2023 Path to Hacking Success: Top 3 Bug Bounty Tips
I have a friend of mine, I work with, his name, he goes by Adam, he's on Twitter and he's I think he's 17 or 18 just graduated high school. And he has made some money and he saved every single penny of it just you know for now. He's trying to figure out what he wants to do next with it. But imagine being 17 and making 15k for example and over summer.
The return on investment you get if you go into it with the mentality of like hey. I have nothing to lose. I want to learn and become better at web hacking if I make money on the side even better if you do it because you're passionate about web hacking. Not just for the money aspects of it. You're gonna go very far and it's gonna be a lot more enjoyable than you know. Like any other industry when there's money involved. We want to do it for overnight quick buck. It's not gonna last that long.
I'm on a mission to help people in my community and the people that are watching my YouTube videos or any content that I'm a part of to find their first valid vulnerability whether it's to do a pentest whether they're doing a CTF. But even better if they're doing a bug bounty or a VDP. So my goal is to just help people this year get their first bounty and get their first valid submission. And just you know put them on the path of changing their lives. Okay, so this is brilliant and I really want to thank Brilliant for sponsoring this video.
I really like the way they teach you concepts. They have a whole bunch of interactive courses including some of my favorites. Programming with Python and introduction to neural networks. Their content is very interactive and hands-on. Okay, so let's put you to the test and see if you can answer some of these questions which are part of their AI training. I guess that this was a book, but what did you think it was? Okay, now let's say we add color. What do you think it is now? I just took a wild guess car driving on a bridge.
I had no idea what this actually was, just took a guess and that's actually the right answer. This is 1% of this photo, which part of this photo? I wasn't sure where it was, so I asked Brilliant to show me where this image was and as you can see. It's a snippet from this image. It's actually that car. So when you look at the image now, your brain may actually see that it's a car as they say.
Context matters now when you go through this training, you'll answer the questions yourself. I love that it's interactive, that it's hands-on. People don't learn as well by just reading a book or by watching a video. They learn much more with interactive hands-on training such as the training that Brilliant offers. Now. Not only do they offer Brilliant training, they also offer a 30-day trial with a 20% discount if you use my link below. brilliant.org forward slash David Bombal. I really want to thank Brilliant for sponsoring this video and for the long-term partnership.
They are sponsoring my channel, which allows me to create more free content. Check them out using the link below. Everyone, David Bombal back with a very special guest Ben, welcome. Hi, things are going good, man. It's great to have you back and I'm really excited about the topic for today's video. You recently posted on your channel and just for everyone watching seriously if you want to learn about bug bounty. Make sure that you sub to the HomeStack or Ben's channel link below in my opinion one of the best places to go for bug bounty.
Information and I've seen so many people say the same so Ben you got to tell us about this video. I heard you made like a hundred thousand dollars or something in like a few weeks, which is insane. Yeah, I don't recommend it.
It's I mean I recommend it because it's good for an answer. But it was it was a really it wasn't that I planned doing this. It was just more of a the New Year came and you know. January first came around and I really wanted to start a year and I give myself a good head start and.
There was a little bit of luck in play with it. But yeah, it was a great opportunity that came about and I helped him make some money and give me back into how I can get it. Honestly gave me some good content to make out of it too. Yeah, that's great.
I mean, I've heard a lot of people say it was you know. You hear all kinds of things on the internet, but like there's no money and bug bounty anymore, but I mean you've just proved that there is I think the. It's like that it's like every industry right it's like when people started streaming and everyone's like there's no money in streaming. There is there's money in every industry you go to it's just more of a how do you stand out? What do you bring that's new or how do you how do you compete with other people to do better or to make it work? So there is money to be made in bug bounty. It's like any other industry.
I think there's actually more money to be made in bug bounties nowadays because of how many bug bounty programs are out there. But yeah, I mean that's a good way to prove it and I even talked about it a lot of these programs that I hacked on there were two main. Programs that I've been shorting the video one has been around. For quite a few years like three four years and the other one has also been around for like one or two years. And some of these top hackers in the world have already hacked on them.
