INTRODUCTION


Hello everyone, hope y'all are doing well. In the past week I received over a hundred messages; sorry if I couldn't answer everyone! Most people asked me about bug bounties and hacking, so this blog post is dedicated to answering those questions.


ABOUT ME


Hi, I'm Mhamed Kchikech, 18 years old and proudly a 1337 student. I have loved computer science since I was a kid; I began programming 7 years ago and cybersecurity 2 years ago. I have been acknowledged by many big companies for finding security issues on their websites, including PayPal, Facebook, Microsoft, Sony and Spotify.


WHAT IS A BUG BOUNTY PROGRAM


A bug bounty program is a program, open to everyone, in which an organization offers hackers monetary rewards for each valid, in-scope bug they report. Such programs are run by many websites, developers and organizations.


Who can participate in such programs?


Anyone can participate, unless the program owner imposes restrictions (age, country of residence and the set of in-scope targets are the usual ones), so always read a program's rules before you start.


Examples of companies running such programs:


Almost all big companies run one, for example Google, Facebook, Microsoft, PayPal, Tesla and Yahoo.


How can someone start with bug bounties and hacking?


I have tried to summarize it in five steps:


1) Read


If you have never heard about hacking, start by reading. Here are some books and guides you should read:

OWASP Testing Guide:
https://owasp.org/www-project-web-security-testing-guide/

Penetration Testing: A Hands-On Introduction to Hacking:
http://amzn.to/2dhHTSn

The Hacker Playbook 2: Practical Guide To Penetration Testing:
http://amzn.to/2d9wYKa

2) Practice

Hacking is learned by doing, so if you want to get better you should practice while you learn. There are dozens of free and paid labs you can use to test your skills and the knowledge you have acquired. Here are some of the websites and platforms that helped me improve the most:

  • Free websites and platforms:

1- My favorite of all time: https://portswigger.net/web-security. The Web Security Academy covers dozens of vulnerability classes, each with free labs built around realistic, real-life attack scenarios.

2- https://www.hacker101.com/ is HackerOne's free training site. Its CTF labs simulate real-life attack scenarios, and solving them earns points that are converted into invitations to HackerOne private programs. Isn't that great?

3- bWAPP: https://sourceforge.net/projects/bwapp/ is an open-source, deliberately insecure web application with over 100 web bugs, each available at three difficulty levels. Download it from the link above and set it up on your local machine. Since it is vulnerable by design, run it in an isolated VM or container and never expose it to the internet.

4- DVWA (Damn Vulnerable Web Application): http://www.dvwa.co.uk/, the same idea as bWAPP: a deliberately vulnerable PHP/MySQL application with selectable security levels, so you can see how each fix changes the attack.

  • Paid websites and platforms:

1- https://pentesterlab.com/: high-quality content and high-quality labs. Just perfect, and it's really cheap.

2- https://www.hackedu.com/: real attack scenarios based on vulnerabilities previously found on well-known websites.

3) Read again

Labs can't cover every attack scenario, so to fill the gaps you have to keep reading. Disclosed reports and write-ups from other hackers show how vulnerabilities look on real targets:

1- https://hackerone.com/hacktivity (publicly disclosed HackerOne reports)

2- https://pentester.land/ (curated list of bug bounty write-ups)

3- https://medium.com/bugbountywriteup (community write-ups)

4- https://portswigger.net/research (PortSwigger's original web security research)

4) Join the community

This is the most important part. Joining the community is critical: there are thousands of hackers out there sharing useful tips and write-ups every day. The first thing you need is a Twitter account; start by following these fellow hackers:

1- https://twitter.com/stokfredrik

2- https://twitter.com/NahamSec

3- https://twitter.com/Yassineaboukir

4- https://twitter.com/thedawgyg

5- https://twitter.com/_ayoubfathi_

6- https://twitter.com/aessadek

7- https://twitter.com/brutelogic

8- https://twitter.com/HafidAitChikh

9- https://twitter.com/spaceraccoonsec

10- https://twitter.com/albinowax

11- https://twitter.com/ElMrhassel

12- https://twitter.com/_jensec

13- https://twitter.com/wongmjane

5) You're good to go

Once you have worked through these steps you should be in good shape, and you can start your hacking journey xD. Pick a program, read its scope and rules carefully, stay inside them, and report what you find responsibly.