When I got kicked out of college for my hack (rm https://news.ycombinator.com/item?id=5090007), all I did was spam URLs with different IDs and test if they returned 200 or 404. And bam: press coverage + job offers. Sometimes the simplest of stuff can lead to nirvana.
I'm no longer in security since it was getting very addictive (I would start testing every website I'd visit for vulns). I had to change, and decided to jump into the startup world.
You don't have to choose one of them. I was in a similar position about 6 years ago: a software + security background and a passion for startups, which led me to start my own company (https://www.netsparker.com/). We're building a tool to automate web app security and advance automated scanning of web apps; it's really fun stuff if you are into security.
The security industry is great for startups and newcomers; another option is obviously working for a security startup, and there are tons of them.
That's a pretty bad idea if you don't have permission from the owners of the site.
Yes, there is a reason why bounty programs exist: they make it plain that testing is 'ok'. In the absence of a bounty program or a relationship with the company you can't claim that you 'don't mean harm' and that your tests would never break the software or the network. It's going to be lumped in with actual attacks.
I've found a disturbing number of SQL injection and XSS attacks like this, just messing around on obscure sites.
I run a small business and have noticed our customers try to do the same sometimes; their user ID is visible in the URL at some points. I see the error logs saying they tried to load something they didn't have permission for at least a few times a month.
Do you think there's a serious legal risk here, assuming I don't perform any bad queries on the DB but just see an error message from it and assuming I don't give anyone an XSS'd link, just from plain toying with URLs?
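The error-log pattern described above (authenticated users requesting resources that belong to other accounts, a few times a month) turned into a small detector, as an added example; it is not code from this thread or from any product mentioned in it. The log format, user names and invoice paths are constructed, and the threshold and time window are assumptions a site would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): an application log
# that records a 403 whenever a logged-in user requests another account's
# resource and a 404 when the id does not exist. Format: time, user, method, path, status.
SAMPLE_LOG = """\
2013-01-21T10:00:01 user=alice GET /invoices/1001 403
2013-01-21T10:00:02 user=alice GET /invoices/1002 403
2013-01-21T10:00:03 user=alice GET /invoices/1003 403
2013-01-21T10:00:04 user=alice GET /invoices/1004 404
2013-01-21T10:00:05 user=alice GET /invoices/1005 403
2013-01-21T10:00:06 user=alice GET /invoices/1006 403
2013-01-21T10:15:00 user=bob GET /invoices/2001 200
2013-01-21T10:15:30 user=bob GET /invoices/2002 403
2013-01-21T11:00:00 user=carol GET /invoices/3001 403
2013-01-21T11:30:00 user=carol GET /invoices/3002 403
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) \S+ /invoices/(\d+) (\d{3})$")

def parse(log_text):
    """Yield (timestamp, user, invoice_id, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            yield ts, m.group(2), int(m.group(3)), int(m.group(4))

def find_id_probing(log_text, threshold=5, window_seconds=300):
    """Return {user: n} for users whose rejected (403/404) requests hit at least
    `threshold` distinct invoice ids inside any sliding window of `window_seconds`.
    Many distinct rejected ids in a short span separates URL probing from the
    occasional mistyped or stale link of an ordinary user (assumed heuristic)."""
    attempts = defaultdict(list)
    for ts, user, inv_id, status in parse(log_text):
        if status in (403, 404):
            attempts[user].append((ts, inv_id))
    flagged = {}
    for user, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {inv for _, inv in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged
```

On the constructed log, only alice is flagged (six distinct rejected ids within five seconds); bob's single 403 and carol's two rejections half an hour apart stay below the default threshold.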
All of a sudden every user on the site is getting alert popups.
A lot of these sites can calculate down to the second and the dollar how much they lose if their site goes down. Guess who's liable if the cause of that downtime is you?
But that's criminal law. That's a real concern, but the bigger concern is tort law. If you blow up someone's site by getting an XSS input cached and replayed to all its users (or, heck, even if you just cause an alarm that they have to spend money responding to), you are going to be liable.