So it just shows that it wasn't that I got my hands on this like brand new program. What is brand new company that I made money on it was just more of a I found a really good spot in this company. I want to hack into I changed the style of my hacking and I ended up and then I'm working out and to be honest. I took my own I ended up taking my own advice of the that I give people on this videos. And I'm like I'm giving these people advice and is that that's actually work and I start taking my own advice and I'm like. Okay, I don't feel as bad about that fight so I'm giving on my channel.
But that's great. So I mean that's what I want to try and get from you in today's video for everyone who's watching. Let's say I'm interested in bug bounty. I'm new to this or you talking to your younger self, you know. You've been down to this journey. I like to find people with lots of experience who can share with all of us how to do it. So let's start with like top three types of perhaps that you would give someone starting out or yourself.
You know a few years ago. This is the top three non-technical tips. First of all, it's just like you know. I think you as a YouTube content creator you can relate to this doesn't happen overnight. It takes a lot of patience. It's just like anything you do in life. It takes a lot of patience. It's like at one is also very generic, but consistency is absolutely key in anything you do including hacking including. Bug bounties because you have to consistently learn you have to be consistent with how much time you put into hacking.
And I'm not saying overdo it. I'm not saying you know go out there and like you know put yourself in a position that you're gonna be. Exhausted, but it's just consistently wanted to put in their work as another one. And the last the third thing that I want to say is I think it's also just not comparing yourself and yeah. But finding someone that could push you. It's a kind of like the opposite of each other. But the biggest one is like finding someone that could either keep you as an accountability buddy.
Or finding someone that knows as much as you do a little bit more than you do and kind of like working with each other. And learning from each other and hacking is just one of the biggest things that's happened to me is having someone. Brett Boehrhaus at Kay Zayet is one of my good friends. We started hacking together and he knew a little bit more about some stuff that I didn't know and we ended up just working with each other. And learning and actually making this bug bounty thing work.
So join a community find a friend and hang out with them and hack with them. It's like everything in life right teamwork. You can't know everything yourself. You can't be the best at everything. You're so much more powerful as a team. Yeah, so those are the non-technical, you know tips. But on the technical side, it's just what you should learn. There's a lot that goes into bug bounties and I would also say it's not just bug bounties. It's just web-app hacking and pen testing is you want to learn the basics.
If you want to learn how things work. So what happens like the first one is what happens when you type in. www.no-hopsick.com for example into the browser. What happens in the background? Can you explain that to anybody? What is on that? What happens to the DNS side? What happens on the browser side? What happens on the server side? And kind of understanding how everything works in the back.
And so that's like networking DNS and then like web servers and how they work. So that's the number one thing if you can't figure those out and you can't learn those things. You may be able to get around but you're not gonna go far.
The second thing is understanding the vulnerabilities at its core not just payloads. But also knowing why the payloads work and what makes this vulnerability work on the server side or on the application side. So not just going oh, I plugged this exploit in or this payload in this is what happens why what happens there. So not so much of the how but more on the why it works. And a third one that I would say is also important for just web hacking bug bounties.
Or just becoming a red team or even is having the hacker mentality. And I think I personally think that a lot of people have done some sort of hacking in their life including you including. But then I have a technical or content creators. What would you want to say they've done some sort of hacking? It's by just finding loopholes in life. It's you go and find these different things that you go.
I want to do this or this thing doesn't do this. I want to do this thing. How do I do that whether it's cheating in a game whether it's finding a loophole to get something for free. Whatever that is right that's also with hacking. What does this application do what does it not do. What do I do exactly to make that happen? So it's just a hack a mindset and hack a mentality of having that as well. Been the biggest problem is like is there way to hack learning the stuff or you know how to get skills.
How do you have you got any tips of that? So a lot of people that my my have already heard this term. But we we talk about this if you go on Twitter you look at it. Everyone says like don't learn to hack hack to learn and it's also it's you know. It makes sense why you hack things to learn them. But let's just take a step back. We're gonna about hacking. Let's say I think a lot of people that probably watch our content on. YouTube are the gamers themselves or right? They play video games.
