Well, I have seen a lot of people asking how to get started in web application penetration testing. And if you search for these kinds of articles on Google you will find a bunch of them. That’s good … But the problem starts here … We all know everyone suggests learning:
-Web App Hackers Handbook
-OWASP TOP 10
-Some BAD web app
-Some practices, etc.
But that doesn’t make you a super champ, and you cannot even participate in bug bounty programs! I mean, the experts should at least talk about what to do after learning this basic stuff.
I’d focus on what you’re interested in and what you’d like to learn more about. I’d watch videos and presentations from researchers that you admire or think have done cool stuff. Learn their techniques and tactics.
Check out our videos from LevelUp last year. They have a TON of useful stuff:
Most of the hunters I know have followed these steps you have mentioned:
-Web App Hackers Handbook, also known as the “web app hacking bible”
-OWASP Testing Guide v4
-Web Hacking 101: How to Make Money Hacking Ethically
-Mastering Modern Web Penetration Testing
-Breaking into Information Security: Learning the Ropes 101 by Andy Gill
These books give you a huge amount of knowledge about bugs, how to find bugs, where to find bugs, tools and all the other things that are enough for a newbie to start practicing his skills on vulnerable labs.
Apart from these, you should read other hunters’ blogs and write-ups, and watch PoC videos and conference videos. Search for them on Google and YouTube. These books are not just for reading. For example, if you’re reading about XSS, then after getting a good understanding of it, practice your skills on vulnerable labs, read write-ups about XSS, and watch XSS PoCs. Tighten your grip on one vulnerability before going to the next vulnerability. Make your own notes about bypassing different kinds of filters, encoding techniques and all.
If you have followed these steps properly, then from my point of view you have enough knowledge for hunting bugs. I myself followed this flow and was able to find some bugs in just a few days.
Ignore my mistakes, as English is not my first language, and stay motivated.
Good luck.