Post

CBBH Review

Posted Updated
By Josh Morrison 2 min read

Description

The Bug Bounty Hunter Job Role Path is designed for individuals who want to enter the world of bug bounty hunting with little to no prior experience. This path covers core web application security assessment and bug bounty hunting concepts, providing a deep understanding of the attack tactics used in bug bounty hunting.

With the necessary theoretical background, multiple practical exercises, and a proven bug bounty hunting methodology, students go through all stages of bug bounty hunting, from reconnaissance and bug identification to exploitation, documentation, and communication with vendors/programs. By completing this job role path, students will be proficient in common bug bounty hunting techniques and be prepared to report vulnerabilities professionally.

CBBH

Course Modules

The course consists of 20 modules:

  • Web Requests
  • Introduction to Web Applications
  • Using Web Proxies
  • Information Gathering - Web Edition
  • Attacking Web Applications with Ffuf
  • JavaScript Deobfuscation
  • Cross-Site Scripting (XSS)
  • SQL Injection Fundamentals
  • SQLMap Essentials
  • Command Injections
  • File Upload Attacks
  • Server-side Attacks
  • Login Brute Forcing
  • Broken Authentication
  • Web Attacks
  • File Inclusion
  • Session Security
  • Web Service & API Attacks
  • Hacking WordPress
  • Bug Bounty Hunting Process

Motivation

Before taking this exam, I had recently graduated with a bachelor’s degree in computer science and had been actively involved in bug bounty hunting for about eight months. During this time, I found and successfully reported ten security vulnerabilities on HackerOne.

I learned a great deal from bug bounty write-ups, YouTube videos, CTFs, university courses, and podcasts. My motivation for obtaining this certification was to take my bug bounty skills to the next level.

Review

Since I had previously studied bug bounty hunting, I was already familiar with much of the course material. However, I still picked up valuable tips and tricks while deepening my understanding of web vulnerabilities. The most beneficial part of the course was the ability to read the material and then actively test it on a vulnerable target.

The course is well-structured, beginning with foundational knowledge before diving into specific vulnerabilities. One of the things I appreciated most was the lack of unnecessary filler content—everything taught in the course is useful for bug bounty hunters. The exam is fair, and if you know the material, you shouldn’t struggle with it.

Tips

  • You will need to provide a well-documented report at the end of the exam. Take screenshots and notes as you work through the exam to avoid spending extra time re-exploiting the machine to get the necessary documentation.
  • Create a cheat sheet with key course material to quickly find the commands needed to exploit vulnerabilities or gain a foothold on the machine.
Cyber Security
bug bounty cyber security
This post is licensed under CC BY 4.0 by the author.