Journey Towards The Life as a Bug Hunter

Hisham Mir
Published in SecurityWall
Jul 30, 2019

It has been a year since I wrote my last blog post, Exploiting a Single Parameter. After getting free from my startup and some bug hunting, I decided to set up a proper publication on Medium, and hopefully you will now see more blog posts in the future.

Everyone in the Info-sec community has an interesting story of their journey towards Hacking. So I decided to share mine also, maybe this can help the guys who are just getting into Bug Bounty.

Introduction

My name is Hisham Mir and I am 18 years old, living in Pakistan. I am the Co-Founder of SecurityWall and I have been doing bug bounty for the last 4 years.

The Start …

It all started back in mid-2013, when I used to manipulate values in games, hacking 8 Ball Pool coins and GuideLine using Cheat Engine. Then I searched on Google about how to hack a Facebook account, and God knows how many FBHACKER V3.0 AKA RATs I ran on my computer.

Meme Time

Nobody :
13-year-old me seeing a random YouTuber hacking with FBHACKER V3.0:

After that, I got into hacking my neighbours' computers using Armitage with the famous Windows XP exploit MS08-067. TBH all I did was follow steps from a YouTube video; I had no idea what the fuck was going on.

Then I used the ninja technique which everyone used at the start: using Google dorks and using Havij to extract admin passwords to shell the website, tough right :P?

How did I get into Bug Bounty?

One day I was scrolling through Facebook and saw a post by a good friend of mine, Osama Mahmood, that he got $50 for a clickjacking bug.

And I was like what the hell is this thing, searched a little about clickjacking and it seemed so easy, and I reported clickjacking to around 20 websites. After getting responses I understood it isn’t that easy.

How did I better myself?

  1. HackerOne Public Disclosure was a big help in the start, going through every disclosed report on the Hacktivity, and h1.nobbd.de did a great job by managing all the disclosed reports in one place. I recommend all the beginners who are just starting to go through all the public disclosures. It will help you understand others' methodologies and what types of issues are being reported. And using this you can develop a methodology of your own.
  2. DVWA (Damn Vulnerable Web Application). It helped me understand the OWASP 10 and understand how they are executed.
  3. Practice makes a man perfect. Hunting swag sites, as they are easy to hunt compared to the paid programs, to get a taste of the vulnerabilities in a live scenario.

My First Swag

Believe me, my first swag played a big role in boosting my confidence and helped me be consistent. After I received my first swag, at least I knew I wasn't wasting my time, and some company sent me a t-shirt straightaway from the USA. It was an immense achievement for me.

It's my perspective for the beginners to go for swag sites, as directly going for paid programs with minimal knowledge and finding nothing can make you all frustrated and make you want to quit.

Funny story: The team sent me an XXL shirt instead of Medium. However, it was my first swag, so I went to the tailor and got it fitted for myself.

Meme Time

Team :

Me waiting for first swag:

My First Bounty

After spending some time hunting on swag websites, and while watching other bug bounty hunters posting screenshots of their bounties, it made me question myself: "If people can, why can't I?" So, I decided to go big and hunt Facebook. I spent around 2 days hunting Facebook and finally, I found a CSRF in Oculus. The bug got triaged and after a few weeks of waiting anxiously, I finally received the mail I wanted to see. And that's how I got my first bounty.

First bounty, and that too from Facebook. Cool, right? But now comes the critical time of self-doubt, which I believe every hacker, even the big ones, goes through.

Self Doubt, Maybe it was a Fluke?

Determined and motivated after my first bounty, I spent many nights searching for bugs but found nothing. This led me to doubt my skills. Self-doubt is the time when you feel frustrated, can't hunt for bugs and feel like doing nothing (useless). I began to believe that maybe the bounty from Facebook was just a fluke?

The best way to overcome self-doubt is to get some time off, taking a step back, learning new things and then coming back stronger.

How taking a Step Back Helped?

After taking some time off, I decided to take a step back and learn more. One thing I learned is, you should never forget the basics and always focus your learning on the things which you know you can perform better in.

I read tons of writeups, and the area which interested me more was the business logic flaws. Reading interesting writeups made me get back to hunting for bugs.

I still remember there was a family event that I refused to go to and preferred staying at home and decided to hunt Shopify. After spending around 5 straight hours of hunting Shopify and finding nothing, I changed the target and started hunting Coinbase. Within 20 minutes of hunting, I found an interesting bug, which was triaged and paid in 1–2 days. Fun thing, the Facebook bounty was still in the pipeline.

Show off time

Motivation Time

Final Thoughts

The journey towards life as a bug hunter was a really interesting one. It was full of passion and urged me to learn and try new stuff. Through this journey, I have made some great friends from the infosec community both in Pakistan and India, who've been really helpful throughout my journey.

My advice for the guys who are just getting into bug bounty would be to be consistent and passionate about what you are doing. The info-sec field is a sea of knowledge and you have to educate yourself, learn and try new stuff to go with the flow. Every new thing you learn will never go in vain.

Thank you very much for reading and we will end it here with a meme :P

Meme Time

People: How much have you earned from bug bounty so far?
Me:
