MrX posted an update 6 months, 2 weeks ago
Hey everyone,
Quick question.
What was the most confusing thing for you when you started bug hunting?
Could be recon, finding your first bug, understanding reports, tools, scopes… anything.
Or if you’re still new, what’s confusing you right now?
Drop it in the replies. No judging here.
If you’ve been doing this for a while, feel free to help others out. Let’s keep it real and help each other grow.

People usually say “automation is useless” and beginners take it as “never use scanners”. That’s not true. Automation is bad only when you blindly trust it.
Tools like Burp scanner or nuclei are actually helpful for covering a large surface. You can’t manually test every single parameter for XSS or SQLi, it’s not practical. Let scanners handle that part.
At the same time, scanners won’t find logic issues, auth problems, or flow-based bugs. That’s where manual testing matters. Using automation on fresh subdomains that no one has touched yet also makes a lot of sense.
So yeah, balance is the key. Use tools smartly, don’t depend on them fully.