I am Isira Adithya and I am a 17 years old researcher from Sri-Lanka.
Currently, Studying at Bandarawela Central College, Bandarawela.
How I got to Cyber Security
As a little kid back in the day, I was a heavy gamer with a 2GB ram. 😂
There are some missions that I cannot pass/finish without a mouse. Since I was using a Laptop, I had to use the touchpad to play games.
So, The solution was the
Cheat Engine. I think you all heard about that.
I hacked every single game with that, and even hacked some softwares too. It is a 👌 tool.
Then, We got a smart television to our home and It needs a Wi-Fi network to work.
I was so eager to hack into that just like in movies 😎.
Then, I installed Kali Linux without knowing anything about it and crashed my laptop too. (Whole Hard disk was corrupted 😅, and lost lots of our family photos. My father and mother was not happy about that still)
After, some googling I came across this
NMAP tool and I scanned the television via this. I found some open ports and decided to attack with XERXES. And, the Television was completely stuck and didn't responded back. I had to restart it. This is another win for me, I was able to turn off the television with my laptop whenever my brother and sister don't gave me the remote. 😈
Nothing for now. 😅
> Learning Materials
Tryhackme and Hackthebox
When It comes to my learning resources,
HackTheBox are some of the greatest teachers for me.
I addicted to CTF back in the day, It was so much fun for me.
Both platforms gave me a very entertaining experience while learning.
Make sure to try those platforms if you are a beginner in cyber security. (I think you already registered it. No need to introduce this. 😅)
I agree that these platforms are more into
penetration testing, but this knowledge will come in handy sometimes. 😉
So, Thanks a lot Tryhackme and Hackthebox.
Portswigger's Web Security Academy
This is so far the best resource to learn about web security in my opinion. 👌👌
This guides you with in-depth tutorials and it gives learning labs for free too.
Check out those too.
Theses are the youtube channels I follow,
- InsiderPHD - Very Well Detailed Presentations about various bug types and overall 👌 (She is the one who introduced me to Intigriti, I saw the sponser message every day and then gave it a try. 👌)
- PwnFunction - This guy will give you the most simplest explanation of any bug within 10 mins of his videos. I really like his presentation methods and the drawing. 👌
- Liveoverflow - Very Very deep explanations and very advanced topics about InfoSec (I used to watch his videos, even I don't understand a word back in the day)
- Bug Reports Explained - Explaining some of the most advanced bug reports on the info sec world with simplest way possible. I found his channel, When I was struggling to understand what is HTTP Request Smuggling
- Codingo - Super useful information from the manager of the triage team BugCrowd
- STÖK - More about Bug Bounty Life Style and other stuff.
- Nahamsec - Live Streams, Tutorials and Lot of useful things about Recon.
- Farah hawa - Some really cool tutorials. I learnt about graphql from this channel
- Intigriti's Hacker Tools and Hacker Heros - This is a upcoming channel, and It is featuring about hacking tools, and interviewing some great hackers.
- John Hammond - A Master when it comes to pentestng, I really like to watch his videos about CTF
- Hackerone - Hacktivity - Realworld bug reports by various hackers in the world.
- HackTricks - A Super useful Vulnerability Notebook
- Bug Bounty Tips by @gowsundar - Collection of bug bounty tips by top researchers.
- Bug Bounty Writeups - Pentester Labs - Very organized list of bug reports, useful when you need to read about a specific vulnerability.
- Zseano's Methodology - Methodology of a Legendary Researcher
- Intigriti - BugBytes NewsLetter - Intigriti will keep you updated with the latest news,tip,methods on the InfoSec commnity.
- Bug Reports explained Newsletter by @grexsunday - If you want some advanced and more intermediate resources, then this is a good newsletter.
2021/03/26- Found the solution to the Intigriti 0321 XSS Challenge
After, 5 days of trying, I found the solution. This was a crazy moment for me, This is the first time I ever came across the XSS
2021/03/29- I won the Intigriti 0321 XSS Challenge
After, found out that I won, I thought I am good at xss at least 😅. So, I watched every single youtube video about xss and I started reading through the Hackerone's Hacktivity about XSS
2021/04/06- Reported my first valid bug
I got my first private invitation in intigriti and I thought it is something very rarely happens and started digging into the web application. After about 3 days of trying came across reflected XSS. This time, I got paid 150 EUROS, It is about 35,000/- in our currency(Srilankan Rupees). It is the monthly income of my father and everyone in family was amazed about this. 😎
2021/04/11- Got Stored XSS on the same private program
I wasn't able to get XSS right away, So I reported HTML Injection and went to bed at late late night. Next, morning I decided to read about ASP WAF Bypass and Finally found a way to escalate the bug to XSS. That's why there is a bonus. 😊
2021/05/19- Registered to Hackerone, And started hunting there too
I was hunting only XSS at the time, I never tried to find any other vulnerability like CSRF,SSRF,RCE etc. Because of that, I wasn't able to find a single valid bug since 2021/04/11, after I started with hackerone, I started to learn more bugs via Portswigger's Web Security Academy.
2021/05/21 - 2021/06/10- Reported various bugs to Hackerone
2021/06/09- Found a High Severity bug on a big company
This was resolved within 7 hours, even before hackerone triage team reaches. This was a super exciting bug for me and this bug is not documented anywhere. Basically, I was able to takeover an subdomain in use.(Varnish Cache Server Misconfiguration)
2021/07/13- Got to the 5# in the Intigriti Last 30 days Leaderboard
How It Started - 2021/04/06
This is my old laptop with 2GB ram and 1.80Ghz i3 3rd gen
After, Getting first 2 bounties I got a new workstation
How It is going - -2021/07/15
This is a dream workstation for me, never imagined I would get to this.
Fails - (N/A, Out-of-scope)
My reports are not 100% perfect, I did some bad mistakes too.
But, Everyday, I learnt a lesson from that.
I reported stuff like,
- Click Jacking on Login Pages
- Denial Of Service while I was just blocked by the WAF 😅
- Self XSS
- XSS executed within a SandBox Domain. Always use
- CSRF on non sensitive actions like adding a product to a victim's cart.
If you have any questions regarding this blog post or anything,
feel free to contact me at,