
What to Do When You’re Stuck

Published on 2024-10-11 20:33:53

When I got started in bug bounties, I often went days or weeks without finding a single vulnerability. My first-ever target was a social media site with a big scope. But after reporting my first CSRFs and IDORs, I soon ran out of ideas (and luck). I started checking for the same vulnerabilities over and over again, and trying out different automatic tools, to no avail.


I later found out I wasn’t alone; this type of bug slump is surprisingly common among new hackers. Let’s talk about how you can bounce back from frustration and improve your results when you get stuck.


Step 1: Take a Break!

First, take a break. Hacking is hard work. Unlike what they show in the movies, hunting for vulnerabilities is tedious and difficult. It requires patience, persistence, and an eye for detail, so it can be very mentally draining.


Before you keep hacking away, ask yourself: am I tired? A lack of inspiration could be your brain’s way of telling you it has reached its limits. In this case, your best course of action would be to rest it out. Go outside. Meet up with friends. Have some ice cream. Or stay inside. Make some tea. And read a good book.


There is more to life than SQL injections and XSS payloads. If you take a break from hacking, you’ll often find that you’re much more creative when you come back.


Step 2: Build Your Skill Set

Use your hacking slump as an opportunity to improve your skills. Hackers often get stuck because they get too comfortable with certain familiar techniques, and when those techniques don’t work anymore, they mistakenly assume there’s nothing left to try. Learning new skills will get you out of your comfort zone and strengthen your hacker skills for the future.


First, if you’re not already familiar with the basic hacking techniques, refer to testing guides and best practices to solidify your skills. For example, the Open Web Application Security Project (OWASP) has published testing guides for various asset types. You can find OWASP’s web and mobile testing guides at https://owasp.org/www-project-web-security-testing-guide/ and https://owasp.org/www-project-mobile-security-testing-guide/.


Learn a new hacking technique, whether it’s a new web exploitation technique, a new recon angle, or a different platform, such as Android. Focus on a specific skill you want to build, read about it, and apply it to the targets you’re hacking. Who knows? You might uncover a whole new way to approach the target application! You can also take this opportunity to catch up with what other hackers are doing by reading the many hacker blogs and write-up sites out there. Understanding other hackers’ approaches can provide you with a refreshing new perspective on engaging with your target.


Next, play Capture the Flags (CTFs). In these security competitions, players search for flags that prove that they’ve hacked into a system. CTFs are a great way to learn about new vulnerabilities. They’re also fun and often feature interesting new classes of vulnerabilities. Researchers are constantly discovering new kinds of exploit techniques, and staying on top of these techniques will ensure that you’re constantly finding bugs.


Step 3: Gain a Fresh Perspective

When you’re ready to hack live targets again, here are some tips to help you keep your momentum.


First, hacking on a single target can get boring, so diversify your targets instead of focusing on only one. I’ve always found it helpful to have a few targets to alternate between. When you’re getting tired of one application, switch to another, and come back to the first one later.


Second, make sure you’re looking for specific things in a target instead of wandering aimlessly, searching for anything. Make a list of the new skills you’ve learned and try them out. Look for a new kind of bug, or try out a new recon angle. Then, rinse and repeat until you find a suitable new workflow.


Finally, remember that hacking is not always about finding a single vulnerability but combining several weaknesses of an application into something critical. In this case, it’s helpful to specifically look for weird behavior instead of vulnerabilities. Then take note of these weird behaviors and weaknesses, and see if you can chain them into something worth reporting.

