Getting Humbled with Bug Bounty Hunting

After earning my Offensive Security Certified Professional (OSCP) certification I felt like I was riding a wave of accomplishment; I truly believed I was ready to hack anything! So to keep riding that wave, I thought I’d dive back into Bug Bounty Hunting after a five-year hiatus - and let me tell you, I have been absolutely humbled since! 😅 This post is all about what I’ve been doing to “get back in the game”.

At first, I thought that getting back into hacking web apps would be easy. After all, five years ago I ranked amongst the Top 100 security researchers on Bugcrowd (my highest rank was 64th) and was named as one of the MVPs in 2018. How hard could it be?

Well, I hadn’t accounted for the fact that my web hacking skills had become dull and rusted without practice - and I certainly hadn’t considered the fact that securing web applications has become a lot easier for companies to implement. Cloud Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) technologies offered by Content Delivery Networks (CDNs) have become a lot more ubiquitous. Being a successful bug bounty hunter requires a lot more skill in 2023 - so if you’re struggling, I’m right there with you!

The Bug Hunter’s Methodology Live course

To get a jump on learning about newer bug bounty hunting techniques, I reconnected with my sensei (Jason Haddix) and signed up for his Bug Hunter’s Methodology Live Course. I credit Jason for a lot of my early success in the Bug Bounty scene; working for him at Bugcrowd exposed me to a lot of his out-of-the-box thinking and techniques. I count myself fortunate to have built a great friendship with Jason, which continues to this day ❤️

Anyway, Jason’s two-day course is absolutely packed with the kind of “secret sauce” techniques that allowed me to hit the Top 100 back in 2018. He’s also added a ton of updated content related to new tools and techniques he’s adopted - including access to homegrown scripts, as well as techniques leveraging novel Artificial Intelligence (AI) technologies.

Whether you’re just starting out on your Bug Bounty adventure or looking to up your game - you can’t go wrong with spending $550 on this course - and you’ll get 5% off if you use this link 😉 The course will certainly pay significant dividends throughout your hacking career, and you’ll definitely learn a ton if you spend 16 hours with Jason (along with the special guests he invites to present) during the live course.


This content was written by a human being; if you find it useful, enjoyable, or influential you can support my work via Patreon. As always, thank you for being here and reading this content! 😊


APISec University Trainings

After taking Jason’s course, the next thing I started doing was diving into API security testing - and to me, this space still feels like a new frontier in AppSec. Firstly, there aren’t any clear-cut “winners” in this space from a security products perspective (yet). And secondly - if I’m being candid - it’s still not an area most application / product security teams are spending time on right now. This is partly because there aren’t many well-known security technologies in the space, and partly because most security professionals still don’t know how to write software - let alone build relationships with their development teams.

Regardless, to skill-up in this space I signed up for APISec University’s API Penetration Testing course, where I recently earned a certificate; I will fully admit that I listened to Corey Ball’s training sessions on 1.25x speed in order to keep from getting bored 😅 I guess I’m just a little too “New England impatient” sometimes 😬

Anyway - as far as free courses go, this one was pretty good. Corey walks students through setting up Burp Suite Community, Zed Attack Proxy, and Postman - as well as a couple of open source vulnerable web apps to practice with. If there was one thing I think this course could have improved upon, it would be spending more time in the vulnerable web applications to get more hands-on practice for the section quizzes. This is definitely something I feel like I should probably go back and do regularly to stay sharp with my new set of skills.

PortSwigger’s Web Security Academy

I am super excited by what PortSwigger has put together with their Web Security Academy learning modules. It has never been easier to pick up Application Security skills for free 🎉 The new learning paths for Server-side Vulnerabilities and SQL Injection are particularly well-built in terms of their ability to provide concise bundles of knowledge, along with links to useful resources and tightly scoped practical labs.

I’m a huge fan of the hands-on learning approach that PortSwigger has implemented with these trainings - and I am doubly thankful that they have solution walkthroughs for those times when I get stuck. Those moments between getting frustrated and getting that one little hint I need in order to keep making progress are where I find the learning really happens for me. Whether it’s practicing unfamiliar techniques or figuring out new ways to use Burp Suite, I am frequently going back and making notes on additional questions to ask myself when performing security assessments.

Critical Thinking - Bug Bounty Podcast

Last, but certainly not least, in my training regimen has been the Critical Thinking Bug Bounty podcast. Listening to Joel and Justin talk about the interesting techniques that they’re using, learning, or reading about gives me a ton of energy and drive to keep practicing and learning new techniques in this space.

It’s also really helpful that Joel and Justin interview guests from time to time on the podcast, as it exposes listeners to new ways of thinking about hacking, as well as new tools and techniques to learn more about when bug bounty hunting. Don’t sleep on this podcast if you’re looking to expand your learning opportunities!


Thank You

As always, thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or go back and read my other OSCP content for additional tips-and-tricks.

Until next time, remember to git commit && stay classy!

Cheers,

Keith // securingdev



This post is licensed under CC BY 4.0 by the author.