Nithin 🦹‍♂️

@thebinarybot

9 Tweets Dec 09, 2022
A couple of days ago I received messages where people asked me, "What mistake am I making in bug bounty?"
To be frank, I really don't know. I still make a lot of mistakes, but learn every time.
Regardless, here are some of the mistakes I realized I made when starting.
🧵👇
1. Not starting
I consumed loads and loads of information when starting and I never realized that I failed to put it into practice. All I did was learn theory & forget.
I strongly advise people to hunt as they learn.
At least, start doing Portswigger Labs and apply them IRL.
// For the next few threads, I assume you've started and are having trouble.
2. Picking unfavourable/poor programs to hunt on.
Well, if you don't know what's the right program for you, read this thread below.
3. Mindset
I used to look for a vulnerability in every program I hunt on. That's devastating.
Instead, assume that the program you're testing on is fully secure and that you're trying to break in. Don't expect to find bugs at all.
Follow your instinct and explore everything.
4. Single vulnerability
I don't know how this works for you, but back when I started I used to look for only one specific vulnerability. Although some might argue this is fine, I'd ask you to develop the hacker's mindset by probing every area rather than focusing on one.
5. Sticking to a program
I still haven't figured out when to exit from hacking a program, but I sure am not exiting without probing every interesting endpoint and parameter. Testing on one program for a long, long time has its own advantages.
I'm still learning this.
BONUS
Like I mentioned, I used to consume a lot of information. But one thing I didn't do was read reports on a periodic interval. This is super helpful and nurtures your thinking process.
Would highly recommend you to start reading HackerOne reports.
And that's a wrap!
If you enjoyed this thread:
1. Follow me @thebinarybot for more of these
2. RT the tweet below to share this thread with your audience
#bugbounty #infosec #cybersecurity
