How to start Bug bounty?
As we know bug hunting had become one of the interesting domain to look into.For all those who wanted to start their career in bug bounty , this blog will help u to boost up you in this domain.
Let’s jump into it……
1) Basic knowledge of languages like : HTML, JavaScript, PHP etc….
2) What is web application? How it works? How to made basic web application ? What are the functions a basic web application have and how they work?
What is http,http headers,http security,http secure policies..etc
Also study about web security,CORS,Same-origin policy
Reading up all this gives you a big picture , Next you can learn about web applications
→ https://www.acunetix.com/blog/web-security-zone/http-security/
3) Next thing is you have to go for OWASP top 10
→ https://cheatsheetseries.owasp.org/Glossary.html
→ https://owasp.org/www-community/attacks/
→ https://portswigger.net/web-security
4) After this you can move to next step and read as much as you can and try to understand each and every topics. here i will suggest some books and some daily thing which you can refers :
- The web application hackers handbook-1.
- The web application hackers handbook-2.
- Penetration testing — A hands on introduction to hacking.
- Web Penetration testing with kali linux.
- Web Hacking 101.
- The hacker playbook 1 practical guide to penetration testing.
- The hacker playbook 2 practical guide to penetration testing.
- Hackerone 101 Video Lessons : https://www.hacker101.com/videos
- Hackerone unofficial for reading daily reports : http://h1.nobbd.de/
- Also you can checkout bug bounty hunter blogs.
[NOTE : All books are good for learing but now it’s up to you what you want to go for.]
5) Now it’s time to real game and that is RECON :
https://medium.com/@maverickNerd/recon-everything-48aafbb8987
That’s all i have to share with you i hope it will help you with your bug bounty journey.
Best of Luck.
Additional sources
Tokens
The Ins and Outs of Token Based Authentication
The Anatomy of a JSON Web Token
Stackoverflow: What is token based authentication?
10 Things You Should Know about Tokens
OAuth
Dancing with OAuth: Understanding how Authorization Works
Access Token
Why use an authentication token instead of the username/password per request?
Refresh Token
Why Does OAuth v2 Have Both Access and Refresh Tokens?
How secure are expiring tokens and refresh tokens?
Other Links
What should every programmer know about security?
Learn more about web security,http,cookies
→ Web security Vulnerabilities
#My checklisy for bug hunting recon
In short
Here are list of things that you need to learn before jumping into bug bounties.
- How internet Works
- Understanding (TCP/IP|OSI) model
- How DNS Work
- How web Servers Work
- How to setup web server
- HTML
- JavaScript
- PHPClient-Server Architecture
- How CDN’s Work
- How Load Balancers Work
- Understanding HTTP communication
- How Linux work
- Understanding Linux Shell
- Understanding Linux File System
- Learn some Linux tools Like (sed/grep/cut/dig/curl/wget)
- How to use Burp-suiteat this point, you can pick some of your favourite bugs and start practising them.
And the interesting things about the whole process you can code your own labs(vulnerable code snippets)
and modify them to have much clear understanding of vulnerabilities and their exploits.
Follow me on 🦿