As we all know Learning bug bounty hunting is a great idea for anyone looking to break into the cyber security field. It can provide you with valuable experience in identifying and remediating system vulnerabilities, as well as an understanding of the ethical procedures and principles involved in the bug bounty process.
It can also help you build connections with the bug bounty community and gain recognition in the industry. Furthermore, it can be a great way to make money, as bug bounty hunters are often rewarded financially for their efforts.
Let’s look at some of the points that can help you in starting your journey 🙂
1. Learn how the Internet works, and how internet security works (encoding, session management, SOP, etc) use any medium for this like TryHackMe & Hackthebox Academy
2. Learn about the most common security tools used in Bug Bounties like —
- Burp Suite
- OWASP ZAP
- Fiddler
- Wireshark
- Nmap
- Hydra
- Metasploit
- Visual Code Grepper
- SQLMap
- Nikto etc…
3. Learn about how to do proper Reconnaissance, manual & automatic. Whois and reverse Whois, Subdomain Enumeration Service Enumeration Directory Brute forcing Third-party hosting, etc.
4. Writing your own scripts in Bug Bounty can help you hone your skills in finding and exploiting security vulnerabilities, Additionally, it allows you to customize the scripts to your own needs, making it easier to find the exact issues you are looking for. (not mandatory)
5. Learn about Web vulnerabilities (same goes for other targets) XSS, Open redirects, Clickjacking, Cross-site Request forgery, and many more. but but but don’t just learn all vulnerabilities, learn one and then give it 1 week and try to find it on real targets (VDPs)
Don’t just jump from one vulnerability to another, learning one and trying your best to find it will be best for you 🙂 Try to solve CTF related to the same vulnerability. Such as @picoctf
6. You can also use vulnerable machines to practice but spending more time on these machines is not advisable. eg. OWASP WebGoat, WebSecurify, and Buggy Web Applications
7. Feeling confident enough? Awesome 🙂 Join a bug bounty program and start submitting valid bug reports. Now you are hunting on real targets so Duplicates will be a part of your journey, but you don’t have to give up, dups means you are finding real vulnerabilities 🙂
8. Network: Connect with other bug bounty hunters and the security community in general. By networking with other bug bounty hunters, you can gain access to valuable resources and knowledge, and get help when needed.
9. Keep learning: Keep learning and stay up-to-date with the latest security research and trends.
Some resources:
Books:
The Bug Hunter’s Methodology
Web Hacking 101
Bug Bounty Bootcamp
Bug Bounty Hunting Essentials
Real World Bug Hunting by Peter
Hacking: The Art of Exploitation
The Web Application Hacker’s Handbook
Labs
PortSwigger Academy
Tryhackme
Hackthebox
Pentesterlabs