BASIC TERMINOLOGIES
Bug Bounty : A reward given for reporting a security vulnerability.
Bug Bounty Program : Companies or individuals that reward security researchers for reporting security vulnerabilities in their products. This term is commonly abbreviated to "BBP".
Bug Bounty Hunter : An individual that hunts for security issues on bug bounty programs.
Duplicate : A report describing the same issue as a previously submitted report is referred to as a "duplicate". Bug bounty platforms usually allow programs to set the status of a duplicate report to "duplicate" to inform the hunter that the issue has been submitted previously.
Exploit : An exploit is code that takes advantage of a software vulnerability or security flaw to gain system access.
Full disclosure : When the entire report is publicly disclosed. Bug bounty hunters will usually request public disclosure of their report once the issue has been resolved or a certain number of days have gone by since the initial report.
Payload : Payloads are simple pieces of code or scripts that the hunter uses to identify a vulnerability.
PoC : Abbreviation for proof of concept, a detailed demonstration of a security vulnerability.
Scope : Outlines the rules of engagement for a bounty program. This includes clearly defined testing parameters to inform researchers what they can and cannot test, as well as the payout range for accepted vulnerabilities.
Target : A target is the thing (web or mobile application, hardware, API) that the crowd tests for vulnerabilities.
Vulnerability : A security flaw or weakness found in software or in an operating system (OS) that can lead to security concerns.
Bug Bounty Platforms
- ● AntiHACK
- ● Bountysource
- ● Bugbountyjp
- ● Bugcrowd
- ● CESPPA
- ● Cobalt
- ● Detectify
- ● FOSS Factory
- ● HackenProof
- ● HackerOne
- ● Hacktrophy
- ● intigriti
- ● Safehats
- ● Synack
- ● YesWeHack
- ● Yogosha
- ● Zerocopter
Bug Bounty List - All Active Programs in 2020 by Bugcrowd
HOW DO BUG BOUNTIES WORK?
THINGS YOU SHOULD KNOW BEFORE STARTING BUG HUNTING
What is the Web? :
Programming Languages :
Networking :
Basic Linux Commands :
LEARNING RESOURCES
Books :
- ● Android Hacker's Handbook
- ● Automating Bug Bounty
- ● Bug Bounty Hunting Essentials
- ● Burp Suite Cookbook
- ● Burp Suite Essentials
- ● Mastering Modern Web Penetration Testing
- ● OWASP Testing Guide
- ● OWASP Mobile Security Testing Guide
- ● OWASP Web Security Testing Guide
- ● Real-World Bug Hunting: A Field Guide to Web Hacking
- ● The Mobile Application Hacker's Handbook
- ● The Web Application Hacker's Handbook
- ● Web Hacking 101
Courses :
- ● Hacker101 Course
- ● Bug Bounty Hunting - Offensive Approach to Hunt Bugs
- ● Offensive Bug Bounty - Hunter 2.0
- ● Bug Bounty Courses
YouTube Channels :
- ● Black Hat
- ● Bug Bounty Hunting Methodology v2
- ● Bug Bounty Hunting Methodology v3
- ● HackerSploit
- ● Nahamsec
- ● OA Cyber Security Labs
- ● STÖK
Other Resources :
- ● Bug Bounties 101
- ● Bug Bounty Cheat Sheet
- ● Bug Bounty Guide
- ● Bugcrowd University
- ● Bug Hunter's Methodology (TBHM)
- ● Getting Started - Bug Bounty Hunter Methodology
- ● How to Become a Successful Bug Bounty Hunter
- ● OWASP Top Ten
- ● Researcher Resources - How to become a Bug Bounty Hunter
- ● Researcher Resources - Tutorials
- ● Resources for Beginner Bug Bounty Hunters by Nahamsec
- ● The life of a bug bounty hunter
PRACTICE LABS & PLATFORMS
- ● Acunetix Art
- ● Altoro Mutual
- ● bWAPP
- ● Damn Vulnerable iOS App (DVIA)
- ● Damn Vulnerable Web App (DVWA)
- ● Hacker101
- ● Hacksplaining
- ● HackTheBox
- ● Mutillidae
- ● OpenDNS Security Ninjas
- ● OWASP Juice Shop
- ● Penetration Testing Practice Labs
- ● SQL Injection Practice
- ● TryHackMe
- ● Vulnerable GraphQL API
- ● Vulnhub
- ● WebGoat
- ● WPScan Vulnerable WordPress
- ● Web Security Academy by PortSwigger
Local PentestLab Management Script - Bash script to manage web apps using Docker and hosts aliases. Made for Kali Linux, but should work fine with pretty much any Linux distro.
