How to Study Bug Bounty Hunting
People will often say "if you want to learn to hack, watch this course/video/article", as if any other way is wrong. Learning to hack, and then applying it to bug bounty, can be approached in many different ways, and there is truthfully no best or correct way to learn. But while there isn't a clear-cut path through the resources, simply providing a big list of recommended resources with no guidance isn't as helpful as mentors in the community would hope, and it doesn't suit all types of learners. So here's my attempt at putting together a coherent learning path, using thoughtful resources and my comprehensive-style course sponsored by Bugcrowd.
Understanding the Basics
So you decide "I want to learn hacking", you google around, and you find a whole heap of resources on SQL injection, cross-site scripting, XML external entities, and wait: do you even know what's happening when you access a website? Before delving into bug bounty hunting, it's essential to have a foundational understanding of how the internet and the web work. Familiarise yourself with the technologies that power websites, the underlying infrastructure, and the distinction between HTML (the structure of a page) and JavaScript (the code the browser runs). If these areas are a little light for you, taking some time to improve your fluency will help you immensely. This could be in the form of programming a small website for yourself, or just trying to capture what happens on the backend when you visit a URL. Grasping what occurs between typing a URL and seeing a page, and how your browser functions, should be your first step.
Immersing Yourself in the Bug Bounty Community
Every hacker is unique, and each person's learning is unique to them. It's well known that learning styles vary among individuals, and rather than relying solely on one type, a combination of different approaches tends to be most effective. The community is one of the most powerful things about hacking, and about the subcommunity of bug bounty hunting in particular: learning from others and establishing relationships is crucial. Don't be shy! Immerse yourself in the bug bounty and infosec community by subscribing to newsletters, reading blogs, engaging in discussions on Twitter, joining Discord channels, subscribing to YouTube creators, and similar activities. There are so many options for each individual's pace. We covered a few of these when we talked about bug bounty hunting resources, but if you're not sure where to start, how about the Bugcrowd Discord server? Make it a habit to engage with bug bounty-related content regularly and you'll notice not only your knowledge grow, but also that you begin to develop your own unique style of hacking as you incorporate learnings from such a variety of mediums.
Mastering Burp Suite
Burp Suite is the primary tool used in web hacking. While it has a paid version, the Community Edition is sufficient for most purposes when you are starting out. To familiarise yourself with Burp Suite, try it out on a Capture the Flag (CTF) website. Gain hands-on experience with the tool, explore its features, and become proficient with the Target site map and the Proxy history. Experiment with sending requests to Repeater and modifying them, and watch how the response changes. As you become more familiar with the tool, you can start to experiment with other hacking tools or Burp Suite extensions (called BApps, installed from the BApp Store).
Write-ups and Note-taking
One of the most valuable resources for learning is write-ups. They range in technical detail from expert research conducted by some of the best hackers to a simple "here's how I found this bug". These reports provide valuable insight into actual vulnerabilities that people have discovered: real-world vulnerabilities and their exploitation! Unlike traditional courses or books that may become outdated quickly, write-ups and related content let you stay up to date on the vulnerabilities being found this year, through disclosed reports, write-ups, and videos discussing write-ups. These can be found all over the internet, but some good places to start are podcasts, Medium, Twitter and Reddit.
Studying is imperative in learning a new skill. Along with studying, note-taking and developing a consistent, systematic learning method for yourself goes leaps and bounds in retaining new information. What's really great is that although there are various approaches to note-taking, the medium is flexible: you can use your existing note-taking app, or try Obsidian if you don't use one already. I like to use Obsidian to create a note for each vulnerability class I come across, and if I already have a note on a particular vulnerability, I update it with the additional information. Consider using a resource like Bugcrowd's Vulnerability Rating Taxonomy (VRT) as a master list of vulnerability classes and work your way through it. For each one, study the methodologies used, understand how the bug's impact was determined, and most importantly, learn how researchers identified and investigated that specific vulnerability. Over time, refine your own methods and expand your notes into a general methodology that can be applied to different targets.
Using notes to build intuition
The most important part of your vulnerability notes is the "how did they know to look for this bug?" section; that is what builds your intuition. Building intuition takes time, and it is what actually sets apart newbie hackers from experienced hackers, but once you feel confident in your hacker instincts you'll be able to move around a target with much more speed and accuracy. Putting yourself in the shoes of other hackers will go a long way here. For example, if you see a file upload, what kinds of bugs do you look for? Unrestricted file upload? EXIF data not being scrubbed from images? And maybe you test those and they don't work; well, what next? It is tempting to say "this isn't a bug", but maybe the file name is reflected onto another page without encoding, or maybe the uploaded file has no access control on it and anyone with the URL can fetch it. If you're too busy looking specifically for file uploads, and only testing them for unrestricted file upload, you might be missing a really straightforward bug. To get started, watch the videos on information disclosure, access control and cross-site scripting (XSS), then build on them: look at disclosed reports, write-ups, blog posts and tweets on those topics.
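To make that file-upload checklist concrete, here is an added example (my own helper code for this page, not part of the original post or of any tool it mentions) that automates three of the checks a hunter runs against an upload feature: does the image the server serves back still carry EXIF/XMP/IPTC/ICC metadata, is a marker filename reflected into a page unescaped, and does the declared extension match the file's real content. The JPEG bytes, the marker filename and the two page snippets are constructed samples; the metadata signatures are the standard APP-segment identifiers.

```python
import html

# --- Check 1: does the served-back JPEG still contain metadata? ---------------
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

def jpeg_segments(data: bytes):
    """Walk the JPEG header and return [(marker_name, payload)] up to SOS.

    Scan data follows SOS and never holds metadata, so we stop there."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    segs, i = [], 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {i}")
        while data[i + 1] == 0xFF:          # 0xFF fill bytes are legal before a marker
            i += 1
        marker = data[i + 1]
        if marker in (EOI, SOS):
            break
        length = int.from_bytes(data[i + 2:i + 4], "big")   # includes the 2 length bytes
        payload = data[i + 4:i + 2 + length]
        name = f"APP{marker - 0xE0}" if 0xE0 <= marker <= 0xEF else f"0x{marker:02X}"
        segs.append((name, payload))
        i += 2 + length
    return segs

# Identifiers that open the metadata-bearing APPn segments.
METADATA_SIGNATURES = {
    b"Exif\x00\x00": "EXIF",                       # APP1
    b"http://ns.adobe.com/xap/1.0/\x00": "XMP",    # APP1
    b"ICC_PROFILE\x00": "ICC",                     # APP2
    b"Photoshop 3.0\x00": "IPTC",                  # APP13 (8BIM resources)
}

def metadata_left(served: bytes):
    """Metadata blocks that survived the upload; an empty list means it was scrubbed."""
    found = set()
    for name, payload in jpeg_segments(served):
        if name.startswith("APP"):
            for sig, label in METADATA_SIGNATURES.items():
                if payload.startswith(sig):
                    found.add(label)
    return sorted(found)

# --- Check 2: is the file name reflected, and is it encoded? ------------------
def filename_reflection(page: str, filename: str) -> str:
    """Use a filename containing HTML metacharacters so the answer is meaningful.
    'unescaped' = XSS candidate, 'escaped' = reflected but encoded, 'absent' = not here."""
    if filename in page:
        return "unescaped"
    if html.escape(filename, quote=True) in page:
        return "escaped"
    return "absent"

# --- Check 3: does the extension match the bytes? ------------------------------
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif", b"%PDF": "pdf"}

def sniffed_type(data: bytes) -> str:
    return next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), "unknown")

def extension_matches_content(filename: str, data: bytes) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower()
    return sniffed_type(data) == ("jpg" if ext == "jpeg" else ext)

def triage(served: bytes, filename: str, page: str) -> dict:
    """Run all three checks; feed the result straight into your vulnerability notes."""
    return {
        "metadata_left": metadata_left(served),
        "filename_reflection": filename_reflection(page, filename),
        "extension_matches_content": extension_matches_content(filename, served),
    }

# --- Constructed samples (not real captures) -----------------------------------
def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

_JFIF = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_EXIF = _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")  # empty TIFF IFD
_TAIL = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
UPLOADED_JPEG = b"\xff\xd8" + _JFIF + _EXIF + _TAIL   # what you uploaded
SERVED_SCRUBBED = b"\xff\xd8" + _JFIF + _TAIL          # what a scrubbing server returns

MARKER_NAME = '"><img src=x onerror=alert(1)>.png'
PAGE_RAW = '<p>Uploaded: "><img src=x onerror=alert(1)>.png</p>'
PAGE_ENCODED = '<p>Uploaded: &quot;&gt;&lt;img src=x onerror=alert(1)&gt;.png</p>'

if __name__ == "__main__":
    print(triage(UPLOADED_JPEG, "photo.jpg", PAGE_RAW))
    print(triage(SERVED_SCRUBBED, MARKER_NAME, PAGE_ENCODED))
```

Replace the constructed bytes with the file you downloaded back from the target and the page that lists your uploads; a surviving EXIF block, an "unescaped" reflection, or a `.png` that is really a JPEG each answers a different "what next?" from the paragraph above.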
Get out there!
Nothing will teach you more about hacking than actually hacking does. There's no replacement for real-world experience: it's effective, it's practical, it's authentic and it's a real adventure. It's very easy to tell ourselves we don't know enough yet. I promise you, you will never feel ready; you'll constantly tell yourself "one more CTF, one more video, I need to know more about input boxes or APIs". Avoid that trap and just dive in: you should be hacking from day zero, using Burp on a real website. While CTFs can be helpful, if you focus too much on them you'll only see very simple websites with a single request and response, or a few interesting ones. On a real website you'll see a mashed-up soup of requests, third parties, analytics platforms, several requests for a simple login, OAuth, WebSockets, and technology you've never heard of. The real world of the web is messy, disorganised and hard to process, and nothing but practice will make that easier. The first few times you look at the site map or proxy history, all you will see is that soup of requests and responses. Embrace it: as you navigate the various requests, third-party integrations, authentication mechanisms and unfamiliar technologies, you will refine your skills. You'll also find yourself drawn to trying out new tools, whether open source tools like ffuf or Burp extensions, and you can spend this time experimenting with your methodology.
Continue to build your experience and intuition by going through the bug-finding motions. You don't need to find bugs every time; you just want to build up that intuition. The first few times you hack, choose a really clear piece of functionality (log in, create a resource, edit something, create an account), identify which requests, in which order, need to be sent to the server to perform that function, and label them or take notes. This will help you separate potentially vulnerable functions from the noise of an application. Eventually you'll start to recognise signs of vulnerabilities from your notes, and then you can try your methodology on that functionality and see if it's vulnerable!
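As an added example of the "which requests, in which order" exercise (written for this page, not from the original post), the script below reads a Burp "Save items" export, drops third-party and static requests, and turns what is left into a numbered flow you can paste into a note, marking which steps carry a session cookie, an Authorization header or a CSRF token. The XML is a constructed sample that assumes the shape of Burp's export (one `item` per request with `host`, `method`, `path`, `status`, `mimetype` and a base64-encoded `request`); the hostnames, paths and token values are made up.

```python
import base64
import xml.etree.ElementTree as ET

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ico")

def load_items(xml_text: str):
    """Parse a Burp 'Save items' export into plain dicts (assumed export layout)."""
    items = []
    for it in ET.fromstring(xml_text).findall("item"):
        req = it.find("request")
        raw = req.text or ""
        if req.get("base64") == "true":
            raw = base64.b64decode(raw).decode("utf-8", "replace")
        items.append({
            "host": it.findtext("host", ""),
            "method": it.findtext("method", ""),
            "path": it.findtext("path", ""),
            "status": int(it.findtext("status", "0") or 0),
            "mimetype": it.findtext("mimetype", ""),
            "request": raw,
        })
    return items

def classify(item: dict, target_hosts: set) -> str:
    """'app' requests are the ones worth numbering; the rest is the soup."""
    if item["host"] not in target_hosts:
        return "third-party"
    if item["path"].split("?")[0].endswith(STATIC_EXT):
        return "static"
    return "app"

def request_notes(raw_request: str):
    """What a step carries: session cookie, auth header, CSRF token, body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in head.split("\r\n")[1:] if ":" in ln)}
    notes = []
    if "cookie" in headers:
        notes.append("sends session cookie")
    if "authorization" in headers:
        notes.append("Authorization header")
    if any(h.startswith(("x-csrf", "x-xsrf")) for h in headers):
        notes.append("CSRF token header")
    if body:
        notes.append(f"body: {body[:40]}")
    return notes

def flow_outline(items, target_hosts: set):
    """The in-scope requests, in capture order, with what each one carries."""
    return [{"method": it["method"], "path": it["path"], "status": it["status"],
             "notes": request_notes(it["request"])}
            for it in items if classify(it, target_hosts) == "app"]

def as_markdown(label: str, steps) -> str:
    """Render the flow as the note you would keep beside the functionality."""
    lines = [f"## Flow: {label}"]
    for n, s in enumerate(steps, 1):
        note = f" ({'; '.join(s['notes'])})" if s["notes"] else ""
        lines.append(f"{n}. {s['method']} {s['path']} -> {s['status']}{note}")
    return "\n".join(lines)

# --- Constructed sample export (not a real capture) ----------------------------
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def _item(host, method, path, status, mimetype, request):
    resp = _b64(f"HTTP/1.1 {status} OK\r\nContent-Type: text/html\r\n\r\n")
    return (
        "  <item>\n"
        f"    <url><![CDATA[https://{host}{path}]]></url>\n"
        f'    <host ip="203.0.113.10">{host}</host>\n'
        "    <port>443</port>\n    <protocol>https</protocol>\n"
        f"    <method><![CDATA[{method}]]></method>\n"
        f"    <path><![CDATA[{path}]]></path>\n"
        f'    <request base64="true"><![CDATA[{_b64(request)}]]></request>\n'
        f"    <status>{status}</status>\n"
        f"    <mimetype>{mimetype}</mimetype>\n"
        f'    <response base64="true"><![CDATA[{resp}]]></response>\n'
        "  </item>\n"
    )

SAMPLE_EXPORT = (
    '<?xml version="1.0"?>\n<items burpVersion="2023.10">\n'
    + _item("app.example", "GET", "/login", 200, "HTML",
            "GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n")
    + _item("app.example", "GET", "/static/app.js", 200, "script",
            "GET /static/app.js HTTP/1.1\r\nHost: app.example\r\n\r\n")
    + _item("analytics.example", "POST", "/collect", 204, "",
            "POST /collect HTTP/1.1\r\nHost: analytics.example\r\n\r\n{\"e\":\"pageview\"}")
    + _item("app.example", "POST", "/api/session", 201, "JSON",
            "POST /api/session HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n"
            "X-CSRF-Token: abc123\r\n\r\n{\"user\":\"me\",\"pass\":\"pw\"}")
    + _item("app.example", "GET", "/account", 200, "HTML",
            "GET /account HTTP/1.1\r\nHost: app.example\r\nCookie: session=s3ss10n\r\n\r\n")
    + "</items>\n"
)

if __name__ == "__main__":
    print(as_markdown("login", flow_outline(load_items(SAMPLE_EXPORT), {"app.example"})))
```

Select the requests for one action in Proxy history, save them as items, and point `load_items` at the file; the three lines the script prints for the sample are exactly the kind of note the paragraph above suggests keeping, and the "CSRF token header" and "sends session cookie" tags tell you where to start testing access control later.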
In conclusion
Not every website or technique you try will end up being vulnerable. It's important to see hacking as a fun activity you enjoy doing, so that even if you find nothing you are still learning. The biggest mistake I see is people who don't have an interest in hacking: they want quick money, they try it once, and they wonder where the bugs are. Inevitably, if you get caught up in needing to find a bug, you will just burn out when it doesn't happen. I've found bugs in just a few minutes, and I've also gone months without finding any. While you can tip the scales of luck by taking notes, focusing on a single target and building your intuition, there is still an element of luck and of looking in the right place. And yes, it is crushing when a bug you thought was there is marked Not Applicable or downgraded in severity, but you always need to be looking to the next one, not obsessing over a single vulnerability.
Remember, the goal at the initial stage is to familiarise yourself with the basics, play with tools and build intuition rather than solely focusing on finding bugs. Hacking can be unpredictable, and luck plays a role in discovering vulnerabilities, but the journey is what makes it exhilarating! As long as you maintain an interest in hacking as a fun and enjoyable activity, rather than solely pursuing quick monetary gains, you’ll find success. Stay curious, keep learning, and always look ahead to the next opportunity.
Always remember: when you're starting out, focus on learning, not earning.