My journey of becoming a bug bounty hunter from scratch thread

Hello! As the title says, I’m learning all of this from scratch, not a drop of previous IT experience. Whenever I learn a new skill or hobby I always like to make a starter forum thread about my progress. This helps me keep myself accountable and to have a road map as I go along. I also hope by doing this thread that in the future other new hackers can use it as a guide as well.

I’m interested in meeting people on this forum and being active for a long time. So here’s a little bit about me-No previous experience in IT, but I love to game.I wanted to become a game designer when I was younger but I never thought I was “smart enough” to do it. I loved modding games, especially RTS games like Command and Conquer. I’ve always liked the idea of hacking and it has always appeared as a cool “spy” look and feel to me, but again I never thought I would be able to learn it and I didn’t like the unethical side of it. Now about half a year ago I discovered ethical hacking and It sounds awesome! I’ve always had hobbies of taking things apart and putting them back together (Building cars for race tracks, putting together mechanical wrist watches to name a few). So being able to do this ethically is very interesting and I am up for the challenge. So now I made it a goal to find my first bug and report it successfully in 2020.

My experience so far- Nothing. No programming experience, no knowledge of any of it. I have been doing some reading so far such as Web Hacking 101 by Peter Yaworski and Didn’t have a clue of what I read.

Now with lots of free time for a month and a half due to a quarantine from the Corona Virus I figured this is the perfect opportunity to really focus on this idea. So currently I’ve been reading The Web Application Hackers handbook, doing HTML and Javascript coding lessons on code academy and Freecodecamp, and doing CTFs from Hack this Site and Hacker 101.
After gaining a better basic understanding I have a course from Zaid security that I purchased on Udemy that I’ll follow along with. After this I plan on trying to focus on one specific attack/topic at a time and mastering it on bug bounty targets. Hopefully I’ll come across something at that time.

Thank you for reading my long post and I look forward to keeping this updated and meeting people on here :).

Great thread and congrats.

I have been using some sites that I think you may find of interest…

https://tryhackme.com/tutorial

https://pentesterlab.com/pro

These have some really good challenges and cover a multitude of subject matter

I hope you do find some nuggets of info and that you can continue to learn this wide and varied topic.

Cheers,

CI69

1 Like

From what you wrote, I think you have an aptitude for this. The expertise should follow. I am a beginner, like you. But unlike you, I am trying to reinvent myself after a 35-year career in I.T. in the mainframe era. I spun my wheels for the first couple months trying to find the loose end of the Gordian knot. Finding a good starting place seems to be one of the hardest steps, and I suspect it will be different for each of us. For example, I don’t learn much of anything by watching YouTube videos. I suspect it is possible to do web app hacking without Linux or knowing much programming. That’s where I am for now. Good luck!

Hello All!

I’m going to jump in this thread too since I’m about 1.5 months into this.

I have a fairly strong IT background, but only basic level programming and app development. So this is new to me. I do know operating systems (Windows/Linux), Networking, and Security at decent levels.

I’ve found capture the flags to be helpful. Also, I’m getting really comfortable with Burp.

My main issue seems to be…that I can’t find any actual bugs on websites. I’ve reported several things. Some are already reported. 1 I was sure I had, but my POC didn’t work. I’ve tested about 20 different ones. I look for certain things like XSS and Open Redirects. I’ve found not 1. Now a lot of these sites I go to show that hundreds and in some cases thousands of bugs have been reported and remediated.

Does anyone have any guidance on that?

Thank you Cyberice for the resources. The try to hack me site looks like a fun way to learn with a lot of info. I’ve looked into pen tester labs a bit but it only seems like the paid version is the way to go, but I’ll give one of the modules a shot sometime.

Thank you Rich for the kind words! So far Linux has been useful with its tools and terminal but I’ve seen especially from hack this site that you can do a lot with the browser bar and other inputs on actual websites.

D3nn I totally agree with you as far as finding actual bugs. My personal issue is when I give it a go at messing around with some sites I’ll see things happen and I’m not entirely sure if it’s an exact bug to report or not. I think that’s what my next goal is to learn what the actual exploit is and what someone could gain, information or financially.

So far I’ve still been doing basic coding lessons still. I have a decent understanding of HTML now and I could code a basic website but have no clue of CSS so far to make it look good.

My next goal is to download atom and mess around coding an HTML site and opening it with my browser. I don’t have a need to make an actual site yet. After I get comfortable with that I’m going to start messing with Javascript, from what I’ve seen this plays a pretty significant role and can be useful to manipulate. After this I’m not entirely sure what I should try to learn the basics of. Should I look into python, MySQL, or something else?

I thought I would share two resources I came across for the brand new new to IT person like me. One’s a blog post that has a great list of resources in order to build a foundation upon, to finding actual bugs.
The other is an actual book that looks like it explains the basics of TCP/IP, HTTP, and all the other names and acronyms I have no clue about. I placed an order for a copy and will report back on the usefulness of it.

as I am also begginer to bug bounty the solution your problem is first to concentrate on one vulnerability and master in that and try to report some bugs on that vulnerability and move on to other vulnerabilities read as many articles in medium related to bug bounty they are really helpful and also start reading different books related to bug bounty (google it)…and also read various articles related to bug bounty on the internet

Been taking this advice and I’ve started looking into XSS now and doing CTFS. I’ve finished all the HTML and website builder courses on Codecademy. Also been doing JavaScript now.

One question I have if anyone can help about XSS, how do I determine or come up with a payload? They seem very random when reading bug reports