Documenting Bug Bounty Journey and Current Approach
Backstory :
Alright welcome everyone, this is my first writeup in the upcoming series of plenty more writeups where basically I’m documenting everything I’m learning and practicing completely in context of Bug Bounty
I’ve been learning and following up on the cybersecurity community in general for about 2 years on and off. But I was never really serious or disciplined about learning them and practicing it over the live targets.
But as I’m approaching last year of my Master’s degree in Cybersecurity, I’ll soon be tasked to land a job that not only pays decent but also align with my career goals, which is to work in cybersecurity.
As of now I’m not quite sure about which domain do I want to work in, obviously I’m more inclined towards Malware and Forensics aspect of cybersecurity but the sad realization is that no one will hire a noob fresher like me, that too without experience.
SO WHY BUG BOUNTY?
Well there’s a couple of things in my mind I can gain from getting involved in bug bounty scene.
- Money : I mean obviously one of the biggest reason why anyone would want to do it is because of those shiny dollars.
- Skill Analysis : A lot of interviews that I appeared in asked for some sort of proof where I’ve demonstrated my skills in certain areas. But I had none.
- Experience : I believe that this whole thing might result in providing me with enough experience that these job postings require me to do other than also equipping me with required skillset.
Current Position….
Like I said, I’ve never done this before, only solved a few dozen labs here and there but even that I’m not sure if I can do again.
Although this past 15 days I’ve started learning and became more disciplined with my learning curve, I believe being persistent for a long time will definitely yield me rewards I’m looking for.
I’m starting from complete scratch, so its definitely gonna take me a long time to learn and practice everything. But its fine, and I’m ready to tackle this issue.
I’ve got enough patience.
Present Approach and Resources…
As of now I’m depending on a course on YouTube by Defronix Academy called Bug Bounty Free Training.
Although this is just for reference and I am aware that no amount of coursework is gonna take me to become a bug hunter other than myself hunting on the targets and practicing.
Which is why another resources for me includes practicing one vulnerability at a time on Portswigger’s Web Academy
Apart from these obviously, everyone’s favorite recommendation to read medium articles on latest bug hunting and other people’s report on Hacktivity.
Till now I’ve got the whole process on theory and just waiting to setup my VPS on Oracle Cloud but for some reason I’m unable to signup.
Bug I’m looking for…
I’m aware that there are many vulns out there and a lot of them are really difficult to find, reason is that they are in technologies that I’m not familiar with.
But with time I’m going to learn them, get comfortable and finally hunt for those bugs too.
As of now my primary focus would be to find :
- Sensitive Information Disclosure using some of the known Google Dorks
- IDOR — Insecure Direct Object Reference
- Broken Link Hijacking
- Sensitive information disclosure in JS Files
- HTML Injection and SSTI
I believe for starting these would really help me get some confidence alongside making impact and actually finding valid bugs.
What targets will I hunt…?
With enough discussions and understanding of the Bug Bounty scene I’m aware that there’s a lot more competition on the BBH platform that too for the high paying companies which I understand the reasoning of.
Which is why I’m gonna start small in some VDPs and gain confidence through them before getting my hands dirty on Private or Public Programs
I’m almost ready with everything, and in coming few days I’m finally going to start with my Bug Bounty journey.
Wish me luck guys, also if anyone is reading and has any tips/remarks, then all those are whole-heartedly welcome.
Thanks if you’ve read so far, will see you in next article.
