Every bug bounty hunter began by reporting low-hanging bugs and minor problems that business didn't care about at the time.

 

1) Architecture Based Approach

First find the technologies used by the website.

For finding use this tool:

• Wappalyzer
• Buildwith

Then you can find if there are any CVE or public exploits related to the technology the web app.

You can read through documentations and bug bounty reports related to each dependencies. Find out what the most common mistakes that can be made by developer.

If you are a beginner, it would takes quite long time to understand each technologies behind. This approach works well on modern web app.

2) Asset-based Approach

Bug hunters using this approach heavily relies on tools to find out as many assets as possible.


For example -

• Use sublist3r to find all subdomains
• Use gau to fetch all URL.
• Discover all IPs belonged to the target.

Then you need to have a proper way to sort out and analyze the information obtained. This approach works well if the target has wide scope (eg. Facebook, Microsoft, Google).

To become successful in this approach, You better familiar with some bash scripting or use python to automate some tasks. Also it might create a lot of unneccessary noice to the target and might lead to ip ban from the target.

Read more about what bug you want to Report :- Click Here

3) Function based approach

In this approach start testing the website as the normal user uses it and use burp suite to record all request/response. Then, try to do something that is not supposed to do, access some URL that is not authentication to do so. Creativity is a key to be successful in this approach. Here are some of the type of information that should be gathered on your target:

• Create a list of all the subdomains and IPs that belong to the target.
• Find information about the type of software and services the site uses.
• Check if they have a github account?
• check the robots.txt file
• Does the site have any input forms, any parameters in the URLs?
• Start hunting as soon as any organization introduces the program.

Read more about Burp Suite Tutorial :- Click Here

Conclusion:

You can read more bug hunting report and find out more yourself. Then, you can mix and match these approaches and techniques.

As time passes you would find yourself developed your own methodology and getting smooth in bug hunting.

Disclaimer

Make money legally as a Hacker

It's okay if you don't have college degree

Without a college degree you can make money as a hacker and you won't get arrested for it. Even this is possible you are just in your first year and you are already earning a good lumpsum of money. It's just matter of effort
you execute over things.

You don't need certificate to earn money, you'll just need skills to earn money!

Teaching cyber security

Teaching hacking is one of the most easy may to make money with the help of your skills, even the best hackers of
world still write books related to hacking.


Writing articles on cyber security, helping others with tutorial videos and ebooks will helo you out in earning.

If you are an undergraduate, don't go for making tutorials, you can sell your skill in your campus.

Bug Bounty Programs

Companies are on the rise looking to reward ethical hackers who notify them of any bug in their software before it could be exploited by malicious hackers.

Become a bug bounty hunter, no legislation is against it, you make money when you win it. Any no company will ask for your certificate, all they need are your fingers on those keys.

Write Software securities

The government won't blame you making money writing software securities that abort malicious attacks. Instead, you will get some accolades for that.

 

Disclaimer

Killer website for hackers

Exploit Database

Exploit database (ExploitDB) is an archive of exploits for the purpose of public security, and it explains what can be found on the database. The ExploitDB is a very useful resource for identifying possible weakness in your network and for staying up to date on current attacks occuring in other networks.

Shodan

Shodan works by requesting connections to every imaginable internet protocol (IP) address on the internet and indexing the information that it gets back from those connection requests. Shodan crawls the web for devices using a global network of computers and servers that are running 24/7.

Archive org

Intenet Archive is a non-profit library of millions of free books, Movies, software, music, websites, and more.

Nmmapper

Pentest tool from nmap online to subdomain finder, theHarvester, wappalyzer. Discover dns records of domains, detect cms using cmseek & whatweb.

Builtwith

Builtwith is a website profiler, lead generation, competitive analysis and business intelligence tool providing technology adoption, ecommerce data and usage analytics for the internet.

Disclaimer

 
 
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Python Libraries that can automate your life

1) Openpxl

Automate excel reporting

Openpyxl is a python library that can help us automate our excel reporting. With openpyxl, we can read an Excel file, write excel formulas, make charts, and format a worksheet using python.


Installation

• pip install openpyxl

2) SMTPLIB

Email automation

smtplib is a built-in python module used for sending emails using the Simple Mail Transfer Protocol (SMTP).

• You dont need to install smtplib or email because thay come with python.

