Step 1: Creating an environment for bug bounty
Welcome to the 3rd post of the Bug Hunting Learning Path. Here you will learn how to set up a hacking environment for bug hunting.
First of all, join us on the Discord channel, where we have created different sub-channels for members to resolve their doubts and interact with the community. Link: https://discord.gg/7CgA2TUacd . Also follow us on our Reddit page: https://www.reddit.com/user/Net_Solution/
I hope you have gone through the previous post, i.e.:
- Learning about Networking Fundamentals and Hacking Mindset
- Learn HTTP and JavaScript from https://w3schools.com
- Learn the basics of networking, especially the OSI model
So, we are starting our career in bug bounty, and the next part is tools. Instead of installing particular tools on a Windows PC, it's preferable to install Kali Linux. It's more convenient to hack on Kali Linux.
Step 2: Installing Kali Linux in your Environment
You can either install Kali Linux as the principal OS on your PC, or install it in a virtual machine within your Windows PC. I'd suggest installing it in a virtual machine, so that you keep the freedom of your own system as well. You can also go for WSL (Windows Subsystem for Linux), but with WSL there will be some network misconfiguration, which can be fixed but takes a lot of work, so it is better to go for a virtual machine or dual boot.
Use this tutorial if you want to install it as the principal OS – https://www.kali.org/docs/installation/hard-disk-install/
Installing on Virtual Machine
Here are the steps to follow for installation:
- Download and Install Oracle VirtualBox from here- https://download.virtualbox.org/virtualbox/6.1.26/VirtualBox-6.1.26-145957-Win.exe
- Now download the Kali VirtualBox file from https://images.kali.org/virtual-images/kali-linux-2021.2-virtualbox-amd64.ova if you have a 64-bit PC, or from https://images.kali.org/virtual-images/kali-linux-2021.2-virtualbox-i386.ova if you have a 32-bit PC
- Download and install this VirtualBox extension to avoid any errors – https://download.virtualbox.org/virtualbox/6.1.26/Oracle_VM_VirtualBox_Extension_Pack-6.1.26.vbox-extpack
- Start VirtualBox. It will ask for a virtual machine image file; select your newly downloaded Kali file (from step 2) and proceed with all the default settings.
Now, double-click on the icon of Kali on the VirtualBox app to start Kali. It will ask for a username and password. Enter “kali” in both places.
Step 3: Diving into the Encoding Part of Bug Hunting
Now we move to a main phase of bug hunting: learning about encoding. You need it to understand a URL parameter like:
https://example.com?page%09login
Each character is encoded following the rules of a specific language or system. For instance, the capital letter “A” is represented as 01000001 in binary code because that’s how computers interpret it. Similarly, there are various encoding types, such as URL, HTML, Hex, and Unicode, each designed for specific purposes and systems.
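As an added example (not part of the original post), the Python below shows one character in each of the encodings named above and decodes the post's own URL, where %09 turns out to be a tab. The function names are made up for this illustration, and the decoder keeps malformed escapes such as "%zz" literal instead of failing.

```python
# Added example: the encodings named in the post, applied to its sample URL.
HEX_DIGITS = set(b"0123456789abcdefABCDEF")
URL = "https://example.com?page%09login"  # the URL from the post


def representations(ch):
    """One character in each scheme the post names (byte forms use UTF-8)."""
    raw = ch.encode("utf-8")
    return {
        "binary": " ".join(f"{b:08b}" for b in raw),
        "hex": raw.hex(),
        "url": "".join(f"%{b:02X}" for b in raw),  # forced percent-encoding
        "html": f"&#{ord(ch)};",
        "unicode": f"U+{ord(ch):04X}",
    }


def percent_decode(text):
    """Decode %XX escapes; a malformed escape ("%zz", trailing "%4") stays literal."""
    raw, out, i = text.encode("utf-8"), bytearray(), 0
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] == 0x25 and len(pair) == 2 and set(pair) <= HEX_DIGITS:
            out.append(int(pair, 16))  # two hex digits -> one byte
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return out.decode("utf-8", errors="replace")


def control_characters(decoded):
    """List (index, code point) for control characters hidden by the encoding."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(decoded)
            if ord(c) < 0x20 or ord(c) == 0x7F]


if __name__ == "__main__":
    print(representations("A"))
    decoded = percent_decode(URL)
    print(repr(decoded), control_characters(decoded))
```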
For a deeper understanding of encoding, you can read this article: Different Types of Encoding Schemes – A Primer.
That’s all for today’s post! I hope you’ve grasped the concepts from the previous post. If not, don’t worry—you still have time this week, as the tasks are fairly simple.
Step 4: Creating a Hacker account for Bug Hunt
Firstly, don’t focus solely on earning bounties right away; instead, prioritize contributing to Vulnerability Disclosure Programs (VDPs). This will help you build confidence and enhance your skills without the pressure of monetary rewards.
There are numerous platforms that host bug bounty and VDP programs for companies, while some organizations manage their programs independently. Among the most popular platforms are HackerOne and BugCrowd, which together offer hundreds of programs and thousands of websites and applications to explore for vulnerabilities. Exciting, isn’t it? 😊
Other noteworthy platforms include Intigriti (focused on European companies), HackenProof, BountyFactory, Synack, and Zerocopter. However, note that Synack and Zerocopter are invite-only platforms. For beginners, it’s ideal to start with platforms like HackerOne, BugCrowd, Intigriti, HackenProof, and BountyFactory. While you can create accounts on all of these platforms, I recommend starting with HackerOne and BugCrowd to get familiar with the process and gradually improve your expertise.
Step 5: Moving Forward with VDP with Google Dorking
There are some methods to find VDP programs with the help of Google Dorking; we will learn more about it in an upcoming part.
Below are some dorks for finding VDPs:
site:example.com inurl:bug inurl:bounty
site:example.com inurl:security intext:bounty
site:example.com inurl:security ext:txt
site:example.com inurl:responsible-disclosure
site:example.com inurl:/.well-known/security
site:example.com intext:bug bounty program
site:example.com intext:responsible disclosure program
site:example.com intext:vulnerability disclosure program
site:example.com intext:security rewards
site:example.com intext:bug bounty payout
site:example.com inurl:security ext:txt -inurl:hackerone -inurl:bugcrowd -inurl:synack
site:example.com inurl:responsible-disclosure -inurl:hackerone -inurl:bugcrowd -inurl:synack
site:example.com intext:bug bounty -inurl:hackerone -inurl:bugcrowd -inurl:synack
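Several of the dorks above look for a security.txt file under /.well-known/. As an added example (not part of the original post), the Python below parses such a file in the RFC 9116 format and reports the disclosure contacts, the policy link, and whether the file is still within its Expires date. The sample file and the function names are constructed for this illustration.

```python
from datetime import datetime, timezone

# Constructed sample of a /.well-known/security.txt file (RFC 9116 format).
SAMPLE = """\
# Constructed example, not a real policy
Contact: mailto:security@example.com
contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/responsible-disclosure
Preferred-Languages: en
"""


def parse_security_txt(text):
    """Return {field: [values]}; field names are case-insensitive, '#' starts a comment."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_time(value):
    """Parse an RFC 3339 timestamp; None if malformed, naive times treated as UTC."""
    try:
        t = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)


def disclosure_summary(text, now=""):
    """Summarise where to report; 'now' is an optional timestamp for repeatable runs."""
    fields = parse_security_txt(text)
    current = parse_time(now) or datetime.now(timezone.utc)
    expires = parse_time(fields.get("expires", [""])[0])
    return {
        "contacts": fields.get("contact", []),
        "policy": fields.get("policy", []),
        # RFC 9116 requires both Contact and Expires; an expired file is stale.
        "valid": bool(fields.get("contact")) and expires is not None and expires > current,
    }


if __name__ == "__main__":
    print(disclosure_summary(SAMPLE))
```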
That's all for now! Stay tuned for further posts.


