Cipher's Log #6: Precision Over Breadth


There was a time when I thought the best play was to touch everything.
One day I’d poke at XSS, the next day IDOR, maybe SSRF if I was in the mood.
It felt like I was moving fast — learning “a bit of everything” — but in reality, I was skimming the surface of an ocean. While that was kind of useful to solve easy-medium machines in CTFs, it wasn’t enough for me to land an actual Bug Bounty.
Then came the gap.
College restarted.
Schedules shifted.
The quiet, obsessive hours I had carved out for hacking got swallowed by labs, assignments, and the background noise of campus life.
I told myself I’d keep the momentum. I didn’t.
For a while, the grind wasn’t dead… but it was limping.
And maybe that was the wake-up call I needed.
Because when I finally got back to it, I didn’t want to waste time “sampling” anymore.
I wanted depth.
I wanted to take one vulnerability, break it apart until I understood every screw, gear, and wire, then rebuild it stronger than before.
That one vulnerability was SQL Injection.
🗡 The Focus Arc – SQLi
Not the surface-level, “I’ve seen this on YouTube” SQLi.
Not just copy-paste payloads from cheat sheets.
I wanted to know why it worked, what happened under the hood, and how to make it do things it wasn’t “supposed” to do.
Error-based, blind, time-based, stacked queries.
Chaining injections into privilege escalation.
Bypassing filters that were meant to “fix” it.
I went from hoping a payload would work… to knowing exactly why it would.
And here’s the thing: that depth made everything else sharper too.
I started seeing patterns — shared weaknesses, familiar logic gaps — across totally different vulnerabilities.
And while doing all this, I made my first ever bug bounty income. While it might seem small, I believe this is a sign that if I keep the grind going, I can turn this passion of mine into an actual career.
🛡 Next Hunt – Broken Authentication
If SQLi is picking the lock, broken authentication is stealing the master key.
It’s not just about getting in, it’s about becoming whoever you want to be inside the system.
Weak password flows.
Session mismanagement.
Token flaws.
Race conditions.
This is where technical skill meets psychological warfare — where you break not the code, but the trust holding the system together.
📜 Final Echo
The gap after college restarted taught me something I didn’t expect:
Momentum isn’t permanent.
If you don’t protect it, it will fade.
And when it does, you have two choices — mourn it, or rebuild it.
I chose to rebuild.
Some days, I still feel behind.
Some nights, I stare at a lab I should be able to solve and feel like a fraud.
But there’s a difference now — I trust the slow burn.
Because if the end of the beginning was about finding my footing…
Then this is about learning how to run.
And I’m not here to sprint.
I’m here to last.
— Bornov | WizB 🧙‍♂️
Written by

Bornov Shyam Kalita
An ECE undergrad student at NIT Silchar, India. Interested in cybersecurity, and more specifically the red teaming side of it, and wishes to build a career in it. Also extremely passionate about tech and physics.