Most bug hunters would’ve missed this — here’s how I spotted a hidden SQLi behind Cloudflare’s strict WAF.
It started with a simple API endpoint: /users/public?search=. At first glance, it seemed harmless—just a search feature for public profiles. But something felt off. When a single quote (') was entered, the results vanished. No errors, no warnings. Just silence.
“No errors showed up — just silent SQL failures. Here’s why manual testing beats tools.”
Automated scanners would’ve skipped this. No 500 Internal Server Error, no SQL syntax warnings. But silence can be a vulnerability’s loudest scream.
When a Missing Result Means Everything
The search parameter was supposed to filter users by name. Typing deepak returned profiles. But adding a quote ('OR testing1337) made the page empty.
Burp Suite revealed the truth. While the frontend showed nothing, the HTTP response hinted at a broken SQL query. Most testers rely on visible errors, but hidden SQL failures are where real exploits hide.
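To make the "silent failure" concrete from the defender's side, here is an added example (not code from the post or from the application it describes) that models the two ways a search handler can be written. The handler names, the table layout and the use of a LIKE filter are assumptions; the rows are constructed test data. The concatenating version swallows the database error and returns an empty list, exactly the empty page the post observed, while the parameterized version treats the quote as data and keeps working, including for a legitimate name that contains an apostrophe.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline (not real user data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_public) VALUES (?, ?)",
        [("deepak", 1), ("deepak o'neil", 1), ("alice", 1), ("bob", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Hypothetical handler that splices user input straight into the SQL text.

    A single quote in `term` breaks the query; the catch-all except hides the
    error and returns an empty list, so the UI shows nothing and no 500 is
    raised. That is the silent failure the post describes.
    """
    sql = f"SELECT name FROM users WHERE is_public = 1 AND name LIKE '%{term}%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []  # error swallowed: caller cannot tell "no match" from "broken query"


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE is_public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def silent_failure_signal(conn: sqlite3.Connection, term: str) -> bool:
    """Regression check for a code review or test suite: if the concatenating
    handler and the parameterized handler disagree on the same input, the
    input is changing the query structure rather than just the data."""
    return search_vulnerable(conn, term) != search_safe(conn, term)


if __name__ == "__main__":
    db = make_db()
    for probe in ("deepak", "'", "o'neil"):
        print(repr(probe), "vulnerable:", search_vulnerable(db, probe),
              "safe:", search_safe(db, probe),
              "mismatch:", silent_failure_signal(db, probe))
```

Two things worth noticing in practice: the mismatch check fires on an ordinary apostrophe, so users with names like "o'neil" are a free, non-malicious canary for this bug class, and the fix is not input filtering at the WAF but parameterization in the handler, which is why a strict WAF in front of the endpoint did not make the silence go away.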