From zero to hero in bug bounty [Pt. 1]

A complete guide to becoming a bug bounty hunter in 2022!


Introduction:

Hi there! So you want to learn to find security vulnerabilities in web applications and report them lawfully in exchange for awesome (often monetary) rewards/bounties? If so, you've found the right place!

Welcome to my zero-to-hero bug bounty guide! By the end of this series, you'll understand how the web works, know how to work with the most used tools such as your browser and a proxy interceptor, and know how to find and fully test common (OWASP Top 10) security vulnerabilities! This is a weekly newsletter: I will send out each part every week (hopefully at the same time and day)!

Below is a small summary of what this series will cover:

Table of contents:

  1. A quick introduction to bug bounty, basic requirements and what more to expect (Part 1)

  2. How the web works (the HTTP protocol, common request/response headers, etc)

  3. Networking basics (explain basic networking concepts that you will be dealing with a lot, like what is an IP)

  4. Introduce you to common web app pentesting tools such as your web browser's console and a proxy interceptor

  5. Go through OWASP's top 10 vulnerabilities. These are common vulnerabilities that are found in websites. I'm also going to tell you where and how to find them (based on my real findings, you really do not want to miss out on this)

  6. Once we have covered the basics of web app security vulnerabilities, I will teach you how to find suitable programs to start working on (and get your first bounties in ;).

  7. After that, we will go ahead and start automating a lot of repetitive work (again, you do not want to miss out on this as well, I'll be revealing some work that I do for @novasecio).

  8. I will cover some advanced bypasses as well (another thing that you don't want to miss out on)

I might add more to this table depending on your feedback ;)! And if you are as excited as I am, go ahead and tweet about it!

Before we move on to the requirements and who I am, let me first help you understand the concept of "bug bounty" and clear up some misconceptions, to avoid any kind of disappointment.

What is Bug Bounty?

Bug bounty, or bug bounty hunting, is a type of activity where an ethical hacker or web application penetration tester looks for impactful security vulnerabilities inside a pre-defined scope and under an agreement with the company. If the "bug bounty hunter" succeeds in finding a security vulnerability, he/she can report it to the company in exchange for a (monetary) reward, also commonly referred to as a "bounty".

Anything outside of the pre-defined scope is usually referred to as "out-of-scope" or "OOS" for short. These vulnerabilities are often not rewarded, as you did not adhere to the program rules.

It can also happen that 2 independent bug bounty hunters report the exact same vulnerability. Usually, the first submission gets accepted, and any submission following it is rejected as a "duplicate" and is in most cases not eligible for a (monetary) reward.

You will usually report security vulnerabilities through bug bounty platforms, as they provide extra coverage and guidelines that both parties, you and the company, should adhere to.

Bug bounty Misconceptions:

  • First of all, bug bounty is not a get-rich-quick game. It requires you to work hard, stay consistent and, most importantly, keep learning new things! (Also, just to save you some time on further research, there are no (legal) get-rich-quick jobs anywhere.)

  • Bug bounty is not about finding a vulnerability, it's about finding impact. You only get paid if you find something that can impact other users or cause direct harm to the company. If you are looking to get paid for every hour worked, web application penetration testing might be a better fit for you. Also, bear in mind that companies still have the final say in what and how much they reward you.

To not completely demotivate you or push you away from bug bounties, I've included some upsides as well!

Bug bounty Upsides:

  • One of the big upsides is of course the rewards: you could go a few weeks without finding a single vulnerability until that one moment when you find a critical security issue and earn your entire monthly (or even yearly) salary in just a few hours/days of actual work (this is of course backed by your years of experience and knowledge).

  • Second upside? If you take bug bounty seriously and stay consistent every day, you can easily gain enough knowledge and experience to apply for a job as a web application penetration tester! I've done it, and many others like me have got there too, with or without certification!

Now that I covered what bug bounty is all about, let me quickly introduce myself.

WHOAMI:

I am @0xblackbird, an 18-year-old bug bounty hunter with 3 years of experience in web application penetration testing and a deep background in computer programming!

I wrote my first line of code when I was 11 (almost 12) years old and got into game development shortly after that. I made a couple of switches (game dev, 3D animating, ...) until I discovered web application penetration testing! I liked the fact that you can get paid (serious cash) for breaking websites, and I stuck with it!

At the moment, I'm a full-time bug bounty hunter, I do some pentesting work on the side as well, and I'm also building @novasecio, a Pentesting-as-a-Service platform (I can't reveal more, it's private only at the moment, but you're gonna love it)!

I usually hunt on Intigriti (I rank in the top 200 at the moment), but over the last few months I've been hunting on a few platforms, as my favourite programs are not all on the same platform. I will link the most popular bug bounty platforms in the next posts when I teach you which programs to look for.

Let's not waste any more time and move on to the requirements!

Requirements:

You are most likely going to need a machine that you're quite familiar with. Windows, Mac or any Linux distro will do. Just be comfortable with it.

I know some people are hacking from their phones, but it's extremely unreliable: first of all, it's a very small screen, and secondly, you're going to waste a lot of your time on small, simple tasks. I recommend you get yourself a PC or desktop (it's an investment in yourself, and you can fully control the return on that investment by staying consistent).

The following requirement is optional, but I highly recommend having at least a basic grip on web development, as you'll be dealing with a lot of client-side stuff. It's only going to help you understand things better and help you find more bugs (more on this later).

Here are a few YouTube videos on front-end web development:

  • 2-hour course on HTML for beginners

  • Full JavaScript course, learn it in 3.5h

  • Full CSS course in 6h

You are also probably going to start automating your stuff later. Having the ability to program will help a lot in automating repetitive tasks! Any language is okay as long as you are comfortable with it and it does the job.

Python3 is the easiest to learn (the syntax is easy to understand) and gets recommended a lot as a first programming language. However, you can also learn Ruby. If you want speed, Rust, C/C++ or Golang are the way to go. If you're working on a Linux distro, bash is a must-have. Here's a 3h course on bash.

Some YouTube videos to get you started:

  • Learn Python3 (6h course) or go for Python3 (4.5h course)

  • Ruby 4h course

  • Rust 1.5h course

  • Learn C++ (31h course) 😂

  • Learn Golang (6.65h course)

Again, this is optional but highly recommended. You can also skip this part until later.

One final note

I do not intend to make these parts long; I want to keep my newsletter posts short and easy to follow! Any feedback is highly appreciated! You can jump into my DMs or reply to this email if you're reading this from your mailbox!

If you do not have Twitter (yet), I would highly recommend you create an account, as Twitter is where the biggest infosec community is. You can follow me & direct message me anytime: @0xblackbird

A last task for today: I recommend you go through my following list on Twitter and follow every account I follow that is related to infosec (skip the aviation stuff) to get your Twitter feed filled with bug bounty content. That's the best way to keep up with the latest news on bug bounty: you get writeups, payloads, and news about the latest CVEs (more on this later).

This is where I end part 1 of this zero-to-hero bug bounty course. See you in the next part, where I will start explaining the concept of HTTP and how the web works!