November 19, 2024

Bug Bounty Hunting : 1'+sleep+(7)#

"The harder you work, the luckier you get." - Gary Player

When you work hard, luck starts working on its own.


Hello hunters,


1. Easy vs Simple

    Bug hunting is a very simple process but not easy.

    Give it your next 12 months, learn everything from scratch. Everyone in this field is always ready to help you, so don't hesitate to ask anyone anything. ;D


2. Where & what to learn

    Google, YouTube and articles

    Start with basic networking, then learn to use Linux and its commands, and then learn web vulnerabilities such as client-side vulnerabilities (XSS, CSRF, BAC) and server-side vulnerabilities (SSRF, SSTI, SQL Injection, XXE).

        [Search for `OWASP Top 10`]

    Here are some resources but not limited to these:

        1. Networking : Networking-basics, E-Book

        2. Basic Linux : CodeWithHarry, WsCube

        3. Vulnerabilities : SpinTheHack, BugHuntingCourse, BBHCourse, Farah Hawa, Nahamsec


3. Error

    You watch a video that teaches you a Linux command, but when it comes to doing it yourself, you forget it because you read it without understanding it. If you understand the origin of that command at the time and make notes, this problem will not arise.

    Just reading all this is not enough. To be successful in this field you have to understand everything, and always keep a notebook with you in which you can write down notes.

    Learning is not enough; understanding is more important. If you know the full form of the command `cd`, you will never forget it.


4. Selecting the program

    Go to https://hackerone.com/opportunities/all. Here you can choose targets by their technologies and asset types, such as PHP targets, PostgreSQL targets, executable targets, Android apps etc.

    In the beginning, hunt either large-asset targets or targets with fewer hunters, such as Android and executables. But you will definitely find a bug in the depths.

        Choose a program from :

            Bugcrowd, HackerOne, Intigriti, YesWeHack


5. One bug vs One Program

    Both methodologies are correct. The ultimate goal is learning and finding vulnerabilities. It depends entirely on you whether you hunt on a single program or master a single vulnerability.

    I have spent a few months finding the same vulnerability on multiple targets and I have received multiple bounties from this method, you just need to master that vulnerability. And if it is P1 or P2 then it is great.

    Try both methods yourself.


6. Labs

    It varies from person to person. I personally don't enjoy solving labs that much; the reason is that they are built to be hacked, but I fully recommend that you try them once. Here are the recommended labs:

    Portswigger

    Hacksplaining



Contact : 

TG  : https://t.me/shinchina

WEB : https://shinchina.in

#bugbounty #seriesA1
