Beginner Guide for Bug Bounty

With the amount of information on the web about this topic these days, you may be facing information overload and feeling overwhelmed as a beginner, which is totally normal. So pick only a couple of quality resources to get started and then go hands-on, i.e. practically try what you learnt.

So, how do you get started, and where do you learn bug bounty hunting on websites?

For starters, you may want to understand HTTP requests and the basics of how websites work, then start with one particular common vulnerability, such as what an XSS vulnerability is, and focus entirely on XSS bugs. There is an amazing cheat-sheet of XSS vectors by PortSwigger for finding XSS in different frameworks, including many WAF bypasses: Cross-Site Scripting (XSS) Cheat Sheet - 2021 Edition

You may also want to look at business logic vulnerabilities in applications, which are very simple and easy to find once you have mastered the application's overall workflow (Business logic vulnerabilities). These require understanding how the application works on the surface, then trying to find edge cases which may have a security or business impact on the organization. For example: can you somehow bypass a paywall and use a product without paying for it? Quora requires you to log in to read more than 1 article; however, by putting ?share=1 at the end of any URL, you can bypass that sign-up paywall ;)

Another very impactful type of bug is information disclosure, which can happen anywhere within an application. Your goal is to find disclosures of other users' information, or internal information of the organization that is inadvertently exposed (Information disclosure vulnerabilities). This category generally encompasses old data backups, API keys (not all are sensitive), source code, error or debug messages exposing the application's path, and any other information that isn't supposed to be public.

There are many more bug types you may want to go through, but as a beginner, stick to one type of bug and try to find it on as many programs or targets as possible. You may get some hits if you are lucky and determined enough. Bugs are always there in apps!

What most people say is to just read books and generally start with and master the theory, just like any other subject. In bug bounties, that's exactly what you need to avoid. I have seen people with a research background at live hacking events I went to taking notes with pen and paper, but that's a redundant process and they couldn't find anything at all! Things change quite fast and books lose relevance quickly. New web technologies are developed at a fast pace, and most web app security books are outdated by the time you read them.

So you have to quickly move from theory to practically finding and exploiting bugs in applications. You can also decide which way you want to go: master reconnaissance, or focus on application-specific bugs. There's very little theory about Recon in general, but I have achieved most of my success through Recon: since I have done development work at some companies, I know exactly which tools companies use internally and which areas they make mistakes in when setting up these tools. Based on your prior knowledge you can identify those areas, or do your own research to master the art of reconnaissance. It's easier, and generally if you have your own way of doing Recon, the competition (other hunters) won't matter much and you won't run into duplicates (bugs submitted by other hunters before your report, which companies don't pay you for).

Firstly, if you are not already familiar with web apps and web technologies in general, I would suggest you get an understanding of the inner workings of a website and web browser: how it sends and receives web requests. Simply open the Developer Tools in your browser, switch to the Network tab, and observe how the browser sends web requests to the Quora server when you make a change to an answer (to save your answer to their database using their GraphQL API on the backend). Bug bounty hunters and penetration testers use a man-in-the-middle proxy, such as Burp Suite, to intercept and modify these web requests from the browser. Also learn what the internals of a web page look like, what the DOM is, how scripts interact with it, and how you can potentially inject scripts into the page maliciously (Quora, for instance, protects itself from such attacks using a CSP).

Learning theory alone isn't a practical way to find bugs. Finding bugs in any application is pretty simple: just find features that don't work the way they should; that's the definition of buggy software. But to find something that is buggy, you generally need to know how it is intended to behave and what isn't behaving as intended (security-wise). Coming to security bugs, you need to know which bug would present a security risk in the context of that application, which differs from application to application. This needs deep familiarity with the application itself and knowledge of where vulnerabilities usually occur. Once you are familiar with the application you are hunting bugs in and the areas where vulnerabilities usually occur, you are good to go.

There are also bugs which are relatively simple to find and which most bug hunters go after, the low-hanging fruit, and you almost always get duplicated by someone else who reported it before you, leaving you with a very low ROI on the time and effort you put in. So try to avoid going after easy bugs, and analyze an application thoroughly before looking for bugs.

Before beginning, you have to prepare yourself to actively learn and put in your own effort rather than passively consuming information. Bug bounty is a very dynamic field; web app frameworks change every day and defense mechanisms improve, so there are no easy bugs these days like there used to be. The easy money has been earned; now there's only competition and the race to find quality bugs before hundreds of thousands of other hunters. This often leads to burnout and frustration. So balance your hunting, learning and other work, and do it part time. Don't spend too much time on it initially.

Some good ways to learn the areas where bugs generally occur and to understand bugs practically are to go through:

- Hackerone's Hacktivity: here's a direct link to filter popular disclosed reports from their Hacktivity, which is useful if you want to read in depth about the kind of issues hunters are finding and locate the places in applications where these bugs are found.
- Bugcrowd has a similar feature called Crowdstream, but it makes limited disclosures and is not very useful from what I found.
- Bug bounty writeups and blogs, which bug hunters write about the bugs they found after those bugs have been fixed. A lot of people disclose their vulnerabilities in the form of writeups, like I often do on my blog.
- Portswigger Web Academy, from the makers of Burp Suite (the most popular MITM proxy for intercepting HTTP requests), is the perfect place to start learning; this is highly recommended. They describe all types of web vulnerabilities and provide free labs for each type.
- Twitter: follow the #BugBounty and #BugBountyTips hashtags to get the latest info on bug bounties. Twitter is a great resource, but you have to stay attentive; sometimes the tips shared there go so viral that the bugs turn out to be duplicates when you submit them and become a waste of time.

In 2021, there are hundreds of thousands of bug hunters on the leading bug bounty platforms, which makes it harder to find bugs and raises the bar of entry to a ridiculously high skill set. Often this leads to burnout and duplicates; it's very hard to strike a sane balance between time, effort and the money you make:

- On Hackerone alone there are close to a million reporters registered, and Hackerone just crossed 1 million bounty reports in total. Imagine working against nearly 1 million hunters: it's very easy to find exactly the same bug they found, or by the time you hack that application, it's already secured against most vulns. Hackerone is quite useful, as for each program they display statistics such as how many reports were received in the past 3 months (it depends on whether the program decides to display the stats, but the feature is useful for deciding whether you want to hunt on that program).
- Bugcrowd hides a lot of statistics, which makes it harder to decide which program to hunt on. But it's overall a decent platform, and one of the leading bug bounty platforms!

But those are mainstream platforms which have gotten a lot of attention, which makes it harder to work on them: a lot of people are simultaneously hunting for bugs on the same targets, which increases the chance of duplicates. You may try some of the less popular platforms that came out more recently, like these, which have less competition and hence are more favorable for newer bug hunters:

- YesWeHack: a newer, EU-based bug bounty platform.
- Yogosha: an EU-based, French bug bounty platform that deals mostly with EU-based companies.
- Intigriti: also EU-based, comparatively newer and hence with less competition.

How much can you earn or make through bug bounty hunting?

There's no limit, and that's the best part once you learn this art. You can make six figures in a day if you have that kind of expertise and select good targets. Examples are PayPal, Verizon and several other high-paying bug bounty programs.

There are full-time bug bounty hunters who are making millions a year[1].

You can possibly even make $100,000 in a day, but it depends on your skill set. Usually, companies pay between $50 and $30,000 depending on the severity of the issue (low to high).

All the best and do upvote if you found it useful, so that I know it helped you :)