This post is just a mirror of my "five weeks to your first bug" challenge, a mini series on getting into bug bounty hunting. This guide aims to help absolute beginners.
Becoming a bug bounty hunter is a relatively straightforward process: open your favorite terminal and execute this.
$ make me a BugHunter
Unfortunately, that's not the case. Doing bug bounties is hard labor. It is results-based, and when you are a beginner there is a high chance of duplicate bugs, meaning someone else found the same bug before you, which means you make $0 for a lot of work!
But hey! Don't give up hope yet; this guide is all about reporting your very first vulnerability in 5 weeks! You have to spend 3 hours per day, so it will take you ~100 hours. This guide only focuses on finding your first cross-site scripting vulnerability. Why cross-site scripting? Because it's the most common vulnerability, and it's easy to exploit.
How to begin?
This guide assumes you have a primary computer, software, and basic info-sec skills: you at least know theoretically what a vulnerability and an exploit are. And most importantly, you have a curiosity that drives you nuts to know more.
Besides time, which is the most critical factor, you have to clear your head and change your mindset from making quick cash to learning and practicing what you've learned.
Due to its nature, bug bounty hunting isn't for everyone. The likelihood of burnout and imposter syndrome is higher than in many other tech jobs.
The best way to prevent these issues is by taking baby steps. Don't force yourself to get results; relax, sit back, and enjoy the journey.
What really is a bug bounty?
A bug bounty program is a deal offered by many websites, organisations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organisations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty.
Well said, wiki. In straightforward words: you join your favorite team as a freelance security researcher, but you only get paid if you find an issue with a security impact.
Now, if you have what it takes and you are determined to take this path, let us begin!
The first week is all about preparation. You can google for bug bounty platforms and find one you like. Here are a few popular ones.
Open these sites and read their docs and rules to get familiar with the platform itself. Next, head over to the program directory on each and check which software you enjoy working on; is there any program in the list whose product you already use as a user? That can significantly help you. Also register a user account on your chosen platform. Make sure you understand that some programs offer money and some don't; those that are not paying are easier targets to sharpen your skills and report your first valid vulnerability.
Try to find as many assets (sub-domains, URLs, etc.) as you can that belong to the target you've chosen.
By the end of this week, you should be able to use Burp Suite for intercepting HTTP and HTTPS traffic; you should also have a better understanding of the recon process.
```php
<?php
$xss = $_GET['XSS'];                     // user input
echo $xss;                               // vulnerable: no sanitisation
echo htmlentities($xss, ENT_QUOTES);     // not vulnerable: output is HTML-escaped
?>
```
Next is stored cross-site scripting. The only difference from the reflected one is that the data is stored in some database and later on shown to the user. Here is what the code at the backend looks like.
```php
// ...
$SQL = "select title from user where id=10"; // imagine this returns <script>alert(0)</script>
$result = $conn->query($SQL);
$row = $result->fetch_assoc();               // fetch the stored row
echo $row['title'];                          // it will reflect <script>alert(0)</script> to the user
// ...
```
So in this case we used the following string for our title.
```javascript
// let's say this is the code located at http://127.0.0.1/xss.html
var pos = document.URL.indexOf("xss=") + 4;
document.write(document.URL.substring(pos, document.URL.length));
```
This can be simply exploited.
So this is very similar to our backend example, but it's in client-side code. The impact is as high as the previous one, and it can be exploited like the past issues.
By the end of this week you should be able to find and exploit simple DOM-based XSS vulnerabilities.
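An added example, not code from the original post: the DOM sink above rewritten as a pure function (so it runs in Node without a browser) beside a hardened version that applies the same escape-on-output rule as the earlier PHP htmlentities() example. The function names and the test URLs are constructed for illustration; the payload is the one the post uses.

```javascript
// Mirrors the post's sink: take everything after "xss=" in the full URL and
// hand it to document.write() unchanged. We return the string that would be
// written instead of writing it, so the behaviour can be inspected.
function renderUnsafe(pageUrl) {
  const pos = pageUrl.indexOf("xss=") + 4;
  return pageUrl.substring(pos, pageUrl.length);
}

// Hardened version: escape the five HTML-significant characters so the value
// is rendered as text, never parsed as markup (the JS counterpart of
// htmlentities($xss, ENT_QUOTES) in the PHP example).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Parse the URL properly, take only the "xss" query parameter (never the
// fragment), and escape it before it reaches the page.
function renderSafe(pageUrl) {
  const value = new URL(pageUrl).searchParams.get("xss");
  return value === null ? "" : escapeHtml(value);
}

// Constructed inputs using the post's own payload.
const benign = "http://127.0.0.1/xss.html?xss=hello";
const payload = "http://127.0.0.1/xss.html?xss=<script>alert(0)</script>";
// The post's sink reads document.URL, which includes the fragment, so the same
// payload after "#" is also written into the page. A browser never sends the
// fragment to the server, so that variant leaves no trace in server-side logs;
// only client-side hardening such as renderSafe() catches it.
const fragmentOnly = "http://127.0.0.1/xss.html#xss=<script>alert(0)</script>";

for (const u of [benign, payload, fragmentOnly]) {
  console.log("unsafe:", renderUnsafe(u));
  console.log("safe:  ", renderSafe(u));
}
```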
We are facing a sad pandemic nowadays. If you are in quarantine, you can use your extra time to report your first issue.
Stay focused. Don't even try to learn about other issues; focus only on XSS. If you want to learn more, learn more about XSS, and imagine you have not learned it yet until you submit your first valid XSS issue. Cut out all the noise and juicy information around you and focus only on cross-site scripting.
This week you practice everything you learned on your target. If you started with a paid program and can't find anything, move on to another target which offers swag and points, but your end goal here is to find and report your first "valid" XSS vulnerability, which can be DOM-based, stored, or reflected.
There are so many vulnerability types that it is very hard to create a series like this on each of them, but now you already have a working methodology for dealing with new issues: you spend some time learning and practicing the issue, then take your gained knowledge and test real-world targets.
I can't wait to see that you've found and reported your first XSS vulnerability. If you have done it, contact me!