My Experience on Bug Bounty Hunter.
"The only true wisdom is in knowing you know nothing." ~Socrates
This was me when I first got into Bug Bounty. I knew nothing and I was very aware that this would be a challenge.
I started out young, learning about hardware and modding, because games are expensive when you're a kid, which led to modding xboxes, PlayStations, Wii’s, Routers and Hardware hacking, as well as building my own data centre in my basement.
About a year ago when I was trading, I watched Bloomberg for current events, stock prices and news. They had a spotlight segment about a hacker named Dawgyg and how he was able to make a living hacking doing something called Bug Bounty. I have never heard of this guy or bug bounty, so I did some research and spiked my interest. I did some searching on YouTube on the topic and came accross another interview with a hacker named File Descriptor. In the interview, he had recommended a book called: The Web Application Hackers Handbook 2nd Edition. So I went on amazon and purchased it, and started reading.
It was purley then by chance, another hacker named Zseano showed up in my youtube recommended videos to watch. So I started watching his videos, which led me to the Bug Bounty Hunter website. From there I signed up and started this journey.
I tested myself with the information I read in Web Application Hackers Handbook and found a few bugs. When things got tough, I read Zseanos methodology, which is great and it led me to finding even more bugs. Then, when I was really stuck, I turned to the Discord Help Channel. At this point I had no web coding knowledge, still very much a noob. I always had the ability to make things work, I couldn't write code, coming from assembly and Python and c, and basic. I could vaguely understand what was going on. So upon asking in the discord help Channel, I was given tips and if I still didn't understand, I would continue to ask around. Then I saw the number 1 hacker (at the time) was online (Jomar), so I sent him a dm.
Like everyone who is new to something, I had so many questions as I worked my way through. I’m sure I annoyed Jomar, as he basically had to walk me through a lot of things that I didn't understand. But like any good mentor, he was honest with me and even told me I was straight out asking him for the answers. In my defense, I had no idea what the end goal of this specific bug was, so I had no idea that I was close to the answer.
After that, I would try my hardest to not ask until I was at least 90% of the way to solving the bug, until I just needed a little nudge to figure out the solution. This would be a pattern from I'd say the first 10 bugs up to 25. Then things started clicking and I was able to figure out more and more on my own. Around the 50th bug or so, I was stuck on 2 bugs that I had no clue, so I messaged zseano and he helped thought them.
After that I was doing well, found my self in the top 25, then the top 10 and finally in the top 3 (#2 being Good and #1 Jomar.)
This is when the fun started. I was ready to start thinking about the gold. Good and I, we bounced between 2nd and 3rd for a while. At this point there were only 60 bugs or so. Until an update came out and suddenly there was 100 bugs to find. Good and I made a deal to help each other. We NEVER revealed the answers outright, only giving each other tips and subtle hints. Working together, we leaned a lot. The fact that we both thought very differently helped us through and taught us even more. I seemed to get stuck on the super easy and obvious bugs (and still do) but seemed to have a much easier time with the more complex bugs like the OOB XXE, that to my knowledge, I am still the only one who found it that way. So then we found ourselves at 100 bugs and both tied for #1, mission accomplished! After so many hours (see my stats for just how much time), we basically hacked 24/7 for 4 months straight. From there, I just poked around and found a few more bugs and that's where I am at today. Once 100 bugs were found, zseano himself, presented us a letter of recognition.
The moral of the story is, anything is possible. Through determination, a lot of hard work, many hours of struggling and tons of googling and combing through stack overflow, it was a success. I approached things differently. Instead of just finding one way to make a bug work, I tried to find as many ways as possible to get the same bug. My thinking was it will never be the same on a live site. That's why I have so many dupes and submissions. Never be afraid of rejects or bugs you think are "dumb", you would be suprised what gets acceptad and paid out. The unexpected side effect of this method was, I would look for one bug say ATO, and never find that actual bug I was looking for, but yet stumble on to 10 others. Strange how that works, just keep poking and messing with things until something works or completely breaks. I had to restart barker many times from it being completely unresponsive after messing around too much. But that did not deter me.
So my advice to anyone is, read the Web Application Hackers Handbook, Zseanos methodology and do the xss module on pentester lab (I only paid for 1 month) it's well worth it, and just copy/paste what ever code you don't understand into google. The answer is usually there. If not, don't be afraid to ask the community. I still ask Zseano and Jomar from time to time, trying to work through and learn how they found certain bugs etc. Read writeups, Twitter can sometimes help, and find someone to have a friendly competition with and push each other, it works wonders. As of this write up I am #1 on barker and bugbounty hub.
I can't thank Jomar and Zseano enough for their huge amount of help and patience in getting me where I am today. It's not easy being a full time hunter(as of May 2021) but I am doing well for now and I still continue to learn even more.
I hope this will give anyone reading this some insite and motivation, and realize anything is possible. It's up to you to put the countless hours in, have the drive to keep learning and hacking no matter how frustrated you may get and always trying new techniques.
Best of luck to everyone, Happy hunting, Prime.