How to Make Money From Ethical Hacking and Bug Bounty Hunting
No Coding Knowledge Is Required for This Article!
All information given in this article is provided under the assumption that the reader will use it ethically. You should never hack anything without prior consent to do so.
Introduction for the Technologically Illiterate
"But Jacob..." I hear you saying "...I hardly know anything about computers, you really think I could learn how to hack?"
To that I say yes! For starters, hacking isn't like what it is in the movies, it's much calmer and a lot more accessible, you don't need to be a computer science genius to start.
What you do need is the ability to learn, there are many resources on the web to teach you. If you put the effort in you'll be hacking like a pro in no time.
I know it's incredibly overwhelming. "where do I even begin?" well that's the whole point of this article. Give it a read and see if this industry is for you, it makes a great side hustle too!
What Is Covered in This Article?
- How Does One Make Money From This?
- Where to Find Bug Bounty Programs?
- Where to Begin: The Basics of Web Hacking
- What you Need
- Where to go From Here
How Does One Make Money From This?
The way this works is rather simple, some companies have a bug bounty program. What that means is they will pay you to find flaws in their websites. It's essentially something that gives you permission to hack.
Why do Companies Want This?
If you find a bug, report it to them and they fix it, then it means a real hacker can't exploit that bug. It just saves them the headache of dealing with pesky hackers.
That's it! Simple concept! if you find a bug, they pay you. Now let's go deeper, How do you actually start? how do you find bug bounties and most importantly how do you even test for bugs?
You do need permission to search for bugs. Don't just start trying to break things!
Where to Find Bug Bounty Programs?
First let me start this by saying don't worry about finding programs just yet, first we should learn how to look for bugs and then we can look for programs. Why I put this paragraph here is so you can see how easy it is to find programs once you know how to look for bugs.
There is one site I recommend for beginners, and that is hackerone.com. Open a new tab and check it out and you'll see what they're about.
HackerOne is free to use and immediately throws you into the action. Yes that's really it, you make an account and you have hundreds of programs at your disposal. This is what I mean by how accessible web hacking is. There's no barrier for entry.
Let's move on to what you'll actually need to know to start hunting!
Where to begin: The Basics of the Web
I bet you thought hacking required the ability to code; All those movies of people in hoodies typing 200 words a minute? Yeah... not really like that at all. Don't get me wrong, coding knowledge certainly doesn't hurt, but by no means is it a requirement.
So what the hell even is hacking then? Well there are a lot of different types of hacking, but for bug hunting you only need to know Web Hacking. This involves a basic understanding of the HTTPS protocol. Don't worry, that sounds really intimidating but it's actually not. HTTPS is just the the way the web communicates. The next article I write will go into the details of the HTTPS protocol, but for now what you need to know now is that there is a request packet and a response packet.
You see, a simplified way the internet works is like this, you have a browser, the browser sends a request packet to a web server and the server sends a response packet back.
Let's use this site as an example, you clicked on this article which sent a request packet to the server. The server responded with the response packet holding the HTML that makes up this page. Your browser displays the HTML which allows you to read the text you currently are.
Let's use the same example but with a malicious intent. First, you send a request packet to a server but catch it with a tool called a web proxy. A web proxy is a fancy name for a tool that let's you read and edit your request packets before sending them to the server. So let's edit your request packet to be malicious, instead of asking for this article, let's say you ask for a page you're not supposed to able to see. You then send it on it's way and the server gets the request. The server should see that there's something wrong and ignore it. However, if the server doesn't ignore it, then you can access data you shouldn't be able to. Badabing badaboom you got yourself a bug.
Now it's obviously more complicated than that, but that is the core concept.
What You Need
I mentioned it in the previous paragraph, a web proxy intercepts web packets being sent between you and the server. This just allows you to edit the packets and see if you can break the site. This is an essential tool for an ethical hacker. There are many web proxies to choose from. The one I fully throw my weight behind is Burp Suite
Burp Suite is a free to download web proxy. It's created and maintained by Port Swigger. A quick google search will take you to the download page. It is available for Mac, Linux and Windows. I'll write an article later on setting up burp suite, but believe me when I say there is no shortages when it comes to burp suite tutorials. It's kind of a pain to set up (meaning you can't just install it and run it) you have to do a little tampering with certificates and your browser of choice. But again, many tutorials and it is an essential tool.
Where to go From Here
Well I tried to make this article as accessible to the layman as possible, and because of that you're not ready to start hacking real sites yet. This article was to get the core concept across so you could see if you're actually interested in a career (or side hustle) of ethical hacking.
If you are interested, I will be writing more articles, but right now I recommend hacker101.com. They teach you all the basics. They have virtual machines for you to start hacking on as well as a whole plethora of video tutorials on the types of bugs to look for. I really can't recommend that site enough.
I will be exploring concepts like XSS, CSRF, HTTPS in the future. I hope you're as eager to learn as I am to teach.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.