Start by learning the basics. If you don't know how to code, that's probably a good place to start. Learn about web applications and network protocols. Learn the basics of Linux and Windows system administration.
Read some books, e.g. The Web Application Hacker's Handbook [1], The Tangled Web [2], Nmap Network Scanning [3]. Study the OWASP wiki [4]. Familiarize yourself with the tools of the trade: Nmap, Burp Suite, Nessus, IDA Pro, ...
Learn to recognize strange and suspicious behaviors in applications. Learn to recognize implementations that are almost, but not quite, what they should be. To get good at this, you have to be familiar with the underlying technologies, frameworks, and best practices. Having experience in software development or system administration helps a lot.
Most importantly: hack. You really only learn by doing. There are plenty of opportunities to hack legally and ethically and even make some money doing it. Set up WebGoat [5] and go through the lessons. Get on HackerOne [6] and participate in bug bounty programs. Learn how to responsibly disclose issues to vendors.
And finally, get involved in the infosec community. Follow interesting people on Twitter. Attend local meetups. Go to conferences. Ask questions and help others to learn as well.
9 comments
[ 3.1 ms ] story [ 31.5 ms ] threadRead some books, e.g. The Web Application Hacker's Handbook [1], The Tangled Web [2], Nmap Network Scanning [3]. Study the OWASP wiki [4]. Familiarize yourself with the tools of the trade: Nmap, Burp Suite, Nessus, IDA Pro, ...
Learn to recognize strange and suspicious behaviors in applications. Learn to recognize implementations that are almost, but not quite, what they should be. To get good at this, you have to be familiar with the underlying technologies, frameworks, and best practices. Having experience in software development or system administration helps a lot.
Most importantly: hack. You really only learn by doing. There are plenty of opportunities to hack legally and ethically and even make some money doing it. Set up WebGoat [5] and go through the lessons. Get on HackerOne [6] and participate in bug bounty programs. Learn how to responsibly disclose issues to vendors.
And finally, get involved in the infosec community. Follow interesting people on Twitter. Attend local meetups. Go to conferences. Ask questions and help others to learn as well.
[1] http://mdsec.net/wahh/ [2] http://lcamtuf.coredump.cx/tangled/ [3] https://nmap.org/book/ [4] https://www.owasp.org/index.php/Main_Page [5] https://github.com/WebGoat/WebGoat [6] https://hackerone.com/