I’ve been reading books and doing courses on penetration testing and bug hunting for a while, but I find most of them point to CTFs as the place to practice a hands-on approach. I’ve been doing that but can’t help but notice a big difference between doing CTFs and real-world bug hunting. Only a handful of them are web apps (which I will be focusing on) and the vulnerabilities don’t seem “real” enough. Feels like I have all the pieces of the puzzle and the picture on the box, but I don’t know the methodology that people follow to complete them.
I know that I should just jump headfirst into HackerOne, but I would like to see someone actually working on a real bounty and try to get a feel for the process. As an example, I’m looking for something like a longer version of this (https://www.youtube.com/watch?v=y23l5P4-HAk).
Any tip on a book/video/course/etc. would be greatly appreciated, thanks in advance!