DEV Community

Mr.A 😴


you need to be a Programmer!

Do you need to be a programmer?

Note: this is about testing web applications only.

Let's single out four types of vulnerabilities.

  1. Recon vulnerabilities. Here I include everything that does not require direct interaction with the application. For example, you find an SSH key for the company's server in a GitHub commit. Or you port-scan the server and find an outdated service with a publicly known exploit. This also covers subdomain takeover and an admin panel at company.com/admin that is open to everyone without a password.

Does it need programming? No.

What do you need? A broad outlook in computer science, so to speak: understanding how the web works, what HTTP, ports, DNS, Git and SSH keys are, and more. It also helps to know how to use specialized tools such as port and subdomain scanners.

Can programming be useful? Yes, of course. Searching for such vulnerabilities can be automated, for example. For that I would choose an interpreted language such as Python (I use it myself).
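As an added example of the kind of automation this section talks about (my code, not part of the original post): a small scanner for credentials that end up in Git history, the "SSH key in a GitHub commit" case. The regexes, the sample log fragment and the `scan_git_history` helper are constructed for illustration; the AWS key ID in the sample is Amazon's documented example value, not a live key.

```python
import re
import subprocess

# Regexes for credential material that commonly ends up in commits.
# The AWS and GitHub prefixes are the publicly documented token formats;
# the PEM armour line is what every private key file starts with.
SECRET_PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}


def scan_text(text):
    """Return (line_number, kind, snippet) for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, kind, line.strip()[:80]))
    return hits


def scan_git_history(repo_path):
    """Scan the full history of a local clone, not just the working tree.

    A key that was committed and then deleted in a later commit is still
    reachable through `git log -p`, which is exactly what a leak hunter reads.
    """
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log)


# Constructed sample: a fragment of `git log -p` output, not a real commit.
# The AWS key ID is Amazon's documented example value, not a live key.
SAMPLE_LOG = """\
commit 0000000 (constructed example)
+++ b/deploy/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "s3cr3t-pass"
+++ b/deploy/id_ed25519
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQy
"""

if __name__ == "__main__":
    for lineno, kind, snippet in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {snippet}")
```

Point it at a clone with `scan_git_history("/path/to/clone")`; scanning history rather than the checkout is the whole trick, because a "removed the key" commit does not remove it from the repository.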

  2. Application logic bugs. For example, you find that when you buy a product, the price you see in the application is sent to the server along with the product ID, and if you modify that price the purchase goes through at the lower cost.

This was found, for example, on OK.ru: it was possible to buy stickers or music almost for free. I would also include IDOR here: there is a request to change the password of the user with a specific ID. What happens if you substitute someone else's ID for your own?

Does it need programming? Actually, no.

What do you need? First of all, to understand how the client communicates with the server over HTTP, and to master an HTTP/WebSocket request interceptor. The leader here is Burp Suite. There are others, but when I tested them (long ago) they were poor.

And logic is essential. You need to think of what the developers could not have foreseen, or of how you can trick the application into giving you extra privileges.

Can programming be useful here? Hardly. It is just logic and working with requests from the client to the server.
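To make the two bugs in this section concrete, here is an added example (my code, not anything from OK.ru or the original post) with the vulnerable handler next to its fixed form for both the client-supplied price and the IDOR on password change. The catalogue, user table and request bodies are hypothetical stand-ins for a real backend.

```python
# In-memory stand-ins for the shop's database; the names are hypothetical.
CATALOG = {"sticker-pack": 199, "album-42": 999}   # prices in cents


def vulnerable_checkout(session, body):
    """Charges whatever price the client sent next to the product id.

    This is the pattern described above: the price shown in the app is
    posted back to the server, and the server trusts it.
    """
    product = body["product_id"]
    if product not in CATALOG:
        raise ValueError("unknown product")
    charged = int(body["price"])            # attacker-controlled
    return {"user": session["user_id"], "product": product, "charged": charged}


def safe_checkout(session, body):
    """Ignores any client-supplied price and resolves it server-side."""
    product = body["product_id"]
    if product not in CATALOG:
        raise ValueError("unknown product")
    charged = CATALOG[product]              # the only source of truth
    return {"user": session["user_id"], "product": product, "charged": charged}


def vulnerable_change_password(session, body, users):
    """IDOR: the account to modify is taken from the request body."""
    target = int(body["user_id"])
    if target not in users:
        raise KeyError("no such user")
    users[target]["password"] = body["new_password"]
    return target


def safe_change_password(session, body, users):
    """The account to modify is the authenticated user, full stop.

    An admin-only 'reset another user' feature would need an explicit
    authorization check on the session, not a trusted id in the body.
    """
    target = session["user_id"]
    users[target]["password"] = body["new_password"]
    return target


def tamper_demo():
    """Replay both attacks against both variants; returns the outcomes."""
    session = {"user_id": 2}                # Bob is the logged-in user
    users_vuln = {1: {"password": "alice-pw"}, 2: {"password": "bob-pw"}}
    users_safe = {1: {"password": "alice-pw"}, 2: {"password": "bob-pw"}}
    tampered = {"product_id": "album-42", "price": "1"}   # 9.99 -> 0.01
    idor = {"user_id": "1", "new_password": "pwned"}      # Bob targets Alice
    vulnerable_change_password(session, idor, users_vuln)
    safe_change_password(session, idor, users_safe)
    return {
        "vulnerable_charged": vulnerable_checkout(session, tampered)["charged"],
        "safe_charged": safe_checkout(session, tampered)["charged"],
        "alice_pw_vulnerable": users_vuln[1]["password"],
        "alice_pw_safe": users_safe[1]["password"],
        "bob_pw_safe": users_safe[2]["password"],
    }


if __name__ == "__main__":
    for key, value in tamper_demo().items():
        print(f"{key}: {value}")
```

When you are testing this by hand in Burp, the check is the same as in `tamper_demo`: change one field that the client should not be trusted with, and see whether the server's answer changes.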

  3. Attacks on the client. XSS, CSRF, CSS exfiltration, clickjacking, JS hijacking, and probably something I forgot.

Do you need to know programming? At the very least a little: you need to be able to read HTML and JS. For more complex types of XSS, like DOM XSS, you will need to know JS fairly well.

What else is needed? Understanding how the browser works is the most important thing: what SOP, CORS and CSP are; what the security headers are and what they affect; how cookies work, what the SameSite policy is and how it can be bypassed.
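Since this section is about headers and browser policy rather than about writing a payload, here is an added example (mine, not from the post) of what you would automate around it: a check of one HTTP response for the client-side weaknesses listed above (CSP, framing, cookie flags, SameSite) and, beside it, a typical broken CORS origin check next to a correct one. The sample response and the allowed-origin set are constructed for illustration.

```python
# Hypothetical allow-list for the CORS example; the origins are made up.
ALLOWED_ORIGINS = {"https://company.com", "https://app.company.com"}


def vulnerable_cors(origin):
    """Suffix match: 'https://evilcompany.com' ends with 'company.com' too."""
    if origin.endswith("company.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def safe_cors(origin):
    """Exact match against a fixed set, plus Vary so caches keep origins apart."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def audit_headers(headers):
    """Flag the client-side weaknesses visible in one HTTP response.

    headers: list of (name, value) pairs in wire order; Set-Cookie repeats,
    so a dict keyed by name would silently lose cookies.
    Returns a list of findings (empty means nothing was flagged).
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []

    csp = by_name.get("content-security-policy", [""])[0]
    if not csp:
        findings.append("no Content-Security-Policy: injected script runs unrestricted")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': inline XSS payloads still execute")

    if "frame-ancestors" not in csp and "x-frame-options" not in by_name:
        findings.append("framing not restricted: clickjacking is possible")

    acao = by_name.get("access-control-allow-origin", [None])[0]
    creds = by_name.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if creds and acao == "null":
        findings.append("CORS trusts the 'null' origin with credentials: "
                        "sandboxed iframes send Origin: null")

    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly, readable from document.cookie after XSS")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure, sent over plain HTTP")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name}: no SameSite, relies on the browser default against CSRF")
    return findings


# Constructed sample response; the values are illustrative, not captured.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("-", finding)
    print(vulnerable_cors("https://evilcompany.com"))   # reflected: the bug
    print(safe_cors("https://evilcompany.com"))         # {}
```

The CORS half is the part worth remembering: the server decides per request which origin it reflects, so the test is to send an `Origin` header that is "almost" the real one and see whether it comes back in `Access-Control-Allow-Origin` together with `Allow-Credentials: true`.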

  4. Attacks on the server. SQLi and other injections, SSRF, race conditions, and so on.

Do you need to know programming here? I would say that first of all you need the theory of programming: what threads are, how queries to databases are made in general (and how injection into those queries works), how an application is structured, what components it consists of and how they interact. It is not at all necessary to be able to build the same application yourself.

Nor is it necessary to know all the languages these applications are written in. It is enough to understand the general principles and concepts. Of course, if you are a good programmer it will help: you will be able to find bugs that others cannot.
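"How queries to databases are made, and how injection into them works" is easiest to see in code, so here is an added example (mine, not from the post) with a login handler that builds its SQL by string formatting next to the parameterised version, both run against an in-memory SQLite table with constructed rows. Passwords are stored in plaintext only to keep the example short; real code stores hashes.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows (plaintext passwords only
    to keep the example short; real code stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("alice", "alice-pw")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """String formatting: the input becomes part of the SQL grammar."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised query: the input is only ever a value, never grammar."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads: comment out the password check, or make the WHERE
# clause always true. Both are constructed inputs, not captured traffic.
PAYLOADS = [
    ("admin'-- ", "anything"),
    ("admin", "' OR '1'='1"),
]


def compare(conn):
    """Run every payload through both handlers; returns {(user, pw): (vuln, safe)}."""
    return {(u, p): (vulnerable_login(conn, u, p), safe_login(conn, u, p))
            for u, p in PAYLOADS}


if __name__ == "__main__":
    conn = make_db()
    for (u, p), (vuln, safe) in compare(conn).items():
        print(f"{u!r} / {p!r}: vulnerable -> {vuln!r}, safe -> {safe!r}")
```

The same shape (input spliced into a string that another component parses) is what SSRF, command injection and the other server-side injections look like; the fix is always the same idea as the `?` placeholders here: keep data out of the grammar.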

So here are my top skills:

  1. Not programming, but computer science: how the web, the browser and the protocols work. Needed everywhere.

  2. HTML + JS. For attacks on the client.

  3. Python or another simple interpreted language. To automate and to understand server-side programming concepts.

  4. Other server-side languages. Studying their specifics and features to find complex, unique bugs.

But sometimes you do need basic programming knowledge, and, following from that, an idea of how to fix a bug once you have found it. Hunting alone will not teach you how to fix it.

Happy journey 💜
