Getting started in Bug Bounty
Hi Guys!
As I write this, it’s already 09–Nov–2018 here in India. Today I’ve completed 5 good years on HackerOne ❤
I will always be thankful to the whole information security community ❤
How to get started in bug bounties is a common question nowadays, and I keep getting messages about it on a day-to-day basis. It’s not possible for me to respond to each and every message, so I thought I’d rather write a blog post and direct all those beginners to it.
I’ve been in the bug bounty field for 5 years now. Still, there is so much to learn each and every day; I’m not yet an expert and this post is NOT expert advice. I am just sharing what I’ve achieved in the past 5 years and what I continuously do to improve my skills.
Index
- Introduction
- Basic Technical things to get started.
- Choosing your initial path
- Books — I regularly take references from
- Youtube channels & playlists
- Practice! Practice! Practice
- Tools you should master (*tool)
- Bug bounties and Mental Health
- Blogs you should follow
- Follow cool guys on Github
- Follow Active bug bounty guys on twitter
- Credits and Closing meme.
1. Introduction
I’ve seen a lot of folks in the bug hunting community saying “I am not from the technical field, that’s why I am not successful in bug bounty”.
This is the misconception that someone needs to be from a computer science background to be good in bug bounties. Being from a computer science background helps, but it is not compulsory; you do, however, have to learn the computer science fundamentals yourself. So, if you are from a non-technical background, you should get started only if you’re more interested in learning about information security and not ONLY interested in $$$$.
I too am from a Mechanical Engineering background. I have been very interested in the information security field since school, but I joined the mechanical field on the advice of family members; my main focus has always been information security.
I can tell you many stories where people from non-technical fields are successful in the bug bounty or infosec field.
But all of them have one thing in common: “INTEREST” and the willingness to do the “hard work”.
If you think you will become successful overnight, or over a week, or over a month, this is not a field you should join. Doing bug bounties is very competitive; it might take at least a year to do well in bug bounty. You have to continue your learning and sharing, and practice more and more. You must have the curiosity to learn about new things and explore the field on your own. There is a huge amount of educational content out there for free.
Do not pay individuals telling you to make you successful in bug bounties overnight. Most of them are scammers.
The following are the things you should know before starting in infosec.
No one will be able to tell you everything about this field. It’s a long path, but you have to travel it alone, with help from others.
“Do not expect someone will spoon feed you everything.”
How to ask a question?
You should behave responsibly when asking a technical question to someone.
You shouldn’t ask like “Here is the endpoint, can you please bypass the XSS filter for me?”
You should be on point when you ask about a problem — that’s it.
You should not expect people to respond to you within minutes. They will respond as soon as they get free time, or they might not respond at all because of their busy schedule or whatever reason. You should also respect that — do not ping someone unnecessarily.
How to find Answer to every question?
This is what I did previously, am doing now, and will definitely do in the future: using “Google” for everything. (You can use other search engines too :P )
2. Basic Technical things to get started.
I am assuming you have a basic understanding of how things work on the internet. There are many things you have to learn, but I cannot list all of them here. I’m listing a few important topics, and you should learn more by yourself.
Linux — Command line
Learning the basics of HTML, PHP, JavaScript — these are only to get started; the list never ends, it totally depends upon your interest. You have to build your interest according to your needs.
It’s also very important to get a good understanding of the different types of vulnerabilities as soon as you can; I’ve added a Web Application Security Basics section below.
3. Choosing your initial Path
Choosing a path in the bug bounty field is very important. It totally depends upon the person’s interest, but many of the guys choose the web application path first because, in my opinion, it’s the easiest one.
- Web application Security testing
- Mobile Application Security Testing
But it’s not limited to these two; it totally depends upon the type of interest you have.
Web Application Security Basics.
- OWASP Top 10 for 2010
- OWASP Top 10 for 2013
- OWASP Top 10 for 2017
Start from the 2010 list, so you can understand which types of vulnerabilities were at the top in 2010 and what happened to them by 2017. You will understand it by learning about them and practicing them.
You don’t have to finish the testing guide before you start working; you should start working on live (legal) targets, as that’s the only way you can improve your skills.
Mobile Application Security Testing.
As you get more experience you are free to switch between anything you like :)
One stop for all mobile application security needs:
Mobile Security Wiki by Aditya Agrawal
Application security Wiki also by Aditya Agrawal
5. Youtube Channels And Playlist.
Security Conference talks you should watch
Akhil George — created a playlist of bug bounty talks on YouTube.
How to Shot Web by Jason Haddix
6. Practice! Practice! Practice
It’s pretty important to keep yourself updated with the trends and new vulnerabilities. While playing around with server information disclosures, keep a close eye on publicly available exploits to escalate the attack.
You can start working on vulnerable applications.
- Hacker101
- Bug Bounty Notes
- Pentesterlab
- Hackthebox
- Damn Vulnerable Web application
- XSS Game by Google.
- Vulnhub
- hack me
Setting up security testing labs — I’ve written detailed blog posts; you can find them below:
Bug Bounty Platforms — these are great places to test your skills. Do not get discouraged if you haven’t found anything — you have still earned the reward of experience, which is more important.
Twitter #tags you should follow
7. Tools you should master (*tool)
Burp Suite —
You should start practicing with the Burp Suite free version or the Community Edition and start working on bug bounty programs; as soon as you have earned sufficient bounty, purchase the Burp Suite Professional edition. You will not regret it.
Note: Do not use a pirated version of Burp Suite Professional; you should respect the great work the PortSwigger team is doing.
There are many free resources out there to learn more about Burp Suite Pro, but if you are willing to invest some money, I can recommend the following:
- An online course by Pranav Hivarekar — Burp Suite Mastery
- Burp Suite Essentials by Akash Mahajan
For information gathering or reconnaissance — I’ve written a detailed blog post on the same topic; you can find it below:
8. Bug bounties and Mental health.
The bug bounty field is very competitive, and you should also take care of your physical and mental health; that’s very important, nothing else matters. My good friend Nathan wrote a great post on this topic.
You should definitely read it.
9. Blogs you should follow —
There are other great blogs out there; I can’t list them all, so you need to find them according to your needs.
10. Follow cool guys on Github.
Consider donating a small part of your bounties to them to support their open source contributions, or you can contribute in other ways too. Only if they accept donations.
11. Follow Active Bug Bounty Hunters on Twitter (But not limited to this list)
And others ❤ I can’t add everyone here.
12. Credits
Thanks to these awesome guys, Prateek Tiwari, Rishiraj Sharma & Geekboy, for proofreading this post :)
Feedback is always welcome.
Until next time