My baby steps towards Bug Bounty Hunting — an arduous yet exciting journey


It’s fascinating how life has its twisted plots. I am an Oral Pathologist by education, an Entrepreneur by profession, and here I am giving a shot at writing an article on my bug bounty hunting/web app hacking journey!! I know it sounds crazy, but it’s amazing how much you can learn and do if you put your mind to something. However, I would be digressing here. I’ll write more on this some other time.

So, what’s the deal with this blog post?

“What did the individual learning web app hacking go through, did he/she have any prior experience with IT or computers in general, what were the mistakes he/she made during his/her learning curve, what learning resource helped the individual as opposed to some other resource, how much time did he/she dedicate to learning.”

This is something I always searched for as a beginner. I did read/listen to (through podcasts) many hackers’ personal learning experiences, but I had to do a lot of digging and searching!

This blog post would be an attempt in that direction. While this would be a non-technical post, I plan/intend to also start writing technical write-ups in the future (hopefully). That way I could help the community and also learn and improve along.

How long have I been at this?

The beginning is the toughest!

How much time did I dedicate in the beginning?

After the first 3 months, I lost some motivation. I had a lot of work at hand and couldn’t maintain consistency. I was tired and exhausted after work. I used to somehow, irregularly, keep up some reading so that I did not jeopardize the hard work I had put in during the previous 3 months. There was a phase of at least 3 months where I used to read stuff and read it again, because I kept forgetting things (as a result of the inconsistent reading and learning).

What did I read in these first 6 months?

It’s important how you start off when beginning something new, especially when trying to start in a new field altogether. It’s very tempting to begin with the best books on the market, but you see, it doesn’t help one’s cause. You need to know where you stand and reverse engineer from there in order to even know what you have to learn. Let me explain.

When I started googling how to learn web app hacking, the overwhelming response from the community was to read “The Web Application Hacker’s Handbook”. You see, the community is right. It is one hell of a book! But I had to be self-aware and understand that jumping in with that book wouldn’t help. I didn’t know shit about technology, web applications or how they work. Heck, I didn’t know how the internet worked!!

I tried searching for something like IT for dummies or something in that front and I found this book called “How to Speak Tech. The non-techie’s guide to technology basics in business” authored by Vinay Trivedi.


This is an amazing book, especially for those who are completely ignorant of how technology works. The very first chapter starts off with “how the internet works”. It has chapters on hosting, back end and front end programming languages, APIs, databases and the like. Of course, it offers a very basic layman’s explanation of these concepts. I complemented this book with YouTube videos (on the same topics I was reading) wherever I had to, and started getting the hang of the technology jargon. The YouTube videos I initially watched were basic and include videos such as “How the Internet Works in 5 Minutes”. This YouTube playlist called “How the Internet Works” by the channel is great.

A lot more YouTube videos later, I started a deep dive into web application basics. The 3rd chapter in “The Web Application Hacker’s Handbook” (Dafydd Stuttard & Marcus Pinto) is badass!


I mean, the book itself is great, but I can’t tell you how many times I have read this chapter. This chapter has all the basics: the HTTP protocol, methods, requests & responses, URLs, cookies, basic web technologies and so on. It was in no way easy to understand (at least for me). I have no qualms in saying I kept re-reading this chapter; I used to read it, watch YouTube videos on the same topics, come back and re-read it. Every time I read it, my understanding improved.

But beyond this, I started struggling to grasp concepts in the other chapters of the book. I was stuck and started searching to see if there was an even more basic book that could help my cause. I didn’t quite understand which knowledge gap I had to fill in order to make progress with the hacker’s handbook. I came across this article, “So you want to be a security engineer?”, written by Niru Ragupathy. The article was a great read and it gave me some impetus as to where I could head next. To date, I keep going back to this article and reading it.

But the game changer for me was this book titled “Web Application Security: A Beginner’s Guide” (Bryan Sullivan and Vincent Liu). It helped my understanding so much that I started becoming confident moving forward.


I feel this book is underrated and I highly recommend it for beginners starting to learn web app hacking from scratch. This book is written from a defense perspective and makes the basic concepts of web applications and web app security so easy to understand, especially the concepts of authentication and authorization. It greatly helped set my understanding of authentication, sessions and session management, cookies, and in general how web applications work. It also has a great chapter explaining XSS and CSRF. It is tailor-made for beginners (but I should say I did struggle to understand XSS and CSRF initially).

After this, going back to “The Web Application Hacker’s Handbook” was easier than before. I started making some progress comprehending stuff. I never read the book in its entirety, though. I used to jump across blogs and videos according to my personal comprehension of topics. Boy, were these 6 months tough!

Two months of deliberate practice

I remember having this “child-like” excitement trying to hack Zomato! I tried reading disclosed HackerOne reports, going back to books and blogs, reading reports again, and back and forth. All this while also doing bug bounty hunting on Zomato. Honestly, most of the time I didn’t know what the heck I was doing when bug hunting. After 2 months of doing this, I realized I had to stop. It was fun, but I was wasting time; I had to discipline myself to go back to reading. But this was by far the best learning phase. After this, books and articles were a lot easier to understand!

Another 4 months of learning

Bug Bounty Hunting

My first 2 months in bug hunting were just random testing. There was no plan, no methodology I specifically followed. I knew I had to take a step back and do something about this. I would recommend not rushing into things and doing random monkey testing. It yields frustrating results. You have to give yourself the time to do some research and experimenting to come up with your own methodology. Develop a pattern, your own style of bug hunting, and put some effort into organizing it. It need not necessarily be thorough (at least as a beginner), but IT HAS TO BE DISCIPLINED & ORGANIZED. You have to know what you want to do next and when to move on when things don’t work as planned. By no means am I having any roaring success following this, but it has disciplined my bug hunting and makes it a notch easier. These are some resources I leveraged to come up with my methodology:

1. The 21st chapter in “The Web Application Hacker’s Handbook”. This gives you a detailed overview of how you could go about testing a web app. I’ll be honest, I found this a little overwhelming, though.

2. The 7th chapter, on testing and methodologies, in “Breaking into Information Security” by Andy Gill. This is a sort of broken-down, briefer view of the one given in “The Web Application Hacker’s Handbook”. This was more digestible.

3. Peter Yaworski’s “Web Hacking Pro Tips” video series on YouTube. In this series he interviews successful hackers and picks their brains about how they go about their hacking: how they started, how they train, how they go about hacking/testing web apps, their tips and tricks. Carefully listening and taking notes can give you tremendous insights into how you could go about bug bounty hunting.

4. I would highly recommend leveraging Bugcrowd’s forum. The forum has hundreds of questions by beginners that have been patiently and very nicely addressed by seasoned hackers. Take your time and go through the forum. Dig deep and you will find gems when it comes to methodology, tips and tricks.

5. There are 2 videos on Stök’s YouTube channel I found particularly useful as far as methodology was concerned. One was “I accidentally started a live stream and it turned into #askstok” and the other was “BUG BOUNTY METHODOLOGY TIPS TO ALWAYS TEST FOR!” with Jason Haddix.

I spent a lot of time patiently doing the above to come up with my own unique method of bug hunting. Not that it’s perfect, but I make an effort to keep experimenting and changing it when necessary.

This is just the beginning

P.S - I also write/host “FourZeroThree” an email newsletter on Internet security —

Written by

Dentist | Entrepreneur | Bug bounty enthusiast | I also write/host “FourZeroThree” a newsletter on Internet security
