Setting Up Your Environment
Building a professional bug hunting workstation
What You'll Discover
🎯 Why This Matters
Your tools are your weapons. A properly configured environment lets you focus on hunting instead of fighting with configuration issues. More importantly, understanding why these tools work the way they do will make you a more effective hunter. Set it up right once and benefit forever.
🔍 What You'll Learn
- How web proxies work and why they're essential for security testing
- Burp Suite Community/Pro setup and configuration
- Browser proxy configuration with FoxyProxy
- Essential extensions and when to use each one
- Note-taking systems that scale as you grow
- Recon tool installation with troubleshooting tips
🚀 Your First Win
In about 30 minutes, you'll have a fully configured bug hunting environment ready for your first target - and you'll understand exactly what each component does.
🔧 Try This Right Now
Install Burp Suite and configure your browser to route traffic through it:
```text
# STEP 1: Download Burp Suite Community Edition (free)
# Visit: https://portswigger.net/burp/communitydownload
# Choose your OS (Windows/Mac/Linux) and install

# STEP 2: Launch Burp Suite
# - Accept the license agreement
# - Select "Temporary project" (fine for learning)
# - Use "Burp defaults" configuration
# - Click "Start Burp"

# STEP 3: Verify the proxy is running
# Go to: Proxy tab → Proxy settings
# You should see: 127.0.0.1:8080 (Running)
# This means Burp is listening on your computer (127.0.0.1)
# on port 8080, ready to receive web traffic

# STEP 4: Install FoxyProxy browser extension
# Firefox: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
# Chrome: https://chrome.google.com/webstore/detail/foxyproxy-standard/

# STEP 5: Configure FoxyProxy to send traffic to Burp
# Click FoxyProxy icon → Options → Add
#   Title: Burp Suite
#   Type: HTTP
#   Hostname: 127.0.0.1
#   Port: 8080
# Save, then click the FoxyProxy icon and select "Burp Suite"

# STEP 6: Install Burp's CA certificate (for HTTPS sites)
# With FoxyProxy enabled, visit: http://burpsuite
# Click "CA Certificate" to download
# Import into your browser's certificate store (see detailed steps below)
```
Success indicator: Visit any website. In Burp's Proxy → HTTP History tab, you'll see every request your browser makes. Congratulations - you can now see what your browser is really doing!
Skills You'll Master
Proxy Configuration
Set up and troubleshoot web proxies to intercept traffic
Certificate Management
Understand and install CA certificates for HTTPS interception
Browser Security
Configure dedicated browser profiles for security testing
Tool Organization
Build a scalable system for notes, findings, and reports
Understanding Web Proxies
What Is a Proxy and Why Do You Need One?
Think of a web proxy like a mail sorter at a post office. Normally, when you visit a website, your browser sends requests directly to the server and receives responses back. With a proxy in the middle, every "letter" (HTTP request) goes through the sorter first.
This gives you superpowers:
- See everything: View the exact data being sent and received
- Pause and inspect: Stop a request mid-flight to examine it
- Modify on the fly: Change values before they reach the server
- Replay requests: Send the same request again with modifications
Without a proxy, you're hunting blind. With one, you can see exactly what data the application is sending - including hidden form fields, API calls, authentication tokens, and more.
Why CA Certificates Matter
Modern websites use HTTPS (the padlock icon), which encrypts traffic between your browser and the server. This encryption is great for security but creates a problem: if traffic is encrypted, how can your proxy read it?
The solution: Burp Suite creates its own Certificate Authority (CA). When you install Burp's CA certificate in your browser, you're telling your browser: "I trust Burp to create certificates for any website." This lets Burp sit in the middle of your own HTTPS traffic:
- Receive your encrypted request
- Decrypt it using the private key of the certificate it generated for that site
- Show you the contents
- Re-encrypt it and send it to the real server
Important: Only install Burp's CA certificate in a dedicated testing browser profile. Never install it system-wide or in your daily browser - anyone who obtained your Burp CA's private key could then intercept your own HTTPS traffic without triggering a warning.
Essential Tools
"A good setup means less friction between finding a bug and reporting it."
Burp Suite Deep Dive
Burp Suite is the industry standard for web application security testing. Here's what each major component does:
```text
# BURP SUITE TABS EXPLAINED
Proxy
├── Intercept    → Pause requests mid-flight, modify them, then forward
├── HTTP History → See every request/response that passed through
└── WebSockets   → Monitor real-time WebSocket connections

Repeater
└── Send a request manually, modify it, send again
    Perfect for testing "what happens if I change this value?"

Intruder
└── Automated testing - send the same request many times
    with different values (fuzzing). Community edition is rate-limited.

Target
├── Site map → Tree view of all discovered pages/endpoints
└── Scope    → Define what's in-scope for your testing

Decoder
└── Convert data between formats (Base64, URL encoding, etc.)
    Essential for understanding encoded parameters

# ESSENTIAL SETTINGS TO CONFIGURE
# 1. Add your target to scope (prevents accidentally testing other sites)
Target → Scope → Add → Enter target domain

# 2. Show hidden form fields (developers sometimes hide sensitive data)
Proxy → Options → Response Modification → Check "Unhide hidden form fields"

# 3. Increase font size for readability (optional but helpful)
User options → Display → HTTP Message Display → Font size

# RECOMMENDED EXTENSIONS (BApp Store → Install)
Autorize        → Automatically test for authorization issues (IDOR)
Param Miner     → Discover hidden parameters the app accepts
Logger++        → Enhanced logging with filtering capabilities
JSON Beautifier → Make JSON responses readable
```
Browser Extensions
These extensions help you understand and interact with web applications:
```text
# ESSENTIAL EXTENSIONS
FoxyProxy Standard
├── What it does:    Quick toggle between proxy configurations
├── Why you need it: Easily switch Burp on/off without changing settings
└── Pro tip:         Create profiles for "Burp", "Direct", and "Other tools"

Wappalyzer
├── What it does:    Identifies technologies used by websites
├── Why you need it: Know if target uses React, WordPress, etc.
└── Pro tip:         Technology choices reveal potential vulnerability classes

Cookie-Editor
├── What it does:    View, edit, and delete cookies
├── Why you need it: Test session handling, modify authentication cookies
└── Pro tip:         Try copying cookies between browser profiles

User-Agent Switcher
├── What it does:    Change your browser's identification string
├── Why you need it: Some apps serve different content to mobile vs desktop
└── Pro tip:         Test with common mobile user agents

# DEVELOPER TOOLS (for modern JavaScript apps)
React DevTools → Inspect React component state and props
Vue DevTools   → Same for Vue.js applications
Redux DevTools → See application state changes in real-time

# IMPORTANT: Create a dedicated browser profile for hunting
# Firefox: about:profiles → Create a New Profile → "BugBounty"
# Chrome: Settings → You and Google → Add Person → "BugBounty"
# This keeps your testing separate from personal browsing
```
Command Line Tools
These tools automate reconnaissance tasks. They require Go to be installed first.
Prerequisites: Installing Go
Go (Golang) is a programming language. Many security tools are written in Go because it compiles to a single binary that works anywhere. Install it first:
```bash
# STEP 1: INSTALL GO
# Download from: https://golang.org/dl/
# Follow installation instructions for your OS
# Verify installation:
go version
# Expected output: go version go1.21.0 (or similar)

# If "command not found", add Go to your PATH:
# Linux/Mac: Add to ~/.bashrc or ~/.zshrc:
export PATH=$PATH:/usr/local/go/bin
export PATH=$PATH:$(go env GOPATH)/bin
# Windows: Add C:\Go\bin to your System PATH

# STEP 2: INSTALL SECURITY TOOLS

# Subfinder - finds subdomains using public sources
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# What it does: Queries certificate logs, DNS databases, search engines
# to find subdomains without touching the target directly
# Test it: subfinder -d example.com

# Httpx - probes hosts to find live web servers
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# What it does: Takes a list of hosts, checks which ones respond
# and gathers info (title, status code, technologies)
# Test it: echo "example.com" | httpx

# Waybackurls - finds historical URLs from archive.org
go install -v github.com/tomnomnom/waybackurls@latest
# What it does: Queries the Wayback Machine for URLs
# that were previously crawled - finds forgotten endpoints
# Test it: waybackurls example.com

# Ffuf - fast web fuzzer
go install -v github.com/ffuf/ffuf/v2@latest
# What it does: Brute-forces directories, parameters, subdomains
# Test it: ffuf -u https://example.com/FUZZ -w wordlist.txt

# TROUBLESHOOTING
# "command not found" after installation?
#   The tools are in $(go env GOPATH)/bin
#   Add this to your PATH (see above)
# "go: command not found"?
#   Go isn't installed or not in PATH
#   Restart your terminal after installation
# Slow downloads?
#   Use a VPN or try: go env -w GOPROXY=https://proxy.golang.org,direct
```
Organization Systems
As you test more targets, you'll quickly accumulate data. A good organization system prevents you from losing findings and helps you spot patterns across targets.
Note-Taking Structure
```text
# RECOMMENDED FOLDER STRUCTURE
~/bugbounty/
├── targets/                  # One folder per program you're testing
│   ├── company-name/
│   │   ├── scope.md          # Copy of program scope and rules
│   │   ├── recon/            # Reconnaissance data
│   │   │   ├── subdomains.txt    # Found subdomains
│   │   │   ├── live-hosts.txt    # Responding servers
│   │   │   └── endpoints.txt     # Discovered URLs/APIs
│   │   ├── notes.md          # Your testing notes
│   │   ├── screenshots/      # Evidence for reports
│   │   └── reports/          # Submitted reports
│   │       ├── report-001-xss.md
│   │       └── report-002-idor.md
│
├── wordlists/                # Custom and downloaded wordlists
│   ├── directories.txt
│   ├── parameters.txt
│   └── subdomains.txt
│
├── scripts/                  # Your automation scripts
│   └── recon.sh
│
└── templates/                # Reusable templates
    └── report-template.md
```

```text
# WHAT TO TRACK FOR EACH TARGET

## In scope.md:
- Exact scope boundaries (copy from program page)
- Out-of-scope items (critical - don't test these!)
- Bounty ranges per severity
- Program-specific rules

## In notes.md:
- Technologies identified (React? Django? AWS?)
- Authentication mechanisms found
- Interesting endpoints to revisit
- Tested vs untested features (checkbox list)
- Dead ends (so you don't repeat work)
- Ideas for further testing

# TOOL RECOMMENDATIONS
Obsidian (free)    → Local markdown files, great linking between notes
Notion (free tier) → Cloud-based, good for collaboration
Cherry Tree        → Hierarchical notes, popular in security community
Plain text files   → Simple, portable, works everywhere
```
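As an added example (not part of the course material), here is one way to write the `scripts/recon.sh` that the folder tree above lists: it chains subfinder, httpx and waybackurls from the Command Line Tools section and files their output under `targets/<program>/recon/` in the layout shown. The `BUGBOUNTY_HOME` variable and the helper function names are my own choices; the script assumes the three Go tools are installed and on PATH, and tells you which directory to check when they are not.

```shell
#!/bin/sh
# recon.sh: run the passive recon pipeline for one program and file the
# results under ~/bugbounty/targets/<program>/recon/.
# Added example; BUGBOUNTY_HOME (assumed name) overrides the default root.

BUGBOUNTY_HOME="${BUGBOUNTY_HOME:-$HOME/bugbounty}"

# Create the per-target folder layout from the recommended tree. Safe to
# re-run: existing scope.md / notes.md files are left alone.
setup_target_dirs() {            # $1 = base dir, $2 = program name
  base="$1/targets/$2"
  for d in recon screenshots reports; do
    mkdir -p "$base/$d"
  done
  [ -f "$base/scope.md" ] || printf '# Scope for %s\n\n(paste the program scope and rules here)\n' "$2" > "$base/scope.md"
  [ -f "$base/notes.md" ]  || printf '# Notes for %s\n' "$2" > "$base/notes.md"
  echo "$base"
}

# Normalise a host list read on stdin: strip CRs and surrounding whitespace,
# lowercase, drop blank and comment lines, dedupe. Different tools disagree on
# case and trailing whitespace, and a clean list avoids probing a host twice.
normalize_hosts() {
  tr -d '\r' | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' | grep -v '^#' | sort -u
}

# Check the tools are on PATH; the usual cause of "command not found" is
# $(go env GOPATH)/bin missing from PATH, so say so.
require_tools() {
  missing=0
  gopath="$(go env GOPATH 2>/dev/null)"
  gopath="${gopath:-$HOME/go}"
  for t in subfinder httpx waybackurls; do
    if ! command -v "$t" >/dev/null 2>&1; then
      echo "missing: $t (expected in $gopath/bin; is that directory on PATH?)" >&2
      missing=1
    fi
  done
  return $missing
}

# Run the pipeline for one root domain that is in scope for program $1.
run_recon() {                    # $1 = program name, $2 = root domain
  require_tools || return 1
  target="$(setup_target_dirs "$BUGBOUNTY_HOME" "$1")"
  recon="$target/recon"
  # 1. Passive subdomain discovery (public sources, no traffic to the target).
  subfinder -silent -d "$2" | normalize_hosts > "$recon/subdomains.txt"
  # 2. Probe which of those hosts answer over HTTP(S); -silent prints URLs only.
  httpx -silent -l "$recon/subdomains.txt" > "$recon/live-hosts.txt"
  # 3. Historical URLs for the domain from the Wayback Machine.
  waybackurls "$2" | sort -u > "$recon/endpoints.txt"
  echo "subdomains: $(wc -l < "$recon/subdomains.txt")  live: $(wc -l < "$recon/live-hosts.txt")  endpoints: $(wc -l < "$recon/endpoints.txt")"
}

# Usage: ./recon.sh <program-name> <root-domain>
if [ $# -eq 2 ]; then
  run_recon "$1" "$2"
fi
```

The pipeline deliberately stops at passive and probe steps; ffuf against the live hosts is left for you to run by hand once you have read scope.md, because a fuzzing run is the step most likely to breach a program's rules if it is automated blindly.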
Why Setup Matters: Real Examples
🏆 The Bug Found Because of Good Setup
A hunter noticed something odd in Burp's HTTP History: a request to an API endpoint that wasn't visible anywhere in the application's UI. The frontend JavaScript was making a call to /api/internal/users that returned admin-level data. This endpoint was hidden - no links pointed to it - but Burp captured it automatically. The hunter earned $3,500 for an information disclosure bug they would have never found without intercepting traffic.
💸 The Bug Missed Because of Bad Setup
A researcher was testing a banking application but hadn't properly configured their CA certificate. HTTPS connections failed, so they only tested HTTP endpoints. A month later, another hunter reported an authentication bypass on an HTTPS-only admin panel - a $10,000 bounty. The first researcher had all the skills to find it, but their setup prevented them from even seeing the vulnerable endpoint.
💡 The Lesson
Investing time in your setup isn't optional - it's foundational. Every minute spent configuring tools correctly pays dividends across every program you test. The best hunters have environments they can trust completely, so they can focus on what matters: finding vulnerabilities.
Frequently Asked Questions
Do I need Burp Suite Pro?
Community edition handles everything you need to learn and find bugs. Pro ($475/year) adds automated scanning, unrestricted Intruder speed, and project saving. Most hunters start with Community and upgrade when bug bounty becomes profitable - think of Pro as an investment that pays for itself with one good find. For learning, Community is perfect.
Mac, Windows, or Linux?
All work well. Linux is popular because most command-line security tools are built for it. macOS works great - it's Unix-based, so most tools work natively. Windows works fine with Windows Subsystem for Linux (WSL) for command-line tools. Use whatever you're comfortable with - you can switch later. The skills transfer across all platforms.
How do I learn Burp Suite quickly?
The best way is hands-on practice. HackerDNA labs teach Burp Suite through practical challenges. Start by intercepting requests on any website, modify a parameter, and see what happens. The built-in documentation (Help → Burp Suite Documentation) is comprehensive and worth reading. Within a week of daily use, the interface becomes second nature.
My proxy isn't working. What should I check?
Most common issues:
1. FoxyProxy not activated (click the icon, select your Burp profile)
2. Burp not running or proxy listener not started (check Proxy → Proxy settings)
3. Port conflict - another app using 8080 (change Burp to a different port like 8081)
4. HTTPS not working - CA certificate not installed (see Understanding section above)
5. Intercept is on - requests are paused waiting for you (turn off intercept or click Forward)
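To turn that checklist into something you can run, here is an added example (not from the course) that sends one request through the Burp listener with curl and maps curl's exit status onto the causes above; it also lists any certificate in a directory whose subject names PortSwigger, so you can confirm the CA is trusted only in your testing profile and not in the system store. `BURP_PROXY` and `BURP_CA` are assumed variable names with the defaults shown; the script needs curl and openssl.

```shell
#!/bin/sh
# check-burp.sh: probe the local Burp listener and explain a failure in terms
# of the common proxy problems. Added example; BURP_PROXY / BURP_CA are
# assumed names, not Burp settings.
BURP_PROXY="${BURP_PROXY:-127.0.0.1:8080}"
BURP_CA="${BURP_CA:-$HOME/bugbounty/burp-ca.pem}"   # Burp CA exported as PEM (optional)

# Map a curl exit status to the likely cause. Pure string logic, so it can be
# exercised without Burp running.
diagnose_curl_exit() {
  case "$1" in
    0)  echo "ok: request passed through $BURP_PROXY" ;;
    7)  echo "connection refused: Burp not running, listener stopped, or wrong port (issues 2 and 3)" ;;
    28) echo "timeout: Intercept is probably on and holding the request (issue 5)" ;;
    56) echo "unexpected reply from the proxy port: another program may own it (issue 3)" ;;
    60) echo "TLS trust failure: Burp's CA is not trusted by this client (issue 4)" ;;
    *)  echo "curl exit $1: look it up under EXIT CODES in 'man curl'" ;;
  esac
}

# Send one request through the proxy and report. curl ignores FoxyProxy, so a
# success here while the browser shows an empty HTTP history points at issue 1.
probe() {
  url="$1"
  set -- -sS -o /dev/null --max-time 10 -x "http://$BURP_PROXY"
  [ -r "$BURP_CA" ] && set -- "$@" --cacert "$BURP_CA"
  curl "$@" "$url"
  rc=$?
  diagnose_curl_exit "$rc"
  return "$rc"
}

# Print certificates under a directory whose subject names PortSwigger (Burp's
# CA). Run it over the system store, e.g. /etc/ssl/certs, to confirm the CA
# is trusted only inside the dedicated browser profile.
burp_ca_in_dir() {
  for f in "$1"/*.pem "$1"/*.crt; do
    [ -f "$f" ] || continue
    if openssl x509 -noout -subject -in "$f" 2>/dev/null | grep -qi portswigger; then
      echo "$f"
    fi
  done
  return 0
}

# Usage: ./check-burp.sh https://example.com [/etc/ssl/certs]
if [ $# -ge 1 ]; then
  probe "$1"
  if [ $# -ge 2 ]; then
    burp_ca_in_dir "$2"
  fi
fi
```

Run it once with Intercept off and once with it on: the second run should time out with the "issue 5" message, which is a quick way to convince yourself the mapping matches what you see in the browser.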
Should I use a VPN or virtual machine?
VPN: Useful for privacy and avoiding IP-based rate limits, but not required. Some programs have rules about VPN usage - check their policy.
Virtual Machine: Excellent practice for isolating your hunting environment. Keeps testing separate from your personal system. A Linux VM is a common choice for dedicated testing. Not required to start, but a good habit as you progress.
🎯 Your Environment Is Ready!
You now have a professional bug hunting setup and understand why each component matters. Burp Suite configured to intercept traffic, browser ready with useful extensions, command-line tools installed, and an organization system to track your work.
Ready to learn reconnaissance techniques →