Guest Blog: How to Kick Start in Bug Bounty by worldwideweb


It took me a day to pen down this post, as I’m atrocious at penmanship. Anyhow, I do not want to waste your time by expounding on what an atrocious writer I am. I have penned down my experience and everything I got to know from my first attempt. I am not a professional, so you can easily guess where I usually spend my day: either in my room or at places that articulate the exquisiteness and freshness of natural surroundings.

Anyway, my bug bounty career started about a year and a half ago (almost two). Honestly speaking, at that time I didn’t even know what bug bounty was, since the topic was not on fire then and I found very few relevant blogs to go through. But today it’s one of the hottest affairs to discuss. I started off when I saw my friend’s name listed in Apple’s hall of fame, which became an inspiration for me to dig into the security field of bug bounty. Just think how awesome it would be to see your name on the official pages of Apple, Google or Facebook, where not many people are lucky enough to see their names inscribed! It’s fascinating to inform others that your name is listed on such a reputed company’s pages (and it’s also about money).

Around 2012 I stepped into this field, so it took some time to understand this completely new security world of bug bounty, but it was quite an infotainment process for me, since due to the lack of resources I had to answer all my questions myself. Anyhow, if you are a beginner in this world of bug bounty or have a desire to enter it, this post will help you start bug bounty hunting.

So let me introduce you to these tools. Honestly speaking, I don’t prefer any particular tools, but if you are a Mozilla Firefox user then some plugins might help you save a lot of time. Here I have mentioned a few tools that I am using these days and hope to use till the end of my career in this field.

Tamper Data: Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests. If you are not familiar with it, take a look at it once; it is very helpful in identifying CSRF issues as well as finding IDORs.
Download: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
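As an added example (not part of the original post and not code from the Tamper Data extension), here is a small Python triage helper that reads a raw HTTP request of the kind Tamper Data records and flags the two patterns mentioned above for manual verification: a cookie-authenticated state-changing request that carries no anti-CSRF token (CSRF candidate), and id-like parameters or path segments holding plain numeric values (IDOR candidate). The token names, parameter hints and the sample request are constructed assumptions, not values from the post.

```python
# Added example (not the post's or Tamper Data's own code): triage a captured
# raw HTTP request for CSRF and IDOR candidates that deserve manual checking.
from urllib.parse import urlsplit, parse_qs

# Assumed (constructed) lists of common token names and object-id hints.
CSRF_TOKEN_NAMES = {"csrf_token", "csrfmiddlewaretoken", "_token",
                    "authenticity_token", "__requestverificationtoken"}
ID_PARAM_HINTS = {"id", "uid", "account", "order", "invoice"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def parse_raw_request(raw):
    """Split a raw request into (method, target, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body

def triage_request(raw):
    """Return a list of findings; an empty list means nothing stood out."""
    method, target, headers, body = parse_raw_request(raw)
    url = urlsplit(target)
    params = parse_qs(url.query)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body))
    findings = []
    # CSRF: cookie-authenticated, state-changing verb, no token in params or headers.
    token_in_params = any(k.lower() in CSRF_TOKEN_NAMES for k in params)
    token_in_headers = any(h.startswith("x-csrf") or h == "x-xsrf-token" for h in headers)
    if method in STATE_CHANGING and "cookie" in headers and not (token_in_params or token_in_headers):
        findings.append("csrf-candidate")
    # IDOR: id-like parameter names carrying purely numeric values, and numeric
    # path segments such as /orders/1042, both flagged for a cross-account check.
    for name, values in params.items():
        if name.lower().split("_")[-1] in ID_PARAM_HINTS and all(v.isdigit() for v in values):
            findings.append(f"idor-candidate:{name}")
    findings.extend(f"idor-candidate:path:{seg}" for seg in url.path.split("/") if seg.isdigit())
    return findings

# Constructed sample: an authenticated POST that changes an account e-mail.
SAMPLE_REQUEST = ("POST /account/email HTTP/1.1\r\nHost: app.example.test\r\n"
                  "Cookie: session=abc123\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 29\r\n\r\nuser_id=1042&email=a%40b.test")
```

Running `triage_request(SAMPLE_REQUEST)` flags both a CSRF candidate and `user_id` as an IDOR candidate; either finding is only a prompt to verify by hand, as the post advises for all tool output.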

Live HTTP Headers: To be very frank, I rarely use this extension, as it has exactly the same function as Tamper Data; the only difference is that you can capture and replay within the same session.
Download: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

Default User Agent Switcher: It gives you the ability to change your user agent. Basically I use it to find the mobile version of any site, and you may use it whenever you want to see the mobile version of a website. Mostly developers host the mobile version on m.xyzdomain.com, but sometimes a website loads the mobile version after detecting the user agent. With this extension you can change your user agent to a mobile one and view the mobile version of the site.
Download: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Hackbar: It helps with SQL as well as XSS testing, and it also encodes and decodes strings and does ASCII conversion. This extension will help you in exploiting SQL injections and XSS holes. If you know what you’re doing, this extension will help you do it faster. If you want to learn SQL exploitation, you can also use this extension, but you will probably also need a book, a lot of Google and a brain 🙂
Download: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

And last but not least, we cannot forget Burp Suite.

Burp Suite: Burp Suite is an integrated platform for performing security testing of applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

(It is one of the most awesome tools I have ever come across. There are a lot of features you can use; just make sure you understand each and every function of Burp Suite.) I’m sure you know that all its functionality will make your task way easier if it is related to security. But be sure to manually validate your findings, as it does report false positives.
Download: http://portswigger.net/burp/download.html

Now we are loaded and ready to shoot some technical things. But before heading further, I assume that you have ample knowledge of the OWASP Top Ten vulnerabilities. If you don’t, please pause at this point and have a look at the OWASP topic; just Google it. If we talk about practical knowledge, there is Damn Vulnerable Web Application, aka DVWA, which will help you understand OWASP in a practical way: just install it on your local machine and try to solve the problems on your own (believe me, it is quite an infotainment process). Don’t go through it once and pretend to know everything; otherwise it would be the same as going to the gym once and expecting your desired body in a day. It will take time to reach an expert level, so keep patience and keep that passionate fire burning within yourself in order to achieve your goal. If you have any doubt, I’m the happiest person to clear it. There are also other experts whom you can follow on Twitter or add on Facebook and ask your doubts. {Please don’t expect that they will reply to you in a day, because they have their own lives, so give them space 🙂 }

Anyhow, if you are reading this part I assume that you have knowledge of the OWASP vulnerabilities. Now let’s discuss a little about selecting targets. If you are at the beginner stage, don’t directly jump into finding vulnerabilities in Google or Facebook; the only thing you would face is disappointment (trust me, I have gone through this stage: for a week I tried to find a vulnerability in google.com and found nothing). So start from small or random sites, and just make sure to keep your analysis to yourself: don’t show off on social media what you have found in xyz site if the site does not have a responsible disclosure program. I would like to share that currently Bugcrowd holds a list of all bug bounty companies, so try one of them.

Before signing out, I would like to share some quick tips which may help you when you deal with bug bounties.

Some quick tips if you want to earn money from Bug Bounty

  1. Don’t just look for web applications; sometimes a company also has iOS and Android versions, so expand your knowledge to learn about mobile app testing. It will give you more chances to get your bug validated (if you report correctly).
  2. Don’t just look for XSS. I see many times that people only look for XSS vulnerabilities, and at the end they have to face duplicates, so don’t stick with XSS; look for other vulnerabilities too, like CSRF, subdomain takeover, business logic issues, etc. Bug bounty is the same as attacking any clan: the more attacks you know, the more chances you have of getting inside the castle.
  3. Try to learn from other researchers (from their results). Some awesome researchers love to write about their findings, and sometimes they are unique. So follow some researchers on Twitter and Facebook, and subscribe to their blogs.
  4. Be relaxed and cool at the time of testing. If you don’t get anything, just close your laptop or PC, take some fresh air and come back with a fresh mind. Be sure that bug bounty needs a lot of patience, and it will test you to the end of your limits.
  5. Read the bug bounty rules twice (if you don’t understand them). If you have read the Google VRP rules, you will find that acquisitions are also in scope, so try to find the acquisitions list and try to hunt on their domains.
  6. Try to find subdomains. There are lots of company subdomains or owned domains which are still vulnerable, so use your skills to find them all.
  7. Try to learn more about Burp Suite, and if possible get the Pro version, because it has some awesome features which will save your time, e.g. generating an automatic CSRF PoC; there are a lot of features I am not able to explain here, but in one word, they are just awesome.
  8. Now, at last: you know these big companies need to update their systems on a daily basis, so keep your eyes on their blog posts; mostly companies write about their new products, new services or new changes on their official blog. For example, Twitter recently started the Fabric SDK for public use, so if you check Twitter’s bug bounty rules you will find that the Fabric SDK is in scope.

Hope this post has inspired curiosity to find out more about bug bounties. You might have a shower of questions inside you. Don’t let them be wasted; use those drops of doubt to create a new source of knowledge for yourself, and feel free to ask anything on this topic. It would be our pleasure to answer your questions and to teach, learn and share thoughts with each other. I, along with Satish and Archita, will be at the Nullcon Bugcrowd Bug Bash event, so it’s a hi to all of you who are coming to attend Nullcon, and we would like to have a selfie with you guys along with Bugcrowd stickers. With this I am going to put my pen down, guys. Be blessed, keep searching … keep hunting … keep your thought process on till you finish off your victim (goal). At last, heartfelt thanks for reading my post, guys.

About the Author:

A serious tech nut, developer and passionate security researcher, Atul currently holds a Bachelor of Computer Science degree from Pune University, India, while his Master’s level program is underway. Some of you may know Atul as the core course instructor and founder at Suruji.com, a platform into which he invested several years of hard work and continual skill development. Atul has a series of endorsements and acknowledgements from popular companies such as, but not limited to: Google, Twitter, Facebook, Etsy, Red Hat, Apple, Microsoft, GitHub, iFixit, eBay, Constant Contact, 37signals, Nokia, Tuneti and many more.


Senior Community Manager at Bugcrowd. Sam's passionate about working to foster the best researcher community on the web. Prior to joining the security industry Sam worked for Couchsurfing, Electronic Arts, Playfish, and gamerDNA.