My baby steps towards Bug Bounty Hunting — an arduous yet exciting journey

It’s fascinating, how life has its twisted plots. I am an Oral Pathologist by education, an Entrepreneur by profession and here I am giving a shot at writing an article on my bug bounty hunting/web app hacking journey!! I know it sounds crazy but it’s amazing, how much you could learn and do if you put your mind to something. However, I would be digressing here. I’ll write more on this some other time.

Psst…I host a blog/email newsletter called “FourZeroThree”, where you could catch up with a lot more articles on internet privacy and security!

Well, this article is an attempt to run through my personal journey so far, in learning web app hacking and bug bounty hunting. But why would I do this? When I started out learning, I found there was no dearth of learning resources (blogs, videos, courses). You have to give it to them, the hacker community is amazing that way! However, I still, to this day, hunt for hackers’ personal learning experiences, hoping one would personally resonate with me. An article that would give me solace and maybe telepathically tell me I am on the right track. You see, there are umpteen beginner articles telling you to read “The Web Application Hacker’s Handbook”, “Web Hacking 101”, the “OWASP Testing Guide”, hacker blogs, and the list goes on. You know the routine. Don’t get me wrong, the beginner articles are the reason I am here right now. But I feel knowing someone else’s personal learning curve and experience, along with the rest of the stuff, would immensely help. Knowing that your fellow hacker went through the same emotional and learning hardships would give great comfort and motivation.

“What did the individual learning web app hacking go through, did he/she have any prior experience with IT or computers in general, what were the mistakes he/she made during his/her learning curve, what learning resource helped the individual as opposed to some other resource, how much time did he/she dedicate to learning.”

This is something I always searched for as a beginner. I did read/listen to (through podcasts) many hackers’ personal learning experiences, but I had to do a lot of digging and searching!

This blog post would be an attempt in that direction. While this would be a non-technical post, I plan/intend to also start writing technical write-ups in the future (hopefully). That way I could help the community and also learn and improve along.

I started learning web app hacking in June 2018. I continued to learn and train (with labs) for a year (don’t get me wrong here, I still continue learning. It never ends!) without any serious bug hunting. I started bug bounty hunting in the month of June this year (2019) and have continued to do so (along with learning) consistently for the last four months. I have so far submitted 4 reports, with 2 being duplicates, 1 being invalid and 1 earning me a three figure bounty. I have such a long way to go, but hope this is a start of sorts.

You see, I have no background in Information Technology or Security, whatsoever. The amount of frustration, overwhelm and discomfort that I had to go through to learn something ridiculously new, is something I cannot express in words. This was in part because I had already spent 10 years learning dentistry. I had to put in conscious effort to re-wire and learn something new altogether (from scratch)! I should say, however, that I kept at it solely because I found it interesting and intellectually challenging (apart from a major motivation being the bounties/cash rewards successful bug bounty hunters got :P). Being an entrepreneur (and having that mindset) helped me stay motivated. I went through the same emotional overwhelm when I founded my company 3 years back. So that helped (mentally).

I am a full time entrepreneur, hence learning was tough in the beginning. I probably dedicated 5–12 hours per week for the first 3 months, learning the basics. I used to most often dedicate time in the morning between 6–8 AM or sometimes at night between 8–10 PM. Many a time I compromised my Sunday mornings to learn for 4 hours at least. I was never paranoid about how much time I had to put in, but I disciplined myself to consistently put in a minimum of 5 hours a week.

After the first 3 months, I lost some motivation. I had a lot of work at hand and couldn’t maintain consistency. I was tired and exhausted after work. I used to somehow irregularly maintain some reading so that I did not jeopardize the hard work I had put in the previous 3 months. There was this phase of at least 3 months where I used to read stuff and read it again, because I kept forgetting things (as a result of the inconsistent reading and learning).

So far, the first 6 months have been the toughest phase for me in learning web app hacking. I was distracted, demotivated, impatient and sometimes bored to death. But I hung on.

