How to start ethically hacking websites

If you’re reading this, you’re most likely interested in bug bounty programs and ethical hacking. If you look at some of the public bounty program disclosures, such as on HackerOne, you’ll find that most exploits that are reported are not that complex; many times they are simple oversights by web app developers. It’s much rarer to see something super critical, such as a remote code execution (RCE) or one-click account takeovers.

I’m going to go over some basic prerequisites and resources I think you should know (at a minimum) in part 1 before going into the specific vulnerabilities I found in part 2. There are a lot of other important things to know, such as what programs to join, how to write good reports, and so on, but I will not be covering those things.

Hacking is a powerful tool that should be employed for good. Your goal should be to find and responsibly disclose vulnerabilities to websites before malicious criminals do! We should aim to protect users from damage rather than cause more. Follow the rules of bug bounty programs and don’t hack things without the owner’s expressed permission. If you “stumble” on vulnerabilities outside of programs, report them responsibly and more likely than not, the site owners will be thankful.

The internet is full of scams, dangerous people, and people with ill-intent; don’t be another!

Knowing the latest and greatest is very important in cybersecurity, and from my experience (unless you want to spend lots of money through formal training/programs/certificates/etc.), most of learning is done independently without much guidance. A pitfall to avoid is thinking you do not know enough; cybersecurity is a vast field, and you’ll never know everything or stop learning. Even within the subset of web application security, there are many types of vulnerabilities, many ways to exploit them, and many different people trying to tell you to focus on one thing or another. You may be starting at a much lower base level of education than others, so you might need to spend more time knowing the basics than others.

I will try to give a road map of things know before starting to look at bug bounty programs. Any bolded words are keywords you should be concepts you that feel good about knowing with links to references.

• How does the modern web browser?

This is the most important topic. You should be familiar with the basics of JavaScript, the programming language used on all web browsers. This does not mean you need to be a JS guru, but knowing how the websites use JavaScript to make requests to the server to fetch data, store sessions in cookies, or reference objects. It’s also critical to understand how the server and the client web browser communicate through the form of HTTP requests and responses, as well as the difference between HTTP and HTTPS and why that difference matters. This also includes understanding the different pieces of the URL and how it changes based on what you’re doing. You should also know the basics of HTML, which is the format of how content is displayed on web browsers.

• Basic types of exploits and how common defenses

Once you have accrued basic understanding of how the web works, you’ll most likely start to look at different vulnerability. For each vulnerability, it’ll be important to understand how/where to look for them, common exploit techniques, and On the easier side of things, there is XSS, or Cross-Site Scripting, IDOR, or Insecure Direct Object Reference, and SQLi, or SQL injections. Getting familiar with these three will probably be your best bet at finding something in the early days. The first bugs I found were XSS.

As your knowledge grows, you’ll start to look for more complex vulnerabilities such SSRF and CSRF, or server-side request forgery and client-side request forgery, account takeovers, zero-click vulnerabilities, other forms of injection, using known CVEs, RCEs and more. Reading other people’s exploits helps to know how they found them and how you can do so as well.

• Basic tools used to hack

There are SO many tools out there that all promise to make it easier, but for the most part, you can do everything without the fancy tools. The tools recommended to get started are Burp Suite Community (i.e free) version, Sublist3r, and Google Dorking. There are alternatives to those tools and everyone has their own preference, but those are just what I use.

There’s a lot more to know and learn, and it’ll take time! Here are some more good resources to get started:

• OWASP (Open Web Application Security Project)
• Jack Cable’s Getting started article
• HackerOne “Hacktivity” Board and similar on Bugcrowd, Intigriti, etc.
• YouTubers such as InsiderPhD, CyberMentor, John Hammond
• Medium blog post write-ups

In part 2, I’ll be going over the first bugs I found in the wild. Hopefully this gives you a good starting point where to begin and where you’ll want to go!

Want to Connect?Please consider contacting me at [email protected] following me on Medium, buying me a coffee, following me on twitter, or connecting with me on LinkedIn!

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE!