Introduction into Bug Bounty


Subjects

  • Prerequisites
  • Choose Your Website
  • Recon/Hacking
  • Writeup
  • Resources

Prerequisites

Mindset

So you want to get into bug bounty? Great, but I highly recommend you come in with this mindset: Be positive, be persistent, and play the waiting game.

Operating Systems

Now let's pick an operating system:

  • Linux
  • macOS
  • Windows

Any of these should do. I would personally not recommend trying to do bug bounty on ChromeOS, as most of your tools would have to be browser plugins; if you're still new to cybersecurity, that just makes your transition into this field a lot harder, unfortunately.

Tools

With any of the previous operating systems, you want to go ahead and install either OWASP ZAP or Burp Suite, as you'll need an intercepting proxy to view and modify the requests being made to your target website. The Community Edition (free version) of Burp Suite is perfectly fine for just starting out, and if you want some of the premium features, then perhaps try OWASP ZAP or consider buying Burp Suite Professional.

Now that you have a proxy, you can decide if you want to use the built-in browser that comes with ZAP/Burp. But if you want to use your own browser, then you'll have to get something like FoxyProxy. More information on how to install can be found here: SETTING UP BURP SUITE.

With all the proxy stuff figured out, let's move on to handy tools while doing bug bounty:

  • Cookie Editor: Used for viewing and editing the values attached to cookies
  • Wappalyzer: Identifies the technologies, services, and versions used by the whole web app instead of having to find them manually

Note Taking

With all technical tools out of the way, now we move on to one of the most important things in cybersecurity: DOCUMENTATION. Find a note-taking app that fits you best, but make sure to take as many notes as you can when learning or testing out anything for web applications, as you'll never know when those notes may come in clutch.

Note Taking Apps:

Text Editors:

Choose Your Website

Now that you have set up your device for bug bounty, let's find the right website for you. To familiarize yourself with bug bounty terms, consider the following:

  • Platform: The websites providing links and access to their partners' VDPs, as well as triaging
  • Triage: The process of remediating or reviewing bug bounty reports to decide on the appropriate action to take
  • Vulnerability Disclosure Program (VDP): The program through which a company accepts, fixes, and discloses reported bugs
  • Disclosure: Allowing bug bounty hunters to post write-ups or speak publicly about the bugs they found

Now, there are numerous ways to choose a website, but personally, I believe it's best to view disclosures. If it feels like you would work well with their team, then try that company's VDP. Here are some platforms to try out:

Requires Application:

If you feel like you're a boss at bug bounty, then perhaps you may want to consider VDPs run directly by companies like Google, Facebook, Apple & Medium. If you feel the opposite, then consider perhaps opening up a VDP with a website you use a ton. But tread with caution: they may ask if you have a bug, and if you go beyond their (non-existent) rules of engagement (ROE), they might get mad and get you in trouble LOL.

Recon/Hacking

Reconnaissance

You've picked your website, but now you need to get more information about it. Personally, I'm very much a visual person, so I like to build out a tree representing the website's layout & structure:

  • Website Domain
    • Subdomains
      • Directories
        • Input/Output Fields
        • Buttons
        • Etc.

Once I have an idea of what's laid out, I can mark this tree to keep track of which sections of the website I have tested and document how I've tested them in my notes. If you're looking for an easier win, then some good tools to use would be Shodan, Google, and Wappalyzer to check for keywords or versions that map to a known CWE or CVE.
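The tree above is really just a coverage checklist, so here is an added example (my own code, not part of the original post) that models it in Python: in-scope URLs are split into domain, host, path segments and an optional input surface, leaves can be marked tested with a note, and you can ask which leaves still need attention. The scope URLs, surface names and notes are constructed for the example.

```python
# Added example: a scope tree for tracking which parts of a target have been tested.
# Hypothetical scope (example.com hosts and paths) and notes are constructed here.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Node:
    name: str
    children: Dict[str, "Node"] = field(default_factory=dict)
    tested: bool = False
    note: str = ""


def add_target(root: Node, url: str, surface: Optional[str] = None) -> Node:
    """Insert url as domain -> host -> path segments (-> surface); return the leaf node."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Registrable domain approximated as the last two labels (fine for example.com-style scopes)
    domain = ".".join(host.split(".")[-2:])
    node = root.children.setdefault(domain, Node(domain))
    if host != domain:
        node = node.children.setdefault(host, Node(host))
    for seg in (s for s in parts.path.split("/") if s):
        node = node.children.setdefault("/" + seg, Node("/" + seg))
    if surface:
        node = node.children.setdefault(surface, Node(surface))
    return node


def mark_tested(root: Node, url: str, surface: Optional[str], note: str) -> None:
    """Record that a leaf was tested, together with how it was tested (the note)."""
    leaf = add_target(root, url, surface)
    leaf.tested = True
    leaf.note = note


def leaves(root: Node) -> List[Tuple[str, Node]]:
    """Depth-first list of (readable path, node) for every leaf under the root."""
    out: List[Tuple[str, Node]] = []

    def walk(node: Node, path: Tuple[str, ...]) -> None:
        path = path + (node.name,)
        if not node.children:
            out.append((" > ".join(path), node))
        for child in node.children.values():
            walk(child, path)

    for child in root.children.values():
        walk(child, ())
    return out


def untested(root: Node) -> List[str]:
    return [path for path, node in leaves(root) if not node.tested]


def coverage(root: Node) -> Tuple[int, int]:
    """(tested leaves, total leaves)."""
    ls = leaves(root)
    return sum(1 for _, n in ls if n.tested), len(ls)


def render(node: Node, depth: int = 0) -> str:
    """Indented text view of the tree, with [x]/[ ] markers on leaves."""
    lines = []
    for child in node.children.values():
        marker = "" if child.children else (" [x] " + child.note if child.tested else " [ ]")
        lines.append("  " * depth + "- " + child.name + marker)
        lines.append(render(child, depth + 1))
    return "\n".join(l for l in lines if l)


def build_sample_scope() -> Node:
    """Constructed scope for the example: two subdomains plus the apex domain."""
    root = Node("scope")
    add_target(root, "https://app.example.com/login", "username field")
    add_target(root, "https://app.example.com/login", "password reset button")
    add_target(root, "https://api.example.com/v1/users", "id parameter")
    add_target(root, "https://example.com/search", "q parameter")
    mark_tested(root, "https://app.example.com/login", "username field",
                "input validation reviewed, nothing found")
    mark_tested(root, "https://example.com/search", "q parameter",
                "output encoding checked, reflected safely")
    return root


if __name__ == "__main__":
    scope = build_sample_scope()
    print(render(scope))
    print("coverage:", coverage(scope))
    print("still to test:", untested(scope))
```

Keeping the note on each leaf is the point: when you come back a week later, the tree tells you both what is left and what you already tried, which is exactly what a triager will ask about if your report overlaps with a known issue.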

Hacking

With all that information, you should now have some sort of target narrowed down from the scope given and the tree we created. Common weaknesses to look for in a web application can be referenced here: OWASP Top 10 2021. If the OWASP Top 10 doesn't seem to lead you anywhere, then try web app checklists provided by other bug bounty hunters online. After everything, if nothing is sticking, then you have two options:

  • You just need to learn a little more, so study and find your niche in bug bounty to make that money.
  • Try a different website; sometimes some bounty programs just have skilled engineers or strict triagers.

NOW, whatever you do, please don't follow these tips: meme. Stick to the rules of engagement, or else: JAIL TIME or some really fat fines LOL.

Writeup

So you found a bug on a website? Great, let's get into what sort of content your writeup should have.

  1. Exploit Title
    • Exploit, domain & impact in a sentence
  2. Summary of Exploit
    • Break the exploit down into a paragraph
  3. Severity
    • Define severity (Tools: CVSS / H1 Rating)
  4. Reproduce Vulnerability
    • Like the summary, but as a step-by-step walk-through
  5. Proof of Concept
    • Video, pictures, or scripts to reproduce exploit
  6. Impact
    • Describe how it would affect a client or company (VERY IMPORTANT)
  7. Solution
    • If you know why the vulnerability exists, drop a suggestion for a fix (Optional)

Once you finish those sections for your report, then go ahead and review it with a friend or by yourself and compare it with previous disclosures from that bug bounty program to ensure the best chance of your bug being accepted.

Resources

Now you're officially a bug bounty hunter, at least in my eyes :))

If you feel like you need more resources to get better at bug bounty, then here are some tips & resources!

Learning Platforms:

Content Creators:

Books: