Bug Bounty Roadmap from Scratch
Lots of us have been involved with computers since we were born and were amazed by hackers in movies and their magics. But what if we want to have a similar career?
The number of interested people in this field is growing, and they might come up with various questions regarding expanding their knowledge and career. Thus, we have decided to make our suggested roadmap.
This roadmap is designed for all levels. Junior, Medior, and Senior you can follow the suggested topics to visualize the obstacles in front of you that you should bypass to become a successful Security Researcher.
Here is the preview of the roadmap. Click here for the complete roadmap image, it looks like this:
To become a Pen Tester, Bug Hunter, or Security Researcher there are several obstacles in the way that we should keep in mind. The most important point is that the knowledge in this field is evergrowing, and won’t be finished. Keeping that in mind, we can’t ever expect ourselves to know everything, even top Security Researchers are learning new techniques daily.
On the other hand, to become successful in this field, we need to have lots of passion, patience, and eagerness to learn to hack and break into stuff. This roadmap is our suggested way of deducing your time in this field, by no means do we know all of that stuff, but the suggestions are based on our knowledge and experience over the past few years of working in the Application Security field.
There are various materials and books suggested in this blog, and these are our preferences based on our experience and readings. You can find various other resources on the mentioned topics by yourself too, so do not restrict yourself.
This is the ideal roadmap for expanding your career in application security, meaning that some topics might not be a necessity to find vulnerabilities. However, those are the topics that most people skip when starting, so by learning those you can have better visualization and understanding of the same topic. Keeping that in mind, we have also guided you through a shortcut roadmap that you can use to start your hacker career as soon as possible.
To sum up:
Nobody knows everything.
Various materials are available on each topic. Find what suits you best.
The learning process may be different among people.
There is also a shortcut roadmap to start practical hacking as soon as possible.
This roadmap might take years of learning process, do not rush things.
Last but not least, Practice makes perfect!
To start this career, we highly believe that you should love to hack. back in time, there were no bug bounty programs, VDPs, etc. The people were just doing hacking as their main passion instead of monetary purposes. meaning that you should have chosen hacking as your passion and understand the difficulties that may come up.
The second point is that this career is time-consuming. If you want to be as good as a proficient Security Researcher, you should deduce a lot of your daily time reading and learning new things, and as mentioned before, the knowledge in this field is growing.
Before proceeding to the next steps, understand the obstacles that might come the way, and ask yourself if this field is what suits you best.
Every career has a bunch of prerequisites which might seem boring but necessary if we are planning to have a successful career. Below is the list of prerequisites that we suggest you have before deep-diving into Application Security.
Networking and Protocols
If you have no background in the networking field, we highly suggest you read Network+ to understand the basic concepts. This will have a huge role in your career later in various vulnerabilities that need networking knowledge.
You should also be familiar with the HTTP protocol and the basic concepts. This is one of the most important initial readings that you should do, as HTTP is what we are going to deal with every day in our lives. We suggest the HTTP: The Definitive Guide book as a perfect example.
Once you start your career in this field, soon enough you will understand that there are various tasks you need to perform daily on a large number of targets. This is an impossible task for a human to do, however, if you learn a programming language like Python or Go, you should be able to automate the boring tasks for yourself.
Various open-source tools have been developed by other hackers and developers that do some publicly known tasks for us. However, there might be some cases in which you come up with an idea and the open-source tool is not available for that purpose. That’s when you need to know how to code your custom tool. For Python, we suggest 30 Days Of Python and for Go, we highly suggest the Learning Go book.
Linux and Bash
The OS you are going to work with is mostly Linux, so you should have basic knowledge of how to properly work with that. You can read Linux in Action to understand the UNIX file system architecture, and Introduction To Bash Scripting to learn how to automate basic tasks in Bash.
It’s recommended to understand the web server’s basics and to implement a practical web server for yourself to test the skills you have. There are various web servers, from which we have suggested Apache as a go-to. To learn Apache web servers we suggest the Apache Cookbook.
For load-balancing and proxies purposes we suggest Nginx as a way to go, as it’s more flexible in terms of those usages compared to Apache. You can read the Nginx Cookbook.
After getting a grip on our suggested list of prerequisites, it’s finally the time to get into the interesting parts and hacking. First of all, you need to learn the basic web vulnerabilities. The OWASP Top 10 has an amazing list of must-know vulnerabilities, which you can plan to start from.
We would highly suggest you learn the Top 10 list from PortSwigger’s Academy which is one the best learning resources out there, and it will be your best friend during your web application security learning process. PortSwigger has an amazing description of each vulnerability and they have built many awesome labs for each topic for you to test your skills in practice.
If you want to start PortSwigger’s Labs you should get their most famous product Burp Suite which is a web proxy, used to intercept and modify the HTTP traffic on demand. It’s a necessity to learn how to set up and work with this tool, which we believe you can gain by working with their labs. However, if you want solid knowledge on this topic we would suggest the Burp Suite Cookbook.
After the above step is done, We’d suggest you take a look at the Kontra Application Security Platform. There are several labs created for both OWASP Top 10 Web and API. The explanation is basic but creative, as you can visualize the steps into the exploitation of a vulnerability.
After understanding the OWASP Top 10 in-depth, you can go back to PortSwigger’s Academy and learn other different vulnerabilities.
Web Application Security Books For Juniors
Besides the practical training, it’s also very nice to read several high-quality books to get a deeper understanding of each topic and to learn even more. There is always room for improvement and to take new small notes. That’s why we suggest several resources on every single topic.
We suggest The OWASP Web Security Testing Guide, in addition to the training you have done before on Portswigger and Kontra, as it contains several other test cases for each vulnerability, as well as a deeper explanation of each topic described by the OWASP team.
One of the most popular books for beginners is The Web Application Hacker’s Handbook 2, in which several web-based vulnerabilities and basic web architectures are discussed. This book is basically a must-read although it’s a bit old. Do not skip it.
If you are planning to try Bug Hunting, you must know that it’s not that simple to find vulnerabilities, and most of the Bug Hunters have their different skills and toolsets. In Bug Hunting, one of the best training methods is to read other hacker’s writeups, in which they have discussed their point of view when hacking, and different kinds of assessments they had done.
Web Hacking 101 is one of those books that have discussed several web-based vulnerabilities as well as mentioned some high-quality writeups on each topic. Reading this book will give you a lead on how Bug Hunting differs from Pentesting, along with learning the hacker’s perspective when approaching a Bug Bounty target.
Keeping Yourself Updated
As mentioned earlier, Application Security techniques change daily. You need to join the community in which other hackers are sharing their knowledge, one might be a writeup, an open-source tool, or a new CVE.
Hackers are mostly active on Twitter. You can follow their works, and keep yourself updated with their writeups either on their personal blog or on Medium. They might also share their open-source tools on GitHub, so always stay tuned.
Make a Custom Methodology
Most of the top Bug Hunters have their own methodology, in which they have written various test cases when approaching a target. They have gained this knowledge from different books or other hacker’s writeups.
We highly suggest you adapt yourself to make your methodology based on your learnings and to keep it updated with each tip you learn daily. To take notes you can use several services such as Notion, Obsidian, and Xmind.
Challenge Your Practical Skills
You’ve gained a great knowledge of different vulnerabilities until now. Finally, it’s time to test your skills in practice and expand your practical hacking expertise.
Many people may dislike CTFs as they seem like games. This approach is both true and false, as there are several real-world cases in which a technique/payload was first introduced in a CTF but later used on a real-world Bug Bounty Program.
- This payload was from a CTF solution by @Blaklis_. I had originally thought it might be an unexploitable XSS, but there seems to always be a solution somewhere for edge case XSS.
The other example is from Orange Tsai‘s BlackHat presentation Breaking Parser Logic – Take Your Path Normalization Off and Pop 0days Out, in which he discussed the Nginx off-by-slash technique that was first introduced at the end of 2016 HCTF.
Participate In Bug Bounty Programs
If you dislike CTFs and rather train your skills on a real target, you can start hunting on Bug Bounty Programs. Usually, this method is a more direct way of expanding your practical skills, as the target you are testing was not supposed to have a vulnerability.
Several types of Bug Bounty Programs are there, some of which pay for reported vulnerabilities, and some of which are “Vulnerability Disclosure Programs (VDP)” that do not pay for reported vulnerabilities. Instead, they usually award you with swags, points, etc. If you are only trying to improve your skills, We’d suggest you try VDPs first as they are easier to find vulnerabilities on.
Follow Security Conferences
One of the most interesting parts of Application Security is when the security researchers are going to present their findings over the past few months/years of their research in Security Conferences.
Usually, they present novel techniques that have been undiscovered until then. By participating in those conferences we learn:
The Security Researcher's point of view and thinking process
The Undiscovered novel technique, that we can possibly find on many targets
Our Weaknesses that we should improve
Update Your Methodology
This is the most important phase of this Tier. We have trained our skills either on CTF platforms, or Bug Bounty Programs. As well as participating in various Security Conferences, from which we have learned a lot.
Before, we have discussed that you should build your custom methodology over time. Now it’s time to continuously update it with the techniques you learn daily.
If you want to expand your skills and improve your expertise even more, then you should start reading high-quality books on this topic, and expand your methodology with those.
Web Application Security Books For Mediors
We highly suggest you start with Web Application Security which explains exploitation and countermeasures techniques of various vulnerabilities in modern applications.
The other book We suggest is Real-World Bug Hunting by Peter Yaworsky, in which he expanded his other book (Web Hacking 101), with more explanations and writeups. These two books look similar, but there are several new methods and techniques explained in the newer book.
Last but not least, We’d highly suggest you read the Bug Bounty Bootcamp by Vickie Li. This is one of the best books in Application Security, as it explains various vulnerabilities exploitation and mitigations, as well as the vulnerable code that caused the issue.
Deeper Understanding of Security Mechanisms
The books discussed above are mostly into offensive aspects of application security. However, to be successful in this field and to better understand what’s happening in the background it’s always good to understand the developer’s mindset and other defensive stuff.
Various books are available to achieve this goal, from which we suggest to you the most popular ones that we have had a great time reading.
The Tangled Web is one of the best books on this topic. The author discusses the web anatomy and browser security features in great detail.
The Browser Hacker’s Handbook is another book, focused on the browser’s security mechanism, as well as various techniques to attack browser extensions, plugins, etc.
API Security in Action is one of the greatest books in the field of API security, API development, and Modern Authentication and authorization development. The book also defines various attacking vectors that could happen to each implementation, from which you can do your own research and find other bypassing techniques.
Web Security for Developers is mostly focused on the vulnerabilities that you have learned before but from the developer’s perspective. The author discusses the vulnerable codes that cause possible issues. Reading this book you can understand what code might cause the issue and how developers reuse vulnerable codes over and over again.
At this stage, you are considered a Security Professional with lots of expertise in various fields. You might be a Pen Tester, Bug Bounty Hunter, or Security Researcher with lots of success in your career. Keeping that in mind, we have discussed earlier that there is always room for improvement. Even in this stage, with lots of different skill sets, you can improve your knowledge and grow even more.
In this stage, and with the skills you have you can find novel techniques that are undiscovered yet until then. So, how can we possibly find novel techniques and present them later on to the community?
Understanding Software Architecture Patterns
Basically, we need to understand different Architectural Patterns, Modern Web Applications Structures, Single Page Applications Structures, Different Authentication and authorization Implementations, Infrastructure Implementations, and Various Programming Frameworks.
Based on the topics discussed, you should now be able to find yourself a suitable resource to learn from. We have also suggested two books as an example. Your methodology should be to get as deep as possible on each implementation.
magine you want to learn about various authentication implementations, and you want to learn the OAuth protocol. You should find a proper resource for it and down the rabbit hole, you go. Getting Started with OAuth 2.0 is one of the suggested books in this field, as it discusses the Server-Side and Client-Side Web Application Flow, Client Credentials Flow, OpenID Flow, and various other tools and libraries.
