Resources-for-Beginner-Bug-Bounty-Hunters

This page is designated to hosts blog posts on particular vulnerability and techniques that have led to a bounty. If you would like to learn more about specific vulnerability types, please visit Vulnerability Types!

NahamSec's Favorite Blogs & Reading Material

• HackerOne Hacktivity
• Bugcrowd Crowdstream
• Alex Champman
• The Daily Swig
• Deesee
• EdOverflow
• Jon Bottarini
• Allyon O'Malley
• Orange Tsai
• Philippe Harewood
• Ron Chan
• Shubham Shah
• spaceraccoon
• ziot
• zlz
• Vickie Li

Reddit

• /r/BugBounty
• r/websecurityresearch/
• r/howtohack
• r/netsec
• r/netsecstudents

Blog posts & Disclosed Reports 📝

A collection of Blog Posts ordered by Vulnerability Types

• Starting out & Tips
• XSS
  • DOM XSS
  • Stored XSS
• SSRF
• Token / Authentication
• SQL Injection
• HTTP Desync
• File Upload
• IDOR
• GraphQL
• RCE
• Recon
• Smart Contracts
• API
• Misc
• Mobile
  • iOS
  • Android

---

Starting out & Tips

• Basic Bug Bounty FAQ - by @thedawgyg
• Getting started in Cyber Security in 2019 – The Complete Guide - by ceos3c
• WTF is a Bug Bounty? - by ceos3c
• How to Set up Certificate-Based SSH for Bug Hunting - by Mack Staples
• XSS in Google Colaboratory + CSP bypass by Michał Bentkowski
• zseano’s notes on hacking & mentoring by Intigriti & Zseano

XSS

You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:

• Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program - Sam Curry
• Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty - @th3_hidd3n_mist
• Microsoft Edge (Chromium) - EoP via XSS to Potential RCE - @Qab
• Reflected XSS in https://blocked.myndr.net - Thilakesh
• Google Bug Bounty Writeup- XSS Vulnerability - @itsmepethu
• Found Stored Cross-Site Scripting — What’s Next? — Privilege Escalation like a Boss - by Harsh Bothra
• Bypassing WAF to perform XSS - by Kleitonx00
• Facebook DOM Based XSS using postMessage

DOM XSS

• Persistent DOM-based XSS in https://help.twitter.com via localStorage - harisec
• DOM based XSS in search functionality - sameoldstory
• A Tale Of A DOM Based XSS In Paypal - Rafay Baloch
• H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing - filedescriptor
• DOM XSS on app.starbucks.com via ReturnUrl - Gamer7112

Stored XSS

• Another XSS in Google Colaboratory - Michał Bentkowski
• Google adwords 3133.7$ Stored XSS - Emad Shanab
• Stored XSS on Facebook - Enguerran Gillier
• Yahoo Mail stored XSS - Jouko Pynnönen
• Yahoo Mail stored XSS #2 - Jouko Pynnönen
• Account Recovery XSS - Gábor Molnár

SSRF

• Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks
  - Alyssa Herrera | Hack.lu 2019
• Pivoting from blind SSRF to RCE with HashiCorp Consul
• Vimeo upload function SSRF - Sayed Abdelhafiz
• Piercing the Veal - by d0nut
• CVE-2020-13379 - Unauthenticated Full-Read SSRF in Grafana
• MY EXPENSE REPORT RESULTED IN A SERVER-SIDE REQUEST FORGERY (SSRF) ON LYFT - by nahamsec
• How I found SSRF on TheFacebook.com
• How I made $31500 by submitting a bug to Facebook
• A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

Token / Authentication

• Abusing feature to steal your tokens - Harsh Jaiswal
• How I was able to bypass OTP code requirement in Razer [The story of a critical bug] - Ananda Dhakal
• Bypassing GitHub's OAuth flow - @not_aardvark
• NMAP For Vulnerability Discovery - Sachin Wagh
• Subdomain Takeover to Authentication bypass - by geekboy
• Ability to know the presence of a person in a private event even if the guest list is hidden. - by Vivek PS
• Zero-day in Sign in with Apple

