The most useful thing I've internalised is also the least glamorous: most footholds aren't wizardry. They're patience, reading, and a developer who trusted input they shouldn't have.
The box doesn't fall because you're brilliant. It falls because the lock was already a little bit open and you were the one stubborn enough to keep jiggling the handle. Stubborn beats brilliant most days, and stubborn is trainable in a way brilliant isn't.
Two operating principles I keep coming back to:
- The quality of an attack is the quality of your attention. Before you decide what to send, look at exactly where your input lands: the HTML body, an attribute, inside a <script> block. A scanner that fires the same <script>alert(1)</script> everywhere misses three-quarters of the real bugs because it never asked the question. Look first, then act.
- The clean run is the deliverable, not the first one. The first pass is usually flailing. Then I do it again (proper enumeration, real methodology, the technique done the way it should be done) and that version is what I write up. The flailing was for me. The clean run is for the record.
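The same attention applies on the defending side: a value has to be encoded for the exact context it lands in, and body encoding reused in an attribute or a script block is the mistake the scanner in the first principle keeps missing. The example below is added here and is not code from the original post; the probe string and the `render` helper are constructed for illustration.

```python
import html
import json

# Constructed sample value: the probe the post mentions, used only to show
# that one encoding does not cover every context it can land in.
PROBE = '<script>alert(1)</script>'

def escape_for_body(value: str) -> str:
    """HTML text context: tag and entity characters are enough to neutralise."""
    return html.escape(value, quote=False)

def escape_for_attribute(value: str) -> str:
    """Quoted attribute context: quotes must be encoded as well, otherwise a
    quote in the value ends the attribute early."""
    return html.escape(value, quote=True)

def escape_for_script_string(value: str) -> str:
    """Script context: the browser does not decode HTML entities inside
    <script>, so html.escape is the wrong tool. Emit a JSON string literal
    and hex-escape the characters that could close the block or the string."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def render(context: str, value: str) -> str:
    """Place value into a template for the named context with the matching encoder."""
    if context == "body":
        return f"<p>{escape_for_body(value)}</p>"
    if context == "attribute":
        return f'<input value="{escape_for_attribute(value)}">'
    if context == "script":
        return f"<script>var q = {escape_for_script_string(value)};</script>"
    raise ValueError(f"unknown context: {context}")

def render_script_naively(value: str) -> str:
    """The 'before' version: the value is dropped into the script block unchanged."""
    return f'<script>var q = "{value}";</script>'

def script_block_intact(rendered: str) -> bool:
    """A rendered script block must close exactly once; a second closing tag
    means the value terminated the block early."""
    return rendered.count("</script>") == 1
```

Running `script_block_intact` over `render_script_naively(PROBE)` and `render("script", PROBE)` shows the first closes the block twice and the second once, which is the check the post's "look where your input lands" reduces to on the defending side.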
Find the doors first. You can't pick a lock you never knew was there.