June 29, 2026
Day 1 of Bug Hunting Learning: XSS Made Me Question Everything 😅
By Crazzzy_Sam
I've finally decided to document my bug hunting journey. Not because I'm an expert, but because I think it'll be interesting to look back a few months from now and see how much I've improved.
A little background first — I wouldn't call myself new to tech. I already have a decent understanding of Linux, networking, HTTP, web applications, and some security basics. I've also spent time learning how the web works instead of just running tools blindly.
But knowing the basics and actually finding vulnerabilities are two completely different things.
So today, I officially started learning XSS.
I used the PortSwigger Web Security Academy because literally everyone in bug bounty recommends it, and now I understand why.
My goal for today was simple:
- Reflected XSS
- Stored XSS
- DOM XSS
That's it. I thought I'd finish them quickly.
Yeah… that didn't happen.
Some labs took only a few minutes, and I felt like, "Okay, this isn't too bad."
Then the next lab completely destroyed my confidence.
I kept changing payloads, refreshing the page, reading the lab description again and again, opening DevTools, checking the source, trying different inputs… and still nothing worked.
At one point I genuinely thought, "Am I just overthinking this?"
Turns out… yes. Sometimes I was.
The DOM-based XSS labs especially confused me. Reading about DOM XSS and actually understanding where the source and sink are inside JavaScript are very different experiences. I had to slow down and actually understand what the page was doing instead of throwing random payloads at it.
The funny part is that when the payload finally worked, it felt amazing.
It's just a lab. It's just an alert box.
But after struggling for 30–40 minutes on a single challenge, seeing that popup somehow felt like winning something.
Then I opened the next lab… and got humbled again. 😂
I think that's what bug hunting is going to be like.
You'll feel smart for five minutes, then the next challenge reminds you how much you still have to learn.
Today's biggest takeaway wasn't a fancy payload or some secret trick.
It was patience.
I realized that bug hunting isn't about memorizing payloads from cheat sheets. It's about understanding how an application behaves, asking the right questions, and being willing to spend time figuring out why something doesn't work.
By the end of today, I completed the Reflected, Stored, and DOM XSS labs I had planned to do.
I'm happy with that.
Not because I've "mastered XSS" — far from it — but because I actually understood more than I did yesterday.
There's still a long list waiting for me.
Honestly, it's a little overwhelming, but that's also what makes it exciting.
This isn't about becoming a bug bounty hunter overnight. I'm more interested in building a solid foundation than rushing into private programs hoping to get lucky.
Let's see where this journey goes.
Hopefully, a few months from now, I'll come back to this post and laugh at how difficult I thought XSS was.
For now…
Day 1 completed. ✅