I understand HTML, CSS, some PHP and JS, so I figured XSS was the way to go. I’m currently a programmer and have been getting into Bug Hunting. Everywhere I go people state XSS is the easiest vuln to find, but when I look more into it, XSS and CSP seem to have almost eradicated reflected XSS. Is there a X-XSS or CSP I can get to practice against or resources available?
Few additional questions while I’m here:
- Is running a port scanner or any automated scanner on a website frowned upon, and wouldn’t it be stopped by a firewall or IDT?
- When using Burp Intruder to brute force passwords, wouldn’t my IP get blacklisted after so many attempts? (I do have IP Vanish)
- I feel like there are so many methods of catching the signatures of the common tools that unless you have a very in-depth knowledge of how the detection systems work you will get nowhere. Are there resources to practice against updated, well put together firewalls, X-XSS, CSP and IDT systems.logic?
Sorry for the novel, just feeling overwhelmed trying to find my first bug.