Administrator
April 27, 2021 at 10:40 pm
I would actually disagree with this to some degree:
“The best hackers in the world take pride in hunting manually with the use of automation as a last resort”
One of the top hunters on HackerOne (aka todayisnew), who’s earned $1m+ in bounties so far, is known for his use of and reliance on automation. The thing is, when you’re doing that sort of bug bounty hunting, one strategy is to look at it as a numbers game. Yes, finding a $10,000 critical vulnerability would be AMAZING. But wouldn’t it be just as amazing to find forty $250 bugs while you sleep, from automation? Tools can be great enhancers that work with/for you, not necessarily a last resort.
The reason why I think people say what you wrote is that beginners do tend to rely heavily on tools at the expense of learning. After all, it can be much easier to type in a simple command that is well documented than to manually try to find something. Except, a lot of times, relying on tools like that doesn’t teach you how it really works. For example, let’s say that you need to be able to bypass a WAF. You go to Google and search for “WAF bypass tool github” and you download the tool to run it. The tool comes back empty and can’t find a way to bypass the WAF for whatever reason. You shake your head and either try a different tool or declare that the application is un-hackable and move on to the next.
Except maybe the WAF bypass tool you were using hasn’t been updated in 4 years. Or maybe you didn’t use it properly. Maybe you can’t use them in the environment you have access to. Or whatever the reason is, sometimes you need to be able to roll up your sleeves and do things the hard way in order to find a bypass, or at the very least, confirm that you’re not able to find a successful bypass when talking to your client. Except, because you’ve relied on tools exclusively to do this in the past, you don’t have a clue how to even approach this manually.
Another relevant example: I’m bug hunting some GraphQL endpoints right now, and I tried using a tool, but it kept erroring out on me. I haven’t figured out why it errors out yet, but I’m not going to let that prevent me from manually going after the endpoints. I could have thrown my hands up in the air and blamed the author of that tool instead, but that’s not a winning strategy. You have to be able to persist, especially when things don’t work your way.
TL;DR: I believe both have a place. Don’t let naysayers get in your head and make you feel bad for using tools. But don’t rely exclusively on tools to get the job done either.
All of this is just my opinion in a sea of other opinions on the subject, so I’d love to hear other viewpoints from the community!