In the previous article, we had a brief introduction to bug bounty. Now let us explore the best way to get into this field. Many people who start this journey ultimately give up, usually because they lack genuine interest in the subject. You often hear about bounty hunters earning huge sums of money; what happens behind the scenes, including all the hard work and failed attempts, stays out of view. As a result, plenty of people have the false idea that they can start in bug bounty and immediately earn money.
Sometimes the best way to learn something is to take the advice of those who are already at the top. Don’t trust anyone who promises that you will master something in a few days. Nearly everything worthwhile takes a lot of hard work, failures and mistakes, and bug bounty is no different. In my opinion, one of the best pathways into bug bounty is the one outlined by Farah Hawa. Farah is currently a YouTuber who publishes teaching content relating to bug bounty.
Farah’s journey to success
She has made a name for herself in the community and also takes part in many online workshops. Before becoming a bounty hunter, however, she was a web developer who built websites, so when she joined the bug bounty industry she already knew where to look for bugs. Below we dissect the information she provides in her bug bounty journey video.
The first type of resource that Farah recommends is books: beginner-friendly books aimed mainly at explaining web application concepts and weaknesses. One upside of the first book is that it can be bought as a paperback; very often, technical authors only publish PDFs, much to the disappointment of many readers.
The Web Application Hacker’s Handbook – According to Farah, the book explains each class of bug in detail, shows where in an application to look for it, and walks step by step through how to exploit it. Keep in mind that the second edition dates from 2011, so pair it with up-to-date material for modern frameworks; the methodology it teaches still holds. You can buy this book from Amazon using this link – https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
OWASP testing guide – This guide is similar to the above book. It is a bit less descriptive and perhaps not as beginner-friendly, but it is still very useful and is updated by many of the industry’s leading experts. The OWASP testing guide has no paperback version and is available to download for free. The OWASP book states that:
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security “visible”, so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.
The second type of resource that Farah mentions is blogs. To find the best blogs and writeups, she encourages the viewer to be more active on Twitter and LinkedIn. It is good advice, because many of the best hackers are on these platforms and regularly share valuable content. You can even message them if you need some motivation, and most of them will get right back to you. Just keep in mind not to ask to be spoon-fed every single concept. Farah’s recommended blogs are linked below.
Vickie Li’s blog – https://vickieli.medium.com/
600 writeups – https://github.com/devanshbatham/Awesome-Bugbounty-Writeups
One more tip Farah gives is not to follow blogs and writeups like a parrot, copy-pasting commands and repeating actions. Instead, she asks us to be open-minded, to think outside the box and to absorb the hacker mentality from these writeups, so that when you face a new target you know what to do and where to look for bugs.
The third resource Farah talks about is labs, which also happens to be one of my favourites. Labs are virtual environments that simulate a vulnerable website or application. They let you practise and master your skills in a safe environment without harming anyone or getting into trouble with the law: it is hands-on learning. Farah recommends:
PentesterLab – It is updated regularly, hence the monthly subscription. The lab has earned praise from many professional security analysts, such as Shubham Singh, Chris Green and Andy Acer, to name a few. You can access PentesterLab via this link – https://pentesterlab.com/pro
PortSwigger – The Web Security Academy is free and offers learning materials and hands-on labs covering web bugs. One interesting fact about PortSwigger is that the tutorials are made by the same team that builds Burp Suite. Burp Suite is a tool you will use a lot when doing bug bounty hunting, as you will see in future tutorials. In simple terms, it sits between your browser and the server as an intercepting proxy, so you can view and modify every request before it reaches the server. That lets you change input that client-side controls (JavaScript validation, disabled form fields, hidden inputs) would otherwise stop you from sending. The lesson for developers is the flip side: client-side controls are a convenience for the user, not a security boundary, and if the server does not enforce the same checks itself, anyone with Burp Suite can bypass them. You can access the PortSwigger academy via this link – https://portswigger.net/web-security.
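To make the client-side versus server-side point concrete, here is an added example (not code from the original article, from Farah, or from PortSwigger). It models a checkout endpoint as a plain function over the parsed fields of a POST request. The field names, the catalogue prices and the quantity limit are assumed for illustration; the "tampered" request is what an intercepting proxy would let you send after the page's JavaScript had already approved the honest one.

```python
"""Client-side checks are not security controls.

Added example. The catalogue, field names and limit are assumptions made
for this illustration, not taken from any real application.
"""
from decimal import Decimal

# Server-side source of truth (assumed catalogue for the example).
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("9.50")}
MAX_QUANTITY = 10  # the same limit the page's JavaScript enforces in the browser

# What the browser submits after its own JavaScript validation passed.
HONEST_REQUEST = {"sku": "sku-100", "quantity": "2", "price": "49.99"}

# The same request after editing it in an intercepting proxy: the page's
# JavaScript never saw these values, so its checks simply did not run.
TAMPERED_REQUEST = {"sku": "sku-100", "quantity": "500", "price": "0.01"}


class ValidationError(ValueError):
    """Raised by the hardened handler when a request fails server-side checks."""


def checkout_vulnerable(form):
    """Trusts the price and quantity the client sent, on the assumption that
    the page's JavaScript already validated them. Anything forwarded by a
    proxy is accepted as-is, so the attacker sets their own price."""
    quantity = int(form["quantity"])
    price = Decimal(form["price"])
    return price * quantity


def checkout_hardened(form):
    """Re-derives every security-relevant value on the server and re-checks
    the limits, regardless of what the client claims."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValidationError("quantity is not an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValidationError("quantity out of range")
    # The client-supplied price is ignored entirely; the catalogue decides.
    return CATALOGUE[sku] * quantity


def hardened_accepts(form):
    """True if the hardened handler would process the request."""
    try:
        checkout_hardened(form)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    print("honest,   vulnerable:", checkout_vulnerable(HONEST_REQUEST))
    print("tampered, vulnerable:", checkout_vulnerable(TAMPERED_REQUEST))
    print("honest,   hardened  :", checkout_hardened(HONEST_REQUEST))
    print("tampered, hardened  :", "accepted" if hardened_accepts(TAMPERED_REQUEST) else "rejected")
```

The vulnerable handler happily charges 5.00 for 500 units because the browser's checks never ran on the edited request; the hardened one never reads the client's price at all and re-applies the quantity limit, which is the kind of server-side control that stops the bypass.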
Programming is a topic many aspiring hackers set aside. There is a common belief that programming languages are not useful in hacking, but this is very far from the truth. Knowing a programming language lets you understand in depth how a program works and why a bug occurs, and lets you read an application's source code when you have it. You will also sometimes need to write your own tool to exploit a specific vulnerability, or to chain steps that no existing tool automates. A further reason is that many commonly available tools are easy to fingerprint: their default User-Agent strings and request patterns are well known, so intrusion detection systems and web application firewalls flag them. A custom-built tool avoids those signatures and is often faster, because it contains only what you need.
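To show what "the tool has a signature" means in practice, here is an added example (not code from the original article) that runs a minimal User-Agent signature check over constructed web-server access log lines. The log lines are made up for the example; the two patterns correspond to the default User-Agent strings sqlmap and Nikto send unless you override them. The fourth line carries the same injection probe as the sqlmap line but was sent by a hypothetical custom script with a browser-like User-Agent, and the header-based rule does not catch it.

```python
"""Signature check over access logs: why off-the-shelf scanners get flagged.

Added example. Log lines are constructed; the combined log format and the
two scanner signatures are assumptions for this illustration.
"""
import re

# Apache/nginx "combined" log format, assumed for the sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The kind of rule an IDS/WAF rule set carries for common tools' defaults.
SCANNER_SIGNATURES = {
    "sqlmap": re.compile(r"sqlmap/", re.I),
    "nikto": re.compile(r"\(Nikto/", re.I),
}

# Constructed sample: a normal visit, a default-config sqlmap probe, a Nikto
# probe, and the same sqlmap payload re-sent by a custom script that spoofs
# a browser User-Agent (hypothetical, for the example).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /search?q=test HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
203.0.113.9 - - [10/Mar/2023:12:00:05 +0000] "GET /search?q=test%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Mar/2023:12:00:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.12 - - [10/Mar/2023:12:00:09 +0000] "GET /search?q=test%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_scanners(log_text):
    """Return a list of (client ip, tool name) for every request whose
    User-Agent matches one of the scanner signatures."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line; skip rather than crash
        for tool, pattern in SCANNER_SIGNATURES.items():
            if pattern.search(entry["ua"]):
                hits.append((entry["ip"], tool))
                break
    return hits


if __name__ == "__main__":
    for ip, tool in flag_scanners(SAMPLE_LOG):
        print(f"{ip} flagged as {tool}")
```

Run as-is it flags 203.0.113.9 twice and says nothing about 203.0.113.12, even though that request carries the identical injection payload. That gap is the author's point about custom tools, and it is also why a defender would not stop at header signatures but add rules on the request content as well.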
That’s it for another tutorial on bug bounty, we look forward to seeing you on future tutorials relating to this topic.