I'm gonna use a game like Call of Duty or maybe Apex or something like that. Like to get to first-person shooter game when you buy that game even though you have you know. You maybe knew or you have played the previous versions the first thing you want to do is you want to learn how to maps work. The maps could be your programs your software that you hacking then you want to learn how to guns work.
What the attachments are those are your tools right? So you have all these different things that come into it. But you can't learn them unless you do it. So you can you know like one of the things that I tell people is you can sit here and consume content 24-7. You can watch my videos you can watch your videos. John Hammond's whoever you want to call you can watch all these videos all these pros. But until you put in the work you're not gonna be able to hack things.
So the biggest thing is to actually jump in and stop it in that worse in your head. You're whatever you want to call you know that I think that wants to stop you. Whether your doubts yourself doubts whatever it is sit sometime aside and actually put in the work and learn these. Concepts that you have watched or you have read or you're you know you watch video and on or whatever it is and actually start doing them on your own.
Yeah, I mean the analogy I always like to use and it applies to anything is um. You can read about writing a bicycle you can watch videos. Whatever but until you've done it and you've fallen off a few times you'll never actually know how to do it. So just do it. Yeah, absolutely. It's the same thing. It's anything in life. You do right? It's. Whether you want to get some in technical. You want to just do anything. It's just you have to practice and the gaming analogy.
Some that I know a lot of my viewers kind of relate to because they all play video games and it's anything in life. You want to do these things and then more and more you do it the more you practice you become better. So practice makes it perfect and also you know, it's just a consensus to see anything that I said earlier in a video. Yeah, the book that I love is atomic habits. It's that thing where you read it right where you do.
1% increase. Consistent 1% increase it will put you in a different league to someone who. Who does a whole bunch a little bit and then forgets or for a little while and then forgets about and comes back and so forth. Like anything in life yet could that consistency that you that you've said is so important.
Yeah, you want to build that muscle of like hey, I want to hack and then more and more you do that that muscle becomes stronger. So you know where to look for one that ability, you know when you play video games when people can corners. You know where those are right? You just you know where we're gonna be hiding and popping out.
It's the same thing with hacking you just have to put in the effort and put in the time and honestly a lot of people that you know. I they asked me these things. I know if you're in your late 20s early 30s me in your 40s. It's harder because you have more responsibilities you have kids have family you have a job right. But a lot of people that I also talk to me or watch my content there in their way early 20s or even their teenagers. You have a lot of time. It's a lot more fun that teenagers are not really working. You know if you're working shout out to you good for you.
But if you're not working you don't have as many responsibilities all you have to do is invest your time. And I promise you it's worth it at the end of it and then if it's not with just for bug bounty hunting. And you learn how to hack websites and you get good at it. There is a lot of job opportunities that come out of it. Especially if you're young and if you're a teenager or your early 20s. That's brilliant. I mean, let's get a bit more technical. So where do I go? Do you have like top three bug bounty platforms?
And like on the bug bounty platforms. I might be competing against someone like you. I mean, I don't stand a chance. Is there any log sort of specific part of that or program or something within that bug bounty program that you'd recommend? So let's let's learn the learning side of things are three learning. Platforms or resources that I recommend and they're these are 100% free. I'm not endorsed by them. This is not an ad. It's just I think it's really the things that worked.
The first one is pico ctf. I think people have probably heard of this one. It's not only they teach you how to hack things. But some other web challenges for example are exactly what I said what happens when you type in the address bar. The website it makes you understand those things in a form of a challenge or a puzzle.
So pico ctf to start is a really good place and the second one what you want to do is you want to go to the website academy by PortSwigger. That is a very very good resource if you want to learn the basics of vulnerabilities to give you. A written content and I think they have some videos too now. But you read it and at the bottom there is a lab you click on the lab and you practice that exact thing.
But these ctf so with the PortSwigger Academy. It's very much to like a point and exploit. This is the bug you have to exploit here is a lab so you do that. But it's really good to learn.
But it it goes to it actually translates into the actual bug bounty world. But you want to get a little bit better and just be able to find these vulnerabilities without knowing they exist. So that's where hacker101 is a good one to go to which is owned by HackerOne which is one of the bug bounty platforms in the world.
