The Ultimate List of Bug Hunting Resources for Beginners

TL;DR- If you’re new to cybersecurity, you’ll absolutely want to take a look at one of the highest earning activities for white-hat hackers — Bug Bounties.

Introduction

In this post, I’ll be reviewing the absolute basics of bug hunting, and a ton of great tools and resources. We’ll take a look at what bug bounties are, basic tech skills, and how to become a skilled pen-tester.

If you’re into programming, you can even develop your own bug hunting toolkit! Stick around and I’ll showcase my personal scripts that I’ve used for numerous bounties.

Note: This post does contain affiliate links for some of the resources, which don’t add any extra cost to your purchase, but helps me out through a small portion of the proceeds.

What is bug hunting?

More and more organizations and companies are starting to create programs that allow vulnerabilities to be reported legally, and with monetary rewards. While you could utilize vulnerabilities you’ve found to expose user data on the dark web (like a black-hat hacker), there’s also a great legal option.

These programs enable developers to identify and fix bugs before the general public is aware of them, preventing widespread abuse. A large number of organizations, including Facebook, Google, Twitter, Microsoft, Uber, Github, and many others have implemented these sorts of programs.

Companies like Yahoo and Uber frequently pay out $50K+ bounties, with some of the highest payouts coming from Google and Apple at $170K and over $2m respectively.

Even companies outside of the technology industry, including government branches such as the US Department of Defense, have started to use bug bounty programs hosted on HackerOne.

Remember…

1- You’ll have plenty of help from others, but you’ll need to put in a lot of work to see significant results.

2- You will not become a world famous bug hunter overnight.

3- Bug bounties are very competitive. You’ll want to start small, not even worrying about the money aspect until you get good enough to move to websites with small bug-hunting programs. Here are a few tips —

Basic tech & terminology:

You need to have a basic understanding of how the internet works. You can reach out to find help on social media and certain forums, but there’s a ton of trial and error in bug hunting. Here are a few important topics —

HTTP/HTTPS

HTTP is a method of communication, which stands for HyperText Transfer Protocol. It was created to allow web browsers and web servers to communicate with each other. I’d highly recommend you read the following resources to get a basic understanding of HTTP protocols, HTTP requests, responses, status codes, encoding/decoding, and more.

You can more or less break these status codes down into 200’s succeeding and anything in the 400+ range failing (for various reasons). You’ll want to learn a bunch more than that though if you’re looking to find good bugs.

You’ll absolutely want to familiarize yourself with HTTP requests, responses, and everything in between for bug hunting →

Links from TutorialsPoint on HTTP →

Basic Networking:

This is a helpful skill if you’re getting into cybersecurity, and knowing the absolute basics about things like IP addresses and networking packets can be helpful when exploiting websites. Here are some great, fundamental resources that I’ve used myself →

Common ports for machines (web servers, computers, gaming consoles, the whole lot) →

More links and information on DNS (Domain Name Servers) and network security →

Linux Commands →

It’s a great idea to start with a knowledge of different Linux operating systems, and be able to use the command line (preferably on a variety of platforms).

If you’re not familiar with Linux, I suggest purchasing one of the popular books below or reading online articles to learn more.

Three great books I’ve read on Linux:

The Ultimate Kali Linux Book

The Linux Command Line, 2nd Edition

Linux for Beginners: A Practical and Comprehensive Guide to Learn Linux

Programming/Coding:

You don’t need to know how to program in order to be a successful bug bounty hunter, but it does help with troubleshooting and allows access to more potential bounties.

If you understand the code, you can increase your chances of successfully identifying and exploiting vulnerabilities.

You might also need to understand the syntax of a target website’s code to escalate a bug to a much higher severity, landing 3 or 4 times the original bounty.

Here are some resources on each programming language prominent in bug hunting →

HTML

PHP

JavaScript

SQL (Structured Query Language)

Understanding the languages listed below will allow you to code your own tools, comprehend many other widely used tools, and modify them as you see fit.

I’d highly suggest getting a subscription to Amazon’s Kindle Unlimited, it’s cheap and there’s a ton of surprisingly up-to-date resources for hacking and bug hunting tips.

Personally, I use Bash to code scripts for hacking automation, here’s one of them if you’re interested →

Bash

Learning The Bash Shell

Ruby

Python

Python Web Penetration Testing Cookbook

Great resource links →

Golang

Mastering Go: Create GoLang Production Applications

Go Programming Cookbook: Over 85 Recipies

Take these tips one step further if you’re advanced enough, and check out another post on becoming a skilled red-team hacker →

Hopefully you learned some helpful tips and got a couple of resources that you can use as a starting point. If you enjoyed this post, check out similar articles on bug bounties and computer science from The Gray Area.

Support my writing and help me create more content by subscribing to a Medium membership with my referral link, giving you access to all of my posts (and everyone else’s on Medium)! →

Thanks!