11 min read

Baby steps towards Bug Bounty Hunting — an arduous yet exciting journey

Wanting to know what a brute-force attack was, I accidentally came across the term “Bug Bounty”. After some reading, I understood on a superficial level, that organizations or application vendors ran something called a “bug bounty program'“ and rewarded ethical hackers if they found security vulnerabilities in their applications. Interesting.

Being an entrepreneur, I entertained the idea of learning another skill that could potentially help me earn money in the future. I was not naïve to think it was easy, but had the courage to take the plunge. I mean I had nothing to lose (of course, "time" was an important resource that I had to trade in order to learn the craft).  

Update (29th July 2021)

On hindsight, I was naive indeed. I underestimated the sheer depth of how much knowledge, experience and practice one requires to become a competent bug bounty hunter. Especially the amount of time required for someone like me without a background in IT. Not that I was not ready to clock in the hours. Honestly, I realised I did not have the leverage to spend so much time.

So, what’s the deal with this blog post?

When I started out learning, I found there was no dearth for learning resources (blogs, videos, courses). You have to give it to them, the hacker community is amazing that way! However, I still, to this day hunt for hackers’ personal learning experiences, hoping it would personally resonate with me. An article that would give me solace and maybe telepathically tell me, I am on the right track. I feel knowing someone else’s personal learning curve and experience would immensely help. Knowing that your fellow hacker, went through the same emotional and learning hardships would give great comfort and motivation.

  • What did the individual learning web app hacking go through?
  • Did he/she have any prior experience with IT or computers in general?
  • What were the mistakes he/she made during his/her learning curve?
  • What learning resource helped the individual as opposed to some other resource
  • How much time did he/she dedicate to learning.

This is something I always searched for as a beginner. I did read/listen to (through podcasts) many hackers’ personal learning experiences, but I had to do a lot of digging and searching! This blog post would be an attempt in that direction.

How long have I been at this?

I started learning web app hacking in June 2018. I continued to learn and train (with labs) for a year (don’t get me wrong here, I still continue learning. It never ends!) without any serious bug hunting. I started bug bounty hunting in the month of June this year (2019)and have continued to do so (along with learning) consistently for the last four months. I have so far submitted 4 reports with 2 being duplicates, 1 being invalid and 1 earning me a three figure bounty. I have such a long way to go, but hope this is a start of sorts.

The beginning is the toughest!

You see, I have no background in Information Technology or Security, whatsoever. The amount of frustration, overwhelm and discomfort that I had to go through to learn something ridiculously new, is something I cannot express in words. This was because I had already spent 10 years learning dentistry. I had to put in conscious effort to re-wire and learn something new altogether (from scratch)! I should say, however, that I kept at it solely because I found it interesting and intellectually challenging (apart from a major motivation being the bounties/cash rewards successful bug bounty hunters got :P). Being an entrepreneur (and having that mindset) helped me stay motivated. I went through the same emotional overwhelm when I founded my company 3 years back. So that helped (mentally).

How much time did I dedicate in the beginning?

I am a full time entrepreneur, hence learning was tough in the beginning. I probably dedicated 5–12 hours per week for the first 3 months, learning the basics. I used to most often dedicate time in the morning between 6–8 AM or sometimes at night between 8–10 PM. Many a times I compromised my Sunday mornings to learn for 4 hours at least. I was never paranoid about how much time I had to put in, but I disciplined myself to consistently put in a minimum of 5 hours a week.

After the first 3 months, I lost some motivation. I had a lot of work at hand and couldn’t maintain consistency. I was tired and exhausted after work. I used to somehow irregularly maintain some reading so that I did not jeopardize the hardwork I had put in the previous 3 months. There was this phase of at-least another 3 months where I used to read stuff and read them again, because I kept forgetting stuff (as a result of the inconsistent reading and learning).

What did I read in these first 6 months?

The first 6 months were the toughest phase for me in learning web app hacking. I was distracted, demotivated, impatient and sometimes bored to death. But I hung on.

