First lets get one thing straight. You have two groups, the angels and the daemons, white hat and black hat, hackers and crackers. Keep in mind, that the angels, the guys who find security holes and report them (what a sweet angel) are sometimes perceived as a daemon! The world is full of digital users, but the majority of people are ignorant fools when it comes to cyber security. For this reason, never call yourself a hacker, but a “Security researcher” or “Pen tester” (google it). Remember, keep it legal, only search for vulnerabilities, never retrieve data, only show that you can do it and where they need to improve.
Three simple steps
To become a skilled hacker, you just need three simple steps. When you perform these steps, you’ll end up as a professional who has acquired enough knowledge to further investigate follow-up topics.
Step one: Programming
Websites, software, firewalls; everything is written in computer code. In order to understand security issues, it is useful to know how to program.
Start by learning HTML5 (html and JS), get to a level that you can build basic websites and then use “inspect element” in chrome to learn from existing websites.
When you know the basics of creating websites and scripting them, continue to the more advanced topics; AJAX calls fired (xhr), HTTP headers, cookies etc.
When you understand the total spectrum from web server (e.g. Node.js) to website you are ready to learn how to find weaknesses.
ProTip: If you are taking this serious and plan to be doing this for a longer period, I would suggest using a Linux dist. (e.g. Ubuntu). Try to use the terminal in Linux as much as possible (gradually learning it). Just don’t ask why, you’ll know when you SSH into a VPS in the future.
Step two: Learn from the best
This step is easy. While the previous step made you into a programmer and will get you a job. We now tell you where you can learn from the pro’s. They usually report the issue, give the company some time to fix it and then publish the results. However, just as Google does, when no action is performed, you should still show the world this issue. (e.g. Microsoft did not fix a security issue for months) A good example of how a security researcher reports an issue can be found here. Just like him, many researcher write blog posts about their findings. You find them on websites that have “bug bounty” lists or “whitehat” rules. Google and Github for example have a list of the most important bugs reported. Another website to look at is HackerOne. Just search for those security researchers and find their blogs and read them, you’ll learn a lot!
Step three: Weaknesses
You know how to code, you have read a hundred blog post of various researchers. Now you are ready to report some bugs! Just head over to plaintextoffenders.com where you will find website who need some guidance on their security.