Beginner’s guide to Bug Bounty hunting

December 31, 2017

Wanna know how to start with Bug Bounties and why do thousands of security researchers from all over the world spend most of their time on public bug bounties, then yes, this post is for you.
Bug bounties are something which is really on trend nowadays. Cybersecurity job today is not confined to only penetration testing or vulnerability assessments. Independent security researchers are breaking in this field by solely depending upon Bug Bounties.

Possible Reasons?

Yes, there are quite a few.

  1. It really feels good when you find a bug in an application which is being used by millions of people across the globe. Getting it fixed, make you feel that you have impacted a lot of people’s life by saving their personal data and information.
  2. The second possible reason is the thrill of finding the vulnerability. In a world, where hacking is considered illegal and it’s always a chance of getting jailed due to illegal hacking, hacker wannabes are getting a chance to legally do hacking for various companies.
  3. The most popular reason and even if people try to deny it by giving the above 2 possible reasons is the “NAME, FAME and MONEY” associated with it. You can easily get your name in the Security Hall of Fame for different companies and you will even be getting some good rewards for it, be it either money or swag.

Recommended books:

Since you have just started we would definitely recommend knowing about as many bugs as you can.
For things like this, go through these books in any order which you like. You don’t have to finish the page by page but give them a read whenever you are stuck or you think, you do require something more.

  • Web Hacking 101
  • The Web application Hacker’s handbook, 2nd edition
  • Modern Web APplication Penetration Testing
These 2 books are must read according to me. But don’t just keep reading. After getting a grasp of what you need to do, just start with Bugcrowd or Hackerone. You can also keep the book Web Hacking 101 open while you are trying to find bugs.

Tips for Bug Bounties:

  1. Choosing the target. Yes, this is the most important thing. Choosing targets like Google, Facebook or Microsoft on your first try won’t land you anywhere. It will, of course, feel good to find a bug in some of the world’s biggest companies but hey, if you could have found one why would you even bother reading this post? So chose a topic efficiently. There are lots of potential targets on Hackerone and Bugcrowd.
    Choose some target that has a good number of domains in scope so that you can spend some good amount of time with it.
  1. The second most important thing is start as soon as you can. Keep checking these websites so that you won’t miss out when they start a new program. It’s not like “Early bird gets the most delicious worm”. Hahaha, but the early bird will definitely get a worm in most of the cases so that it doesn’t starve in the end. What is actually happening is these applications are first of all tested by the internal penetration testing team for any bugs, after that these are being tested in Private bug bounty programs. And only after that, it is being made accessible to the public for testing. Now you can think that how remote there is a chance for finding bugs. But companies always push new code and there is nothing like a 100% secure application. So start early if you can and if you can’t no worries, just keep trying you will get definitely get some cool ones.
  1. See the scope of the target with open eyes. Just submitting a bug won’t do. Companies explicitly mention where you must test. So take a note of the scope carefully. Breaking the rules or testing where you are not allowed to can lead to you getting banned from the program altogether.
  1. Let’s suppose all the domains are in scope. Then you must have the knowledge to enumerate all the subdomains. A subdomain enumeration tool like Subbrute can be of great help. Google dorks are always helpful in these cases. So now you know where you need to test. Make a proper list of that.
  1. Don’t use Automated scanners carelessly. Automated scanners make much noise and can affect the working of an application which will affect the company. As a result, you can be banned and can even have to face some other legal problems. So try to do manual testing as much as possible.
  1. Try to find even some low hanging or P5 vulnerabilities. You can see the Priority chart at Bugcrowd’s page here. No matter what anyone says, submitting a bug is a reward on its own. But just be sure that it’s valid at least and press the Submit report button.
  1. Keep reading reports and different books to know about other tools and about other kinds of vulnerabilities and different methods to find them. Reading reports are something which we practice even now and we have learned many methods from that. This is a cool site which maintains all the reports from Hackerone. Here is the link to it.
  1. Many times you won’t be getting any rewards or swag saying that the report is duplicate but they will give you some Kudo Points. So don’t get disheartened. These points will then help you to get some private bug bounty programs and you will get to find a hell lot of bugs there. There is always a way to cheer up.

Capture the Flag

Now another way to practice for Bug Bounties is to participate in CTF challenges. It’s like the name says “Capture the Flag”. There are several challenges for you to solve which deals with real-world vulnerabilities. The more you practice on these challenges the more you will learn about the different technologies required to break into an application or a system.
Here are some good practice websites:

So this was all, which we wanted to say for this blog and OWASP guides is always your savior to read more about any vulnerability. Just keep practicing and start with any project. Bug bounty is a trending topic and it’s a full-time job for many of the people we have met on the internet today. You can also step into this territory if you have something called patience and you can devote much time to sharpen your skills. Its like Lincoln said,

“If I have 6 hours to cut a tree, I will spend the first 4 hours sharpening my ax.”

We guess you must have got a good amount of knowledge now of where to start. So start hacking and find some bugs.:)