DEV Community


Posted on

Tools and Skills to be the Bug Bounty Hunting.

Bug bounties are a perfect way to obtain cybersecurity expertise while still earning some extra cash. I strongly believe that engaging in bug bounties is an excellent way to get into the cybersecurity industry.
People have been wondering about the next move since I published “How to Get Into Bug Bounties”: how do I find the first bug? What are some of the qualities I'll need to do that?

The bug bounty scheme, commonly known as the vulnerability rewards programme (VRP), is a crowd-sourced platform that helps businesses to compensate individual hackers for their efforts in finding bugs in their applications.The bug bounty policy should be integrated into an organization's processes to help with compliance audits and risk reviews, complementing the overall information security approach.Nowadays, a range of tech and device providers have developed their own bug bounty schemes, in which hackers who discover bugs in their programmes are rewarded.

Commands to keep your Linux Environment Secure:

To install the updates automatically you can use the command
apt install unattended-upgrades and then when we want to install the updates on to the linux kernel you need to run a command that is

dpkg-reconfigure --priority=low unattended-upgrades

then afterwards a old game like window will be made available thus you have to just go and enter the yes command and you are ready to get the new updates. This is just some basic guide for you to become a bug bounty hunter that is you should be up to date when are working, then complete this article with all the tools that I have mentioned here and also read some about the techniques as you will get an idea about what is really required for the industry.

Never set a time or a date to study cybersecure if you delay it even by some days you might lag thus what you have to do is you need to learn to learn when you have decided to learn.SELF STUDY IS THE BEST OPTION

So as you are starting just start by reading about OWASP10 and then about OWASP dvwa,dvsa and many more this will give you a basic idea about the tools that you need to study and this article becomes even more clear to learn about and also you will learn a lot about the Bug bounty hunting.

Let's take a look at the qualities you'll need to excel at bug bounties and what you'll need to do to get started as a hacker!

Choosing the platform that you want to evolve as hunter. Are you a web hacker or a mobile hacker?

Other types of bug bounty programmes exist, but smartphone and network hacking capabilities are the most useful for most bug bounty programmes.
Are you a mobile hacker or a web hacker? There are other kinds of bug bounty programs, but mobile and web hacking skills would be the most useful for most bug bounty programs.

Learning about online hacking is perhaps the most straightforward way to get started with bug bounties.
The vast majority of bug bounty services on websites are web-based. And the majority of organizations that host bug bounty services have a website that they want checked. - which makes you good for web hacking

As a result, learning about online hacking will be the fastest way to get started hacking and will have a decent return on investment for your time.

Hacking of mobile devices ,Mobile hacking, on the other hand, has a few more requirements and takes longer to get started.
However, because of the higher barrier to entry, smartphone programmes are less crowded and pay more. And, although mobile programmes are not as popular as web programmes, they are becoming more common as more businesses introduce complicated mobile devices! -this makes you a mobile hacker

Must know Skills- Prerequisite Qualifications

First, regardless of whether you go the web or tablet path, you would need the following skills.
Learn how to use a proxy server.
One of the most valuable skills to learn before you begin hacking is how to use a proxy. A proxy is a server programme that serves as a go-between for your browser and the server of the target application.

Using a proxy is critical since proxies allow you to:

  • Perform recon by inspecting and analyzing traffic to and from the server.
  • Examine interesting requests for potential bugs.
  • Exploit them by tampering with requests.

Burp Suite, Zed Attack Proxy (ZAP), and Tamper Data are three proxies that are especially common with bug bounty hunters. Burp Suite has the most features, while ZAP is a free option to Burp. Tamper data is a plugin extension that only allows you to edit HTTP headers and POST request parameters.

Each proxy's website contains instructions about how to use it. Keep in mind that before you can decrypt any traffic, you must first follow the guidelines for configuring your browser to work with the proxy.

The fundamentals of web technology
Understanding how network technology work is also important. Here are few terms to familiarize yourself with:

  • The HTTP protocols
  • HTTP status codes, headers and network security fundamentals, various encoding methods such as hex, base64, and ASCII
  • Cryptography fundamentals
  • Same-Origin Policy (SOP), and Cross-Origin Resource Sharing.