TOOLS
Burp Suite :
Burp Suite is the world's most widely used web application security testing software.
Burp Suite - Application Security Testing Software : https://portswigger.net/burp
Bug Bounty Forum Tool list :
A huge list of tools that can help you with bug bounty research (Recon, Exploiting & Scanning, Fuzzing & Bruteforcing, Fingerprinting, Decompilers, Proxy Plugins, Monitoring, JS Parsing and Mobile Testing).
BugHunter - Tools for Bug Hunting :
Collection of Information Gathering, Mapping, Discovery and Exploitation Tools for Bug Hunting
RECONNAISSANCE & ENUMERATION
- ● Get Subdomains and IPs and filter them
- ● Find Directories or Files (Fuzzing)
- ● Webpage and Server Information
- ● Open Ports and Services
- ● URL and Parameter
- ● Use Google, Github, Shodan, Censys, Spyse and Other Search Engines.
Let's Recon (PDF)
Passive Reconnaissance :
- ● BuiltWith
- ● Censys
- ● Shodan
- ● Spyse
- ● OSINT Framework
Enumeration Tools :
- ● Subfinder - Subdomain discovery tool
- ● amass - In-depth Attack Surface Mapping and Asset Discovery
- ● assetfinder - Find domains and subdomains related to a given domain
- ● GetAllUrls - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl
- ● Hosthunter - Recon tool for discovering hostnames using OSINT techniques
- ● Altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
- ● DNSGen - Generates combinations of domain names from the provided input
- ● massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance
- ● httprobe - Take a list of domains and probe for working HTTP and HTTPS servers
- ● subjack - Subdomain Takeover tool written in Go
- ● GoSpider - Fast web spider
- ● Arjun - HTTP parameter discovery suite
- ● qsreplace - Accept URLs on stdin, replace all query string values with a user-supplied value
- ● gf - A wrapper around grep, to help you grep for things
- ● Linkfinder - A python script that finds endpoints in JavaScript files
- ● ffuf - Fast web fuzzer
- ● gobuster - Directory/File, DNS and VHost busting tool
- ● CeWL - Custom Word List Generator
Some Useful Links for Reconnaissance & Enumeration :
- ● CentralOps
- ● DNS Stuff
- ● DomainCrawler
- ● DomainSearch
- ● DomainTools
- ● Geographic Location
- ● Geo IP Tool
- ● Hurricane Electric
- ● Internet Domain Survey
- ● Internet Traffic Report
- ● Internet Wide Scan Data
- ● InterNIC
- ● IP-Address
- ● IPinfo Security Portal
- ● NerdLabs
- ● Netcraft
- ● Netinfo
- ● NetQuery
- ● Network Tools
- ● Reverse IP domain check
- ● RobTex SwissArmyKnife
- ● Visual Traceroute
- ● W3DT
- ● Wayback Machine
- ● Wayback Robots
- ● Wayback URLs
- ● WebTic DNS scan
- ● Who.IS
- ● Whois.net
WEB VULNERABILITIES
- ● OWASP Top Ten
- ● OWASP List of Vulnerabilities
- ● Web Application Vulnerabilities Index (Netsparker)
VULNERABILITY SCANNERS
- ● Acunetix
- ● Arachni
- ● Burp Suite
- ● Joomscan
- ● Nessus
- ● Netsparker
- ● Nexpose
- ● Nikto
- ● OpenVAS
- ● Sn1per
- ● Vega
- ● WPScan
- ● Wapiti
- ● Zed Attack Proxy
- ● W3AF