Hello friends, I am a beginner too and I had almost the same questions you have. As a beginner I don’t have a lot of Rep or Kudos but I want to give my 2 cents to help someone like me.
You should read “The Web Application Hacker’s Handbook 2nd Edition” and you can download the nice book of Peter Yaworski available for free in https://hackerone.com/resources/web-hacking-101 (if you are registered). Other option is to visit frequently hxxp :// hackerone . com /hacktivity or http://h1.nobbd.de where you can find a lot of limited information or totally open reports. With that resources your eyes will be opened and you’ll have the idea that there are a lot interesting types of vulnerabilities and how to approach it.
Other suggestion I could give is you should learn to use at least the basic Burp Suite’s features (repeater, intruder, decoder, spider without any particular order) if you can’t afford yet buying the BS Pro version, or another proxy software you feel comfortable with, because if you come (like me) from shooting targets having SQLi or XSS found by Google dorks, when you find targets like Instacart it’s tedious to shot XSS payloads directly in the URL website. I think Burp Repeater might help if you have some XSS payloads and shot them from there, in the aside window you can see if your payload fired the pop-up you are waiting (the response time I guess is faster).
In the time you’ve acquired some experience and your knowledge it is increased maybe you will look for a methodology, the Jason Haddix methodology in this link hxxps :// github . com /jhaddix/tbhm I think is good (I stumbled with that resource yesterday while reading a twitter time line).
I don’t know if Instacart has a private or public program in BugCrowd too, but if know about them by HackerOne, keep reading the open reports they offer in that platform (since this initial question, 8 months ago, Sep/16, a hacker found a XSS at Instacart in Jan/17 and another hacker found a bypass in the same company in May,11th, 17).
This morning I was reading open reports and saw one from Instacart, where a hacker found a XSS (hxxps :// hackerone . com / reports/196221) and around 5 months later another hacker found a bypass for the fix implemented in the same url (hxxps :// hackerone . com /reports/227809).
There’s a lot good information in HackerOne reports. Personally in the BugCrowd Forum I see low participation (8 months without a helpful answer) from experienced hackers or maybe there’s no enough time to answer so basic questions like this. Maybe the success of HackerOne is the open reports where beginners like us we can find.
Good luck, try harder and happy hacking!
“Sorry, new users can only put 2 links”, why limiting to new users? That are really weird policies but I think are useful for someone. it is appreciated you are sorried for new users about that limitation.