Resources-for-Beginner-Bug-Bounty-Hunters
Vulnerabilities 💉
This page is created to help hackers understand a specific vulnerability type in details.
- If you would like to get some hands on experience by hacking more in detailed labs, please read the labs page
- If you would like to read blog posts and see example vulnerability, please read the blog posts page
Online Resources & Frameworks
- Owasp Top 10
- OWASP Testing Guide v4
- Bug Bounty Cheat Sheets - by EdOverflow
- WebSecurity Academy by PortSwigger
As we start to build this repository, we'll be adding more vulnerability types and resources for each one.
Cross-Site Scripting (XSS)
XSS is a great place to start as it's one of the most popular and easiest vulnerabilities to find in a web application.
Reading Material
- WebSec Academy - Cross-Site Scripting
- OWASP XSS
- XSS Filter Evasion Cheat Sheet
- Cross-site scripting - Executing untrusted JavaScript in a trusted context
- A comprehensive tutorial on cross-site scripting
- The 7 main XSS cases everyone should know - brutelogic
Video Content
- Cross-Site Scripting (XSS) Explained - by PwnFunction
- Finding Your First Bug: Cross Site Scripting (XSS) - by InsiderPhD
Labs
Cross-Site Request Forgery (CSRF)
Reading Material
- WebSec Academy - CSRF
- CSRF-Basics - by Princethilak
- Cross Site Request Forgery (CSRF) by Snyk
Videos
- Cross-Site Request Forgery Attack - by PwnFunction
- Finding Your First Bug: Cross-Site Request Forgery - by Insider PhD
- Cross Site Request Forgery - Computerphile
Labs
- [WebSec Academy - CSRF Labs]https://portswigger.net/web-security/all-labs)
Insecure Direct Object Reference (IDOR)
Reading Material
- WebSec Academy - Insecure direct object references (IDOR) By PortSwigger
- Insecure Direct Object Reference (IDOR) by Intigriti
- IDOR tutorial hands-on – OWASP Top 10 training
Videos
- Insecure Direct Object Reference Vulnerability - by PwnFunction
- Finding Your First Bug: Manual IDOR Hunting - by Insider PhD
- Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - by STÖK & Fisher
Labs
- (WebSec Academy - IDOR Lab)[https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references]
- (IDOR on TryHackMe)[https://tryhackme.com/room/idor]
- (Corridor on TryHackMe)[https://tryhackme.com/room/corridor]
Server-Side Request Forgery
Reading Material
- WebSec Academy - Server-Side Request Forgery
- SSRF by OWASP
- What is server-side request forgery (SSRF)?
- Server-side request forgery - Unintended access to internal resources via exploited serve
- SSRF vulnerabilities and where to find them
Videos
- (Find and Exploit Server-Side Request Forgery (SSRF))[https://www.youtube.com/watch?v=eVI0Ny5cZ2c]
- (Server-Side Request Forgery (SSRF) | Complete Guide)[https://www.youtube.com/watch?v=ih5R_c16bKc&t=1s]
- SSRF in 100 seconds
- How To Search For SSRF!
- How to exploit a blind SSRF?
Labs
- WebSec Academy - Server-Side Request Forgery Labs
- WebSec Academy - Blind SSRF vulnerabilities
- Server-Side Request Forgery (SSRF) vulnerable Lab
- Server-Side Request Forgery on TryHackMe
XML External Entities (XXE)
Reading Material
- WebSec Academy - XML External Entity (XXE) injection
- XML External Entity (XXE) Processing by OWASP
- How to Find XXE Bugs: Severe, Missed and Misunderstood by Luke Stephens
Videos
- XML External Entities ft. JohnHammond - by PwnFunction
- How to search for XXE!
- How to run an XXE injection via an SVG Image Upload!
Labs
back to Intro Page