3) Camelot

Automate table extraction from

PDFs

These tables can be exported into a Pandas dataframe and other formats such as CSV, JSON, Excel, HTML, Markdown, and SQLite.

Installation

• pip install "camelot-py[base]"

4) Requests: Make Your Life Easier With an API

Automation sometimes involves working with an API. APIs can help you collect real-world data and also simplify the development process of an application.

To work with an API you need to send requests to a server and then read the responses. The message sent by a client to a server is known as an HTTP request.

With the Requests library, we can interact with an API by sending HTTP requests and accessing the response data. This library has useful features such as passing parameters in URLs, sending custom headers, form data, and more.
Installation

To install Requests, we only need to run the command below in our terminal.
 

• python -m pip install requests

Disclaimer

Useful Github Repositories

1) Project Based Learning

A list of programming tutorials in which aspiring software developers learn how to build an applications from scratch.

Link - https://github.com/practical-tutorials/project-based-learning

2) Free Programming Books

The Free Ebook Foundation now administers the repo, a not-for-profit organization devoted to promoting the creation, distribution, archiving, and sustainability of free ebooks. Donations to the Free Ebook Foundation are tax-deductible in the US.


This list was originally a clone of StackOverflow - List of Freely Available Programming Books with contributions from Karan Bhangui and George Stocker.

The list was moved to GitHub by Victor Felder for collaborative updating and maintenance. It has grown to become one of GitHub's most popular repositories, with 226,000+ stars, about 9,600 watchers, more than 7,000 commits, 1,900+ contributors, and 47,700+ forks.


Link - https://github.com/EbookFoundation/free-programming-books

3) Developer Roadmap

Roadmaps are being made interactive and have been moved to website.
View all Roadmaps

Here is the list of available roadmaps with more being actively worked upon.

•     Frontend Roadmap
•     Backend Roadmap
•     DevOps Roadmap
•     React Roadmap
•     Angular Roadmap
•     Android Roadmap
•     Python Roadmap
•     Go Roadmap
•     Java Roadmap
•     DBA Roadmap
•     Etc...

Link - https://github.com/kamranahmedse/developer-roadmap




4) Public APIs

A collective list of free APIs for use in software and web development


Link - https://github.com/public-apis/public-apis

Disclaimer

India gave a befitting reply to foreign hackers

India gave a befitting reply to foreign hackers in their stronghold, conspiracy being hatched from Malaysia and Indonesia


After the remarks of former BJP spokesperson Nupur Sharma, hackers from some countries have hatched a cyber war against India. Information about attacks on the websites of government departments and some private institutions by hackers from countries like Malaysia and Indonesia has come to the fore. These hackers also made Nupur Sharma's mobile number and home address public on many websites.


In order to give a befitting reply to the perpetrators of cyber attacks against India, the Ahmedabad Cyber ​​Crime Cell penetrated the hackers' website and their cyber network, found bugs and gave a befitting reply. Amit Vasava, Deputy Commissioner of Police, Ahmedabad Cyber ​​Crime Cell shared important information about this. He told that after such attacks, the cooperation of cyber expert Nisarga Shah was taken to answer the hackers in their own language.


With the help of cyber expert Nisarg Shah, the Cyber ​​Crime Cell of Ahmedabad Police has found a bug in the network of these hackers and submitted a report to the governments of Indonesia and Malaysia. Have looked for flaws in over 100 Indonesian government websites and 70 Malaysian government websites.

Hacker Groups of Malaysia and Indonesia

According to Deputy Commissioner of Police Amit Vasava, with this conspiracy against India, hackers want to create disturbances by cyber attack on India's infrastructure, power grid, digital space. The names of hacker groups 'Dragon Force Malaysia' and 'Hectivist Indonesia' have come to the fore in this conspiracy so far. Their target is the websites of many important departments of the central and state government, police, universities, civic facilities networks and websites of many private industry groups.

Inputs received from Andhra Pradesh and Maharashtra Police

Hackers claim that so far they have hacked 200 websites in India. This is also corroborated on the basis of inputs received from Andhra Pradesh Police and Thane Police in Maharashtra. There are reports of hacking. The cyber cell of Ahmedabad Police has challenged by reaching the network of hackers. The cyber cell says that we cannot sit on our hands.

Disclaimer