Resources-for-Beginner-Bug-Bounty-Hunters
Blog posts & Disclosed Reports 📝
A collection of Blog Posts ordered by Vulnerability Types
- Starting out & Tips
- XSS
- SSRF
- Vulnerability Scanning
- Token / Authentication
- SQL Injection
- Mobile
- HTTP Desync
- File Upload
- Automation
- Buffer Overflow
- IDOR
- GraphQL
- RCE
- Recon
- Smart Contracts
- API
- Misc
Starting out & Tips
- Basic Bug Bounty FAQ - by @thedawgyg
- Getting started in Cyber Security in 2019 – The Complete Guide - by ceos3c
- WTF is a Bug Bounty? - by ceos3c
- How to Set up Certificate-Based SSH for Bug Hunting - by Mack Staples
- XSS in Google Colaboratory + CSP bypass by Michał Bentkowski
- Zseano’s notes on hacking & mentoring by Intigriti & Zseano
- MY BUG BOUNTY JOURNEY! by Farah Hawa
XSS
You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:
- XSS on Google Search - Sanitizing HTML in The Client? - LiveOverflow
- Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program - Sam Curry
- Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty - @th3_hidd3n_mist
- Microsoft Edge (Chromium) - EoP via XSS to Potential RCE - @Qab
- Reflected XSS in https://blocked.myndr.net - Thilakesh
- Google Bug Bounty Writeup- XSS Vulnerability - @itsmepethu
- How to solve the INTIGRITI Easter XSS challenge using only Chrome Devtools - by STÖK
- Found Stored Cross-Site Scripting — What’s Next? — Privilege Escalation like a Boss - by Harsh Bothra
- Bypassing WAF to perform XSS - by Kleitonx00
DOM XSS
- Persistent DOM-based XSS in https://help.twitter.com via localStorage - harisec
- DOM based XSS in search functionality - sameoldstory
- A Tale Of A DOM Based XSS In Paypal - Rafay Baloch
- H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing - filedescriptor
- DOM XSS on app.starbucks.com via ReturnUrl - Gamer7112
Stored XSS
- Another XSS in Google Colaboratory - Michał Bentkowski
- Google adwords 3133.7$ Stored XSS - Emad Shanab
- Stored XSS on Facebook - Enguerran Gillier
- Yahoo Mail stored XSS - Jouko Pynnönen
- Yahoo Mail stored XSS #2 - Jouko Pynnönen
- Account Recovery XSS - Gábor Molnár
SSRF
- DEF CON 27 Conference - Ben Sadeghipour - Owning The Clout Through Server Side Request Forgery
- Nahamsec & daeken | DEFCON 2019 - Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks
- Alyssa Herrera | Hack.lu 2019 - Vimeo upload function SSRF - Sayed Abdelhafiz
- Piercing the Veal - by d0nut
- MY EXPENSE REPORT RESULTED IN A SERVER-SIDE REQUEST FORGERY (SSRF) ON LYFT - by nahamsec
Vulnerability Scanning
- NMAP For Vulnerability Discovery - Sachin Wagh
Token / Authentication
- Abusing feature to steal your tokens - Harsh Jaiswal
- How I was able to bypass OTP code requirement in Razer [The story of a critical bug] - Ananda Dhakal
- Bypassing GitHub's OAuth flow - @not_aardvark
- Subdomain Takeover to Authentication bypass - by geekboy
- Ability to know the presence of a person in a private event even if the guest list is hidden. - by Vivek PS
SQL Injection
- Time-Based Blind SQL Injection In GraphQL - Divyanshu Shukla
- SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database - spaceraccoon
- Finding SQL injections fast with white-box analysis — a recent bug example - @frycos
- How we hacked one of the worlds largest Cryptocurrency Website - strynx
- Blind SQL Injection on windows10.hi-tech.mail.ru - Просто душка (api_0)
- How to Hack Database Links in SQL Server! - Antti Rantasaari
Mobile
iOS
Android
- A deep dive into reversing Android pre-Installed apps and the BlackHat Talk - Maddie Stone
HTTP Desync
- HTTP Desync Attacks: Request Smuggling Reborn in combination with this report - James Kettle
- HTTP Request Smuggling on vpn.lob.com - 0X0 (painreigns)
- Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies - Evan Custodio
File Upload
- Webshell via File Upload on ecjobs.starbucks.com.cn - johnstone
- Facebook Messenger server random memory exposure through corrupted GIF image - @xdzmitry
- A Tale of Exploitation in Spreadsheet File Conversions - @bbuerhaus//@daeken//@erbbysam//@smiegles
- External XML Entity via File Upload (SVG) - by 0xatul
Automation
- Fasten your Recon process using Shell Scripting - Mohd Shibli
- Beginner’s Guide to recon automation - Ashish Jha
- Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK & Fisher
- gitGraber: A tool to monitor GitHub in real-time to find sensitive data - by @adrien_jeanneau & @R_Marot
Buffer Overflow
- Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty - Sam Curry
- Writing a Simple Buffer Overflow Exploit - LiveOverflow
IDOR
- Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method - Vijay Kumar
- GraphQL IDOR leads to information disclosure - @R0X4R
- From Multiple IDORs leading to Code Execution on a different Host Container - @Rahul_R95
- Automating BURP to find IDORs - Aditya Soni
- Another image removal vulnerability on Facebook - by Pouya
GraphQL
- Private System Note Disclosure using GraphQL - Ron Chan
- Graphql Abuse to Steal Anyone’s Address - pratik yadav
- Email address of any user can be queried on Report Invitation GraphQL type when username is known - msdian7
RCE
- My First RCE (Stressed Employee gets me 2x bounty) - Abhishek Yadav
- How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber - by Andrewaeva
Recon
- Subdomain Recon Using Certificate Search Technique
- Notes about Nahamsecs Recon Sessions - maverickNerd
- 10 Recon Tools For Bug Bounty - Anshuman Pattnaik
- Recon: Create a methodology and start your subdomain enumeration - by FailedNuke
- THEY SEE ME SCANNIN’, THEY HATIN’: A BEGINNER’S GUIDE TO NMAP - by Sophia (https://twitter.com/SecQueens)
Smart Contracts
- Steal collateral during
endprocess, by earning DSR interest after `flow(Listed as Business Logic Error) - Steal all MKR from
flapduring liquidation by exploiting lack of validation inflap.kick(Listed as Improper Input Validation)
API
Misc
- Hacking GitHub with Unicode's dotless 'i'
- Abusing autoresponders and email bounces - securinti
- Abusing HTTP hop-by-hop request headers - @nj_dav
- Cracking reCAPTCHA, Turbo Intruder style - James Kettle
- Abusing ImageMagick to obtain RCE - strynx
- How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN - Alyssa Herrera
- 2 Cases of Path Traversal by @leonishan_
- Top 10 web hacking techniques of 2019 by James Kettle
- Understanding Search Syntax on Github by Github
- URL link spoofing (Slack) by Akaki Tsunoda (akaki)
- Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts by Sam Curry
- The Secret sauce of bug bounty by Mohamed Slamat
back to Intro Page