🪲 Bug Bounty Reading

assetnote--- kanban-plugin: board created: 25/05/2025 modified: 04/08/2025 view-count: 71

Methodology methodology

• Monke’s Guide to Bug Bounty Methodology

• Map your hacking sessions- then execute - Douglas Day’s Blog

• Year in Bug Bounties - from 0 to $25,700* in 12 months (Stats, Graphs, Learnings, Experiences & Plans!)

• Approaching Large Scope Targets Without Feeling Overwhelmed

• How-to-pick-a-bug-bounty-program.pdf

• TILs (Today I Learned) are junk food

• How to Understand a New Codebase Quickly – avdi.codes

  The best way I know to get acquainted with an unknown codebase is to fire it up locally (this alone may be very hard). Then approach softly, humbly, as a mere user. Start making theories about how it works, and what parts of the code are responsible for the behaviors you see.
   
  Then deliberately start breaking it.
   
  And notes. Take oh so many notes.
   

Recon recon

• Finding Hidden Parameters: Advanced Enumeration Guide
• 7 Overlooked recon techniques to find more vulnerabilities

Authentication authentication

• Salt Labs Finds OAuth Abuse Used to Take Over Accounts oauth-vulns
• New OAuth Vulnerability Impacts Hundreds of Online Services oauth-vulns
• OAuth Account Takeover - Account Takeover on Booking.com oauth-vulns
• Bypassing HackerOne 2FA due to race condition. | by Akash Hamal | Medium 2fa-bypass
• PayPal Bypass OTP Verification Code Vulnerability Worth $15,000 Bounty IDOR 2fa-bypass
• Common OAuth Vulnerabilities · Doyensec’s Blog oauth-vulns
• OAuth 2.0 Client Credentials Misuse in Public Apps
• SCIM Hunting - Beyond SSO · Doyensec’s Blog oath-vulns SCIM

Authorization authorization

• Bypassing Access Control through OPTIONS Request + Method Smuggling: A HackerOne Finding | by Ayush Kumar | Apr, 2025 | Medium
• Mastering 403 Forbidden Bypass Techniques - Part 2 bypass-403
• Mastering 403 Forbidden Bypass Techniques bypass-403

IDOR IDOR

• IDOR Cheat Sheet

XSS XSS

• How I Discovered XSS that Affects around 20 Uber Subdomains
• Bug Writeup: Stored XSS to Account Takeover (ATO) via GraphQL API | A developer’s notes in the world of security research and bug bounty, by pmnh graphql
• Hunting for blind XSS vulnerabilities: A complete guide
• Client-side JavaScript Instrumentation · Doyensec’s Blog pentest-tools
• How we got persistent XSS on every AEM cloud site, thrice › Searchlight Cyber
• Nonce CSP bypass using Disk Cache | Jorian Woltjer
• JavaScript Security Vulnerabilities Tutorial – With Code Examples
• GMSGadget
  • Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets
  • us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
  • Breaking XSS Mitigations Via Script Gadgets

Mutation XSS XSS

• Write-up of DOMPurify 2.0.0 bypass using mutation XSS - research.securitum.com mXSS
• Mutation XSS: Explained, CVE and Challenge | Jorian Woltjer mXSS
• mXSS: The Vulnerability Hiding in Your Code | Sonar mXSS
• mXSS cheatsheet mXSS

DOM Clobbering DOM-clobbering

• XSS in GMail’s AMP4Email via DOM Clobbering - research.securitum.com. This explains everything well.
• Webpack’s AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS · CVE-2024-43788 · GitHub Advisory Database. This is related to the output.publicPath config key and the generated JavaScript code of Webpack depends on a property that can be shadowed by the attacker via HTML injection.
• It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses

Client-Side Path Traversal CSPT

• Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF · Doyensec’s Blog
• CSPT2CSRF_2023_RC1
• Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain | Vitor Falcao

SSRF SSRF

• Road to SSRF : PDF generation and filter bypass on ASP.net application | by Supr4s | Apr, 2025 | Medium dotnet SSRF
• Novel SSRF Technique Involving HTTP Redirect Loops › Searchlight Cyber
• CA CTF 2022: Exploiting Redis Lua Sandbox Escape RCE with SSRF - Red Island RCE
• One SSRF To Rule Them All - Otterly
• Digging for SSRF in NextJS apps

Open Redirect open-redirect

• Open URL Redirect: Advanced Exploitation Guide | Intigriti

LFI file-inclusion

• Testing LFI in Windows: How I (never) got a $30000 bounty | @adeadfed

SQL Injection SQLi

• SQL Injection Cheatsheet | Tib3rius
• Double Dash, Double Trouble: A Subtle SQL Injection Flaw | Sonar

WordPress, Salesforce wordpress salesforce

• RESEARCH DAY: Discovering vulnerabilities in WordPress plugins - Onvio wordpress
• 5 Ways to hack WordPress targets | Intigriti wordpress
• Hacking Salesforce-backed WebApps - Hypn.za.net

