If you're looking for a rewarding job in an exciting industry, you might want to consider bug bounty programs as a way of earning money while also giving back to the community.
Bounties are basically an incentive for hackers to find bugs in your code. You can reward them with money and even ask your customers to do some testing too. That's why bug bounty programs are gaining popularity nowadays.
A bug bounty is a program in which a company rewards security researchers for finding and reporting certain vulnerabilities. These rewards are generally paid out as a small bounty. Unlike other programs, where you are rewarded for any security issue you find, you will not receive a reward if your submission results in system downtime or unauthorized access.
HackerOne was created to help developers and organizations become more secure by offering bug bounty programs. Good hackers lead to fewer security breaches and better software development. HackerOne allows organizations to use the hacker talent they already have while also turning their loose beta testers into an army of third-party security auditors, able and motivated to hack vulnerable systems.
These programs are also gaining momentum in the cryptocurrency community as they offer another way to earn and learn.
There are a lot of different types of bug bounty programs. Some programs offer monetary rewards for finding vulnerabilities, while others offer rewards for identifying issues. It is important to consider the type of bug bounty program that is right for your company.
Some things to consider when choosing a bug bounty program include the scope of the program, the types of vulnerabilities that are accepted, and the deadline for submissions.
Not all of these programs pay money as a bounty: some offer swag, and vulnerability disclosure programs (VDPs) offer a place in the hall of fame on their websites, and much more.
Before you start hunting for vulnerabilities, it’s important to understand the basics of bug bounty hunting.
How you can learn to hack/do bug bounty
Read Blogs- People from the infosec community regularly post bug bounty articles, so from them you can learn how they approached their target and what they consider while hunting for bugs. You can also learn from their experience what you need to do and what you don't need to do. So read their blogs. You can read the blogs we post about bug bounty and ethical hacking on our website.
Communicate with the community- As everyone says, communication is key, and that applies to bug bounty and hacking too. So communicate with hackers; I assure you that our infosec community is really great at helping fellow hackers. You can find them on Twitter, LinkedIn, Facebook, Instagram, and many other platforms. You can also drop me a message on any of my social media profiles. (Bonus tip: join our channels on Discord, Facebook, Instagram, and Telegram. Links)
CVE- It's difficult to find an organization that has nothing to do with cybersecurity. But how do you know whether the infosec team is up to date with the latest security news and issues? New vulnerabilities are discovered every second. The list of CVEs is provided by the CVE website, and keeping your applications updated is important too. A lot of the time, organizations don't actually follow the CVEs, or they update their systems in ways that make them less secure. Keeping yourself updated with the latest CVEs and the other daily updates they provide is good practice if you want to work with security-oriented products or apps. Such information gives a great overview of possible vulnerabilities in various applications, new and old. If you are a hacker or bug bounty hunter, it's a must that you keep yourself updated about all the changes in the code base of these types of applications! The best way to stay updated with the latest CVEs is to subscribe to their emails. They are detailed enough for a beginner but also provide a lot of information you might want to know as well. When I was starting out with penetration testing, I relied on their emails to keep up with new vulnerabilities and make sure that my toolset didn't get outdated.
Twitter- The best content creators, ethical hackers, and bug bounty hunters are out there on Twitter. Connect with them, read their articles, learn about the new vulnerabilities they found, read their vulnerability disclosure reports, and much more.
Read Reports- Read the latest public bug bounty reports and apply the methods those security researchers apply. You will learn to hack like them and also learn to write good quality reports. You will also learn how to communicate with the security teams. For reading publicly disclosed reports you can check HackerOne. Their Hacktivity page is really great, so check that out.
What you need to learn first, with a short intro to each
Internet: A worldwide system of computer networks; a network of networks.
HTTP: HTTP is the Hypertext Transfer Protocol. It is the protocol used to transfer data over the web.
TCP/IP: It's a suite of communication protocols used to interconnect network devices on the internet. TCP/IP is also used as a communications protocol in a private computer network.
Networking: It is the practice of transporting and exchanging data between nodes over a shared medium in an information system.
Linux: An operating system that is said to belong to hackers; it is the hacker's operating system.
Programming language: Any one programming language of your choice. You can refer to our blog "Programming for hackers".
Owasp top 10: It provides rankings of—and remediation guidance for—the top 10 most critical web application security risks.
Types of Bug bounty hunting or pen-testing?
Website or Web application pen-testing
Android Applications or apps pen-testing
iOS Application pentesting
Where to find Bug bounty programs?
Hackerone
Bugcrowd
Intigriti
Open Bug bounty
Synack
Hackenproof
You can also find the bug bounty program for any company by simply typing "responsible disclosure" after its name, e.g. "google responsible disclosure".
Writing Vulnerability reports?
STEP 1: State the name of the bug.
STEP 2: Then describe the bug: what it is and what it can do to their organization.
STEP 3: Now give the vulnerable URL.
STEP 4: Now tell them the payload used (if any).
STEP 5: Now give the details of the bug, like the version they are using which is vulnerable and the latest version they have to switch to, and also the OS on which you found the bug.
STEP 6: Now give the steps to reproduce the bug. They should make it easy to trigger the bug.
STEP 7: Now tell them what is happening and what should happen instead. For example, when a password is changed, other running sessions should be logged out; if they are not, it's a vulnerability.
STEP 8: Add other information like traces, crash reports, screenshots, and videos.
STEP 9: If possible, suggest a way the organization can fix the vulnerability.
Some things to consider:
Be careful with your tone in the report.
Don't use bugs against other developers or any other users.
If the program doesn't have a responsible disclosure policy, ask about it before you start hacking.
Vulnerability priorities:
P1 -Critical: Vulnerability score is 10.0. Issues that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
P2 -High: Vulnerability score is 7.0 to 9.9. Issues that affect the security of the software and impact the processes it supports.
P3 -Medium: Vulnerability score is 4.0 to 6.9. Issues that affect multiple users and require little or no user interaction to trigger.
P4 -Low: Vulnerability score is 0.1 to 3.9. Issues that affect single users and require interaction or significant prerequisites to trigger (MitM).
P5 -Informational: Vulnerability score is 0. Non-exploitable bugs in functionality. These issues are by design or are deemed an acceptable business risk to the customer.
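To make the nine steps and the P1-P5 bands concrete, here is an added Python example (written for this post; it is not code from the post or from any bounty platform's tooling). It holds one report as a dataclass with a field per step, lists what a triager would bounce the report for, maps a 0.0-10.0 score onto the P1-P5 bands exactly as they are listed above, and renders the report as plain text in step order. The sample report, its host, build number, score and attachment name are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


def priority_from_score(score: float) -> str:
    """Map a 0.0-10.0 vulnerability score to the P1-P5 bands listed above.

    Band edges follow the post: P1 = 10.0, P2 = 7.0-9.9, P3 = 4.0-6.9,
    P4 = 0.1-3.9, P5 = 0. Scores are compared at one decimal place.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score must be between 0.0 and 10.0, got {score}")
    tenths = int(round(score * 10))  # compare in tenths to avoid float edge cases
    if tenths == 100:
        return "P1"
    if tenths >= 70:
        return "P2"
    if tenths >= 40:
        return "P3"
    if tenths >= 1:
        return "P4"
    return "P5"


@dataclass
class VulnReport:
    """One report, with a field for each of the nine steps above."""
    title: str                         # step 1
    description: str                   # step 2
    url: str                           # step 3
    steps_to_reproduce: List[str]      # step 6
    expected: str                      # step 7: what should happen
    actual: str                        # step 7: what happens instead
    score: float                       # drives the P1-P5 priority
    payload: Optional[str] = None      # step 4
    environment: Optional[str] = None  # step 5: version, OS
    attachments: List[str] = field(default_factory=list)  # step 8
    suggested_fix: Optional[str] = None  # step 9

    def problems(self) -> List[str]:
        """Return what a triager would bounce the report for; empty means it is complete."""
        found = []
        for name in ("title", "description", "expected", "actual"):
            if not getattr(self, name).strip():
                found.append(f"{name} is empty")
        parsed = urlparse(self.url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            found.append("url must be an absolute http(s) URL")
        if not self.steps_to_reproduce:
            found.append("steps to reproduce are missing")
        if not 0.0 <= self.score <= 10.0:
            found.append("score out of range")
        return found

    def render(self) -> str:
        """Render the report as plain text in the order of the nine steps."""
        lines = [f"Title: {self.title}",
                 f"Priority: {priority_from_score(self.score)} (score {self.score})",
                 "", "Description:", self.description,
                 "", f"Vulnerable URL: {self.url}"]
        if self.payload:
            lines += ["", f"Payload: {self.payload}"]
        if self.environment:
            lines += ["", f"Environment: {self.environment}"]
        lines += ["", "Steps to reproduce:"]
        lines += [f"  {i}. {s}" for i, s in enumerate(self.steps_to_reproduce, 1)]
        lines += ["", f"Expected: {self.expected}", f"Actual: {self.actual}"]
        if self.attachments:
            lines += ["", "Attachments: " + ", ".join(self.attachments)]
        if self.suggested_fix:
            lines += ["", f"Suggested fix: {self.suggested_fix}"]
        return "\n".join(lines)


# Constructed sample: the password-change case from step 7. Host, build number,
# score and attachment name are invented for illustration.
SAMPLE = VulnReport(
    title="Password change does not invalidate other active sessions",
    description="After a user changes their password, sessions already logged in "
                "elsewhere keep working, so a stolen session survives the reset.",
    url="https://app.example.com/settings/password",
    steps_to_reproduce=[
        "Log in to the same account in browser A and browser B.",
        "In browser A, change the password.",
        "In browser B, reload any authenticated page.",
    ],
    expected="Browser B is logged out and must re-authenticate.",
    actual="Browser B stays logged in with the old session cookie.",
    score=5.3,
    environment="Web app build 1.2.3 (constructed), tested from Ubuntu 22.04",
    attachments=["session-survives.mp4"],
    suggested_fix="Revoke every session token for the user when the password changes.",
)

if __name__ == "__main__":
    assert not SAMPLE.problems()
    print(SAMPLE.render())
```

Run it and the sample renders as a P3 report; hand the same object to `problems()` with an empty title or a relative URL and it tells you what to fill in before you submit.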
Now let's dive into some practical parts.
Identifying the tech-
As a security researcher hacking on a bug bounty program, you first have to know what tech your target's assets are using so that you can attack them and test their security. For that, we will use:
Wappalyzer - A browser plugin that detects the technologies your target website is using. It is a great plugin, but it will not identify every technology a website uses, and it only detects the technologies of the one website you are viewing. If you are hacking multiple websites, command-line tools are better.
BuiltWith.com - A website that, like Wappalyzer, detects the technologies a site is using, and also lists all the technologies used across a company's websites.
Detecting the Vulnerabilities which are present in the version a site is using.
Now you know what technologies a site is using. So the next step will be to identify the vulnerability that the site has.
For that, we will be using
Google - After finding the tech our target website is using, we look for vulnerabilities in that version, using Google search. Type queries like:
<technology> <version> exploits
<technology> <version> security vulnerabilities
ExploitDB - A database used to search for and download exploit code.
For using it, first go to https://www.exploit-db.com/
and type the tech for which you want to find an exploit or vulnerability. For a command-line tool, install https://github.com/offensive-security/exploitdb; after installing, run ./searchsploit <technology> and it will list the exploits and vulnerabilities in that tech.
CVE - The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. Visit https://nvd.nist.gov/vuln/search, search for the tech, and it will show you the CVEs.
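As an added example of the two steps just described, identifying the tech and then checking its version against known advisories, here is a Python script written for this post; it is not code from Wappalyzer, BuiltWith, Exploit-DB or NVD. It reads the Server and X-Powered-By headers and the HTML generator tag from a constructed HTTP response, and compares each version numerically against a hypothetical advisory list of (product, first affected, first fixed). The version ranges are invented; the real ones come from Exploit-DB or NVD.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP response (no real host). Server, X-Powered-By and the
# HTML generator tag are where tools like Wappalyzer read technology hints.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.10 (Unix) OpenSSL/1.0.2\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.8.1">'
    "</head><body>hi</body></html>"
)

# Hypothetical advisory list in the shape you would assemble from Exploit-DB or
# NVD search results: (product, first affected version, first fixed version).
# All three entries are constructed for this example, not real advisories.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("Apache", "2.4.0", "2.4.11"),
    ("PHP", "7.4.0", "7.4.4"),
    ("WordPress", "5.8.2", "5.8.3"),
]

PRODUCT_VERSION = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")
GENERATOR_TAG = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(raw: str) -> Dict[str, str]:
    """Return {product: version} for every versioned technology the response reveals."""
    headers, body = split_response(raw)
    found: Dict[str, str] = {}
    for header in ("server", "x-powered-by"):
        for product, version in PRODUCT_VERSION.findall(headers.get(header, "")):
            found[product] = version
    m = GENERATOR_TAG.search(body)
    if m:
        parts = m.group(1).split()
        if len(parts) == 2 and re.fullmatch(r"\d+(?:\.\d+)*", parts[1]):
            found[parts[0]] = parts[1]
    return found


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10), so 2.4.10 sorts after 2.4.9 (a string compare gets this wrong)."""
    return tuple(int(p) for p in text.split("."))


def in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def affected(found: Dict[str, str], advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """List (product, version, first_affected, first_fixed) for each advisory the fingerprint falls into."""
    hits = []
    for product, lo, hi in advisories:
        version = found.get(product)
        if version and in_range(version, lo, hi):
            hits.append((product, version, lo, hi))
    return hits


if __name__ == "__main__":
    techs = fingerprint(SAMPLE_RESPONSE)
    print(techs)
    for hit in affected(techs, ADVISORIES):
        print("check the advisories for", hit)
```

The numeric compare is the part worth copying: a plain string comparison says "2.4.10" is older than "2.4.9", which is exactly the kind of mistake that makes you miss (or wrongly report) an affected version.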
Now that you are familiar with these things, we will move on to some other things.
Learn to use Google: As hackers or bug bounty hunters, we need to know what to search for and how to use Google as a reference while hunting for bugs.
Find the vulnerability which you love to find: Finding your own specialty is the key to success. This means finding out which bug you find easy to exploit and detect. I love to find SQL injection, and XSS sucks for me. There may be cases where you like to find SSRF and SQL may not be interesting to you. (You need to learn SQL too, but for starting out, focus on one bug at a time.)
Keep yourself up-to-date: Tech is changing every day so it is important to know which tech is upgraded and what CVEs are on the previous version.
How to Choose Bug Bounty programs
Bigger scope
Functions
Subdomains
response time
easy resolve
fewer security researchers on the program
new program
rewards program
pay well for your hard work, a good bounty amount
have account functionality
fix the bug in less time
if they don't pay, they award swag (for beginners: hack on the programs that don't pay you money)
There are many resources for bug bounty but some of them are listed below.
Some Bug Bounty Tools
Subdomain Enumeration:
subfinder
assetfinder
amass
chaos
sublist3r
massdns
findomain
subomy
domained
shuffledns
censys subdomain finder
Turbolist3r
censys-enumeration
tugarecon
as3nt
Subra
Substr3am
altdns
brutesubs
dns-parallel-prober
dnscan
knock
hakrevdns
dnsx
crtndstry
VHostScan
scilla
sub3suite
Port scanning:
masscan
RustScan
naabu
Nmap
sandmap
ScanCannon
One-liners for bug bounty
Find Subdomain with subfinder:
subfinder -d target.com -silent | httpx -silent -o urls.txt
Find Subdomain with Gospider:
gospider -s "https://site.com" -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew
Find .git/head:
curl -s "https://crt.sh/?q=%25.tesla.com&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code -mc 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew
Find XSS:
gospider -s "https://www.target.com/" -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt
There is much more you can find on https://github.com/twseptian/oneliner-bugbounty
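The crt.sh one-liner above hands the JSON to jq and assetfinder and dedupes with anew. As an added example (written for this post; not code from the one-liner repository, crt.sh or any of those tools), here is the same processing in Python over a constructed crt.sh-style JSON blob, plus the scope check that the advice about program scope implies: wildcard scope entries, explicit exclusions, and lookalike domains that merely contain the target name. Hostnames and the scope list are invented.

```python
import json
from typing import Iterable, List, Set

# Constructed crt.sh-style JSON in the shape the curl one-liner pipes into jq.
# Hostnames are invented. name_value can hold several names separated by
# newlines, mixed case, and wildcard certificates written as "*.host".
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_ca_id": 1, "name_value": "www.example.com\nEXAMPLE.COM"},
    {"issuer_ca_id": 1, "name_value": "*.example.com"},
    {"issuer_ca_id": 2, "name_value": "api.example.com\napi.example.com"},
    {"issuer_ca_id": 3, "name_value": "legacy.example.com"},
    {"issuer_ca_id": 3, "name_value": "example.com.evil.test"},
    {"issuer_ca_id": 4, "name_value": "mail.example.org"},
])


def names_from_crtsh(json_text: str) -> Set[str]:
    """Extract unique, lower-cased hostnames from crt.sh JSON, dropping wildcard prefixes."""
    names: Set[str] = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host and " " not in host and "." in host:
                names.add(host)
    return names


def in_scope(host: str, includes: Iterable[str], excludes: Iterable[str] = ()) -> bool:
    """Apply a program scope: '*.example.com' covers the apex and every subdomain,
    a plain name covers only itself, and an exclude wins over an include."""
    def matches(pattern: str) -> bool:
        if pattern.startswith("*."):
            apex = pattern[2:]
            # endswith("." + apex) rejects lookalikes such as example.com.evil.test
            return host == apex or host.endswith("." + apex)
        return host == pattern
    if any(matches(p) for p in excludes):
        return False
    return any(matches(p) for p in includes)


def new_only(seen: Iterable[str], candidates: Iterable[str]) -> List[str]:
    """The deduplication step anew does in the one-liners: keep only names not
    already in the seen list. Returned sorted here so the output is stable."""
    known = set(seen)
    return sorted(c for c in candidates if c not in known)


if __name__ == "__main__":
    hosts = names_from_crtsh(SAMPLE_CRTSH_JSON)
    scoped = {h for h in hosts if in_scope(h, ["*.example.com"], ["legacy.example.com"])}
    print(new_only(["www.example.com"], scoped))
```

Keep the scope lists in a file next to your results: the `in_scope` check is what stops a CT-log pull from dragging an excluded host, or a domain that only contains the target's name, into what you test and report.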
Last words
The best tip I can give you as a pentester:
Bug bounty is a stressful job.
Don't put stress on your mind; it happens to every security researcher.
If you find yourself getting overwhelmed after not finding vulns, remind yourself that some apps are just more secure than others.