We have all envied Bounty Hunters growing up. You know, the long flowing hair, black leather jacket, sweet motorcycle, and the rush of adrenaline you would get from catching a criminal and turning them in.
What if you could get the same adrenaline rush but without the theatrics? Welcome to the world of Bug Bounty Hunting.
Finding the first bug.
I talked to a long-time Bug Bounty Hunter who goes by the alias Xorist and asked him questions about the first bug he discovered.
What are some resources you used to learn how to find vulnerabilities?
“Nmap, burp suite pro, Linux, various programming languages, various pre-packaged programs like Node and Apache. To get good at hacking and finding bugs you have to practice studying and writing the code that typically goes into making the systems you're testing. I am still learning to this day and I'm certain I will never stop. I learn as much as I can about anything I can get my hands on.”
Cybersecurity requires you to constantly be on your toes: every new technology brings new exploits with it, and learning how those exploits work is how you find a way to stop them.
For your first bounty, what type of vulnerability did you find and for which application?
“The first notable, officially recognized bug I found that had been given a CVE ID was privilege escalation in PostgreSQL. The first bug I found and was paid for through a bug bounty program was an Open Redirect in AirBnB. They gave me a total of $1000 USD for that one, after it was all said and done.”
CVE stands for Common Vulnerabilities and Exposures; once a bug has been assigned a CVE ID, it is a publicly disclosed security flaw.
An open redirect vulnerability is one where an application redirects users to a destination an attacker can control, so they can be sent to a malicious website.
What are some tools you used to find the vulnerability?
“Speaking strictly about the one I'm sure you're most interested in, the one I got paid for, I found it using Burp Suite Pro and my own eyes. I started by exploring the website, making sure all the traffic ran through Burp. Once I did that, I looked for any occurrences of the words that indicated a redirection might take place. Things such as "redirect", "path", "location", etc. I gathered together all of the places this occurred and tested them manually. I was happy to see one of them had an open redirection flaw. Of course, when a white-hat finds a bug, it's always bittersweet; especially if you're getting paid to tell someone about it. You hate that the bug is there, but you're excited about the potential cash coming your way.”
Using your own eyes to identify a vulnerability is just as important as using a program such as Burp Suite Pro.
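To show what the flaw Xorist describes looks like in code, here is an added example (not from the interview or from any real application): a naive redirect check of the kind that lets an open redirect through, beside a hardened check that only accepts same-site paths or allowlisted hosts. The allowlist and all host names are constructed placeholders.

```python
# Added example: weak vs. hardened validation of a user-supplied redirect target.
# ALLOWED_HOSTS and every host name below are constructed placeholders.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "example.com"}  # constructed allowlist


def naive_is_safe(target: str) -> bool:
    """Weak check: accepts anything that starts with '/'.
    A protocol-relative target such as '//attacker.test' passes, and the
    browser follows it off-site. This is the bug, not the fix."""
    return target.startswith("/")


def hardened_is_safe(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site relative path or an absolute http(s) URL
    whose host is on the allowlist; refuse everything else."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat a backslash like a forward slash, so '/\attacker.test'
    # would otherwise be parsed here as a harmless relative path.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one '/', never '//'.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-less '//host'
    # .hostname drops userinfo and port, so 'https://www.example.com@attacker.test'
    # is seen as host 'attacker.test' and is refused.
    return parts.hostname in allowed_hosts


def choose_redirect(target: str, fallback: str = "/") -> str:
    """Return the validated target, or the fallback when validation fails."""
    return target if hardened_is_safe(target) else fallback
```

The naive check is exactly the kind of thing a manual review of "redirect", "path" and "location" parameters turns up; the hardened check also covers userinfo, subdomain-suffix and backslash variants that a startswith test misses.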
What was going through your head when you found your first bug / what emotions were you experiencing?
“For that AirBnB bug, I was ecstatic. It would be the first time I made money hunting for bugs in a freelance capacity through one of these bug bounty programs. Of course, you think about what potential this bug has in terms of damage it could do. With an open redirect vulnerability, oftentimes the worst you can do is phishing. Sometimes the power of knowing a flaw can get to your head, but it's important to continue to recognize that it is not all about the money.”
If you could give advice to yourself when you first started bug bounty hunting what would you say?
“Learn. To. Code! You can spend as long as you want using tools that other people created, but as long as you're riding in someone else's wake, you'll never overtake them. You'll never find the big ones, or at least not nearly as often. You'll almost always be left with the low-hanging fruit that someone else didn't catch. Learning the commonly used programs inside and out, learning the programming languages and libraries that are commonly used in creating the things you're testing; these are the sort of things you should do to help you grow and succeed in this field. A lot of people think it's way easier than it actually is. In reality, this is not an entry-level field. More often than not, I run into people who are severely misinformed and yet they think they're doing great in the bug hunting field. Then I see they're wasting astronomical amounts of time waiting for tools they didn't write to perform tests for vulnerabilities that aren't even compatible with the system they're testing! For example, it's senseless and a waste of time to test for template injection vulnerabilities in a static website. It makes no sense to test for SQL injection vulnerabilities in a website that uses Elasticsearch. You could go on literally infinitely with this list, so long as technology continues to change. Those who spend the time to learn the aforementioned would skip useless tests very quickly, because they actually spent the time to learn that stuff so they know exactly what to do when they approach a new target.”
Xorist is right. Bug Bounty Hunting is not some quick way to make cash; it takes a lot of time and effort to get good at it, and the best way to start is by learning. Researching the various vulnerabilities and the tools Bug Bounty Hunters use is a great way to begin.
As I begin my Bug Bounty Hunting journey, I will definitely utilize these tips, learn as much as I can, and have fun in the process.