Its important how you start off when beginning something new, especially when trying to start something in a new field altogether. Its very tempting to begin with the best books in the market, but you see, it doesn’t help one’s cause. You need to know where you stand and reverse engineer in order to even know what you have to learn. Let me explain.

When I started googling how to learn web app hacking, the overwhelming response from the community was to read “The Web application hacker’s handbook”. You see, the community is right. It is one hell of a book! But I had to be self aware and understand that jumping off with that book wouldn’t help. I didn’t know shit about technology, web applications or how they work. Heck, I didn’t know how the internet worked!!

I tried searching for something like IT for dummies or something in that front and I found this book called “How to Speak Tech. The non-techie’s guide to technology basics in business” authored by Vinay Trivedi.

How to Speak Tech - Vinay Trivedi
How to Speak Tech - Vinay Trivedi

This is an amazing book, especially for one’s who are completely ignorant of how technology works. The very first chapter starts off with “how the internet works”. It has chapters like hosting, back end and front end programming languages, API, Databases and stuff like that. Of course, it offers a very basic layman explanation of these concepts. I complemented this book with YouTube videos (on the same topics I was reading)wherever I had to and started getting a hang of the technology jargon. The YouTube videos I initially watched were basic and included videos such as “How the Internet Works in 5 Minutes”. This YouTube playlist called “How the Internet Works” by the channel Code.org is great.

A lot more YouTube videos later, I started making a deep dive on to web application basics. The 3rd chapter in “The Web application hacker’s handbook” (Dafydd Stuttard & Marcus Pinto) is badass!

The Web Application Hacker's Handbook
The Web Application Hacker's Handbook

I mean, the book itself is great, but I can’t tell you how many times I had to read this chapter. This chapter has all the basics, HTTP protocol, Methods, Requests & Responses, URLs, cookies, basic web technologies and so on. It was in no way easy to understand (at least for me). I have no qualms in saying I kept re-reading this chapter, I used to read it, watch YouTube videos on the same, come back and re-read it. Every time I read it, my understanding improved.

But beyond this, I started struggling to grasp concepts in other chapters in the book. I was stuck and started searching to see if there was an even more basic book that could help my cause. I didn’t quite understand which knowledge gap I had to fill, in order to make progress with the hacker’s handbook. I came across this article “So you want to be a security engineer?” written by Niru Ragupathy. The article was a great read and it gave me some impetus as to where I could head next.

But the game changer for me was this book titled “Web application security: A beginner’s guide(Brian Sullivan and Vincent Liu). It helped my understanding so much, I started becoming confident moving forward.

I feel this book is understated and I highly recommend this book for beginners starting to learn web app hacking from scratch. This book is written from a defense perspective and makes the basic concepts of web applications and web app security so easy to understand. Especially concepts of Authentication and Authorization. It greatly helped set my understanding of authentication, sessions and session management, cookies and in general how web applications work. It also has this great chapter explaining XSS and CSRF. It is tailor made for beginners (but I should say I did struggle to understand XSS and CSRF initially).

After this going back to “The Web application hacker’s handbook” was easier than before. I started making some progress comprehending stuff. I never, entirely read the book though. I used to jump across blogs and videos, according to my personal comprehension of topics. Boy, were these 6 months tough!

Two months of deliberate practice

Interestingly after that period, I experimented with deliberate practice. As an entrepreneur I know for a fact that one can learn a lot more by executing/doing. I learnt to set up a virtual lab (I used the OWASP Broken Web Applications) and spent a few hours a week (around 5–15 hours) learning how to use Burp Suite (free/community edition), capturing and tampering data and whatever little I learnt, to poke around the apps in the virtual lab. I also went a notch further, by participating in Zomato’s bug bounty program.

I tried reading disclosed Hackerone reports, going back to books and blogs, reading reports again and back and forth. All this while also doing bug bounty hunting on Zomato. Honestly, most of the time, I didn’t know what the heck I was doing when bug hunting. After 2 months of doing this, I realized, I had to stop. It was fun but I was wasting time, I had to discipline myself to go back to reading. But, this was by far the best learning phase. After this, books and articles were a lot easier to understand!

