Beginner Advice for Information Overload?


#1

Evening. Though I am not new to tech, I am new to the bug bounty scene. I have dabbled with web design in the past, HTML, CSS, CMS (XOOPS, JOOMLA) when they first came out. My security knowledge is more along the lines of malware removal and best practices.

I’ve been reading the OWASP testing guide and THPB 2 & 3 and the Web App handbook. To me it seems that a lot of the data is out of date, though most of the process is the same.

Right now, I’ve looked at a couple of different programs. Following along with the process, I’ve started mapping and looking. I turned in one found bug, however, it was within their “acceptable risk.” The more I look, the more I am getting information overload.

During the spider phases, I find information that looks like it may be susceptible to XSS, CSRF and a few other things. I start looking into them and get lost. I look at the books I’m reading but the examples are very, very basic. Like the sample scenario in the OWASP book for CSRF.

Everything I’ve come across is a lot more data in the pages than the examples. After getting a bit frustrated, I start looking at the other things that have been flagged in the spidering and scans. Then it starts all over.

So, for someone starting out, how should I go about the processes of not getting too much information overload? It seems the only bug I did find was happenstance. I’ve always been good at the first part of the bug hunting process. I do it as part of my daily job. Log analysis, troubleshooting. Once I find what’s needed, I pass it off to another team for them to do what they need. Now I’m trying to get past that.

Is there a mentor program? :slight_smile:


#2

This is always a challenge for new bug bounty hunters, as there is no book like those for programming languages, where you can learn and directly implement the same in your project or at least in a POC.

I think that if you can invest more time looking into the published reports of other bug bounty hunters then it would help you to get some idea to point out specific areas in bug bounty hunting. I agree that it is always starting from zero after getting lots of information in each phase and then again trying to implement new concepts. Also, this kind of group is very helpful as most of the questions are being answered by the real hackers.


#3

Pete Yaworski’s book Web Hacking 101 is a great way to wade in. It is essentially his notes on how he became a bug hunter and so is paced well for beginners.

Good luck!


#4

He is also writing another book that will be published in early 2019.


#5

Hi @clysm,

Maybe Pete’s book can help as a guide to not get lost.
Usually, each application works differently and the code/infrastructure is totally different than others. Finding a CSRF on Google is not the same as finding one on Facebook.
I used “spider” a few times only, but never found it useful. I should spend more time trying to make it work for me.
Maybe it is a good thing if you just focus on a program and try to find any kind of bug there. That way you end up understanding the application and infrastructure. Maybe it works for you.

Best.


#6

I’m looking for a mentor too!! This seems so awesome. :heart_eyes: