Review of BugBountyHunter
This is a review about the learning platform BugBountyHunter) where want-to-be hackers can come and learn the ropes through hands-on experience with the guidance of its creator https://www.twitter.com/zseano and the throng of talented people over at their discord. Before we get on with the review though…
Who is the writer?
On the interwebs, I usually go by one of two handles “eliee” or https://www.twitter.com/elieehel; it used to be the name of my pointy-ear main character in a popular MMORPG back at the start of 2000 but now serves as a general nickname.
I initially started looking at hacking back in 2020 after finding the report from the hackers who managed to find a vulnerability in Google’s Firebase messaging platform. Upon reading the disclosed report, I was surprised to learn that they’d earned over USD 30k across multiple programs while also wondering what’d it take to be paid to hack. As it turns out, there are several platforms that mediate between hackers and companies, and thus my journey into cybersecurity started.
Since I hadn’t the slightest about where to start with any program, googling lead me to YouTube which eventually lead me to TryHackMe and HackerOne’s Hacker101. Working a day job as a full-stack dev it turns out that hacking is not all that different from ensuring produced code runs as expected, and I completed a bunch of the CTF challenges at Hacker101 quite quickly. As there are several fields present on TryHackMe, I tried focussing on what seemed to fit with web vulnerabilities and at the time of writing, I have achieved level 0xB.
With that out of the way, it should be clear I don’t have that much experience with actual hacking and we can now get going with what you’re probably here for — the review!
BugBountyHunter.com provides its users with not one, but two vulnerable web applications — Barker and Kreative — for its users to hack on. These two applications combined contain a total of 139 vulnerabilities to be found, ranging from CSRF issues and CORS misconfigurations to SQLi and RCE, all baked into products that emulate real-world websites and make it feel like you are looking at a proper target. On top of that, most of the bugs present are based on findings by https://www.twitter.com/zseano when hacking. This is all nice and cool and all that, but apart from the bugs being based on real ones, it doesn’t really set the platform apart from other companies. There is still one core feature to this service that I haven’t touched on — all vulnerabilities found throughout the provided web applications are to be reported (as in, you write a real report on what you found and the finding’s impact) and this report is, in turn, triaged by BugBountyHunter.com staff! This gives the platform a definite edge over its competitors since you get your report looked at just like on a real program. You also receive input on what you’ve found, what you might have missed, and what you could do better.
There is one slight drawback to this, however: you actually have to wait to have your shiny new finding triaged and accepted. For people used to CTF style platforms where you receive instant feedback — Yay, you found the flag, well done — it can feel a bit slow in the start. That said though, response times are way better than some real programs out there and this very much emulates how bounty platforms operate and as such you get a feel for what it’s like to report something and wait to hear whether the finding is valid or not.
Barker and Kreative
Out of the two applications available, Barker is the bigger one — at least for now. The application emulates a social network service centered on dogs where you can post messages and pictures, create groups, like posts, and … yeah, you get the idea. The usual stuff for interacting with people through the internet these days. While the implementation of this platform might not look and behave in fancy ways like other big platforms, the core functionality is certainly there. When you want to hack on either platform, you are provided with your private instance on which to hack without disturbing — or being disturbed — by anyone else hacking. Barker at first gives the impression that it is securely coded, but after pulling at its threads a bit it quickly becomes evident that the supposed creator has kernel panicked a few times while implementing the features across the webpage. As a dev myself, I can, unfortunately, say that similar errors and “thinking failures”, certainly happen in actual companies, and sometimes they make it through code review to production. Or the one “reviewing” the code is the one who wrote it. Or there is no code review policy in place at the particular company because of technical debt.
Either way, the sort of bugs you can expect to find throughout Barker are sometimes small misses in logic, like failing to sanitize user input before it is output. Other times, it gives off the feeling that the supposed dev didn’t have the full application in mind when implementing a particular feature, i.e. they didn’t stop to consider how the feature could be misused. It certainly helps teach hackers just starting out to think about how the application is structured and try to find weak spots where the implementation is poor or logic has gone missing.
Kreative is currently a complement to Barker that ties in with some features and further pushes the users to think about how things are interacting with each other. After poking about for a bit, I found myself thinking “This feature which lets me pull a public profile, is it connected to the database? Or is it talking to an API? If it’s an API, can I find and access it directly? If I can’t, can I leak access keys or access it internally somehow?” It works well to get you to think about the how of things, like how the dev might’ve intended for things to work.
