The foundation of zseano's approach: go deep, not wide. One program for months, not ten programs for days.
If you find one bug type somewhere, look for it everywhere. Developers copy-paste code, so one XSS payload that works in a profile field will often work in event names, comments, and API responses. One bypass = look across the entire app.
After a bug is fixed, test the fix. They usually patch only the specific endpoint you reported, not the root cause across the whole app. Check if the same parameter exists on other endpoints.
Different codebases, different filtering, different bugs. Always test both the desktop version and the mobile app. Mobile apps talk to APIs and often have weaker validation. The desktop version may sanitize XSS but the mobile app won't.
Always test both HTTP methods. $_GET may be protected but $_POST may not be. Try changing POST to GET to bypass CSRF protection. Some filters only apply to one method.
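A developer-side check for the points above about fixes that cover only the reported endpoint and filters that cover only one HTTP method. It is an added example, not part of zseano's material: it scans a constructed route inventory for every handler that still accepts a fixed parameter without output encoding. The route table, its field names, and both function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed route inventory for a hypothetical app. "params" is what the
# handler accepts; "encoded" is the subset it passes through output encoding.
ROUTES = [
    # The endpoint named in the original report, now fixed.
    {"method": "POST", "path": "/profile",
     "params": {"display_name", "bio"}, "encoded": {"display_name", "bio"}},
    # Same path, other method: the fix was never applied here.
    {"method": "GET", "path": "/profile",
     "params": {"display_name"}, "encoded": set()},
    # Copy-pasted handler that reuses the same parameter.
    {"method": "POST", "path": "/events",
     "params": {"event_name", "display_name"}, "encoded": {"event_name"}},
    # Mobile API backed by a separate code path.
    {"method": "POST", "path": "/api/mobile/v1/profile",
     "params": {"display_name"}, "encoded": set()},
    {"method": "POST", "path": "/comments",
     "params": {"body"}, "encoded": {"body"}},
]


def unpatched_variants(routes, param):
    """Return sorted (method, path) pairs that accept `param` unencoded."""
    return sorted(
        (r["method"], r["path"])
        for r in routes
        if param in r["params"] and param not in r["encoded"]
    )


def method_gaps(routes, param):
    """Map each path to the methods left unprotected when another is fixed."""
    by_path = defaultdict(dict)
    for r in routes:
        if param in r["params"]:
            by_path[r["path"]][r["method"]] = param in r["encoded"]
    return {
        path: sorted(m for m, ok in methods.items() if not ok)
        for path, methods in by_path.items()
        if len(set(methods.values())) > 1  # protection differs by method
    }


if __name__ == "__main__":
    print("Still unpatched:", unpatched_variants(ROUTES, "display_name"))
    print("Method gaps:", method_gaps(ROUTES, "display_name"))
```

Running the same query for each parameter named in a report turns a single-endpoint fix into a root-cause fix before the retest.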
Go through the same target 50+ times. You will miss things on first look. Fresh eyes find new bugs. Take a break and come back – your brain will spot things differently.
How a company patches tells you how their developers think. Look at what they changed and reason about what else they might have missed with the same pattern.