Resources

Bug Bounty Resources & Disclosed Reports: A Valuable Collection of Insights 📝

• Starting out
• Books
• Blogs
• Training Platforms
• Web Security
• Recon
• XSS
• CSRF
• IDOR
• Open Redirect
• Race Condition
• Subdomain Takeover
• SSRF
• XXE
• SQLi
• Misc

---

Starting-Out

• PortSwigger's Learning Path
• Cobalt Vulnerability Wiki
• OWASP Top 10 Web Training
• OWASP Top 10 API Training
• Web Security Course

---

Books

• The Web Application Hacker's Handbook, 2nd Edition
• Web Hacking 101
• Real-World Bug Hunting
• The Tangled Web
• The Hacker Playbook 2
• The Hacker Playbook 3

---

Blogs

• Assetnote
• Secjuice
• James Kettle
• Orange Tsai
• Sam Curry
• Patrik Hudak
• Honoki

---

Training-Platforms

• BugBountyHunter.com
• PentesterLab
• HackTheBox
• TryHackMe
• Rootme
• PicoCTF
• GoogleCTF

---

Web-Security

• Finding The Origin IP Behind CDNs
• Accessing cross-site data using JSONP
• Hacking the SOP
• LocalStorage vs Cookie XSS
• Cross-Site script inclusion
• How to Hunt Bugs in SAML; a Methodology - Part I
• How to Hunt Bugs in SAML; a Methodology - Part II
• How to Hunt Bugs in SAML; a Methodology - Part III
• SAML Attack Surface

---

Recon

• The Bug Hunter's Methodology v4.0 - Recon Edition
• Fundamentals of Bug Bounty Recon
• How To Do Recon: Introduction to Recon
• Just another Recon Guide for Pentesters and Bug Bounty Hunters
• The Best Bug Bounty Recon Methodology
• The Art of Subdomain Enumeration

---

XSS

• Instagram Reflected XSS
• XSS in Facebook CDN
• XSS on forums.oculusvr.com
• Persistent DOM-based XSS in https://help.twitter.com via localStorage
• DOM XSS on app.starbucks.com via ReturnUrl
• XSS in steam react chat client
• XSS while logging using Google
• Stored XSS in RDoc wiki pages

---

CSRF

• CSRF on connecting Paypal as Payment Provider
• CSRF on Periscope Web OAuth authorization endpoint
• CSRF combined with IDOR within Document Converter exposes files
• CSRF in all API endpoints when authenticated using HTTP Authentication
• The mass CSRFing of *.google.com/* products.
• Facebook CSRF bug which lead to Instagram Partial account takeover.
• Media deletion CSRF vulnerability on Instagram
• Facebook CSRF protection bypass which leads to Account Takeover

---

IDOR

• IDOR bug to See hidden slowvote of any user even when you dont have access right
• IDOR allow access to payments data of any user
• IDOR Causing Deletion of any account
• IDOR allow to extract all registered email
• Another image removal vulnerability on Facebook
• Gsuite Hangouts Chat 5k IDOR
• How I pwned a company using IDOR and Blind XSS
• Disclose Private Dashboard Chart's name and data in Facebook Analytics

---

Open-Redirect

• Open Redirects that matter
• XSS and Open Redirect on MoPub Login
• XSS and Open Rredirect on supporthiring.shopify.com
• Open Redirect in secure.showmax.com
• Open Redirect on streamlabs.com
• Open Redirect on "Language change"
• Open Redirect idp.fr.cloud.gov
• Airbnb chaining third party open redirect into SSRF via liveperson chat
• Oauth authentication bypass on airbnb acquistion using wierd 1 char open redirect

---

Race-Condition

• Race Condition in performing retest allows duplicated payments
• Race Conditions in OAuth 2 API implementations
• Race Condition in Flash workers may cause an exploitable double free
• Exploiting a Race condition vulnerabililty
• Race Condition leads to undeletable group member
• Race Condition on web
• Race Condition in account survey
• Race Condition at create new Location

---

Subdomain-Takeover

• Subdomain Takeover to Authentication bypass
• Subdomain Takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
• Subdomain Takeover on wfmnarptpc.starbucks.com
• Subdomain Takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com
• Subdomain Takeover: new level
• Subdomain Takeover on svcardproxydevus.starbucks.com
• Subdomain Takeover on blog.greenhouse.io pointing to Hubspot
• Subdomain Takeover on openapi.starbucks.com

---

SSRF

• SSRF in Exchange leads to ROOT access in all instances
• SSRF using Javascript allows to exfill data from Google Metadata
• SSRF in Google cloud platform stackdriver
• SSRF to ROOT Access
• SSRF reading local files from downnotifier server
• Facebook SSRF
• 31k$ SSRF in Google Cloud Monitoring led to metadata exposure
• How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!

---

XXE

• XXE at ecjobs.starbucks.com.cn
• XXE on sms-be-vip.twitter.com in SXMP Processor
• XXE and SSRF on webmaster.mail.ru
• XXE in Site Audit function exposing file and directory contents
• Blind OOB XXE on ubermovement.com
• XXE over which leads to RCE
• LFI and SSRF via XXE in emblem editor
• Non-production Open Database In Combination With XXE Leads To SSRF

---

SQLi

• Bypassing a crappy WAF to exploit a blind SQLI
• Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)
• Tesla Motors blind SQLI
• Blind SQL Injection on windows10.hi-tech.mail.ru
• Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
• Step by Step Exploiting SQL Injection in Oculus
• SQL Injection in lapsuudenturva
• SQL Injection Root Access tw.yahoo.com