Nepali Lady Hacker Dikshya Shares How to Become a Bug Hunter: Challenges, Tips, and Opportunities in Cybersecurity
Bhadra 2, 2082, 13:03
Kathmandu: Entering the cybersecurity field comes with many challenges, particularly in bug bounties and web application security. Many beginners feel confused about where to start and what to learn.
Once you understand its concepts and methodology, embracing this field becomes easier. This article is based on my personal journey and the lessons I have learned, which will help you navigate this exciting domain.
My brief introduction
I am Dikshya Shrestha, also known online as ‘gakusen’, a Japanese word meaning ‘struggle for education’. I currently work in Offensive Security at CryptoGen Nepal. I am always eager to explore cybersecurity and uncover hidden vulnerabilities (bug hunting) in websites. I am not an expert yet, but I learn something new every day, and I want to share my journey with you.
This is how my cybersecurity journey began
My learning journey started about a year ago. Initially, I had no clear path. I would read anything I could find, watch YouTube videos, and practice labs on ‘TryHackMe’. However, there was no definite structure to my learning.
At that time, it all felt cumbersome and disorganized. I wanted to do something in cybersecurity but didn’t know where to start. I spoke to different people but couldn’t find the guidance I needed. During my search, I found an experienced mentor, Apil Chand Dai, through LinkedIn. His guidance became a turning point for me. Following his advice, I began learning from ‘PortSwigger Web Security Academy’, where I honed my skills in server-side vulnerabilities.
For beginners in cybersecurity, server-side vulnerabilities are easier to understand. Any input we give gets an immediate response from the server, and the effects are clear, making the learning process simpler.
Initially, I wondered, ‘We have put an alert in a system, but what do we do when it triggers?’ Just setting an alert does not solve the problem. Thinking “What now?” helped me understand server-side vulnerabilities more effectively.
Earlier, when I read blogs on platforms like 'Medium', I struggled to understand many concepts and processes. But gradually, as I studied, a basic structure began forming in my mind.
Around that time, I joined the 'Pentester Nepal' community. Posts by other members were very helpful, and I connected with many professionals in the field. I also started participating in competitions like Capture the Flag (CTF), which gave me valuable learning opportunities. Slowly, my skills began to take shape.
Entering the world of real bug hunting
After gaining some understanding of vulnerabilities, I decided to do bug hunting to gain practical knowledge of real-world applications.
At first, it was very challenging because I made many mistakes. For instance, while learning, I couldn’t analyze which requests produced which responses. So, when I started testing real applications, I felt completely lost.
Initially, I only looked at the ‘HTTP history’ in Burp Suite. I didn’t know where all the requests came from or which ones to work on. I didn’t understand the application workflow because I lacked basic knowledge.
Gradually, I practiced more, read write-ups by others, and observed applications carefully. I analyzed the responses for each action, paid attention to reconnaissance, and improved my approach. I’m not an expert yet, but understanding these concepts has become much easier than in the early days.
I began with the Vulnerability Disclosure Program (VDP) rather than the Bug Bounty Program (BBP). The reason is that BBPs are highly competitive, and many skilled hackers have already tested these applications. For beginners, it’s harder to find new bugs there. VDPs have fewer participants, offering a higher chance of finding bugs. It also helps avoid out-of-scope issues and provides a better understanding of applications, a solid foundation for the competitive bug bounty world.
First success in bug bounty
After searching for bugs in VDP programs for some time, I finally found my first bug. I cannot describe the joy and pride I felt. I had worked hard, and finally, success came.
That success boosted my confidence and made me eager to learn more. I still made mistakes; for example, I submitted my report two or three times because I didn’t know the proper process. But when I saw my report marked as “Triaged” (accepted initially), I was overjoyed.
A basic roadmap for you
Now, I’m sharing a roadmap to help you advance systematically in this field.
Strengthen your basic knowledge of the web
Before diving into web security, you must understand how the web works. How can you secure it without knowing its fundamentals? Here are some key areas:
- Basic knowledge of HTTP: Understand what HTTP (Hypertext Transfer Protocol) is and how it works. Learn about responses, status codes (e.g., 200 OK, 404 Not Found, 500 Internal Server Error), and the differences between GET, POST, and other request methods. This knowledge is crucial for testing applications.
- How a browser works: Know how a browser retrieves content from a server. A browser doesn’t just display content; it constantly communicates with the server.
- Web request and response flow: Whenever you click a button or submit a form, ask yourself:
  - How is the request sent?
  - What comes in response?
  Example: You clicked → Browser sends a request → Server sends data → Page updates.
  Understand:
  - What is sent in the request (form data, parameters)
  - Response type (HTML, JSON)
  - Status codes
  - Redirects or special headers
- Client-server interaction: Understand how the front end (client) and back end (server) communicate.
  Example: User submits a form → Front end sends data → Back end processes it → Sends response → Front end displays it.
  Without this, finding many front-end and back-end bugs is impossible.
- Cookies and sessions: Learn the difference between cookies and sessions. Understand:
  - How cookies are stored
  - How authentication works using cookies/sessions
  - Terms like the Secure flag, HttpOnly, and session IDs
  Example: Logging in starts a session and logging out ends it; understand this flow in detail.
- JavaScript in the browser: ‘A good developer is always a good hacker.’ Understanding JavaScript helps identify vulnerabilities in front-end code. You don’t need to be a developer, but you should be able to:
  - Understand what a JS file does
  - Identify front-end triggers
  - See how it fetches data from the server
  - Analyze form submissions, buttons, validations, AJAX requests
  This knowledge helps spot hidden parameters or logic flaws.
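To make the request/response and cookie points above concrete, here is a small added example (not from the original article) that parses a raw HTTP response the way you would read one in Burp’s HTTP history: it records the status code and phrase, content type, redirect target, and which Set-Cookie headers lack the Secure or HttpOnly flag. The response text, the SESSIONID cookie and its value are constructed for illustration.

```python
from http import HTTPStatus

SAMPLE_RESPONSE = (  # constructed sample, not a real capture: reply to a login form
    "HTTP/1.1 302 Found\r\n"
    "Location: /dashboard\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>redirecting...</html>"
)

def parse_response(raw: str) -> dict:
    """Split a raw HTTP/1.x response into status code, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    code = status_line.split(" ", 2)[1]
    headers = []  # list of (name, value): Set-Cookie can repeat, so no dict here
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"status": int(code), "headers": headers, "body": body}

def parse_set_cookie(value: str) -> dict:
    """Turn 'NAME=val; Path=/; Secure; HttpOnly' into name, value and attribute dict."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, attr_val = attr.partition("=")
        attributes[key.lower()] = attr_val if attr_val else True  # flags have no value
    return {"name": name, "value": val, "attributes": attributes}

def audit_cookies(raw: str) -> list:
    """For each Set-Cookie header, list which of the Secure/HttpOnly flags is missing."""
    findings = []
    for name, value in parse_response(raw)["headers"]:
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            missing = [f for f in ("secure", "httponly") if f not in cookie["attributes"]]
            findings.append((cookie["name"], missing))
    return findings

def summarize(raw: str) -> dict:
    """The notes a tester keeps per action: status, content type, redirect, cookie flags."""
    resp = parse_response(raw)
    headers = dict(resp["headers"])  # last value wins; fine for single-valued headers
    return {"status": f"{resp['status']} {HTTPStatus(resp['status']).phrase}",
            "content_type": headers.get("content-type", "").split(";")[0].strip(),
            "redirect_to": headers.get("location"), "cookies": audit_cookies(raw)}
```

Running `summarize(SAMPLE_RESPONSE)` reports the 302 redirect to /dashboard and flags SESSIONID as missing the Secure attribute, which is exactly the kind of observation a beginner should note for every action in an application.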
Using labs to learn vulnerabilities
Practice in labs to learn vulnerabilities. I started with PortSwigger, which provides both theoretical knowledge and practical labs.
Don’t limit yourself to PortSwigger. Its labs often seek a single solution, which can narrow your understanding. DVWA (Damn Vulnerable Web Application) is another great option. It lets you study back-end code and build exploits accordingly, a valuable experience.
The right way to learn: Understand the process, not just the solution
When you do a lab, don't just rush through it. Instead, understand what you did and how you solved it. Please don't make the same mistake I did. Rushing through your learning will make you a lot worse during real-world testing.
When you solve a lab, try to understand each step by asking, "How did I get to this solution?" Because the goal here is not just to solve it, but to learn the process.
Learn from others (write-ups and podcasts)
Reading write-ups and listening to podcasts is essential. They show how others find bugs and work on real applications. You may not grasp everything at first, but it reveals areas where you need to improve.
Resources:
- Write-ups: PentesterLand, InfoSec Writeups
- Podcasts/videos: Critical Thinking Podcasts, BBRE (Bug Bounty Reconnaissance Explained)
Be patient; over time, everything becomes clear. Make reading write-ups a habit. You can click here to access my resources.
Work on real applications
After gaining knowledge, start testing real applications. I recommend starting with VDPs. Gradually, move to bug bounty platforms and select your targets.
Tips:
- Understand each bug thoroughly; don’t rush. Learning takes time.
- Don’t compare yourself to others on social media. Achievements you see don’t reveal the hard work behind the scenes. For beginners, finding bugs may take months. Patience and consistency are key.
(This article is based on a presentation by cybersecurity researcher Dikshya Shrestha at Pentester Nepal’s 12th anniversary program. You can connect with her on LinkedIn.)
Last updated: Bhadra 2, 2082, 13:16
