Beginner Bug Bounty Guide - Part 1
Next: Beginner Bug Bounty Guide — Part 2
Note: These articles are my take (opinion) on “How to start Bug Bounty”, inspired by security community. These details will be updated as an when I learn new insights. These articles are for ethical and educational purposes only.
Below is a flow diagram based on my experience on how you should start your bug bounty journey. Irrespective of your technical background, this flow diagram is applicable to all. The diagram could be blurry refer to the .drawio file to get high res image.
The above image could be blurry, check the below github repository for high resolution image. For the latest flow diagram use the .drawio file.
The above image format will not have all details, to get all details download the .drawio file
Things you can do before actually starting Bug Bounty
“These details are for those, that dont want to start bug bounty right away, but what to know what preparation they can make which could make bug bounty easy whenever they will actually start doing it.”
Note: If you are currently started bug bounty, you can learn these things on the go, it will take time to learn small things, but it is the best approach. So unlike me don’t waste time in preparing for bug bounty. Simply start learning bug bounty according to the workflow (.drawio file).
What you need to learn is “Programming”.
1. You should know JavaScript.
- JavaScript Complete Documenation
- JavaScript ES6 (If you are not familiar with the JS ES6 syntax)
- Mastering JavaScript (Interview focused for testing your knowledge)
2. Master 1 Programming language
- Which programming language to choose depends on how much comfortable are you with the language, and also which language has support for HTTP request and good string processing libraries.
- I use
Python
for on the fly tasks. I usego
for building custom scripts and tools. - How much should we master? End goal is to automate repetitive things (w.r.t programming language). Instead of repeating an action, one by one write a script and store the result, this result you can feed into further processing. You must create script only the fly.
- Is mastering 1 language enough? Yes, it is enough. In practice, you may have to learn new language frequently, but you dont need to remember all of them. You simply are required to read any language source code to understand the flow data and how the data is processed. Example, you should know how to read PHP source code to identify bugs, but you will never write PHP code for automating a task.
3. Learn Regular Expression
- Don’t simply read regular expressions, try to use it in your programs and scripts, to make good script better. This is the best way to learn regular expression.
Bug Bounty Security community and search for good Mentor
This is absolutely very important to learn anything new that you do not, is to take guidance from a mentor who has gone through all the learning process and now is an experienced bug bounty hunter. You dont have to be in direct contact of the mentor to learn from him/her. If they are ready to guide you personally then good, but I highly recommend to explore things on your own first. The best way according to me is joining a telegram or discord channel where bug bounty hunter connect with each other. I only know few of them, search for it you will find many good communities.
- Nahamsec Discord Channel
- Infosec Writeups (Very good channel for people who want to know how other people do bug bounty)
- Cyber Security Technologies
If you still feel that you are still confused and need more guidance, explore youtube, look for people in youtube who give tutorial, tips, and show how to do bug bounty. Create a list of such people. Check on the internet if any of them offer a course on bug bounty. You will find such courses in Udemy (If you buy Udemy course, use the Q&A section of the course to ask all your questions and to get tips on bug bounty). If you want to know which programs I bought, refer the Beginner Bug Bounty Guide Diagram. Such courses are an indirect way of learning from mentor.
Finally, when you are yourself become an experienced Bug Bounty hunter try to help beginners and give back to the community.
How to choose a Bug Bounty Program
Below are some details on how you could choose the first Bug Bounty program from Platforms such as HackerOne, Bugcrowd, Integrity, etc.
- In bug bounty its all about quantity. Choosing a program where you can access many endpoints, website, domains, etc. In this way you could find as much low hanging fruits as possible.
Free Bug Bounty Program List
- Bugcrowd (Make sure to read Guidelines first before starting)
- HackerOne (Make sure to read Guidelines first before starting)
- Integrity (Make sure to read guidelines first before starting)
Other Bug Bounties
- There are also Private Bug Bounty Programs.
- You could also check if a website has a bug bounty program. Example Google has a bug bounty program — GoogleVRP
Bounty Program to look for (Beginner)
If you are a beginner and you want to get your first bug then avoid the below types of bug bounty programs. In short only
- Business to Business Website (There will be a lot of good functionality for attack). Businesses that help other business to grow, like HRM application, Asset Management application, etc.
- Program with Broad Scope (Choose a program that has wide scope, the more number of page the more chances to get a bounty). Organizations with a broad scope generally, will keep adding new code daily to their application. Also, these bounty programs have a lot of subdomain, so it help beginner to improve their methodology and incorporate little automation, as manually doing all these will take forever. Program like “US department of defense”, “IBM”, “Facebook” (separate program), “Google” (separate program).
