Help! I Can’t Find Bugs!
What to do when you are stuck hacking
When I first started hacking on bug bounty programs, I’d often go days or weeks without finding a single vulnerability.
My first ever target was a social media site with a huge scope. But after reporting my first CSRFs and IDORs, I was soon out of ideas and out of luck. So I started checking for the same vulnerabilities over and over again to no avail and trying out different automatic tools without any positive results.
I later found out that I was not alone in my struggle: this type of “bug slump” is surprisingly common among new hackers. Today, let’s talk about how you can bounce back from the frustration and improve your results when this happens to you.
Phase One: Take A Break!
First, take a break! Hacking is hard work. Unlike what they showed us in the movies, hacking is tedious and difficult. It requires patience, persistence and an eye for detail. And managing all that can be very mentally draining.
So before you continue hacking, it might be time to ask yourself: Am I tired? A lack of inspiration could be your brain’s way of telling you that it has reached its limits. In this case, your best course of action would be to rest it out!
Go outside. Meet up with friends. And have some ice cream.
Or stay inside. Make some tea. And read a good book. Cook. Take a nap.
There is more to life than SQL injections and XSS payloads. If you take a break from hacking, you’ll often find that you are much more creative and motivated when you come back.
Phase Two: Build Skills
I’ve found that the best way to make it through a hacking slump is to use this opportunity to improve my skills. As hackers, we often get stuck because we get too comfortable only using the techniques that we are familiar with. And when those techniques don’t work anymore, we mistakenly assume that there is nothing more to do.
Learning new skills is the best way to get yourself unstuck when hacking. And as a really nice bonus, you get to strengthen your hacker arsenal for future targets as well!
First, you can try to learn a new hacking technique that you find interesting. This could be a new web exploitation technique, a new recon angle, or hacking a different platform (like Android). Focus on a specific skill that you want to build, read about it, and apply it to the targets that you are hacking. Who knows, you might uncover a whole new way to approach the application!
You can also take this opportunity to catch up with what other hackers are doing. There are many interesting hacker blogs and writeup sites out there that you can read. Understanding their approaches can provide you with a refreshing new perspective on how to engage with your target.
New classes of vulnerabilities are also constantly being discovered, and staying on top of the newest techniques will ensure that you are constantly finding new bugs.
Here’s a curated list of some of my favorite writeups:
Lastly, I recommend playing CTFs! CTFs are really fun and they often feature interesting new classes of vulnerabilities. So take a break from live-target hacking and come play some CTFs! It gets your brain thinking in another way.
Phase Three: A Fresh New Perspective
When you are ready to jump back into hacking live targets, here are some tips that will provide you with a fresh new perspective.
First, don’t ever get bored with a target. Diversify your targets instead of focusing on only one. I’ve always found it helpful to have a few targets to alternate between. When you’ve been staring at one application for too long, switch to another!
Second, make sure that you are looking for specific things in a target instead of wandering aimlessly within a target searching for anything. Make a list of the new skills that you’ve learned, and try them out! Try looking for that new bug, or try out that new recon angle! Then, rinse and repeat until you find a suitable new workflow.
Finally, remember that hacking is not always about finding a single vulnerability, but combining several weaknesses of an application into something fatal. In this case, it is helpful to look for “weird behavior” instead of vulnerabilities. Then, take note of these weird spots and weaknesses, and see if you can chain them into something valuable.
Lastly, A Few Words of Experience
It’s difficult. It really is. When I first started hunting for bugs, I would go weeks or even months without finding a bug. And when I did find a bug, it would be something trivial and low severity.
The key to getting better at finding vulnerabilities is practice. If you are willing to put in the time and effort, your hacking skills will improve and you will soon see yourself on leaderboards and private invite lists!
If you ever get frustrated during this process, remember that everything will get easier after you find your first bug. Good luck. And reach out to the hacker community if you need any help.
Thanks for reading. Is there anything I missed? Feel free to let me know on Twitter: https://twitter.com/vickieli7.