In this blog I will try to give an introduction to Bug Bounty Program and some basics on what are the basics, prerequisites and the approach to perform a Bug hunting.
Web Application Security is a vast field and with the advent of Web 2. 0 the attack surface has increased exponentially. Internet has become wilder with the number of web applications that are getting hosted every day. Doing business and reaching to the end user has become easier with the web application revolution.
While hosting these web applications there is seldom importance given to the security. Developers concentrate more on functionality and with the time lines on their head it becomes a little difficult for them to keep security in mind. Though I will agree that security has now taken pace and people have become more aware but where there is code, there are chances of vulnerability.
Big firms have realised this that it is very difficult to hunt down all the bugs before they set to release in the market. So there came the concept of Bug Bounty program.
This program was initially introduced to narrow down the number of security bugs with the help of security researchers around the world. The concept was very much similar to the earlier concept of the Bounty Hunters who were hired by the police to catch hold of notorious guys. To appreciate their contribution they were paid a good amount of money which also helped them to keep going.
This programme with the advent of time has converted into a process wherein people/security researchers/evangelists/developers can responsibly disclose the potential bugs on the web applications.
Here the word RESPONSIBLE DISCLOSURE has to be kept in mind. May be I will write some other day on what it is all about.
These guys who hunt down the bugs are usually referred to as BUG HUNTERS. To reward them the companies have chosen variety of ways which can be anything from a monetary reward to some cool tee shirts to an entry in their HALL-OF-FAME.
This is a very good way to develop your skills on Web Application Security domain meanwhile earning a bit as well. Though the main attractions are money oriented, but you cannot deny the fact on how cool Tee-Shirts and fame you get along with it.
Let’s get down on what are the pre requisites which can get you going for a Bug HuntingJ
To start hunting it is very important to know the basic concepts on how a web application works. A normal architecture concept really helps in the real scenario.
There are various websites and material available on internet through which this can be done.
The Web Application Hackers Handbook is a very good book which explains the concepts from very basics and is a must read for every guy in web application security domain or who wants to jump in this domain.
Apart from this one should also be well acquainted with the OWASP Top 10 vulnerabilities. (You can get more details about OWASP on its website www.owasp.org).
Tools are the ammunition that you will want while hunting those bugs down. You can always write scripts to do the job but tools come in handy.
Some tools which are awesome are as under:
The very famous BURP SUITE: It is the most famous and widely used proxy which helps you modify requests on the fly. This is famous because of its versatility of use (The web application hackers handbook uses this proxy with respect to its research and examples)
Apart from this there are 100 of different tools available which can be used as per the requirement or the type of vulnerability you are hunting for.
Most importantly you should sign up for some security blogs which help you understand different aspects on how to find bugs and learn. There are a lot of security researchers who also disclose on how they have performed the hunt post having a consent with the company they have found bug on and submit complete reports which are readily available for studying purpose.
Apart from this you should also sign up for websites who have started the programme of hosting bug bounties on behalf of the participating firms. This makes the job of the bug hunter very easy as such wherein they can submit reports in a common format and track the progress.
Some common websites are:
The most important part in any bug hunting program is on how you report them. There are different ways of submitting. An email explaining the scenario or a video will be helpful as a part of POC.
Be polite to the guy on the other side of the table. Just think about his job on handling so many issues J
There are many criteria’s which actually decide on the amount of bounty or reward that you are entitled. Every company has their own rules on which they decide to do this.
DO get disheartened if you receive less money. Do it for the fun of itJ
Things To Remember: READ READ READ READ.
Some useful resources: