
I really want to prove myself (to my parents) by winning a proper bug bounty

How should I best prepare for this and go about actually finding bugs?

Edit: So can anyone give some websites which I could read that would help me understand better how to win, and what free training materials are useful? I'm working through PentesterLab already.

I've looked up the most common vulnerabilities from OWASP, things like XSS, SQL injection, PHP inclusion, CSRF, and error disclosure. I've studied each of these and understand how they occur and how to demonstrate them.

I've tried to audit many lines of source code from open source projects looking for parts that haven't properly escaped user input or other important things. I also tried to do black-box testing for things like XSS on staging sites (ones hosted separately from the in-use production server, for the purpose of testing), but nothing has really turned up. I've also read the public disclosure writeups of the bugs other people found.

I understand that part of the problem is that there are people with years of experience who will find things first. And there are also people (like researchers) with much deeper knowledge in specific areas.

But even so, I think I should be able to make a positive contribution if I work hard, so I would appreciate any guidance.

Arminius
emberfang
  • When a company starts a bug bounty program, you can assume that they already invested lots of internal resources into finding and closing any obvious and easy-to-find vulnerabilities. Otherwise they would risk such a program becoming both expensive and embarrassing. In fact, bug bounty programs are often intended as a marketing campaign to show how much they trust the security of their product, not as a method to outsource their security auditing. – Philipp Jun 04 '14 at 23:27
  • @Philipp That is wrong. Many bug bounty programs of big companies such as Yahoo, Google or Paypal have yielded a high number of security issues and rewarded considerable amounts of money. For many companies BBPs *are* a part of their security concept and don't just serve as a marketing trick. – Arminius Nov 12 '16 at 11:05
  • @Arminius he's not saying it is a trick, just that the low-hanging fruit are already taken care of. – schroeder Nov 13 '16 at 22:55
  • @schroeder My experience doesn't match with what Philipp suggested. Often companies initiate their programs without having taken care of the low-hanging fruit. Also, BBPs often do work as a way to "outsource" some of the security auditing. – Arminius Nov 13 '16 at 23:53

3 Answers

The fact that you are trying to 'prove' something to someone else confuses the process.

  1. Look for bug bounty programs
  2. Look for the most error-prone service
  3. Use your knowledge to find a bug

If you try to look at the major products/services, you are aiming too high. Choose something small and overlooked.

schroeder

With my bug bounty experience, I would suggest certain things that would help and make the task easy:

1) If the website you are testing has any subdomains, please go for those first, as the main website domain is the first one tried by many.

2) Do not use automated tools as many of the results are false positives and those bugs have high probability of being reported already.

3) Do not go directly for SQL injection or XSS as they are the most common bugs out there and everyone tries them. Rather, go for Business Logic flaws which are equally important and less time consuming.

4) Last but not least, you should have patience. Don't jump from one website to another without testing one completely. Learn new exploit methodologies and try them out, as it will help you increase your knowledge, too.

As far as practice is concerned, there are many websites like hackthissite.org and hax.tor available to practice on, and there are also virtual machines like DVWA and Mutillidae.

All the best.

PS: Focus more on gaining knowledge than winning bounties; you'll surely succeed.

schroeder
paU1i
  • Last line: "PS: Focus more on gaining knowledge than winning bounty, you'll surely succeed" is very impressive – Jassi Mar 11 '16 at 10:59
  1. Follow hackers on Twitter; read, learn and reproduce their hacks. (This is the best solution to your problem.)
  2. Learn the OWASP Top 10 vulnerabilities; learn and reproduce.
  3. Learn computer science (i.e. I am a software engineer, and it helps a lot).
  4. Read regularly about infosec; stay up to date.
  5. Try to find bugs and earn some money (it will motivate you).
  6. Stay patient, work regularly, don't give up.
  7. Do good, and be respectful and professional with others.
  8. Learn and use a Unix system.

HappyHacking ;)

Jakuje