Success is going from failure to failure without losing enthusiasm. – Winston Churchill.
I am writing this to make myself accountable, and as a disclaimer: although I have submitted 5 reports to HackerOne, a bug bounty platform, none have been paid. I currently have 4 duplicates and 1 informative. Here is my HackerOne profile: pirateducky.
I started my journey learning about web application security at the beginning of this year (2019), after being rejected for a front-end developer job. After that I looked back at why I had started to learn to program, and I remember telling myself that I wanted to learn how to hack – that was about 4 years ago, at which time I bought the following books:
The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy
The Hacker Playbook 2: Practical Guide To Penetration Testing
Rtfm: Red Team Field Manual
I started reading and not understanding anything, but I kept trying, using Google and YouTube to do research. At one point I decided to go back to the basics and started to look for resources to learn how to program. I eventually found a course on Coursera which taught me how to build web applications. I failed a bunch of times, taking hours to troubleshoot small problems (looking at you, syntax errors), trying to understand CS concepts and smashing my head until that “AHA!” moment would come. I enjoyed challenging myself and learning new things, but up until that point I had not put into practice anything I had learned. I took courses online and bought some really good course material – which has been super helpful – but at some point I forgot why I started this whole journey, that is until I got rejected from the job I applied for. After being rejected, the “Impostor Syndrome” kicked in, and I couldn’t help feeling like I didn’t know what I was doing. But then I found the hacker101 CTF, which allows you to solve challenges and get flags, which turn into points, which eventually turn into invitations to private programs where your chance to find a vulnerability and get paid increases.
I started doing the CTF and got completely lost – after the first challenge. Then I hopped on Twitter to see if I could find someone doing the CTF as well. Using my awesome OSINT skills I looked up #hacker101 and found a user (@nemessisc) who had started a Discord server for people who were doing the CTF. I shot her a message asking if I could join, she sent the invite, and this is where it got interesting. I found the most amazing community there, full of people who were also doing this CTF and struggling just like me, sharing resources and just overall being friendly. It’s awesome and I have made so many friends through there; some are expert hackers who have been featured in the news, others are beginners just like me, and we all help each other.
Through the help of these awesome people I was able to understand the basic vulnerabilities, going from challenge to challenge and using Google when I didn’t know what I was doing or what to ask. After a few weeks of doing the CTF I decided to go out and look for bugs. I popped an XSS on a site and I felt the rush; it felt awesome to see my alert(1) actually showing up on a page. I then submitted the report and it came back as a duplicate, meaning someone else had found it already, but still – I had found an actual bug, and it was an awesome experience. From there on I continued to work on the CTF and hunted for bugs; I have found a total of 4 duplicates and 1 informative.
I have also attended my first security conference, BSidesNash. I found an awesome group of local hackers organizing the conference, through Twitter of course. They invited me to join and be part of the organizing, which I gladly did, and it was the best choice I could have ever made because I met so many friends and cool people. Being around people who share the same interests and who push you to do better is amazing, and something I haven’t had before, so I felt right at home. I am continuing to learn every day, reaching further and pushing my knowledge to the limits. It has been an awesome experience to get to know everyone, and learning new things always makes me excited, so recently I have felt like a little kid in a candy store. My goal is to keep pushing myself and learn from the people I have met, both in the Discord server and locally.
I got rejected from the front-end position, but that pushed me back to the reason why I started all of this. My curiosity knows no limits and my hunger to learn has been insatiable lately; I am fully committed to this and want to make a career out of it. So life, universe, or whatever you want to call it: I am ready. I am ready to challenge myself and learn everything I can. I am still looking for my first valid bug and I know it’s near. In the words of a famous philosopher –
"Gotta catch ’em all" – Ash from Pallet Town.
Tips that I as a beginner think are important:
Be nice to everyone.
Don’t be scared to ask questions.
Join a community (S/O to the hacker101 Discord). If you want to join, here’s the invite.
Find a local group of people (S/O to BSidesNash).
Take breaks away from the computer.
Share what you have learned.
Don’t hack something you have no permission to hack.
Some cool resources to check out for beginners:
hacker101 CTF – HackerOne CTF
hacker101 YouTube – Hacker101 Playlist.
Stök’s YouTube – Awesome YT channel.
PortSwigger University – Awesome educational content.
Web Hacking 101 – when you sign up for HackerOne you get this book for free.
PayloadsAllTheThings – Repo with payloads of all kind.
PenTester Land – Signing up for their newsletter is awesome!
Learn X in Y Minutes – Awesome primer for programming languages.
For future me: I hope you are still learning new things and that your curiosity has not died out, I’m sure you have met even more awesome friends and have gone to some cool events. Stay curious and don’t let anyone tell you that you can’t do something.