New Hunter ,, help me please >> ^^


#1

hello …,
I want to become a bug bounty hunter
but I don’t know how to start or what programming languages/tools I need,
especially as it’s not my field in college.

Currently, I know C# and HTML5 only.

Now, guys, could you help me and tell me what programming languages I need to be a bug bounty hunter?

Thanks and have a wonderful day ^^


#2

Hi Mahmoud97,
if you want to start hunting on web applications I may suggest the following:

  1. Download Burp free edition
  2. Install Firefox
  3. Configure Firefox to go through Burp (the guide is available in the website of Burp)
  4. Read about the kind of vulnerabilities that exist, the common ones like XSS, RCE and things like that
  5. Find blogs of bug hunters focused on web applications and read them all, usually people blog with the subject “how I hacked blah blah” :smiley:, but seriously you may be able to find on Google a lot of blog posts about findings by active hunters. I would suggest to not read posts too old because sometimes it would be a waste of time because technology evolves and the vulnerabilities too.
  6. Start looking for bugs in the programs that pay, even if you don’t understand what you are doing, there will be a moment where you would be able to understand, it takes long hours (at least for me)
  7. Keep reading and learning at the same time you are looking for bugs
  8. Focus on programs that pay so if you find a valid bug they will reward you and you will be encouraged to find more bugs!
  9. If you don’t understand something, try to figure out by yourself
  10. If you can’t figure out by yourself, think about what is holding you back. Is it something you can google and read about it? Do it. Is it something maybe an experienced hunter can answer? Do it, but before that do the previous one. That way you would have some context to ask a question to the hunter.
  11. Don’t give up.

Maybe I missed something. Let me know if you need any help.
Have a wonderful day you too!


#3

Sorry, I forgot to answer about the programming languages: I would suggest that you do every course on codecademy.com, because it gives you an understanding about almost every language that is used in web which is great for looking for bugs. However, you don’t really need to be a programmer to find bugs on web applications, you are going to notice that reading blog posts about bugs found. And sometimes being ignorant in some area allows you to focus in other areas. Anyway, try to figure out by yourself what is the kind of bugs that give you satisfaction and things like that, and then focus your energy in learning and looking for bugs of that kind.

Let me know if something is not understandable. I’m not a native English speaker.


#4

Thanks a lot for your help, you’re so understandable … I opened Codecademy.
There are (JS, PHP, jQuery, HTML & CSS, Python).
I know some of them and am going to learn the rest. My question is: are they enough for me to start hunting and find bugs?

Another thing ^^ I want to make like 20000$ for my engineering college from bug hunting.
Is that so hard or impossible? How much time does it take?

Maybe I bothered you with silly questions, but remember yourself when you were a beginner like me and needed someone to help you ^^ maybe you make someone’s life better …

Thanks a lot and have a wonderful day steef


#5

I think it’s enough xD


#6

If you’re already familiar with programming languages maybe you don’t need to do the codecademy courses, but I recommend them because they give you some understanding about the technology the companies use. Are they enough? They are enough if you don’t skip the other steps I mentioned.
It’s good that you have a milestone already of 20,000! I would say that it totally depends on the time you spend and how good you get at finding bugs. There are programs that pay 20,000 for the more critical bugs, so it could be just one bug that gives you that money :slight_smile:. I haven’t found one bug worth 20k but I found one worth 13k one time (in my first year finding bugs), so it’s possible.
Anyway, you can do the math: the minimum usually is 50 for valid bugs, you have to find 20,000/50 = 400 bugs. However you would probably find better bugs if you learn enough and spend enough time (this is critical, and don’t forget to eat and sleep :slight_smile: or you will be wasting your time). You may not find something for 1/2 weeks but maybe the 3rd you find something. Patience is your good friend.


#7

Hi, I suppose you’re Arabian like me. Could you leave me your Facebook account to add you? I wanna make some friends who are interested in this field :wink:


#8

Hi stefe,
Final inquiry, I promise.
Now I learned HTML & CSS. What particularly should I learn after that? I know things about what’s next, but I wanna make sure while I’m learning that I’m on the right way and not wasting my time. Tell me “in order” the languages you learned when you started hunting. Another thing: in the HTML & CSS course there is the part about styling the page, etc. Will I need that while I’m hunting?

