First, choose a topic to start focusing on, such as web applications, mobile applications, IoT or reverse engineering. Once you have chosen a topic, the first thing you should learn is how the technology you are testing actually works. Understanding how something works is at the heart of every hack: you can't hack something unless you first understand how it works.
Let's take a simple, non-digital example to demonstrate why this matters.
Imagine you're trying to unlock a padlock without a key, but the lock is transparent, so you can see how it is built from the inside. You simply don't need the original key anymore to open it, right? You can see how the padlock works, so you could create a new key yourself to unlock it. The transparency represents your knowledge of what you are testing. The more you play with it, the clearer its functionality and potential vulnerabilities become, and that generates additional possible ways to successfully hack your target.
Almost everyone who starts with bug bounty quickly realises that it is not that easy. You will have to learn new skills and will find yourself in many frustrating situations. You will succeed but also fail many times during the learning process, and you should see each failure as a new experience rather than a setback. Every time you "fail" at something while you are learning, it is an improvement for the next time. Your experience will slowly build up, and the more you try, the more experience you will gain.
It is impossible to know when you will find your first vulnerability, but it generally takes a while for most new hunters. Patience, persistence and self-confidence are key: don't give up and, step by step, you will get closer and closer to your first valid bug.
Programming knowledge is certainly useful, but it's not necessary when you are just starting out with bug bounty hunting (it depends on your area of focus). As you gain more experience, knowing programming languages will deepen your understanding of your target applications. You don't have to be a full-fledged developer, but understanding how code works and how it is used in different situations will definitely improve your testing results.
You will start gaining experience as soon as you start doing bug bounty hunting and accept that failure is a necessary route to success. The more time you spend hacking, the better your tests will be, and with them your chance of finding vulnerabilities. You can also sharpen your hacking skills by tackling the free trainings and CTF-style challenges on Dojo.
As long as you invest time in bug bounty hunting, learning about hacking and practising your hacking skills, you will improve! Remember that even experienced hackers often feel frustrated at an apparent lack of progress. This is very common and it is something that almost everyone has to learn to deal with. Setting small goals will help you stay motivated. As an example, imagine you are doing bug bounty hunting and find a functionality on the application you are testing that allows you to change the username on your account. You can set a simple goal such as: "Dig deeper into this functionality and focus on testing it until you either find strange behaviour or run out of options on how to continue your tests."
This depends on the bug bounty program you're hunting on, but there are some general questions you should always ask yourself before reporting a bug:
- What is the potential impact?
- Does the bug potentially expose some security risk?
- What damage could the exploitation cause to the organization and/or its customers?
- Can I use the bug to affect additional components or organisations?
- Is the vulnerability within scope, as defined by the program policy?
You can start with any vulnerability type, but some bugs typically take longer to learn than others. It all comes down to your technical know-how and what you feel comfortable with.
However, these bugs are usually friendlier to start with when you are a new hunter:
- Cross Site Scripting (XSS)
- Insecure Direct Object References (IDOR)
- Server Side Template Injection (SSTI)
These are good starter bugs because they usually give you direct feedback in the application response. In contrast, vulnerabilities that can only be found with out-of-band (OOB), time-based or otherwise blind techniques are usually more difficult for new hunters, since they often require a deeper understanding of how the application is built and configured.
To facilitate your learning, we offer numerous vulnerable-code snippets for some of the most common vulnerabilities on our GitHub repository: Vulnerable code snippets. This way you can learn how different vulnerabilities typically occur and how their code might be written.
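To make the "feedback in the response" point concrete, here is an added illustration in the spirit of those snippets. It is written for this page and is not code from the Vulnerable code snippets repository; the user table, handler names and the toy `{{ expr }}` template engine are all constructed for the example. Each of the three starter bugs is shown as a vulnerable handler next to its fixed version, so you can see both how the bug is introduced and what the tell-tale response looks like.

```python
"""Toy handlers for the three starter bug classes (IDOR, XSS, SSTI).
Constructed example: the data, names and template engine are assumptions,
not code from any real application or repository."""
import html
import re
from string import Template

# Constructed sample user table (assumption: integer ids, one row per user).
USERS = {
    1: {"username": "alice", "email": "alice@example.com"},
    2: {"username": "bob", "email": "bob@example.com"},
}


# --- Insecure Direct Object Reference ---------------------------------
def get_profile_vulnerable(session_user_id, requested_user_id):
    """IDOR: the id taken from the request is used directly and ownership is
    never checked, so user 1 requesting profile 2 gets bob's record back.
    The feedback is immediate: the other user's data is in the response."""
    user = USERS.get(requested_user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def get_profile_fixed(session_user_id, requested_user_id):
    """Fix: authorise against the server-side session, not the client value."""
    if requested_user_id != session_user_id:
        return 403, {"error": "forbidden"}
    return get_profile_vulnerable(session_user_id, requested_user_id)


# --- Reflected Cross Site Scripting -----------------------------------
def greeting_vulnerable(name):
    """XSS: untrusted input is concatenated into HTML without encoding."""
    return f"<p>Welcome, {name}!</p>"


def greeting_fixed(name):
    """Fix: HTML-escape the data before it reaches the markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def reflects_unencoded(render, probe="<script>alert(1)</script>"):
    """The quick check a hunter does in practice: send a probe and see whether
    the response reflects it verbatim (True) or encoded (False)."""
    return probe in render(probe)


# --- Server Side Template Injection -----------------------------------
def render_vulnerable(template_text):
    """SSTI: a toy engine that evaluates every {{ expr }} it finds. When user
    input is used as the *template* the user gets to run expressions, and the
    classic {{ 7*7 }} probe answers with 49 right in the response."""
    return re.sub(
        r"\{\{(.*?)\}\}",
        lambda m: str(eval(m.group(1).strip())),  # deliberately unsafe
        template_text,
    )


def render_fixed(name):
    """Fix: the template is a fixed string owned by the server; user input is
    only ever substituted as data, so {{ 7*7 }} stays literal text."""
    return Template("Hello $name").safe_substitute(name=name)
```

Note how each vulnerable version answers the tester directly: a 200 with someone else's record, a `<script>` tag echoed back unencoded, or `49` where `{{ 7*7 }}` was sent. That visibility is exactly what makes these classes easier to learn than blind or out-of-band ones, where the same mistakes produce no difference in the response.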
Absolutely. Public programs may have been more heavily tested than private (invite-only) programs, but there are always bugs to be found in any program. After all, many public programs are regularly updated with new scopes and features that expand the attack surface even further.
It depends on your methodology, your targets and the vulnerabilities you're focusing on. The following tools are popular and effective in the hacking categories outlined (but not necessarily limited to use for those categories).
- Reverse engineering, IoT
- Code Analytics
Be creative, persistent and patient. Try to look at the target you are testing from different perspectives, work out how it functions and see what testing opportunities that creates. How can you change a functionality's intended behaviour into a behaviour that affects the program's security?
It's possible to start bug hunting with little or no previous experience in cybersecurity or computer science. It might take longer to understand the subject, but with enough patience and the motivation to keep learning, people from a wide variety of backgrounds can become successful bug bounty hunters.