Turning your time into bugs — zseano’s thoughts

Despite the fact i’ve complained that bugbounties have some problems, no other job out there enables you to sit in the comfort of your own home legally hacking websites in turn for money, and sometimes big money. Money is a massive factor in why people do bugbounties and it’s why many started them in the first place, however sadly a lot of people will end up spending hours finding nothing.

So, in this post I intend to give you some personal tips & advice on how to be successful in bugbounties and turn your time into bugs.

Firstly, be warned: Bugbounties are a risk as to when you will get paid, if you dupe someone, etc. Without risk there is no reward and before you start doing bugbounties you need to learn this. The industry is still growing and expanding. I can not express it enough that to be a successful hacker you have to find what works for you. Yes some payloads are “Do this, do that”, but when really digging into an application and doing recon etc, working out your own strategy will help you massively in being successful. Take a mental note of this!

You need to understand that when hacking you are literally limitless as to what you can try. Inject things into headers, try params. You are in FULL control, there is no failing, just learning!

Finding a target

The big question. “How to find a target?”, “Who do I hack on?”. When I got removed from one of my favourite programs on Bugcrowd for a disagreement I was faced with this very question. I will admit, I felt a bit lost on who to hack on and what to do so I focused on my own skills and it’s a major reason I started BugBountyNotes. I wanted to create a platform to share what i’ve been learning to help others going down my path and help them avoid the mistakes i’ve made and to help them further their learning.

I kept on trying to improve my hacking skills and was jumping from program to program finding random easy low hanging fruits bugs until I found a sweet spot. Remember what I said earlier, to be a successful hacker you have to find what works for you. And you also need to remember, nothing lasts forever and I know that eventually a dry spot of bugs will be on the horizon but when some companies are paying up to $20,000 for RCE, you need to be okay with that dry spot. That’s your relax time and time to work on yourself. We all deserve a break and you can’t hack 24/7.

No one can say “Go hack here, go hack there”. Sorry.. but it’s about what works for you. Ask all of the recon gods, the og hackers. Everyone has their own methodology when it comes to hacking & finding bugs, start writing your own hacker story and soon people will be asking how YOU found a certain bug. Seriously. I have personally mentored a few people 1 to 1 and they are finding bugs easily on their own. All it takes is getting yourself in that right mindset, especially if you want to do this full time.

With that said, here are my tips on helping you find a program:

  • Find the programs with big scopes. Lots to play with, new code pushed daily etc. Navigate the webapps and start learning how they work. The more you test and learn, the more likely you are to find a bug. There are lots of PUBLIC programs out there with bugs still on them, trust me! Do NOT be afraid to spend time on public programs. I personally found stored XSS on a very well-tested public program recently. Only jump from program to program when trying to find a new ‘home’ for the next few months, and then really dig your teeth into it. Don’t forget all of the other advice i’ve given you before: mobile apps, change country, user agent etc. You are limitless to what you can try!
  • Not every bugbounty program is on HackerOne, Bugcrowd, Synack, Intigriti. Expand your scope, there are lots of companies out there who want to work with security researchers. Put the time in to look around and see what’s available. Again if you want to do this full time, you’ve gotta put in the work :)
  • Know exactly what you want to achieve. For example for the last week i’ve been focusing on nothing but IDOR and i’m specifically looking for features which may contain an ID which I can try manipulate. I’ve done it so many times, open a target and start testing everything & anything. I have myself got burnt out pretty quickly from doing this. Set a goal!!! I feel this is a major reason a lot of people spend hours finding nothing. Blindly looking for the needle in the haystack.
  • Read, learn, practise & adapt. There are *SO* many disclosed bugs out there with amazing writeups attached. Keep up to date with what people are finding and on what programs. Practise your hacking skills on the various sites available. Test the bugs disclosed and see if you can break the patch, may get a nice payout of $12,000 like ngalog: https://hackerone.com/reports/409395 — he didn’t even have to find the vulnerable endpoint, it’s all in the disclosed report for him :)

Making your life easier

As with everything in life it can’t all be up and there are times you will feel like you’re finding nothing. The sooner you realise this may happen, the better. It can make you feel really sh!tty when people are sharing cool bugs and you’re sat there like.. :(( finding nothing over here! I’ve been there soooo many times.

But don’t fret. Because what has gone down, usually always comes back up. Here are some common mistakes i’ve made in bugbounties and my tips on avoiding burn out & staying sane:

  • Too much hacking. Yes it’s a thing, chasing the money, chasing the bugs. If you’re hitting a blank wall with everything you try, it’s time to either switch over to a new program, change goal as to what you’re trying to achieve, or simply take a break and ask yourself, “Is this site just THAT secure now.. or am I missing something?”.
  • Too much of a break.. but saved by your notes. Yup, i’ve taken a month out from hacking before and when I came back I was like.. “Sh!t, where do I begin?”. But this is why taking notes is CRUCIAL in staying successful. Write down the parameters, endpoints etc you’ve found vulnerable/interesting. Help yourself and give yourself somewhere to pick straight up from. I use Sublime Text Editor and I have a long list of random endpoints I revisit every now and again with new techniques i’ve learnt. Some endpoints disappear, but some have ended in bugs eventually (with some really weird bypasses).
  • I mentioned it before, but set a goal, seriously. Don’t wake up and think “Oh i’ll hack today… but where to begin?” Enter burn out before you’ve begun! Know exactly what type of report you want to be writing tonight for this program :)

Finding your first bug

As explained above it can be quite hard to tell people “Do this, do that. Get this result!”. If only hacking worked like that :) However here are my top tips for thinking outside the box and landing your first bug.

  • Real simple, but test the mobile web version (if available) and don’t forget to check iPad. Your reflection on the desktop site may be vulnerable on the mobile version. I have found lots of XSS that wasn’t vulnerable on the desktop but as soon as I switched to a mobile UA, it worked. Funny that :D
  • Change your country! Different geo locations have different features. Did you also know that here in the UK every site we visit has GDPR popups? ;) Oh you’d be surprised how many bugs i’ve found from that :) Do not forget to try out paid features (try test with test cc details.. double the bug?!)
  • Know what you want. I know i’m repeating myself but seriously. Open a site and think, “I want to really understand how the login flow works” and start poking. Compare that to “Oh I will hack today.. but who? And what am I looking for?” — Enter confusion before you’ve begun! If you want something that bad, you will do what it takes to get it. If you are just chasing $$$ then i’m sorry but you will fail :/ Hacking is fun, forget the $$$! (seriously.. it is very stressful waiting to get paid, it is not good to get too attached to the money, you will start to hate hacking)
  • Don’t rely on scanners when you have the best tool already. Your creativity. A lot of people ask me about my recon but sometimes I ignore running recon scripts and actually poke at the site, manually. I find 90% of my bugs from literally just manually poking at sites and understanding how they work. Maybe this is wrong for some, but again.. find what works for you.

Final remarks

Not everything in life will always go our way, but as long as you never give up, you’ll get there. As with everything, some things take time. How badly do you want to be a hacker?

Being a hacker is meant to be fun, don’t forget that (:

Happy breaking the internet!

-zseano