1) Identified a badly protected side entrance to use rather than the front door
2) Painstakingly researched the third party product (similarly one could investigate a third party library used in a bespoke codebase)
3) Figured out the adaptations the target organisation had made to it and guessed some mistakes they'd made
4) Eventually hit on a cookie modification attack made possible by limitations found in that publicly-available codebase.
Smart.
1) Identified a badly protected side entrance to use rather than the front door
2) Painstakingly researched the third party product (similarly one could investigate a third party library used in a bespoke codebase)
3) Figured out the adaptations the target organisation had made to it and guessed some mistakes they'd made
4) Eventually hit on a cookie modification attack made possible by limitations found in that publicly-available codebase.
Smart.