I’m not sure about all of the others, but I do know that XSStrike does have WAF detection and evasion capability. Doesn’t mean it will always be successful, but it’s at least a start. Once you know what WAF is sitting in front of the application, you can 1) research its weaknesses, and 2) try different payloads and see what gets blocked and what makes it through… then go from there, iterating until something works. This is a time-consuming process unless you get lucky.
From personal experience, I’d say finding XSS is going to be more likely than SQL injection and command injection, at least for bug bounty programs. XSS consistently comes out on top in HackerOne’s list of top 10 vulnerability bounty awards. That doesn’t mean that will always be the case, but it has been for at least the last couple of years. So while it might be true that organizations are getting better and better at preventing XSS (which is great), the data shows that there is still a long way to go.
The other thing is that most public programs have already had a lot of eyeballs on them by the time they become public. A lot of programs start out as private, invite-only, and later on (months or years later) sometimes become public. So finding easy vulnerabilities in public programs is going to be difficult unless you jump on the program as soon as it comes out. With that said, hackers are lazy and a lot of them will move on to a different program after checking for low-hanging fruit. Use that to your advantage – sign up for the free tier (or maybe even pay for an account if it’s not too much $) and access portals/endpoints that likely didn’t get anywhere near as much attention as the public marketing website would have. Thinking from a developer’s mindset, that’s also probably where less care was taken for security. “Only customers will access this, and why would customers try to hack us/their own data?” This is a very common mindset, and I’ve heard many variations of that said over the past few years. Use that to your advantage.
With all of that said, I’d encourage you to take a step back for a moment: bug bounty hunting is hard. It takes a serious amount of time and commitment for most to make headway. Given the time limitations you’ve mentioned in other posts and what looks like a growing frustration, maybe you should take a break from it for a little bit and come back later. Even some of the more popular bounty hunters openly talk about needing to take breaks (months at a time) in between programs. In my opinion, it should be a fun experience. Sure, it will cause frustration, but overall you should be enjoying the hunt of it and overcoming roadblocks and challenges. When it starts deviating from that, I think that’s when it’s time to take a break.