If you don’t mind, stef, leave me your Facebook account so I can contact you directly and ask you. I wanna make some friends interested in that field too! …

Thanks for your patience :blush:


#9

Hi Mahmoud97,
I understand your hurry, but you need willingness to “waste your time” because it’s the way you are going to figure out what interests you the most and it’s the only way to learn in my experience. When I started on bug bounties I already knew a little about every language on codecademy, so it’s not the same situation. I wrote 11 steps to guide you but there is no perfect path, if there were a perfect path everyone would be making a lot of money from bug bounties. And something important: you shouldn’t follow the same steps as everyone else because that way you will only find the same bugs as everyone else, which is frustrating.
Answering your question: it totally depends on what interests you the most (which probably you haven’t figured out yet), you can even learn all the languages at the same time because one language doesn’t require the knowledge of another one. However if you insist, I would say you learn this way: JavaScript, Python, SQL, Ruby, and now everything else.
You probably won’t need the styling thing, but I would say that you are going to understand better the code you are reading. When finding bugs, the more you know the better in my experience, even if it seems not technical.

I don’t have a Facebook account, but you can find me on Twitter or Snapchat. On Twitter I am @stefano_soy and on Snapchat I am @stefanohoy. Anyway, don’t forget that I’m not your teacher nor your employee, so take your time to learn with the steps I gave and when you are really stuck and there is no way you can figure it out, contact me. I’m glad to help.


#10

I clicked “Reply” but for some reason it didn’t appear as my reply to your message. Here is the reply New Hunter ,, help me please >> ^^


#11

Yeah Sure, fb.com/T4H4R.4MiN3


#12

Hello stef,
I downloaded Burp Suite Pro, but when I tried to configure the proxy in Firefox, I did that but it doesn’t want to open any sites at all.
It only works when I turn off the proxy in Mozilla.
Note: I’m using Windows.
Please answer me ^^


#13

Why Burp suite pro? The free edition is more than enough.
You are starting on the wrong foot… This is the easiest thing you are able to solve by yourself following the installation guide on the official website of Burp Suite or googling but instead you are already asking for help because it didn’t work out of the box? I don’t see how much willingness you would have to learn many things and try many times until you find some bugs.


#14

Hello,
First, I chose the Pro edition because I read that it has more options than the free one.
Second, I searched for 2 days for a solution to this problem but I found nothing.
Let me clear it up and explain my problem again.

I’m trying to configure Burp Suite with Firefox, but when I enable the proxy settings the internet doesn’t want to work anymore.
It keeps giving me a “Secure Connection Failed” problem.


#15

Did you buy the Pro Edition?
Guide to install Burp, configure it, and everything about Burp, follow ALL the steps: https://support.portswigger.net/customer/portal/articles/1816883-getting-started-with-burp-suite


#16

I just noticed you just downloaded a pirated version of Burp. Why? I told you the Free edition was enough.
Sorry, I’m not willing to help you anymore.


#18

Thanks for all the information! This leads me to know that we can learn anything by just asking on these kinds of forums.


#20

I want to add that maybe some book like this one could help: https://leanpub.com/web-hacking-101.
I haven’t read it, but read a little from the free sample and seems to cover many topics that will really help if you are starting from zero.


#22

Hi @Harinath_samala,

I think I shared enough information already related to starting out. However, I realized that it’s difficult to offer some guidance that fits all except that it takes time and willingness to learn and fail. Maybe if you give me more context about your background, how much time you have available and things like that I can give you some guidance based on my experience. Also, explain what you mean with “perform advance attack”, because I’m not sure that’s what I do.


#23

I understood all the basic attacks, but how to improve my skills? I can’t understand what my next step is. I’m stuck in this place, and which languages are most IMP…etc.etc
Please, can you help me?