Reading up on these topics will provide you with a broad understanding of how the Internet operates and how it is protected. This will provide you with a stable basis upon which to develop.

Problems with session scheduling

It is also important to understand how current web systems handle session control. For eg, what are the various methods of defining a user? What exactly are cookies, and how do they function? Authentication headers are what they sound like. How are session IDs created, reused, and destroyed?

Now that you have a firm grasp on web technologies and how they work, it's time to learn about different vulnerability forms and how to detect them!

Cross-Site Scripting (XSS) is the most popular and simplest to detect bug type.XSS can be classified into three types: stored XSS, mirrored XSS, and DOM XSS.
XSS helps attackers to insert custom scripts (Javascript, VBScript, and others) into pages that other users see. These scripts are used to intercept data and circumvent access restrictions.

While new XSS vectors are often found by hand, fuzzing is a good way to test a site for already existing XSS vectors:

Open redirects are often ignored as minor flaws, but they are a component of many error chains that have a greater effect.
Open redirects occur when an HTTP parameter or URL parameter contains a URL value and the web application redirects the request to the required URL.

Open redirects, on their own, contribute to phishing. They will, however, be used to circumvent URL blacklists and whitelists. As a result, open redirects are often used to escalate an SSRF or to smuggle session tokens off-site.

Direct Object References That Aren't Protected (IDOR)
IDORs are yet another kind of bug that can be found in virtually every web application.
When access control is not correctly enforced and references to data structures (such as a file or a database entry) are predictable, IDORs occur. Because of the possibility for sensitive data leakage, they also contribute to extremely critical vulnerabilities.

Cross-Site Request Forgery, or CSRF, is a tactic that enables hackers to do unauthorised acts on behalf of a victim. When sites do not enforce random CSRF tokens for any state-changing request, they cause CSRFs to occur.
The effect of CSRF is highly dependent on the intervention that the request initiates. CSRFs will also lead to crucial bugs and even account takeover.Other times, CSRFs are insignificant flaws that need not be reported. As in every other flaw analysis, please weigh the market effect of the bug before drafting the report!

SSRF is a flaw that occurs when an attacker is able to submit requests on a server's behalf. It enables attackers to "forge" the insecure server's request signatures, granting them privileged access to a network, bypassing firewall locks, and obtaining access to internal resources.
The effect of SSRFs may also vary. However, if you know how to chain it, it has a lot of promise.However, if you know how to chain it and intensify it, it has a lot of promise! Minor SSRFs can result in data leakage and internal network scanning. However, when combined with other flaws such as poor access control and open redirects, SSRF will result in the leak of sensitive data and even code execution on reachable machines!

SQL injection is a type of attack in which malicious SQL commands are injected into an executed SQL expression. When user feedback is wrongly filtered and escaped, this occurs. They will result in the leak of confidential data and the execution of commands.SQL injections are less popular nowadays since most web interfaces have built-in mechanisms to guard against them. However, if you do find one, they are usually critical flaws with large payouts.

Insecure deserialization is a vulnerability that occurs when an attacker may exploit the serialised object and trigger unexpected effects in the program's flow. This can result in denial of service, authentication bypass, or even RCE.
When web applications grow more sophisticated, deserialization problems become more popular.

Clickjacking, also known as UI redressing, is an attack that deceives a user into clicking on something other than what the user expects. It is accomplished by concealing the victim programme behind another page using HTML page overlay techniques. It is used to get around CSRF security.

When an attacker is able to run arbitrary code on a target computer, this is referred to as remote code execution. There is no particular method for accomplishing this, although it is commonly accomplished by leveraging vulnerabilities such as unstable file upload, remote file inclusion, server-side template injection (SSTI), or unsafe deserialization.

Creating vulnerabilities that lead to RCE often necessitates a more in-depth technological understanding of an application. So, after you've mastered discovering the simplest vulnerabilities, there is something to strive for.

When developing a proof of concept for RCEs, exercise caution since it is possible to overstep the limits of the bounty policies and inflict unintentional harm to the targeted platform. Reading a non-sensitive file or generating your own file under a random direction is often sufficient to demonstrate your results!

