Shuffling the codes: Reasons you must learn programming for finding great bugs

Manas Harsh
6 min read · May 23, 2021

Hello homies! I hope you are doing great and working on your stuff. We are getting a pretty good amount of free time because of the pandemic, and luckily we are one of the rare groups of people who are happy about it (I mean people from bounty and stuff). As you can see from the heading, this blog is about an evergreen debate: whether you need some coding knowledge, whether you need to be really good at it, or whether you can get by fine without it. I thought this was the time to clear things up from my side, and here we are, right on with this article :)

Well, I have divided this read into three parts. What happens when:

  • You don’t understand programming at all and can only read the lines as plain English/maths.
  • You understand the basics of programming and can read what’s going on in the code, but somehow can’t write it.
  • You are equally good at understanding and writing code.

This will help us understand the topic better, and people falling into all three categories can relate to it. Before ending, I will put my own point as well. Let me make this clear here: this is completely my opinion and your thoughts could be different. I totally respect that :) With this intro, let’s move forward.

Let’s discuss the first point. Suppose someone is not good at coding and can’t understand code structure or the algorithms applied. The whole application’s code reads like plain English or mathematical equations for them. Well, you can STILL find bugs like business logic flaws or sensitive data exposure, but if I’m honest, those are low-hanging fruit these days unless you go really deep to find something, and even then you need some luck, don’t you? Right, you will be lacking in so many ways. Pros and cons for this category:

Pros: None

Cons: You can’t find great bugs, since you won’t understand what’s actually happening backstage in the application. You won’t be able to bypass almost any restrictions, such as firewalls. Along with that, you have a much lower chance of finding bugs compared with people who have programming knowledge. You will also depend on automated tools written long ago, and almost everyone who can’t write their own code is using the same tools you will use, so your chances shrink again. Look, so many loopholes :(

Second point: you have some knowledge of programming and you at least understand code even if you can’t write it. You can guess what the code is doing. Great news! You are at least a few steps ahead, if not many, of the people in the first category. This group includes people who are still learning programming, people with some knowledge from their college days, and people who have picked up an understanding of code just by looking at it, since they have been reading roughly the same kind of code for a few years. Well, you have higher chances of finding a few (if not a lot of) very good bugs. For example, if you understand how the DOM (Document Object Model) works, you can look deeper and might exploit a DOM XSS there: you can read which attacker-controlled sources (the URL fragment, the query string) reach which sinks (innerHTML, document.write) in the page’s scripts. In the same way, if you know how PHP works, you can check for higher-level bugs such as injections and code execution. Pros and cons for this category:

Pros: Since you already know the basics, you can upgrade your programming skill very quickly. You will understand new functions and rules better than people starting from scratch. You also won’t find it very difficult to learn new programming languages, since they almost all share the same concepts. It will help you increase your bug-finding skills for sure.

Cons: Even if you understand code, you can’t write it, so you are still behind the people who can write it for their own purposes. Since you can’t write your own tools, you will still have to use automated tools written by other people many times (less often than people from the first category), and as I said earlier, automated tools won’t help you much. You are obviously ahead of many people, but there is still a lot to work on :)

Finally, we have our third category: you are equally good at reading almost any type of code and at writing it. GZ! You’ve already won half of the battle! You have a huge, very huge edge over people who can’t write code. Since you know how to code (here I am assuming you know at least one language you can script in, e.g. Bash, Python or Go), you can write your own tools, automate them, and use them in a way that gets you results long before others even get there. Along with that, if you know any of Java, C or C++, you will fall into the 1337 category once you start finding bugs. So, pros and cons for this category. Cons! Cons! Really? No way!! There are only pros:

Pros: You have everything in your hands. Suppose you get stuck in the middle of exploiting an XSS that needs a small chunk of JS to be implemented. You can write it in minutes and try it there, and even if it doesn’t work on the first attempt you can iterate several times, since you understand what could work there. In the same way, if you want to automate something but don’t want to use pre-written tools, just grab your system and write a script in any scripting language. Coding simply makes everything easier in every possible way :) So you are far ahead of a lot of people in the other categories.
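To make the DOM XSS point from the second category and the “small chunk of JS” point above concrete, here is an added example (my own illustration, not code from the original post). It shows a greeting widget that reads a name from the URL fragment and writes it into the page, first the vulnerable way and then the hardened way, plus a deliberately simple source-to-sink scanner run over a constructed snippet of front-end code. The DOM element stub, the hypothetical `#name=` parameter, the `SAMPLE_BUNDLE` lines, the payload and the source/sink lists are all assumptions chosen for the example; it runs under Node.js with no browser.

```javascript
// Added example (not from the original post): a DOM XSS source-to-sink flow.
// The vulnerable handler sits beside a hardened one, and a small scanner shows
// how reading the page's scripts for sources and sinks finds the same bug.
// Runs under Node.js; the DOM element is a constructed stub so nothing needs a browser.

// Constructed stand-in for a DOM element: it only records what was written to it.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Hypothetical widget: reads "#name=..." from the URL fragment (an assumption).
function nameFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("name") || "friend";
}

// Vulnerable: location.hash is attacker-controlled (a source) and innerHTML
// parses markup (a sink), so tags inside `name` become live elements.
function renderGreetingVulnerable(hash, el) {
  el.innerHTML = "<p>Hello, " + nameFromHash(hash) + "!</p>";
  return el.innerHTML;
}

// Hardened: the same value goes through textContent, which never parses markup,
// so an <img onerror=...> payload is shown as literal text and nothing runs.
function renderGreetingSafe(hash, el) {
  el.textContent = "Hello, " + nameFromHash(hash) + "!";
  return el.textContent;
}

// Reading aid for auditing a bundle: attacker-controlled DOM sources and
// markup- or code-executing sinks. Both lists are assumptions, not exhaustive.
const DOM_SOURCES = ["location.hash", "location.search", "document.referrer", "window.name"];
const DOM_SINKS = ["innerHTML", "outerHTML", "insertAdjacentHTML", "document.write", "eval("];

// Very small single-file taint pass: a `const/let/var x = ...` whose right-hand
// side reads a source (or an already tainted name) taints x; a line that uses a
// sink together with a source or a tainted name is reported as a flow. It is a
// reading aid, not real analysis: no scopes, no function calls, no escaping checks.
function findSourceToSinkFlows(code) {
  const tainted = new Set();
  const flows = [];
  const mentions = (name, text) => new RegExp("\\b" + name + "\\b").test(text);
  code.split("\n").forEach((line, i) => {
    const decl = line.match(/^\s*(?:const|let|var)\s+([A-Za-z_]\w*)\s*=(.*)$/);
    if (decl) {
      const [, name, rhs] = decl;
      const fromSource = DOM_SOURCES.some((s) => rhs.includes(s));
      const fromTaint = [...tainted].some((v) => mentions(v, rhs));
      if (fromSource || fromTaint) tainted.add(name);
    }
    const sink = DOM_SINKS.find((s) => line.includes(s));
    if (!sink) return;
    const taint = DOM_SOURCES.find((s) => line.includes(s)) ||
                  [...tainted].find((v) => mentions(v, line));
    if (taint) flows.push({ line: i + 1, sink, taint });
  });
  return flows;
}

// Constructed snippet standing in for a target's front-end bundle.
const SAMPLE_BUNDLE = [
  'const q = new URLSearchParams(location.search).get("q");',
  'document.getElementById("results").innerHTML = "Results for " + q;',
  'const page = location.hash.slice(1);',
  'document.write("<a href=\'" + page + "\'>next</a>");',
  'document.body.insertAdjacentHTML("beforeend", location.hash);',
  'document.getElementById("count").textContent = String(q.length);',
].join("\n");

// Constructed payload: a classic DOM XSS proof of concept carried in the fragment.
const PAYLOAD = "#name=<img src=x onerror=alert(document.domain)>";

console.log("vulnerable:", renderGreetingVulnerable(PAYLOAD, makeElement()));
console.log("hardened:  ", renderGreetingSafe(PAYLOAD, makeElement()));
console.log("flows:", findSourceToSinkFlows(SAMPLE_BUNDLE));
```

Run it with `node` and compare the two outputs: both contain the `<img ...>` string, but only the innerHTML one would be parsed as markup in a browser and fire `onerror`. The scanner flags the `innerHTML`, `document.write` and `insertAdjacentHTML` lines and stays quiet on the `textContent` line; that is exactly the source-to-sink reading a programmer does by eye, and its blind spots (data crossing functions, values that get escaped on the way) are where a human reader still wins over a grep.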

Well, now I guess things are pretty clear. As mentioned, I will add my own point. I hope you all understand that only 5% (max) of bug hunters are actually successful, and what do you think these big guys have extra? Well, there is obviously out-of-the-box thinking involved in their success, but I’m pretty sure 95% of that 5% are brilliant at coding. They will just write an automation tool and grab a lot of low-hanging fruit. In the same way, they go really deep, and at any point of suspicion they use their programming skill. Also, if you look at the exploits written for zero-days, you will find a lot of them are written in C, because operating systems and kernels are built in it. You can always check Exploit-DB (the site that also hosts the Google Hacking Database) to find them :)

The point is: what do you really need to learn? Well, you can start with C or Python. Java is also a very good choice, but it won’t make much difference in exploiting web apps (deserialization is the exception); still, it is a great choice as well. Along with that, you must learn JavaScript; it will help you find many complex bugs. C is super handy for exploiting buffer overflows and for binary exploitation in general. For automating your process, Bash is great in my opinion, and if you want to write a tool, go with Go. Python also works pretty well and is quite easy to learn and use. Just remember one thing while learning them: learn one language, then jump to another. Learning is a lifetime process. It’s a marathon, not a sprint :) Take your time and keep adding them to your bucket one by one. You will enjoy the journey :)

With this final touch, I will end this read here. I have not mentioned any resources for learning the languages, and I leave it to you to research them. There are a lot of places where you can learn almost everything. Just take your time and have patience :) Also, please understand that not everyone can be equally good at coding, and you should never force yourself into it. But you can surely give it a try and check whether it works for you :) If you loved this blog, share it with your buddies. Sharing is caring :) I would also highly appreciate any suggestions or recommendations related to this topic. You can ping me on Twitter 24/7.

Take care, happy hacking!

Adios ❤

Twitter: @manasH4rsh


Manas Harsh

Security Engineer | Synack Red Teamer | Writer | Learner, achiever & contributor