Introduction
For starters, TBHM is the Bug Hunter's Methodology taught by Jason Haddix. For over a decade he has been a rockstar in the bug bounty industry, and now he teaches his recon and hunting tips for a fee. Around two years ago he started a consultancy called "Arcanum Security" that specializes in training and security services.
Now if you are in the bug bounty or web hacking space, you must have heard the name "Zwink". He was at the top of the Bugcrowd leaderboard for quite some time, and he previously launched and taught his bug hunting methodology for free. Now the same guy, under the alias "Idorminator", has joined hands with Jason Haddix and made a course on broken access control. In this blog I will talk about my experience with the course.
I promise you that unlike other course reviews, this won't just be talk about the good, bad and fantastic parts of the course. You get to see how this impacted me and changed my point of view. And unlike most course reviews, I won't be asking you to buy the course. I really do understand the pain of coming from a middle class background, from a country where purchasing power is not equal; I truly get your pain. If you stay till the end, I will share a workaround, and how you could get the closest experience to this course and upskill yourself.
Lastly, special thanks to FC (@Freakyclown) for organizing a giveaway on X and giving me a chance to take the course. This course costs around $200, and you can get it using this URL
Course Contents
In the above image you can see the course contents. It has 10 sections, most of the videos are at least 30 minutes long and some are close to an hour, so you definitely get the most out of this course.
The best part of the course is that it starts from the core basics, and instead of confusing beginners by asking them to focus on rote memorising Linux commands for 3 months and then learn scripting for the next couple of months, Idorminator keeps things real. He shows that it is completely possible to hack from Windows. I love this original take, as most courses on YouTube and Udemy contain far fewer hacking videos and more general IT stuff. When they get to hacking, the whole tutorial is wrapped up in 5 to 12 minute videos on average. This sets up very bad and unrealistic expectations of hacking, and leaves the audience underprepared for real world hacking. Zwink / Idorminator keeps his content real and raw, which directly applies to the real world. As someone who started from 5 minute quick hacks and gimmicks, I really wish I had taken this as my first course. It would have saved a lot of time and effort.
Now don't get fooled by the beginner content and beginner topics. If you have been in this industry for long, you know people who use vim and tmux feel proud and call themselves real hackers. Annoying, right? Here Idorminator showcases cool tips and tricks within Notepad++ that you can use to edit multiple lines of text at once, and how you can format it all in Windows without touching a terminal. That's really cool, and he really breaks the norm that a hacker must live in the terminal. He sets an example that a hacker should be someone who is persistent and focused, not someone who is good at Linux.
Now if we move away from the introductory part, you will notice that he drops his wisdom here and there in his videos. I regret not taking this course earlier; he literally gives hints that something might be vulnerable: go ahead and look at this, this could potentially be a bug. Imagine how lucky the people are who took this course first and acted on his clues. I might be wrong, but I did feel that during the course he gives a lot of hints.
So far we have covered three good things about the course. The fourth one is his recon methodology. If you are a fan of TBHM from Jason Haddix, you know that there are around 18 recon steps, which is overwhelming for anyone new. On the flip side, if you google and use YouTube or Udemy, you will notice that people teach you to be literal script kiddies by just running tools; 99% of instructors won't even bother to teach you the nuances, the tool options, how to analyse and interpret the output, and where to go from there. This affected me and wasted years of my time, and trust me, improper learning is one sure recipe for disaster. It wastes years of time, and in the age of AI it will definitely put anyone at a disadvantage.
His recon methodology is very simple. If you take a look at the course contents, you will see. He shares his private scripts and methodology on Discord. And the best part is you get other hackers like XNL-H4CK3R sharing their private tips there too. Don't trust me? Have a look at the following screenshots yourself.
In his hunting strategy, he emphasises not missing even a single parameter. In the course he teaches a simple but effective method to find more similar parameters. For example, if I get an object ID, he shows where it came from, and how I can find more parameters like it using Burp without reading the application source code. Honestly this was a real game changer. Though I have not found any bug bounty yet, I found an access control bug during my work. Idorminator teaches us that understanding the application and having proper context is worth more than knowledge of bug bounty.
For most of the later videos he literally shows how to be persistent and not miss any parameter. I usually get tired of searching through all the requests, but he shows how to do this. You can see his enthusiasm throughout the entire class; he urges everyone to hunt more and not give up, and shows how to research and understand unknown things during a pentest by leveraging AI. He is real with this content and emphasises strongly that if one can't or does not want to do this work, maybe this is not their calling.
He sets an example that tinkering and tampering take you a long way, more than just knowledge. Idorminator shows how simple it is, and why exactly it's not easy and not for everyone. I got to learn a lot from his course and apply the same at my work. The most important takeaway, apart from the technical stuff, is the ability to focus on one thing. I can't admire enough the fact that he suggests focusing on one task, one tab. We have seen a lot of people flexing multiple open tabs, vibing to lofi beats or phonk during work. He does none of that. Pure sheer focus on one and only one tab. Certainly I am trying to implement the same (can't give up listening to Spotify during work though), but I have tried to limit my tabs to 10 or fewer. I can't say for sure that I have improved in my work, but I certainly feel more satisfied with my work, and I can see that some tasks are getting completed quicker. Certainly when it comes to hacking, sometimes less is more!
The workaround
If you have reached this point of the blog, I am sure you will be like "Okay mccleod, we get that this is an amazing course, it has cool tips and tricks, and you also get access to a community that shares more tips and tricks. What about people who can't get the course or missed the giveaway?" Don't worry, I hear you, and here is a workaround for that.
Be active and try your luck on every single giveaway on X, LinkedIn or any social platform.
Watch rs0n's videos on broken access control. He has made around 7-8 hours of video on broken access control testing that covers GraphQL as well. On top of that he made a video on using match and replace tips to hunt for IDOR. Links below:
(i) Access Control Part 1:
(ii) Access Control Part 2:
(iii) Access Control Part 3:
(iv) Match & Replace:
Honestly, IMHO just watching (i) and (iv) will give you a big kick start for hunting and understanding access control bugs. Please don't underestimate the amount of information shared just because it's on YouTube. This is an exception, and personally there is a lot for me to learn from rs0n's YouTube videos.
Conclusion
I really do wish this had been my first course on hacking. Even now I still get to learn a lot of new things, which seem simple on the surface but have real impact. Huge thanks to FC for sponsoring this course. For $200 you get access to knowledge from a bug bounty expert who has made a million for himself. On top of that you get access to a community of like minded people who share tools, tips and tricks. Even though the Discord chat was supposed to be about access control, you see people sharing tips, tricks and resources related to topics like GraphQL as well. For the course price you get access to the course content, the opportunity to connect with industry experts, ask doubts and get even more access to research, tools, tips and tricks.
I get that some people would still be like, why not do PortSwigger Web Academy? Great question, but a single resource does not click for everybody. PortSwigger Web Academy is by far the best, without any doubt, and yet I do believe that starting out with Web Academy is not for everyone. The learning curve is steep; even with writeups there are so many vulnerabilities that it would be overwhelming for anyone to start with, and I believe it's easier to learn one vulnerability at a time, in depth, from someone reputed in the industry. And this course by Idorminator is not just for beginners; even people who are familiar with the OWASP Top 10 and are good at CTFs should still consider this course. Got an interesting tip related to access control testing? Feel free to share it in the comments!