A race condition attack, also known as a Time of Check/Time of Use attack, occurs when a server is required to execute commands that are meant to be executed sequentially at the same time.
This attack takes advantage of the fact that security checks must be performed prior to performing the critical activity in order for them to be successful. For example, suppose you want to withdraw $2000 from your bank account but only have $1000 saved. Normally, the bank will not allow you to borrow funds that you did not have.

However, if you can get the bank to lend you money before checking to see if you have enough cash, you can withdraw money that you don't have.

Race environments have the greatest effect on financial, trading, and e-commerce websites.

You should also be aware of other failed access control problems that are typical in mobile applications. For instance, how do attackers manipulate cookies? What are the most popular locations for information leaks? What are the URLs and directions that always lead to secret developer panels?

The more you learn about web application design and creation, the better you will be at finding these flaws.

Mobile phone hacking is somewhat close to desktop application hacking. However, there are few additional skills you can master before hacking smartphone devices.

First, you'll need to find out how to configure your mobile computer to use a proxy. This usually entails downloading the proxy's certificate on your computer and changing your proxy's settings.

In order to intercept the traffic of better-protected users, it is often important to circumvent certificate pinning. If you have successfully configured your mobile computer to use a proxy but are still unable to see the traffic of your target programme, it is likely that the app has introduced certificate pinning.

Certificate pinning, also known as SSL pinning or cert pinning, restricts an applicant to trusting only a pre-defined certificate. It is seen as an extra layer of defence against Man-in-the-Middle (MITM) attacks. If you wish to decrypt and decode an application's traffic that uses cert pinning, you must first bypass the cert pinning.

The method for bypassing cert pinning can differ depending on the system you are using. There are three primary methods for accomplishing this in Android applications:
Make use of a Frida Hook.
Replace the pre-installed certificate with your custom certificate.
Change or disable the certificate validation code for the programme.

Mobile apps are an ideal way to look at additional web bugs that aren't present in their web framework counterpart. This is due to the fact that smartphone applications often use special API endpoints that might not be as well checked as web API endpoints. Look for IDORs, SQL injections, file upload flaws, and other common network security flaws.

Using Burp Suite to intercept traffic coming out of the mobile app during sensitive actions is a good way to detect these vulnerabilities.

In addition to standard web vulnerabilities, there are a few types of bugs unique to mobile apps that you should be aware of.

Hardcoded credentials

Mobile applications may contain hardcoded secrets or API keys for the application to access certain web services.

*Insecure data storage: *
Some applications will store sensitive data insecurely within the application’s source code. Look for things like session data, financial information, and personal information.

Session administration
In mobile devices, session control is often achieved by the use of a session token transmitted by a header. As a result, an open redirect to a foreign server could lead to account takeover.
Session management issues that plague web applications, such as insufficient session expiration and reusing session tokens, which also plague mobile apps.

Some systems use custom implementations for encryption or hashing. Look for unstable algorithms, bad implementation of well-known algorithms, and hardcoded encryption keys.

One of the most important bug bounty abilities is recon: the ability to discover new properties and attack surfaces. Good recon skills will help you stay ahead of the game and spot bugs before others.

It is also beneficial to learn how to read JavaScript. Reading JavaScript can tell you a lot about how the programme works and can help you find bugs quickly. Many top hackers have said that their secret sauce is reading JavaScript in order to find hidden endpoints, insecure front-end logic, and hardcoded passwords. I've also discovered a huge amount of information leaks in JS source code.

It's also a good idea to learn how to script and automate tasks. There are several routine activities that must be completed in bug bounties that can be quickly automated. You can simplify these functions and save a lot of time by learning a programming language like Python or Shell Scripting.

Finally, after you've learned the fundamentals, never stop practicing! New types of exploits are continually being found, and keeping up to date with the latest methods would mean that you are not discovering new glitches.

Marcus Hutchins, a computer security researcher, found an unintentional kill switch by registering a domain that the ransomware was coded to scan.The WannaCry ransomware attack was a global cyberattack in May 2017 carried out by the WannaCry ransomware cryptoworm, which encrypted data and demanded Bitcoin ransom payments from computers running the Microsoft Windows operating system. It spread through EternalBlue, an exploit created by the US National Security Agency (NSA) for older Windows systems.

A community called The Shadow Brokers stole and leaked EternalBlue at least a year before the attack. Although Microsoft had recently released patches to close the exploit, much of WannaCry's spread came from companies who had not implemented these patches or were using outdated Windows programmes that had reached the end of their useful life.

