ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Ethical Hacking: How to Teach Yourself About Bugs

Updated on March 4, 2020
Jacob Petrov profile image

Jacob is an Ethical Hacker / Bug Bounty Hunter wishing to share his knowledge and help you learn the basics.

Click thumbnail to view full-size

Disclaimer:

All information given in this article is provided under the assumption that the reader will use it ethically. You should never hack anything without prior consent to do so

What Will be Covered in This Article

  1. Why You Need to Know How to Teach Yourself
  2. The OWASP top Ten
  3. Hacksplaining
  4. Bug Reports
  5. Finding Your own Resources

Why You Need to Know How to Teach Yourself

The advantages of teaching yourself are that you get to learn at your own pace as well as focus in on the areas that interests you the most. I will be giving you resources to learn about prominent bugs, but I will also be covering how to do your own research.

Give a man a fish, teach a man to fish etc etc... We live in the age of information. You want to learn about web hacking? To learn about the human heart? The blue whale? The entire history of the Holy Roman Empire? All the resources you could ever imagine are online, the skill you must develop is how to find them!

The OWASP top Ten

An important concept to understand is there are a small minority of bugs that are commonly found. This means you only need to learn a few bugs to start hacking. OWASP.org is kind enough to rank the most pressing vulnerabilities. It is these vulnerabilities you must learn.

What I recommend to do is to pick a category and start there. For beginners I recommend #7: Cross Site Scripting. You can pick whichever category you would like, but know that I think XSS (Cross Site Scripting) is the easiest to start on.

I give you this list so you have the terminology needed to do further research. The list alone is not very informative, but it tells you what you need to study further.

Hacksplaining

Okay, this is the fun one. This is the website that I'm always excited to recommend to people: www.hacksplaining.com (requires a free account)

So let's assume we want to learn more about XSS (Cross Site Scripting). We would go to hacksplaining.com and select one of their XSS lessons. I recommend the first one simply called Cross-Site Scripting.

What they do is take a bug and give a step by step explanation of what the bug is and how it is performed. They then explain how prominent and exploitable it is. All the while there are fun and visually appealing cartoon characters. I find it incredibly charming and cannot recommend it enough.

Bug Reports

If you've read my previous article then you will remember hackerOne. A quick summary: it's a site that offers you bug bounty programs and acts as a middle man between you and a company with said bounty program.

Once someone discloses a bug and the site fixes the problem, it is disclosed to the public. What this means is that there is a database of bug reports that you can learn from. These reports are in depth explanations of how these hackers tested and what they did to find the exploit. You also get to see how to write a bug report as well as how much you can get paid. This is all under the hacktivity tab, there's a search bar so you can look for specific bugs.

You will have to sign in / make an account but I find hackerOne to be an incredible resource. Once you feel confident enough in XSS vulnerabilities, you can go back to the OWASP top Ten to find a new category and start the process all over again.

Finding Your own Resources

I can only hold your hand for so long, when you get out there and start learning on your own is when you will start to make real progress. Let's cover how you can do this on the web.

Key Words:

The layman doesn't understand how search engines work. Depending on your familiarity with tech you may not either. So much of computer science is learning how to search for things. For starters, don't phrase your queries as questions. Instead, you should be using key words. For instances, don't search:

How to exploit web app using XSS?

Here you will only get vague answers. Be short and concise as possible, like so:

Reflected XSS on Angular 1.7.3

This will yield much better results.

Search Engines:

There is more than just Google! I know it's a meme that no one uses Bing, but seriously if you're having difficulty finding something, try a different engine. Different search engines will return different results. Check out this article giving a list of all the other options you have.

Query Tricks:

Okay so Google will probably remain your default search engine. Did you know there neat tricks you can put in your queries? For instances, if you are searching for something and want a phrase in your query to be in the result, put it in quotes

most common "web bugs"

This will treat "web bugs" as one term so you can get specific results.


You want a result from a specific site? use the site tag.

site:youtube.com sneezing panda

This will only return results from the site you specify, great for obscure websites.


Do you want a specific file type? try the filetype tag.

webhacking101 filetype:pdf

This will only return pdfs.

Conclusion

Web Hacking requires the ability to constantly learn, people can recommend resources to you (like I did in this article) but eventually, you will need to learn how to find your own.

I have given you three resources, one to give you better terminology for research, one to help you understand complicated concepts and one to see the real world implementations of bugs. I have also given you some tips and tricks that have helped me over the years.

Only you know what you're interested in and how you like to learn. The best teacher is yourself.

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

Comments

Submit a Comment

No comments yet.

working

This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, hubpages.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: https://maven.io/company/pages/privacy

Show Details
Necessary
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the googleapis.com or gstatic.com domains, for performance and efficiency reasons. (Privacy Policy)
Features
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Marketing
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Statistics
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)