BASIC TERMINOLOGIES

Bug Bounty : A reward given for reporting a security vulnerability.

Bug Bounty Program : Companies or individuals that reward security researchers for reporting security vulnerabilities in their products. This term is commonly abbreviated to "BBP".

Bug Bounty Hunter : An individual that hunts for security issues on bug bounty programs.

Duplicate : A report describing the same issue as a previously submitted report is referred to as a "duplicate". Bug bounty platforms usually allow programs to set the status of a duplicate report to "duplicate" to inform the hunter that the issue has been submitted previously.

Exploit : Exploit is a code that takes advantage of a software vulnerability or security flaw to gain system access.

Full disclosure : When the entire report is publicly disclosed. Bug bounty hunters will usually request public disclosure of their report once the issue has been resolved or a certain number of days have gone by since the initial report.

Payload : Payloads are simple code or scripts that the hunter use to identify vulnerability.

PoC : Abbreviation for proof of concept, a detailed demonstration of a security vulnerability.

Scope : Outlines the rules of engagement for a bounty program. This includes a clearly defined testing parameter to inform researchers what they can and cannot test, as well as the payout range for accepted vulnerabilities.

Target : A target is the thing (web or mobile application, hardware, API) that the crowd test for vulnerabilities.

Vulnerability : A security flaw or weakness found in software or in an operating system (OS) that can lead to security concerns.

Bug Bounty Platforms

• ● AntiHACK
• ● Bountysource
• ● Bugbountyjp
• ● Bugcrowd
• ● CESPPA
• ● Cobalt
• ● Detectify
• ● FOSS Factory
• ● HackenProof
• ● HackerOne
• ● Hacktrophy
• ● intigriti
• ● Safehats
• ● Synack
• ● YesWeHack
• ● Yogosha
• ● Zerocopter

Bug Bounty List - All Active Programs in 2020 by Bugcrowd

HOW BUG BOUNTIES WORK?

THINGS YOU SHOULD KNOW BEFORE STARTING BUG HUNTING

What is Web? :

• ● Web - Basic Concepts

Programming Languages :

• ● Bash
• ● HTML
• ● JavaScript
• ● PHP
• ● Python
• ● SQL

Networking :

• ● Networking

Basic Linux Commands :

• ● Basic Linux Commands

LEARNING RESOURCES

Books :

• ● Android Hacker's Handbook
• ● Automating Bug Bounty
• ● Bug Bounty Hunting Essentials
• ● Burp Suite Cookbook
• ● Burp Suite Essentials
• ● Mastering Modern Web Penetration Testing
• ● OWASP Testing Guide
• ● OWASP Mobile Security Testing Guide
• ● OWASP Web Security Testing Guide
• ● Real-World Bug Hunting: A Field Guide to Web Hacking
• ● The Mobile Application Hacker's Handbook
• ● The Web Application Hacker's Handbook
• ● Web Hacking 101

Courses :

• ● Hacker101 Course
• ● Bug Bounty Hunting - Offensive Approach to Hunt Bugs
• ● Offensive Bug Bounty - Hunter 2.0
• ● Bug Bounty Courses

YouTube Channels :

• ● Black Hat
• ● Bug Bounty Hunting Methodology v2
• ● Bug Bounty Hunting Methodology v3
• ● HackerSploit
• ● Nahamsec
• ● OA Cyber Security Labs
• ● STÖK

Other Resources :

• ● Bug Bounties 101
• ● Bug Bounty Cheat Sheet
• ● Bug Bounty Guide
• ● Bugcrowd University
• ● Bug Hunter's Methodology (TBHM)
• ● Getting Started - Bug Bounty Hunter Methodology
• ● How to Become a Successful Bug Bounty Hunter
• ● OWASP Top Ten
• ● Researcher Resources - How to become a Bug Bounty Hunter
• ● Researcher Resources - Tutorials
• ● Resources for Beginner Bug Bounty Hunters by Nahamsec
• ● The life of a bug bounty hunter

PRACTICE LABS & PLATFORMS

• ● Acunetix Art
• ● Altoro Mutual
• ● bWAPP
• ● Damn Vulnerable iOS App (DVIA)
• ● Damn Vulnerable Web App (DVWA)
• ● Hacker101
• ● Hacksplaining
• ● HackTheBox
• ● Mutillidae
• ● OpenDNS Security Ninjas
• ● OWASP Juicy Shop
• ● Penetration Testing Practice Labs
• ● SQL Injection Practice
• ● TryHackMe
• ● Vulnerable GraphQL API
• ● Vulnhub
• ● WebGoat
• ● WPScan Vulnerable Wordpress
• ● Web Security Academy by PortSwigger

Local PentestLab Management Script - Bash script to manage web apps using docker and hosts aliases. Made for Kali linux, but should work fine with pretty much any linux distro.

