Which methodology should we use?
Methodology
राम राम सा, In this blog I will try to clear all your doubts related to Bug Hunting Methodology.
There are so many Methodolody such as Jhaddix TBHM, Zseanos Methodology, Godfatherorwa, Apex, Thehackerish etc.
None of these methodologies are suitable for you, YEAH That's Right.
You can learn from them but do not follow them completely. You should create your custom methodology as the form you like.
For Example,
When I saw Jhaddix's TBHM for the first time, I found that it has everything a Pro Bug Hunter should do, but it was not made for me. It has lots of things that I don't want to do. So what I do is I pick out a few methods that I really like, and create my custom methodology from them and do the same to the rest of the methodologies.
From one Methodolody I found really cool way to complete one particular task, and from second methodology I found another really cool way to complete another task.
Links
StartBasics
Recon
Vulnerability
Doubts
Let's learn step wise
Rule No. 1 => Do not purchase any bug bounty course, everyting is free on Internet (Pay only if you like your mentor)
There are two types of teams,
1. Blue Team who build system such as Frontend, Backend and Fix vulnerabilities.
2. Red Team who breaks the system, exploit vulnerabilities, Find loopholes
1. Basics
1.1 Programming Languages
1.2 Networking
1.3 Operating System
2. Recon
2.1 Know your program
2.2 Active Passive
2.3 Tools
3. Vulnerability
3.1 Vulnerability Basics
3.2 Checklist
3.3 Bounty
1. Basics
Before Breaking the code You should know that how it works.
1.1 Programming Languages
Learn Basic Programming Languages such as HTML, CSS, JavaScript from your Favorite Channel on Google and YouTube. If you confused? Watch This Channel CodeMan**not sponsored**
1.2 Networking
Learn How this Internet Works, What is Ports, IP, Protocols, DNS, WEB, VPN etc. You can learn all of these from Youtube and STH Networking Ebook.
I created a eBook called "Networking: How The Computer Works" and started selling it for ₹39, I belive in Free Education, but now i can not sell it for free because if i do then what about the people who already buyed it.
This eBook is appreciated by Pro Bug Hunters even so I'm not recommending it because it's paid. BUT There are some methods to read it freely (You Know).
1.3 Operating System
Learn linux terminal(Bash Scripting) and complete your mostly tasks with it. You can run Linux(Ubuntu, Kali Linux) on Windows with Virtual Box(GUI) or WSL(CLI). cmdchallenge**not sponsored** Here you can learn and practice Basics to Advance Linux Commands
2. Recon
You can get DigitalOcean for 2 Months with $200 for free (use jupiter debit card)**not sponsored**
2.1 Know your program
You can choose programs from Bugcrowd and Hackerone, Read Program Policies carefully because there are some rules that you must follow.
Now you can use Jhaddix's TBHM v4 Methodolody for knowing your program. Subdomains, Acquisitions, ASN Enumeration, Reverse WHOIS, Port Scanning. Don't be confused by these words, whenever you can't understand any topic such as ASN, research it on google first.
2.2 Active Passive
Scan Your Target Actively and Passively, for finding Subdomains, IPs, Ports, URLs, JS Files, Paramters, Secret Keys(S3, APIs) you can create a simple bash automation script for complete all these tasks automatically. Don't forget to add DNS BruteForcing and Alteration while finding subdomains.
2.3 Tools
Hunters like tomnomnom are put there so many time and effort to create tools, we should respect that and use there tools. I suggest you to use multiple tools, like for finding subdomain don't use amass only, Use every tool configured with the APIs(Free), I use 16 tools for subdomain enumuration. Always choose Accuracy over Speed.
Do not use complete recon automation scripts like ReconFTW as they are, First understand full code(It's very easy to understand bash scripting code) and logic, then you can use it OR Second, You can create you own automation script with the help of it.
3. Vulnerability
Critical level Vulnerabilities are easier to find rather than lower one. You just need to do something different.
