Getting started:
First things first, I would like to say that Santa isn't real, i.e. bug bounties are not as easy as they are advertised. The field of security is so dense and heavy that you will never learn everything; as you get dipped into it there will always be more to learn, as it is a gaping never-ending void. It takes a lot of time to learn something significant and make a difference, so you will want to dedicate a good amount of time to be successful. In this post I aim to help you start helping yourself, and to lay out the best practices for learning, so here we go:
1. Where to start? and How to start?
The first step should be reading about computer networks: how they work, what requests and responses are, how they travel from your computer to the server, what sits in the middle and why that specific thing is in the middle. Some Linux essentials help a lot too, in particular knowing how to use the GNU utilities cat, awk, sed and grep. Please do not start by looking for really complex vulnerabilities like web cache poisoning without knowing how a cache works and how you can abuse it to do something unintended. I know it is tempting, but start with something easier to handle like cross-site request forgery (CSRF) rather than a vague and really difficult attack. I recommend following this path:
CSRF => XSS => learn javascript and how to make XHR requests => CORS => XML injection => learn XML basics => XXE attacks => Follow your curiosity
The labs at https://portswigger.net will help you a lot. Read the material, understand how the attack works, solve the lab and then try to apply it in real-life scenarios. Use Google to your advantage: if you master how to research, you can save tons of money by not buying courses.
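The CORS step of that path is a good place to check that you really understand the mechanics rather than just the lab. The checker below is an added example, not code from the original post: it applies the browser's CORS rules to a response and says what a page on an attacker-controlled origin could read, and which Origin values are worth sending to find a sloppy whitelist. The origins https://evil.example and https://app.example and the response headers are constructed; the proof-of-concept page itself would be the JavaScript XHR with withCredentials set that the path above tells you to learn.

```python
"""Decide what a CORS response actually lets a cross-origin page do.

Added example, not from the original post. The attacker origin
https://evil.example and the response headers are constructed, not captured.
"""
from __future__ import annotations

from typing import NamedTuple


class Verdict(NamedTuple):
    readable: bool       # can script on origin_sent read the response body?
    with_cookies: bool   # ... with the victim's cookies/session attached?
    note: str


def classify_cors(origin_sent: str, headers: dict[str, str]) -> Verdict:
    """Apply the browser's CORS decision to one response.

    origin_sent is the value of the Origin header the browser sent; headers
    are the response headers (names compared case-insensitively).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return Verdict(False, False, "no ACAO header: same-origin policy blocks the read")
    if acao == "*":
        # Browsers never attach credentials to a wildcard ACAO, so only data
        # that is public anyway is exposed: usually not a bug.
        return Verdict(True, False, "wildcard ACAO: public data only, credentials never sent")
    if acao != origin_sent:
        return Verdict(False, False, f"ACAO {acao!r} does not match {origin_sent!r}: blocked")
    if origin_sent == "null":
        # Sandboxed iframes send Origin: null; whitelisting it hands the
        # response to any attacker who can create such a frame.
        return Verdict(True, acac, "ACAO null: readable from a sandboxed iframe"
                       + (" with the victim's cookies" if acac else ""))
    # ACAO echoes the attacker-chosen origin: the classic misconfiguration.
    return Verdict(True, acac, "origin reflected"
                   + (" with credentials: authenticated data readable" if acac
                      else " without credentials: only unauthenticated data"))


def probe_origins(target_origin: str, attacker_origin: str) -> list[str]:
    """Origin values worth sending to see which ones get reflected.

    The prefix/suffix variants catch whitelists built with naive
    startswith/endswith/regex checks (assumed attacker-owned hostnames).
    """
    target_host = target_origin.split("://", 1)[1]
    attacker_host = attacker_origin.split("://", 1)[1]
    return [
        attacker_origin,                                # plain reflection
        "null",                                         # null-origin whitelist
        f"https://{target_host}.{attacker_host}",       # target.example.evil.example
        f"https://evil{target_host}",                   # eviltarget.example
        target_origin.replace("https://", "http://"),   # scheme downgrade
    ]


if __name__ == "__main__":
    # Constructed response from a vulnerable endpoint that echoes Origin.
    sample = {"Access-Control-Allow-Origin": "https://evil.example",
              "Access-Control-Allow-Credentials": "true"}
    print(classify_cors("https://evil.example", sample))
    print(probe_origins("https://app.example", "https://evil.example"))
```

Only the last branch with credentials is the bug worth reporting; the wildcard case is what many beginners submit and get closed as informational.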
2. Understand whats going on:
This is the most crucial part. Before starting to do anything, know how HTTP requests work and what the differences between the HTTP/0.9, HTTP/1.0, HTTP/1.1 and HTTP/2 protocols are, because that tells you which attacks are possible on each. For example, classic HTTP request smuggling needs a front end and a back end that disagree about where a request body ends (Content-Length versus Transfer-Encoding); HTTP/2 carries an explicit length in every frame and has no chunked encoding, so that ambiguity does not exist on a pure HTTP/2 connection and only comes back where a front end downgrades requests to HTTP/1.1 for the back end. CRLF injection is the same story: HTTP/2 headers are not newline-delimited, so a CR or LF inside a header value only becomes a delimiter once something rewrites the request as HTTP/1.1. Knowing this saves you stress and time by telling you what not to look for. The same advice applies to using your tools effectively: always know what a tool does by reading its documentation, so that you use it efficiently and make use of every applicable feature. Not a lot of people use Burp Suite to its full potential. Knowing how the target works will also help you find cool bugs.
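To make the smuggling point concrete, here is an added example (not from the original post) that models the two halves of a CL.TE desync: one delimiter that trusts Content-Length, one that trusts Transfer-Encoding, fed the same constructed bytes. The hostname vulnerable.example and the request bytes are made up. Run on the same stream, the two sides end up with different leftovers, and the back end's leftover is what gets glued onto the next user's request.

```python
"""Why classic request smuggling is an HTTP/1.1 problem.

Added example, not from the original post. Two tiny request delimiters model
a front end that trusts Content-Length and a back end that trusts
Transfer-Encoding; the request bytes are constructed, not captured.
"""
from __future__ import annotations


def parse_headers(head: bytes) -> dict[str, str]:
    """Lower-cased header map from the bytes before the blank line."""
    lines = head.decode("latin-1").split("\r\n")[1:]   # skip the request line
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in lines if ":" in line)}


def split_by_content_length(stream: bytes) -> tuple[list[bytes], bytes]:
    """Delimit requests the way a server that honours Content-Length does.
    Returns the complete requests and whatever bytes are left over."""
    reqs = []
    while True:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        n = int(parse_headers(head).get("content-length", "0"))
        if len(rest) < n:            # body not fully received yet
            break
        reqs.append(head + sep + rest[:n])
        stream = rest[n:]
    return reqs, stream


def split_by_chunked(stream: bytes) -> tuple[list[bytes], bytes]:
    """Delimit requests the way a server that honours Transfer-Encoding:
    chunked does (RFC 7230 says chunked wins when both headers are present)."""
    reqs = []
    while True:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        hdrs = parse_headers(head)
        if hdrs.get("transfer-encoding", "").lower() != "chunked":
            n = int(hdrs.get("content-length", "0"))
            reqs.append(head + sep + rest[:n])
            stream = rest[n:]
            continue
        body = b""
        while True:                  # read chunks until the zero-size chunk
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)
            body += size_line + b"\r\n" + rest[:size] + b"\r\n"
            rest = rest[size + 2:]   # drop chunk data and its trailing CRLF
            if size == 0:
                break
        reqs.append(head + sep + body)
        stream = rest
    return reqs, stream


def build_cl_te_request(smuggled: bytes) -> bytes:
    """A CL.TE payload: Content-Length covers the whole body including the
    smuggled prefix, while the chunked body ends at the zero chunk."""
    body = b"0\r\n\r\n" + smuggled
    return (b"POST / HTTP/1.1\r\n"
            b"Host: vulnerable.example\r\n"
            + b"Content-Length: %d\r\n" % len(body)
            + b"Transfer-Encoding: chunked\r\n\r\n"
            + body)


def desync(stream: bytes) -> dict[str, bytes]:
    """What each side leaves in its buffer after parsing the same bytes.
    A non-empty back-end remainder is prepended to the next user's request."""
    _, front_left = split_by_content_length(stream)
    _, back_left = split_by_chunked(stream)
    return {"front_end": front_left, "back_end": back_left}


if __name__ == "__main__":
    payload = build_cl_te_request(b"GET /admin HTTP/1.1\r\nX: ")
    for side, left in desync(payload).items():
        print(f"{side}: {left!r}")
```

Nothing like desync() can be written against HTTP/2 framing itself: each DATA frame states its own length and there is no Transfer-Encoding to disagree about, which is exactly why the bug class only reappears at an HTTP/2-to-HTTP/1.1 downgrade.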
3. How to ask for help?
Please kindly read https://www.nohello.com and http://www.catb.org/~esr/faqs/smart-questions.html . Following the advice from those two pages and this video https://www.youtube.com/watch?v=3IEAfyQqUKc will save you from being told RTFM and ignored.
TLDR; Don't ask for the sake of asking, ask to solve a problem.
4. Know what to test for:
Good reconnaissance always includes knowing what the target is using: find out what cloud service they use, which libraries and frameworks they use, and what firewall or WAF sits in front. I happen to rule out testing for XSS if they use Cloudflare or Akamai. Make a checklist for yourself of what to look for given what is in use; for example, parameters whose values are URLs are always candidates to test for SSRF. Sometimes there will be known CVEs in libraries used by the target, just waiting to be exploited.
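One entry on such a checklist can be automated. The script below is an added example, not code from the original post: it walks the query string of a URL and flags the parameters worth an SSRF probe, either because the name suggests a fetch destination or because the value is shaped like a URL, hostname, IP, protocol-relative path or base64-wrapped URL. The parameter-name hints and the sample URL (app.example, cdn.example) are my own assumptions; tune the hints to the target.

```python
"""Pick out query parameters worth an SSRF test.

Added example, not from the original post. The parameter-name hints and the
sample URL are assumptions; adapt them to the target you are testing.
"""
from __future__ import annotations

import base64
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"^(?:https?|ftp|gopher|file|dict|ldap)://", re.I)
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/|$)", re.I)
# Names that commonly carry a server-side fetch destination (assumed list).
NAME_HINTS = ("url", "uri", "link", "src", "dest", "redirect", "callback",
              "next", "return", "host", "domain", "site", "feed", "proxy",
              "target", "img", "image", "load", "fetch", "path", "file")


def value_shape(value: str) -> str | None:
    """Classify a value as an address-like shape, or None if it is not one."""
    v = unquote(value).strip()
    if URL_RE.match(v):
        return "url"
    if v.startswith("//"):
        return "protocol-relative"
    for cand in (v, v.rsplit(":", 1)[0]):        # allow a trailing :port
        try:
            ipaddress.ip_address(cand)
            return "ip"
        except ValueError:
            pass
    if HOST_RE.match(v):
        return "hostname"
    try:                                          # base64-wrapped URL
        decoded = base64.b64decode(v + "=" * (-len(v) % 4), validate=True)
        if URL_RE.match(decoded.decode("ascii")):
            return "base64-url"
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        pass
    return None


def find_ssrf_candidates(url: str) -> list[dict]:
    """Return the parameters of url that deserve an SSRF probe, in query
    order, each with the signals that flagged it."""
    out = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        signals = []
        if any(hint in name.lower() for hint in NAME_HINTS):
            signals.append("name")
        shape = value_shape(value)
        if shape:
            signals.append(f"value:{shape}")
        if signals:
            out.append({"param": name, "value": value, "signals": signals})
    return out


# Constructed sample: one obvious URL parameter, one base64-wrapped loopback URL.
SAMPLE = ("https://app.example/render?img=https://cdn.example/a.png"
          "&page=3&cb=aHR0cDovLzEyNy4wLjAuMS8%3D&theme=dark")

if __name__ == "__main__":
    for c in find_ssrf_candidates(SAMPLE):
        print(c["param"], c["signals"], c["value"])
```

A hit here is only a candidate: the actual test is replacing the value with a host you control (or an internal address) and watching for the server, not the browser, to make the request.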
5. Use whatever edge you have over other people to your advantage:
If you have a dev background, use it to automate the vulnerability classes you understand. It is a really good feeling to wake up and see that your automation has found bugs ready to be reported; it lets you focus on what you are learning, or on difficult vulnerability types, while some cash keeps flowing in. A dev background is a nice thing to have in this field and a lot of successful people use it, so use your skills to your advantage. The claim that "you don't need programming skills or a tech background to be a successful hacker" is false. Hacking is a really technical thing, and if you lack something, your chances of being successful drop significantly.
6. Write good reports:
Like in every other field, communication is key. Finding a bug but writing a really bad report, with unclear steps to reproduce, no demonstration of impact and poor communication with the triage staff, is bad practice. I recommend following this guide for writing a good report: https://blog.intigriti.com/hackademy/how-to-write-a-good-report/ . Learning to chain different vulnerabilities never hurts and sometimes brings in a bonus, and including a one-shot exploit script in your report takes the human factor out of reproduction and also helps you win bonuses.
Bonus:
Find what differentiates you from the crowd and find your own niche; that will make it less likely that you burn out or face imposter syndrome.
TLDR; Bug bounties are not as easy as advertised. There is more to learn than fits in one lifetime, so spending your time productively is the key. Understand what is going on and learn the flow of the application you are testing. Remember that when you ask someone a question you are asking for their time, so make it worth it for both parties. Learn what to test for on different applications and infrastructures. If you have an edge in something, use it to your advantage. Good reports equal good bounties, and bonuses.