Bug Bounty Hunting as a Beginner (My Honest Thoughts)
SWITCHWEB HACKING
Introduction
With the rise of YouTube ethical hackers over the past 3 years and the talk of 5G smart cities, there is a temptation to get into Bug Bounty research because of the growing attack surface.
The thought of attacking a service or application in order to receive a reward from that company is intriguing, but there are some things I have learned very quickly. This blog dives into my thoughts on the reality of bug bounty now that I am 10 weeks in and slowly getting better at it.
Get Rich Quick Scheme?
Diving into the Bug Bounty field, I thought it would be easy because of videos on YouTube showcasing automation. Automation is important for quickly testing methods that have worked before, but every application is slightly different, which leads to the need to understand the core of how applications function. This takes time and patience, at least from my short experience so far.
Not only does it take time to understand the different technologies being used, I have also found it important to review the current Common Vulnerabilities and Exposures (CVEs) associated with them to gain an understanding of what could potentially be vulnerable.
There is much more that could be said to show it is not a get-rich-quick scheme, but the last point is finding the right testing point. In my first 3 months of learning I have fallen into "honeypot"-like URLs where I believed something was there, but that was not the case.
Overall, the key factor in finding vulnerabilities comes down to consistently checking the application, updating my knowledge about the website, and allocating time effectively. This ensures that time goes into the areas that are likely to have a vulnerability.
Make an EXCELLENT Report
I see myself as new to the Bug Bounty space, being only in my third month, and would classify myself as in the learning phase. I say this because my biggest takeaway has been what goes into a report.
The first key is presenting the report with detailed reproduction steps, so as not to take away from the researcher.
The next key is impact. This is where I have fallen short. However, I have learned some things to check off to ensure impact: relate it to a current CVE, ensure it is reproducible, and ask whether I was able to access customer data or another account's data. Asking these questions has made me doubt a lot of reports, but I have a clearer mind to move forward.
Lastly, I believe screenshots or videos also help showcase the report and let the Bugcrowd reviewers validate it quickly, although I have not gotten feedback to confirm this (it is what I do though).
How to get better at Bug Bounty?
Even though it may be disappointing to read as the first statement, there is no guide. Sometimes a guide may help, but in a lot of cases each application is different. There are general guides to follow, such as recon, enumeration, vulnerability testing, then reporting. However, a detailed guide to finding a vulnerability can be difficult to find because applications differ and researchers likely may not share their proven methods.
From my experience, following a path from YouTube most likely will not find a vulnerability. Do not worry though, this is ok because every application is slightly different. I have learned that rather than following one guide, picking the bits of information that are relevant to the application being tested has worked better for me, along with understanding what goes on.
So how do you get better? I am still learning, so take this lightly, but I believe it comes down to understanding the application to the point of being able to "break" it. Because of this I have changed my method to spending hours and hours understanding the technology. I then look at CVEs associated with the tech stack that is found and create a picture of what I would like to hunt for.
After this time is spent understanding the application, I then recommend recon work and enumeration. However, I have also started looking at the technology again and how it differs. Then, based on the differences, I try to re-understand where XSS, RCE, LFI and other vulnerabilities could potentially be present.
Although I have not found any paid bugs yet, switching to approaching the application with intent and understanding has helped me find 3 informational bugs in 3 months.
Conclusion
Overall, Bug Bounty may seem like a way to get rich quick, but it is not. This space takes a lot of time, but it opens a lot of doors. Testing can be done on public platforms like HackerOne and Bugcrowd, but you are not limited to them once the knowledge is there. In addition, a more secure path into testing can be found by pursuing pentesting, threat analyst or security administration positions.
If it is approached with money as the goal, there will not be a valid vulnerability paid out, because there is not enough impact. I know this because I approached this space with the wrong mindset at first.
Lastly, staying consistent and not giving up is essential, because some bugs take days to find. This is where mental battles can break the will to continue, but continuing gives an infinitely greater chance of finding a bug than not trying. I wish you all happy hunting!