© Sanjib Sinha 2019
S. Sinha, Bug Bounty Hunting for Web Security, https://doi.org/10.1007/978-1-4842-5391-5_1

1. Introduction to Hunting Bugs

Sanjib Sinha, Howrah, West Bengal, India

Why do we learn to hunt bugs? It is difficult to answer this question in one sentence. There are several reasons, and reasons vary from person to person.

The first and foremost reason is we want to be better security professionals or researchers.

When a security professional is able to hunt security bugs in a web application, it gains them recognition; and because they are helping the whole community to remain safe and secure, it earns them respect as well. At the same time, the successful bug hunter usually gets a bounty for their effort. Almost every big web application, including Google, Facebook, and Twitter, has its own bug hunting and bounty program. So learning to hunt bugs may also help you to earn some extra money. There are many security experts and researchers who make this their profession and earn regular money by hunting bugs.

Reading this book will give you insight into implementing an offensive approach to hunting bugs in web applications. However, that knowledge should never be used for malpractice. You are learning these “attacking techniques” in order to defend web applications as a penetration tester (pen tester) or an ethical hacker. As a security professional, you are supposed to point out those bugs to your client so that they can rectify the vulnerabilities and thwart any malicious attack on their application.

Therefore, before moving any further, we should keep this important caveat in mind: without permission from the owners, you may not and should not attack a web application. With permission, yes, you may move forward to hunt bugs and make a detailed report of what can be done to defend against them.

There are also several good platforms (we will talk about them in a minute) that allow you to work for them, and as a beginner, you’d better get registered with those platforms and hunt bugs for them. The greatest advantage is that you get immense help from fellow senior security professionals. While you earn, you will learn, and you are on safe ground: you are hunting bugs or finding exploits and vulnerabilities with the owner’s permission.

As a beginner, you should not try these techniques on any live web application on your own. In many countries, attacking the system without the owner’s permission is against the law. It may land you in jail and end your career as a security professional.

Therefore, it is better to be registered with the bug bounty platforms and play the game according to the rules. We urge you to use the information contained in this book for lawful purposes; if you use it for unlawful purposes and end up in trouble, the author and the publisher will not be responsible.

In my opinion, if you are only interested in the bounty, you will not learn anything, and in the end you will earn neither money nor respect. Finding exploits and vulnerabilities demands a very steep learning curve. You need to know many things, including web application architecture, how the Web evolves, the core defense mechanisms, the key technology behind the Web (e.g., the HTTP protocol, encoding schemes), etc. You must be aware of how to map a web application and of the different types of attacks that can take place. In this book, we will learn these and more together.

Now we can try to summarize the bug bounty program in one sentence.

Many web applications and software developers offer a bounty for hunting bugs; it also earns you recognition and respect, depending on how well you are able to find the exploits and vulnerabilities.

If you prefer a shorter definition than the previous one, here it is:

An ethical hacker who is paid to find vulnerabilities in software and web sites is called a bug bounty hunter.

Bug Bounty Platforms

As I have said, as a beginner one should try the bug bounty platforms first and stick around for a long time to learn the tricks and techniques. In reality, not only beginners but many experienced security professionals are attached to such platforms and regularly hack for them.

There are many advantages. First, we should keep lawfulness in mind. Through these platforms, you know what you may do and what you may not do. That is very important. Another essential aspect is that you can constantly keep in touch with the security community, getting feedback and learning new things.

Here is an incomplete list of bug bounty platforms. Many good platforms will definitely come out in the future.

Hackerone: www.hackerone.com/

Bugcrowd: www.bugcrowd.com/

BountyFactory: https://bountyfactory.io

Synack: www.synack.com/

Hackenproof: https://hackenproof.com/

Zerocopter: https://zerocopter.com/

Japan bug bounty program: https://bugbounty.jp/

Cobalt: https://cobalt.io/

Bug bounty programs list: www.bugcrowd.com/bug-bounty-list/

AntiHack: www.antihack.me/

However, before registering with any of the previously mentioned bug bounty platforms, you should understand a few things first. You need to know how to use a virtual machine and the hacker’s operating system, Kali Linux. You must learn to operate tools like Burp Suite, OWASP ZAP, WebGoat, and a few others. You need to sharpen your skill in your virtual lab. There are a few web applications that allow you to hack them, or that are made intentionally vulnerable so that beginners may try their newly acquired hacking skills.

We will discuss them in the coming sections.

Introducing Burp Suite, OWASP ZAP, and WebGoat

To start with tools like Burp Suite, OWASP ZAP, and WebGoat, you need to install Kali Linux in your virtual machine. We will do that for one reason: Kali Linux ships with all these tools by default. Therefore you don’t have to install them separately. I strongly recommend using the virtual machine and Kali Linux; do not use these hacking tools on your own system, be it Windows, Linux, or Mac. They can either break your system or fail to work properly.

We will talk about the Kali Linux installation process in great detail in the next chapter. After that, we will learn to operate three essential tools: Burp Suite, OWASP ZAP, and WebGoat. As we progress, we will see that more tools are needed. We will learn those tools as well when the situation demands.
