====== Philosophy & Core Principles ======

The foundation of zseano's approach: go deep, not wide. One program for months, not ten programs for days.

===== Core Mindset =====

  * Spend **months** on the same program -- dive deep
  * Reverse engineer the developer's thought process
  * Where there's a filter, there's usually a bypass
  * The trend is your friend -- developers reuse code and repeat mistakes
  * Write notes as you hack -- build a treasure map of your target
  * Test what's in front of you manually before running scanners
  * Old code = bugs. New features bolted onto old code = more bugs
  * Build your own tools when existing ones don't cut it

===== Key Principles =====

==== The Trend Is Your Friend ====

If you find one bug type somewhere, look for it everywhere. Developers copy-paste code, so an XSS payload that works in a profile field will often work in event names, comments, and API responses that render through the same template. One bypass = sweep the entire app for the same pattern.

==== Developers Only Fix What You Report ====

After a bug is fixed, test the fix. Teams usually patch the specific endpoint you reported, not the root cause across the whole app. Check whether the same parameter, template, or helper is used on other endpoints, and whether the patched endpoint still accepts the payload via a different method or content type.

==== Mobile vs Desktop ====

Different codebases, different filtering, different bugs. Always test both. Mobile apps talk to APIs and often have weaker validation: the web front end may sanitize XSS while the API the mobile app calls does not.

==== GET vs POST ====

Always test both HTTP methods. The GET handler may be protected while the POST handler is not, or the reverse. Try changing POST to GET: if the same action is accepted via GET, a CSRF token check that only runs on the POST path is skipped. Some input filters likewise only apply to one method, or only to the query string and not the body.

==== Test More Than Once ====

Go through the same target 50+ times. You will miss things on the first look. Fresh eyes find new bugs. Take a break and come back -- your brain will spot things differently.

==== Use Patch Info ====

How a company patches tells you how their developers think. Look at what they changed and reason about what else they might have missed with the same pattern.
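The three principles above (trend, fix-only-what-was-reported, GET vs POST) reduce to one mechanical check: replay the same canary across every endpoint that shares a template, via both methods, and record where it comes back unencoded. The script below is an added illustration, not zseano's tooling. The target it probes is a constructed local HTTP server whose ''/profile'' handler escapes only the POST body (the "fix" a developer would ship for a POST-only report) and whose ''/event'' handler is an unpatched copy of the same template; the paths, parameter name and payload are assumptions for the example.

```python
"""Method-flip and parameter-sweep probe against a constructed local target.

Added example; not the page's or zseano's own code. The vulnerable
handler is constructed here so the probe runs offline.
"""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Canary: if it comes back byte-for-byte, the sink is unencoded (XSS candidate).
PAYLOAD = "<svg onload=alert(1)>"


class ConstructedTarget(BaseHTTPRequestHandler):
    """Hypothetical app. The developer patched exactly what was reported:
    POST /profile. GET /profile and /event (a copy of the same template)
    still reflect the 'name' parameter raw."""

    ROUTES = ("/profile", "/event")

    def _render(self, path, params):
        if path not in self.ROUTES:
            self.send_error(404)
            return
        name = params.get("name", [""])[0]
        if path == "/profile" and self.command == "POST":
            name = html.escape(name)  # the one place the fix was applied
        body = f"<h1>Hello {name}</h1>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        self._render(url.path, urllib.parse.parse_qs(url.query))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        params = urllib.parse.parse_qs(self.rfile.read(length).decode())
        self._render(urllib.parse.urlsplit(self.path).path, params)

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(base, paths, param, payload):
    """Send payload as GET query and as POST body to every path.
    Returns the (method, path) pairs where it is reflected unencoded."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    hits = []
    for path in paths:
        for method in ("GET", "POST"):
            data = urllib.parse.urlencode({param: payload})
            if method == "GET":
                req = urllib.request.Request(f"{base}{path}?{data}")
            else:
                req = urllib.request.Request(f"{base}{path}", data=data.encode(), method="POST")
            with opener.open(req, timeout=5) as resp:
                body = resp.read().decode()
            if payload in body:
                hits.append((method, path))
    return hits


def run_probe():
    """Start the constructed target on a free port, sweep it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return probe(base, list(ConstructedTarget.ROUTES), "name", PAYLOAD)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, path in run_probe():
        print(f"unencoded reflection: {method} {path}")
```

Against a real program you would replace the constructed server with the list of endpoints from your notes and run ''probe'' after every fix notification; a hit on a method or path you did not report is the "developers only fix what you report" case, and a hit on a sibling endpoint is the trend.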
===== Don't Burn Out =====

  * Take notes constantly -- your treasure map grows over time
  * Walk away when tired -- fresh perspective finds bugs
  * Rotate between programs when stuck
  * VDPs are for practice -- know your risk/reward ratio

===== See Also =====

  * [[zseano:program_selection|Picking a Program]]
  * [[zseano:start|Methodology Index]]
  * [[tbhm:01_philosophy|TBHM Philosophy]]