcher, playing bug bounty sometimes :) - gwen001github.com
Consider donating small part of your bounties to them to support their open source contribution or you can contribute in other ways too. Only If they accept donation.
11. Follow Active Bug Bounty Hunters on Twitter (But not limited to this list)
The latest Tweets from Frans Rosén (@fransrosen). Dev/Security/Founder at @centrahq/@detectify/@shipwallet. Stockholm…twitter.com
The latest Tweets from Mathias Karlsson (@avlidienbrunn). Web security fiddler. Bug bounty bastard. CTF with…twitter.com
The latest Tweets from dawgyg@Home (@thedawgyg). Wall of Fame: Yahoo, Mail.Ru, Mapbox, Imgur, GM, Adobe, AOL, Zynga…twitter.com
The latest Tweets from Olivier Beg (@smiegles). Head of researchers at @zerocopter, Co-founder @bugbountyforum…twitter.com
The latest Tweets from Jobert Abma (@jobertabma). I tweet about security and my experience as a hacker. Co-founder of…twitter.com
The latest Tweets from STÖK (@stokfredrik). Hacker - Creative - Red Team Lead - Advisor - Conscious Fashion store owner…twitter.com
The latest Tweets from Gerben Javado (@gerben_javado). Security Engineer @Facebook. Into bug bounties. Personal…twitter.com
The latest Tweets from Tanner (@itscachemoney). Somewhere between a builder and a breaker. San Francisco, CAtwitter.com
The latest Tweets from Ben Sadeghipour (@NahamSec). Hacker | Co-founder @bugbountyforum | Hacker Operations Lead…twitter.com
The latest Tweets from Yassine Aboukir (@Yassineaboukir). Wearing my security analyst hat @Hacker0x01 by day and put on…twitter.com
The latest Tweets from Geekboy (@emgeekboy). Full time bug bounty hunter 💥💥. Indiatwitter.com
The latest Tweets from Patrik Fehrenbach🤖 (@ITSecurityguard): "I recently scored a 4000$ bounty by using visual recon…twitter.com
The latest Tweets from Ed (@EdOverflow). Web developer & security researcher. | FA98 07A5 F836 9C61 A8C2 AC3B A4A3 3C72…twitter.com
The latest Tweets from Nathan (@NathOnSecurity). Infosec and such. "Confront the culture of power with the power of…twitter.com
The latest Tweets from Th3G3nt3lman (@Th3G3nt3lman). Security Researcher / Bug Bounty Hunter / Red Devil. Hashemite…twitter.com
The latest Tweets from Uranium238 (@uraniumhacker). Tweets does not mean endorsement and does not represent employers'…twitter.com
The latest Tweets from Santiago Lopez (@santi_lopezz99). 1# researcher on @Hacker0x01 #bugbounty. Insta…twitter.com
The latest Tweets from Rahul Maini (@iamnoooob). https://t.co/F8Xu6Nh4Wb | https://t.co/ZCLtc0QXbx |…twitter.com
The latest Tweets from Brett Buerhaus (@bbuerhaus). Blizzard Entertainment. Digital bounty hunter. Co9.io. 26-9-15-20…twitter.com
The latest Tweets from Harsh Jaiswal (@rootxharsh). You know. Indore, Indiatwitter.com
The latest Tweets from Paresh (@Paresh_parmar1). bugbounty hunter/ gamer /. Ahmedabadtwitter.com
The latest Tweets from Joel Margolis (@0xteknogeek). Mobile security researcher, bug bounty hunter. RIT dropout. AppSec…twitter.com
The latest Tweets from Abdullah Hussam (@Abdulahhusam). I don't trust bio. Iraqtwitter.com
The latest Tweets from zseano💫 (@zseano). WebApp Security Researcher with a focus on bugbounties which lead me to…twitter.com
The latest Tweets from Parth Malhotra (@Parth_Malhotra): "Yay, I was awarded $18,000 in bounties on @Hacker0x01 from…twitter.com
The latest Tweets from Prateek Tiwari (@prateek_0490). Security @Zomato | Security Nerd | I do nothing but eat, drink &…twitter.com
The latest Tweets from Pranav Hivarekar (@HivarekarPranav). REST-API Lover | Loves #bugbounty | Proud INDIAN 😎 Runs…twitter.com
The latest Tweets from Jigar Thakkar (@jigarthakkar39). Security Researcher | Pentester | Logical Thinker | Application…twitter.com
The latest Tweets from nikhil (@niksthehacker). SRT member at @SynackRedTeam , Bug Bounty Hunter at @Hacker0x01 …twitter.com
The latest Tweets from Rishiraj Sharma (@ehrishiraj). Application Security Engineer at SecurityEscape. Indiatwitter.com
The latest Tweets from pwnmachine 👾 (@princechaddha). OSCP | Synack Red Team | Eat Sleep Pwn Repeat…twitter.com
The latest Tweets from Bull (@v0sx9b). Because i had to.....| https://t.co/bkoGpbvpqP | https://t.co/jBwjU1nqnv |…twitter.com
The latest Tweets from naffy (@nnwakelam). CEO of Hackers Helping Hackers. My tweets are my own. STC is the greatest…twitter.com
The latest Tweets from shubs (@infosec_au). continuous security, @assetnote hack the planet, @hackershelping. halcyontwitter.com
The latest Tweets from Inti De Ceukelaire (@securinti). Ethical hacker and bug bounty hunter. Founder of…twitter.com
The latest Tweets from Artem (@mskwsky): "That feeling when you do not want to leave Kiev. Thank you @HackenProof for…twitter.com
The latest Tweets from Bhavuk Jain (@bhavukjain1). Programmer https://t.co/St09FSu3Dw. Delhi, Indiatwitter.com
The latest Tweets from Avinash Jain (@logicbomb_1). Lead Infrastructure Security Engineer @groferseng | DevSecops |…twitter.com
The latest Tweets from Emad Shanab (@Alra3ees). Lawyer & Ethical Hacker & Every Law has its own Bugs…twitter.com
The latest Tweets from Ebrahim Hegazy (@Zigoo0). #H1_Triage team member & Vulnerabilities Hunter since 2013. Egypttwitter.com
The latest Tweets from Yasser Ali (@garagosy). Someone who adores Information Security!. Dubai, United Arab Emiratestwitter.com
The latest Tweets from Akhil Reni (@akhilreni_hs). I TWEET AS AKHIL RENI !twitter.com
The latest Tweets from ak1t4 🇦🇷 (@akita_zen). [ Bug Bounty Hunter - Zen Monk] "Beautiful things don't ask for…twitter.com
The latest Tweets from mongo (@mongobug). I like bug bounty programs and breaking things other people built. ::1twitter.com
The latest Tweets from Arbaz Hussain🐛 (@ArbazKiraak). cat /etc/arbaz | grep Machine Learning && Bug Hunter 👨🏭…twitter.com
and others ❤ can’t add everyone here.