First bug felt like magic.

I was clicking around a subdomain, typed a random parameter, and boom – reflected XSS. My heart actually raced. I screenshotted everything. Told two friends who didn't care. Felt like a god.

Then came the drought.

Two weeks of nothing. Burp Suite open every night. Same tabs. Same tests. Same feeling of staring at a website that knew something I didn't.

If you've been there, you know the voice. "First bug was luck. You don't actually know anything."

Here's what got me out of it.

---

The Mistake I Was Making

I kept testing the same places. Login forms. Search bars. Profile updates. The OWASP top 10 checklist I had memorized.

But here's the thing – every new hunter tests those. So every program gets 500 reports for the same basic bugs. The easy ones get fixed fast. The rest are either not vulnerable or already found.

I was basically hunting in a field that had already been picked clean.

---

What I Changed (And It Actually Worked)

I stopped asking "what should I test?" and started asking "what are people not testing?"

Here's exactly what I did differently.

First – I stopped looking at the main app entirely.

Every public program has been hammered on the main domain. So I spent a full day just finding every subdomain, old endpoint, and forgotten server I could. Used Chaos Project, SecurityTrails, and plain old Google dorks.

Found a subdomain called backup-old.company.com that hadn't been touched in years. It had a directory listing open with config files. Nothing critical. But it taught me something – the good stuff hides where nobody bothers to look.

Second – I stopped testing features and started testing the spaces between them.

Password reset works? Cool. What happens if you start reset, then login from another tab, then complete reset? What happens if you request reset twice? What happens if you use an old reset link after changing your password?

These aren't in any checklist. I had to think like someone trying to break a toaster by pressing the button in the wrong order.

Third – I kept a "failure log."

Every night I wrote one sentence about what didn't work. Not to punish myself. To see patterns.

After 5 days I noticed something – I kept testing the same 3 endpoints over and over. I wasn't exploring. I was stuck in a loop. Seeing it written down made me so annoyed I forced myself to try completely new things.

---

The Bug That Broke The Drought

Day 15. I was testing a password reset flow on a site I'd ignored before because it looked "too simple."

Normal flow: Enter email → Receive link → Click link → Set new password.

I tried something random. Requested reset on my account. Then before clicking the link, I requested reset again on the same account. Then I clicked the first link.

It worked. Both tokens were valid. That shouldn't happen. Most sites invalidate the old token when you request a new one.

I spent another hour testing. Turns out, the site kept all reset tokens active for 30 minutes. And the token was just a base64 encoded email. I could generate valid tokens for any user if I knew their email.

That was a $1500 bug. Not because it was complex. Because no one had bothered to test the second request.
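As an added defender-side example (my own code, not from the post or the program involved), here is a small Python reset-token store that closes the weaknesses described above: a new request revokes the earlier token, the token is random rather than an encoding of the email, and it stops working on use, on expiry, and after a password change. Class and function names are assumptions of mine.

```python
import hashlib
import secrets
import time

# Constructed example: a reset-token store without the defects the post describes.
RESET_TTL_SECONDS = 30 * 60  # the post's 30-minute window, kept as the lifetime


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not hand out live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._by_hash = {}       # token digest -> (email, expiry timestamp)
        self._by_email = {}      # email -> digest of the one currently valid token

    def request_reset(self, email: str) -> str:
        """Issue a fresh token; any earlier token for this account is revoked."""
        self.revoke(email)                   # the "second request" now kills the first link
        token = secrets.token_urlsafe(32)    # 256 random bits; carries no email, not guessable
        d = _digest(token)
        self._by_hash[d] = (email, self._now() + RESET_TTL_SECONDS)
        self._by_email[email] = d
        return token                         # goes to the mailbox; never stored in clear

    def revoke(self, email: str) -> None:
        """Also call this after any password change so stale links stop working."""
        d = self._by_email.pop(email, None)
        if d is not None:
            self._by_hash.pop(d, None)

    def complete_reset(self, token: str):
        """Return the account email if the token is valid, else None. Single use."""
        # Lookup is by hash of a random token, so a timing difference on the dict
        # key compare cannot be turned back into the token itself.
        rec = self._by_hash.get(_digest(token))
        if rec is None:
            return None
        email, expiry = rec
        self.revoke(email)                   # consumed on first use, valid or not
        if self._now() > expiry:
            return None
        return email
```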

---

What I Learned From Two Weeks of Nothing

The drought wasn't a waste. It taught me something no tutorial could.

You don't get better by finding bugs. You get better by being confused, trying stuff that fails, and noticing why it failed.

Every dead end teaches you how the app thinks. Every "no" narrows down where the "yes" might be.

The hunters who last aren't the ones who find bugs every day. They're the ones who don't quit when they don't.

---

If this hit home, clap and follow. Tomorrow I'm breaking down the exact subdomain discovery method I use – including the Google dorks that still work in 2026.

I'm new to blogging so if you find anything in my blog that can be improved please comment.