04-12-2025, 02:36 PM
Copying what other people do
What is methodology in the cyber world?
it represents the ways that people themselves have using path to, such as enumeration, exploitation and more.
Repeating bug bounty articles you see from infosecwriteup will only improve your vocabulary.
If you ask how to gain methodology, there is no shortcut. if everyone read articles for 10 minutes and hacked companies on their own, you would see me here leaking nsa.gov data.
all you need to do is, practical, practical, PRACTICAL
I have been in this sector for 4 years and I have spent half of it to have the methodology.
You learn by making mistakes. You improve by practicing.
Using tools for just using them
I notice that a lot of people, even hundreds of thousands of people, use programs like subfinder/amass just as it is. if you are a bug hunter you will understand what I mean.
There is no harm in using known tools, but if you don't use them neither by using api key, nor by giving the correct input file, nor by filtering, you will be sure that you will only do empty work.
Forcing yourself to use tools
when you see a company as a target, you don't necessarily have to take “all” of its subdomains. for example, let's say there is a company example.com. this company performs api requests through example-api.com and the company keeps user data on example-server.com. even if you find a subdomain on example.com that even god doesn't know about, your research will most likely be in vain. some terms like ASN come into play in this kind of scenario. if the company is under its own ASN, maybe you can find the domains that execute these server and api requests from there. then if you find the subdomains of these sites with both subfinder and brute force, you are more likely to find vulnerabilities in the company than in the first scenario. of course, this is not always the case. there is not necessarily such domains. it may be a different domain with a completely different name or they may be in AWS buckets. there are different types of vulnerabilities for them.
Not using your brain
This is one of the most important elements. For example, you have found a subdomain and this is the data-api.example.com and data-backend.example.com.
The first thing I see here will be a value like data-*. example.com. If I think like a developer, I think of it as a regular person. I use my brain and start to make fuzz. data-FUZZ.example.com with ffuf.
This is a great enumeration logic.
What can you suggest to others?
What is methodology in the cyber world?
it represents the ways that people themselves have using path to, such as enumeration, exploitation and more.
Repeating bug bounty articles you see from infosecwriteup will only improve your vocabulary.
If you ask how to gain methodology, there is no shortcut. if everyone read articles for 10 minutes and hacked companies on their own, you would see me here leaking nsa.gov data.
all you need to do is, practical, practical, PRACTICAL
I have been in this sector for 4 years and I have spent half of it to have the methodology.
You learn by making mistakes. You improve by practicing.
Using tools for just using them
I notice that a lot of people, even hundreds of thousands of people, use programs like subfinder/amass just as it is. if you are a bug hunter you will understand what I mean.
There is no harm in using known tools, but if you don't use them neither by using api key, nor by giving the correct input file, nor by filtering, you will be sure that you will only do empty work.
Forcing yourself to use tools
when you see a company as a target, you don't necessarily have to take “all” of its subdomains. for example, let's say there is a company example.com. this company performs api requests through example-api.com and the company keeps user data on example-server.com. even if you find a subdomain on example.com that even god doesn't know about, your research will most likely be in vain. some terms like ASN come into play in this kind of scenario. if the company is under its own ASN, maybe you can find the domains that execute these server and api requests from there. then if you find the subdomains of these sites with both subfinder and brute force, you are more likely to find vulnerabilities in the company than in the first scenario. of course, this is not always the case. there is not necessarily such domains. it may be a different domain with a completely different name or they may be in AWS buckets. there are different types of vulnerabilities for them.
Not using your brain
This is one of the most important elements. For example, you have found a subdomain and this is the data-api.example.com and data-backend.example.com.
The first thing I see here will be a value like data-*. example.com. If I think like a developer, I think of it as a regular person. I use my brain and start to make fuzz. data-FUZZ.example.com with ffuf.
This is a great enumeration logic.
What can you suggest to others?