Bug Bounty and Burp Suite for beginners


Nguhuynh

Hi guys,

If you don’t know anything about bug bounty, don’t worry, we will teach you. LET’S HUNT BUGS!!!

Bug bounty programs are mechanisms where companies pay hackers for
revealing the details of vulnerabilities that they discover, providing the
companies an opportunity to correct the issues.

There are three ways to hunt: Manual, Recon, 50/50, and Zero-day.

Manual: we need to understand the application better than the person who created it =), and find out what we can mess up. This way is quite difficult, but you will learn a lot, and your income will grow steadily.

Recon: you should create your own tool, or improve an open-source tool you downloaded. Going this way, you will have many hard times, but when you succeed… 💵💵💵, just run the command and have fun :)

50/50: just 50% recon and 50% manual.

Zero-day: there are many new vulnerabilities every day, many people go after that juicy meat, and they often have a team that builds a zero-day scanner.

Each of these ways has its own successful hunter:

Eric (full recon)

Ron Chan (full manual)

Frans Rosén (50/50)

Shubs (full zero-day)

(Hit the links and look at their success.)

Burp Suite was created by PortSwigger. All of you installed Kali, right? Open Burp Suite and explore the main features of Burp. (Open Burp → Next → Start Burp)

→ Go to Proxy → Open Browser

a) Repeater:

In that browser, open any website you like (Yahoo, Facebook, …) → Go to HTTP history

Click any request you like → Right click → Send to Repeater

Go to Repeater, where you can change any part of the request you like. Click “Send” and you will get a response from the server.

=> Some vulnerabilities you can find with Repeater: HTTP header injection, IDOR, parameter pollution, …

b) Intruder:

→ Go to HTTP history → Right click → Send to Intruder → Go to Intruder

This feature is a tiny hydra :). I always use this to brute-force XSS, LFI, and SQLi payloads, APIs, … (of course, you can brute-force passwords and usernames if you like (~ ̄▽ ̄)~ ).

Highlight the value that you want to inject.

Press the Add button → Go to Payloads

Paste your payloads here → Start attack → Wait for the result

Those are the two main features (of the Community Edition). If you want to use Burp Professional, don’t worry about most of the extensions on GitHub.
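The defender's view of the Intruder run described above, as an added example that is not part of the original article: a Python script that flags a client cycling one query parameter through many values in a short time, which is what a single highlighted payload position looks like in a web access log. The log lines, IP addresses, function names and thresholds are constructed for illustration, and it only sees parameters that reach the access log (query strings, not POST bodies).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (combined format): one client steps "id" through six
# values in six seconds, another client browses normally.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] '
     f'"GET /item?id={1000 + s}&lang=en HTTP/1.1" 200 512' for s in range(1, 7)]
    + ['198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /item?id=42&lang=en HTTP/1.1" 200 512',
       '198.51.100.20 - - [10/Mar/2024:10:05:40 +0000] "GET /item?id=43&lang=fr HTTP/1.1" 200 512'])

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')

def parse(line):
    """Return (ip, time, path, [(param, value), ...]) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    url = urlsplit(target)
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, url.path, parse_qsl(url.query, keep_blank_values=True)

def find_fuzzed_params(log_text, min_values=5, window=timedelta(seconds=60)):
    """Map (ip, path, param) -> most distinct values seen inside one window,
    keeping only parameters that reached min_values."""
    seen = defaultdict(list)  # (ip, path, param) -> [(time, value), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ip, when, path, params = rec
            for name, value in params:
                seen[(ip, path, name)].append((when, value))
    hits = {}
    for key, events in seen.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({v for _, v in events[start:end + 1]}))
        if best >= min_values:
            hits[key] = best
    return hits

if __name__ == "__main__":
    for (ip, path, param), n in find_fuzzed_params(SAMPLE_LOG).items():
        print(f"{ip} tried {n} values for '{param}' on {path} within 60s")
```

Only the `id` parameter of the first client is reported; `lang` stays constant across its requests, and the second client's two lookups are minutes apart.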

A substitute for Collaborator (a super extension for finding blind SSRF, blind command injection, …): https://replit.com/ → You can do more things with this.