- Multiple level of users (If a website has multiple level of users like, administrator level, employee level, guest level, then it will contain a good attack surface).
Bounty Program to avoid (Beginner)
If you are a beginner and you want to get your first bug then avoid the below types of bug bounty programs.
- Newspapers Websites (There will be a lot of pages, and not many good functionality for attack).
- E-commerce Websites (Due to its complex workflow, a beginner should avoid these website, but if you are comfortable you can choose it). Note that E-commerce does not include Banks. Example, online shopping, buying things, etc…
- Banks (The will generally be hardened than the normal targets, but if you are comfortable you can choose it). Example, online shopping, buying things, etc…
- Block-chain Websites (The workflow is different from normal websites, you may need know more about blockchain working, so a beginner should avoid these website).
- Mobile Applications (These are mobile applications like .apk or other mobile apps, which are different from your normal website, you may need know more about the working of mobile application and then how to find vulnerabilities in it, so a beginner should avoid these applications).
- Desktop Applications (Similar to the above, these are application like .exe which has their own type of vulnerabilities, so a beginner should avoid these applications)
- IoT Devices (Similar to the above)
How to get your first Bug Bounty
Not only choosing a bug bounty program is important, but also how you approach the bug bounty program is equally important, below are some of details that can help you to get your first bounty.
- I would highly recommend to know as many attacks as possible. Practically it means you should have all the test cases for all the learned attack which you need to test on the website, the more you know the more you can detect bugs and unusual behavior. You can use open source tools, but in any case you should exactly know what data is sent via the tool, if there is some test cases missing, you need to find a way to test them.
- Discover as many path, endpoints, domain (in-scope) as possible, this will increase the attack surface, which will increase your chances to get a bug.
- You need to test all these test cases for each and every feature and functionality of the website. Even if does not seems vulnerable it is always. Try to find functions that are “hidden” or not easy to read.
- Always aim for high severity attack, because, why not? No matter how much time it takes, you should always combine less impact bugs to get a high impact severity.
If you want to filter program specific to your skill set then you can do so by using the below filter in Hackerone. Similar filters are present in Bugcrowd also.
Important Points
- The most time consuming part will be to read the complete scope of the bug bounty program, from the first word till the last (as sometimes in description you could find some useful information).
- Take a program that you are comfortable with. Example, if you are a PHP developer, choose a prefer a program that uses PHP. or, if you are android developer, then choose a program that has their android app in scope of bug bounty (given you know mobile bug bounty).
- In your first bounty program you could feel that.
I am not able to find any bugs…
- It is OK to think as you are beginner, but note that this is not the end. First thing to keep in mind is test all test cases whatever you know of + search in GitHub for more test cases, wordlists, payloads and test again… keep trying for 10–15 days. Second thing, you could try to learn more from bug bounty writeups, improve your test cases, learn to identify unusual website behavior, etc. then repeat these 2 things again and again….
When to drop a bug bounty program
- During information gathering phase your found the the website uses a very different functionality that your are not comfortable with, example, the website uses GraphQL API, but your are more comfortable with REST API. Then as a beginner you try to find some other bug bounty program that has REST API in it.
- When after trying for 3–4 weeks you are not able to find anything interesting, I think you should move on to other course. This could also mean you need to learn more, but, it could also be that you are simply wasting time, given there are many other program, that will have low hanging fruits. Hence, it is very important to have a sweet point on when to drop a bug bounty program.
What Next?
- You should now focus on “How to” bug bounty.
- Learn API testing as quick as possible, as now-a-days nearly all websites use API.
- Learn burpsuite and JavaScript in depth. Check the burp plugin store to find popularly used plugins
- Doing all thing manually is not a efficient approach, in bug bounty you need to find bug quickly else somebody else will. So always use automated tools/plugins as a 1st phase of attack. Automated tools are a good way to get low hanging fruits. Now, you can build an attack chain combining the different “low hanging” vulnerabilities to get a High severity attack.
- See how bug bounty hunters configure scope and other configuration on burpsuite. Uncle Rat Beginner Guide.
- Try to look for mentors who can guide you.
- Keep Engaging with security community. Ask more experiences people about their way of doing things, analyze them, and then take decision. You should always have your opinion on it, else what is the difference then?
- Read writeups and Case Studies on Attack Chaining and converting a low severity bug to a high severity attack. This is the reason why people have opted for a bug bounty program, as normally this is not detected easily due to time restrictions on delivery deadlines.
- Collaborate with other security researchers to create new tools that solves a particular problem or improve capability of existing open source tools.