The Hacking Project: Learning Resources

October 23, 2020

Today I will elaborate on one of the reasons for going into webhacking that I stated last week:

The amount of learning resources, both about the web itself and about hacking web stuff, are plenty.

Breaking this down, the learning resources I’m referring to are:

  1. General learning material about the web such as books, websites et.c.
  2. Same as above but with a focus on hacking.
  3. CTFs
  4. Bug Bounty Programmes.
  5. My own web services, for example this website.

Let’s start with 1 and 2 from the list. This is the kind of general (theoretical) documentation frequently consulted when learning any subject. Not much to say here except that there exist more such material about the web than there is time to read through it.

It is with 3 and 4 that the amount of webhacking resources outshines other areas. I touched upon these in the first update and here is a recap:
A CTF (Capture the flag) is a hacking game/challenge where the participant should hack something, a website in my case. Upon a successful hack a flag is received, represented by some data. This flag can be submitted to prove that a hack was made. The difficulty of the CTFs vary from easy to very hard. Two learning CTFs that I’m currently looking at are Hacker101 and Google Gruyere.
In Bug Bounty Programmes companies grant access to hackers to try to hack them. Finding a security flaw yields a monetary reward, the amount depending on the severity of the flaw. The largest companies (think Google, Facebook and a few more) usually run their own programmes. There are also third parties that works as matchmakers between hackers with companies. The largest as of writing this is Hacker One.

Practicing in CTFs comes before joining Bug Bounty Programmes.
Hacking a website in a CTF can visually and technically be as real as anything but there an important difference with the real world: in a CTF the hacker knows that the website can be hacked. This makes CTFs great for practicing hacking techniques but also easier due to this piece of information. Keep digging, have patience and eventually success will come. Bug Bounty Programmes add another dimension as this is no longer a fact: How many security flaws, if any, are there to be found? Nobody knows.
It is thus not possible to just rely on technical skill anymore, some tactics is also mandatory: how long time should be spent trying to hack a site before proceeding to the next one? Where is it most likely that vulnerabilities exist?
As I see it, Bug Bounty Programmes are as close to reality as it gets in all aspects except one: gamification.

Hacker points, leader boards and a generally competitive environment is something that is almost impossible to get away from in Bug Bounty Programmes.
I have no problem with this. However, I believe that internal motivation triumphs external in the long run.
That’s where 5 comes in. I host and use a few web services that provides value to my life, such as this website. I want them I continue to work and I want them to be exposed to the Internet.
To understand the risks and to be able take some responsibility for them is noble cause, comes entirely from within and will be important for the rest of my life.

Thank you for reading!