As you start practicing security, you have to make a difficult adjustment in your learning process by asking questions.
- What is this Bug?
- How does this bug work?
- Why does this bug work?
Questioning is pivotal to success in web security and you need to ask the WHY question almost every time (why did this work and why did this not work) and answer them yourself.
If you find a bug; How did I find this bug? Why does this bug exist?
If you don’t find a bug; Why didn’t I find this bug? What am I doing wrong?
You have to know why you couldn’t find that bug. Maybe you were able to find that bug in your practice on the VM but you are not able to find the bug in the actual website.
You have to know Why. Possibly the website you are testing has implemented a good security mechanism. So you have to learn what they doing right. Once you know more about doing things right, you will automatically know how to do things wrong. And next time when you go to test another website you will know what these guys are missing.
The common problem in bug bounty hunters is that once you find a bug, you get over excited. You want to get paid for it quickly, your focus redirects to money and you stop logical thinking at $200 bounty. And as a result, sometimes your bug will have much more impact. Only if you think more and questions, you can make it to $2000 or even $20000 bounty.
Remember, as a web security researcher, you take regular everyday things and think of malicious ways of using those things. So, asking questions will keep you from looking at the website from a bird’s eye view and find low hanging fruit i.e, security vulnerabilities without any serious impact.
You need to know everything that's happening in the web development world.
If you want to be an above average web security researcher, you have to take a closer and deeper look at how the different technologies used by the website come together.
So Asking questions will help you do so
This post was originally published here.