When I am frustrated about not knowing what to do or not finding enough bugs, I try to help my cause by introspecting and making an attempt at “upping” my game. Part of this introspection is trying to actively identify knowledge gaps and skill gaps. (For the sake of sounding tangled) I make up for these gaps by running “learning experiments”.
You see, self-learning something like web app hacking can be difficult because there is no set step-by-step path. You read, practice, hunt/hack and keep running this cycle. Learning by doing is great (as that is the best way to learn bug bounty hunting), but “knowledge and skill gaps” in this journey are inevitable.
I am very much a rookie, and keep running learning experiments to raise my game. I won’t be a hypocrite. This process is, at most times, terribly frustrating and boring. I am so flustered at times that I am not able to rake in enough cash$$ (doing bug bounty) that I want to fling my laptop!! But you see, the process of introspecting and running learning experiments every day to become a notch better at your art is a wonderful journey. You know at the back of your mind that “the” day will come when your skills give you dividends, the returns. It’s more like, you enjoy doing bounties, so much so that cash becomes a side effect. So here’s my two cents on how you could attempt to raise your game, or rather, this is what I did/am doing to become better (assuming it is in the right direction).
The “Chicken or the egg” dilemma
As a rookie, you know you have a lot to read and learn. At the same time, you need hands-on experience to actually become better at this art. While there is one group always reading and getting stuck due to “analysis paralysis”, there is another just starting Burp, intercepting traffic and going baloney, without knowing much. Balance is key.
You see, at the end of the day, to become better you need to “DO”, whatever the field. You need not necessarily know how to program or know the OWASP Top Ten (from top to bottom) from the get-go. One could read “just enough” to actually start bug bounty hunting. JUST START! This is subjective; how much is “enough” depends on the individual. Of course the excitement ends after a few days, when you realize the “enough” you learnt so you could start hacking isn’t actually “enough”. Don’t fret. This realization is growth. Act on it. Make a point of noting the knowledge gaps and skills you need to get better at while actively bug bounty hunting. Jot them down. Take a break, and start reading/learning (again, the duration here depends on the individual). But don’t fall for “analysis paralysis”. I have made this mistake and realized that momentum is key.
This experiment of cyclically reading “just enough” → bug hunting → taking a break to read/learn “just enough” to fill knowledge gaps → bug hunting is serving my bug hunting purpose well. This is an attempt to actively “up” my knowledge and skills at the same time. You don’t have to read or know everything. Read/learn “enough” to keep hacking and progressing steadily.
I feel my game got better when I started learning reconnaissance. After starting to learn recon, I have understood that it is an art in itself and has so much potential to net you many wins.
This is all the more important when you are just starting out hacking. It’s obvious, isn’t it? How many critical or high-impact bugs can a rookie get by attacking a robustly secured website that has been running a public bug bounty program for many years? As clichéd as it may sound, recon is key.
When I started bug bounties, to be honest, recon overwhelmed me. I thought learning to attack would be enough. Or rather, that’s how I convinced myself so that I could justify my procrastination in learning recon.
I had to get uncomfortable, as I did not enjoy recon. Like every beginner, I thought recon was only about finding subdomains. I did not know what to do next. Most articles I read focused on the tooling and methodology needed to find as many subdomains as possible. So I ran an experiment. I have discussed this in my previous blog post (The need for note making and an organized methodology in Bug Bounty Hunting) too. I tried learning recon through Twitter. I don’t know if you would believe it, but a lot of the recon that I do as of today I learnt via Twitter, and I continue to learn. Run a Twitter advanced search with some (recon) keywords and hashtags as filters and, lo and behold, you have recon-specific tweets! The best part is, tweets are very personal and hackers tweet what worked for them. The conversations that follow a tweet are amazingly informative too, not to forget the links to great articles (in tweets) that may be useful. You see, I follow some very skilled people on Twitter, but the advanced search brings up hundreds of tweets from hackers I have never heard of, and they are amazing too. You learn a metric ton!
Getting comfortable with OWASP ZAP
I was initially taking in as much learning material as I could with regard to using Burp Suite. But let’s face it, you miss a lot of features in the Community edition. Spidering, running a quick scan, content discovery, using Intruder for fuzzing and brute-forcing: these are very important too. You see, all these features comprise a significant part of web hacking.
So what did I do? I got uncomfortable, learnt how to use OWASP ZAP and am now trying to leverage these features. It comes in so handy, especially now, when I cannot yet afford a Burp Pro license. Now I use both Burp and ZAP for bug hunting!
Learning from someone else’s experience to become a better hacker
So, not just in web hacking but in any field, you naturally get better with experience. To put this in other words, you get better with repetition: doing the same mundane things over and over again for a long time. Repeating an action helps create mental dots that connect with time.
Less repetition/action (hacking/bug bounty hunting in our case) = more time needed to become better at it; more repetition/action = less time needed to become better at it. You could also substitute a specific skill set, bug class, etc. for “action” in the above equation.
More action (hacking/bug bounty hunting in our case) increases your chances of pattern recognition. Pattern recognition is key.
Now, action requires time, and there is only so much you can do with the time you have (you may be running a side business, have a job, other commitments, etc.). So, why not learn from someone else’s experience? You could read any number of technical articles you want, but the “tidbit” gems (great tips & tricks) that could go a long way in bettering your art can, in my opinion, be found in hackers giving tips on Twitter from their personal experience. You see, there are so many in this field tweeting…
- tips and tricks
- about their mistakes
- about what they could have done better
- about what generally works and what doesn’t (at least for them)
- about their methodology (how they hack)
- about their personal opinion on something…
and so much more. The best part (like I mentioned previously) is the conversations that follow. Other hackers debate, give their opinions and offer advice on the tweet. I have spent hours reading tweets through advanced search filters on Twitter. It’s amazing how much you can learn from other hackers’ experience. There is so much information continuously getting buried in your feed. Don’t depend on what your feed provides you. Do an advanced search and you could learn a bunch of great stuff!
I have now made it a routine to do this for some time once in the morning and once before going to sleep. Keep taking in as much as possible to get it buried in your subconscious mind, and then retrieve it when necessary (retrieving from memory is a significant skill too. Start off by making notes).
There is so much more you could do to keep bettering your art. But these are some of the things that I could articulate in this blog post.
This may sound easier than it actually is, but enjoy the process of learning and obsessively want to get better at your art. What else can you do? After all, diamonds are forged over millions (billions maybe, need to google it) of years!
Let me finish off with one of Naffy’s tweets.