How to Get Started into Bug Bounty | Complete Beginner Guide
Hello guys, After a lot of requests and questions on topics related to Bug Bounty like how to start, how to beat duplicates, what to do after reading a few books, how to make great reports. I am here with my new Updated Blog and answering all of such questions. I am starting from basic as prerequisites to tips and labs along with report writing skills. I have also included some of my personally recommend tips and how to write great reports. Hope you all like it.
What is Bug Bounty?
If you go to Google Baba & Search What is Bug Bounty you will get :
A reward offered to a person who identifies an error or vulnerability in a computer program or system Identification and reporting of bugs and vulnerability in a responsible way.
What to study?
- Internet, HTTP, TCP/IP
- Networking
- Command-line
- Linux
- Web technologies, java-script, PHP, java
- At least 1 programming language (Python/C/JAVA/Ruby..)
- Owasp top 10
Choose your path:
- Web Pentesting
- Android Application Pentesting
- IOS Application Pentesting
Books:
For Web:
- Web app hackers handbook
- Web hacking 101
- Mastering modern web pen testing
- Bug Bounty Playbook
- Real-World Bug Hunting
- OWASP Testing Guide.
For Mobile:
- Mobile application hacker’s handbook
YouTube Channels: English
[+]Nahamsec
[+]STÖK
[+]zseano
[+]Hackersploit
https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q
[+]Cyber Mentor
[+]InsiderPhD
[+]Farah Hawa
[+]codingo
[+]The XSS rat
[+]Cristi Vlad
[+]Hakluke
[+]Hacking Simplified
[+]Bugcrowd
[+]Hackerone
[+]Hacksplained
[+]RougeSMG
YouTube Channels: Hindi
[+]Bitten tech
[+]Technical Navigator
Follow these guys on Twitter
[+]nahamsec
[+]Jasson Haddix
[+]zseano
[+]TomNomNom
[+]stokfredrik
https://twitter.com/stokfredrik
[+]Jensec
[+]cybermentor
https://twitter.com/thecybermentor
[+]Harsh Jaiswal
https://twitter.com/rootxharsh
[+]Rahul Maini
[+]aditya Shende
https://twitter.com/adityashende17
[+]Harsh Bothra
https://twitter.com/harshbothra_
Write-ups, Articles, Blogs:
[+]Intigriti Bug Bytes
[+]Medium (infosec writeups)
[+]HackerOne Hack activity
[+]Pentesterland
[+]Security Workbook on Application Security
[+]HowToHunt
Practice:
Practice like you’ve never won, Perform like you’ve never lost. !
Resources to Learn:
Testing Labs:
- bWAPP
- Webgoat
- PortSwigger Academy
- Pentester Lab
- BugBountyHunter
- pentester academy
- TryHackme
- Hack the box
Tools:
- Burpsuite
- Nmap
- dirt buster
- Sqlmap
- Netcat
- OwaspZap
- Ffuf
- Project Discovery
Types of Bug Bounty program:
- Only Hall of Fame
- Hall of Fame With Certificate of Appreciation
- HoF with Swags / only Swags
- Hall of Fame with Bounty
- Only Bounty
Bug Bounty Platform
Bug Bounty Program:
- Open For Signup
- Hackerone
- Bugcrowd
- hackenproof
- Bugbountyjp
- Intigriti
- Open Bug Bounty
Invite based Platforms:
- Synack
- Yogosha
Points To Remember
Choose wisely (Initially, don’t think about bounties)
Select a bug for the hunt
Exhaustive search
Not straight forward always
Report Writing/Bug Submission:
- Create a descriptive report.
- Follow responsible disclosure policy.
- Create POC and steps to reproduce
Sample format of the report:
- Vulnerability Name
- Vulnerability Description
- Vulnerable URL
- Payload
- Steps to Reproduce
- Impact
- Mitigation
Vulnerabilities Priorities:
- P1 -Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
- P2 -High: Vulnerabilities that affect the security of the software and impact the processes it supports.
- P3 -Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
- P4 -Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) to trigger.
- P5 -Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.
Looking for more programs using Google Dorks
- inurl:”bug bounty” and intext:”€” and inurl:/security
- intext:bounty inurl:/security
- intext:”BugBounty” and intext:”BTC” and intext:”reward“
- intext:”BugBounty” and inurl:”/bounty” and intext:”reward
Words of wisdom:
- PATIENCE IS THE KEY, takes years to master, don’t fall for overnight success
- Do not expect someone will spoon feed you everything.
- Confidence
- Not always for bounty
- Learn a lot.
- Won’t find at the beginning, don’t lose hope
- Stay focused
- Depend on yourself
- Stay updated with InfoSec world
Thanks, everyone for reading:)
Happy Hacking ;)
Support me if you like my work! Buy me a coffee and Follow me on Twitter.
Website:- https://www.pratikdabhi.com/
Instagram:- https://www.instagram.com/i.m.pratikdabhi
Twitter:- https://twitter.com/impratikdabhi
Youtube:- https://www.youtube.com/impratikdabhi