There are several other implementations and architectures to learn. Now with this mindset, you should be able to find the needed resources depending on your needs.
Deep Into Web
Besides Software Architecture, we need to have a deeper understanding of HTTP protocol. The new trend is into HTTP/2 with lots of new techniques recently introduced. One of which was HTTP/2: The Sequel is Always Worse by one and only James Kettle.
He introduced several novel exploitation techniques of HTTP Desync vulnerabilities while dealing with HTTP/2. This was one of the few examples of trends and new techniques discovered in protocols. Thus, we should have a proper understanding of different web protocols to be able to come up with novelties.
To learn HTTP/2, we would suggest the Learning HTTP/2 book, and later going down through the new security research on this topic to better understand the possible discovered attacks until now.
Over the past few years, the infrastructure design has also been focused on by Security Researchers. One of the interesting concepts is reverse proxies and load-balancing.
One of the top Security Researchers in this field is Aleksei Tiurin.
He maintains an extensive repository of various research on proxies. With the new trends of HTTP/2, he also presented his research Weird proxies/2 and a bit of magic, in which he explains different Host and Path Misrouting exploitation techniques.
The attack surface on this topic is still growing. Over the past few years, many novel techniques have been discovered due to inconsistency and misconfiguration of proxies, such as H2C Smuggling in the Wild, Web Cache Poisoning, and HTTP Desync Attacks.
The other important web protocol is SSL/TLS in which there are lots of room for possible research. Before, we have seen that a vulnerability has been discovered in the OpenSSL implementation. i.e. The POODLE Attack.
Learning SSL/TLS protocol might not lead to a direct vulnerability but leads to a proper understanding of the web you are dealing with on a daily basis. We would suggest the Bulletproof SSL and TLS book for this purpose.
The Programming Language in this phase differs from the one we had in Tier 1. In that section, we described how important automation is. However, here the usage is different as they are used mostly for building applications ourselves to achieve a couple of purposes:
Building Web Applications
Understanding the Architectures
Understanding different protective functions and possible bypasses
Code Review knowledge for various White-Box projects
By doing the mentioned bullets, you will have a proper understanding of the application you are dealing with. This means that you will choose your test cases and payloads based on the technology and the programming language of that website. No more spray and pray.
One of the very productive learning methods is to build the various vulnerable applications and then break into them. Not only you are hacking into an application, but also you understand the application architecture and vulnerable code. Later on, when you observe an application with the same technology, you guess the possible backend code.
There are various programming languages for this purpose, such as PHP, Go, Python, NodeJS, and Java. Choose what fits you the best and later go through others as well. Slowly but surely, you will learn different technology stacks and you will be able to code various applications and understand the possible backend code in your black box security assessment.
Deep Into Frameworks
After learning the programming languages, we need to get into the various frameworks. How learning the frameworks can improve our security knowledge you might ask.
Each framework has its own security features that lead us toward the correct test cases we should conduct. Various protections are applied by default in these frameworks, for example:
Laravel handles XSS by sanitizing the user input
Django provides CSRF protection
Rails provide Clickjacking protection
ASP.NET handles SQL injection using parameterized queries
As observed, each framework has its own security feature, there are many other features in addition to the examples above. If we are familiar with the frameworks, we understand the assessments we should conduct based on the technology stacks of the target we are dealing with.
Everyone has a hacker inside, It’s just a matter of waking them up and getting them to use. Choose it as a passion and go down using the roadmap. Slowly but surely you will gain the knowledge to be a proficient Security Researcher.
This roadmap is meant to be used for all levels of knowledge. Choose your goal and take the steps to achieve it. 5 red sections in the roadmap image are the shortcuts you can go from to start hacking as soon as possible. However, keep in mind that you will need to review the other sections later on.
Take care, and Happy Hacking!