Resources
Bug Bounty Resources & Disclosed Reports: A Valuable Collection of Insights 📝
- Starting out
- Books
- Blogs
- Training Platforms
- Web Security
- Recon
- XSS
- CSRF
- IDOR
- Open Redirect
- Race Condition
- Subdomain Takeover
- SSRF
- XXE
- SQLi
- Misc
Starting out
- PortSwigger's Learning Path
- Cobalt Vulnerability Wiki
- OWASP Top 10 Web Training
- OWASP Top 10 API Training
- Web Security Course
Books
- The Web Application Hacker's Handbook, 2nd Edition
- Web Hacking 101
- Real-World Bug Hunting
- The Tangled Web
- The Hacker Playbook 2
- The Hacker Playbook 3
Blogs
Training Platforms
Web Security
- Finding The Origin IP Behind CDNs
- Accessing cross-site data using JSONP
- Hacking the SOP
- LocalStorage vs Cookie XSS
- Cross-Site script inclusion
- How to Hunt Bugs in SAML; a Methodology - Part I
- How to Hunt Bugs in SAML; a Methodology - Part II
- How to Hunt Bugs in SAML; a Methodology - Part III
- SAML Attack Surface
Recon
- The Bug Hunter's Methodology v4.0 - Recon Edition
- Fundamentals of Bug Bounty Recon
- How To Do Recon: Introduction to Recon
- Just another Recon Guide for Pentesters and Bug Bounty Hunters
- The Best Bug Bounty Recon Methodology
- The Art of Subdomain Enumeration
XSS
- Instagram Reflected XSS
- XSS in Facebook CDN
- XSS on forums.oculusvr.com
- Persistent DOM-based XSS in https://help.twitter.com via localStorage
- DOM XSS on app.starbucks.com via ReturnUrl
- XSS in steam react chat client
- XSS while logging using Google
- Stored XSS in RDoc wiki pages
CSRF
- CSRF on connecting Paypal as Payment Provider
- CSRF on Periscope Web OAuth authorization endpoint
- CSRF combined with IDOR within Document Converter exposes files
- CSRF in all API endpoints when authenticated using HTTP Authentication
- The mass CSRFing of *.google.com/* products
- Facebook CSRF bug which led to Instagram partial account takeover
- Media deletion CSRF vulnerability on Instagram
- Facebook CSRF protection bypass which leads to Account Takeover
IDOR
- IDOR bug to see hidden slowvote of any user even when you don't have access rights
- IDOR allow access to payments data of any user
- IDOR Causing Deletion of any account
- IDOR allow to extract all registered email
- Another image removal vulnerability on Facebook
- Gsuite Hangouts Chat 5k IDOR
- How I pwned a company using IDOR and Blind XSS
- Disclose Private Dashboard Chart's name and data in Facebook Analytics
Open Redirect
- Open Redirects that matter
- XSS and Open Redirect on MoPub Login
- XSS and Open Redirect on supporthiring.shopify.com
- Open Redirect in secure.showmax.com
- Open Redirect on streamlabs.com
- Open Redirect on "Language change"
- Open Redirect idp.fr.cloud.gov
- Airbnb chaining third party open redirect into SSRF via liveperson chat
- OAuth authentication bypass on Airbnb acquisition using weird 1-char open redirect
Race Condition
- Race Condition in performing retest allows duplicated payments
- Race Conditions in OAuth 2 API implementations
- Race Condition in Flash workers may cause an exploitable double free
- Exploiting a Race Condition vulnerability
- Race Condition leads to undeletable group member
- Race Condition on web
- Race Condition in account survey
- Race Condition at create new Location
Subdomain Takeover
- Subdomain Takeover to Authentication bypass
- Subdomain Takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
- Subdomain Takeover on wfmnarptpc.starbucks.com
- Subdomain Takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com
- Subdomain Takeover: new level
- Subdomain Takeover on svcardproxydevus.starbucks.com
- Subdomain Takeover on blog.greenhouse.io pointing to Hubspot
- Subdomain Takeover on openapi.starbucks.com
SSRF
- SSRF in Exchange leads to ROOT access in all instances
- SSRF using JavaScript allows exfiltrating data from Google Metadata
- SSRF in Google cloud platform stackdriver
- SSRF to ROOT Access
- SSRF reading local files from downnotifier server
- Facebook SSRF
- 31k$ SSRF in Google Cloud Monitoring led to metadata exposure
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
XXE
- XXE at ecjobs.starbucks.com.cn
- XXE on sms-be-vip.twitter.com in SXMP Processor
- XXE and SSRF on webmaster.mail.ru
- XXE in Site Audit function exposing file and directory contents
- Blind OOB XXE on ubermovement.com
- XXE over which leads to RCE
- LFI and SSRF via XXE in emblem editor
- Non-production Open Database In Combination With XXE Leads To SSRF
SQLi
- Bypassing a crappy WAF to exploit a blind SQLI
- Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)
- Tesla Motors blind SQLI
- Blind SQL Injection on windows10.hi-tech.mail.ru
- Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
- Step by Step Exploiting SQL Injection in Oculus
- SQL Injection in lapsuudenturva
- SQL Injection Root Access tw.yahoo.com