What I’ve learned from hunting bugs for 2 months
Bug bounty hunting: a glamorous life of 100k bounties followed by Lamborghini pics on social media. If you are alive and part of the infosec community, then it's obvious that at some point you have tried, or have thought about trying, bug bounty hunting.
I will be answering the questions every beginner has and sharing my own views on how I think about and tackle this subject: the mistakes I made and how to avoid them.
CHAPTER 0: Background
Before I start, I want to make it very clear that I am not a beginner, and in no way is it my intention to defame or criticize any hacker in their respective field.
I have well over 3 years of experience in IT, 2 of them specifically in cybersecurity. This is important, and we’ll come to this later.
CHAPTER 1: Behemoth
I decided to start bug bounty for three reasons:
- I wanted to get my name associated with different vendors and companies. As an HR person told me, this is highly sought after, since you not only demonstrate that you understand the attack but also have the capacity to perform it in real life.
- I wanted to actually understand where I stand in my understanding of web hacking.
- ̶H̶e̶l̶p̶ ̶a̶ ̶c̶o̶m̶p̶a̶n̶y̶ Money, respect, swag (like, come on!)
Firstly, make a routine, and I mean it: a primary mistake I made was not dedicating time. Know when to stop and don't get overwhelmed. Pick a time slot that suits you (say, 3 hours every day), then sit down: consume content, learn and read for 2 of those hours, and spend the rest trying to implement the attack.
Mistake 1: The pandemic of courses
Courses are a great way to learn. Let’s cut the BS: no, they aren't, and here’s why. A creator making a course has a lot of experience under their belt and a feel for most applications, which is impossible to have as a noob. I would suggest going through some books, and no, not the old Web Application Hacker's Handbook. Don’t watch an entire course; go through a particular vulnerability and try to find it in several applications.
Book recommendation: Web Hacking 101
Mistake 2: Wrong target
Here's the deal: you go onto HackerOne, select a random target, and now you are stuck for hours trying to find bugs with no luck. Well, that's because the platform is already secure and the advanced bugs are beyond your capacity. Remember that most public programs will already have the low-hanging fruit patched. At most you’ll get a duplicate, so go with wide-scope programs:
Best wide-scope programs: Red Bull, Dutch Government.
Key takeaways: Don’t select popular targets. Don’t waste time on a 20-hour course.
CHAPTER 2: Antaeus
So after you have chosen your target, you might want to apply a methodology; let's say a popular YouTuber has convinced you. But that's wrong, and I can explain why: as a beginner, you lack the skill to know where bugs are. Those methodologies might be applicable to a tester with years of experience with web apps, but for a beginner they are a waste of storage. Rather, just learn about a simple bug and try to find it in most apps.
The simple deal here is to be persistent, but only to the right degree. Though there is no set amount of time, I usually restrict myself to 4 hours a day to find one bug. This is magical for me, since it lets me know when to reevaluate things.
Takeaways: Try smarter, not harder. Learn only one vulnerability at a time and look for it in a wide-scope program. Stop with ready-made methodologies.
CHAPTER 3: Aergia
I had a friend who started 3 weeks before I did, and I surpassed him in finding bugs. When I looked for the reason, it was simple: he had not set up his machine and tools properly, so he gave up on tools that were difficult to install and use.
When you are learning to find bugs, it is a given that you’ll learn about new tools, as I did. So let’s understand why a percentage of beginners score more bugs: it's simply because they set up their VMs and machines beforehand with the tools they need. Keep notes of commands that are unique, set up a tool and try it out; I have found various flaws with the most simple and unpopular tools.
Takeaways: Set up your testing machine with tools, and keep proper notes on how to use them. Learn to run them automatically against several hosts at once.
So after your initial encounters with web apps, you’ll find your way around and things will get less complex. It's just persistence; for me it took 24 days. Take a 25-day challenge and do nothing but bug bounty. If you see results, then great; if you've not grown at all, then just move on to something else. I know it's difficult, but one should know where to stop.
After this, if you are persistent and you follow and learn from these mistakes, then I can assure you that you will get a few bugs, and you’ll be proud of it.
After you get a few bugs, you’ll get invited to private programs. There is less competition and more money, so don’t miss out and definitely go for them; you can spend more time on private programs than on normal ones.
It takes a few things: time, effort, and understanding. If you have these three, then I will personally guarantee your success.
Excellence is not a gift but a skill that takes practice — Plato