A Simple Roadmap to Bug Hunting(Web)

Hey Folks! My name is Nitish Sharma and here’s my first write-up and i thought of sharing the most popular topic in this field for new comers.

Introduction

I’ve spent months reading articles on the same topic(Getting started in bug hunting) repeatedly and i know there’s a lot of struggle to get started in bug bounty, So without wasting time let’s jump into it.

The Basics(Theory)

To get started anything you first have to make a base and this is the most crucial thing that every beginner underestimate and almost skip.After reading a lot of articles, given below are the things that every beginner should clear.

Networking

1. Learn working of networking devices such as Switch, Router, Hub and Modem.
2. OSI Model, Mac Address, Subnet, TCP3 by handshaking, IPV4 vs IPV6,
3. Protocols to learn- HTTP, HTTPS, TCP/IP, UDP, UDSP etc
4. Learn How the web works(I think the most important)

Languages to be cover:

1. Basic HTML, JavaScript, PHP and CSS.
2. Python and Bash.
3. SQL( This is not a language but learning it will help you a lot )

Computer related things:

1. Different OS like Windows, and Other Linux distribution system.
2. Learn how to use windows command line and as well as linux command line.
3. Computer booting process

And that’s it for the basics, although there’s a lot of things to learn but that’s totally depends on your interest.

Resources to follow:

1. Books:

1. Web Application Hacker’s Handbook 2(The Bible)

2. The Hacker’s Playbook 1,2 and 3

3. Web Hacking 101

4. Real World Bug Hunting by Peter Yaworski.

5. Mastering Modern Web Application

2. Learn OWASP Top 10

Following these will help a lot

1. Twitter:

1. jason haddix

2. nahamsec

3. tomnomnom

4. heath adams

5. stok

2. Youtube:

1. Spin the hack(Hindi language)

2. Stok(English language)

3. Nahamasec(English language)

4. Hackluke (English language)

5. Liveoverflow(English language)

6. Bitten Tech(Hindi language)

Practical

3. Practical Labs(Free and Paid):

1. DVWA(Free)

2. Portswigger(Free)

3. Pentester Lab(Paid)

4. Pentester Academy(Paid)

5. Tryhackme(Free and Paid, Personally Recommended)

6. Hack The Box(Free and Paid)

Master Burpsuite

You can find a lot of bugs just understanding this tool.

My Tips:

1. First, my recommendation is to clear the basic and then jump into it.
2. Now, you have cleared the basics and know how a web app works, i recommend you to follow the “One Bug At a Time” approach.
3. I know the feeling of “Am i ready to hunt or when is the perfect time to hunt?”, So despite getting yourself confused with these questions, just pick a bug, learn it and start hunting.
4. Choose a target that is less crowded, that means, start with VDPs which provide Swags, HOF(Hall Of Fame) and after that jump into rewarding programs.
5. And guys burnouts will come and maybe you’ll end up getting frustrated and demotivated, so try to not to get demotivated , Good things takes time.

Stay Tuned!! i will be now sharing more articles with you guys.

PS: Sorry for any grammatical errors and feel free to correct any mistake.