Manual vs Automation ?Posted by Anthony on April 25, 2021 at 1:10 pm
Hello everyone I have a question that has been puzzling through my head for months and months in my search for a bug. There is always this debate within the community whether you’re a script kiddie or a seasoned hacker. The best hackers in the world take pride in hunting manually with the use of automation as a last resort. While script kiddies are looked down upon relying on tools to hunt for bugs and so on.
AdministratorApril 27, 2021 at 10:40 pm
I would actually disagree with this to some degree:
“The best hackers in the world take pride in hunting manually with the use of automation as a last resort”
One of the top hunters on HackerOne (aka todayisnew) who’s earned $1m+ in bounties so far is known for his use and reliance on automation. The thing is, when you’re doing that sort of bug bounty hunting, one strategy is to look at it as a numbers game. Yes, finding a $10,000 critical vulnerability would be AMAZING. But wouldn’t it be just as amazing to find 40 $250 bugs while you sleep from automation? Tools can be great enhancers that work with/for you, not necessarily a last resort.
The reason why I think people say what you wrote is that beginners do tend to rely heavily on tools at the expense of learning. After all, it can be much easier to type in a simple command that is well documented than to manually try to find something. Except, a lot of times, relying on tools like that doesn’t teach you how it really works. For example, let’s say that you need to be able to bypass a WAF. You go to Google and search for “WAF bypass tool github” and you download the tool to run it. The tool comes back empty and can’t find a way to bypass the WAF for whatever reason. You shake your head and either try a different tool or declare that the application is un-hackable and move on to the next.
Except maybe the WAF bypass tool you were using hasn’t been updated in 4 years. Or maybe you didn’t use it properly. Maybe you can’t use them in the environment you have access to. Or whatever the reason is, sometimes you need to be able to roll up your sleeves and do things the hard way in order to find a bypass, or at the very least, confirm that you’re not able to find a successful bypass when talking to your client. Except, because you’ve relied on tools exclusively to do this in the past, you don’t have a clue how to even approach this manually.
Another relevant example…I’m bug hunting some GraphQL endpoints right now, and I tried using a tool but it kept erroring out on me. I haven’t figured out why it errors out yet, but I’m not going to let that prevent me from manually going after the endpoints. I could have thrown my hands up in the air and blamed the author of that tool instead, but that’s not a winning strategy. You have to be able to persist, especially when things don’t work your way.
TL;DR: I believe both have a place. Don’t let naysayers get in your head and make you feel bad for using tools. But don’t rely exclusively on tools to get the job done either.
All of this is just my opinion in a sea of other opinions on the subject, so I’d love to hear other viewpoints from the community!
MemberApril 28, 2021 at 12:59 pm
Damn you have so much wisdom after 11 months of failure i do believe i have found a real community that could help me find my first bug. Yes i need to stop letting these people get into my head and making me second guess myself and abilities. There were times i was upset at whatever tool i used for not being updated or not finding anything. I know this is going to take time and persistence and not let those people tell me that all vulnerabilities have been found and machine learning and other AI. Either way thank i will continue to use your courses as references and if there is updates i will be there.
- This reply was modified 2 years, 5 months ago by Anthony.
MemberApril 28, 2021 at 2:40 pm
I don’t see how using automation or not can be an indicator of an individual’s hacking skills or knowledge as long as the individual understands the logic and concepts behind these tools whether it’s a publicly available tool or a self-made automation script.
Bug hunting is something many folks do in their spare time or in addition to their regular job, school, or family activities and automation is a great way to aid in those efforts.
Additionally, @christophe brought up a great point about automation helping to make bug bounty a fiscally responsible activity. Often times payouts come months after a bug is found and reported so finding multiple low paid bounties can be a more financially sustainable way to protect cash flow vs a big payout every few months.
As someone new to this industry I see phrases like “Real hackers don’t use Kali Linux” or “Real hackers don’t use automation” as gatekeeping and discouraging.
UItimate the best hackers are the ones that help make the world a safer place while protecting personal information and in some cases preventing the loss of lifes regardless of what tools they use to accomplish that.
- This reply was modified 2 years, 5 months ago by Juan.
MemberApril 28, 2021 at 4:28 pm
Personally I think you’re a scriptkiddy if you’re running a tool mindlessly rather than taking the time to learn how it works, as in my case I use tools that I didn’t write as they do alot of a better job then what my spagetti code could do. 😀
Responding to the “best” hackers do it manual, not all of them do as Christophe said, Todayisnew he’s a great hacker and his use of automation is amazing.
MemberApril 29, 2021 at 12:09 pm
I dont go mindlessly i am training with these tools to make sure i know what i am doing before i use them.
AdministratorApril 28, 2021 at 6:53 pm
Ironically, I’ve seen the “Real hackers don’t use Kali Linux” that @jfernandez mentioned and I’ve seen the exact opposite said too! I’ve seen answers on StackOverflow say “You have no business using Kali unless you already know what you’re doing.” So according to this, nobody should ever use Kali
Also @Bludger the cool thing with you is that you’re even building some of your own tools. Yeah, they may not be as advanced as some of the other tools out there, but you’re learning a s*** ton by doing that, so keep it up
Log in to reply.