Evening. Though I am not new to tech, I am new to the bug bounty scene. I have dabbled with web design in the past, HTML, CSS, CMS (XOOPS, JOOMLA) when they first came out. My security knowledge is more along the lines malware removal and best practices.
I’ve been reading the OWASP testing guide and THPB 2 & 3 and the Web App handbook. To me it seems that a lot of the data is out of date, though most of the process is the same.
Right now, i’ve looked at a couple of different programs. Following along with the process, I’ve started mapping and looking. I turned in one found bug, however, it was within their “acceptable risk.” The more I look, the more I am getting information overload.
During the spider phases, I find information that looks like it maybe susceptible to XSS, CSRF and a few other things. I start looking into them and get lost. I look at the books i’m reading but the examples are very, very basic. Like the sample scenario in the OWASP book for CSRF.
Everything I’ve come across is a lot more data in the pages than the examples. After getting a bit frustrated, I start looking the other things that have been flagged in the spidering and scans. Then it starts all over.
So, for someone starting out, how should I go about the processes of not getting too much information overload? It seems the only bug I did find was happenstance. I’ve always been good at the first part of the bug hunting process. I do it as part of my daily job. Log analysis, troubleshooting. Once I find what’s needed, I pass it off to another team for them to do what they need. Now i’m trying to get past that.
Is there a mentor program?