Complete Guide To Start Bug Bounty In 2022
2022-4-11 16:45:20 Author: infosecwriteups.com

Hey everyone! Today we learn how you can start your bug bounty journey and how you can become a successful bug bounty hunter!

My name is Surendra Pander. I am a security researcher, ethical hacker, bug bounty hunter and online cybersecurity educator from India. If you want personal training from me, you can message me on Instagram or Twitter; links are given below.

This blog is divided into three major parts:

1. What are the basic requirements before you start bug bounty.

2. What you need to learn in bug bounty (mainly we focus on web application bug bounty).

3. How to start doing bug bounty in the real world (how to pick a target, make a methodology, recon and other things).

So without further ado, let's get into it.

+++++++===================++++++++++++++

1. What are the basic requirements to start in bug bounty -

Bug bounty is a part of cybersecurity, not the whole of cybersecurity! So before you start learning bug bounty, you need to learn the basics of hacking, so that you can start your bug bounty journey happily.

Many students come and say "I want to learn bug bounty", but when I ask whether they have basic knowledge of computers, basic hacking terminology (such as zero-day, exploit and others), computer networking (routing, firewalling, SSL, TLS, ports, protocols, IP, TCP, UDP, MAC), the Linux OS, basic hacking tools such as Nmap and Hydra, and many other things, most students say no. I made a dedicated video on how to become an ethical hacker in 2022, where I show you many resources and a detailed overview of the basic cybersecurity requirements before choosing any specialised field you are interested in, such as bug bounty.

Video —

So make sure, when you start learning, that you first refer to this video; I promise it gives a clear overview of how to start.

========================================

2. What you need to learn in bug bounty (mainly we focus on web applications) -

After clearing your basics and learning the fundamentals of hacking, you can now choose the path where you want to go deep into your favourite area. Since you chose bug bounty, I am assuming that most of you will choose the web application side of bug bounty.

Before diving deeper into how to test for web application security, it is essential to know various concepts about web applications, their communication, and their components. This includes understanding how an HTTP request is formed, how an HTTP response works, what the various security headers are, browser security features, what CSP and CORS are, etc. These are basic concepts that will help you throughout your journey as an application security person, because without knowing how things work, we can't break them.

Resources to learn Basic Concepts

About HTTP: https://developer.mozilla.org/en-US/docs/Web/HTTP

HTTP Headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

HTTP Security: https://developer.mozilla.org/en-US/docs/Web/Security

Content-Security Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

HTTP Cookies: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies

Web Security Cheatsheet: https://infosec.mozilla.org/guidelines/web_security

Cross-Origin Resource Sharing: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
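As an added example (not code from the original post), here is a small Python script that parses a constructed HTTP response and flags the security-header, CORS and cookie-flag weaknesses discussed above; `parse_response()`, `audit_response()` and the `SAMPLE` response are this example's own names and data.

```python
# Added example (not from the post): flag weak security headers and cookie flags.
# parse_response()/audit_response() and SAMPLE are this example's own, constructed.

# Headers a defender expects on an HTTPS site, with the reason each matters.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS, blocks protocol downgrade",
    "content-security-policy": "restricts script/resource origins (limits XSS)",
    "x-content-type-options": "stops MIME sniffing",
    "x-frame-options": "mitigates clickjacking",
}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:  # header lines follow the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def audit_response(raw):
    """Return a list of findings about missing or weak security headers."""
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    findings = [f"missing {n} ({why})" for n, why in EXPECTED_HEADERS.items()
                if n not in present]
    # CORS: a wildcard origin combined with credentials is a classic misconfiguration.
    single = dict(headers)  # fine for single-valued headers (last one wins)
    if (single.get("access-control-allow-origin") == "*"
            and single.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS allows any origin with credentials")
    # Cookies: every Set-Cookie should carry Secure, HttpOnly and SameSite.
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings

# Constructed sample response; not captured from any real site.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html></html>"
)
```

`audit_response(SAMPLE)` returns seven findings for the constructed response (three missing headers, the CORS misconfiguration and three missing cookie flags) and an empty list for a fully hardened one.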

Now that you know the basic concepts of web applications, it's time to learn about the vulnerabilities found in web applications.

I highly recommend learning first about the OWASP Top 10 vulnerabilities, which is a standard followed by many companies.

OWASP Web Top 10: https://owasp.org/www-project-top-ten/
OWASP API Top 10: https://owasp.org/www-project-api-security/

Resource For OWASP top 10 Web — Complete Playlist in Hindi

Getting Started with Web Application Security

The OWASP Testing Guide explains a wide range of security issues and how to test for them. This should be your initial reference guide for knowing and exploring various security vulnerabilities.

After reading the OWASP Testing Guide, refer to PortSwigger.

PortSwigger Web Security Academy is the practical version of The Web Application Hacker's Handbook. You get good learning resources (short and crisp) followed by labs to master the things you are learning.

Bugcrowd Vulnerability Rating Taxonomy talks about multiple security issues and an associated severity with them. This is also a helpful resource to know multiple security issues.

OWASP Juice Shop is a real-life application that gives you a flavour of testing multiple security vulnerabilities, ranging from injection and access control to XXE.

Cobalt.io Vulnerability Wiki is yet another great resource that includes a brief explanation, proof of concept, and risk ratings for various security issues based on OWASP ASVS.

PayloadsAllTheThings is an open-source GitHub repository that contains a huge list of payloads for all kinds of security issues, and it is a good resource for learning about some of the newer security issues as well.

Learn365 is my own GitHub repo which contains all the learning resources I am following in my #Learn365 challenge; these cover various attack vectors including Web, Mobile, Network, Cloud, etc.

HackTricks GitBook is a great collection of resources about various Network, Mobile & Web Attack vectors.

Writeups -

InfoSec Writeups, PentesterLand and HackerOne Disclosures are great resources for reading bug bounty writeups and learning how various hackers approach different bugs and different applications.

A highly recommended piece of advice which you should never, ever ignore if you want to learn hacking or bug bounty: it's a must. I suggest that you order at least two books now so you can read them. If you skip books, you will learn less.

Some books which gave me a lot of knowledge in bug bounty and hacking:

1. The Web Application Hacker's Handbook — https://amzn.to/3qzjAGj

2. Real-World Bug Hunting: A Field Guide to Web Hacking — https://amzn.to/36t4gEx

3. Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities — https://amzn.to/3iCQWQp

4. Mastering Modern Web Penetration Testing — https://amzn.to/3iECvex

5. Hacking: The Art of Exploitation — https://amzn.to/3Dai2I8

6. Penetration Testing: A Hands-On Introduction to Hacking — https://amzn.to/3Ljzcpk

Tools & Recon & Methodology -
Burp Suite
nmap
sublist3r
dirbuster
ffuf

Recon -

I highly recommend NahamSec's YouTube live stream videos. Read writeups on Medium about people's recon methods; people share them a lot.

Methodology -

Jason Haddix's methodology is highly recommended to check out.
Also read writeups and build your own methodology from them.

A piece of personal advice: make your own methodology. Don't just follow someone else's methodology, but you can refer to other methodologies to build your own.

Some courses which can be helpful to you in bug bounty -

040: Burp Suite: Zero to Hero

Link — https://thexssrat.podia.com/burp-suite-zero-to-hero/swdoy

002: Uncle Rat’s Bug Bounty Guide -

Link — https://thexssrat.podia.com/uncle-rat-s-ultimate-bug-bounty-guide/swdoy

005: API testing and securing guide-

Link — https://thexssrat.podia.com/free-api-testing-and-securing-guide/swdoy

— — — — — — — — — — — — — — — — — — — — — — — — — — — — -

3. How to start doing bug bounty in the real world

Choosing a platform — At the start I don't recommend any platform, because in the beginning you should try programs which are not listed. After gaining experience — HackerOne, Bugcrowd, Intigriti, YesWeHack and a lot of others.

Choosing a program —

Check these things before selecting a target -

Bigger scope, more functionality, more subdomains, good response time, easy resolution, good payout.

Report -

Simple language + verbose report + steps to reproduce + add a video or picture + clear impact on the company

=======================================================================================

Ending & bonus tip -

Never learn too much; learn less, but learn in depth.
Be patient.

If you want to support my effort, you can buy a coffee for me -

https://www.buymeacoffee.com/surendrapander

You can subscribe to my YouTube channel for future hacking-related videos and updates in Hindi!
Channel link — https://www.youtube.com/c/TechnicalSurendrachannel

I hope you like this blog. If yes, make sure you clap for it, follow me on Twitter and share it with friends. If you have suggestions related to future blogs, please comment below or message me on Instagram or Twitter.

I will see you in the next blog like this; till then keep learning, keep hacking.

Peace ✌!

My social media accounts -
Twitter — https://twitter.com/technicalSure
YouTube — https://www.youtube.com/channel/UCZq87M0I0-zEfLuyyfEeE6Q
Instagram — https://www.instagram.com/surendra_choudhary1241/
Linkedin — https://www.linkedin.com/in/surendra-pander-4066761b7/


Article source: https://infosecwriteups.com/complete-guide-to-start-bug-bounty-in-2022-5036630e5d98?source=rss----7b722bfd1b8d--bug_bounty