loading...

How To Become A Web Security Researcher?

sinxloud profile image sinxloud Originally published at sinxloud.com Updated on ・5 min read

This post is part of an article originally published here.

In essence, cybersecurity is all about discovering non-default uses of everyday technology to cause unintended behaviour.

*Image Source: Unixmen<br>
Image Source: Unixmen.com

As a cybersecurity researcher, you take regular everyday things and think of malicious ways of using those things. Sounds simple, but you might say that you don't have a burning intellect or scientific thought process. You also don’t have a mathematical background, you know nothing about discrete mathematics or dark sciences. Hence how can you be good at cybersecurity? This is a myth. You don't need to have any of those things to be good at cybersecurity. Sometimes we like to think what we are thinking is quite unique but it's not. In fact, most of the people have the same questions because human psychology is more or less similar.

What is truly required to become a Web Security Researcher?

There is much abstraction in technology that you don’t need a mathematical background or a scientific thought process. There are people who never had a formal education and are still excellent security researchers. Let’s dive into the post and suggest some ways that you can get ahead in web security.

1. Insatiable Curiosity. 🤔

One thing required of you to survive in security for years is genuinely being curious about it. There is no difference between a web developer and a web security guy. If you want to be an excellent web security professional, you need to know everything that's happening in the web development world. You'll have to understand what is JavaScript, PHP, HTML, CSS and learn as a passionate developer but question everything as you learn and imagine other uses of it. You don't want to feel intimidated by the words like JavaScript, PHP or Node.js.

It’s important for you to know;

Where is web development headed?
What is the best framework used in the world used today?
What is the most used framework?

*When solving problems, dig at the roots instead of just hacking at the leaves. - Anthony J. D'Angelo*<br>
When solving problems, dig at the roots instead of just hacking at the leaves. - Anthony J. D'Angelo

In cybersecurity, people lose passion when they are not able to find bugs. You need to burn the midnight oil and nurture genuine curiosity about web security so that you don’t outgrow your passion for it. You don’t want to look at the website from a bird’s eye view and find low hanging fruit i.e, security vulnerabilities without any serious impact. If you want to be an above average web security researcher, you have to take a closer and deeper look at how the different technologies used by the website come together.

2. Learn by doing it. 🧐

Like, I said there is no difference between a web developer and a web security guy. You only make a distinction by pushing yourself to know beyond the default use while learning.

Start building simple and small websites with PHP or HTML.
Get familiar with database and web server, try making tiny pages that take input from a user like login credentials or contact details and learn to do some penetration testing. I have curated a list of helpful resources for Beginners to get started with Web Development and Penetration Testing.

Web Development resources for Beginners 💻
Penetration Testing Resources for Beginners 📚
Ethical Hacking: Hacking Web Applications - Troy Hunt 🔗

Practice common security vulnerabilities in an ethical hacking environment.
With the help of ready-made vulnerable applications, you actually get a good enhancement of your skills because you can learn in a safe environment. Here are few resources to legally practice your hacking skills.

List of Vulnerable Apps
How to Install DVWA
Play by Play: Web Security Patterns - Troy Hunt 🔗

Most importantly, Take the OWASP - Free Testing Guide to practice security.
OWASP has created lots of resources for strengthening the relationships between security and development. You can read about almost 70 - 80% of vulnerabilities on Web and how to find bugs. OWASP aims to help web security researchers understand the What, Why, When, Where, and How of testing Web Applications. If you are getting started with Web Application Security Testing, here are OWASP Resources that will help you get ahead in Security Testing.

OWASP Testing Project (Highly Recommended for a Beginner)
Play by Play: OWASP Top 10 - TroyHunt 🔗

3. Go after Bug Bounties 💰

If you want to be an excellent web application security researcher, Go after bug bounties. You can sign-up with hackrone and bugcrowd. You will see public programs that have running a bug bounty programs. For example, Google is running a bug bounty program, you can go ahead and try to find the issues you have learned. Don't ever procrastinate by thinking that you don't have enough skills to find a bug for big companies. You should try to find vulnerabilities in products that you even use and take some real challenges to financially bootstrap your career in web application security.

You need to build patience to stay focused because it's very easy to fall into lazy thinking habits. The common problem in bug bounty hunters is that once you find a bug, you get over excited. You want to get paid for it quickly, your focus redirects to money and you stop logical thinking at $200 bounty. And as a result, sometimes your bug will have much more impact. Only if you think more, you can make it to $2000 or even $20000 bounty.

Here are some resources that will help you get ahead in Bug hunting;

Bug Bounty Platforms
Hackerone
Bugcrowd
Firebounty

Recommended Course/Reads
Play by Play: Bug Bounties for Researchers - Troy Hunt
Why Ethics Matter in Bug Bounties

Once you find a couple of Bugs through Bug Bounty programs. You will get a job in most companies.

Before you go...

Always keep in mind that the devil is in the detail. And when it comes to security, engaging curiosity will create capacity for patience while trying to find bugs. Be Curious and Patient

If you enjoyed this post, do share it with your friends ... !

📜Please leave a comment below for any questions or let me know what you think!

Discussion

pic
Editor guide
Collapse
tux0r profile image
tux0r

It’s important for you to know;
What is the best framework used in the world used today?

How does that affect your ability to be sufficiently good at (both language- and framework-agnostic) web security? That makes no sense to me.

Collapse
sinxloud profile image
sinxloud Author

I am simply suggesting that you must be aware... I don't think you have to go and ahead learn how to build things using a framework but if you have to find bugs, you should be able to read through the code...

Collapse
tux0r profile image
tux0r

Which is easier when you just know the language. You can't specialize in moving targets (a.k.a. this week's JS framework).

Thread Thread
sinxloud profile image
sinxloud Author

Please suggest a weekly source for the best frameworks used.

Thread Thread
tux0r profile image
tux0r

There is no "best framework".

Thread Thread
sinxloud profile image
sinxloud Author

commonly used..

Thread Thread
tux0r profile image
tux0r

jQuery, Angular and React, I guess. Everything else cannot be said.

Also, it does not matter for web security at all.

Thread Thread
sinxloud profile image
sinxloud Author

If it doesn't matter for web security then Web Application Security is a joke.

I encourage you to refer to this security report :

CRITICAL Account takeover via AngularJS template injection in connect.squareup.com

hackerone.com/reports/26700

$2000 bounty paid by Square...

Thread Thread
tux0r profile image
tux0r

I encourage you to think about whether knowing the framework was relevant here at all. Knowing JavaScript was the only requirement to find this bug.

And yes, I think that "web application security" is a joke. If you want to have a secure application, do not put it in the weakest part of the computer (your web browser)!

Thread Thread
sinxloud profile image
Thread Thread
projectrhonin profile image
Rhonin

It matters in so far as: at the end of the day you have to provide guidance to developers, who may or may not understand the security implications at a deep level. These developers are possibly using "common" frameworks and you need to know what these frameworks do and don't bring to the table. Some do common validation and output encoding for example. Some use functions with cryptographic weaknesses ECT ECT ECT. You wouldn't be able to provide guidance to them if you don't understand the framework they are using (ie the way the language is implemented).

Its also important in pentesting because it allows you to target commonly used packages and implementation for research or do hit known vulnerabilities.

Thread Thread
sinxloud profile image
sinxloud Author

We are talking about security researchers. read this article again.

Collapse
ethan1997 profile image
Ethan

Your post helps me a lot! Thank you

Collapse
sinxloud profile image
sinxloud Author

i am glad it helped.. :-)