And what they do with hacker101 is if you go on there and you solve a ctf. They give you about six to seven points per flag and if you find three or four flags. What happens is they actually put you in the invite algorithm. So you get invited to a bug bounty program that's private on their platform and you're inside their algorithm. So you kind of bypass a little bit of logistics by showing them that you know how to hack.
So yes, the third one is the key if you do them in that order specifically. It's very very good and actually gets you out there. Those are the top three like learning platforms where you can learn hands-on for free and actually make a. A little bit of money if you get invited to a bug bounty program on HackerOne. And if I want to do it like you do to make money like actually hack companies is a HackerOne. What do you recommend top three? Yeah, there are a couple of bug bounty platforms out there. Yeah, there are a couple of bug bounty platforms out there
There's a lot of new bug bounty platforms that are coming out I recommend people to to one of the advice that I give to a lot of the The mentees and people that I talk to is pick two of these bug bounty platforms or even three The top three for me personally is a hacker one is the the first one that is my primary what I call it Bugcrowd is my secondary and that's what I tell people hey take your primary and take a second there and then it's third and fourth If you have extra time so the primary for me is HackerOne and the second one is Bugcrowd And then there's Intigriti and Synack, those two are kind of equal to me. Synack is a little bit harder to get into, you have to pass an exam and do an interview. It's a private red team. They do bug bounties, but it's kind of like a bug bounty meets red team. But those four other ones that I would go to, but honestly it doesn't matter if you think you're like. Bugcrowd more than HackerOne, do it. If you're in Europe and watching this, Intigriti. Maybe a better choice for you because I have a lot of European programs.
They work better with the tax laws in Europe and they just have programs that are very much niche to Europe. But honestly, that's a matter of pick one, make it your primary because when you have that primary. The more you hack on them, the more they're going to take care of you and become a loyal hacker on them.
The more loyal you are, the more they invite you to more things and get more perks. So you want to build that and then build your second. They're just in case you're out of work with the other one and then I think you've said it in previous interviews. If you're starting out, try and go for the non-paid programs, is that right? Because the problem is if you go against big companies like PayPal, whatever that. Did you've hacked in the past, you may be competing against people who are far ahead of you, that kind of thing, is that right? Yeah, so what I would recommend is, uh, go hack on these vulnerability disclosure programs or VDP for short. The way these work is it's a see something, say something.
So if you find a vulnerability, you report it to them and they just say thank you to you. There's no money involved in that. But what is really cool about doing these VDPs, and on the streams that I do, I hack on these VDPs. So people can see it, there are so many vulnerabilities that have not been found in some of these, you know. But just yesterday I did a livestream on.
LATAM Airlines, it's like a South American airline, and we could just see there's so many potential vulnerabilities. And people in my stream were like, is it really that easy? Not that I'm making it easy, but it's just more of the pros, quote-unquote, people that are doing this for money. Are going to be looking at these programs. So there are more vulnerabilities there. But that does two things. One, it allows you to find vulnerabilities and you kind of like. Have a track record with these bug bounty programs or platforms, creating your profile on these platforms.
But two, it's also allowing you to create your own methodology. How do I look for these vulnerabilities? How do I do a recon? How do I do X, how do I do Y? So it gives you that capability and it's a win-win. So you also get to learn more and not get paid.
But it gives you a really good way to. Learn these different vulnerabilities and eventually, if you know your stuff, if you're confident. Then you can go to these public bug bounty programs and get paid. The biggest advice for. Anyone that's watching this, if you want to get into bug bounties, the biggest thing that I've realized is it takes one program to.
Crush. So if you go into VDPs and hack or one of the bug bounty programs, the private ones. It takes one program for you to crush it and make four, five, six thousand dollars to build momentum and catch the. Bug bounty platforms' attention to invite you to more things. So you just want to find a program that works for you and then just crush it, absolutely as much as you can. Something you've said in the past as well is this opened up doors for you in companies.
So it's a great way to show experience when you don't have experience, right? Yeah, absolutely. Another thing is. People that are doing bug bounties, they do it for different reasons, right? They could be that you want to. You know, put something on your resume because you just want to learn or you just want to make money from it, right? But if your goal is to score a job or do something. I'm a prime example of it. Before I did any bug bounties. I had zero tech, zero cybersecurity content on my resume, right? And then I was just hacking on anything. I could, whether it was Yahoo, whether it was like a random company that I've never heard of, I found vulnerabilities.
