Hey hackers! This is the first post of a series on the topic of how to think out of the box.

When I was preparing the Bug Hunter podcast Ep. 4 on this same topic, I wanted to include advice from different bug hunters. So I asked several hackers these 3 specific questions:

How to find bugs that are not duplicates?

How to find new areas of research (like in @securinti’s last blog post or what James Kettle does)?

How to find logic bugs or bugs that don’t fall under any category, can’t be found with tools or require real thinking?

@zseano was one of the hackers I reached out to, and he was kind enough to respond with awesome advice!

Here is his response:

How to find bugs that are not duplicates?

I think even if you do find a dupe, don’t get discouraged. It happens to everyone, and instead you should ask yourself: “okay, does this type of behaviour exist elsewhere? Are they re-using the same parameters throughout?”. A dupe means a valid bug was found, which is good; the only downside is that someone got to it first.

Next, ask yourself what type of bugs you are looking for. If you’re just placing <script>alert(0) into the search and hoping it executes, chances are a lot of other people also tried that! :) Set yourself a goal as to what it is you want to find and look at, and focus on that. Try and think of as many different angles as possible: mobile, different browsers, different countries, etc. :)

How to find new areas of research (like in @securinti’s last blog post or what James Kettle does)?

I think this just comes with experience of testing and from seeing various different things when testing. The more you hack, the more you start trying random things to see what it does. Being curious is good.. :)

Understand the application you are testing and what its purpose is, and then start to think of ways to exploit this.

The best advice for finding bugs I can give someone is to install the mobile app, visit their website, and literally just start clicking and monitoring what is going on.

I recently found stored XSS on a very well-known public program from simply installing their mobile app; upon opening, it sent a request to generate a login URL. One parameter it took was “nextUrl”, so I simply entered javascript:alert(0)"><svg/onload=alert(0)> and upon visiting the generated URL my XSS executed (automatically, and it would have executed when the user clicks login).

I was shocked no one else found this, but then I realised everyone was just using scanners to scan for subdomains to look for bugs and not actually testing things manually.

I also think a lot of people turn on Burp after opening the app. On first run a lot of apps will make requests once, and once only. You don’t want to miss that request.. :)
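The “nextUrl” bug above boils down to a login-URL generator that trusts a caller-supplied return URL. As an added illustration (not code from zseano’s post or from any real program), here is that generator in the unsafe shape described, next to a hardened version that only accepts a same-origin path and encodes it before it reaches a query string or an href. The origin, paths and helper names are assumed.

```javascript
// Constructed example: a login-URL builder that accepts a "nextUrl" parameter.
// ORIGIN and the paths below are assumptions, not values from any real program.
const ORIGIN = "https://app.example.com";
const DEFAULT_NEXT = "/";

// Unsafe shape: the parameter is concatenated as-is. When the login page later
// drops it into an href, a javascript: URI or injected HTML executes.
function buildLoginUrlUnsafe(nextUrl) {
  return `${ORIGIN}/login?nextUrl=${nextUrl}`;
}

// Hardened: accept only a same-origin path. Reject anything that does not
// start with a single "/", resolve it against our origin (so "/\evil.com" style
// inputs, which WHATWG parsing treats as an authority, fail the origin check),
// and return only path + query with no fragment.
function safeNextPath(nextUrl) {
  if (typeof nextUrl !== "string" || !nextUrl.startsWith("/") || nextUrl.startsWith("//")) {
    return DEFAULT_NEXT;
  }
  let parsed;
  try {
    parsed = new URL(nextUrl, ORIGIN);
  } catch {
    return DEFAULT_NEXT;
  }
  if (parsed.origin !== ORIGIN) return DEFAULT_NEXT;
  return parsed.pathname + parsed.search;
}

// Generator side: the validated path is percent-encoded into the query string.
function buildLoginUrl(nextUrl) {
  return `${ORIGIN}/login?nextUrl=${encodeURIComponent(safeNextPath(nextUrl))}`;
}

// Consumer side (the login page after auth): the validated path is HTML-escaped
// before it becomes an href, so neither a scheme nor markup can reach the DOM.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderContinueLink(nextUrl) {
  return `<a href="${escapeHtml(safeNextPath(nextUrl))}">Continue</a>`;
}
```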

Thank you so much @zseano for this advice and for sharing your knowledge!

If you want to be notified when new articles, newsletters and podcasts are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…