How to start practicing Bug Bounty? This question is very common, and I keep receiving it in messages day after day. I cannot answer every message, so I decided to write an article and point all newcomers to it.
I have been doing Bug Bounty for five years now. However, there are many things that I don’t know, and I myself am not an expert, so please do not consider this article as advice from an expert. I’ll just share what I have achieved over the past 5 years, improving my skills every day.
I saw a lot of people in the Bug Bounty community saying, “I'm not a techie, so I am not very good at Bug Bounty.”
In fact, it is a misconception that only someone from the computer field can become a good bug bounty specialist. Familiarity with computer science certainly helps, but it is not required: you can learn the basics entirely on your own. However, if you do not have a technical background, you should only take up bug bounty if you are more interested in learning about information security than in making money.
By education I am a mechanical engineer. I have been interested in information security since my school days, but I studied mechanical engineering on the advice of my family; even so, my focus has always been on information security.
I can tell a lot of stories about how people from the non-technical sphere achieve success in the field of information security and bug bounty.
However, all of them shared the same qualities, namely “interest” and a willingness to do “hard work”.
If you expect to succeed in a night, a week, or a month, this is not the field for you. There is a lot of competition in bug bounty, and a good “bug hunt” can take a whole year. You should keep learning, sharing experience, and practicing. You should be driven by curiosity, striving to learn something new and to explore this area on your own. There is now a very large amount of free educational content.
Do not pay people who claim they will turn you into a bug bounty specialist overnight. Most of them are scammers.
Below are the things you need to know before you get started with information security.
No one can tell you everything about this area; learning is a long road that you must walk yourself, with the help of other people.
“Don't expect everyone to hand you things on a silver platter.”
How to ask questions?
When asking someone a technical question, do it responsibly.
You should not ask questions like: “Here is the endpoint, could you bypass the XSS filter for me?”
Ask questions that are to the point – that’s all.
And do not expect people to answer your question within a few minutes. They will answer as soon as they have free time, or they may not answer at all because of a busy schedule or for some other reason. Treat the people who help you with respect – do not ping them unnecessarily.
How to find answers to all your questions?
Well, I did it before, I do it now, and I will keep doing it: I use Google. (You can use other search engines :P)
Basic technical skills for a beginner
I assume that you have a basic understanding of how things work on the Internet. There are many things you need to learn, and I cannot list them all here. I will list only a few important topics; you will pick up the rest yourself.
- HTTP protocol – TCP/IP model
- Linux – command line
- Web application technologies
- Basic networking skills
It is also very important to get an idea of the various types of vulnerabilities as early as possible. For this I added the “Web Application Security Basics” section below.
Choosing the right path in bug bounty is very important, and it depends entirely on your interests, but many people choose to start with web applications, and I myself think that is the easiest path.
- Web application security testing.
- Mobile application security testing.
However, do not limit yourself to these two points. I repeat, this is a matter of interest.
Web Application Security Basics
- OWASP Top 10 2010
- OWASP Top 10 2013
- OWASP Top 10 2017
Start with 2010 to see which vulnerabilities were in the top that year, then track what happened to them by 2017. You will come to understand this by studying them and practicing.
OWASP V4 Testing Guide
You do not need to finish this testing guide before getting to work; you need to start working on live (legal) targets, because that is the only way to improve your skills.
Mobile Application Security Testing
Once you get more experience, you can freely switch between areas that you like more.
OWASP Mobile Top 10
There is one stop worth making on the road to mobile app security:
Mobile Application Security wiki by Aditya Agrawal.
Application Security wiki, also by Aditya Agrawal.
Books that I periodically refer to
- Web Application Hacker’s Handbook
- Mastering Modern Web Penetration Testing
- The Hacker Playbook 1, 2 and 3
- The Mobile Application Hacker’s Handbook
- Breaking into Information Security
- Web Hacking 101
YouTube Channels and Playlists
- Web development tutorials
Conferences you should watch
Akhil George has created a playlist about bug bounty on YouTube.