And I put them on my resume. That's how I got my first job in tech. All I put was 10 cross-site scripting or over 20 cross-site scripting vulnerabilities found. And then in parentheses, it would say confirmed by x, y, and z companies. That alone just gave me the credentials that I needed to get a job. So if your goal is to get a job.
There is that. If your goal is to understand. Where that was more, you have that opportunity. It's just really, it just varies on your goal and what your end goal is with what you're doing. I love it because I mean it's real-world experience. I mean if you're 16 or 18 or whatever or you're going from coming from another industry, this.
I mean, there's like no better way than like, okay. You did, you actually hacked a company. I mean, what a great thing to put on your resume. Absolutely. I have a friend of mine. He's, you know, I work with him. His name is Adam. He goes by NahamSec on Twitter. And he's, I think, 17 or 18, just graduated high school. And he has made some money and he saved every single penny of it just, you know, for now.
He's trying to figure out what he wants to do next with it. But imagine being 17 and making 15k, for example, over summer. That pays for your probably your college or pays for your car. Or pays for your summer vacation or whatever it is, right? But imagine 15k at the age of 17. I don't know at that time. I'm not saying that's how much he made. But even if you make 15k in over summer, that's more than any 17-year-old would make in a year. Working a regular job, right? Yeah, exactly.
And I mean, you're doing what you enjoy as well, rather than working in, say, McDonald's or some other place. Perhaps that you don't enjoy. Yeah, the cool thing with bug bounties is you need three things, one of them is optional. Which is a coffee or tea that you drink, it's optional. And the other two is your laptop and a Wi-Fi connection. Nothing else matters. That's so true. I mean, the barriers to entry are so low. Yeah, absolutely. And I know before that, hack on their Android phones, on their iPad. Honestly, to start.
I know someone who bought their first laptop by hacking on their iPad or an Android device of some sort, and then they made like. 1500 bucks and they bought their laptop for themselves. The return on investment you get if you go into it with the mentality of like, hey. I have nothing to lose. I want to learn and become better at web hacking. If I make money on the side, even better. If you do it because you're passionate about web hacking, not just for the money aspects of it.
You're gonna go very far and it's gonna be a lot more enjoyable than, you know, like any other industry when there's money involved. We want to do it for overnight quick, but it's not gonna last that long. That's great advice. Now. I obviously recommend your channel. But do you have any top three YouTube channels and perhaps top three books that you could recommend? Let's start with the YouTube channels. The top three YouTube channels that I would recommend, there's so many of them, so if I forget yours.
I'm sorry. There is Katie, aka InsiderPhD. She's been doing some really cool content for beginners. She used to be a mentee at one of the programs we did when I worked at HackerOne, and she's now crushing it herself. There's Farah Hawa. She's a content creator. She used to work at Bugcrowd, now she's employed by Facebook. So she made it to the security team, and she does some really cool stuff. There's also Stokes. He doesn't make as much content anymore. He's taking a break.
But he also has a great channel for it. There is Bug Bounty PhD, a very good channel, very brand new. He also focuses a lot on bug bounties and that kind of aspect.
But on hacking, there are so many other people. There's John Hammond. There's Jacoby. There is HackerSploit. There's so many of them, but yeah, if you are there's so many, but the bug bounty side, the three or four that I mentioned. Are probably one of the best ones you can find out there. And if I forgot your channel. I'm so sorry. There's so many new content creators out there nowadays. And there's also another one that I forgot about, Bug Bounty Explained. Greg takes vulnerabilities that have been disclosed and then he talks about why they were working, how they work. Also a really good one if you want to learn more on the technical side. So for everyone who's watching.
We've obviously forgotten a whole bunch of amazing people or not mentioned them here. Please put in the comments below people that you really like, share the love, and show your love to all the content creators out there that are creating amazing content. So please put your comments below. Ben, books, top three books. Or it doesn't have to be three, but any books that you can recommend that I buy to get started.
