HackrHub

HackrHub is a platform developed by Imad Husanovic with the primary goal of helping up-and-coming hackers become better at security research.

How long did it take me to find my first bug?

Before I even start, just a quick heads up on a CTF challenge that I will be hosting soon. The final prize will be Burp Suite Professional for the first 10 places, so make sure to subscribe to the newsletter on the official platform https://hackrhub.com where I often post premium content which you cannot see here. So make sure to check that out!

Socials:

Instagram: https://instagram.com/deadoverflow

YouTube: https://youtu.be/tXWoRK7JiHk?si=4w18cDWZ_oH25GL-

I started with bug bounty around 3 years ago and I remember having a really hard time finding my first bug. All of the websites I visited on bug bounty platforms like HackerOne seemed really complicated. I was just a newbie in a world that seemed too much for me and, at that time, I considered giving up multiple times. I was roaming around the websites hoping I could just find my first valid bug. I was so desperate that I didn’t even want to be paid for it, so all I was focusing on was just finding something. Long story short, it was really stressful and demotivating.

Big moment

So one day I was doing research and all of a sudden I saw that the password reset functionality was very interesting. The link to reset your password was something like this:

https://targetwebpage.com/password/reset/Y3Rme2NvbW1pbmdfc29vbn0

I noticed that in the URL there was a token which looked like base64, and when I decoded it, it was the ID of the user whose password was about to be reset. I was so happy because in my mind I could just replace the ID from mine to somebody else’s and reset their password. Unfortunately, when I tried that, it didn’t work. I tried everything and nope, it was all safe and secure.
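The pattern described above, a reset token that is nothing more than a base64-encoded user ID, is worth contrasting with a sound design, because a token that any client can decode can also be forged by any client. The following Python is an added example, not code from HackrHub or from the site in the story; it puts the weak design beside a token store that issues random, unguessable tokens, keeps only their hash, binds each to a user, and makes them expire and work only once. All function and class names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# --- Weak design (the pattern in the post): the token is just the user id, base64-encoded.
# It carries no secret, so decoding it is trivial and so is producing one for another id.

def weak_issue_token(user_id: int) -> str:
    """Return base64url(user_id) without padding, as seen in the reset link."""
    return base64.urlsafe_b64encode(str(user_id).encode()).decode().rstrip("=")


def weak_decode_token(token: str) -> str:
    """Decode a padding-less base64url token; this is the check a reviewer would run first."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode()


# --- Hardened design: random token, stored hashed, bound to a user, expiring, single-use.

class ResetTokenStore:
    TTL_SECONDS = 15 * 60  # reset links should be short-lived

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending: dict[str, tuple[int, float]] = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked database table does not yield usable reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        """Create a 256-bit random token for user_id and return it for the reset link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._now() + self.TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the bound user id if the token is valid and unused, else None.

        The user id comes from the server-side record, never from the URL, so
        swapping an id in the link has nothing to act on.
        """
        digest = self._digest(token)
        # Constant-time comparison against every stored digest avoids leaking
        # how many leading bytes of a guessed token matched.
        match = None
        for stored in list(self._pending):
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return None
        user_id, expires_at = self._pending.pop(match)  # single use, even if expired
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    # Constructed demo values, not data from the post.
    print("weak token for user 42 decodes to:", weak_decode_token(weak_issue_token(42)))
    store = ResetTokenStore()
    link_token = store.issue(42)
    print("redeem once:", store.redeem(link_token))
    print("redeem again:", store.redeem(link_token))
```

The defender-side point is that the reset link should carry a secret that only the legitimate recipient's mailbox ever saw, and the server should decide whose password is being reset from its own stored record rather than from anything the client sends back.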

Low motivation

At this point, I was already 7 months into this hacking journey after studying some stuff on PortSwigger and yet I was nowhere. I was really pushing myself to hunt for bugs even when I just didn’t want to. All I would do all day was either study hacking or try to hunt for bugs. The problem was, I would try to hunt for a bug on a platform for 5 minutes, see that I couldn’t find anything and just move on to a new platform, and so on. When I realized that was the problem, I was already 9 months into this journey without a single bug. So my next plan was to spend a little bit more time on a platform. I would pick a platform and every day just try to hunt on it.

Finally I found it!

I wasn’t motivated to spend more time on a target, however I forced myself to do so. And eventually I found my first ever bug. It felt amazing and I felt amazing as well. In that moment I felt like a genius even though it was just a simple CSRF which was even closed as a duplicate by the triage team. However, the point is that I found a valid issue and I cannot explain to you how that felt. It was a purely indescribable feeling of joy. Nowadays I don’t get that as much since I am used to finding bugs. I just try my best to help you understand how the process works, since once you know that and you are putting in so much effort, you have no other outcome but to succeed!

Let’s summarize

Nothing. Happens. Over. Night. You must know that and believe in that. Your effort today will show you the result tomorrow. How much effort you put in will be exactly how much you will get in the end. So make sure to stay consistent, and you shouldn’t care about time, regardless of how long it’s taking you to find a bug. Just focus on finding one every single day and your effort will shine. It can happen tomorrow, or the day after that, or even a week after reading this. The only way to find out is to stay consistent; you will never miss your lucky day if you try every day!