Bug Bounty Bootcamp

1. Choose Bug Bounty Programs Strategically

Finding the right program to target is the first step to becoming a successful bug bounty hunter.

Asset Types and Scope. Selecting a bug bounty program requires careful consideration of asset types (web, mobile, API, hardware) and program scope (in-scope vs. out-of-scope assets and vulnerabilities). Beginners should target programs with broad scopes and assets that align with their skill sets, such as social sites or general web applications. Understanding the program's scope is crucial to avoid legal issues and focus efforts effectively.

Platform vs. Independent Programs. Decide whether to participate in programs hosted on bug bounty platforms (HackerOne, Bugcrowd) or independently hosted programs. Platforms offer transparency and streamlined logistics, while independent programs may be less competitive and provide direct interaction with development teams. Consider the pros and cons of each to determine the best fit.

Payouts and Response Times. Evaluate the program's payout structure (VDP vs. monetary rewards) and average response times. Prioritize programs with fast response times to accelerate learning and receive timely feedback. Also, consider the program's reputation and treatment of researchers.

2. Craft High-Quality Vulnerability Reports

A bug bounty hunter’s job isn’t just finding vulnerabilities; it’s also explaining them to the organization’s security team.

Descriptive and Clear. A well-written vulnerability report is essential for effective communication with security teams. It should include a descriptive title, a clear summary of the issue, and step-by-step instructions for reproduction. Assume the reader has limited knowledge of the application and provide all necessary details.

Severity Assessment and Impact. Include an honest assessment of the bug's severity (low, medium, high, critical) and a description of the potential impact and attack scenarios. This helps security teams prioritize fixes and understand the business implications of the vulnerability. Tailor the assessment to the client's business priorities.

Mitigation and Validation. Recommend possible mitigations and validate the report for technical errors and clarity. This saves the security team time and contributes to a positive relationship. Always communicate with professionalism and respect.

3. Cultivate Relationships with Security Teams

Your job as a hacker doesn’t stop the moment you submit the report.

Understanding Report States. Familiarize yourself with the different report states (need more information, informative, duplicate, N/A, triaged, resolved) and respond accordingly. Provide clarifications promptly and help the security team fix the issue.

Conflict Resolution and Partnership. Handle conflicts professionally and respectfully, and strive to form long-term partnerships with organizations. This can lead to smoother report resolutions, bigger bounties, and even job opportunities. Avoid spamming, pestering for money, or verbally abusing the security team.

Communication Style. Learn the communication style of each organization and customize your reports to make the reader's job easier. Support the security team until the issue is resolved and offer advice to help mitigate the vulnerability.

4. Master Internet Fundamentals and Security Controls

Finding web vulnerabilities is all about exploiting weaknesses in this technology, so all good hackers should have a solid understanding of it.

Client-Server Model and HTTP. Understand the client-server model, DNS, internet ports, and HTTP requests and responses. Learn about common HTTP methods (GET, POST, PUT, DELETE) and status codes (200, 302, 403, 500). These are the building blocks of web communication.

Encoding and Encryption. Familiarize yourself with content encoding schemes (Base64, URL encoding) and encryption techniques. Learn to decode encoded content and understand how encryption protects data privacy. These are essential for analyzing and manipulating web traffic.

Session Management and Authentication. Grasp session management, HTTP cookies, token-based authentication, and JSON Web Tokens (JWTs). Understand how these mechanisms are used to identify users and protect resources. Also, understand the same-origin policy (SOP) and its role in preventing cross-site attacks.

5. Conduct Thorough Reconnaissance to Maximize Impact

Spending time on recon gives you an incredible advantage over other hackers, because you’ll be the first to notice the bugs on all obscure assets you discover, giving you better chances of finding bugs that aren’t duplicates.

Scope Discovery and Asset Mapping. Always verify the target's scope and map out all in-scope assets (domains, subdomains, IP addresses). Use WHOIS, reverse WHOIS, certificate parsing, and subdomain enumeration techniques to discover the target's attack surface. Tools like Sublist3r, Amass, and Gobuster can automate subdomain enumeration.

Service Enumeration and Directory Brute-Forcing. Enumerate services hosted on the target's machines by port scanning with Nmap or Masscan. Use directory brute-forcing tools like Dirsearch or Gobuster to discover hidden directories and files. Take screenshots of discovered pages with EyeWitness or Snapper.

OSINT and Third-Party Hosting. Utilize OSINT techniques (Google dorking, job postings, LinkedIn profiles) to gather information about the target's technology stack and infrastructure. Look for S3 buckets and other third-party hosting services used by the organization.

6. Exploit Common Web Vulnerabilities Methodically

In this book, Vickie explores a variety of different vulnerability types to advance your understanding of web application hacking.

Cross-Site Scripting (XSS). Understand the mechanisms, types (stored, reflected, DOM-based), and prevention techniques for XSS. Learn to hunt for XSS by looking for input opportunities, inserting payloads, and confirming the impact. Master techniques for bypassing XSS protection.

Open Redirects. Learn how open redirects work, how to prevent them, and how to hunt for them by looking for redirect parameters. Master techniques for bypassing open-redirect protection, such as using browser autocorrect, exploiting flawed validator logic, and using data URLs.

Clickjacking and CSRF. Understand the mechanisms and prevention techniques for clickjacking and cross-site request forgery (CSRF). Learn to hunt for these vulnerabilities by spotting state-changing actions and looking for a lack of protections. Master techniques for bypassing clickjacking and CSRF protection.

IDOR, SQL Injection, and SSRF. Understand the mechanisms and prevention techniques for insecure direct object references (IDORs), SQL injection, and server-side request forgery (SSRF). Learn to hunt for these vulnerabilities by creating two accounts, discovering features, capturing requests, and changing the IDs. Master techniques for bypassing IDOR, SQL injection, and SSRF protection.

Insecure Deserialization and XXE. Understand the mechanisms and prevention techniques for insecure deserialization and XML external entity vulnerabilities (XXE). Learn to hunt for these vulnerabilities by finding XML data entry points and testing for classic and blind XXE. Master techniques for bypassing insecure deserialization and XXE protection.

Template Injection, Application Logic Errors, and RCE. Understand the mechanisms and prevention techniques for template injection, application logic errors and broken access control, and remote code execution (RCE). Learn to hunt for these vulnerabilities by learning about your target, intercepting requests while browsing, and thinking outside the box. Master techniques for bypassing template injection and RCE protection.

7. Automate Recon and Vulnerability Discovery

By learning a programming language such as Python or shell scripting, you can automate these tasks to save yourself a lot of time.

Bash Scripting Basics. Learn the basics of bash scripting, including variables, conditionals, loops, and functions. Use bash to automate recon tasks and create custom tools.

Saving Tool Output and Adding Options. Implement input and output redirection to save tool output to files. Add options to choose the tools to run and schedule automatic scans using cron jobs.

Parsing Results and Building Reports. Use grep and other command-line utilities to parse tool output and build master reports. Create function libraries to reuse code and build interactive programs.

8. Review Source Code for Hidden Vulnerabilities

By learning how vulnerabilities manifest themselves in source code, you can develop an intuition about how and why vulnerabilities happen.

White-Box vs. Black-Box Testing. Understand the difference between white-box and black-box testing. If you have access to source code, conduct a white-box review to identify vulnerabilities more efficiently.

Fast Approach: grep and Pattern Matching. Use grep to search for dangerous functions, leaked secrets, weak encryption, outdated dependencies, developer comments, and debug functionalities. This is a quick way to find common vulnerabilities.

Detailed Approach: Important Functions and User Input. Focus on important functions (authentication, password reset, state-changing actions) and code that processes user input. This will help you identify potential vulnerabilities more effectively.

9. Adapt Web Hacking Skills to Mobile Applications

Hacking mobile applications requires the skill set you’ve built from hacking web applications, as well as additional knowledge about the structure of mobile apps and programming techniques related to the platform.

Setting Up a Mobile Proxy. Configure your mobile device or emulator to work with a proxy like Burp Suite. Install the proxy's certificate on your device to intercept HTTPS traffic.

Bypassing Certificate Pinning. Learn to bypass certificate pinning using tools like Frida or Objection. This allows you to intercept traffic from applications that implement certificate pinning.

Anatomy of an APK. Understand the structure of Android APK files, including AndroidManifest.xml, classes.dex, resources.arsc, and the lib folder. This knowledge is essential for analyzing mobile applications.

10. Secure APIs to Prevent Data Breaches

A secure API implementation is key to preventing data breaches and protecting customer data.

API Reconnaissance. Perform reconnaissance on APIs to understand their functionality and endpoints. Look for API documentation and use tools to discover hidden endpoints.

Testing for Access Control and Info Leaks. Test for broken access control and information leaks in APIs. Try to access resources without proper authentication or authorization.

Testing for Rate-Limiting and Technical Bugs. Test for rate-limiting issues and other technical bugs in APIs. Look for vulnerabilities that can lead to denial-of-service or other security problems.

11. Prioritize Ethical Conduct and Legal Compliance

Remember to wield this power responsibly! The information in this book should be used strictly for legal purposes.

Obtain Permission. Always obtain explicit permission before testing any system. Only attack systems you have permission to hack.

Respect Scope. Adhere to the scope defined in the bug bounty program's policy. Avoid testing out-of-scope assets or vulnerabilities.

Report Responsibly. Report vulnerabilities responsibly and professionally. Provide clear and concise reports with detailed steps to reproduce the issue.

Last updated: April 18, 2025