8 min read


AMA with Harsh Bothra

Application Security Engineer ⚙️ | Cobalt Core Pentester 🔏 | Bugcrowd Top 150 🐞 | SRT 🔥 | Author 📚 | Speaker 👨 | Blogger 🖊️ | Project Bheem 📜 | Learn365 📖

  • How to get advanced in Broken Acces Control?

    • I would say these are logical issues and have no limitation at all. Try various techniques shared by people, try to play around the endpoints to see if you can bypass things, Use auto repeater, autorize, authmatrix burp exts for rescue.

  • What is the future scope of mobile app pentesting? Where do I start and what exams I should prepare for if I want to make it?

  • How to deal with lack of consistency in learning and hacking?

    • Find a motivating factor that allows you to push yourself to learn something. For example, I started something called Learn365 (https://github.com/harsh-bothra/learn365).

    • For Hacking, I set monthly goals that at least 60 bugs per month or so.

  • Q1) How to make checklist for bug hunting?

  • Q2) What do you do when the target company doesn’t respond you after you find a bug on that program even after a month?

  • Q3) How to prepare infosec certification with College study & Bug Hunting?

    1. @Bugcrowd VRT is really good. You can derive a personal version from it.

    2. Reach out to the platform support via proper channels.

    3. Manage your time by keeping a planner and see where you can fit time for BB and Certs. It depends totally on your time management skills.

  • Do you perform credential stuffing during pentest? Can you please share some resources that can be useful to find breached credentials?

    • Not a regular exercise and this totally depends upon case to case basis.

    • Regarding the breached credentials, you can look on darkweb forums, github, pastebins, trello boards, etc.

  • I’m already doing bug bounty and all the stuff. Should I go for eWAPT or eWAPTX? What’s is your opinion?

    • Are you comfortable with Server-Side Issues and advanced bypass techniques? Yes? – go for eWAPTX : It’s a good exam, hard difficulty level.

    • Otherwise, go for WAPT.

  • When you start your journey in bug hunting first of all which bugs did you find and what recon tools you used mostly while hunting the bugs?

    • My journey was quite on and off in bug bounties. I tried doing it during my schooling (back in 2014-15) but as soon as I stepped in for graduation, I started exploring other stuff. Finally, I stepped back into Bug Bounty (not appsec, it was before) in 2020.

    • Initially, I reported a mixture of low and medium issues including some security misconfiguration such as rate limit bypass/business logic abuse and access control related issues. Further, I tried to understand this more closely and started reporting all sort of issues.

  • What is the learning path if want to learn API pentesting? What’s the best resource, how do we understand/paths/endpoints for the APIs in order to test the applications’ API?

    • Most of the test cases for Web are applicable to APIs too. You can refer to OWASP API TOP 10 and learn different APIs like REST and SOAP to see how they work! Rest, I usually treat web & API testing almost the same, to be honest.

  • How do you schedule your time and remain undistracted?

    • Well, I keep a daily planner and unless I finish off my daily goals, I usually don’t go to sleep (not always but usually).

    • Also, set some goals for the long term, let’s say I want to do X in this month or quarter and just start chasing it.

  • How can we enhance our fuzzing techniques?

    • Always try to enumerate technologies and understand what all things your application is using, say “PHP”, fuzz using a wordlist that is more relevant to PHP.

    • Secondly, always keep threads limited else you may end up hitting some services and disrupt them.

  • What do you think people do wrong or should also focus to stay motivated and progress?

    • Looking for easy ways to get hits! For Example, you are reporting very easy to discover low severity issues and feeling burnout/demotivated because it was not a valid/dupe! expectations are not well aligned with reality here. I am not sure if everyone will come up with something different because these are the only ways one can think of about progressing.

  • How to choose which domain is best for any new comer like bug bounty and network security or maybe system security?

    • All of these fields are really good and the major thing here is what interests you more?

    • Do you wish to have a secure source of income? - Do Job and Keep BB as part time gig.

    • Do you like networks/systems more? - Go for Network/System Sec.

  • Have you gone through burn out some time? If yes, how much time and how you overcome that?

