Hello I’m joshua, I read @samhouston post on how to become a bug bounty. The point in it which grabs my attention is the one which says one should have an area whereby he is an expert in it, but I don’t understand it, is it that I choose web application hacking upon mobile application hacking or I am an expert at XXE than CSRF ?
Please I want to know, as I found that tip helpful for it tells me I can’t do everything which truly no one can.thank you.
To be honest, if you wanna be a successful researcher, you cannot focus on just a topic. You should firstly learn software development so it will help you to understand how the related platform is working. For example, you can learn PHP so it will exactly improve your server-side exploiting skills. Also, JavaScript will help you to understand basic programming and client-side vulnerabilities.
But its not enough. If you don’t know anything about mobile and internals, you will see that actually you know ‘nothing’. In a day you will exactly need to know the network. Or in a project, you need to work with hardware so you have to know at least basic information about hardware. Its same in bug bounty, look at most successful bug hunters, they are always who ‘knows the system better’ and ‘understand how it works’.
If you planning to start with the web (or which is most enjoyable for you) You can start with OWASP Top 10 right now to do bug bounty. Meanwhile, I exactly suggest that:
- Watch PoC videos of disclosed reports,
- Solve vulnerable applications like DVWA, bWAPP,
- Learn any programming language which is related to your target platform.
But just knowing the ‘web’ will never enough for you, in the future. Take your time, carefully!
Now I understand when people say hacking is a lifetime journey,anyway thanks for the answer. I really appreciate as it point out to me what I need to do, " TAKE MY TIME CAREFULLY".Thank you @numaN
Hi Joshua
I’m going to disagree with numaN on this one. You don’t need to be a software developer to be a successful bug hunter (although it will certainly provide you with some useful skills). A lot of good hunters aren’t very good programmers. With that said, you definitely should know some basic Javascript and have some understanding of PHP/SQL as well as common web technologies (JSON, Base64, cookies, SOP…)
When people say you need an area of expertise, they mean a specific type of bug. A lot of hunters specialize in XSS, some specialize in XXE, some in SSRF etc. The reason is that there is a lot of competition in bug bounty, so to succeed you need to know something that most others don’t. In other words, it’s better to be really good at file upload vulnerabilities and clueless about all other bug types than to know the basics of each bug type. With that said, you should still familiarize yourself with the most common vulnerabilities (OWASP Top 10).