So you want to be a Web Security Researcher?

In essence, cybersecurity is all about discovering non-default uses of everyday technology to cause unintended behaviour.

We live in an era where online safety is not always guaranteed as every little blip of information sent out across the internet is subject to attack. Security professionals have identified that most of the security vulnerabilities stem from poor coding practice.

This article is aimed at readers beginning a career in web application security, which has been continuously emerging as one of the most financially viable professions in Information Technology.

I would like to start with an example. A torch is used by people to navigate through dark areas, and it is also used by police when investigating a house without lights.

Same object, just a different use case. As a security researcher, you need to see this torch as an unknown object, as if you don’t know what it is, and ask:

  • What does it do? Turns on Light. 
  • What do people use it for? To navigate through dark places.
  • What is the most common use of it? Police or consumers use it when the lights go off or when they need to navigate through dark areas.

Then you think: if this is the regular use of the torch, what could be a use of it that is not intended? A thief can use it to navigate a dark area just as the cop does, but with the wrong intentions.

The same goes for a kitchen knife. You see this as an unknown sharp object and ask:

  • What is this sharp object? It's a kitchen knife.
  • What do you do with it? Chop vegetables.
  • What is the most common use of this knife? Chopping vegetables.

And you think: what if this knife gets into the wrong hands? The answer is quite simple: an evil person could do some potential chopping with it.

As a web security researcher, you take regular everyday things and think of malicious ways of using those things.

Sounds simple, but you might say that you don't have a burning intellect or scientific thought process.

You also don’t have a mathematical background, and you know nothing about discrete mathematics or dark sciences. So how can you be good at cybersecurity?

This is a myth. You don't need to have any of those things to be good at cybersecurity.

Sometimes we like to think that what we are thinking is quite unique, but it's not. In fact, most people have the same questions because human psychology is more or less similar.

 

“It's all about securing our systems.” Jeh Johnson

 

What is truly required to become a Web Security Researcher?

There is so much abstraction in technology that you don’t need a mathematical background or a scientific thought process.

There are people who never had a formal education and are still excellent security researchers.

Let’s dive into the post and suggest some ways that you can get ahead in web security.


Insatiable Curiosity. 🤔

One thing required of you to survive in security for years is genuinely being curious about it. There is no difference between a web developer and a web security guy.

If you want to be an excellent web security professional, you need to know everything that's happening in the web development world.

You'll have to understand what JavaScript, PHP, HTML and CSS are, and learn them as a passionate developer would, but question everything as you learn and imagine other uses of it. You don't want to feel intimidated by words like JavaScript, PHP or Node.js.

It’s important for you to know:

  • Where is web development headed?
  • What is the best framework used in the world today?
  • What is the most used framework?

In cybersecurity, people lose passion when they are not able to find bugs. You need to burn the midnight oil and nurture genuine curiosity about web security so that you don’t outgrow your passion for it.

You don’t want to look at the website from a bird’s eye view and find only low-hanging fruit, i.e., security vulnerabilities without any serious impact.

If you want to be an above-average web security researcher, you have to take a closer and deeper look at how the different technologies used by the website come together.


Learn by doing it. 🧐

Like I said, there is no difference between a web developer and a web security guy. You only make a distinction by pushing yourself to know beyond the default use while learning.

Start building simple and small websites with PHP or HTML.

Get familiar with databases and web servers. Try making tiny pages that take input from a user, like login credentials or contact details, and learn to do some penetration testing.

I have curated a list of helpful resources for beginners to get started with Web Development and Penetration Testing.

Practice common security vulnerabilities in an ethical hacking environment.

With the help of ready-made vulnerable applications, you can really improve your skills because you learn in a safe environment.

Here are a few resources to legally practice your hacking skills.

Most importantly, take the OWASP - Free Testing Guide to practice security.

OWASP has created lots of resources for strengthening the relationship between security and development. You can read about almost 70-80% of vulnerabilities on the Web and how to find bugs.

OWASP aims to help web security researchers understand the What, Why, When, Where, and How of testing Web Applications.

If you are getting started with Web Application Security Testing, here are OWASP Resources that will help you get ahead in Security Testing.


Ask Questions to Improve Learning ❓

As you start practicing security, you have to make a difficult adjustment in your learning process by asking questions.

 

  • What is this Bug?
  • How does this bug work?
  • Why does this bug work?

Questioning is pivotal to success in cybersecurity and you need to ask the WHY question almost every time (why did this work and why did this not work) and answer them yourself.

If you find a bug: How did I find this bug? Why does this bug exist?

If you don’t find a bug: Why didn’t I find this bug? What am I doing wrong?

You have to know why you couldn’t find that bug. Maybe you were able to find that bug in your practice on the VM but you are not able to find the bug in the actual website.

You have to know why. Possibly the website you are testing has implemented a good security mechanism. So you have to learn what they are doing right.

Once you know more about doing things right, you will automatically know how to do things wrong. And next time when you go to test another website you will know what these guys are missing.


Go after Bug Bounties 💰

If you want to be an excellent web application security researcher, go after bug bounties. You can sign up with HackerOne and Bugcrowd. You will see companies that are running public bug bounty programs. For example, Google is running a bug bounty program, so you can go ahead and try to find the issues you have learned about.

Don't ever procrastinate by thinking that you don't have enough skills to find a bug for big companies. You should try to find vulnerabilities in products that you use yourself and take on some real challenges to financially bootstrap your career in web application security.

Nearly 2 years ago, I found a bug in a payment processing app running on iOS, and at that time I didn't know about bug bounty at all. I was not doing any penetration testing or looking for design issues. I was simply using that app to keep track of sales. When I opened the app to new sales, I immediately scrolled the notification bar from the top. Then I noticed I was able to log in without using a fingerprint. I checked again and I was able to bypass fingerprint authentication. I discussed the problem with my friend, who identified it as an authentication bypass issue. We verified whether it happened due to cache, but it was a valid bug. We made a video on the run and submitted a report for it. I received a $1000 bounty in a day with instructions not to disclose any information about the company or the issue. I was awestruck because I had no bug hunting skills but was able to derive pleasure only from spotting the problem and getting paid for it.

 

Although it was an easy catch, you should know that finding bugs is not always easy. You need to build patience to stay focused because it's very easy to fall into lazy thinking habits.

A common problem among bug bounty hunters is that once you find a bug, you get overexcited. You want to get paid for it quickly, your focus shifts to money, and you stop thinking logically at a $200 bounty. Yet sometimes your bug will have much more impact. Only if you think more can you make it to a $2000 or even $20000 bounty.

 

Here are some resources that will help you get ahead in bug hunting:

  • Bug Bounty Platforms
  • Recommended Resources

Once you find a couple of bugs through bug bounty programs, you will get a job in most companies.

Before you go...

Always keep in mind that the devil is in the detail. And when it comes to security, engaging curiosity will create capacity for patience while trying to find bugs. Be curious and patient.

I hope this article puts you in the fast lane and wish you the best with your career in Web Application Security.
