July 13, 2026
I Spent 5 Days Looking for a Bug That Didn’t Exist: NASA
Until I Realized I Was Asking the Wrong Question.

By Vaibhav Kubade
2 min read
Day 1: I Couldn't Figure Out What I Was Testing
Whenever I start a new security engagement, I don't begin with payloads or scanners. The first few hours are always about understanding the target. What does the application do? Who uses it? What problem is it trying to solve?
Those questions are more important than they sound.
If I don't understand the application, I don't understand what's "normal." And if I don't know what's normal, it's very difficult to recognize what's abnormal.
This engagement gave me two applications and five days.
That was all I knew.
No walkthrough. No product demo. No documentation telling me what the applications were supposed to do. Just two URLs and a scope.
I started the way I usually do. Burp Suite was running, my terminal was open, and I began collecting information before touching the applications too much.
The first hour went into reconnaissance.
Google searches.
Trying to understand the organization.
Looking for documentation.
Searching for presentations, blogs or anything that explained the product.
Then I switched to the technical side.
I enumerated subdomains using Subfinder.
Checked which hosts were alive.
Fingerprinted the technologies.
Looked for forgotten assets.
Browsed a few common paths.
Nothing looked unusual.
That wasn't disappointing. Recon isn't supposed to magically hand you a vulnerability. It gives you context, and context is usually more valuable than a scanner telling you that a missing security header is "High Severity."
With a rough picture of the infrastructure in my head, I finally opened the applications.
That's when things became confusing.
Normally, after spending twenty or thirty minutes inside an application, I can explain its purpose to someone else.
"This is a customer portal."
"This is an admin dashboard."
"This is an inventory system."
I might not know every workflow, but I know what I'm looking at.
This time I couldn't.
I clicked every menu I could find.
Every tab.
Every button.
I created test data.
Deleted it.
Repeated workflows just to see whether I had missed something.
Burp quietly captured every request while I compared responses and looked for anything that stood out.
Nothing did.
The application wasn't leaking information.
It wasn't throwing stack traces.
There weren't any obvious authorization issues.
No endpoints looked out of place.
Everything behaved exactly the way I would expect a mature application to behave.
The strange part wasn't that I couldn't find a vulnerability.
The strange part was that I still didn't understand the product.
After a couple of hours, I caught myself asking the same question over and over.
"What does this thing actually do?"
That question bothered me more than not finding a bug.
Business logic vulnerabilities don't appear in isolation. They exist because a feature behaves differently from how it was intended. If I couldn't even explain the intended behaviour, how was I supposed to identify when something deviated from it?
So I went back to the beginning.
I replayed requests.
Compared parameters between users.
Opened the JavaScript files.
Looked for hidden endpoints.
Read whatever little documentation I could find.
Repeated the same workflows hoping I'd notice something I had overlooked the first time.
I didn't.
By the end of the day, nearly six hours had passed.
Burp's HTTP history was massive.
My shell history was full of recon commands.
I had a notebook filled with hostnames, technologies, endpoints and observations.
Yet if someone had walked up to me and asked, "So, what does this application actually do?" I wouldn't have had a good answer.
That was frustrating.
Not because I hadn't found a vulnerability. I wasn't expecting to find one on the first day.
It was frustrating because I didn't feel like I understood the target any better than I had that morning.
Looking back, I can see where my thinking started to drift.
Instead of accepting that I lacked context, I convinced myself that I simply hadn't enumerated enough.
Maybe there was another host.
Maybe another endpoint.
Maybe another JavaScript file.
Maybe another scanner would point me in the right direction.
So I made a plan for Day 2.
More reconnaissance.
More enumeration.
More tooling.
I went to bed thinking the answer was hidden somewhere in the application's attack surface.
I didn't realize that I wasn't missing an endpoint.
I was missing an understanding of the application itself.
To be continued……………..