This article is a detailed getting-started guide for bug bounty hunters, covering fundamentals, technical skills, common vulnerability types, tool usage, real-world case studies and report writing, to help beginners learn and practise cybersecurity skills systematically.

Bug Bounty Blueprint: A Beginner’s Guide

by MuhammadKhizerJaved

A Guide to Getting Started In Bug Bounty Hunting | Muhammad Khizer Javed | @KHIZER_JAVED47 Updated: August 17th, 2023

Back in 2019, I penned an earlier version of this guide to Bug Bounty Hunting (Mirror 1) & (Mirror 2), aiming to provide aspiring hunters with a solid foundation. The response was overwhelmingly positive, accompanied by a large number of questions from newcomers. While the previous version of this guide served its purpose well, the ever-evolving landscape of the Bug Bounty Market has ushered in changes and innovations that necessitate a fresh perspective. In light of these transformations and the continued enthusiasm of the bug bounty community, I have decided to craft an update for this guide. Drawing on both the wisdom gained from the past and the insights garnered from the present, this new version aspires to be an even more valuable resource for those venturing into the world of bug bounty hunting.

Introduction to Bug Bounty Hunting

Bug Bounty Hunting is an inspiring field that has gained tremendous momentum in recent times. In simple terms, a Bug Bounty involves rewarding ethical hackers for identifying and disclosing potential security vulnerabilities found in a participant’s web, mobile, or system applications. Since you’re already here, I assume you have a basic understanding of bug bounty hunting. So let’s dive into the essential elements, as it’s important to understand what bug bounty hunting and ethical hacking really involve.

Bug Bounty Hunting: a Challenge

For me, bug bounty hunting surpasses traditional penetration testing in its intensity and demand; it is like penetration testing on steroids. It is a lot harder because of the following factors:

  • Significant Vulnerabilities: Bug bounty programs typically focus on bugs that exhibit genuine business impact, setting a higher bar for the kind of vulnerabilities that are accepted.
  • Competition Among Bug Hunters: You will be competing against hundreds of other hunters, and only the first one to report a bug is rewarded.
  • Novice Difficulties: As a newcomer, the initial stages may be hard, involving the identification of valid bugs and striving to be the first to uncover them.

With this guide, I will try to cover the following key areas to get you started: 

  • Understanding the fundamentals of Bug Bounty Hunting.
  • Developing the necessary technical skills.
  • Learning about common vulnerabilities and exploits.
  • Finding and choosing bug bounty programs.
  • Writing effective reports to maximize your bounty potential.

Remember, the journey of becoming a successful bug bounty hunter requires dedication, patience, and continuous learning. Let’s embark on this exciting journey together!

About Me

I’m Muhammad Khizer Javed, a Cyber Security Professional specializing in web and mobile application penetration testing. I have over six years of experience as a Bug Bounty Hunter & Ethical Hacker. My focus lies in uncovering vulnerabilities, weaknesses, and misconfigurations using diverse penetration testing techniques. I work as the Lead Penetration Tester at SecurityWall. Beyond my professional pursuits, my passion for cybersecurity fuels my dedication to continuous learning and knowledge-sharing within the community.

The Attitude of a Hacker

Before going further, it’s crucial to grasp the attitude required for successful bug bounty hunting. A seminal article by Eric S. Raymond, “How To Become A Hacker,” serves as an excellent starting point. This article outlines essential attitudes that aspiring hackers need to cultivate, emphasizing the importance of competence over mere posturing.

Is there a future for you in Bug Bounty?

I’m confident that bug bounty hunting is the way forward when it comes to securing many businesses, and here’s why:

  • Always Watching: Bug bounty programs provide continuous testing for as long as the program itself is running.
  • Experts from Everywhere: Bug bounty taps into the knowledge of people from all over the world.
  • Rewards for Digging Deep: There’s a real reason for hackers to find and report vulnerabilities in bug bounty programs.
  • Safe and Exciting: It’s a safe and fun space to tinker around and learn.

I’m pretty sure that bug bounty hunting isn’t going anywhere; it’s only going to get better and stronger. The rise of Web3 is already changing how bug bounties work and breaking down barriers. Have a look below.

Whitehat satya0x reported a critical vulnerability in @wormholecrypto on Feb 24 via Immunefi. The bug was quickly patched, no user funds were affected, and satya0x received a $10 million payout from Wormhole, the largest bounty payout on record. https://t.co/xKDGxfFLjA — Immunefi (@immunefi) May 20, 2022

Not only Web3 but our good old web2 bounties are also getting interesting and big.

So, whether it’s about traditional web stuff or this new Web3 world, bug bounty hunting is a solid bet for those who want to put in the effort and come out ahead.

Mastering the Basics!

Before embarking on your bug bounty journey, it’s essential to establish a solid grasp of the foundational elements that underpin the world of cybersecurity. This section lays the groundwork for your exploration, ensuring you have the necessary knowledge to navigate the intricate web of networks, systems, and programming languages.

To effectively engage in bug bounty hunting and ethical hacking, a firm grasp of the fundamental building blocks is crucial. Begin your journey by acquainting yourself with the following key concepts:

Understanding Network, Web, and Communication Basics

Network Basics: Acquire a basic understanding of networking principles, essential knowledge for anyone delving into the realm of computers. Explore resources such as:

  • Networking Basics: What You Need to Know (CISCO)
  • The Fundamentals of Networking (IBM)
  • Basics of Computer Networking (Geeks for Geeks)
  • Computer Networking Complete Course – Basic to Advanced (9 Hours YouTube Course)
  • Fundamentals of computer networking (Microsoft)

Web: For an overview of the web, give any two of these a read. They will not only refresh your basic web fundamentals but also prepare you for what’s coming ahead.

  • Web – Basic Concepts (Tutorials Point)
  • Web Fundamentals (Google Developers)
  • Web Basics and Overview (Kent State University)

Communication Protocols: To learn something, you must learn how it works and how data is exchanged within or between computers. In our case, to understand how an application works and what its flow is, we need to learn how it communicates with you. For that purpose, I believe you must go through the following list to understand network protocols and their uses.

  • Communication protocols (Wikipedia)
  • Official Internet Protocol Standards (RFC Editor)
  • MDN Web Docs Glossary: Definitions of Web-related terms (Mozilla)
  • HTTP (Mozilla)
  • HTTP Related Protocols (W3.org)
  • Types of Network Protocols and Their Uses (W3 Schools)

Database: You must learn database basics and understand them, as databases are one of the crucial parts of what you’ll be attacking as a hacker in many cases.

  • Basics Of DBMS (Toppr)
  • Database basics (Oracle)
  • Database Basics: Concepts & Examples for Beginners (Lido)

Choose an Operating System:

According to Eric Steven Raymond, “The single most important step any newbie can take toward acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes, install it on a personal machine, and run it. Trying to learn to hack on a Microsoft Windows machine or under any other closed-source system is like trying to learn to dance while wearing a body cast.”

Whichever OS you choose, familiarize yourself with essential commands through cheat sheets like the one below:

Coding Proficiency: The Path to Mastery:

While becoming a proficient programmer might not be mandatory, having a solid understanding of programming languages is undeniably beneficial in the realm of bug bounty hunting.

HTML:

  • HTML Tutorial (W3 Schools)
  • Learn HTML (Code Academy)

PHP:

  • PHP Tutorial (W3 Schools)
  • Learn PHP (Code Academy)

JavaScript:

  • Learn JavaScript – Full Course for Beginners (freecodecamp.org)
  • Learn JavaScript (Code Academy)
  • Build anything you want with JavaScript (learnjavascript.today)

SQL (Structured Query Language):

  • SQL Tutorial – Full Database Course for Beginners (freeCodeCamp.org)
  • SQL Tutorial (W3 Schools)
  • Learn SQL (Code Academy)

Java:

  • Learn Java (Code Academy)
  • Java | How to start learning Java (Geeks for Geeks)
  • Learn Java Online (learnjavaonline.org)
  • Java Beginner Course – Get Started Coding with Java! (freeCodeCamp.org)

C/C++

  • C/C++ Full Course Playlist (freeCodeCamp.org)
  • Learncpp (Learncpp.com)
  • Learn C++ (Code Academy)

What you’ll learn from these is not just programming languages but how the web and the systems you are going to test or build actually communicate. I’m also still a student of programming, so I’m sharing the resources I’m currently following.

Embrace Automation:

“Never send a human to do a machine’s job”

To truly excel in the world of bug bounty hunting, mastering automation is essential. Automation empowers you to work faster, more efficiently, and continuously while reducing repetitive tasks. Have a look at the slides below and read an awesome article on “Conference notes: Automation for Bug Hunters (Bug Bounty Talks)”

Strengthen your automation capabilities with these languages. If you can get a grasp of one or more of the following, you can easily and very happily automate your work and earn in a better way.

Python:

  • Real Python Tutorials (Real Python)
  • Hacking with Python – 7 Best online courses for ethical hacking (By AIMEE O’DRISCOLL)
  • The Python Tutorial (Python.org)

Bash:

  • 10 Best Linux Shell Scripting Tutorials for Beginners (Quick Code)
  • Learn Shell (learnshell.org)
  • Shell Scripting Tutorial (Tutorials Point)

Golang:

  • Learn GO (go.dev)
  • Learn Golang (Code Academy)
  • Go Tutorial (Tutorials Point)

Ruby:

  • Learn Ruby (Code Academy)
  • Learn Ruby Online (learnrubyonline.org)

By mastering these foundational components, you’ll empower yourself to code tools, understand various software aspects, and embrace the world of automation. Remember, this is your bedrock for growth – refine your skills, practice consistently, and lay the groundwork for your bug bounty journey.

Learning About Vulnerabilities

This part is all about building your skills, learning about how to identify weaknesses, and arming yourself with the tools to become a bug bounty hunter. Choosing the right path to start in Bug Bounty is very important. Your choice should align with your interests and aspirations. While some opt for the Web Application route due to its approachable nature, others may delve into the realm of Mobile. Here, I’ll be focusing on Web and Mobile paths, reflecting my own area of expertise.

The Web Application Security Path:

The Web Application path is a popular starting point due to its accessible nature. Begin by understanding the intricacies of web applications and the vulnerabilities they can harbor. Resources like:

  • OWASP Top Ten Project
  • Web Application Security Basics (Mozilla)
  • PortSwigger Web Security Academy

equip you with the foundational knowledge and insights needed to navigate this domain.

The Mobile Application Security Path:

For those intrigued by the mobile landscape, the Mobile path beckons. Immerse yourself in the world of mobile application security, uncovering potential vulnerabilities that lurk within. Key resources such as:

  • OWASP Mobile Security Project
  • Android Security Documentation
  • iOS Security Documentation

will serve as your guiding beacons, leading you through the intricate mobile security landscape.

Key Resources: The platforms below should be your first stop toward learning about security.

  • HackerOne Hacker101
  • Bugcrowd University
  • Intigriti Hackademy

These platforms offer a wealth of resources and lectures that can significantly enhance your learning journey. They provide invaluable insights, often surpassing what I might share here.

Exploring Web Application Security: Building Your Foundation

In this phase, we delve into the exciting world of Web Application Security.

To fortify your understanding of Web Application Penetration Testing and Security, delve into the following essential resources:

  • Mastering Modern Web Penetration Testing
  • The Hacker’s Underground Handbook
  • Web Hacking 101
  • The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
  • The Tangled Web: A Guide to Securing Modern Web Applications
  • OWASP Testing Project

These resources offer comprehensive insights into the intricacies of web application penetration testing and security assessment.

Embrace OWASP:

Make it a priority to familiarize yourself with the OWASP Testing Guide and OWASP Top 10 Vulnerabilities. These invaluable references provide guidance and understanding:

  • OWASP Testing Guide
  • OWASP Top 10 for 2023
  • OWASP Top 10 for 2017

These resources provide a solid foundation for comprehending common vulnerabilities and security practices.

Exploring Common Web Application Vulnerabilities

This is a crucial phase of your bug bounty journey, where we learn about common web application vulnerabilities that you’re likely to encounter while hunting for bugs. In this section, my focus is on providing you with valuable resources to understand and learn about these vulnerabilities effectively.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery is a potent attack that exploits the trust a web application has in the authenticated user’s browser. By coercing the user into unknowingly performing actions they didn’t intend, the attacker can manipulate the application’s functionalities and wreak havoc.
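To make the mechanics concrete, the following Python example is added here; it is not part of the original guide or of any of the reports listed below. It models a money-transfer handler twice: an unprotected version that trusts the session cookie alone (the trust CSRF abuses), and a hardened version that requires a session-bound synchronizer token and checks the Origin header. The request dictionaries, the `bank.example` origin and the server secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for this demo only; a real server loads them from configuration.
SERVER_SECRET = b"constructed-demo-secret"
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: an HMAC of the session id under the server secret.

    The application embeds this token in its own forms. A page on another
    origin can make the victim's browser send the session cookie, but it
    cannot read the token out of the legitimate page, so it cannot supply it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_unprotected(request: dict) -> tuple[int, str]:
    """Vulnerable handler: the session cookie is the only thing checked."""
    if "session" not in request["cookies"]:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"moved {form['amount']} to {form['to']}"


def transfer_protected(request: dict) -> tuple[int, str]:
    """Hardened handler: cookie + synchronizer token + Origin check."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"

    # 1. The token in the body must match the one bound to this session.
    #    compare_digest keeps the comparison constant-time.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return 403, "csrf token missing or invalid"

    # 2. Defence in depth: browsers attach Origin to cross-site POSTs and page
    #    script cannot overwrite it, so a mismatch means a forged request.
    parsed = urlparse(request["headers"].get("Origin", ""))
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return 403, "cross-origin request rejected"

    form = request["form"]
    return 200, f"moved {form['amount']} to {form['to']}"


def sample_requests() -> tuple[dict, dict]:
    """Two constructed requests that carry the same victim session cookie."""
    session_id = secrets.token_hex(16)
    legitimate = {
        "cookies": {"session": session_id},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"to": "savings", "amount": "100",
                 "csrf_token": issue_csrf_token(session_id)},
    }
    # Request triggered from another origin: the browser still attaches the
    # cookie, but the foreign page has no way to learn the session-bound token.
    forged = {
        "cookies": {"session": session_id},
        "headers": {"Origin": "https://evil.example"},
        "form": {"to": "attacker", "amount": "100"},
    }
    return legitimate, forged


if __name__ == "__main__":
    legit, forged = sample_requests()
    print("unprotected, forged request:", transfer_unprotected(forged))
    print("protected, forged request:  ", transfer_protected(forged))
    print("protected, legitimate:      ", transfer_protected(legit))
```

When hunting, this is also the checklist to test against: does the state-changing request carry a token at all, is the token actually validated, is it bound to the session rather than global, and does the server fall back to trusting the cookie when the token is simply removed?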

Delve Deeper with These Resources

  • Imperva: Understanding CSRF – Cross-Site Request Forgery
  • OWASP Cross-Site Request Forgery (CSRF)
  • Netsparker Blog: Demystifying CSRF – Cross-Site Request Forgery

Uncover Real-World Scenarios:

  • CSRF Account Takeover famebit by Hassan Khan
  • Hacking PayPal Accounts with one click (Patched) by Yasser Ali
  • Add tweet to collection CSRF by vijay kumar
  • Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun by phwd
  • How i Hacked your Beats account ? Apple Bug Bounty by @aaditya_purani
  • Story of a weird CSRF bug by Sudhanshu Rajbhar
  • Bumble Full account takeover using CSRF by Mahmoud G
  • Uber CSRF Account Takeover by Ron Chan
  • Messenger.com CSRF that show you the steps when you check for CSRF by Jack Whitton

Cross-Site Scripting (XSS)

Cross-Site Scripting, commonly known as XSS, empowers malicious actors to inject client-side scripts into web pages, potentially compromising the security of other users who view those pages. These scripts can execute in a victim’s browser, leading to unauthorized actions, data theft, or the spread of malware.
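The core of the defence is context-aware output encoding, which the following added Python example illustrates (it is my own illustration for this section, not code from the original guide or from any linked report). It renders untrusted profile data twice, once by plain string concatenation and once encoded for the HTML text and attribute contexts, and includes a deliberately crude detector, used only here, to show which outputs still contain live markup. All inputs and the `render_*` function names are constructed for the demo.

```python
import html
import re
from urllib.parse import urlparse

# Crude detector used only in this demo: a live <script> tag, an inline event
# handler inside a tag, or a javascript: URL in an href. Entity-encoded text
# such as "&lt;script&gt;" does not match, which is exactly the point of encoding.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b|<\w+[^>]*\son\w+\s*=|href\s*=\s*[\"']\s*javascript:",
    re.IGNORECASE,
)


def render_greeting_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the page."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    """Hardened: entity-encode for the HTML text context."""
    return f"<p>Welcome back, {html.escape(display_name)}!</p>"


def render_profile_link_unsafe(url: str, label: str) -> str:
    """Vulnerable: user-controlled URL dropped into an href attribute as-is."""
    return f'<a href="{url}">{label}</a>'


def render_profile_link_safe(url: str, label: str) -> str:
    """Attribute context needs two things: quote-escaping and a scheme allow-list.

    html.escape alone would leave a javascript: URL intact, so anything that is
    not http(s), including protocol-relative "//host" links, is replaced.
    """
    if urlparse(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url)}">{html.escape(label)}</a>'


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered fragment still carries executable markup."""
    return ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    name = '<script>alert("xss")</script>'  # constructed sample input
    for renderer in (render_greeting_unsafe, render_greeting_safe):
        out = renderer(name)
        print(f"{renderer.__name__:24} active={contains_active_markup(out)}  {out}")
```

The detector is not a substitute for a real sanitizer or a Content Security Policy; it exists to make the before/after difference visible in a test. Note also that the two safe renderers encode differently depending on where the data lands, which is why a single "escape everything" helper applied at input time keeps failing in the reports below.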

Resources for Deepening Your Knowledge:

  • OWASP Cross-site Scripting (XSS)
  • PortSwigger Web Security: Cross-site Scripting
  • Excess XSS: A Comprehensive Tutorial on Cross-Site Scripting

Practical Examples and Proof of Concepts:

  • AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 by geekboy
  • Uber Self XSS to Global XSS
  • How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin Moulinier

  • XSSI, Client Side Brute Force
  • postMessage XSS Bypass
  • XSS in Uber via Cookie by zhchbin
  • Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP by frans
  • XSS due to improper regex in third party js Uber 7k XSS
  • XSS in TinyMCE 2.4.0 by Jelmer de Hen
  • Pass uncoded URL in IE11 to cause XSS
  • Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov
  • Years ago Google xss
  • xss in Yahoo Mail Again, worth $10000 by Klikki Oy
  • Google Account Takeover
  • God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton
  • Three Stored XSS in Facebook by Nirgoldshlager
  • Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen
  • An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton
  • Stored XSS in *.ebay.com by Jack Whitton
  • Complicated, Best Report of Google XSS by Ramzes
  • Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com by secgeek
  • Command Injection in Google Console by Venkat S
  • Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)
  • Yahoo Mail stored XSS by Klikki Oy
  • Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) by Masato Kinugawa
  • Youtube XSS by fransrosen
  • Google XSS subdomain Clickjacking

SQL Injection

SQL injection is a common attack vector in which malicious SQL is inserted into a query sent to the backend database, manipulating the query so that it reads or changes information that was never intended to be exposed.

Resources for Deepening Your Knowledge: For a comprehensive grasp of SQL Injection, these resources are your go-to:

  • OWASP SQL Injection
  • PortSwigger Web Security: SQL Injection
  • W3Schools: SQL Injection

Real-Life Scenarios: Proof of Concepts

  • SQL Injection Vulnerability nutanix by Muhammad Khizer Javed
  • Multiple vulnerabilities in a WordPress plugin at drive.uber.com by Abood Nour (syndr0me)
  • GitHub Enterprise SQL Injection by Orange