Hackers question everything
I strongly believe that everyone has a hacker inside them and all they have to do is wake that person up. But waking up your inner hacker is not that easy - it takes a lot of practice, self-reflection and sometimes blatantly saying yes to things which are invitations to try the impossible. You can become a hacker by being naturally curious, questioning the world around you and how it works, and delving into new technology or anything that excites you, whether it's learning how something works or making a new invention entirely from scratch. Simply put: be open to trying new things and taking risks, because it will always push you towards interesting places and conversations on your path down the road of being a successful hacker!
Keep in mind that all websites, browsers, devices and software are coded by another human - a real human being with a name. Mistakes are made; we're only human. Each developer thinks differently, so some mistakes may be unavoidable, especially when they need to find the right balance between shipping something quickly and getting it done correctly. It's because of this process that bugs and security flaws arise, which is where the hacker can thrive.
Do I need a developer background to be a hacker?
A lot of people ask me, "Do I need a developer background to be a hacker?" and the answer is no, but it definitely does help. Having a basic understanding of how websites work with HTML, JavaScript and CSS can aid you when creating proof of concepts or finding bypasses. You can easily play with HTML & JavaScript on sites such as jsfiddle.net and jsbin.com. As well as a basic understanding of those, I also advise people not to overcomplicate things when starting out. Websites have been coded to do a specific function, such as logging in or commenting on a post. As explained earlier, a developer has coded this, so you start questioning: "What did they consider when setting this up, and can I maybe find a vulnerability here?" Can you comment with basic HTML such as? Where is it reflected on the page? Can I input XSS in my name? Does it make any requests to an /api/ endpoint, which may contain more interesting endpoints? Can I edit this post - maybe there's an IDOR?! And from there, deep down the rabbit hole you go. You naturally want to know more about this website and how it works, and suddenly the hacker inside you wakes up.
If you have no developer experience at all then do not worry. I recommend you check through github.com/swisskyrepo/PayloadsAllTheThings and try to get an understanding of the payloads provided. Understand what they are trying to achieve, for example, is it an XSS payload with some exotic characters to bypass a filter? Why & how did a hacker come up with this? What does it do? Why did they need to come up with this payload? Now combine this with playing with basic HTML.
As well as that, simply get your head around the fact that code typically takes a parameter (either POST or GET, JSON POST data, etc.), reads the value and then executes code. As simple as that. A lot of researchers will brute force for common parameters that aren't found on the page, as sometimes you can get lucky when guessing parameters and finding weird functionality. For example, you see this in the request: /comment.php?act=post&comment=Hey!&name=Sean - but the code also takes an "&img=" parameter which isn't referenced anywhere on the website, and which may lead to SSRF or stored XSS (since it isn't referenced, it may be a beta/unused feature with less 'protection'). Be curious and just try; you can't be wrong. The worst that can happen is the parameter does nothing.
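The "read a parameter, then act on it" pattern from the request above, as an added example that is not code from the original post: a Python model of a /comment.php-style handler that also honours an unreferenced img parameter, shown first as the fragile version and then hardened (escaped reflection, allowlisted image host). The hostnames, the allowlist and the fetch stub are constructed assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed model of a /comment.php-style endpoint: an "act" switch, the
# documented comment/name parameters, and an undocumented "img" parameter
# that nothing in the UI references. All names here are assumptions.

ALLOWED_IMAGE_HOSTS = {"cdn.example.test"}  # assumed allowlist for the hardened version


def handle_comment_vulnerable(query: str, fetch) -> dict:
    """Reads every parameter it is given and acts on it without validation."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if p.get("act") != "post":
        return {"error": "unknown action"}
    # name/comment are stored and reflected raw: stored XSS
    out = {"comment": p.get("comment", ""), "name": p.get("name", "")}
    if "img" in p:
        # the hidden parameter is fetched server-side from any URL: SSRF
        out["img_bytes"] = fetch(p["img"])
    return out


def handle_comment_hardened(query: str, fetch) -> dict:
    """Same behaviour, but output is escaped and img is host-restricted."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if p.get("act") != "post":
        return {"error": "unknown action"}
    out = {"comment": html.escape(p.get("comment", "")),
           "name": html.escape(p.get("name", ""))}
    if "img" in p:
        u = urlsplit(p["img"])
        if u.scheme != "https" or u.hostname not in ALLOWED_IMAGE_HOSTS:
            return {"error": "image host not allowed"}
        out["img_bytes"] = fetch(p["img"])
    return out


def fake_fetch(url: str) -> bytes:
    # Stand-in for an HTTP client so the example runs offline.
    return f"fetched:{url}".encode()
```

Feeding the same request to both handlers shows the difference the hidden parameter makes: the first version fetches whatever URL img names, the second refuses anything outside the allowlist.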
What process does a Hacker follow?
While you might think that a hacker does whatever he/she wants, professional hackers and penetration testers generally follow an established process to understand and exploit their targets. This ensures consistency in how assessments are performed throughout the industry, and it is the methodology that drives assessments.