Hello everyone, After a lot of requests and questions on topics related to Bug Bounty like how to start, how to beat duplicates, what to do after reading a few books, how to make great reports. I am here with my new Updated Blog and answering all of such questions. I am starting from basic as prerequisites to tips and labs along with report writing skills. I have also included some of my personally recommend tips and how to write great reports. Hope you all like it.
What is Bug Bounty?
If you go to Google & Search What is Bug Bounty you will get :
A reward offered to a person who identifies an error or vulnerability in a computer program or system Identification and reporting of bugs and vulnerability in a responsible way.
What to study for hunt bug ?
Internet, HTTP, TCP/IP
Networking
Command-line
Linux
Web technologies, java-script, PHP, java
At least 1 programming language (Python/C/JAVA/Ruby..)
Owasp top 10
Choose your path:
Web Pentesting
Android Application Pentesting
IOS Application Pentesting
Books:
For Web:
Web app hackers handbook
Web hacking 101
Mastering modern web pen testing
Bug Bounty Playbook
Real-World Bug Hunting
OWASP Testing Guide.
For Mobile:
Mobile application hacker’s handbookTools:
Burpsuite
Nmap
dirt buster
Sqlmap
Netcat
OwaspZap
Ffuf
Project Discovery
Types of Bug Bounty program:
Only Hall of Fame
Hall of Fame With Certificate of Appreciation
HoF with Swags / only Swags
Hall of Fame with Bounty
Only Bounty
Bug Bounty Platform
Bug Bounty Program:
Open For Signup
Hackerone
Bugcrowd
hackenproof
Bugbountyjp
Intigriti
Open Bug Bounty
Invite based Platforms:
Synack
Yogosha
Points To Remember
Choose wisely (Initially, don’t think about bounties)
Select a bug for the hunt
Exhaustive search
Not straight forward always
Report Writing/Bug Submission:
Create a descriptive report.
Follow responsible disclosure policy.
Create POC and steps to reproduce
Sample format of the report:
Vulnerability Name
Vulnerability Description
Vulnerable URL
Payload
Steps to Reproduce
Impact
Mitigation
Vulnerabilities Priorities:
P1 -Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
P2 -High: Vulnerabilities that affect the security of the software and impact the processes it supports.
P3 -Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
P4 -Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) to trigger.
P5 -Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.
Looking for more programs using Google Dorks
inurl:”bug bounty” and intext:”€” and inurl:/security
intext:bounty inurl:/security
intext:”BugBounty” and intext:”BTC” and intext:”reward“
intext:”BugBounty” and inurl:”/bounty” and intext:”reward
Words of wisdom:
PATIENCE IS THE KEY, takes years to master, don’t fall for overnight success
Do not expect someone will spoon feed you everything.
Confidence
Not always for bounty
Learn a lot.
Won’t find at the beginning, don’t lose hope
Stay focused
Depend on yourself
Stay updated with InfoSec world
Thanks, everyone for reading:)
Happy Hacking ;)
--thankyou For reading my blog
read and enjoy my blogs
ReplyDeletePost a Comment