A while back, Gregoire Gilbert and Johannes Ridderstedt (then Lundberg) of the Uppsala Tech community asked me if I could write an article about bug bounty hunting for their upcoming magazine The Uppdate. Its first issue is now available at http://theuppdate.com and I’m very proud to be part of it. I recommend going there and downloading it to read the rest of the articles.
Uppsala Tech is a community that aims to advance the tech and entrepreneur scene in Uppsala, Sweden. If you work in or with Uppsala tech, have a look at http://www.uppsalatech.se and join the Uppsala Tech Slack group.
Without further ado, here is my text:
7 Reasons Why You Should Become a Bug Bounty Hunter
(First published in The Uppdate #1)
Software security is an increasingly important aspect of developing applications and other computer-related products (such as IoT devices). In the last few years, more and more companies have been trying out something called Bug Bounty Programs to make their software more secure.
A bug bounty program allows anyone with sufficient skill to hack into systems and products owned by the company, as long as any security holes are reported to the company before they are disclosed publicly. Such reports are often rewarded with money or swag (T-shirts, stickers, etc.). Those who find and report vulnerabilities are called researchers or white hats.
Why (should you do it)?
There are many reasons you should consider becoming a bug bounty hunter.
You will:
- Learn more about security. Gaining knowledge about how to break applications built by others will increase your security awareness when building your own applications.
- Earn money. Many bug bounty programs pay from $100 and upwards. If, for example, you manage to find an XSS in a Google site, you will probably be rewarded with $3,133.7 or more.
- Have fun. What makes something fun is bound to differ from person to person, but imagine playing an advanced game that only a few people in the world are capable of, and when you succeed in conquering a particular challenge, you receive thanks and money. Sounds great, doesn’t it?
- Use skills you already have, if you are a programmer. Programmers know how applications are built and, in particular, they know the shortcuts developers take, which may introduce vulnerabilities. I believe this gives programmers an edge over other hunters.
- Make the world more secure. Many researchers are driven by this point: to improve security for everyone. Sometimes you find something that you know would have been a disaster for lots of users if it had been found by an evil hacker (also known as a black hat). Reporting something like that feels good and motivates the company to keep its bug bounty program running.
- Build your CV. By publishing your findings and ranking high on top lists, you will display your skills to current and future employers. This may help you raise your salary or land a new job.
- Expand your network. There are lots of interesting people in the bug bounty community who gladly share their knowledge and are open to questions and even to meeting up in real life.
What (should you look for)?
So, what kind of vulnerabilities are we talking about? In general, anything that allows you to do something you shouldn’t be able to do. Some of the usual vulnerabilities are:
- XSS – Cross Site Scripting. Injecting JavaScript code into a web page that another user is visiting.
- SQLi – SQL Injection. Injecting SQL commands into a SQL query that is run against a production database.
- RCE – Remote Code Execution. Running your code or commands on someone else’s server.
- IDOR – Insecure Direct Object References. When you access secret data by manipulating an ID (e.g. ?id=1234 -> ?id=1233).
- CSRF – Cross Site Request Forgery. Executing actions on another user’s behalf by secretly submitting a form to another site.
These are all web application vulnerabilities, but all kinds of security holes are interesting, of course. Read more about web vulnerabilities in the OWASP Top 10 (see the Links section below).
How (do you do it)?
First, learn how to exploit IDOR vulnerabilities, then CSRF vulnerabilities; they are common and easy to understand. To find an insecure direct object reference, all you have to do is change a parameter in a URL (or sometimes in a POST request) to something that is not yours and see if you are allowed to access it anyway.
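The IDOR pattern described above (changing ?id=1234 to ?id=1233), shown from the developer’s side as an added example that is not part of the original article: an unchecked lookup next to the fixed version that ties every object to the requesting user. The invoice records, user names and URL format are constructed for the example.

```python
# Added example (not from the article): the IDOR the text describes,
# as a lookup that trusts the id as-is beside one that enforces ownership.
# All records, user names and URLs below are constructed sample data.

from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float


# Constructed sample records standing in for a production table.
INVOICES = {
    1233: Invoice(1233, "alice", 120.0),
    1234: Invoice(1234, "bob", 80.5),
}


def invoice_id_from_url(url: str) -> int:
    """Extract the id parameter from a request such as /invoice?id=1234."""
    params = parse_qs(urlparse(url).query)
    return int(params["id"][0])


def get_invoice_vulnerable(current_user: str, url: str):
    """Insecure direct object reference: the id from the URL is used directly,
    so any logged-in user can read any invoice just by editing the number.
    current_user is accepted but never consulted, which is the bug."""
    return INVOICES.get(invoice_id_from_url(url))


def get_invoice_fixed(current_user: str, url: str):
    """Same lookup, but the record must belong to the requesting user.
    Returning None for both 'missing' and 'not yours' also avoids
    revealing which ids exist."""
    invoice = INVOICES.get(invoice_id_from_url(url))
    if invoice is None or invoice.owner != current_user:
        return None
    return invoice


if __name__ == "__main__":
    # bob edits ?id=1234 (his own invoice) to ?id=1233 (alice's)
    print(get_invoice_vulnerable("bob", "/invoice?id=1233"))  # alice's record leaks
    print(get_invoice_fixed("bob", "/invoice?id=1233"))       # None
```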
When you feel more confident, you can try out XSSes. These are also very common. Since they run in the browser, you can often find them without affecting other users. Begin by trying one of several online challenges, for example the XSS Game by Google (see the Links section below). When you get the hang of finding XSSes, you can expand into other types. Recently, Krzysztof Kotowicz from Google held a presentation where he listed the things Google is looking for. Take a look at the slides (see the Links section).
So, you have found your first vulnerability, and now it is time to report it. This is mostly done through either special forms or plain old email. It is important to write a good report that makes the vulnerability easy to reproduce and assess, but on the other hand, that is all you will have to do, apart from confirming that the vulnerability has been fixed. No regression testing, no complete coverage, just report the bug and you’re done!
There are chiefly two types of programs: self-hosted, for example Google’s and Facebook’s programs, and managed programs. The latter are run through “bug bounty platforms”, where all communication and payment are handled by a company specializing in bug bounty programs. The big platforms are HackerOne, Bugcrowd, Cobalt, and Synack. Create an account on each platform and look through their programs. You might be familiar with some of the sites that are targets, and that always helps a lot when trying to figure out what might be possible to abuse.
Who (is doing it)?
Bug bounty hunting is an international phenomenon, but there are several very skilled and high-ranking bug bounty hunters from Sweden. I’m not going to mention any names, because that would probably mean I would forget someone. Take a look at the leaderboards of the platforms to see who currently ranks among the top hackers in the world: http://hackerone.com/thanks, http://bugcrowd.com/leaderboard, and https://cobalt.io/researchers (Synack has no top list, since they are rather secretive).
A great way to learn more is to follow these and other hackers on Twitter. Many of them regularly post write-ups about interesting bugs they have found.
Hopefully this has inspired you to go looking for security holes. Before you know it, you will receive an email announcing your first bug bounty!
Links and resources
Bug bounty platforms
Bug bounty programs
Bugcrowd’s big list of bug bounty programs:
https://bugcrowd.com/list-of-bug-bounty-programs
HackerOne’s directory with more than 1000 companies:
https://hackerone.com/directory
Google’s responsible disclosure page:
https://www.google.com/about/appsecurity
Facebook’s responsible disclosure page:
https://www.facebook.com/whitehat
Miscellaneous
OWASP Top 10:
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
Google’s XSS game:
Secrets of Google VRP. The bug hunter’s guide to sending great bugs:
https://sites.google.com/site/bughunteruniversity/behind-the-scenes/secrets-of-google-vrp
HackerOne’s resources for new hackers:
https://hackerone.com/blog/resources-for-new-hackers
Bugcrowd’s “How to become a Bug Bounty Hunter”:
https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter
Swedish podcast Säkerhetspodcasten interviewing Frans Rosén about bug bounties:
http://sakerhetspodcasten.se/pods/sakerhetspodcasten-avs-52-bug-bounties-med-frans-rosen
Thanks to Frans Rosén, Mathias Karlsson, Mikael Weckstén, Linus Särud and Mårten Mickos for very helpful feedback on this text.