Zonduhackerone
6 min readJun 22, 2020

There are lots of guides on how to start into Bug Bounty Hunting but I will share my personal experience of getting into bug bounty hunting without previous knowledge of coding or web development and will also share some useful resources as well as answering some common questions.

How I started?

I started hunting for bugs without knowing any web development. I joined H1 without knowing what XSS was. It took me a little more than a year to be where I am. Constant learning and studying. This is a competitive field, you can earn money but it won’t be easy, you need to earn it.

I had no idea how a lot of things worked but eventually I learned about them. Now I can proudly say I found all Top 10 Owsap vulnerabilities like SQLI, RCE, XXE apart from many more, but it took a lot of hard work, it didn’t happen from one day to another.

Right now this is my full time job.

Where to start?

When starting you may get overwhelmed with all the information there is out there, and that’s fine, but I recommend to learn one thing at the time, once you are done with that you move up to another thing/topic. For example, pick a vulnerability type and learn in deep about it, then move to another, etc.
What vulnerabilities every bug bounty hunter knows?

There are too many and some are fairly new like HTTP smuggling, so I will just mention some of the ones I think you should start with. You will learn others along your journey..

Also, they are not in order, so you can pick any of them to start:

- XSS
- CSRF
- IDOR
- Open Redirect
- SSRF
- SQL injection (the basics, since can be hard when starting)

This are common web vulnerabilities but there are many more. So when starting from zero I would pick one of the above, and try to learn about it. Then repeat. If you already know all of them, then search for others.

Where can I learn about them?

There are a lot of resources to learn every vulnerability type, everything is out there. I will just mention some of useful websites that you can start learning now, completely free.

PortSwigger’s labs → https://portswigger.net/web-security

They explain almost all vulnerability types that exist. They give a really good summary on what the vulnerability is, and also have a lab that is a controlled environment where you can hack it exploiting that vulnerability type.

Hackerone’s Hacktivity → https://hackerone.com/hacktivity

The search function inside Hackerone sucks, so you can use google to search for this: “Hackerone XSS” in google will give you results of other hacker’s findings on real websites about XSS. Personally, I used this a lot when starting, and still look at it almost every day so you can get a real vision of how the vulnerability looks at a real website and how hackers find and report them.

CTFs (Capture The Flag)

CTF is where you hack into a controlled environment to find a “flag” that will prove you completed it.

I honestly don’t like CTFs and never really got into it, but some people do and learn a lot about it. Can be useful to improve your skills and some people just enjoy doing them.

Hackerone Discord → https://discord.com/invite/32ZNZVN

I just can’t think of what would be of me if I have never found this discord server. I joined there without knowing what XSS was. I didn’t know any web vulnerability. It took a lot of work and a lot of desire to learn to get where I am, and eventually paid off.

There are a lot of people there that will point you in the right direction in this server, feel free to ask questions there.

Do I need to use any special tool?

When you start, all you need is the free version of burp suite to intercept and log traffic and a browser. Eventually you will start using other tools or developing your own and that’s normal, but you don’t need to learn 20 tools to start hunting for bugs… just a browser and burp suite.

Do I need to know how to code?

Well, you don’t need to know, but it definitely helps. I knew a bit of python when I started in the bug bounty world and it helped me to automate some basic tasks and recently I used it a lot for “complex” PoCs of my last reports.

I would recommend to learn a bit of bash script and python so if you want to automate a task you can do it.

It is also important to know the basics of javascript and html to actually know how to get an XSS, you should definitely learn a bit about them too.

How to write a report?

You need to be clear in what the bug and the impact is. There are awesome reports in Hackerone that you can take as guide.

Also check here → https://docs.hackerone.com/hackers/quality-reports.html

When should I start looking for vulnerabilities in real websites?

Well, this is a hard question. Everyone makes his own journey. Some prefer to do CTFs, some like to do a lot of labs.. some like to read some books like “the web application hacker’s handbook” and just then jump into a program and that’s totally fine. Everyone has his own journey.

Personally I don’t like CTFs. I didn’t do any labs apart from 2 or 3 from PortSwigger of HTTP Smuggling. I did read a hacking related book and understood nothing about it.

What I did was jumping directly to old bug bounty programs and started searching for the vulnerabilities I learned about and that’s it. Pretty simple right?

Being a Bug bounty Hunter or Security Analyst means you will always be learning new things, new vulnerabilities, new techniques, etc. There isn’t any hacker that can say “i know it all” and just stops learning.

So start looking for vulnerabilities whenever you feel like to do it. There isn’t a “right” moment. I would recommend that you learn a few web vulnerabilities before trying to hunt for bugs but you are always free to do whatever you want, remember, every journey is different.

Do I need to get a certification like CEH?

Definitely not. You can get it if you want to work for a company but won’t give you any special advantage in the Bug Bounty world when finding and reporting vulnerabilities. A lot of hackers are self-taught like me.

You can learn everything without spending a single dollar in any cert or any website that claims you can become a hacker in 2 weeks by buying their $500 course from them. Don’t trust them.

Automation

Automation can be from automating simple tasks such as a big command you do every day to a large script to do multiple things. This isn’t a “must”, but will definitely save you time and maybe you get more bugs..

General rule every hacker (or just linux users) knows:

  • If you write the same command (that is relative long) 2 or more times a day, then make a function in bashrc or make a script and move it to /usr/local/bin to call it from everywhere. This will save you time.

I recommend watching Nahamsec youtube videos where he does recon and shows some cool techniques and how you can automate your workflow.

What I recommend:

  • Automate subdomain enumeration and discovery.
  • Automate brute-forcing directories.
  • Automate visualization of live subdomains.
  • Automate everything that takes “long” time to do it manually so you can focus on something else while it is running.

Conclusion + Tips

  • The bug bounty field is competitive.
  • Everything is in internet, just ask Mr. google.
  • This is not for everyone.
  • Try to avoid being overwhelmed with information. Take breaks.
  • Send this to the people that ask you “Can you teach me how to hack?”
  • Work hard and you will eventually get it.
  • Some people in Twitter share useful resources, tips, etc. follow them!
  • Good luck.

If you want to buy me a coffee because you liked this guide, feel free to do it here: https://www.buymeacoffee.com/zonduu

Follow me on twitter https://twitter.com/zonduu1 so you can see where I publish new write-up in my own website.

Hope this is useful for some people,

zonduu.