Resources-for-Beginner-Bug-Bounty-Hunters

Changelog 📬

Updates to this repo will be pushed monthly. You can read about the latest changes below.

Update 2020.05

Added

Media:
- New curated Bug Bounty List (Twitter)
- Curated List of YT Channels by TCM
Labs:
- Kontra Application Security Training
- Cyberseclabs
Coding:
- Exercism
- CodeCademy
- Khan Academy
- Learn Python the Hard Way
- Udacity
- Bug Bounty with Bash
Setup:
- New Video by nahamsec: Creating Wordlists for Pentesting & Bug Bounty
Blogposts & Disclosed Reports:
- Piercing the Veal by d0nut
- Basic Bug Bounty FAQ by dawgyg
- How to Set up Certificate-Based SSH for Bug Hunting by Mack Staples
- Getting started in Cyber Security in 2019 – The Complete Guide by ceos3c
- WTF is a Bug Bounty? by ceos3c
- How to solve the INTIGRITI Easter XSS challenge using only Chrome Devtools by STÖK
- URL link spoofing (Slack) by Akaki Tsunoda (akaki)
- Subdomain Takeover to Authentication bypass by geekboy
- Zseano’s notes on hacking & mentoring by Intigriti & Zseano
- Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts by Sam Curry
Mobile:
- Android App Reverse Engineering 101 by Maddie Stone
Tools:
- Ghidra -> Mobile
- jadx -> Mobile
- nuclei -> Recon & OSINT
New Category: Certifications
- Fot the moment one Cert: OSCP
New Category: Mindset & Mental Health

Changes

Changed the formating of the Changelog starting this month to make it cleaner
Removed the links for every new addition to its article.
The headers for every category now links to their page instead.
Changed the formatting of the HTTP Section in the Basics Category
Changed Blogposts to -> Blogposts & Disclosed Reports
Changed some of the formatting in the XSS Blogposts, cleaner now

Fixes

Fixed some layout errors
Added missing Header in Basics Category
Fixed Typos

Update 2020.04

Added

New in Basics
- Added Stanford CS 253 Web Security
New Category: Hardware & IoT
- Added Exploitee.rs Wiki
New Category: Coding & Scripting
- Added Bash Scripting Full Course 3 Hours
- Added ShellCheck
- Added Explainshell
- Added Discovering the Terminal
- Added Text Processing in the Shell
New Podcasts:
- Darknet Diaries Episode 60 with dawgyg
- The Bug Bounty Podscast Episode 3 with nahamsec
New in Tools:
- crithit
- objection - A new Mobile tool
- CyberChef
- RMS - Runtime Mobile Security
- New Category: Notes & Organization
  - Reconness to Notes & Organization
  - Updog to Notes & Organization
- New Category: Burp Extensions
  - Logger++ to Burp Extensions
  - AuthMatrix to Burp Extensions
  - Autorize to Burp Extensions
  - Auto Repeater to Burp Extensions
  - Progress Tracker to Burp Extensions
  - Flow to Burp Extensions
New in Labs:
- TryHackMe & Videos
New in Media:
- @codingo_ now in Twitter-List
New Streamers:
- sup3rhero1
- STÖK
New in BlogPosts:
- New Category: API
- Added 31 Days of API Security Tips- Misc
- Added Blind SQL Injection on windows10.hi-tech.mail.ru - SQLInjection
- Added DOM XSS on app.starbucks.com via ReturnUrl - DOMXSS
- Added Email address of any user can be queried on Report Invitation GraphQL type when username is known - GraphQL
- Added External XML Entity via File Upload (SVG) - File Upload
- Added Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies - HTTP Desync
- Added gitGraber: A tool to monitor GitHub in real-time to find sensitive data - by @adrien_jeanneau & @R_Marot
- Added 2 Cases of Path Traversal by @leonishan_
- Added Google Bug Bounty Writeup- XSS Vulnerability - by @itsmepethu
- Added Top 10 web hacking techniques of 2019 by James Kettle
- Added Recon: Create a methodology and start your subdomain enumeration - by FailedNuke
- Added Understanding Search Syntax on Github - by Github
New in Mobile:
- Android-Reports-and-Resources
New in Vulnerabilities:
- New Video: Cross-Site Scripting (XSS) Explained -by PwnFunction
New in Setup:
- Added Docker Tutorial for Beginners - A Full DevOps Course on How to Run Applications in Containers

Changed

Fixed

Update 2020.03

Added

New: Smart Contracts (special thanks to @0xatul)
- New White-/yellowpapers in Smart Contracts: Bitcoin whitepaper & Ethereum yellowpaper
- New How to Audit a Smart Contract
New Smart Contracts Category under Blogposts and added two Writeups
New in Blogposts:
- 10 Recon Tools for Bug Bounty
New in Setup:
- Finding your First Bug and getting a Bounty with InsiderPhD
- Introduction to Docker for CTFs
New in Vulnerabilities:
- Finding your first Bug - CSRF
- CSRF-Basics
New in Tools:
- Knockpy
New in Labs:
- 0l4bs for XSS
New in Mobile:
- Q&A with Android Hacker bagipro
- Introduction to Android Hacking
- Mobile Hacking Cheat Sheet
- Android Pentesting Github Repo by Riddhi Shree

Changed

Nothing

Fixed

Format Issue in Changelog
Changed Format in README

Update 2020.02

Added

New XSS Lab: XSS Labs from PwnFunction
New Recon & OSINT Tool: Reconness
New IDOR Blogspost: Automating BURP to find IDORs
New Misc Blogpost: How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN
New Blogspost Category: RCE
- New RCE Blogpost: My First RCE (Stressed Employee gets me 2x bounty)
New Blogpost Cetegory: Recon
- New Recon Blogpost/Guide: Subdomain Recon Using Certificate Search Technique
New Vulnerabilities Post: The 7 main XSS cases everyone should know
Added Jason Haddix to Media (contributed by securibee)

Changed

Moved Notes about Nahamsecs Recon Sessions from Misc to Recon

Fixed

Typos in Media (contributed by securibee)

Update 2020.01

Added

New changelog page
New content in Blogposts
Designated section to get started with Burp Suite
Link from the Burp Tool section to the setup guide
Recon Pi to Tools

Changed

Updated the Twitter Descriptions in media.md
Cleaned up Setup Page
Cleaned up Blogposts Page

back to Intro Page