@EdOverflow
Created May 22, 2020 13:10

Logical bugs require that you understand the app workflow as much as you can, and that can take days and even weeks. How do you stay motivated during that time and keep going even though you're not finding bugs?

It is true that logic flaws require a comprehensive understanding of the target application and service. Part of the reason why I can deal with the concern of not finding bugs is rooted in my mentality and approach to bug bounty hunting in general.

Anyone who has worked closely with me will be able to attest that I have a tendency to come and go when it comes to bug bounty hunting. One week I am hunting and then I am on „holiday“ for a few months. This is to ensure I do not burn out and it gives me the freedom to ponder on issues rather than get all wrapped up in a program.

Someone once referred to my approach as the „Veni, vidi, vici“ of bug bounty. Although I am no Julius Caesar (and I hope on your behalf you will never see me in a toga), it is true that for an outsider (a hacker I am collaborating with or possibly the triage team), I appear out of nowhere with a batch of reports and disappear again. This is particularly noticeable with logic flaws since I rarely need to be sat in front of my computer. Sometimes the weirdest ideas hit me out of nowhere. I sit down to test my idea and it ends up resulting in a valid report.

I like this approach because it gives me the freedom to be away from my computer screen while doing something I love: hacking. There are other personal reasons why I love this approach which I will not go into detail about here.

Now, of course, this will not work for everyone, but if there is something you might be able to take away from this, it is how important it is to take breaks as a bug bounty hunter. Take breaks and do not overwork yourself.

Something else I sometimes do is create an insurance of sorts. I submit an array of general findings to give me the freedom to experiment with logic flaws which consequently compensates for any dry spells I have.

Anecdotally, since I am writing about logic flaws, I recently took on the challenge to force myself to „hack“ on bug bounty programs using an iPad. Yes, you read that correctly: an iPad. Using an iPad forces me to distance myself from my tooling and focus on the target application as a whole. Experiment and see what works best for you.

@FatnassiFIras

Thanks for the answer, man. That's really helpful and informative; it made me think differently about logic flaws, especially the part where you said "iPad forces me to distance myself from my tooling". It made me really realize the true meaning of logic flaws.
