Hey everyone! Today, I am excited to share with you my insights into manual hacking. In this post, I will delve into hacking approaches, the reasons why I prefer manual hacking, discuss the mindset required for this approach and weigh its pros and cons. So, whether you are a seasoned hacker or just starting out, I hope you will find this post informative. Let's get started!
The automation approach is exactly what it sounds like. You code a script, build your own custom framework with some public and private templates, or buy someone else's. Get a list of domains that have bug bounty programs and vulnerability disclosure policies. Pipe all these domains into your automation framework, sit at your desk with a cup of coffee and enjoy glancing at critical, high and medium bugs on your screen. Then it's just a matter of reporting the bugs and enjoying the rewards! Well, today you can even automate reporting with APIs.
Sounds easy, right?
- Easy money: Yes
- High chance of duplicates, as most hackers use the same templates.
- Takes time to code and maintain these scripts as technologies change.
- Requires expensive high-performance servers.
The manual approach to hacking requires some elbow grease. In manual hacking, the goal is to explore all of the application's features and functionality. To achieve this, the hacker often proxies the HTTP traffic and manipulates the input within the HTTP traffic, searching for vulnerabilities that may have been missed by automated tools. Although manual hacking can be time-consuming, it provides a more thorough and personalized analysis that can yield valuable results.
Ahaa, this sounds like heavy manual labour. It actually is!
- Fewer chances of duplicates.
- No spending on servers.
- You, the browser and Burp Suite are enough.
- Sometimes it takes days to understand how the application works.
- Requires a lot of patience.
With so many bug bounty programs, private invitations arriving daily, college life, personal life and several other reasons you could give, I know it's not easy to stick to one program.
Ohh, OpenAI (ChatGPT) opened their program on Bugcrowd. Fuck Twitter, let's move to OpenAI now. This will not work with the manual approach. You would have to stick to one program. Make that one program your partner for months.
The programs have already been tested by other hackers manually and by automated tools. You have to explore every feature: 3 features, nothing; 4, nothing; 5, nothing; the 6th feature, you got something. That's how it works.
And it's not the same every time. It depends on the program and your approach. Sometimes it's like 8 bugs on Shopify in two days, completely manual, whereas sometimes it's 2 bugs on LinkedIn in 6 days. It depends on the program: the type? How many assets? Launch date?
A hacker needs these prerequisites when hacking manually:
- Patience: Manual testing requires a great deal of patience, attention to detail, and a willingness to dig deep into the application's code and functionality.
- Thoroughness: To be successful at manual testing, it's important to explore every nook and cranny of the application, examining each feature and function in detail.
- Creativity: Manual testing often requires creative thinking and the ability to approach problems from multiple angles in order to find vulnerabilities that automated tools may have missed.
- Persistence: Manual testing can be time-consuming and frustrating, but it's important to stay focused and persistent in order to identify as many vulnerabilities as possible.
- Curiosity: A curious mindset can be extremely helpful in manual testing, as it can lead to innovative approaches and techniques for discovering vulnerabilities.
- Empathy: It's also important to keep in mind the end-user experience while testing. Empathy towards the users can help identify issues that can't be detected by automated testing tools.
- Constant testing: The web is always evolving, and so is the technology used to build web applications. It's important to stay up-to-date on the latest developments in the field in order to be an effective manual tester.
Why do I love manual hacking?
There are several reasons why I love to hack manually:
- I am into the application completely. From the back end to the front end, I am fully immersed in every aspect of the application's code.
- I know where to input "hacky payloads" that may cause the application to behave in unusual ways, allowing me to uncover vulnerabilities that may have been missed by automated tools.
- Sometimes it takes time, but once you get a bug, the feeling is "I did something", because you have worked on this app for days to weeks, it took time to understand how the application works, and then you found the gold.
- I get fewer duplicates in comparison to automated hacking.
Which approach do I prefer?
I use a combination of manual and automated techniques. In general, I hack something like 70-80% manual and 20-30% automated. For automation, I take root domains -> pipe them into several tools using a bash script -> pipe the results into nuclei templates. I have coded some custom templates of my own as well.
It depends on the program's scope as well. If I am invited to an H1 challenge where there is so much wildcard scope, I may use a 50/50 mix of automation and manual testing.
If you ask me honestly, 6 out of 8 hours I use Burp Suite and the browser only.
I'm not opposed to any particular approach to hacking - it's a personal decision for each hacker. Some prefer a completely automated approach, while others prefer manual testing techniques. Personally, I prefer a mix of both. However, with new technologies emerging every day, it's important to stay up-to-date and regularly re-evaluate your strategies.
I may change my approach in the future as the field evolves. Ultimately, the key is to remain adaptable and open to new methods and techniques.
If you enjoyed reading this blog, please consider sharing it on Twitter or other social media channels. Don't forget to subscribe to our newsletter to stay updated on new blogs published by me and my team.
Author: Inderjeet Singh