Diving into Bug Hunting and collecting Bounties #1

11 months ago 57

Jockster

Recently I heard about the topic of Bug Bounty Programs and that you could make money by finding vulnerabilities in web applications and on websites. Since I am a software engineering student doing my master’s in System Security, I thought this would be the perfect way to combine learning with a potential side hustle. This blog is therefore devoted to my hacking journey and to boosting my motivation to learn something about hacking every day, so that I have something to write about.

Day 0:

One of the first platforms that pops up when you search for Bug Bounties is HackerOne. I browsed the website for a bit and then decided to create an account and try to find my first bounty there. But it’s not that simple: in order to find bugs on websites and apps you need to know where to look, so instead of diving head first into a program, I began with a YouTube tutorial. A content creator called PhD Security gave a comprehensive introductory course, so I began by watching that video.

After watching an hour of the video and installing Kali Linux and getting to know Shodan and Burp Suite, I decided to switch things up a bit and try some CTFs. A CTF in this context is a gamification of hacking, where you visit a website specifically made with vulnerabilities and it is your task to find and exploit them. After successfully finding the exploit, you get a text string called a flag that you submit to earn points. This is a very fun and engaging way of learning hacking and I completed 5 in a row. You can find the same challenges through the HackerOne website by clicking into the Hacker101 CTFs, https://ctf.hacker101.com/ctf.

The challenges that I completed on the Hacker101 website. The first one was trivial and the other four were labelled easy.

The challenges I completed had exploits of the type:

Cross Site Scripting (XSS) — This is an exploit where a hacker might implant malicious code onto a website. One of the simplest examples is the scenario where a website has a comment section where users can write text that is then displayed to others. There a hacker might write something like:

<script>alert("Hey you")</script>

which will trigger your browser to execute the script and display an alert dialog saying “Hey you”. Oftentimes a hacker will implant more malicious code than that, and it is therefore very important to sanitise user input before it is saved and displayed on any website.

SQL Injection — Another type of exploit that I found was a SQL Injection, which is when a hacker sneaks in a command to the backend that performs some form of database operation. In this case the SQL could be added to an HTTP request parameter like:

exploit.com/edit/exploit/<exploit-number>add SQL here

The SQL statement that I added was a string terminator (') which is used to end SQL text strings. If not used correctly it can generate an error in the code and potentially crash the server.
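The defensive side of both bugs described above, as an added example that is not part of the original post or the Hacker101 challenges: output encoding for the comment text, and a parameterized query for the value taken from the URL. The table, the sample row and all function names are assumptions made for illustration.

```python
import html
import sqlite3

PAYLOAD = '<script>alert("Hey you")</script>'  # the comment text from the post


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: the comment goes into the page as-is, so the browser runs it.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    # Encode on output: <, >, & and quotes become entities and show as text.
    return "<p>" + html.escape(comment) + "</p>"


def make_db() -> sqlite3.Connection:
    # Constructed sample data (hypothetical table and row).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id TEXT PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO pages VALUES ('1', 'Welcome')")
    return db


def lookup_unsafe(db: sqlite3.Connection, page_id: str) -> str:
    # Vulnerable: the URL segment is pasted into the SQL text itself.
    query = "SELECT title FROM pages WHERE id = '" + page_id + "'"
    try:
        return "found" if db.execute(query).fetchone() else "not found"
    except sqlite3.Error:
        return "sql error"  # a stray ' leaves the string literal unterminated


def lookup_safe(db: sqlite3.Connection, page_id: str) -> str:
    # Parameterized: the value is bound as data and never parsed as SQL.
    row = db.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return "found" if row else "not found"


if __name__ == "__main__":
    db = make_db()
    print(render_comment_unsafe(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    for segment in ("1", "1'"):
        print(repr(segment), lookup_unsafe(db, segment), lookup_safe(db, segment))
```

With the trailing quote, the concatenated query fails to parse while the parameterized one simply finds no matching row.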

Road cameras hate him.

Anyways that’s all for today folks, I will continue posting as my journey progresses. Thanks for reading, hope to see you next time!
