A Simple Roadmap to Bug Hunting(Web)
Hey Folks! My name is Nitish Sharma and here’s my first write-up and i thought of sharing the most popular topic in this field for new comers.
Introduction
I’ve spent months reading articles on the same topic(Getting started in bug hunting) repeatedly and i know there’s a lot of struggle to get started in bug bounty, So without wasting time let’s jump into it.
The Basics(Theory)
To get started anything you first have to make a base and this is the most crucial thing that every beginner underestimate and almost skip.After reading a lot of articles, given below are the things that every beginner should clear.
Networking
- Learn working of networking devices such as Switch, Router, Hub and Modem.
- OSI Model, Mac Address, Subnet, TCP3 by handshaking, IPV4 vs IPV6,
- Protocols to learn- HTTP, HTTPS, TCP/IP, UDP, UDSP etc
- Learn How the web works(I think the most important)
Languages to be cover:
- Basic HTML, JavaScript, PHP and CSS.
- Python and Bash.
- SQL( This is not a language but learning it will help you a lot )
Computer related things:
- Different OS like Windows, and Other Linux distribution system.
- Learn how to use windows command line and as well as linux command line.
- Computer booting process
And that’s it for the basics, although there’s a lot of things to learn but that’s totally depends on your interest.
Resources to follow:
- Books:
1. Web Application Hacker’s Handbook 2(The Bible)
2. The Hacker’s Playbook 1,2 and 3
3. Web Hacking 101
4. Real World Bug Hunting by Peter Yaworski.
5. Mastering Modern Web Application
2. Learn OWASP Top 10
Following these will help a lot
1. Twitter:
1. jason haddix
2. nahamsec
3. tomnomnom
4. heath adams
5. stok
2. Youtube:
1. Spin the hack(Hindi language)
2. Stok(English language)
3. Nahamasec(English language)
4. Hackluke (English language)
5. Liveoverflow(English language)
6. Bitten Tech(Hindi language)
Practical
3. Practical Labs(Free and Paid):
1. DVWA(Free)
2. Portswigger(Free)
3. Pentester Lab(Paid)
4. Pentester Academy(Paid)
5. Tryhackme(Free and Paid, Personally Recommended)
6. Hack The Box(Free and Paid)
Master Burpsuite
You can find a lot of bugs just understanding this tool.
My Tips:
- First, my recommendation is to clear the basic and then jump into it.
- Now, you have cleared the basics and know how a web app works, i recommend you to follow the “One Bug At a Time” approach.
- I know the feeling of “Am i ready to hunt or when is the perfect time to hunt?”, So despite getting yourself confused with these questions, just pick a bug, learn it and start hunting.
- Choose a target that is less crowded, that means, start with VDPs which provide Swags, HOF(Hall Of Fame) and after that jump into rewarding programs.
- And guys burnouts will come and maybe you’ll end up getting frustrated and demotivated, so try to not to get demotivated , Good things takes time.
Stay Tuned!! i will be now sharing more articles with you guys.
PS: Sorry for any grammatical errors and feel free to correct any mistake.