It’s important how you start off when beginning something new, especially when trying to start something in a new field altogether. It’s very tempting to begin with the best books in the market, but you see, it doesn’t help one’s cause. You need to know where you stand and reverse engineer from there in order to even know what you have to learn. Let me explain.

When I started googling how to learn web app hacking, the overwhelming response from the community was to read “The Web application hacker’s handbook”. You see, the community is right. It is one hell of a book! But I had to be self aware and understand that jumping off with that book wouldn’t help. I didn’t know shit about technology, web applications or how they work. Heck, I didn’t know how the internet worked!!

I tried searching for something like IT for dummies or something in that front and I found this book called “How to Speak Tech. The non-techie’s guide to technology basics in business” authored by Vinay Trivedi.

This is an amazing book, especially for those who are completely ignorant of how technology works. The very first chapter starts off with “how the internet works”. It has chapters on hosting, back end and front end programming languages, APIs, databases and stuff like that. Of course, it offers a very basic layman explanation of these concepts. I complemented this book with YouTube videos (on the same topics I was reading) wherever I had to and started getting a hang of the technology jargon. The YouTube videos I initially watched were basic and include videos such as “How the Internet Works in 5 Minutes”. This YouTube playlist called “How the Internet Works” by the channel is great.

A lot more YouTube videos later, I started making a deep dive on to web application basics. The 3rd chapter in “The Web application hacker’s handbook” (Dafydd Stuttard & Marcus Pinto) is badass!

I mean, the book itself is great, but I can’t tell you how many times I have read this chapter. This chapter has all the basics, HTTP protocol, Methods, Requests & Responses, URLs, cookies, basic web technologies and so on. It was in no way easy to understand (at least for me). I have no qualms in saying I kept re-reading this chapter, I used to read it, watch YouTube videos on the same, come back and re-read it. Every time I read it, my understanding improved.

But beyond this, I started struggling to grasp concepts in other chapters of the book. I was stuck and started searching to see if there was an even more basic book that could help my cause. I didn’t quite understand which knowledge gap I had to fill in order to make progress with the hacker’s handbook. I came across this article “So you want to be a security engineer?” written by Niru Ragupathy. The article was a great read and it gave me some impetus as to where I could head next. I, to date, keep going back to this article and read it.

But the game changer for me was this book titled “Web Application Security: A Beginner’s Guide” (Bryan Sullivan and Vincent Liu). It helped my understanding so much, I started becoming confident moving forward.

I feel this book is understated and I highly recommend this book for beginners starting to learn web app hacking from scratch. This book is written from a defense perspective and makes the basic concepts of web applications and web app security so easy to understand. Especially concepts of Authentication and Authorization. It greatly helped set my understanding of authentication, sessions and session management, cookies and in general how web applications work. It also has this great chapter explaining XSS and CSRF. It is tailor made for beginners (but I should say I did struggle to understand XSS and CSRF initially).

After this, going back to “The Web Application Hacker’s Handbook” was easier than before. I started making some progress comprehending stuff. I never entirely read the book, though. I used to jump across blogs and videos, according to my personal comprehension of topics. Boy, were these 6 months tough!

Interestingly after that period, I experimented with deliberate practice. As an entrepreneur I know for a fact that one can learn a lot more by executing/doing. I learnt to set up a virtual lab (I used the OWASP Broken Web Applications) and spent a few hours a week (around 5–15 hours) learning how to use Burp Suite (free/community edition), capturing and tampering data and whatever little I learnt, to poke around the apps in the virtual lab. I also went a notch further, by participating in Zomato’s bug bounty program.

I remember having this “child like” excitement trying to hack Zomato! I tried reading disclosed HackerOne reports, going back to books and blogs, reading reports again and back and forth. All this while also doing bug bounty hunting on Zomato. Honestly, most of the time, I didn’t know what the heck I was doing when bug hunting. After 2 months of doing this, I realized I had to stop. It was fun but I was wasting time; I had to discipline myself to go back to reading. But, this was by far the best learning phase. After this, books and articles were a lot easier to understand!