    • I often get into burnouts. Time is really not defined, few hours to days. I just do some technological detox and sleep, take a walk, spend time with family, watch some shows, etc.

  • How to get a infosec job in India, what certification/degree do you recommend. What scope do you see in Infosec jobs in India?

    • Totally depends upon your skill-set I believe. Keep an eye for openings via LinkedIn and try to get referrals that may help.

    • Personally, I don’t think for getting started you “Must” have a certificate, it’s always good to have.

    • Look for application security specific organizations instead of Big Giants.

  • When you approach a target, what is your mindset, what are you thinking when you sit to hack on a particular target?

    • Mindset - I am gonna bypass some security controls to the best of my knowledge. I try to understand the target and its functionalities first and further move to test it.

  • How much networking and OS should I learn before exploring the pentesting tools?How should I test that I have learnt a good amount of networking and OS?

    • Networking and OS - I would say learn as much as you can, definitely going to help you throughout.

    • @hackthebox_eu and @RealTryHackMe are good ways to practice.

  • If you see a CDN, then what type of bugs do you hunt? What do you do with the wayback urls?

    • Unauthorized Access

    • Misconfigured Instances

    • If cache servers are used, Cache based attacks like cache poisoning, deception, denial of service, etc.

  • If we want to upskill ourself in WAPT, should we solve HTB or do Bugbounty?

  • Q1) How do you learn something new?

  • Q2) Any tips for a beginner in this field?

  • Q3) How do you manage your time between enjoyment, learning, friends and bug Bounties?

    1. I follow #Learn365 which motivates me to find something new and relevant to learn. I usually keep up with blogs and talks that people post.

    2. Never give up and try to go for bugs with high severity instead of playing around low severity issues only.

    3. I usually watch & hack.

  • What is your hunting approach for internalapi.example[.]com showing default nginx server homepage?

    • Fuzz it with different wordlists.

    • Do parameter discover.

    • Try to see if there is any known vulnerability.

    • Try running a port scan.

  • How to pentest CMS based applications?

    • Look for the known vulnerabilities.

    • Deploy the CMS locally and Fuzz it.

    • Often there is custom implementation, consider it as your normal application and try to hit something.

  • While solving lab of postswigger academy if after trying lot but I am not able to solve what should I do next? Also I am beginner.

    • It is good to refer to the solutions and search for the videos on same lab/topic, understand the concept and trying solving again yourself. Learning the concept is important in my opinion. There is no use in hitting dead ends and getting demotivated.

  • How to deal with dupes and what kind of target we should choose as a beginner?

    • Big Scope Targets

    • Do not run behind Low Hanging Isssues

    • Ask yourself, am I putting my best to identify high/crits?

  • Which tools do you use?

    • There are many but mainly Burp Suite, Tools that come with Kali [There are many to list]. @pdiscoveryio tools.

  • Why you hack and how long you will hack?

    • Hacking for a living mate and I guess compared to the other things I know, this is something I am good at.

    • Target is interesting – I don’t keep a track of time, usually, I doze off while working. Else, couple of hours.

  • For how many years you have been in Cyber Security?

    • I am more of doing Pentesting these days over Bug Bounty. On & Off it’s been 4-5 years now.

  • Could do we know which are your top 3 vulns in server side you begin looking for when you do bug bounties? And if you are in a traditional (professional) pentest, do you report anything deben the low hanging fruits?

    • Server Side: XXE, SSRF and Fuzzing for Injections.

    • In Pentest, we report everything that may be a directly exploitable issue or a defence-in-depth one.

  • How to overcome imposter syndrome in bug-bounty?

    • I just look back at what I was before a couple of years and what I am today. I try to track my progress and that boosts my confidence. Everyone got their own part to play so I don’t give much time to negative vibes.

  • How to stay consistent for learning 365 days and how do you manage it?

    • That’s a big challenge. I try to find time in chunks let’s say while having food, or during little breaks, etc.

The original twitter AMA can be found here :- https://twitter.com/sillydadddy/status/1403346944710242316