Actually I started bug hunting 1 year ago.
I have read so many books:
- Web Hackers Handbook
- OWASP Testing Guide [V4]
- Penetration Testing with Kali Linux
- Grey Hat Hacking 3
and many others
Programming languages that I know
I have taken a lot of hacking courses from Pentester Academy, YouTube, SecurityTube and from Cybrary also.
I know how different protocols like HTTP/SSL/TLS/FTP etc. work.
I have already solved bWAPP, DVWA, WebGoat, Web for Pentester and a lot of vulnerable web apps for practising my hacking skill,
but unfortunately I am still not able to find a valid security issue!
What do you guys think I am doing wrong? I mean, I don’t know what’s missing, but there is something which is missing…
I’m new as well, but hope my experience is helpful.
I can really relate to how you’re feeling, and I’m slowly learning and practicing on vulnerable web apps too.
I can also relate to the challenge of finding valid bugs, and the only thing I can say is keep at it. I started reading and practicing in June, and last month I had my first valid P5. It is a small personal victory for me, and keeps me motivated to keep trying.
The thing that recently started clicking for me is looking to understand how the interesting parts of the web application work. I try poking them with a stick to see if they do anything odd. I figure that over time that experience will help me see vulnerabilities quicker, but for now, I will take my time to poke everything to learn and gain experience. Personally, it has already helped me at work, where I noticed an Open Redirect and an IDOR two days ago on an internal site.
Advice, don’t give up!
You should try reading Web Hacking 101 from Peter Yaworski and reading the publicly disclosed reports from HackerOne at https://hackerone.com/hacktivity and bring that experience and ideas. Try to apply the examples explained over there in Bugcrowd’s programs. Read the AMAs from Bug Bounty Forum and explore Burp Suite Community a lot (when you get some bounties, give Burp Suite Pro a chance).
And if it’s possible, try to learn Python, shell scripting and PHP. Knowing how to program will help you understand the web application’s logic.
A delayed comment but I hope it could help you.
Thank you for your time!
Look to a program on an app you really know, like, and understand. That gives you a leg up. I would also imagine that your recon needs some work. I would look for blogs that are specifically recon related as well as threat modeling. There is a Hacker101.com video about lightweight threat modeling you should check out.
I am a CEH and preparing for OSCP… so I am solving CTFs… as much as I can. My aim is to become a security analyst, so please, anybody guide me. Totally confused… not getting proper focus.