MemberApril 19, 2021 at 12:57 pm
Hello everyone my post is about my struggle in the world of ethical hacking. I have been hacking for 10 months now and i have found nothing. I was originally a data scientist and i thought that was hard, but this is 10x harder than i thought. To me when everyone out there flexes their bounties and constant success in this field i feel left out or somehow think it’s too late all the bugs i am searching for are all gone.
I have searched and searched for answers and nothing really helps i have paid for online training and that did not help much. I have a subscription to chef secure who has a program named the “Ultimate XSS Course” that turned out to be a bust. Sure i learned many things about XSS on a training simulator. But in the real world its not that simple there are so many defenses no matter if you hunt manually or use tools.
There were a few times i wanted to quit due to the lack of anything i did not get into this to strike it rich by any means. I got into to this to try something different and prove to myself i can be something in this world. I don’t need any pity or sympathy i just want to find bugs and report them i know there is no magic bullet.
These are the only vulnerabilities i am interested in pursuing for now.
- – SQL Injection
- – Command Injection
- – Cross-Site Scripting
I know there are hundreds more, but these are the most interesting to me and someday will strike gold on. That is why i am here to hopefully learn more so i can finally earn my first valid bounty, thank you.
AdministratorApril 21, 2021 at 4:52 pm
Hey Anthony, first things first, I want to welcome you to the community! You’ve come to the right place and we’re glad to have you here 😀
Second, I want you to know that you’re definitely not the only person who’s feeling that way. I know sometimes it can seem like everybody is crushing it on social media, but you don’t get to see the behind-the-scenes struggles that they’re going through. Most of the people who are getting nice bounties have been doing it for years or have an extensive background. Just like you though, they had to start from zero at some point in their lives :-). So try not to let that get you down too much! Let it motivate you though!!
It’s definitely not too late – all the bugs are not gone. If they were, we’d all be out of a job. The other thing to keep in mind is that bug bounty hunting isn’t the only thing you can go after in this field. There are many other options, and sometimes you can start off with a different entry point. So even if bug hunting isn’t working out right now, don’t quit cybersec! Not saying you’re necessarily there yet, just saying that so you know there are different avenues.
Now to more actionable tips:
1- Most beginner hunters that I talk to who are struggling don’t spend enough time on, or don’t have a solid process for, information gathering. Instead, they jump right into the application and start throwing random payloads at the target to see what sticks and what doesn’t. Or they’ll fire up an automated tool right away and point it at all the input fields they can find. Then, when nothing happens, they say that there are no security bugs and they move on to a different target.
I’m not saying that’s necessarily what you’re doing, but I have to ask: what does your reconnaissance process look like right now? How much do you know about your target before you try and attack it?
2- Next, I’m glad to see that you’re focusing on 3 classes of vulnerabilities only because sometimes people try to cover everything under the sun. It might be beneficial to narrow your focus down even further to 1 vulnerability class (maybe 2). That way you’re really focusing all of your energy on finding one type of vulnerability and you’re learning that class super well.
3- Try to find a mentor in the space. Someone who’s doing bug bounties right now or who has in the recent past, and who’s ahead of your skillset. You’re asking for help so that’s a great first start.
I’m actually putting together an invite-only group for bug bounties right now. We’re still in the early stages, but the idea is to start beginners off by going after realistic test environments (ie: a copy of Cybr’s platform) to practice without worrying about making a mistake, and also solving certain challenges that I’ve put together in order to gauge where you are at. Then, moving on to real bounty programs (HackerOne, Bugcrowd, etc) and having the group collaborate & share discoveries, ideas, feedback, etc along the way. Let me know if this is something you’d be interested in and we can chat to make sure you’d be a good fit for the program!
Hope this helps, and I look forward to your thoughts,
MemberApril 22, 2021 at 12:37 pm
Thank you so much for the inspiration i need to keep going yes there were a few times i wanted to quit. But something inside me tells me dont its only a matter of time before i strike gold and from what you said yes its only a matter of time. Yes i need to be patient and persistent because no one is going to do this for me i need to do it on my own and prove to myself i can be one of the best ethical hackers on the planet. Your site is solid it has everything i need to continue and refresh anything i have forgotten. I have other resources out there i use and only a couple of cheat sheets that make sense if i need them.
Ethical Hacking is a journey its very challenging but from what i have seen if a bug is found and validated its very rewarding. Again thank you so much for the invite i would be honored to be with that group, and we can learn together and grow as hunters. I am trying to look past all the negativity out there who say Ethical hackers are just legal criminals and bug bounties are dead don’t waste your time all bugs have been found etc.
I am trying to find more time to train on these vulnerabilities and hunt on live platforms the ones i am currently on are:
I just need to take it one day at a time and i will continue to be a member of Cybr to continue to build my skills and knowledge.
Log in to reply.