SQL Injection

• Time-Based Blind SQL Injection In GraphQL - Divyanshu Shukla
• SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database - spaceraccoon
• Finding SQL injections fast with white-box analysis — a recent bug example - @frycos
• How we hacked one of the worlds largest Cryptocurrency Website - strynx
• Blind SQL Injection on windows10.hi-tech.mail.ru - Просто душка (api_0)
• How to Hack Database Links in SQL Server! - Antti Rantasaari

HTTP Desync

• HTTP Desync Attacks: Request Smuggling Reborn in combination with this report - James Kettle
• HTTP Request Smuggling on vpn.lob.com - 0X0 (painreigns)
• Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies - Evan Custodio

File Upload

• Webshell via File Upload on ecjobs.starbucks.com.cn - johnstone
• Facebook Messenger server random memory exposure through corrupted GIF image - @xdzmitry
• A Tale of Exploitation in Spreadsheet File Conversions - @bbuerhaus//@daeken//@erbbysam//@smiegles
• External XML Entity via File Upload (SVG) - by 0xatul

IDOR

• Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method - Vijay Kumar
• GraphQL IDOR leads to information disclosure - @R0X4R
• From Multiple IDORs leading to Code Execution on a different Host Container - @Rahul_R95
• Automating BURP to find IDORs - Aditya Soni
• Another image removal vulnerability on Facebook
• Stealing Your Private YouTube Videos, One Frame at a Time

GraphQL

• Private System Note Disclosure using GraphQL - Ron Chan
• Graphql Abuse to Steal Anyone’s Address - pratik yadav
• Email address of any user can be queried on Report Invitation GraphQL type when username is known - msdian7

RCE

• My First RCE (Stressed Employee gets me 2x bounty) - Abhishek Yadav
• How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber - by Andrewaeva

Automation & Recon

• How to: Recon & Content Discovery
• Subdomain Recon Using Certificate Search Technique
• Notes about NahamSec's Recon Sessions - maverickNerd
• 10 Recon Tools For Bug Bounty - Anshuman Pattnaik
• Recon: Create a methodology and start your subdomain enumeration - by FailedNuke
• THEY SEE ME SCANNIN’, THEY HATIN’: A BEGINNER’S GUIDE TO NMAP - by Sophia (https://twitter.com/SecQueens)
• Fasten your Recon process using Shell Scripting - Mohd Shibli
• Beginner’s Guide to recon automation - Ashish Jha
• gitGraber: A tool to monitor GitHub in real-time to find sensitive data - by @adrien_jeanneau & @R_Marot

Smart Contracts

• Steal collateral during end process, by earning DSR interest after `flow(Listed as Business Logic Error)
• Steal all MKR from flap during liquidation by exploiting lack of validation in flap.kick(Listed as Improper Input Validation)

API

• 31 Days of API Security Tips - smodnix
• Exploiting Application-Level Profile Semantics (APLS)

Misc

• Hacking GitHub with Unicode's dotless 'i'
• Abusing autoresponders and email bounces - securinti
• Abusing HTTP hop-by-hop request headers - @nj_dav
• Cracking reCAPTCHA, Turbo Intruder style - James Kettle
• Abusing ImageMagick to obtain RCE - strynx
• How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN - Alyssa Herrera
• Top 10 web hacking techniques of 2019 by James Kettle
• Understanding Search Syntax on Github by Github
• URL link spoofing (Slack) by Akaki Tsunoda (akaki)
• Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts by Sam Curry
• The Secret sauce of bug bounty by Mohamed Slamat
• Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty - Sam Curry

Mobile

iOS

• From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13 - spaceraccoon

Android

• A deep dive into reversing Android pre-Installed apps and the

---

back to Intro Page