TL;DR: This guide is tailored for complete beginners. Learn how to hunt down digital bugs, improve cybersecurity skills, and earn $$$$$ along the way!
The majority of in-scope assets are web applications, so it’s essential to learn web technology. It’ll help you understand the game better & keep you ahead of the competition. Learning languages like JS helps a lot. Once you know the basic flow of the web (front-end, back-end, DB), you can learn how to break it!
Your machine is your weapon! Learn your OS and become a pro at the CLI. It’s essential in your journey. Most kids in this era already know this stuff. Still, it should be mentioned.
Learn the basics: OWASP Top 10, CWE, CVE, CVD, 0day & their differences.
Research & learn more about CWEs & where they show up. For example, for CWE-79: Cross-site Scripting, you must investigate the corresponding bug, where it can be reproduced & why it occurs (root cause). Then, thinking as a developer (using what you learned at the beginning), you can work out how this is possible at the code level. Then you will understand how to prevent it.
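To make the CWE-79 root cause and its prevention concrete, here is an added example (not part of the original post) showing unencoded output beside the encoded form, plus the URL-context case where encoding alone is not enough. All function names and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: CWE-79 root cause and fix in a small HTML rendering helper.
// Function names are hypothetical; sample inputs are constructed.

// Root cause: untrusted input is concatenated into HTML without encoding,
// so the browser parses it as markup instead of text.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Fix for HTML text and quoted-attribute contexts: encode the characters
// that could end the current context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Encoding alone does not help in a URL context: a javascript: URL contains
// no characters that escapeHtml changes. Allow-list the scheme first.
function safeHref(url) {
  let parsed;
  try {
    // The base lets relative links such as "/profile" parse as https.
    parsed = new URL(url, 'https://example.invalid/');
  } catch {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
  return escapeHtml(url);
}

function renderProfileLink(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}

// Constructed sample input, not taken from a real report.
const sample = '<img src=x onerror=alert(1)>';
console.log(renderGreetingVulnerable(sample)); // markup reaches the page as-is
console.log(renderGreetingSafe(sample));       // rendered as inert text
console.log(renderProfileLink('javascript:alert(1)', 'my site'));
```

The takeaway for root-cause analysis: the right fix depends on the output context (HTML text, attribute, URL), which is why reading the code path matters more than memorising payloads.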
Focus more on OWASP-TOP-10 vulnerabilities (Web, API, Android, whatever). And investigate the latest CVEs for those bugs. After doing this and familiarising yourself with the industry, you can slowly move on to practice.
Skill Assessment: Sharpen your skills by doing labs like PortSwigger, PentesterLab, Secure Code, etc. When you find a challenge difficult to solve, read the related blogs: pick a keyword and google it. Learn more & pwn the challenge later. Read blogs and write-ups daily (it’ll only take a little time). Subscribe to bug bounty blogs.
Watch videos of:
LiveOverflow
InsiderPhD
Bug Bounty Reports Explained
NahamSec
Farah Hawa
Rana Khalil
John Hammond
IppSec
rs0n_live
Intigriti
etc.
Their content is outstanding.
Learn more about Public, Private, & VDP BB programs and understand how they work. You can start hunting in a less competitive environment (up to you); people always suggest beginning with VDP.
Platforms for hunting bugs: https://www.trustradius.com/bug-bounty
Apple, Meta, Google, etc. have their own reporting endpoints (don’t forget).
How to avoid duplicates:
Build your own methodology. You can learn from public resources & apply them, but make some changes to what you learned from the public. It’ll take time; you must try harder & stay consistent to get to that level.
Important: Don’t share your methodology; you can share the resources & knowledge (Sharing is caring, but spoon feeding isn’t. I hope you understand).
Join Discord & Telegram channels (Bug Bounty/Infosec communities).
Please don’t stay inside any “toxic community” that kills your peace of mind; you don’t have to carry criticism from idiots & charlatans. Only stay inside a healthy circle and share content there.
Let’s learn and grow together.
For more updates about Offensive-Security & Hacking,
Follow me: 7h3h4ckv157