Questioning is pivotal to success in web security: you need to ask the WHY question almost every time (why did this work, and why did this not work?) and answer it yourself.
As you start practicing security, you have to make a difficult adjustment in your learning process: asking questions.
- What is this bug?
- How does this bug work?
- Why does this bug work?
If you find a bug: How did I find this bug? Why does this bug exist?
If you don't find a bug: Why didn't I find this bug? What am I doing wrong?
You have to know why you couldn't find that bug. Maybe you were able to find it while practicing on the VM, but you are not able to find it on the actual website.
You have to know why. Possibly the website you are testing has implemented a good security mechanism, so you have to learn what they are doing right.
Once you know more about doing things right, you will automatically recognize how things are done wrong. And the next time you test another website, you will know what these guys are missing.
You will see public bug bounty programs. For example, Google runs a bug bounty program; you can go ahead and try to find the kinds of issues you have learned about.
Bear in mind that the most common problem among bug bounty hunters is that once you find a bug, you get over-excited. 🤩
You want to get paid for it quickly, your focus shifts to money, and you stop thinking logically at a $200 bounty. As a result, you miss that your bug sometimes has much more impact. Only if you think further and ask questions can you turn it into a $2000 or even $20000 bounty.
Remember, as a web security researcher, you take regular everyday things and think of malicious ways of using those things.
So, asking questions will keep you from looking at the website only from a bird's eye view and finding nothing but low-hanging fruit, i.e. security vulnerabilities without any serious impact.
If you want to be an above-average web security researcher, you need to know everything that's happening in the web development world.
With deliberate practice you can nurture genuine curiosity about web security, so that you don't outgrow your passion for it, because you need to take a closer and deeper look at how the different technologies used by a website come together.
Also, if you like online courses, the skills required for web application security are taught excellently in the Play by Play: Bug Bounties for Researchers and The Information Security Big Picture courses by Troy Hunt on Pluralsight.
Before you go . . .
Always keep in mind that the devil is in the details. And when it comes to web security, asking questions will build the patience you need while trying to find bugs.
So think of questioning as a critical skill that is pivotal to success in web security.
You may also be interested in reading How to Become a Web Security Researcher?