My Barker Experience
My name is Martin, with the Barker nickname “bongo”, and I am a kind of seasoned Cyber Security Consultant. I started in IT Networking back in 1997, did my Cisco CCIE in 2004 and my CISSP in 2020, and worked in defensive security for many years (Firewalls, VPNs, IDS/IPS, hardening etc.) before I started in offensive security and pen testing around 2007.
I took my first Offensive Security course back in 2007, but only did my OSCP in 2015. I ran my own successful Penetration Testing company from 2009, which I sold in 2018, and then I became a technical consultant again.
Things have changed dramatically in terms of technology throughout my career. The first LAN I set up was Win NT 4.0, and I configured old Cisco 1600 routers to enable ISDN BRI Internet access. And today we have Docker, Kubernetes, Microservices, Cloud, APIs, Blockchain and what not.
Now back to Barker.
What brought me to Barker in the first place?
Brushing up my Web Application hacking skills. I have been doing Infrastructure Pentesting for years, along with standard OWASP Top 10 Web App Testing. However, the whole bug bounty hunting scene and finding things Pentests don’t easily reveal always fascinated me.
I went through PortSwigger’s Academy and the Hacker 101 challenges, and watched “Stök’s” YouTube channel. This is also where I first heard the name “Zseano”. I was looking for a realistic Web Application which reflects the real world with real bugs. The CTFs are all good and nice, but you always know that there is a vulnerability, and sometimes it even tells you what to look out for. In a real Pentest or during a bug hunting spree you don’t have that luxury.
I signed up to bugbountyhunter.com for the lifetime membership. What really drew my attention to it is the fact that it’s a real-world application rather than a CTF, but also the methodology from Zseano. It takes a hell of a lot of effort to summarize what’s really important in 47 pages. This is a masterpiece in my opinion. I have read countless books (500+ pages), and by the time you finish them, you have forgotten the first chapters again. Information overload instead of a clear, easy-to-follow method.
OK. I signed up to the platform, got my welcome mail and immediately liked the Discord channels. So much info, different topics and super helpful members helping each other out. This is not common, as you surely know. Often “noob” questions are ignored on other platforms – not on Barker. Any question goes. If you don’t know anything about X, people will help you and send you links etc.
My wife and I are dog lovers! We have 6 dogs ourselves. What could be better to sharpen your skills than hacking on a Social Media platform like Barker if you love dogs yourself!!
Some of the tasks on Barker are straightforward and stand out right away. Other things require you to spend days and days to exploit them. You will re-read the guides on the website and the methodology again and again. You will find that 90% is there for you. You just need to use it.
If you apply semi-automated, time-driven Pentest frameworks to Barker (which I did to start with), you will uncover around 40 – 50 bugs. However, there are close to 150 bugs now, and the others require a lot of thinking and manual exploitation. This is what makes Barker so exciting, real-world and addictive at the same time. I am currently at 119 unique bugs, still missing 29 bugs! I know a few endpoints where I feel there is something…
I am currently contracting for a big tech company where part of my day job is also application pen testing. So far, I have found a total of 9 critical / high ones by re-applying the same methods taught by Zseano which I used on Barker: Authorization, Information Disclosure, Business Logic and API-related issues, along with seriously twisted XSSs (something a scanner would not have the logic to find).
Barker is unique. With PortSwigger you eventually look up the solution if you are stuck and move on. With Barker you can’t do that. You can get a hint from Zseano or anyone else, but you will spend hours and days on, say, trying to exploit an SSRF until you actually find a unique bypass. These things stick in your head and in my opinion are so much more valuable than reading a book and running through hand-holding, step-by-step labs.
Zseano organizes “hacking events” as well where anyone who is Level 2 (25+ bugs) can join and hack. There are also real hacking events where a whole team hacks against a real target. I haven’t participated in either yet, but certainly plan to do so in the future.
Now for improvement suggestions. These are just nice-to-haves.
It would be great to see mobile apps (not just mobile browsing) at some point, like an Android and/or iOS app.
Adding new technology and bugs. Barker has tons already, but things like web cache poisoning, OAuth 2.0, insecure deserialization and a few others from PortSwigger would be great to have.
Also, there should be a feature offering stronger hints for some of the bugs. Once you have spent something like 80 hours trying to exploit one single thing and you can’t make it work, you should have access to stronger hints or even the solution. That specific bug should then no longer count towards the ranking, but there are a lot of hunters who just struggle on a few things, and they should be given a solution so they can learn.
Lastly, it would be great if the specific bug information from the website could be merged with the methodology book to have everything in one place. For example, certain XSS techniques are mentioned on the website only but not in the book, and vice versa.
Overall, I can honestly say that this is probably the best investment I have made when it comes to acquiring more hacking skills. OffSec only gives you 90 days of access to the labs; Barker is online 24/7 and new bugs are introduced all the time. I took a break for 3 months due to work and other commitments, but then you just come back, fire up your instances and you are hooked again.