Introduction to Hunting Bugs
Why do we learn to hunt bugs? It is difficult to answer this question in one sentence. There are several reasons, and they vary from person to person.
The first and foremost reason is that we want to be better security professionals or researchers. When a security professional is able to hunt security bugs in a web application, it gains them recognition; and because they are helping the whole community to remain safe and secure, it earns them respect as well.
At the same time, the successful bug hunter usually gets a bounty for their effort. Almost every big web application, including Google, Facebook, and Twitter, has its own bug hunting and bounty program. So learning to hunt bugs may also help you to earn some extra money.
There are many security experts and researchers who make this their profession and earn regular money by hunting bugs.
Reading this book will give you insight into implementing an offensive approach to hunting bugs in web applications. However, that knowledge should never be used for malpractice. You are learning these “attacking techniques” in order to defend web applications as a penetration tester (pen tester) or an ethical hacker. As a security professional, you are supposed to point out those bugs to your client so that they can rectify the vulnerabilities and thwart any malicious attack on their application.
Therefore before moving any further, we should keep this important caveat in mind: without having permission from the owners, you may not and should not attack a web application. With permissions, yes, you may move forward to hunt bugs and make a detailed report of what can be done to defend against them.
There are also several good platforms (we will talk about them in a minute) that allow you to work for them, and as a beginner, you should register with those platforms and hunt bugs for them. The greatest advantage is that you get immense help from fellow senior security professionals.
You learn while you earn, and it is safe: you are hunting bugs or finding exploits and vulnerabilities with the owner’s permission. As a beginner, you should not try these techniques on any live web application on your own. In many countries, attacking a system without the owner’s permission is against the law. It may land you in jail and end your career as a security professional.
Therefore, it is better to be registered with the bug bounty platforms and play the game according to the rules. We urge you to use the information contained in this book for lawful purposes; if you use it for unlawful purposes and end up in trouble, the author and the publisher will not be responsible.
In my opinion, if you are only interested in the bounty, you will not learn anything, and in the end you will earn neither money nor respect. Finding exploits and vulnerabilities demands a very steep learning curve. You need to know many things, including web application architecture, how the Web evolves, what the core defense mechanisms are, and the key technology behind the Web (e.g., the HTTP protocol and encoding schemes). You must be aware of how to map a web application and of the different types of attacks that can take place. In this book, we will learn these and more together.
Now we can try to summarize the bug bounty program in one sentence. Many web applications and software developers offer a bounty for hunting bugs; doing so also earns recognition and respect, depending on how well you are able to find the exploits and vulnerabilities.
If you prefer a shorter definition than the previous one, here it is:
An ethical hacker who is paid to find vulnerabilities in software and web sites is called a bug bounty hunter.