Building a Bug Bounty Journey: Exploring Web Security with a Custom CMS


Nathan Vincent

So far in my learning journey, I’ve discovered just how fascinating and extensive this field is. Most lessons focus on a single part of a website, which is fantastic for targeted learning. However, I’m the kind of person who needs to fully understand how things work end-to-end. I wanted to go beyond replicating individual pages and see if I could create and test my own code in a more realistic environment. That’s when I decided to take it a step further: instead of focusing on isolated elements, I would build and test a fully functional website that mimics a real-world application. To add to the realism, I’ll also set it up to use DNS instead of IP addresses, creating a more complete and authentic testing experience.

I started by exploring WordPress to understand how it works. Out of the box, WordPress is a basic CMS, but its flexibility comes from plugins, themes, and various customizations that enable it to serve multiple use cases. This got me thinking: why not apply a similar approach to my own project? Every CMS requires core functionality like a login system, user registration, and user management.

For my project, I decided to begin by creating a universal admin area as the foundation of my custom CMS. This admin area will serve as the first module, providing essential management features. From there, I can expand by adding additional modules for specific tasks outside the admin area, such as a blog, an online shop, or other features. This modular approach will make the CMS both flexible and scalable for different use cases.

I also realized there was no point in building a secure system right out of the box. My goal was to create a system that reflects the common mistakes developers make when building such a platform. To achieve this, I teamed up with my new favorite assistant, ChatGPT, and together we designed a login system riddled with vulnerabilities. After some tinkering, we developed ZeroScorpion-CMS, a project intentionally containing a variety of security flaws such as SQL injection, XSS, IDOR, file upload RCE, LFI, and more.

Next, I had to figure out how to approach securing the system. I decided to create two versions of the site: dev.zeroscorpion.cms and the primary zeroscorpion.cms (both names are resolved by my own lab DNS, since .cms is not a public top-level domain). Both versions will start in the same vulnerable state. As I advance in my learning, I’ll work to secure the primary zeroscorpion.cms while leaving the dev version in its original, vulnerable state, so it doubles as a reference copy. This setup lets me reproduce a vulnerability on dev, implement the fix on the primary site, and then verify on both that the issue is actually resolved rather than merely hidden. It’s a practical way to learn, experiment, and track my progress in securing the CMS.

My CMS will follow a traditional PHP and MySQL stack. I chose this approach because I’m already familiar with PHP, having built small internal applications with it in the past. To clarify, I’m not a professional web developer but a System Administrator, and using PHP allows me to dive into bug bounty learning without investing significant time in mastering a new platform such as Node.js.

There’s an ongoing debate about PHP’s security: some claim it’s inherently vulnerable by design, while others argue that it’s poor coding practices that lead to vulnerabilities. I’m eager to put this debate to the test. PHP remains actively developed, widely used, and is the backbone of major CMS platforms like WordPress, Joomla, and others. So, how insecure can it really be? Let’s find out!

I’ve been researching advice from some of the top bug bounty hunters about what they wish they had known when they first started. A common theme is that many of them wish they had focused on mastering one subject at a time before moving on to the next. With that in mind, I’m adopting this approach for my own learning journey.

The first major topic I’ll dive into is SQL Injection. Why? Because it forms the foundation of my entire CMS — everything I’ve created interacts with the database. Understanding SQL Injection thoroughly will not only help me identify vulnerabilities but also teach me how to secure the very backbone of my application. It feels like the most logical starting point for this journey.
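To make the starting point concrete, here is an added illustration of the kind of login query a PHP/MySQL CMS gets wrong, beside the prepared-statement version that replaces it. This is example code written for this post, not code taken from ZeroScorpion-CMS; the table and column names (`users`, `username`, `password`, `password_hash`) and the `$db` connection are assumptions.

```php
<?php
declare(strict_types=1);

// Added example for this post; not code from ZeroScorpion-CMS. The table
// users(id, username, password, password_hash) and the mysqli connection $db
// are assumptions. Assumes the PHP 8.1+ default of mysqli throwing exceptions
// on errors (mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)).

// VULNERABLE: untrusted input is pasted into the SQL text, and the password
// is compared in plaintext inside the query. Submitting the username
//     admin' --
// turns the WHERE clause into   username = 'admin' --' AND password = '...'
// so the password check is commented out and the admin row is returned.
// The username   ' OR '1'='1   makes the clause true for every row instead.
function login_vulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$username' AND password = '$password' LIMIT 1";
    $result = $db->query($sql);
    $row = $result->fetch_assoc();   // null when no row matched
    return $row ?: null;
}

// FIXED: a prepared statement sends the query text and the bound value to
// MySQL separately, so user input is never parsed as SQL. The query looks the
// user up by name only; the password lives in PHP as a password_hash() digest
// and is checked with password_verify(), so there is no password comparison
// in the SQL for an injection to short-circuit.
function login_fixed(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);        // 's' = bind as a string value
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    // Unknown user and wrong password both end here, with no hint which.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);              // never hand the hash back
    return $row;
}
```

To try it against a lab copy, feed the form values straight through, e.g. `login_fixed($db, $_POST['username'] ?? '', $_POST['password'] ?? '')`, and submit `admin' --` as the username: the first function logs you in as admin without a password, the second treats the whole string as a literal username and finds nothing. The fixed version only works if the stored value was produced with `password_hash($password, PASSWORD_DEFAULT)` at registration time; escaping with `real_escape_string()` on the original query would not have been an equivalent fix, because it still leaves the plaintext password comparison in the SQL.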

I’ll be taking a two-pronged approach to documenting my journey. While the majority of the content will be available here on Medium, I’ll also be using ZeroScorpion.net to organize and provide additional information. On ZeroScorpion.net, I’ll arrange all my Medium posts into an easy-to-follow walkthrough, offering a structured and organized way to track my progress. For example, I’ll include things like a comprehensive list of all the pages in my CMS, which will be much easier to navigate than posting it solely on Medium.

There will be a mix of both free and paid content on Medium to help cover the costs of not only my time but also resources like maintaining ZeroScorpion.net and some paid training content. This approach ensures I can keep sharing valuable insights while supporting the work behind it.

I’ll primarily be using free resources like PortSwigger Academy to guide my learning, but I’ve also enrolled in several paid courses. I plan to share a list of the resources I use for each topic I cover. Platforms like HackTheBox and TryHackMe, along with other similar sites, will play a significant role in my journey.

I’m fortunate to have access to a licensed version of Burp Suite, which I’ll be using extensively alongside a variety of open-source tools. Additionally, I’ll be exploring scripting to enhance my workflows, and any scripts I create for specific tasks will be hosted on my GitHub for others to access and learn from.

I think I’ve covered everything except for my content release schedule. Since some subjects may take time to fully learn and master, I won’t be committing to a fixed posting schedule for bug bounty content at this stage. There will also be times when I’m focused on creating posts related to System Administration.

So, sit back and join me on this journey! I’ll be sharing both the successes and the mistakes I make along the way. Watch as this (almost 50-year-old) System Administrator takes on the challenge of learning some new tricks in the world of bug bounties.