Many might believe hacking to just be throwing some payload at this or that webpage, receive confirmation that the target is vulnerable, report, profit, but Barker and Kreative make it painfully clear that there is much more to be found and reported than what can be scanned for. While the bar is certainly high to find such vulnerabilities for newcomers, after grasping at every dangling thread you think you can see, pulling at it, reporting it, and then receiving an email saying what you found was an actual vulnerability does help push people. I, for one, find it to be one of the best features of the platform; you pull your hair out looking for that something, and when you finally find it you get this enormous boost of confidence that encourages you to push on and learn.
That said, going long times without finding anything can also be a drawback. When you look and look and look and find nothing, you start doubting yourself. Is this really what I should be doing? Am I good enough? Truth is, bug bounties seem to not be only a battle fought with others, but also a war of attrition with your own mind. Not everyone has the mental fortitude to tackle hacking and Barker + Kreative can certainly help people find whether it is for them or not.
There is help to be had, however — if you find yourself stuck you can always reach out to the members of BugBountyHunter through discord. You can even reach out to https://www.twitter.com/zseano himself and he’ll likely do what he can to help you on your way.
Along with the membership comes access to a dedicated discord server where you can talk to the other members of the platform about anything general to specific hacking-related concepts or even particulars of certain bugs on the platforms. Lots of people from different walks of life with a shared interest in hacking and helping make the community a friendly and inviting one — a request for help is likely to be answered quickly by one of the other members, ensuring you won’t be stuck for long. On top of this, events are arranged now and then for the members of the platform. Sometimes it’s for particular members who’ve excelled at one thing or another, other times it’s for members of level x. One particular kind of event that should be mentioned is FirstBlood — which is a third vulnerable web application used for the sole purpose of simulating a live hacking event.
During the live hacking event, members meeting certain criteria will get access to the event and be allowed to report any vulnerabilities found. The event runs for a set amount of time — the last event was a week — and once the event concludes, bounties are paid to the contestants. You read that right, the platform pays bounties for bugs found during the events just like any real-life live hacking event target would. I managed to secure a shared third place during the last event, an achievement better than any bounty as it proved how much I’ve managed to learn while trying to hack Barker and Kreative.
So I had some experience with CTF and vulnerabilities before joining — what about those who have no previous experience? Won’t it be difficult getting started? To which the answer is yes, it probably will be difficult to get started. There is, however, help to be had. https://www.twitter.com/zseano provides users of BugBountyHunter with a PDF copy of his own, personal methodology which details his approach including what to look for and where, how certain classes of vulnerabilities can be expected to both be found and exploited along with filter bypasses and a general suggestion for with which mindset to tackle the world of bounties.
This will definitely serve to mitigate some of the stress newcomers are bound to feel when first starting out by giving them a sort of framework to go by initially, but make no mistake — even though the platform is aimed at people wanting to learn to hack, the difficulty of learning something completely new remains the same; you will have to throw hours of your time at certain aspects and to be perfectly honest, this requirement is likely to remain even after you learn how to hack. Nothing comes free and this is particularly true in a field where new software is released and deployed on a daily basis.
Should this discourage you, though? Definitely not. BugBountyHunter is a great platform for starting out, just don’t expect to be spoonfed as you will have to look things up and study on your own as well.
Like all things awesome, BugBountyHunter comes with a couple of catches, and the membership fee is one of these. At £250 for lifetime membership, or £150 for one year, it’s no small investment for someone not knowing whether hacking is for them or not. While the price certainly is fair given the amount of information, content, and effort put forth by https://www.twitter.com/zseano & co, it still deserves a fair amount of thought (unless you, unlike me, have all the money you need). The money gets you a lot of things, however, and all things considered, I consider it money well spent. If you aren’t going to hack and earn it back, though… Well, perhaps it’d be better spent elsewhere?
At the time of writing, sign-ups have been closed. The platform has seemingly hit its current limit for what it can handle in terms of triaging reports while also progressing development and dealing with all the other things that come from running an actual company. In other words, at the moment there is no actual way of joining the platform as its staff has met the — reasonably set — throughput threshold, at least for now.
There is also a rather low rate-limiting requirement for fuzzing, likely because the costs of running a private instance for each member would skyrocket otherwise, which is fair. It should be said that many real programs also enforce similar rate-limiting policies, so it also goes to give the impression of hacking on a real target since you must abide by the company set policy. I would, however, like to be able to fuzz faster… A selfish request, certainly, but my fuzzer has been made to go brrrrr.
BugBountyHunter.com provides its members with solid support, nice, realistic websites with bugs based on real findings, and the feeling of hacking on a real target where your reports are triaged by a real person. While somewhat pricy, particularly if just starting out and you don’t know whether hacking is for you, it should pay off in the end if you stick to it and apply yourself. I am happy and content as a member of BugBountyHunter, and certain that it has helped grow my skills as I’ve found quite a few real bounties since becoming a member. If you are truly interested in learning how to hack, I look forward to seeing you around the discord chats.