Questions regarding Programming and learning path

Hello all, newbie here trying to get into bug bounties for the past month or so (actually attempted it last year too but life happened :confused:).

So I started by learning to code, mainly the beginner courses on Codecademy for HTML, CSS and JS. I am also fairly decent at Python because I studied it in uni and I think that with a bit of practice, since I’m very rusty, I should be fairly decent again (nothing advanced though). I also did a 25-hour networking course at Coursera (mainly because I find it really interesting). My plan next is to do the free course by The Cyber Mentor, for which I have heard great things, and then read Web Hacking 101. So my questions are:

- Should I spend more time on learning how to program or am I at a good enough level to get me started?

- Should I delve into more advanced topics in networking or is the fairly basic course enough?

- How does continuing with the course from CyberMentor and the Web-Hacking 101 sound? Are they too easy or difficult for my level? Should I pick up another resource better suited to my skills and needs?

Of course I understand that there is no “right path” to becoming a bug bounty hunter, but sometimes it gets rather hard knowing when to stop focusing on a subject and shift your attention to another.
Thank you all in advance!

Hey @CynicalBug,

Having strong Python skills is a great asset when bug bounty hunting. You ask some interesting questions, which I am not sure can be quickly or easily answered, since the result will probably be “it depends”. :stuck_out_tongue_winking_eye:

Gaining book knowledge is always good. Cybermentor’s courses are pretty good, but you won’t walk away as the next ‘leet coder from it. That’s not its intent. But he does use Python and bash to show how to leverage automation to make your life easier as a hunter.

A better approach to thinking about this is to ask yourself how will your programming skills help you in your bug bounty hunting career? Well, that all comes down to the type of vulns you like to chase down. It’s common practice to get a breadth of knowledge in all the different types of attack vectors, and then with laser focus tackle one or two vuln types that you like. Then you can apply your programming skills to speed up a lot of the grunt work that can be automated.

You don’t have to be a programmer to hunt bugs, but it definitely can help. JHaddix shows in his Bug Bounty Hunting Methodology a process that doesn’t require a lot of programming skills, but does consider scripting automation to be helpful.

One thing to consider is to find the type of vulns you like and ask yourself “when looking for this what do I have to regularly do”? Surprisingly, this is where you can then think to use those skills.

I’ll give you a personal experience from my own journey. I just love tackling APIs. There is a lot of recon I do to look for inconsistencies in the endpoints. Over time, I wrote myself a nice set of Python scripts that took what felt like hours of recon effort down to minutes. Then I shifted it into a custom Burp extension (yes, you can write Burp extensions in Python using Jython, which is really cool). Now when I see an endpoint call I can click on it and launch my extension and have reproducible results each and every time in short order. A great use of programming to make me much more efficient.

YMMV.

Anyways, to sum it up, think about the vuln types you like to pursue. Work on those and get really good at them. In your journey to excel at that, think about how to apply your programming skills to help you do that work more efficiently. Then you will know which programming skills you might want to improve on, if any.

HTH. Happy hunting.

Thank you for the reply!

I guess I should leave coding aside from now and just focus on the course by CyberMentor and I guess after that I’ll go ahead and read the OWASP testing guide just to get a better understanding on some of the most common vulnerabilities.

Sounds like a good plan. A few other suggestions:

  1. Complete the modules in BugCrowd University

  2. Then watch all the videos @ Hacker101

  3. Then read all the learning material and complete all the labs at PortSwigger’s Web Security Academy

  4. Then challenge yourself to complete all tasks in the OWASP JuiceShop

  5. Then complete the Hacker101 CTF challenge

By the time you complete all this you will have created a strong foundation of knowledge and experience to tackle pretty much any Bug Hunting program in front of you.

Experience will trump all. But that comes with time. Doing the above will help towards that.

Good luck. Happy hunting!

I’m a newbie and I’m reading over the forums, but I’m wondering what tools are best to start with, and also what operating system is best to use and learn. I have a new laptop on the way and want to set it up so I can use it for school and bug hunting. I also have limited programming skills and was also wondering where I can start learning Python as well.

Thank you again! Much appreciated.

One last question, do you have any experience with pentester labs? Thinking about subscribing there but I don’t know if I should do it now or after I’ve gained some more knowledge.

You should check out the free ethical hacking course by The Cyber Mentor on YT; he talks about setting up Kali Linux for bug hunting. I don’t really have any experience learning Python online, but a couple of friends did the Zero To Mastery Python development course on Udemy and told me it was great. It probably covers a lot more things than what you need for bug hunting, like machine learning and data analysis, but it could be worth a shot.

Okay, thanks for the tips. What tools do you use for looking for web vulnerabilities?

Burp is probably the only one you need in the beginning; besides that, it depends on what type of vulns you are looking for.

What tools do you use to hunt down vulns in web sites and APIs?

You might want to check out the tools thread for ideas.

Skill will always trump the tool, so make sure you understand the vuln type before trying to wield the tool. I.e., learn how SQLi works before learning sqlmap.

Happy hunting.