I mean, you can see kind of like behind me right there at the top there. It's just peeking out, "The Web Application Hacker's Handbook" is a really good one if you want to learn how to hack APIs. "The Bug Bounty Bootcamp" by Vickie Li, absolutely amazing book that I recommend. There's also "The Web Application Hacker's Handbook".
It's kind of old and it's really thick, about like this big. But I recommend it because it covers a lot of the basics. But also shows you how to use the tools that you need to get better, like Burp Suite. So I recommend that also as one of the top three. There are a lot of good books. No Starch makes some good books.
So just look up No Starch and see some other hacking books. Those are the top three that I would recommend on the bug bounty aspect. Ben, top three technologies. I mean, you mentioned web technologies, right? Are there any specific technologies that I have to understand? There isn't a specific one that I would recommend. I would break it down into three different categories. One is you want to learn how to script, how do you automate some of your work? How do you make your life easier? How do you become more efficient if we love doing? By scripting, which I recommend. I think it's probably one of the better ones you could do. Or Python, even better if you want to go down that route. Learning Python would be very helpful because you just know how things work better.
So that's just one of those for scripting purposes. Two is understanding some web programming would be really good. Like how to build a website. I would just say go and create a WordPress website on your own.
So those are the three things that I would say are good on the programming or technology side of things. Okay, I want to talk about your channel because I've seen an amazing. Change in your channel. That's why I sort of wanted to set up this interview because you've really taken it to another level. So something that I really loved is what you said in one of your videos where you're saying you're trying to help people. So what's the goal with your channel these days and what are you sharing there? So the, it's very cool that you asked me this. I just recently realized what my "why" it was with my YouTube channel.
Brilliant. I want to, there's two things. One is I've drastically changed my life. I went from a not sure when I wanted to do, a confused college kid, to getting a career out of bug bounties. I want to help the same thing.
I think people can change their lives with hacking, whether it's bug bounties, whether it's pen testing. You know, getting a job in cybersecurity. But the other one is I'm on a mission to help people in my community and the people that are watching my YouTube videos. Or any content that I'm a part of to find their first valid vulnerability. Whether it's doing a pentest, whether they're doing a CTF. But even better if they're doing a bug bounty or a VDP.
So my goal is to just help people this year get their first bounty and get their first valid submission. And just put them on the path of changing their lives. That's such a cool mission. I love that. You know, the "why" is so important. So tell me, where can people find you? So obviously YouTube. Are you on like Twitch? Where's good places? So I stream very regularly on Twitch, Sunday, Monday, Tuesdays. Sundays being my most consistent and most popular.
Because I interview and hack things live on Twitch. And then I'm on YouTube for my weekly content. I post a video every Monday. And then you can find me on Twitter if you want to just, you know, hear me. Complain about how sucky hacking sometimes. I hate hacking and. Instagram is on the personal side, like there's just things that I deal with that I struggle with and then micro-content. That I post. Those are the four social media that I'm on.
But if you want to, everyone that wants to learn about hacking. I think YouTube and Twitch would be your best bets. Yeah, I mean, I was gonna just to reiterate, one of the reasons that I wanted to set up this interview is because I see you on. What you're doing on Instagram. I see what you're doing on Twitter, obviously YouTube. It's fantastic. So everyone who's watching, please go and show the love.
Ben's trying to get a hundred thousand subscribers. That might have already been reached by the time you watch this video. But if he hasn't, please get him to the hundred K sub mark.
I found that once I hit a hundred thousand subs, things changed a lot and I really want to get him to, you know. Million as soon as we can, but let's get to that 100K. He made a hundred thousand dollars. Hacking, we want to get him to a hundred thousand on YouTube. So let's hack that algorithm, legally of course, go and sub. Ben, thanks so much for sharing and that fantastic mission. I love it.
Thank you, and who knows if I had a hundred K, I'd do something crazy with my hair or do something. To make people happy with the challenge, but yeah, thanks again for having me, and also if you're watching this. If you're not subscribed to David's channel, you should also hit that like and subscribe on his channel as well. Appreciate it, man. Thanks, Ben.