How To Start White Hat Hacking

We all know this isn't what hacking looks like, but I couldn't resist

So you want to start white hat hacking? Its not an easy skill to learn, but it can be a fun way to grow yourself professionally while making some money on the side and helping keep the public safe and secure. There is quite a bit to learn, but the goal of this post is that after reading this, you know where to start and will be on your way to submitting your first Security Report. But first, lets cover the basics.

The Basics

What is White Hat Hacking? White Hat Hacking is when an ethical security expert legally tests an organization’s software for any security issues and reports them to said company. This is done by testing an organization’s system till you find a security issue. Once an issue is found you write up a full report on the issue which includes but isn't limited to

1. A basic description of the hack
2. The impact of the hack
3. A step by step walk through of how to replicate the hack
4. Samples of relevant code or other examples to help

Getting Trained

Getting started often requires quite a bit of training. You will want to have a solid knowledge of computer programming skills already under your belt. You will want to have experience with the following topics if you want to do well in this field.

1. Operating Systems
2. Software Engineering
3. Networking
4. Security
5. Cryptography
6. Web Development
7. Databases

Once you have that, there are several different ways to further educate yourself on how to become a White Hat Hacker. Outside of universities, there are several programs and tools to help.

There are several web sites that include free training, like Hacker One and Cybrary, that can provide you the needed material. These are often in the style of free online courses.

You can also look at getting a certification, like from CEH or CISSP, which will provide the training you need and provide you with the documentation to prove it. These are often times actual classes, and while they do cost money, they deliver great value.

There are also many great books like the latest addition of Hacking Exposed: Network Security Secrets and Solutions, Web Hacking 101, and Metasploit: The Penetration Tester’s Guide. These will provide training and go over many specific web exploits giving you good ideas on initial hacks to start testing for.

There are online tools you can use to help you learn like the OWASP Web Goat Project. These tools will often times provide you with practice environments to actually safely test your skills.

Finally, there is a wide community of people who can help you get started. For example, there are many conferences like DefCon which can provide plenty of training and mentorship.

Where To Find Hacks

When you are getting started, you may have trouble finding eligible organizations to provide testing for. To find an organization with an eligible white hat or bug bounty program you can do one of two things. You can either check if they have a bug bounty program listed on their site, or you can go to a company that runs bug bounties, like Hacker One or Bugcrowd, which will provide a list of companies you can check out. Its important to find these listings first as these will have the rules of the program helping to ensure you comply with the laws and regulations.

Your First Hacks

Now that you know where you can get trained and find your first bug bounties, you could use some tips on your first hacks.

Follow the rules

All programs will have a set of rules to follow. As an ethical White Hat Hacker you need to make sure you read and stay within those guidelines and follow the rules of the program. Outside of ensuring you remain ethical and staying out of trouble, this can also save you time. Many issues you may discover may not actually be accepted by the organization. This could be for several reasons including but not limited to the software with the issue no longer being supported, the organization already being aware of it, the organization determining that type of bug is too low severity, or the organization not wanting that issue investigated because it could cause issues. Examples of the last one can include DDoS attacks and social engineering. Those are usually banned from white hat programs.

Follow their posted rules

Hacks to avoid

As I mentioned in the last section, organizations often times wont accept all types of issues. While you should check with the program for individual details because they can vary, I am going to list some hacks that are generally not accepted and you should avoid.

1. Social Engineering and Physical Attacks: These can cause large issues for an organization and is unethical. These are rarely, if ever, accepted and should always be avoided.
2. Denial of service (DOS) attacks: These can cause large issues for the organization and dont provide much value. These are rarely, if ever, accepted and should be avoided.
3. Scanners or Automated Testing: These are fairly easy for the company to do and they do not provide much value coming from a White Hat Hacker. Additionally, automated scans could cause issues for said organization.
4. SPF/DMARC/DKIM: These are usually considered out of scope unless you can prove a major issue has occurred.

Disclosure

Most programs have a disclosure policy. Make sure to read, understand and follow the policy before you began to speak publicly about the hack. Often you will need to submit a request to publicly discuss the contents of the hack.

How to find hacks

When you get started with the system you are going to want to properly understand how their system works.

You can accomplish this by mapping out their system. This will include mapping out the website, how it works, the inputs, and all the connections it makes. Testing out any APIs they make calls to, so you can understand how the API works, what end points they have, and what software, operating systems and tools its running. You can continue to follow this line of thought as you map out their entire network as much as possible. Once you have a clear picture of what their system looks like, it will be much easier to find issues.

Never stop learning

There are always new bugs, techniques, technologies and tools coming out. Make sure to stay involved in the community and to continue to read up on the latests updates to ensure your skill stay up to date.

Follow the Law!

You should always remain with in the law and never engage in “Black Hat” activity. You should never hack or attack someone without their full permission. Even if you avoid legal repercussions, not following the law will have a significant and likely bad impact on your career.

Summary

I hope you found this article helpful. There is a lot you will need to learn before you began ethically hacking, but hopefully this will set you on the right track to your first white hat hacking role! AND DONT FORGET TO FOLLOW THE LAW!

This is apparently what comes up for pictures if you type in hacker, so yeah this is apparently what you will become, maybe?

Your on your way to becoming a White Hat Hacker! For those interested, SimplyVital Health is also hiring for security related roles!