Learning path for Bug Bounty

Udit Bhadauria
Published in Hackcura
11 min read, Jul 29, 2020

Audience:

The target audience of this blog is mainly absolute beginners, people thinking about getting started in bug bounty, or people planning to change their field. So if you’re any of them, I think the content and path will work for you, and if you’ve been in this field for a while, a humble request: share it and help spread the word. :)

Source of motivation to write this blog:

I was actually getting lots of queries on LinkedIn and Twitter, and most of them were asking the same common question: “HOW TO GET STARTED INTO BUG-BOUNTY OR SUGGEST SOME RESOURCE FOR LEARNING etc.” But it was really tedious to reply to all of them. So I thought, okay, I should write a blog.

So this is gonna be my first blog, and I am expecting a positive response. Criticism is welcome too :-\ but I would really appreciate suggestions or feedback to help me improve. :) I had seriously been planning to write it for the past two months, but wasn’t sure if I should write it or not. Special thanks to Manasjha (Twitter) for proofreading, listening to my points and motivating me to write this.

Why am I writing this?

InfoSec is huge. It is a really vast ocean to dive into and play around in, and so are the content and resources. Back when I started, I was getting overwhelmed: the learning resources, too much redundancy, all of it is really hard to digest for someone who has recently started exploring this field.

Well, this is not gonna be the same kind of blog where I list down all the resources (a big and fancy list). Here I am actually explaining my way of learning and the approaches that have really helped me so far, in an organized, step-by-step manner, plus a few tips and tricks and an announcement at the very end of this blog. :p

Learning Path

Start by learning a little bit about Linux and bash scripting. (Kali is of course not necessary for hacking, but I found doing stuff like this on a Linux-based OS really handy, and for bash scripting you can find basic tutorials on YouTube like this one.)
(*Knowledge of Python, JS and PHP is optional, but if you know them, that’s totally a plus point and it is surely gonna help you.)

Learn tools like Burp very well. (You can find a free tutorial on Udemy; you can go with this one.)

Set up your lab environment in the cloud. (DigitalOcean is what I prefer, and it’s free for 2 months with $100 credit; you can use my referral link to avail this offer.) I suggest picking the $15 box with 2 GB RAM and 2 CPU cores, in the NYC server location, running Ubuntu. (I personally find the NYC servers fast, and this $15 box is suitable for heavy enough tasks.) Set up your ~/.bashrc or ~/.bash_profile for the Go path (it sucks if you have never done it before); you can do this simply by running the BBHT script by Nahamsec.

Learn recon (as it will expand the scope to hack on). Do watch the first four videos with Twitch thumbnails on Nahamsec’s (Behrouz Sadeghipour) YouTube channel. (These 4 videos are very basic and will give you a very clear idea of how to set up everything on the cloud, how to utilize the power of the cloud, and a few things like how to implement the bash scripting you learned earlier in your recon workflow, bash aliases and a little bit of automation.) Note: the crt.sh part for finding subdomains with the wildcard % won’t work anymore. :( So keep this in mind.

Books are always the best resource to learn from, no matter what you’re learning. Bug Bounty Playbook by ghostlulz (management is the key, and this book explains this point well, along with things like how to set up everything, how to approach a target, and various other resources like tools, wordlists, ASN/CIDR stuff and a few famous bugs) and Web Hacking 101 by Peter Y. (it contains multiple H1 disclosed reports and also gives an idea of how to write a report for a particular bug, its general impact and description).

In the meantime, practice as well on OWASP Juice Shop (you can set this up on Heroku with a single click; you can also get some hints and walkthroughs from the great TheCyberMentor’s YouTube playlist), DVWA (the setup sucks in some places and it is really very basic) and WebGoat (this really contains some very good exercises).

For advanced attacks you can go for PentesterLab ($20 per month subscription, and for students it’s $35 for 3 months; you can sign up using my referral link). On top of that, they are just too awesome and have made some of the labs public for free; make sure you have solved all of them (go here and filter for free, and if you enjoy solving these labs, consider taking a subscription). Also WebSecAcademy by PortSwigger (this is completely free). (For reference and walkthroughs, you can follow this YouTube channel.)

Okay, enough practice :/, now it’s time to perform on the battlefield. Make an account on HackerOne/Bugcrowd (Intigriti is also good), and start with a points-only program having a wildcard scope (*.site.com). Implement whatever you have learned so far in the previous days. Bugcrowd University has some LevelUp conference talks, and trust me, these talks are a must-watch. (They will help in exploring the different domains of this field as well.)

Learning is a lifelong journey, so for getting better and making your methodology strong, pick a checklist: Bugcrowd’s VRT. OWASP is also good, but Bugcrowd breaks down the complexity and categorizes it into P1, P2, P3, P4 and P5. (This makes it very simple for any newcomer to understand it easily and well.) Okay, so go to Google and search the vulnerability names listed in this list. Every single day, try to learn a different bug class, investing time per class and its test cases according to severity (like for P4-type bugs give one day, for P3 give 2 days, for P2 give 4 days and for P1 invest a week). With time, you will find yourself covering all the different bug types.

(So it will be something like: okay, I picked the topic 2FA bypass, I went to Google and searched for 2FA bypass, and it returned various HackerOne disclosed reports, various Medium writeups etc. You will see redundancy here as well, but you might get pretty unique test cases such as getting the OTP in the response, bypassing the OTP because of a rate-limit issue, bypassing OTP protection by response manipulation and many more. Make sure you’re writing these test cases down with the bug class you’re learning, so at the end of the day you have pretty unique cases for this bug class. Then pick a program and apply the test cases you have learned. I hope you will definitely get some cool findings and maybe a bounty as well XD.) Here I just gave an example of a single bug class; you can apply this learning approach to almost every bug type. Pick a bug type from the checklist, learn it, list down the test cases and you’re good to go. Just keep practicing on Bugcrowd and HackerOne programs.

For continuous learning, read blogs/writeups and HackerOne Hacktivity. You’ll find some good blogs on Bugreader, PentestLand, YourNextBugTip (https://twitter.com/YourNextBugTip) and https://twitter.com/Unknownuser1806. These sites and Twitter handles share some really nice stuff. And how can I forget Intigriti’s BugBytes. Keep an eye on all these resources as well.

Later on, for further leveling up, you can read books like The Web Application Hacker’s Handbook, Real-World Bug Hunting, Modern Web Application Penetration Testing etc.

YouTube channels that you should follow are Sean (zseano) (channel link; his hacker mindset is amazing) and Katie (YouTube channel; she explains everything from an elementary level).

P.S. I am not saying this is the absolute path to follow, but this is the path that I have followed and suggested to many. It worked for me and for many others, so I hope it will help and work for you as well. (I haven’t included HackTheBox and TryHackMe. Of course the stuff there is also good, but HTB is mainly good for network pentesting, and for the free subscription on TryHackMe, I don’t think there is anything left that I haven’t mentioned previously.)

Okey dokey, enough talk, now it’s time for some cheap tricks, or maybe smart work.

Everyone loves private programs, don’t they? :p

Use the Google dork “powered by bugcrowd” -site:bugcrowd.com (you will get many of the Bugcrowd private bug bounty programs). This trick works for HackerOne as well with the dork (“submit vulnerability report” -site:hackerone.com), but it does not return as many programs. You can also find some good programs to hunt on at disclose.io.

Well well, sometimes I also get this question: which particular platform and program should I start from?

Platform: I personally like Bugcrowd, and they are really friendly from a newcomer’s perspective. The reason is, on other platforms when you’re a newbie and submit any of your findings, and in case it goes dupe, you won’t get reputation, hall of fame or any private programs for your work. (And honestly it sucks and is kinda demotivating.) But on Bugcrowd, if unfortunately the bug you reported goes duplicate, you still get 1/5th of the reward points, your name mentioned in the hall of fame and a few private programs from the section Programs -> Joinable under your Bugcrowd profile.

Program: which program you should hunt on depends upon a few basic factors (a. scope of the program: the bigger the scope, the higher the chance of finding unique vulnerabilities; b. response time of the program; c. reward range). The scope, response time and internal team of a few programs are really amazing. From my past experience, I am sharing a small list of public programs:

a. https://bugcrowd.com/tesla

b. https://bugcrowd.com/indeed

c. https://bugcrowd.com/comcastvdp

d. https://bugcrowd.com/tripadvisor-vdp

e. https://bugcrowd.com/seek

f. https://bugcrowd.com/dell

g. https://bugcrowd.com/netflix

h. https://bugcrowd.com/etsy

One more common question that I get very often: what to do after recon, what should be done after getting all this data, etc. So here I am sharing my mindset (not methodology) for approaching a target.

I have got 3 different approaches depending upon the program, whether I got a private invitation, or what I am hunting on!

a. Pool program or on-demand program (these are basically private programs that are about to start within the upcoming 2–3 days, also known as virgin programs). That means no one has ever tested these programs before. On these programs, I prefer trying to find all the low-hangings (such as session-related issues, rate-limit flaws, EXIF metadata, open redirects, SPF/DMARC issues etc.) in the first hours, and later on going for better findings. (Run Nikto, nuclei and dirsearch as well.)

b. Private/public programs with limited scope: if the scope is limited and the program is a little bit older, I personally don’t find it a wise idea to submit low-hangings, as 95% of the time it will be a dupe. For such programs, try submitting business logic bugs, bugs found with your own out-of-the-box approach, or bugs that take a good amount of time to find.

c. Programs with wildcard scope: for programs like this, recon is the key. The better you are at recon, the higher the chance you will get unique bugs. For finding any critical, it just takes that one unique domain that no one has ever looked into. So work on this point.

Usually, you’ll see mobile applications in the scope as well.

So if the Android app is in scope, you can download the APK from here, simply extract it and look for sensitive data (like API keys, secrets, S3 bucket URLs, bearer tokens, auth tokens, hardcoded credentials for 3rd-party services etc.) within AndroidManifest.xml or strings.xml under the res/values directory. In strings.xml, also search for a Firebase URL. Copy the URL, append /.json at the end and open this in the browser (https://company-name.firebaseio.com/.json). If the response is something other than “Permission Denied”, then congratulations, you just got a bug. For further exploitation, read this blog.
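As an added example (not code from the original post), here is a Python script that performs the strings.xml check described above on an extracted APK: it flags the kinds of values the post lists and builds the /.json URL for each Firebase database it finds, so the app owner can verify the database rules. The embedded XML sample and every key and hostname in it are constructed fakes.

```python
# Added example, not from the original post: scan an extracted APK's
# res/values/strings.xml for the hardcoded values the post lists.
# The sample XML and every key/hostname in it are constructed fakes.
import re
import xml.etree.ElementTree as ET

SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">DemoApp</string>
    <string name="firebase_database_url">https://example-demo.firebaseio.com</string>
    <string name="aws_access_key">AKIAEXAMPLEEXAMPLE00</string>
    <string name="api_token">Bearer sk_live_EXAMPLE1234567890abcdef</string>
    <string name="db_password">hunter2-constructed</string>
    <string name="welcome">Welcome back!</string>
</resources>
"""

# Value shapes worth flagging; the key is the finding type reported.
PATTERNS = {
    "firebase_url": re.compile(r"https://[\w.-]+\.firebaseio\.com"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9_\-.]{16,}"),
    "s3_bucket_url": re.compile(r"https?://[\w.-]+\.s3[\w.-]*\.amazonaws\.com"),
}
# Resource names that suggest a credential even if the value has no known shape.
SUSPICIOUS_NAMES = re.compile(r"secret|token|password|api[_-]?key|access[_-]?key", re.I)

def scan_strings_xml(xml_text):
    """Return (resource_name, finding_type, value) for each suspicious <string>."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        hits = [label for label, rx in PATTERNS.items() if rx.search(value)]
        for label in hits:
            findings.append((name, label, value))
        if not hits and value and SUSPICIOUS_NAMES.search(name):
            findings.append((name, "suspicious_resource_name", value))
    return findings

def firebase_json_endpoints(findings):
    """The '/.json' URL the post describes, for each Firebase database found."""
    return [v.rstrip("/") + "/.json" for _, label, v in findings if label == "firebase_url"]

if __name__ == "__main__":
    found = scan_strings_xml(SAMPLE_STRINGS_XML)
    for name, label, value in found:
        print(f"{label:26} {name:22} {value}")
    print("Firebase rules to check:", firebase_json_endpoints(found))
```

Point `scan_strings_xml` at the real file contents (for example `open("res/values/strings.xml").read()`) to run it against an extracted APK.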

If an iOS application is there, I found it hard to get the .ipa, but if you get it somehow, simply extract the .ipa file and look for data in Info.plist by using the strings command in the terminal (strings Info.plist).

You can also use this amazing framework, MobSF, and for more learning you can look at the YouTube videos on B3nac’s channel (link).

There are some very good tools out there. I am listing some of my favorite repos here. All these repos contain truly amazing tools worth giving a try, and worth finding ways to implement in your own methodology:

Tools by ProjectDiscovery.

Tools by TomNomNom.

Custom Scripts by Gwen001.

You can also try to write your own custom tools; I do this in bash, as I find myself comfortable with it. You can do the same with any language you’re comfortable with. And honestly there is no need to make everything from scratch. I find it dumb to start making things from scratch; instead, use existing tools in your script to automate some portion with your innovative ideas, clean the output and eliminate the false positives.

Well, bug bounty is more of a game, and it is really very addictive. The rank systems, rewards, hall of fame and swag are really fascinating. And because of this, sometimes we totally forget about our mental health and reach a state of burnout (mentally and physically exhausted) without even knowing. So make sure you’re following a healthy routine, getting good sleep, and spending some time away from the computer and close to nature. :D

I know getting duplicates also sucks, and is kinda very demotivating, but trust me, it’s a clear sign that you’re on the right path to finding bugs and getting rewarded. The only thing is that you’re a little bit late. So be positive and just score your first bounty.

The community is amazing. I have learned so much from the community and am trying to give back one way or another. Here is a small list of people who can be really helpful, and you can expect a reply from them as well, but pick your questions wisely; make sure you’re following them on Twitter:

  1. Aditya Shende (Twitter)
  2. Harsh Bothra (Twitter)
  3. Pratik Dabhi (Twitter)
  4. Sean (zseano) (Twitter)
  5. Harshit Sengar (Twitter)

(The list is huge, can’t put them all.) :(

Finally, I am at the closing note of this blog. All the information that I have shared above is based on my past experience as an active member of this community.

Oops, I forgot to introduce myself.. 😐 I am a bug bounty hunter. I mostly hunt on Bugcrowd and occasionally on HackerOne as well. I started learning and doing bug bounty stuff last year, in April 2019. Currently I am among the all-time top 250 researchers on Bugcrowd globally, with 75+ hall of fames :p. I am also a Synack Red Team member and Bugcrowd Ambassador. I was recognized by the Indian Government for submitting various vulnerabilities to them, and recognized by Bugcrowd as MVP 2020-Q1, Bounty Slayer Q2–2019 and Bounty Slayer Q3–2019. Apart from all this, I just completed my B.Tech in Computer Science, and yes, a college degree matters, so just don’t drop out of college for bug hunting stuff. Well, I was getting too many requests to start giving training/mentoring sessions. So I am here, open to this request. If you find the content that I just shared in this blog useful and want to learn more in a proper and detailed manner, you can let me know by filling in this Google Form. It will motivate me to contribute more to the community. If you’re reading this blog, make sure you have filled it in.

Though giving live mentoring/training sessions is still just a plan. Based on the response that I get on this blog and in that Google Form, I will think about whether I should start doing it or not.

Once again, thanks for making it all the way to the very end. :D All feedback and suggestions are welcome. For any quick query or to get in touch with me, you can follow me on Twitter or Instagram, or connect with me on LinkedIn.

Here is the link for that Google Form: https://forms.gle/1oHkQa9FnL6SdiA1A

I will also give away a PentesterLab Pro subscription to someone from the response list who fills in this form.

Happy Hacking everyone. Love you all.. ❤
