- The Guide to Finding and Reporting Web Vulnerabilities
Asset Types
In the context of a bug bounty program, an asset is an application, website, or product that you can hack. There are different types of assets, each with its own characteristics, requirements, and pros and cons. After considering these differences, you should choose a program with assets that play to your strengths, based on your skill set, experience level, and preferences.
Social Sites and Applications
Anything labeled social has a lot of potential for vulnerabilities, because these applications tend to be complex and involve a lot of interaction among users, and between the user and the server. That’s why the first type of bug bounty program we’ll talk about targets social websites and applications. The term social application refers to any site that allows users to interact with each other. Many programs belong to this category: examples include the bug bounty program for HackerOne and programs for Facebook, Twitter, GitHub, and LINE.
Social applications need to manage interactions among users, as well as each user’s roles, privileges, and account integrity. They are typically full of potential for critical web vulnerabilities such as insecure direct object references (IDORs), info leaks, and account takeovers. These vulnerabilities occur when many users are on a platform, and when applications mismanage user information; when the application does not validate a user’s identity properly, malicious users can assume the identity of others.
These complex applications also often provide a lot of user input opportunities. If input validation is not performed properly, these applications are prone to injection bugs, like SQL injection (SQLi) or cross-site scripting (XSS).
If you are a newcomer to bug bounties, I recommend that you start with social sites. The large number of social applications nowadays means that if you target social sites, you’ll have many programs to choose from. Also, the complex nature of social sites means that you’ll encounter a vast attack surface with which to experiment. (An application’s attack surface refers to all of the application’s different points that an attacker can attempt to exploit.) Finally, the diverse range of vulnerabilities that show up on these sites means that you will be able to quickly build a deep knowledge of web security.
The skill set you need to hack social programs includes the ability to use a proxy, like the Burp Suite proxy introduced in Chapter 4, and knowledge about web vulnerabilities such as XSS and IDOR. You can learn more about these in Chapters 6 and 10. It’s also helpful to have some JavaScript programming skills and knowledge about web development. However, these skills aren’t required to succeed as a hacker.
But these programs have a major downside. Because of the popularity of their products and the low barrier of entry, they’re often very competitive and have many hackers hunting on them. Social media platforms such as Facebook and Twitter are some of the most targeted programs.
General Web Applications
General web applications are also a good target for beginners. Here, I am referring to any web applications that do not involve user-to-user interaction. Instead, users interact with the server to access the application’s features. Targets that fall into this category can include static websites, cloud applications, consumer services like banking sites, and web portals of Internet of Things (IoT) devices or other connected hardware. Like social sites, they are also quite diverse and lend themselves well to a variety of skill levels. Examples include the programs for Google, the US Department of Defense, and Credit Karma.
That said, in my experience, they tend to be a little more difficult to hack than social applications, and their attack surface is smaller. If you’re looking for account takeovers and info leak vulnerabilities, you won’t have as much luck because there aren’t a lot of opportunities for users to interact with others and potentially steal their information. The types of bugs that you’ll find in these applications are slightly different. You’ll need to look for server-side vulnerabilities and vulnerabilities specific to the application’s technology stack. You could also look for commonly found network vulnerabilities, like subdomain takeovers. This means you’ll have to know about both client-side and server-side web vulnerabilities, and you should have the ability to use a proxy. It’s also helpful to have some knowledge about web development and programming.
These programs can range in popularity. However, most of them have a low barrier of entry, so you can most likely get started hacking right away!
Mobile Applications (Android, iOS, and Windows)
After you get the hang of hacking web applications, you may choose to specialize in mobile applications. Mobile programs are becoming prevalent; after all, most web apps have a mobile equivalent nowadays. They include programs for Facebook Messenger, the Twitter app, the LINE mobile app, the Yelp app, and the Gmail app.
Hacking mobile applications requires the skill set you’ve built from hacking web applications, as well as additional knowledge about the structure of mobile apps and programming techniques related to the platform. You should understand attacks and analysis strategies like certificate pinning bypass, mobile reverse engineering, and cryptography.
Hacking mobile applications also requires a little more setup than hacking web applications, as you’ll need to own a mobile device that you can experiment on. A good mobile testing lab consists of a regular device, a rooted device, and device emulators for both Android and iOS. A rooted device is one for which you have admin privileges. It will allow you to experiment more freely, because you can bypass the mobile system’s safety constraints. An emulator is a virtual simulation of mobile environments that you run on your computer. It allows you to run multiple device versions and operating systems without owning a device for each setup.
For these reasons, mobile applications are less popular among bug bounty hunters than web applications. However, the higher barrier of entry for mobile programs is an advantage for those who do participate. These programs are less competitive, making it relatively easy to find bugs.
APIs
Application programming interfaces (APIs) are specifications that define how other applications can interact with an organization’s assets, such as to retrieve or alter their data. For example, another application might be able to retrieve an application’s data via HyperText Transfer Protocol (HTTP) messages to a certain endpoint, and the application will return data in the format of Extensible Markup Language (XML) or JavaScript Object Notation (JSON) messages.
Some programs put a heightened focus on API bugs in their bug bounty programs if they’re rolling out a new version of their API. A secure API implementation is key to preventing data breaches and protecting customer data. Hacking APIs requires many of the same skills as hacking web applications, mobile applications, and IoT applications. But when testing APIs, you should focus on common API bugs like data leaks and injection flaws.
Source Code and Executables
If you have more advanced programming and reversing skills, you can give source code and executable programs a try. These programs encourage hackers to find vulnerabilities in an organization’s software by directly providing hackers with an open source codebase or the binary executable. Examples include the Internet Bug Bounty, the program for the PHP language, and the WordPress program.
Hacking these programs can entail analyzing the source code of open source projects for web vulnerabilities and fuzzing binaries for potential exploits. You usually have to understand coding and computer science concepts to be successful here. You’ll need knowledge of web vulnerabilities, programming skills related to the project’s codebase, and code analysis skills. Cryptography, software development, and reverse engineering skills are helpful.
Source code programs may sound intimidating, but keep in mind that they’re diverse, so you have many to choose from. You don’t have to be a master programmer to hack these programs; rather, aim for a solid understanding of the project’s tech stack and underlying architecture. Because these programs tend to require more skills, they are less competitive, and only a small proportion of hackers will ever attempt them.
Hardware and IoT
Last but not least are hardware and IoT programs. These programs ask you to hack devices like cars, smart televisions, and thermostats. Examples include the bug bounty programs of Tesla and Ford Motor Company.
You’ll need highly specific skills to hack these programs: you’ll often have to acquire a deep familiarity with the type of device that you’re hacking, in addition to understanding common IoT vulnerabilities. You should know about web vulnerabilities, programming, code analysis, and reverse engineering. Also, study up on IoT concepts and industry standards such as digital signing and asymmetric encryption schemes. Finally, cryptography, wireless hacking, and software development skills will be helpful too.
Although some programs will provide you with a free device to hack, that often applies to only the select hackers who’ve already established a relationship with the company. To begin hacking on these programs, you might need the funds to acquire the device on your own.
Since these programs require specialized skills and a device, they tend to be the least competitive.