This was a phase where I somehow forced myself to level up. I started learning the basics of HTML and JavaScript (freeCodeCamp, Codecademy, Colt Steele’s course on Udemy), learnt how to use the Chrome and Firefox console, used to deliberately look at the page source code of websites, kept reading HackerOne reports and other technical blog posts/writeups and started watching talks given by hackers like Jason Haddix (the Level Up series). I also taught myself through courses on Udemy (Zaid Sabih’s course) and Pluralsight (Troy Hunt’s course). I know many fellow hackers advise against this, but as a beginner, shelling out a few bucks for the right course really helps. This was along with practicing on vulnerable web apps, not to forget reading and re-reading books. I still feel like an impostor. Learning web app hacking never ends!

After a year I thought I should seriously give some time to bug bounty hunting. I started in June 2019 and initially, for 2 months, I dedicated a day or two per week solely to this (around 6 hours/day). However, in August and September, I tried experimenting with bug bounty hunting for at least 35–40 (effective) hours a week (this includes bug hunting, reading & research and making notes). My co-founder was kind enough to compensate and cover for my work in our business. Moreover, I had worked very hard towards setting up the company for the last 3 years and I had the leverage to dedicate this time to bug bounty hunting. So I gave it a shot. These 2 months have been amazing. I can’t tell you how much I have learnt.

My first 2 months in bug hunting were just random testing. There was no plan, no methodology I specifically followed. I knew I had to take a step back to do something about this. I would recommend not rushing into things and doing random monkey testing. It yields frustrating results. You have to give yourself the time to do some research and experimenting to come up with your own methodology. Develop a pattern, your own style of bug hunting, and put some effort into organizing it. It need not necessarily be thorough (at least as a beginner), but IT HAS TO BE DISCIPLINED & ORGANIZED. You have to know what you want to do next and when to move on when things don’t work as planned. By no means am I having any roaring success following this, but it has disciplined my bug hunting and makes it a notch easier. These are some resources I leveraged to come up with my methodology:

1. The 21st chapter in “The Web Application Hacker’s Handbook”. This would give you a detailed overview as to how you could go about testing a web app. I’ll be honest, I found this a little overwhelming, though.

2. The 7th chapter on testing and methodologies in “Breaking into Information Security” by Andy Gill. This is sort of a broken down, briefer view of the one given in “The Web Application Hacker’s Handbook”. This was more digestible.

3. Peter Yaworski’s Web Hacking Pro Tips video series on YouTube. In this series he interviews successful hackers and picks their brains as to how they go about their hacking. How they started, how they train, how they go about hacking/testing web apps, their tips and tricks. Carefully listening and taking down notes can give you tremendous insights into how you could go about bug bounty hunting.

4. I would highly recommend leveraging Bugcrowd’s forum. The forum has hundreds of questions by beginners that have been patiently and very nicely addressed by seasoned hackers. Take your time and go through the forum. Dig deep and you would find gems when it comes to methodology, tips and tricks.

5. There are 2 videos on Stök’s YouTube channel I found particularly useful, as far as methodology was concerned. One was “I accidentally started a live stream and it turned into #askstok” and the other “BUG BOUNTY METHODOLOGY TIPS TO ALWAYS TEST FOR!” with Jason Haddix.

I spent a lot of time patiently doing the above to come up with my own unique method to bug hunt. Not that it’s perfect, but I make efforts to keep experimenting and changing it if necessary.

The last 1 year and 4 months seems like a long time, but ironically I have just started :P My article comes to an end here, because honestly I am a rookie and don’t have any tips or tricks to offer. After all, I am just 4 months old (the time I have been bug hunting) :)


Internet privacy, security, OSINT & Bug bounty enthusiast. I write/host “FourZeroThree” a blog on Internet privacy & security