These fixes are critical to an organization's cyber-security, but often were not implemented due to the need for 24/7 service, the possibility of programmes that used to operate breaking, discomfort, or other factors.

Seyfarth Shaw Malware Attack this is one of the largest attacks when consider. Seyfarth Shaw LLP, a major multinational law firm headquartered in Chicago, was the target of a “aggressive malware” assault. The company later announced that this was a ransomware attack. According to a corporate release, the malware attack occurred on October 10, 2020, and fully shut down the firm's email infrastructure.

According to the firm's statement, there was no indication of improper entry or removal of client or firm records. However, all of the devices were discovered to be encrypted, prompting the company to shut down all of them as a precautionary step.

This is a kind of attack that you need to case study. The multinational law firm alerted authorities, and the FBI has also begun an investigation. Aside from that, little detail was provided on how the attack happened or what kind of ransomware was used to attack the company.

The ImageTragick flaw, for example, was discovered in 2016. ImageTragick is a critical flaw that could result in RCE. Bug bounty hunters were continuously finding insecure instances in the wild a few months to years after the detection. (As well as requiring banks to announce it to businesses!) So, as a hacker, it certainly helps to stay up to date on the latest security headlines!

Eavesdropping happens when a hacker intercepts, deletes, or modifies data sent between two computers. To access data in transit between devices, eavesdropping, also known as sniffing or snooping, depends on unsecured network communications.

These are some of the tragic attacks to consider when we are

When you first start out, it is common to receive a large number of duplicates and informative. So don't be disheartened by them!
Keep in mind the dupes and informative just say one thing: you were scientifically right! It's either that someone else discovered the flaw before you, or that the organization is unable to take the gamble at this moment.
They are not dismissive of the caliber of your work. Even if you don't make money or have a job, and if you don't make money or a good name, you would have learned experience from the learning experience.
Just keep walking, and you'll establish your own distinct technique and begin discovering rare, useful bugs!

Just at the end let me conclude by saying what you need to study and learn.

  • XSSScrappy: XSS/SQLi spider that is fast and detailed. If you give it a URL, it will check any connection it finds for cross-site scripting and SQL injection vulnerabilities. For further information on SQLi identification, see the FAQ.
  • dirsearch:
  • MobiSRF:Mobile Appliation testing)Mobile Security System (MobSF) is an integrated, all-in-one mobile device pen-testing, malware analysis, and vulnerability evaluation system capable of conducting static and dynamic analysis (Android/iOS/Windows). MobSF accepts mobile app binaries (APK, XAPK, IPA, and APPX) as well as zipped source code and offers REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.You may use the Dynamic Analyzer to conduct runtime security assessments and immersive instrumented monitoring.

And some more list of the core tools like:

  • FoxyProxy : FoxyProxy is a sophisticated proxy management application that entirely removes Firefox's meagre proxying capability. Please use FoxyProxy Basic for a simplified tool with less sophisticated configuration options.
  • OWASP Zap Proxy: The OWASP ZAP scanner is a free and open-source web application security scanner. It is intended for use by both newcomers to device security and experienced penetration testers. It has been designated as a Flagship project and is one of the most active Open Web Application Security Project initiatives.
  • PortSwigger Burp Suite : Disclaimer: Only use Burp on domains that you have permission to scan and attack. Using Burp Suite on domains you do not own can be illegal. Stay safe and use intentionally vulnerable applications for practice. This is also a kind fo proxy and you can learn about it.
  • Builtwith or Wappalyzer is a Firefox and/or Google Chrome plugin extension that reveals the technology used on websites. It recognizes 80 common content management systems, site shops, web servers, JavaScript frameworks, analytics tools, and other applications. Restart the tab after installing the Addon. This is a very handy tool when you start and still is used by some of the advanced professional.

All these tools are the default tools that we use when we are doing bug bounty and in the bounty forums you can also find in the description what your limitations are thus you have to stay within the rules and test and run it, if you find even some beyond it report it immediately and you will find the reward you will be given if not you will learn something new.

And there many more but it's all that you need folks to start with the bug bounty hunting and later if you get well versed you can design your won tools and work with it.

Thank you.

Top comments (0)