Through my time pentesting and working with other people, I have picked up a few valuable lessons that I hope to imprint on your brain. Today’s lesson is all about where your priorities should lie and how you should order your work.
This can be a very difficult task to achieve, so do not underestimate it. How often have you found yourself in a rabbit hole at 3 AM? I don’t like rabbit holes; I like to carefully plan my moves and see where I am in my planning at all points in time. This is how I prioritize my work and how I seemingly get the impossible done with a day job, a kid, and a rat empire to manage.
This is something not a lot of people do, yet I am sure it could benefit them immensely. Usually, when we read an article or watch a YouTube video, we get a temporary boost of dopamine because we think we are learning. But think back to our school days: what defined those was a set curriculum that was thoughtfully planned out in advance, not a random mess of lessons. In life it would help anyone to, first of all, get a proper calendar. This can be digital; something like Gmail works wonders. Connect it up to your phone, home computers, and everything you can think of. Even if your smart fridge isn’t safe anymore, set that baby up to receive a calendar!
You have to make a realistic estimation of how many hours you have awake and what you put your energy into. Make sure to calculate enough sleep into the mix. Also, realize that most tasks do not take as long as you think and just starting out is the hardest part. Always remember to perform your tasks immediately if they take less than 2 minutes or to put them into a to-do for later. Even if that to-do item is just to plan out time, that is okay. Planning also takes time but if you are prepared for 70%, all that is left is 30% execution.
Factor in every aspect of your time and do it like you were spending money. You know your budget; usually it’s about 16 hours of time. How are you going to spend it? And remember that time is the only thing you can spend but never get back. Sit down and look at this objectively: do you really have to play for 4 hours, or can you cut down your video game time to 3 and spend an hour learning?
So you might be wondering what you should focus on, and this differs depending on your goals. As a bug bounty hunter you have to dig into rabbit holes; they are the locations where you will find the most cheese. As pentesters have usually already raided as much low-hanging fruit as they can, bounty hunters are the warriors with the massive weapons of war that march behind the troops to slaughter any remaining bugs.
Your focus should lie on digging into the things you like; this is the most important aspect of bug bounty hunting. If you do not like to hack for XSS, you will not enjoy doing bounties, but do spend some time going wide and exploring your options since there is so much out there. Remember that your time is valuable and do not spend it on targets you do not like. That would be a big waste. Of course, finding that first bug is any hunter's dream, but if you focus on finding your flow, the bugs will follow. If you focus on how other people hack, though, you will only get lost, because they describe their viewpoint at a snapshot in time and usually you cannot fully comprehend a method unless you experience it.
That being said, I do think you should learn from the masters. They have paved the way from which you can gather elements and puzzle together your own way through the jungle on your quest for the ultimate P1 critical bug.
Now comes the interesting part. Pentesters often have the same tendency as bounty hunters when they first start: they want to dive deep into every nook and cranny, but it’s important to realize what the whole purpose and plan of a test are.
Often a company goes into an agreement where they make an estimation in hours, level of coverage, and expenses which they communicate with the client. This is often done in the form of a contract which can have heavy fines attached to it if those terms are broken. Your role as a pentester is to form part of a team that the company creates internally depending on the original estimation. You have to help your team lead honor that contract both in terms of time and coverage.
All of these fancy words mean that you have to first guarantee coverage, but if you do find something interesting, you have to communicate it with your client. They can decide if they want to pay your team to investigate your findings and you have to advise them in their decision but you must embrace that you want to at the very least guarantee a certain level of coverage. You can never test for everything, nobody has the budget for that.
Before you can achieve any of this, of course, you have to learn how to hack. For that, I wrote a whole article (https://thexssrat.medium.com/resources-to-help-make-you-a-better-hacker-304ad170afd3), but what matters most is that you set yourself an achievable goal. Both time and skill-wise, you have to be realistic at all times. It might take a while to find out what you want to be and that is okay, just know that you can aimlessly hack forever. If it is your hobby, why not? But if that is your goal, then own it and own up to it.
Make sure you chop down any mountain of work into smaller parts, as small as you can feasibly make them, and put them into your planning.
With that reference to our planning calendar, we come full circle. Time is a limited resource, my friends. How will you spend yours?