Beginner Tutorial - How to learn the Technical Skill and Hacker Mindset That Are Required to Find Your First Bug Bounty.

In 2023 there are far more bug bounty resources for beginners than ever before. I believe this is a bad thing for beginners, because now they have to deal with a lot of unnecessary distraction just from choosing a learning path and sticking to it. The over-abundance of free resources also fuels procrastination: we often see people jumping from one learning path to another without ever touching a real target.

In this article, I will show you how much learning is enough, so you can get out of your learning rabbit holes and start hunting on a real target.

By the way, this article aims to help you find IDOR, information disclosure, business logic and broken access control bugs. It may not help you find injection or misconfiguration bugs, because I don't know how to hunt for them myself.

# Technical Skill

If you can solve the Practitioner labs on PortSwigger with relative ease, you have enough technical skill to hunt bugs:
- https://portswigger.net/web-security/logic-flaws
- https://portswigger.net/web-security/access-control

You are free to learn the technical skills from any resources or paths you want, but treat the PortSwigger labs above as the bar exam.

# Hacker Mindset

Once you have the technical skill to sail around the target website and examine its details, you need an eye for spotting what is a bug. The key is to think for yourself: when you see a detail, think about how you could abuse it to damage the website in terms of Confidentiality, Integrity and Availability.

Here is an exercise to develop this mindset. Imagine you are testing a website with a Posts & Comments feature. Using your technical skill, you see that it works as follows:

- The target website has self-signup functionality: anyone can create an account.
- Any user can create a post.
- A post has the following settings:
   + The OP can set Visibility to Public or Invite-Only.
   + The OP can freeze the comment section (users cannot add new comments; existing comments are still shown).
   + The OP can choose to publish the post anonymously or with their identity.
- Any user can comment on a post.
- Any user can like a post.
- Any user can reply to other users' comments.
- Any user can like other users' comments.
- Any user can delete their own comments.
- Any user can edit their own comments.
- When a parent comment is removed, its replies are still kept.
- Any user can block any other user; when this happens, both users have read-only access to the other's posts.

Now think of as many test cases as possible where, if the test case works, it may be a security bug.

---
Below are my test cases. I leave out the CRUD cases, such as editing or deleting other users' posts and comments, because they are pretty obvious. To stop you from taking an accidental peek, my list is encoded in base64.

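Many of the test cases for this exercise can be derived mechanically from the feature list: for each feature, ask which rule it implies and then send the request that breaks the rule. As an added illustration (my own code, not the author's encoded list and not any real target's API), here is a toy in-memory model of the Posts & Comments feature with the checks a safe implementation would need, plus a set of abuse probes derived from the feature list. The method names (create_post, get_post, comment, delete_comment, get_replies), the user names, and the choice that a freeze or a block also locks replies are assumptions made for this example.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the toy service refuses an action."""

@dataclass
class Post:
    id: int
    author: str
    public: bool = True
    frozen: bool = False
    anonymous: bool = False
    invitees: set = field(default_factory=set)

@dataclass
class Comment:
    id: int
    post_id: int
    author: str
    body: str
    parent_id: "int | None" = None
    deleted: bool = False

class Service:
    # Assumed reference implementation: the checks a safe version of the feature list needs.
    def __init__(self):
        self.posts, self.comments, self.blocks = {}, {}, set()

    def _can_read(self, user, post):
        return user == post.author or post.public or user in post.invitees

    def _can_write(self, user, post):
        # A block in either direction makes the other's posts read-only.
        blocked = (user, post.author) in self.blocks or (post.author, user) in self.blocks
        return self._can_read(user, post) and not post.frozen and not blocked

    def create_post(self, user, public=True, anonymous=False, invitees=()):
        post = Post(len(self.posts) + 1, user, public, False, anonymous, set(invitees))
        self.posts[post.id] = post
        return post.id

    def get_post(self, user, post_id):
        post = self.posts[post_id]
        if not self._can_read(user, post):
            raise Forbidden("not public and not invited")
        # For anonymous posts the author is withheld from the response, not just hidden in the UI.
        return {"id": post.id, "author": None if post.anonymous else post.author}

    def comment(self, user, post_id, body, parent_id=None):
        if not self._can_write(user, self.posts[post_id]):
            raise Forbidden("comment section not writable for this user")
        if parent_id is not None:
            parent = self.comments[parent_id]
            if parent.post_id != post_id or parent.deleted:
                raise Forbidden("parent must be a live comment on the same post")
        c = Comment(len(self.comments) + 1, post_id, user, body, parent_id)
        self.comments[c.id] = c
        return c.id

    def delete_comment(self, user, comment_id):
        if self.comments[comment_id].author != user:
            raise Forbidden("not the comment owner")
        self.comments[comment_id].deleted = True  # replies are kept, per the feature list

    def get_replies(self, user, comment_id):
        parent = self.comments[comment_id]
        if not self._can_read(user, self.posts[parent.post_id]):
            raise Forbidden("not public and not invited")
        # A deleted parent's text must not come back through the replies endpoint.
        return {"parent": {"id": parent.id, "body": None if parent.deleted else parent.body},
                "replies": [{"id": c.id, "body": c.body} for c in self.comments.values()
                            if c.parent_id == comment_id and not c.deleted]}

def rejected(action) -> bool:
    try:
        action()
    except Forbidden:
        return True
    return False

def run_probes(svc: Service) -> dict:
    """Abuse cases derived from the feature list; True means the target resisted the probe."""
    alice, bob, mallory, r = "alice", "bob", "mallory", {}
    priv = svc.create_post(alice, public=False, invitees={bob})
    r["uninvited_read"] = rejected(lambda: svc.get_post(mallory, priv))          # IDOR on invite-only post
    r["uninvited_comment"] = rejected(lambda: svc.comment(mallory, priv, "hi"))  # write where read is denied
    anon = svc.create_post(alice, anonymous=True)
    r["anon_author_withheld"] = svc.get_post(bob, anon)["author"] is None       # information disclosure
    pub = svc.create_post(alice)
    c1 = svc.comment(bob, pub, "secret")
    svc.comment(mallory, pub, "reply", parent_id=c1)
    svc.delete_comment(bob, c1)
    r["deleted_parent_withheld"] = svc.get_replies(mallory, c1)["parent"]["body"] is None
    c2 = svc.comment(bob, pub, "first")
    r["cross_post_parent"] = rejected(lambda: svc.comment(bob, svc.create_post(bob), "x", parent_id=c2))
    svc.blocks.add((alice, mallory))                                              # alice blocks mallory
    r["blocked_user_cannot_write"] = rejected(lambda: svc.comment(mallory, pub, "still here?"))
    r["blocked_user_can_read"] = not rejected(lambda: svc.get_post(mallory, pub))
    svc.posts[pub].frozen = True                                                  # the OP freezes the section
    r["reply_while_frozen"] = rejected(lambda: svc.comment(bob, pub, "re", parent_id=c2))
    return r
```

Against this model every probe returns True. Remove one check from Service (for example the `parent.deleted` test in comment, or the `None if parent.deleted` in get_replies) and the matching key flips to False; that flip is the signal you are looking for on a real target, where each probe is the same request replayed with a second, uninvited or blocked account.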

---
After you master these two aspects, you are ready for a real target. This will be your next step: https://trieulieuf9.blogspot.com/2023/10/the-power-of-focus.html

Comments

  1. Thank you for sharing your insights in this article. You've addressed a significant challenge that many beginners face in the bug hunting field. The abundance of free resources can indeed be overwhelming, leading to distractions and a lack of focus. Your guidance on when to transition from learning to practical bug hunting is valuable.

    Thank you Trieu

  2. Thanks for your insights. University has kept me busy these past few weeks, but now I will resume my hunting and hopefully find some vulnerabilities.

  3. You don't look for XSS or SQLi?

    Replies
    1. No, I don't look for these, because I am bad at it. But if you invest enough time in them, you will find many creative places/ideas to test for XSS and SQLi, just like my above examples.

  4. How can "see if deleted comment is reflected in its replies API response" be a bug?

    Replies
    1. People delete their comments because they don't want them to be seen anymore. But an attacker can still see them. That's against people's will. That's also against the expected behavior of the Delete feature.

  5. Thanks for your sharing

