Learning Cybersecurity: Where to begin

For an absolute beginner, the field of bug bounty and the even larger field of cybersecurity as a whole can feel vastly overwhelming and confusing. False information is everywhere, and people are swamped with so much terrible information that it becomes rather difficult to find decent information amongst a sea of absolute crap. The purpose of this page is not to teach you cybersecurity, as that would be far too time-consuming; instead, this page will help point you in the right direction and tell you which topics you need to focus on in order to properly get into cybersecurity. The onus is then upon you to actually go ahead and learn that information. We aren't going to hold your hand through this entire process – we will merely give you an overview of what topics are required to become at least somewhat competent at cybersecurity. Sorry in advance, but some people need to hear this: if you are expecting someone to hold your hand and teach you everything about cybersecurity one step at a time, then in all probability you lack the inquisitive and curious nature required to become competent in this field. This is not an attempt at “gatekeeping” or anything of the sort; we are just pointing out the fact that to ever become good at cybersecurity (or even programming, for that matter) you must first become good at using Google to find specific answers to your questions. So, as a quick recap as to what this guide is and what it isn't: this post will help you gain an understanding of what it is that you need to learn to become good at cybersecurity, but that is all. The rest is on you. What this post will not do is teach you “HoW To BeCoMe A HaCkEr”. In the words of a wise man: “Don't learn to hack, hack to learn”. Anyhow, enough rambling. Without further ado, let's begin.

Before you even consider getting into cybersecurity of any sort, you should ask yourself the following questions:

  • Can you code? Do you have any programming experience?
  • Do you understand how operating systems and CPUs work underneath the hood?
  • Have you got any experience with developing web applications?
  • Do you have an understanding of cryptography and concepts such as hashing and salting?
  • Have you got experience using Linux? Do you know your way around a terminal properly?
  • Do you have any background in networking? Do you have an understanding of the OSI Model? Do you know how HTTP Requests/Responses are formed? Do you know the meanings of specific HTTP headers? Do you know the purpose of specific HTTP verbs and when certain verb types should be used in place of others?

If you don't know the answers to the majority of these questions, then you should not be diving head-first into cybersecurity. You're just going to overwhelm yourself and will wind up quitting before actually giving it a proper chance. We have witnessed this countless times. Don't try to run before learning to walk. Honestly, a lot of the time, rather than focusing on trying to learn how to hack, you should instead be focusing on gaining an understanding of fundamental core concepts such as these; then, by default, you will begin to naturally gain an understanding as to how hacking works. As a whole, learning the fundamentals is a lot more productive and beneficial than confusing yourself by attempting to learn advanced hacking techniques as a newcomer. It's probably not the best of ideas to be trying to exploit flaws in code when you don't know the first thing about how that code works, and you don't even have a grasp on basic conditional logic within programming. It wouldn't be the smartest of decisions to be capturing HTTP requests and analyzing them without an understanding of how HTTP request/response headers are structured or formatted. If you don't already know concepts like programming and networking, then you should not be attempting to learn how to hack right now. You should pause your attempts at learning how to hack, and instead spend your time focusing on learning how to code properly and gaining an understanding of networking concepts such as the OSI Model.

Now, expanding on the list of questions above, here is a second list of what we personally think are important fundamental things you should learn before even attempting to learn how to hack. We will present them to you as a checklist of questions in some bullet points (note that these aren't necessarily “vital”; you can definitely learn to hack without knowing all of these things. These are just our personal recommendations for learning concepts that would make hacking a lot easier to understand. Please do remember, though, that these are entirely optional, and you can continue on to the rest of the guide without covering these.):

  • Do you understand how computers communicate with each other? If not, then learn computer networking. Learn about how data flows throughout the OSI Model or TCP/IP stack, and learn about the different protocols and devices within each layer of the OSI Model. Specifically spend time focusing on learning and understanding HTTP as a protocol (within the Application Layer), as a large portion of time spent hunting on bug bounty programs will be spent analyzing HTTP requests and responses, then manipulating and resending them in an attempt to identify vulnerabilities. Thus it is crucial that you gain a solid understanding as to how HTTP requests and responses are formatted, what the meanings of certain headers are, and why certain HTTP verbs are used.
  • Do you write code in any programming or scripting language currently? If you don't know a programming language yet, then learn one. It doesn't matter which; just pick a language, stick with it, and learn it like the back of your hand. This will have countless uses during bug bounty hunting sessions. For example, you may be performing whitebox-style code analysis against an application during a bounty hunt, in which case you would need to understand how to read snippets of code; or you may have found a vulnerability that requires you to send a few thousand API requests in order to exploit it, in which case you would have to spend time writing a script that queries their API via opening a socket or whatever. Also, for bonus points, learn socket programming properly. By this I mean, learn it for C/C++ so that you learn how to construct raw sockets to open connections and so on – this will give you a much deeper and more in-depth understanding of network programming as a whole; however, it will be difficult and time-consuming (the payoff will be huge though!). If you do decide to go down the route of learning socket programming properly, then Beej's guide, which can be found here, is absolutely perfect for learning. Alternatively, in languages such as Python you can take advantage of premade libraries to automatically construct sockets for you and allow you to handle data connections and so on, rather than having to deal with raw sockets (so, C/C++ programming with raw sockets for learning purposes, and Python with premade networking libraries for ease of use / efficiency).
  • Have you gained an understanding as to how CPUs work and learned about different types of memory (stack, heap, etc.)? Personally I did this by reading the book “The Fundamentals of Computer Architecture” and pairing the things I learned there with a 16-bit CPU emulator named JASPer, which can be downloaded here. This allowed me to introduce myself to ASM in a simple manner, using an instruction set with only around 255 opcodes in total so that it wasn't overwhelming. You don't need a super in-depth understanding of this stuff, especially not for bounties (unless you're doing a Pwn2Own or something); however, it would be good to at least have a basic understanding as to how the CPU works under the hood.
  • Are you familiar with Linux? Have you used it as your primary daily operating system in the past? Are you able to quickly and efficiently navigate your way through a terminal and perform most commands via the CLI? The vast majority of web servers are running Linux… what happens if you hack a server, then you aren't able to do anything whatsoever with your access because you don't know how to run Linux commands? You'd be the worst hacker ever!
  • Do you know the difference between ring-3 and ring-0? Userland vs kernel mode? Do you understand the concept of things like horizontal or vertical privilege escalation? Do you understand the significance of root user accounts on Linux or SYSTEM/NT AUTHORITY on Windows? Do you understand how different access controls work? How about different internal security measures on your machine at an OS level?
  • Have you ever developed your own fully-functional web applications before? Do you have a good understanding of the design process that goes into building a web application? Do you understand which functions in server-sided webapp langs are potentially vulnerable? Do you understand how you would write web applications that patched these vulnerabilities on the fly? Can you look at some particular functionality within a web application and have enough web development experience to be able to get a good feel for what kind of code must have been written in order to implement that particular/specific functionality?
  • Have you learned cryptography? Do you understand things like hashing and salting? Do you understand the pros and cons of different algorithms? Do you have an understanding of the concept of 'keys' within cryptography? Do you know what cryptographic breaks are and do you have an understanding as to how some of them have worked in the past?
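To make the HTTP and socket-programming points in the checklist above concrete, here is an added Python example; it is not code from this wiki or from any project it mentions. It assembles an HTTP/1.1 request by hand (request line, headers, blank line, body), sends it over a plain TCP socket, and splits the raw response back into status code, headers and body. The throwaway echo server it talks to, the port it picks and the `verb=… path=… ua=…` body the server reports are all constructed for the example so that it runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


# Constructed local server for the example: it answers every request with a
# one-line body describing the verb, path and User-Agent it actually received,
# which is exactly what you want to see when learning how a request is built.
class EchoHandler(BaseHTTPRequestHandler):
    def _reply(self):
        body = (
            f"verb={self.command} path={self.path} "
            f"ua={self.headers.get('User-Agent')}"
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD must return headers only, never a body
            self.wfile.write(body)

    do_GET = _reply
    do_POST = _reply
    do_HEAD = _reply

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the echo server to a free loopback port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_request(method, path, host, headers=None, body=b""):
    """Assemble the bytes of an HTTP/1.1 request exactly as they go on the wire."""
    hdrs = {"Host": host, "User-Agent": "example-client/0.1", "Connection": "close"}
    if body:
        hdrs["Content-Length"] = str(len(body))  # the server needs this to know where the body ends
    hdrs.update(headers or {})
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    # CRLF separates lines; an empty line separates the head from the body.
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_response(raw):
    """Split a raw response into (status_code, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ")[1])  # e.g. "HTTP/1.0 200 OK" -> 200
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def send_request(port, method, path, body=b""):
    """Open a socket, send one hand-built request, and read until the server closes."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(build_request(method, path, f"127.0.0.1:{port}", body=body))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(send_request(port, "GET", "/?q=1"))
    print(send_request(port, "POST", "/submit", body=b"a=1&b=2"))
    print(send_request(port, "HEAD", "/"))
    srv.shutdown()
```

Run it and compare the three exchanges: the GET carries its data in the path, the POST needs a `Content-Length` so the server knows where the body ends, and the HEAD comes back with the same headers but an empty body. Dumping `build_request(...)` before sending is the quickest way to see the exact bytes an intercepting proxy would show you.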

If you learned all of these topics by yourself in depth over time, then, by the time you were done doing all of that, you would already have a pretty decent understanding as to how hacking works. Even if you may not yet know the names of specific attack types or how exactly they are carried out, you will at least have a pretty general idea as to how the process works. The materials within this wiki are going to be primarily focused on web application security, due to the fact that the majority of bug bounty programs are still web-based. However, we will still be branching out into other areas that are becoming eligible for bounties, such as DeFi, cloud security, and mobile security. Despite this, we will still mostly be focused on web application security, with that making up around 80% of our total content. Seriously, if you take anything whatsoever from this guide, it should be that you need to avoid wasting your time attempting to learn “how to hack” and instead just focus on learning these fundamental core tech-related concepts. The deeper understanding that they will give you will allow hacking-related concepts to be picked up and understood more “naturally” by you in future, if they are discussed around you (as opposed to if you hadn't learned these core concepts).
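The cryptography item in the checklist asks whether you understand hashing and salting. The added Python example below (written for this page, not taken from the wiki or any project it names) shows the difference concretely: a bare SHA-256 gives every user with the same password the same digest, whereas a per-user random salt run through PBKDF2-HMAC makes the stored values distinct and forces an attacker to attack each record separately. The iteration count and the `pbkdf2_sha256$…` storage layout are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed work factor for the example; pick the count for real systems
# from current guidance and the hardware you run on.
ITERATIONS = 200_000


def unsalted_sha256(password):
    """The weak pattern: identical passwords hash to identical values."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, work factor, salt and digest.

    A fresh 16-byte random salt is drawn per call, so two users who choose the
    same password end up with two unrelated records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # so timing does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted, alice:", unsalted_sha256("correct horse"))
    print("unsalted, bob:  ", unsalted_sha256("correct horse"))  # identical
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print("salted, alice:  ", alice)
    print("salted, bob:    ", bob)  # different salt, different digest
    print("verify alice:", verify_password("correct horse", alice))
    print("verify wrong:", verify_password("wrong", alice))
```

Storing the algorithm name and iteration count alongside the digest is what lets you raise the work factor later and re-hash each user transparently at their next login, instead of being stuck with whatever parameters were chosen on day one.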

Getting used to cybersecurity tools and resources

After having learned some of the fundamentals, and taught yourself some basic networking and programming concepts, hacking-related concepts should now be a lot easier for you to understand. For example, if someone is talking about sending their payload via an HTTP POST request, you will now know exactly what they mean.

There are a bunch of resources which you should learn like the back of your hand, and use as a near-constant reference. There are lots of decent books on web application security and bug bounty hunting. Some examples that come to mind that I think are worth taking a look at are Jason Haddix's book and Zseano's book. Bookmark the OWASP Top 10, the OWASP Wiki and the OWASP Cheatsheet Series. Personally, I think the old wiki link is a better option than the current cheatsheet series links. The original wiki link can be found here. You should also keep an eye on bug bounty related feeds, to ensure that you are staying up to date with recently disclosed reports. I personally have a bot which feeds reports from the hackerone.com “hacktivity” feed into my Discord or IRC chat rooms, so that we are frequently being updated with newly-released bug reports. I also follow the @disclosedh1 Twitter account, which shares the links to recently-disclosed HackerOne reports. In addition to this, two other pages that are definitely worthwhile bookmarking are the PayloadsAllTheThings GitHub repository (you can use this as a reference while testing for various types of web-based vulnerabilities) and the SecLists GitHub repository (you can use these lists paired with things like subdomain enumeration tools or fuzzers).

There are a number of tools that you should download in preparation for learning bug bounty. The operating system that you decide to use is a matter of personal preference. I often see people saying that it's not possible to hack on Windows, but it most certainly is! Most people will either use Windows or Linux. Personally, I run both ArchStrike (a fork of BlackArch made to be a lot more modern and efficient, so essentially it's Arch Linux for pentesting) and additionally Win10 + Win-KeX via WSL2. In terms of tools, while it is possible to hack webapps and do bug bounties via your browser alone, it is a lot more efficient to utilize a handful of tools. It is worth pointing out that while some tools are useful, others should be avoided like the plague – in particular, vulnerability scanners should be avoided. The reasoning for this is that they are noisy (e.g. they produce lots of logs), they have a high rate of false positives (stuff that isn't vulnerable being marked as vulnerable), and they have a high rate of false negatives (actual vulnerabilities being missed). The only times you should actually be relying on tools or automation are in the following circumstances:

  1. You are making use of reconnaissance tools for mapping out your potential attack surface and performing discovery / asset identification against your target environment. Automation of your reconnaissance process is not only acceptable, but it is far more efficient than performing recon manually.
  2. You are using a tool to proxy HTTP traffic through it, allowing you to view, edit, modify/manipulate, and (re)send HTTP requests for hacking-related purposes. Tools such as Burp Suite Pro or OWASP ZAP, for example. These tools allow you to perform in-depth analysis of HTTP traffic within web applications, and allow you to modify HTTP requests to include malicious values within them, in order to identify potential vulnerabilities.
  3. You are automating some awkward part of the exploitation process, for example exploiting some weird time-based boolean SQL injection vulnerability via a tool such as sqlmap, or exploiting some out-of-band SSRF with very limited functionality.

Usage of tools is acceptable in the three scenarios above. Within scenario 3, you should only be using tools such as this if you already have an understanding of how the technique works manually (and you are just using the tool to save a lot of time by automating the process). As a general rule of thumb, if you're not capable of writing a tool that performs the same actions and makes use of the same concepts, then you have no business using such a tool in the first place. You should only ever be automating stuff that you're capable of doing manually, because if you rely on automation for everything, then how do you expect to ever learn properly and expand your skill set?

Here are some tools that I personally use, which fit into the categories above. I will name each of the tools and also write a brief description explaining a use case for each tool:

  • Sublist3r, recon-ng, altdns, amass, dnsrecon, knock, subbrute, axiom - These are all subdomain enumeration tools for mapping out subdomains in use by a domain name. This is particularly useful when we have a scope like *.com on one of our bounty targets. I've found it is best to use a combination of multiple subdomain tools and then aggregate the results from each of them into one single dataset. I'll discuss subdomain enumeration in much more detail within the “Reconnaissance & Discovery” section of this wiki.
  • dirb or gobuster - These are tools that I use specifically for filename and/or directory bruteforcing. They allow me to run a wordlist of my choice against a directory path of my choice, and they will attempt to make requests for each word in my list to see if any files or directories exist by that name. These are useful tools for mapping out the internal infrastructure of your target by seeing which files or directories are in place.
  • nmap - I use this tool for a number of port/service enumeration related functions, such as generic port scanning, stealth scanning, various methods of scanning which will circumvent firewalls and IDS/IPS, custom NSE scripts for all different kinds of more advanced exploitation, and additionally stuff like OS detection.
  • masscan - I use this tool as an alternative to nmap: while I use nmap for fine-tuned scans against a single target, I use masscan for scanning entire IP ranges at once. For example, I would use masscan in place of nmap if I wanted to quickly scan an entire subnet, or if I wanted to probe the entire internet for a specific vulnerable service.
  • shodan.io, censys.io, intelx.io, publicwww.com, crt.sh, hackertarget.com and many other sites - These are a number of websites which can be used for various passive/active reconnaissance purposes while doing bug bounties. Many of these platforms have both free versions and paid versions. They allow you to correlate domains together based on stuff like matching SSL Certs or matching favicon.ico images, and some of these tools even allow you to search internet-connected devices for things like specific headers, or to search the source code of websites for specific strings.
  • Burp Suite Pro or OWASP ZAP - These are tools that you can install and route HTTP traffic from your browser through. This allows you to analyze HTTP requests, and modify then re-send ones that look interesting, in order to test for various exploitation scenarios and identify potential vulnerabilities. While this can be done using the 'network' tab in browser devtools, it is a lot more efficient to use one of the aforementioned tools. Even the free version of Burp Suite (Community Edition) is a much better option than using browser devtools.
  • Burp Collaborator, simplehttpserver on a VPS, or dnslog.cn - These tools are used to confirm the existence of out-of-band vulnerabilities such as SSRF by generating a custom URL which you can make a DNS request to, then you can check these tools to see whether the DNS request was actually made, to confirm whether or not an out-of-band vulnerability actually exists.
  • xsshunter.com or xsshunter app installed locally - These are used for confirming the existence of Blind XSS vulnerabilities. For example, if your payload is being reflected to an admin panel that you don't have access to, you can use these services to craft custom payloads so that when an admin loads your XSS payload, it makes a request to your XSSHunter server, allowing you to confirm the existence of the vulnerability.
  • sqlmap - You would use this tool to automate the exploitation process of awkward/annoying SQL Injection vulnerabilities. For example if you had a time-based blind boolean SQLi, you'd probably want to automate this even if you were well-versed in manual SQLi, due to the fact that this manner of SQLi is exceedingly annoying to exploit.

It is also worth noting that, in addition to all of the tools listed above, many of the tools you wind up using will very likely be your own. Probably 80% of the tools I personally use for reconnaissance are my custom bash scripts or custom nmap NSE scripts. Over time you'll learn to write custom scripts for custom reconnaissance against specific targets. You'll build your own recon scripts suited to those particular targets, and you'll also wind up using custom wordlists, subdomain lists, or fuzz lists, or even building your own based off of permutations using tools such as altdns.
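The subdomain-enumeration bullet above recommends running several tools and aggregating their results into one dataset, and this paragraph notes that most of that glue ends up being your own scripts. As an added Python example (not the wiki's own code and not taken from any of the tools named), here is the kind of aggregation step that sits between those tools and everything downstream: it normalises hostnames the way different tools emit them (mixed case, trailing dots, wildcard prefixes), rejects anything that is not a valid hostname or not under the root you are actually authorised to look at, and records which tools corroborated each name. The tool names and the output lines in `TOOL_OUTPUT` are constructed for the example and are not captured from any real scan.

```python
import re

# Constructed sample output imitating a few enumeration tools. The domain
# names are made up for this example.
TOOL_OUTPUT = {
    "sublist3r": ["www.example.com", "API.example.com", "dev.example.com"],
    "amass": ["api.example.com", "mail.example.com.", "*.staging.example.com"],
    "crtsh": [
        "dev.example.com",
        "example.com",
        "not-in-scope.org",            # a different organisation entirely
        "api.example.com.evil.test",   # looks in-scope at a glance, is not
    ],
}

# RFC-1123-style hostname: labels of 1-63 chars, letters/digits/hyphens,
# no leading or trailing hyphen, at least two labels, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize(name):
    """Lower-case, drop a trailing dot, and strip a '*.' wildcard prefix."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name, root):
    """True only for the root itself or a real subdomain of it (suffix check on a label boundary)."""
    return name == root or name.endswith("." + root)


def aggregate(results, root):
    """Merge per-tool name lists into {hostname: set of tools that reported it}."""
    merged = {}
    for tool, names in results.items():
        for raw in names:
            name = normalize(raw)
            if not HOSTNAME_RE.match(name) or not in_scope(name, root):
                continue  # malformed or outside the authorised root: drop it
            merged.setdefault(name, set()).add(tool)
    return merged


def corroborated(merged, minimum=2):
    """Names reported by at least `minimum` tools, handy for prioritising manual review."""
    return sorted(n for n, tools in merged.items() if len(tools) >= minimum)


if __name__ == "__main__":
    merged = aggregate(TOOL_OUTPUT, "example.com")
    for name in sorted(merged):
        print(f"{name:28s} {', '.join(sorted(merged[name]))}")
    print("seen by 2+ tools:", corroborated(merged))
```

The scope check matters as much as the deduplication: `api.example.com.evil.test` passes a naive "contains example.com" test but fails the label-boundary suffix test here, and that is exactly the kind of host you do not want quietly entering a scan list.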

learning_cybersecurity/where_to_begin.txt · Last modified: 2022/07/10 01:41 by gbfod