TOOLS

• ● 100 Hacking Tools and Resources - HackerOne
• ● Researcher Resources Tools - Bugcrowd

Burp Suite :

Burp Suite is the world's most widely used web application security testing software.

Burp Suite - Application Security Testing Software : https://portswigger.net/burp

• ● Burp Suite Cookbook
• ● Burp Suite Essentials

Bug Bounty Forum Tool list :

A huge list of tools that can help you with bug bounty researching. (Recon, Exploiting & Scanning, Fuzzing & bruteforcing, Fingerprinting, Decompilers, Proxy plugins, Monitoring, JS Parsing and Mobile Testing)

• ● https://bugbountyforum.com/tools/

BugHunter - Tools for Bug Hunting :

Collection of Information Gathering, Mapping, Discovery and Exploitation Tools for Bug Hunting

• ● https://github.com/thehackingsage/bughunter

RECONNAISSANCE & ENUMERATION

• ● Get Subdomains and IPs and filter them
• ● Find Directories or Files (Fuzzing)
• ● Webpage and Server Information
• ● Open Ports and Services
• ● URL and Parameter
• ● Use Google, Github, Shodan, Censys, Spyse and Other Search Engines.

Let's Recon (PDF)

Passive Reconnaissance :

• ● BuiltWith
• ● Censys
• ● Shodan
• ● Spyse
• ● OSINT Framework

Enumeration Tools :

• ● Subfinder - Subdomain discovery tool
• ● amass - In-depth Attack Surface Mapping and Asset Discovery
• ● assetfinder - Find domains and subdomains related to a given domain
• ● GetAllUrls - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl
• ● Hosthunter - Recon tool for discovering hostnames using OSINT techniques
• ● Altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
• ● DNSGen - Generates combination of domain names from the provided input
• ● massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance
• ● httprobe - Take a list of domains and probe for working HTTP and HTTPS servers
• ● subjack - Subdomain Takeover tool written in Go
• ● GoSpider - Fast web spider
• ● Arjun - HTTP parameter discovery suite
• ● qsreplace - Accept URLs on stdin, replace all query string values with a user-supplied value
• ● gf - A wrapper around grep, to help you grep for things
• ● Linkfinder - A python script that finds endpoints in JavaScript files
• ● ffuf - Fast web fuzzer
• ● gobustter - Directory/File, DNS and VHost busting tool
• ● CeWL - Custom Word List Generator

Some Useful Links for Reconnaissance & Enumeration :

• ● CentralOps
• ● DNS Stuff
• ● DomainCrawler
• ● DomainSearch
• ● DomainTools
• ● Geographic Location
• ● Geo IP Tool
• ● Hurricane Electric
• ● Internet Domain Survey
• ● Internet Traffic Report
• ● Internet Wide Scan Data
• ● InterNIC
• ● IP-Address
• ● IPinfo Security Portal
• ● NerdLabs
• ● Netcraft
• ● Netinfo
• ● NetQuery
• ● Network Tools
• ● Reverse IP domain check
• ● RobTex SwissArmyKnife
• ● Visual Traceroute
• ● W3DT
• ● Wayback Machine
• ● Wayback Robots
• ● Wayback URLs
• ● WebTic DNS scan
• ● Who.IS
• ● Whois.net

WEB VULNERABILITIES

• ● OWASP Top Ten
• ● OWASP List of Vulnerabilities
• ● Web Application Vulnerabilities Index (Netsparker)

VULNERABILITY SCANNERS

• ● Acunetix
• ● Arachni
• ● Burp Suite
• ● Joomscan
• ● Nessus
• ● Netsparker
• ● Nexpose
• ● Nikto
• ● OpenVAS
• ● Sn1per
• ● Vega
• ● WPScan
• ● Wapiti
• ● Zed Attack Proxy
• ● W3AF

PAYLOAD / WORDLIST

• ● PayloadsAllTheThings
• ● XSS Payloads
• ● SecLists
• ● Probable Wordlists - Version 2.0
• ● fuzzdb
• ● All wordlists from every dns enumeration
• ● A masterlist of content discovery URLs and files
• ● Commonspeak2-wordlists

REPORTING

• ● Hacker101- Writing Good Reports

Tools :

• ● EyeWitness
• ● HttpScreenshot

POCS (PROOF OF CONCEPTS) AND WRITE-UPS

• ● Awesome Bug Bounty Write Ups
• ● BugBounty POC Archives - Security Breached Blog
• ● Bug Bounty World
• ● Researcher Resources - Bounty Bug Write-ups
• ● Netsec on Reddit
• ● PentesterLand Bug Bounty Writeups
• ● The Unofficial HackerOne Disclosure
• ● XSSes - Bug Bounty POC Collection DB