Getting started with Bug Bounty.

Hey, guys! This post is dedicated to all those who want to get into bug bounty. Although I am not a *top* ranker like my friends Sandeep, Osama, Parth, Arbaz, etc., I learned many things along my way in bug bounty and I want to share them in this post 🙂

What should you know before getting into bug bounty? 

  • First of all, you should know the basics of web apps (of course, bug bounties are not limited to them): what HTTP is, what HTML is, what HTML forms are, what JavaScript is and what it does, and how a web app is structured (nowadays most web apps follow some form of MVC). IMO these things matter. A book like Web Hacking 101 will help a lot.
  • Keep learning new things. How? HackerOne's Hacktivity (Web Hacking 101 also covers this), other hunters' blogs, and just digging in whenever you see a weird term or thing; you may end up learning something good.
  • Play with Burp and explore it 😉

Approaching a target

  • If you're new, don't focus only on sites that pay rewards; go for points-only programs too. This way you learn by hunting and gain some reputation points as well.
  • Don't change your target frequently. Give it at least 2-3 days; if you're new to hunting it won't be easy to find your first bug in minutes or hours.
  • Before hunting for bugs, explore the web app: see what type of app it is and get an idea of its basics. I always check out the API docs, which give me a quick overview of the web app.
  • If you think a part of the site should have something, or that something can be bypassed, dig into it and don't give up. Just a few days back Osama and I were hunting an endpoint and he ended up bypassing a fix; I gave up but he didn't ;).
  • Try to bypass their filters and WAF. Most of the time there will be a bypass for them. A quick example:

Recently I came across a target with a sitewide WAF that prevented any input containing a JS event handler such as onmouseover, onload, etc. I tried on%0Bload, but it was reflected as the literal %0B. So I tested their API for creating a post. I had been doing that through the API console, which sat behind the WAF, so I crafted the request manually with my payload as the post content, and boom, it executed 🙂 This way I managed to get more XSS in it 😀

  • Don't be lazy. In the above example the manual request bypassed the WAF but the API console did not, because the API console was hosted on a host that sat behind the WAF.
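The coverage gap in the example above, as an added illustration that is not from the original post: a naive event-handler blocklist sits in front of an API console, the same API is reachable without it, and the %0B variant slips past the regex without ever becoming a live handler. The fix is to encode at the API layer no matter which path the request took. The regex, the endpoint functions, the storage and the payloads are all constructed for this example and are not the target's real WAF or API.

```python
import html
import re
from typing import Dict, List

# Constructed stand-in for the sitewide WAF rule described in the post: reject
# any body that contains an inline JS event handler (onload=, onmouseover=, ...).
# It inspects the raw body; a real WAF may URL-decode first.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# A handler only fires if it sits inside a real (unescaped) tag, so the
# "does this execute" check requires a literal '<tag ... on...=' in the HTML.
LIVE_HANDLER_RE = re.compile(r"<[a-z]+[^>]*\bon[a-z]+\s*=", re.IGNORECASE)

WAF_BLOCKED = "403 blocked by WAF"

# Constructed in-memory storage so the example runs offline.
POSTS: List[str] = []


def waf_blocks(body: str) -> bool:
    """The WAF layer: True if the rule matches the raw request body."""
    return EVENT_HANDLER_RE.search(body) is not None


def create_post_api(content: str, escape_output: bool) -> str:
    """Hypothetical API endpoint. In the post's target it was reachable
    directly, with no WAF in front of it. Returns the HTML the app would
    render for the stored post."""
    stored = html.escape(content, quote=True) if escape_output else content
    POSTS.append(stored)
    return f'<div class="post">{stored}</div>'


def create_post_via_console(content: str, escape_output: bool) -> str:
    """Hypothetical API console: same endpoint, but the request passes
    through the WAF first."""
    if waf_blocks(content):
        return WAF_BLOCKED
    return create_post_api(content, escape_output)


def executes_in_browser(rendered: str) -> bool:
    """Approximation of 'the handler would fire': an unescaped tag carrying
    an on*= attribute reached the page."""
    return LIVE_HANDLER_RE.search(rendered) is not None


# Constructed payloads.
PAYLOAD = "<img src=x onerror=alert(1)>"
VTAB_PAYLOAD = "<img src=x on%0Berror=alert(1)>"  # the %0B trick from the post


def run_scenarios() -> Dict[str, bool]:
    """Walk through the four situations the post describes."""
    results: Dict[str, bool] = {}

    # 1. Payload through the console: the WAF sees 'onerror=' and rejects it.
    results["console_blocked"] = (
        create_post_via_console(PAYLOAD, escape_output=False) == WAF_BLOCKED
    )

    # 2. on%0Berror slips past the regex (no letters directly after 'on'),
    #    but the app stores '%0B' literally, so it is not a live handler.
    rendered = create_post_via_console(VTAB_PAYLOAD, escape_output=False)
    results["vtab_passes_waf"] = rendered != WAF_BLOCKED
    results["vtab_executes"] = executes_in_browser(rendered)

    # 3. Same payload sent straight to the API: no WAF, stored unescaped -> XSS.
    results["direct_api_executes"] = executes_in_browser(
        create_post_api(PAYLOAD, escape_output=False)
    )

    # 4. The real fix: encode at the API layer, whichever path the request
    #    took. The WAF is then only defence in depth.
    results["escaped_api_executes"] = executes_in_browser(
        create_post_api(PAYLOAD, escape_output=True)
    )
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

When hunting, the takeaway is the third scenario: enumerate every path that reaches the same backend (console, mobile API, internal hostnames) and replay the blocked request on each, because the WAF usually fronts only one of them. When fixing, the fourth scenario is the one that matters: a filter in front of one entry point is not a fix for an output-encoding bug in the application.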

That's all for now, but there will be a second part of this post in which I will share some more fun things.

If you liked it do share 🙂

Thanks for reading.
Harsh from Bugdiscloseguys!