3.1 Vulnerability Basics
As a beginner you should learn basics of every vulnerability for your knowledge(If you accidently find a bug, you must be aware of it), watch PoC on YouTube and read Hackerone Reports. After that choose one vulnerability that you really loved while learning basics, It could be IDOR, SSRF, SQLi, XXE, XSS etc(Choose higher priority vulnerability) and master it from Google, Youtube, Twitter, Articles.
You can practice it on vulnerable web apps such as Portswigger Labs(Free). I suggest you to start checking the vulnerability on real targets after some good knowledge so you can also got an idea of real life servers behavior.
3.2 Checklist
There are many checklists availble on internet for checking yuor targets such as Forgot Password Checklist, Account Takeover Checklist, File Upload Checklist etc.
You can aslo create your custom checklist by learning from them. Some checklist are really useful because they won't let you forget common methods that you should check.
This Simple List called Checklist make your work easy
3.3 Bounty
Many Bug Hunters says One Program Multiple Bugs spend time on a single target, so you can understand there logics and server behaviour. But in my case i don't like this method I was bored on same program, so i started One Bug Multiple Programs means I started finding one bug on different programs.
And I got many bounties with it. But I know that this is not a good idea so that's why i'm not recommend it to you.
Doubts :
Q1. Should we learn programming language?
Ans. You can start you Bug Hunting career with learning HTML, CSS and a little bit JavaScript, Then After spending some time in finding vulnerabilities you can learn more programming languages such as Python, Go, Bash for automation. It will helps you to write more impactful reports.
Q2. Should we learn every vulnerabilities deeply?
Ans. No, You only need to know the basics of every vulnerabilities, So if you accidently find a vulnerability, you must be aware of it. But You should master some P1 or P2 Level Bugs.
Q3. Should we use automation?
Ans. Yes you can use automation for recon like finding subdomains, urls, IPs, Ports, JS Files etc.
And for finding bugs you can also use it But you shouldn't rely solely on it. For example You found a rxss on one subdomain's parameter, now you can create nuclei automation script to finding the same rxss bug on another subdomains.
Q4. Is Bug Bounty career secure from AI?
Ans.Yes. In the future, AI will be able to find some vulnerabilities, but not all Because it does not have human level mindset, creativity. In this time there are so many VulnerabilityFinding Tools such as Nessus, Acunetix, Netsparker, SolarWinds but all the companies are not able to pay them.
Now you know.
Q5. I want to learn Bug Hunting, Where to Start?
Ans. Just start it, its not like a step wise thing, it's like a tree you can start from anywhere just remember this : Networking -> Linux -> Vulnerability -> Hunt -> Reward
Q6. There are so many Resources Tools, Articles, which one should we choose?
Ans.Yeah There are so many resources, so which one we should read is,
Most of resources are same, there are miner difference between them.
Example : you want to learn IDOR Vulnerability, collect all resources availble on internet and create short Notes out of them so you can easily understand them in the future.
Focus on resources from trusted authers like GodfatherOrwa, Anubhav Singh, Stok, Nahamsec, Aditya Shende, Remonsec, bombon etc.
Conclusion
This is not a complete methodology, There are so many Pro Hunters who shared there personal methodology(Shared on starting), you can learn from them. This blog might be helpful for beginners who just stared their career in Bug Hunters.
If you are new to Bug Bounty focus on learning new things every days, just don't fall on finding real life vulnerabilities in starting days. This is the Best Field in the Eorld, Everyone supports you including Pro Hunters. Ask you doubts on twitter you will surely get help from this community.
Do not join this field for its money and power but join to make Internet safer, secure peoples and organisation Data.
Here are some resources that gives you motivation and knowledge:
1. GodfatherOrwa Medium (Think Out Of The House)
2. Aditya Shende Medium (Easy Bugs)
3. Bombon Medium (Focus)
4. David Schutz (Breaking the Hardcodes)
5. Linkshare (Limited but Best Articles)
If you read it completely please send me your thoughts Here. It could be Good or Bad, Just tell me.