Another 4 months of learning

This was a phase, where I somehow forced myself to level up. I started learning the basics of HTML and Javascript (Freecodecamp, Code-academy, Colt Steele’s course on Udemy) learnt how to use the Chrome and Firefox console, used to deliberately look at the page source code of websites, kept reading Hackerone reports and other technical blog posts/writeups and started watching talks given by hackers like Jason Haddix (the Level Up series). I also taught myself through courses in Udemy (Said Sabih’s course) and Pluralsight (Troy Hunt’s course). I know many fellow hackers advise against this, but as a beginner, shelling out a few bucks for the right course really helps. This was along with practicing on vulnerable web apps, not to forget reading and re-reading books.

Bug Bounty Hunting

After a year I thought I should seriously give some time for bug bounty hunting. I started in June 2019 and initially for 2 months, I dedicated a day or two per week solely for this (around 6 hours/day). However, in August and September, I tried experimenting with bug bounty hunting for at-least 35–40 (effective) hours a week (this included bug hunting, reading & research and making notes). My business partner was kind enough to compensate and cover up for my work in our business. So I gave it a shot. These 2 months have been amazing. I can’t tell you how much I have learnt.

My first 2 months in bug hunting was just random testing. There was no plan, no methodology I specifically followed. In knew I had to take a step back to do something about this. I would recommend not to rush into things and do random monkey testing. It yields frustrating results. You have to give yourself the time to do some research and experimenting to come up with your own methodology. Develop a pattern, your own style of bug hunting, put some effort to organize it. It need not necessarily be thorough (at least as a beginner), but IT HAS TO BE DISCIPLINED & ORGANIZED. You have to know what you want to do next and when to move on when things don’t work as planned. By no way am I having any roaring success following this, but it has disciplined my bug hunting and makes my bug hunting a notch easier. These are some resources I leveraged to come up with my methodology-

  1. The 21st chapter in the The Web application hacker’s handbook. This would give you a detailed overview, as to how you could go about testing a web app. I’ll be honest, I found this a little overwhelming, though.
  2. The 7th chapter on testing and methodologies in “Breaking into information security” by Andy Gill. This is sort of a broken down, briefer view of the one given in The Web application hacker’s handbook. This was more digestible.
Breaking into Information Security
Breaking into Information Security

3. Peter Yaworski’s Web hacking Pro tips video series on YouTube. In this series he interviews successful hackers and picks their brains as to how they go about their hacking. How they started, how they train, how they go about hacking/testing web apps, their tips and tricks. Carefully listening and taking down notes can give you tremendous insights into how you could go about bug bounty hunting.

4. I would highly recommend leveraging BugCrowd’s forum. The forum has hundreds of questions by beginners that have been patiently and very nicely addressed by seasoned hackers.Take your time and go through the forum. Dig deep and you would find gems when it comes to methodology, tips and tricks.

5. There are 2 videos in Stok’s YouTube channel I found particularly useful, as far as methodology was concerned. One was “I accidentally started a live stream and it turned into #askstok” and the other BUG BOUNTY METHODOLOGY TIPS TO ALWAYS TEST FOR! with Jason Haddix.

I spent a lot of time patiently doing the above to come up with my own unique method to bug hunt. Not that its perfect, but I take efforts to keep experimenting and changing it if necessary.

This is just the beginning

The last 1 year and 4 months seems like a long time, but ironically I have just started :P My article comes to an end here, because honestly I am a rookie and don’t have any tips or tricks to offer. After all, I am just 4 months old (the time I have been bug hunting) :)

Update (29th July 2021)

I don't do bug bounty hunting anymore. I know, I quit! Not that I don't entertain the idea of coming back to it, but at least for now, it is not for me (stressful/frustrating). However on the plus side, I realised that I have a natural inclination towards wanting to learn Open Source Intelligence (OSINT). I find OSINT more interesting. And it is challenging. In fact I have picked up the most recent (8th) edition of Michael Bazzell's book on the same. Hopefully my OSINT journey would be a great learning experience.