Race Conditions race-condition

• Features likely vulnerable to race conditions

Cache Poisoning & Deception web-cache-poisoning web-cache-deception

• Avoid CPDoS in CloudFront | VRT Digital Products dos
• CPDoS: Cache Poisoned Denial of Service dos
• (895) Web Cache Deception | PortSwigger Labs | - YouTube web-cache-deception

Request Smuggling & Tunneling http-request-smuggling

• The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling | Assured AB, Security Consultants
• HTTP Request Smuggling on business.apple.com and Others. | by Stealthy | Medium
• From Akamai to F5 to NTLM… with love.
• Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites | @Bugcrowd

Misconfiguration misconfiguration

• Common Nginx misconfigurations - Blog Detectify nginx
• Nginx resolver vulnerabilities allow cache poisoning attack nginx
• (Research) Exploiting HTTP Parsers Inconsistencies
• Fastly Subdomain Takeover $2000 - Bug Bounty Writeup | InfoSec Write-ups subdomain-takeovers
• Shaking secrets out of CircleCI builds - insecure configuration and the threat of malicious pull requests - Nathan Davison

Web3 web3 blockchain

• 𝗩𝗶𝗰𝘁𝗼𝗿_𝗧𝗵𝗲𝗢𝗿𝗮𝗰𝗹𝗲 🛡️ on X: “If I were starting blockchain security from scratch, here’s the roadmap I’d follow. I wasted a lot of time early on because I didn’t know where to begin or what actually mattered. If I could start over, I’d do things in this order:” / X
• DeFiHackLabs/DeFiHackLabs-Ethereum-Web3-Security-BootCamp
• SunWeb3Sec/DeFiHackLabs: Reproduce DeFi hacked incidents using Foundry.
• Web3 Security Auditor’s 2024 Rewind
• ERC-4626 Inflation Attack and How to Mitigate It. | by Favorite_blockchain_lady | CoinsBench
• Uniswap V2 — Protocol Understanding | by Ben | CoinsBench
• Damn Vulnerable DeFi
• MiloTruck/evm-ctf-challenges: CTF challenges made by MiloTruck
• ONLYPWNER
• Zokyo Auditing Tutorials | Zokyo Auditing Tutorials
• Cyfrin/sc-exploits-minimized: A repo to showcase web3 hacks
• ChainLight Web3 Hack Postmortem 2024 V1.0.pdf smart-contract-audit
• Dacian on X: “In private audits sometimes I comment out a few important lines like token transfers, then re-run the test suite. If all test still pass, this indicates the test suite doesn’t validate important state changes & there are likely many bugs to be found. https://t.co/y9KedYNpAA” / X
• GreyCTF 2025 - Chovid99’s Blog write-up
• Blockchain Writeup - Codegate Finals 2025 :: teddyctf write-up
• baindlapranayraj/SolanaBlogs: Some Solana Blogs I am writing, read if you are intrested
• zksecurity/zkbugs: Reproduce ZKP vulnerabilities
• Security Research Blog
• Uniswap V3 Development Book - Uniswap V3 Development Book

CVEs cve

• HackerOne | Report #1858574 - [CVE-2022-44268] Arbitrary Remote Leak via ImageMagick | HackerOne

Misc

• Exploiting an ORM Injection to Steal Cryptocurrency from an Online Shooter · xEHLE ORM
• Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke) › Searchlight Cyber dotnet
• Subdomain takeovers - Security | MDN subdomain-takeovers
• Automatically Change IP Address Every 3 Seconds - 100% ANONYMOUS | Kali Linux 2024 (new method) tor anonymization
• Netflix Vulnerability: Dependency Confusion in Action - Lupin & Holmes dependency-confusion
• Story Of 15 Vulnerabilities in one public BBP ! | by Ahmed Elheny (Ahmex000) | Medium IDOR race-condition misconfiguration
• From Demo to Live: Zero-Click Account Takeover via the Same Encryption Algorithm | by can1337 | InfoSec Write-ups: sử dụng OTP response từ demo app cho live app để take over account có cùng ID (incremental) encrytion
• Some notes and techniques for reverse engineering Webpack (and a little bit about React/Vue/Angular) apps reversing
• The ultimate beginner’s guide to Caido | @Bugcrowd caido
• Critical Thinking - Bug Bounty Podcast on X: “HackerNotes TLDR for episode 132! — ►⠀Archive Alchemist was born from Mathias’ frustration with repeatedly looking up archive utility parameters for testing archive-based bugs. It streamlines testing by making it easier to list, add, remove, and extract files without” / X
• CodeQL zero to hero part 1: The fundamentals of static analysis for vulnerability research - The GitHub Blog
• How a GitHub Quirk Helped Me Earn $40K+ in Bug Bounties | by Arshad Kazmi | Jul, 2025 | InfoSec Write-ups
• Struts Devmode in 2025? Critical Pre-Auth Vulnerabilities in Adobe Experience Manager Forms › Searchlight Cyber
• Stealing HttpOnly cookies with the cookie sandwich technique | PortSwigger Research cookie-attacks
• Bypassing WAFs with the phantom $Version cookie | PortSwigger Research cookie-attacks
• An Exploration & Remediation of JSON Interoperability… | Bishop Fox