Getting started in Bug Bounty

Sahil Ahamad
12 min read · Nov 8, 2018

Hi Guys!

While I write this up, it’s already 09–Nov–2018 here in India. Today I’ve completed 5 good years on HackerOne.

https://hackerone.com/ehsahil — A proud member since November 9th 2013

I will always be thankful to the whole information security community ❤

love you all ❤

How to get started in bug bounties is a common question nowadays, and I keep getting messages about it on a daily basis. It’s not possible for me to respond to each and every message, so I thought I’d rather write a blog post and direct all those beginners to it.

I’ve been in the bug bounty field for 5 years now. Still, there is so much to learn each and every day; I’m not yet an expert and this post is NOT expert advice. I am just sharing what I’ve achieved in the past 5 years and what I am doing continuously to improve my skills.

Index

  1. Introduction
  2. Basic Technical things to get started.
  3. Choosing your initial path
  4. Books — I regularly take references from
  5. Youtube channels & playlists
  6. Practice! Practice! practice
  7. Tools you should master (*tool)
  8. Bug bounties and Mental Health
  9. Blogs you should follow
  10. Follow cool guys on Github
  11. Follow Active bug bounty guys on twitter
  12. Credits and Closing meme.

1. Introduction

I’ve seen a lot of folks in the Bug Hunting Community saying “I am not from the technical field, that’s why I am not successful in bug bounty”.

This is a misconception: no one needs to be from a computer science background to be good at bug bounties. Being from a computer science background helps, but it is not compulsory; you do, however, have to learn the computer science fundamentals yourself. So, if you are from a non-technical background, you should get started only if you’re interested in learning about information security, not ONLY interested in $$$$.

I too am from a Mechanical Engineering background. I have been very interested in the information security field since school, but joined the mechanical field on the advice of family members; my main focus has always been information security.

I can tell you many stories of people from non-technical fields who are successful in bug bounty or infosec.

But all of them have one thing in common: “INTEREST” and the willingness to do the “hard work”.

If you think you will become successful overnight, or over a week, or over a month, this is not a field you should join. Bug bounties are very competitive; it might take at least a year to do well. You have to continue learning, sharing and practicing more and more. You must have the curiosity to learn about new things and explore the field on your own. There is a huge amount of educational content out there for free.

Do not pay individuals who tell you they will make you successful in bug bounties overnight. Most of them are scammers.

The following are things you should know before starting in infosec.

No one will be able to tell you everything about this field. It’s a long path, and you have to travel it alone, with help from others.

“Do not expect someone will spoon feed you everything.”

How to ask a question?

You should behave responsibly when asking someone a technical question.

You shouldn’t ask like “Here is the endpoint, can you please bypass the XSS filter for me?”

You should be on point when you ask about a problem — that’s it.

You should not expect people to respond to you within minutes. They will respond as soon as they get some free time, or they might not respond at all because of their busy schedule or whatever reason. You should also respect that — do not ping someone unnecessarily.

How to find the answer to every question?

This is what I did previously, am doing now and will definitely do in future: using “Google” for everything. (You can use other search engines too :P )

2. Basic Technical things to get started.

I am assuming you have a basic understanding of how things work on the internet. There are many things you have to learn, but I cannot list all of them here. I’m listing a few important topics, and you should learn more by yourself.

HTTP

TCP/IP Model

Linux — Command line

Web Application technologies.

Networking basics

Learning the basics of HTML, PHP, JavaScript. — These are only to get started; the list never ends, it totally depends upon your interest. You have to build your interest according to your need.

It’s also very important to have a good understanding of the different types of vulnerabilities as soon as you can; I’ve added a Web Application Security Basics section below.

3. Choosing your initial Path

Choosing a path in the bug bounty field is very important. It totally depends upon the person’s interest, but many guys choose the web application path first because, according to me, it’s the easiest one.

  1. Web application Security testing
  2. Mobile Application Security Testing

But you are not limited to these two; it totally depends upon the type of interest you have.

Web Application Security Basics.

OWASP Top 10 for 2010

OWASP Top 10 for 2013

OWASP Top 10 for 2017

Start from the 2010 list, so you can understand which types of vulnerabilities were at the top in 2010 and what happened to them by 2017. You will understand it by learning about them and practicing them.

OWASP Testing Guide V4

You don’t have to finish the testing guide before you start working; you should start working on live (legal) targets, since that’s the only way you can improve your skills.

Mobile Application Security Testing.

As you get more experience, you are free to switch between anything you like :)

OWASP Mobile Top 10.

One stop for all mobile application security needs:

Mobile Security Wiki by Aditya Agrawal

Application security Wiki also by Aditya Agrawal

6. Practice! Practice! Practice

It’s pretty important to keep yourself updated with the trends and new vulnerabilities. While playing around with server information disclosures, keep a close eye on publicly available exploits to escalate the attack.

You can start working on vulnerable applications.

  1. Hacker101
  2. Bug Bounty Notes
  3. Pentesterlab
  4. Hackthebox
  5. Damn Vulnerable Web application
  6. XSS Game by Google.
  7. Vulnhub
  8. hack me

Setting up security testing labs — I’ve written detailed blog posts; you can find them below:

Bug Bounty Platforms — These are great places to test your skills. Do not get discouraged if you haven’t found anything — you still have the reward of experience, which is more important.

  1. Hackerone
  2. Bugcrowd
  3. Synack
  4. HackenProof
  5. Intigriti
  6. bountyfactory
  7. Bugbounty Japan
  8. Antihack

Twitter hashtags you should follow

#bugbounty

#bugbountytips

#infosec

#togetherwehitharder

7. Tools you should master (*tool)

Burp Suite —

You should start practicing with the Burp Suite free version (the Community Edition) and working on bug bounty programs; as soon as you have earned sufficient bounty, purchase the Burp Suite Professional edition. You will not regret it.

Note: Do not use a pirated version of Burp Suite Professional; you should respect the great work the PortSwigger team is doing.

There are plenty of free resources out there to learn more about Burp Suite Pro, but if you are willing to invest some money, I can recommend the following:

  1. An online course by Pranav Hivarekar: Burp Suite Mastery
  2. Burp Suite Essentials by Akash Mahajan

For information gathering or reconnaissance — I’ve written a detailed blog post on the same topic; you can find it below:

8. Bug bounties and Mental health.

The bug bounty field is very competitive, and you should also take care of your physical and mental health; that’s very important, nothing else matters. My good friend Nathan wrote a great post on this topic.

You should definitely read it.

11. Follow Active Bug Bounty Hunters on Twitter (But not limited to this list)

and others ❤ can’t add everyone here.

12. Credits

Thanks to these awesome guys Prateek Tiwari, Rishiraj Sharma & Geekboy for proofreading this post :)

Feedback is always welcome.

Until next time.
