Effective Note-Taking For Bug Bounties

This guide was written and submitted by security researcher/bug hunter, @iBruteSec. Be sure to check him out and give him a follow!

In my opinion, note-taking is one of the most important things you can do when you’re hacking on a target. Just writing down your thoughts and the features of the application can help you understand it better and construct attack scenarios more systematically, especially if it’s a really complex web app.

A lot of the time I’ve been able to think of weird edge cases that led to bugs just by writing down all the features of the web application and its intended behaviour. Everyone has their own way of learning and taking notes. Some people don’t rely on digital notes at all and prefer physical notebooks, and that’s perfectly fine too. I personally don’t take any physical notes, as I find it much harder than taking digital notes. It’s all about what works for you. If you’re new to digital note-taking and want to understand how other people take digital notes, then I’d recommend reading on.

In this guide, I’d like to share how I take notes and the program I use when I’m going through a bug bounty program. I personally like to use Evernote, and I’m aware of other programs such as Notion. I started using Evernote before Notion was even a thing, so I haven’t bothered to switch, because Evernote works perfectly for me. I’d recommend giving both a try and seeing which one fits you better. This guide is based on Evernote, but you should be able to replicate the same approach with any similar note-taking program.

Once I’ve selected a target and know what to hack on, I go ahead and create a ‘New Notebook’ in Evernote.

Now, this is the time where I’d spend hours just using their web application. If it’s a fairly complex web app, it can take days or weeks to know all the features like the back of your hand. If I find a few small issues/low-impact bugs within the first few minutes of looking, I note them down and probably report them if I can’t see a way to chain them into a higher-impact bug.

So it’s day 1 and I’ve found a few issues/bugs within the first few minutes of looking. I’d write them down something like this:

As I go on, I try to understand some of their basic features and continue writing down what the application has to offer.

The features list gets appended to as I continue to understand more about the web app. Once I’ve understood a few of the basic features the web app has to offer, I look at each feature for possible IDORs and see if there’s anything I can do to abuse it.

Another great feature of Evernote is that it’s very easy to capture screenshots of your requests/endpoints with its built-in screenshot tool: the screenshot gets added directly to your notes when you take one. This is extremely handy for recalling which endpoints you’ve already tested. You can also use Evernote’s search feature to search for text within an image, which is super handy too.

You can pretty much do this for anything, not just while hunting. Evernote allows you to nest notes, which is great if you’re taking a course or training.

Let’s say you’re interested in watching all the videos that zseano has put together on YouTube. I’d make nested notes like these:

This way, I can easily recall what advice and tips he’s given in a specific video without rewatching all of his videos from scratch.

This is pretty much the way I write notes. As I go along hunting, I’m always noting down interesting parameters, JS files and weird requests, with screenshots, so that I can recall them exactly at a later date if I find a way to exploit that particular behaviour. At first, this might seem like a lot of work and unproductive, but trust me, it gets easier with time, and in the long run you’ll think otherwise.