Turning your time into bugs — zseano’s thoughts

Despite the fact I’ve complained that bugbounties have some problems, no other job out there enables you to sit in the comfort of your own home legally hacking websites in return for money, and sometimes big money. Money is a massive factor in why people do bugbounties and it’s why many started them in the first place; however, sadly a lot of people will end up spending hours finding nothing.

So, in this post I intend to give you some personal tips & advice on how to be successful in bugbounties and turn your time into bugs.

Firstly, be warned: Bugbounties are a risk as to when you will get paid, if you dupe someone, etc. Without risk there is no reward and before you start doing bugbounties you need to learn this. The industry is still growing and expanding. I cannot express it enough that to be a successful hacker you have to find what works for you. Yes, some payloads are “Do this, do that”, but when really digging into an application and doing recon etc, working out your own strategy will help you massively in being successful. Take a mental note of this!

You need to understand that when hacking you are literally limitless as to what you can try. Inject things into headers, try params. You are in FULL control, there is no failing, just learning!

Finding a target

The big question. “How to find a target?”, “Who do I hack on?”. When I got removed from one of my favourite programs on Bugcrowd for a disagreement I was faced with this very question. I will admit, I felt a bit lost on who to hack on and what to do, so I focused on my own skills and it’s a major reason I started BugBountyNotes. I wanted to create a platform to share what I’ve been learning to help others going down my path and help them avoid the mistakes I’ve made and to help them further their learning.

I kept on trying to improve my hacking skills and was jumping from program to program finding random, easy, low-hanging-fruit bugs until I found a sweet spot. Remember what I said earlier: to be a successful hacker you have to find what works for you. And you also need to remember, nothing lasts forever and I know that eventually a dry spot of bugs will be on the horizon, but when some companies are paying up to $20,000 for RCE, you need to be okay with that dry spot. That’s your relax time and time to work on yourself. We all deserve a break and you can’t hack 24/7.

No one can say “Go hack here, go hack there”. Sorry.. but it’s about what works for you. Ask all of the recon gods, the og hackers. Everyone has their own methodology when it comes to hacking & finding bugs, start writing your own hacker story and soon people will be asking how YOU found a certain bug. Seriously. I have personally mentored a few people 1 to 1 and they are finding bugs easily on their own. All it takes is getting yourself in that right mindset, especially if you want to do this full time.

With that said, here are my tips on helping you find a program:

  • Find the programs with big scopes. Lots to play with, new code pushed daily etc. Navigate the webapps and start learning how they work. The more you test and learn, the more likely you are to find a bug. There are lots of PUBLIC programs out there with bugs still on them, trust me! Do NOT be afraid to spend time on public programs. I personally found stored XSS on a very well-tested public program recently. Only jump from program to program when trying to find a new ‘home’ for the next few months, and then really dig your teeth into it. Don’t forget all of the other advice I’ve given you before: mobile apps, change country, user agent etc. You are limitless to what you can try!

Making your life easier

As with everything in life it can’t all be up and there are times you will feel like you’re finding nothing. The sooner you realise this may happen, the better. It can make you feel really sh!tty when people are sharing cool bugs and you’re sat there like.. :(( finding nothing over here! I’ve been there soooo many times.

But don’t fret, because what has gone down usually comes back up. Here are some common mistakes I’ve made in bugbounties and my tips on avoiding burn out & staying sane:

  • Too much hacking. Yes it’s a thing, chasing the money, chasing the bugs. If you’re hitting a blank wall with everything you try, it’s time to either switch over to a new program, change goal as to what you’re trying to achieve, or simply take a break and ask yourself, “Is this site just THAT secure now.. or am I missing something?”.

Finding your first bug

As explained above it can be quite hard to tell people “Do this, do that. Get this result!”. If only hacking worked like that :) However here are my top tips for thinking outside the box and landing your first bug.

  • Real simple, but test the mobile web version (if available) and don’t forget to check iPad. Your reflection on the desktop site may be vulnerable on the mobile version. I have found lots of XSS that wasn’t vulnerable on the desktop but as soon as I switched to a mobile UA, it worked. Funny that :D
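One common cause of the desktop/mobile difference described above is that the two versions are rendered by separate templates and only one of them encodes output. As an added example (not from the original post), here is a site owner's regression check in Python that passes one harmless marker through every User-Agent-selected variant and reports which ones reflect it unencoded; the render functions, the User-Agent strings and the marker are all constructed for illustration.

```python
import html
import re

# Constructed sample app: the response template is chosen by User-Agent.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.I)

def render_desktop(q):
    return f"<p>Results for {html.escape(q)}</p>"

def render_mobile_flawed(q):
    # Constructed flaw: a separately written mobile template with no encoding.
    return f"<div class='m'>Results for {q}</div>"

def render_mobile_fixed(q):
    return f"<div class='m'>Results for {html.escape(q)}</div>"

def handle(q, user_agent):
    """'Before': desktop encodes, the mobile path does not."""
    if MOBILE_UA.search(user_agent):
        return render_mobile_flawed(q)
    return render_desktop(q)

def handle_fixed(q, user_agent):
    """'After': every variant encodes reflected input."""
    if MOBILE_UA.search(user_agent):
        return render_mobile_fixed(q)
    return render_desktop(q)

# Constructed User-Agent strings covering the variants the post mentions.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 16_0 like Mac OS X)",
}

# Harmless markup marker: if it comes back byte-for-byte, nothing encoded it.
PROBE = '<i data-probe="7f3a">'

def unencoded_variants(handler, user_agents=USER_AGENTS, probe=PROBE):
    """Return the names of the variants whose response contains the raw probe."""
    return [name for name, ua in user_agents.items()
            if probe in handler(probe, ua)]

if __name__ == "__main__":
    print("flawed:", unencoded_variants(handle))
    print("fixed: ", unencoded_variants(handle_fixed))
```

Running the same check over every template variant in CI catches the case where a fix lands in the desktop template but not in the mobile or tablet one.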

Final remarks

Not everything in life will always go our way, but as long as you never give up, you’ll get there. As with everything, some things take time. How badly do you want to be a hacker?

Being a hacker is meant to be fun, don’t forget that (:

Happy breaking the internet!

-zseano

UK WebApp Security Researcher. Creator of BugBountyHunter, designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com
