This is a collection of all bug bounty tips published on this website. They were collected from the bug hunting community on Twitter, who share their tips and knowledge to help all of us find more vulnerabilities and collect bug bounties.
Each tip contains a link to the original tweet and to its author. Note that I have added additional information and details to most of the published tips to make the technical details easier to understand.
Hope you will find it useful!
OSINT / Recon
Finding subdomains
- BBT1-7 – Finding subdomains
- BBT1-8 – Curl + parallel one-liner
- BBT2-1 – Find subdomains with SecurityTrails API
- BBT3-3 – Find related domains via favicon hash
- BBT3-7 – Find subdomains using RapidDNS
- BBT4-10 – A recon tip to find more subdomains (Shodan)
- BBT7-10 – Find subdomains using ASNs with Amass
Asset and content discovery
- BBT2-2 – Access hidden sign-up pages
- BBT2-4 – Find hidden pages on Drupal
- BBT2-6 – Find Spring Boot servers with Shodan
- BBT2-7 – Forgotten database dumps
- BBT2-10 – Find RocketMQ consoles with Shodan
- BBT3-11 – Fuzz list for GIT and SVN files
- BBT4-8 – Generate content discovery wordlist from URI
- BBT5-3 – HTTP recon automation with httpx
- BBT6-7 – Web servers on non-standard ports (Shodan)
- BBT6-13 – Keep track of attack surface with Amass
- BBT7-8 – Easy information disclosure with httpx
- BBT8-12 – Find Kubernetes with Shodan
- BBT9-12 – OneListForAll – “Rockyou” wordlist for web fuzzing
- BBT10-1 – List of 24 Google dorks for bug bounties
Fingerprinting
- BBT6-4 – Find out what websites are built with
- BBT6-8 – Fingerprinting with Shodan and Nuclei engine
- BBT8-8 – Database of 500 Favicon hashes (FavFreak)
- BBT9-10 – Calculate favicon hash value for favicon recon
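Three of the tips above (BBT3-3, BBT8-8 and BBT9-10) rely on the favicon hash that Shodan indexes as `http.favicon.hash`. As an added example that is not part of any of the original tips, the following pure-Python implementation reproduces that value without the `mmh3` package: Shodan hashes the MIME base64 text of the icon (76-character lines, each terminated by a newline, exactly what `codecs.encode(data, "base64")` produces) with MurmurHash3 x86_32, seed 0, and reports it as a signed 32-bit integer. The sample favicon bytes are constructed here for illustration and are not a real icon; the helper and function names are my own.

```python
"""Shodan-style favicon hash: MurmurHash3 x86_32 over the base64 text of the icon."""
import base64

_C1 = 0xCC9E2D51
_C2 = 0x1B873593
_MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK


def murmur3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 as an unsigned 32-bit integer (same algorithm mmh3.hash uses)."""
    h1 = seed & _MASK
    n_blocks = len(data) // 4
    # Body: consume 4-byte little-endian blocks.
    for i in range(n_blocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * _C1) & _MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * _C2) & _MASK
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & _MASK
    # Tail: the remaining 1-3 bytes, if any.
    tail = data[4 * n_blocks:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * _C1) & _MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * _C2) & _MASK
        h1 ^= k1
    # Finalization: mix in the length and avalanche.
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & _MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & _MASK
    h1 ^= h1 >> 16
    return h1


def to_signed32(x: int) -> int:
    """Reinterpret an unsigned 32-bit value as signed, the way mmh3.hash() reports it."""
    return x - (1 << 32) if x & 0x80000000 else x


def base64_for_hash(favicon: bytes) -> bytes:
    """MIME base64 with 76-character lines, each newline-terminated.

    base64.encodebytes() produces the same bytes as codecs.encode(favicon, "base64"),
    which is the encoding Shodan hashes; plain b64encode() would give a different hash.
    """
    return base64.encodebytes(favicon)


def shodan_favicon_hash(favicon: bytes) -> int:
    """Value to search for as http.favicon.hash:<value> in Shodan."""
    return to_signed32(murmur3_x86_32(base64_for_hash(favicon)))


def shodan_query(favicon: bytes) -> str:
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"


# Constructed sample data: an ICO-like header followed by filler bytes, not a real favicon.
SAMPLE_FAVICON = (
    b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + bytes(range(256)) * 2
)

if __name__ == "__main__":
    # Replace SAMPLE_FAVICON with the bytes of a downloaded /favicon.ico to get a real query.
    print(shodan_query(SAMPLE_FAVICON))
```

When comparing against tools such as FavFreak or `mmh3.hash`, remember that the sign matters: Shodan stores the signed value, so a hash printed as unsigned will not match.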
Data extraction
- BBT1-2 – Use grep to extract URLs
- BBT1-3 – Extract information from APK
- BBT4-2 – Find JavaScript files using gau and httpx
- BBT4-3 – Extract API endpoints from JavaScript files
- BBT4-9 – Extract endpoints from APK files
- BBT7-11 – Find JavaScript files with httpx and subjs
- BBT7-12 – Unpack exposed JavaScript source map files
- BBT9-3 – Full-featured JavaScript recon automation (JSFScan.sh)
- BBT9-6 – Useful regex for subdomain level extraction
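Several of the data extraction tips (BBT1-2, BBT4-3 and BBT9-6) come down to pulling URLs out of collected JavaScript and then deciding which hostnames are in scope. The snippet below is an added example, not code from any of the tips: it extracts URLs from a constructed JavaScript blob, keeps only hosts that are the target root domain or a true subdomain of it (a look-alike such as `example.com.evil.test` must not pass), and reports the subdomain level of each host. The sample JavaScript and the `example.com` root are constructed for illustration; the function names are my own.

```python
"""Extract URLs from JavaScript text, keep in-scope hosts, and rank them by subdomain level."""
import re
from urllib.parse import urlsplit

# Stops at whitespace, quotes, brackets and angle brackets, which is what ends a URL literal
# in JavaScript source or HTML. Good enough for recon; not a full RFC 3986 parser.
URL_RE = re.compile(r"""https?://[^\s"'<>`\\()]+""")


def extract_urls(text: str) -> list[str]:
    """Unique absolute http(s) URLs found in the text, sorted for stable output."""
    return sorted(set(URL_RE.findall(text)))


def in_scope_hosts(urls: list[str], root: str) -> list[str]:
    """Hostnames equal to root or ending in '.' + root.

    The dot is essential: endswith(root) alone would accept notexample.com and
    example.com.evil.test, which is how attacker-controlled hosts sneak into a scope list.
    """
    root = root.lower().rstrip(".")
    hosts = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host == root or host.endswith("." + root):
            hosts.add(host)
    return sorted(hosts)


def subdomain_level(host: str, root: str) -> int:
    """Number of labels below the root: example.com -> 0, api.example.com -> 1."""
    host, root = host.lower().rstrip("."), root.lower().rstrip(".")
    if host == root:
        return 0
    if not host.endswith("." + root):
        raise ValueError(f"{host} is not under {root}")
    return host[: -len(root) - 1].count(".") + 1


def hosts_by_level(text: str, root: str) -> dict[int, list[str]]:
    """Map subdomain level -> in-scope hosts found in the text."""
    grouped: dict[int, list[str]] = {}
    for host in in_scope_hosts(extract_urls(text), root):
        grouped.setdefault(subdomain_level(host, root), []).append(host)
    return grouped


# Constructed sample: a few lines of the kind of JavaScript gau/httpx would collect.
SAMPLE_JS = """
const API = "https://api.example.com/v1/users";
fetch('https://static.cdn.example.com/app.js?x=1');
window.location = "https://example.com/login";
// tracker: <a href="http://example.com.evil.test/">x</a>
var mirror = 'https://notexample.com/assets/';
"""

if __name__ == "__main__":
    for level, hosts in sorted(hosts_by_level(SAMPLE_JS, "example.com").items()):
        print(level, hosts)
```

The level grouping is useful for prioritising: level-2 and deeper names (`static.cdn.example.com`) are often the forgotten infrastructure that subdomain brute-forcing misses.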
Sensitive information
- BBT2-3 – Top 5 bug bounty Google dorks
- BBT2-5 – Find sensitive information with gf
- BBT3-13 – Find sensitive information with AlienVault OTX
- BBT4-7 – Find database secrets in SVN repository
- BBT4-12 – GitHub dorks for finding sensitive information
- BBT5-2 – Sensitive data leakage using .json
- BBT5-4 – Easy wins with Shodan dorks
- BBT5-7 – Find access tokens with ffuf and gau
- BBT5-8 – GitHub dorks for finding secrets
- BBT5-9 – Use Google cache to find sensitive data
- BBT6-12 – Phpinfo() with sensitive information
- BBT7-9 – Recon leading to exposed debug endpoints
- BBT7-13 – List of 14 Google dorks for recon and easy wins
- BBT8-6 – GitHub dorks for AWS, Jira, Okta .. secrets
- BBT9-13 – List of 9 tools for identifying sensitive information
Looking for vulnerabilities
- BBT1-1 – Heartbleed vulnerability
- BBT6-5 – Scanning at scale with Axiom
- BBT6-11 – Top 20+ Burp extensions for bug bounty hunting
- BBT7-14 – Find web servers vulnerable to CORS attacks
- BBT8-10 – List of 12 Android security testing tools
- BBT9-9 – Scan Jira for known CVEs and misconfigurations
- BBT10-4 – Search for CVEs of specific year with Nuclei
Broken access control (BAC)
- BBT1-6 – JWT token bypass
- BBT2-9 – From employee offers to ID card
- BBT5-10 – Trick to find more IDOR vulnerabilities
- BBT8-13 – Multi-factor (2FA) authentication bypass
- BBT10-6 – How to find access control bugs
Cross Site Scripting (XSS)
- BBT1-9 – Simple XSS check
- BBT3-2 – JavaScript polyglot for XSS
- BBT3-9 – Tiny minimalistic XSS payloads
- BBT4-11 – Find hidden GET parameters in JavaScript files
- BBT5-13 – XSS payload as an image filename
- BBT7-5 – Bypass WAF blocking “javascript:” in XSS
- BBT8-7 – Simple reflected XSS scenario
- BBT8-9 – XSS firewall bypass techniques
- BBT9-4 – List of 25 tools for detecting XSS
- BBT9-7 – Find XSS in Java applications in Boolean values
- BBT10-12 – XSS payload in an XML file
Server Side Request Forgery (SSRF)
- BBT3-6 – SSRF payloads to bypass WAF
- BBT5-1 – Top 25 server-side request forgery (SSRF) parameters
- BBT10-13 – SSRF Bypass list for localhost (127.0.0.1)
Local / Remote File Inclusion (LFI / RFI)
- BBT3-10 – Top 25 local file inclusion (LFI) parameters
- BBT9-11 – Browser-based application LFI via view-source
- BBT10-3 – Turning LFI to RCE in PHP using ZIP wrapper
Injection (SQL, RCE..)
- BBT2-8 – E-mail address payloads
- BBT3-5 – Top 25 remote code execution (RCE) parameters
- BBT5-11 – Valid email addresses with evil payloads
- BBT6-2 – Directory traversal payloads for easy wins
- BBT7-2 – Bypass email filter leading to SQL injection (JSON)
- BBT7-3 – Tests for identifying SQL injections 100%
- BBT7-4 – Test your SQL injections in an online sandbox database
- BBT8-2 – Find SQL injections (command combo)
Open redirect
- BBT1-5 – Top 25 open redirect dorks
- BBT6-3 – Find open redirect vulnerabilities with gf
- BBT10-9 – List of 48 open redirect parameters from HackerOne
File upload
- BBT3-8 – Top 10 what can you reach in case you uploaded..
- BBT4-4 – Handy extension list for file upload bugs
- BBT8-5 – Chaining file uploads with other vulns
- BBT10-2 – WAF bypass during exploitation of file upload
Tricks and Techniques
- BBT2-11 – HTTP Accept header modification
- BBT3-1 – HTTP Host header: localhost
- BBT4-1 – Price manipulation methods
- BBT4-13 – Bypass rate limits by adding X- HTTP headers
- BBT5-12 – Search for interesting parameters with gf
- BBT7-7 – How to quickly identify session invalidation issues
- BBT9-8 – WAF bypass using globbing
- BBT10-5 – Search for login portals and default creds
- BBT10-8 – Bypass WAF with Unicode characters
Account takeover
- BBT3-4 – Account takeover by JWT token forging
- BBT6-10 – Account takeover by reset token disclosure (Burp)
- BBT7-1 – Account takeover using secondary email in password reset
- BBT9-5 – Password poisoning bypass to account takeover
- BBT10-10 – Mass account takeover via BAC
403 / 401 bypass
- BBT4-5 – Access Admin panel by tampering with URI
- BBT4-6 – Bypass 403 Forbidden by tampering with URI
- BBT5-5 – How to find authentication bypass vulnerabilities
- BBT6-6 – Trick to access admin panel by adding %20
- BBT8-11 – Tips on bypassing 403 and 401 errors
- BBT9-1 – Bypass 403 errors by traversing deeper
- BBT10-7 – Automated 403 Forbidden bypasser tools
Fuzzing tips
- BBT5-6 – Simple ffuf bash one-liner helper
- BBT6-9 – Generate custom wordlist from any domain
- BBT7-6 – Burp Intruder without licensed Burp Pro (ffuf)
Other useful tips
- BBT1-4 – Extract zip file remotely
- BBT1-10 – Filter out noise in Burp Suite
- BBT3-12 – Mirror a web directory structure
- BBT5-14 – How to become a bug hunter
- BBT6-1 – Open arbitrary URL in Android app
- BBT8-1 – Intercepting traffic on iOS13 in Burp Suite
- BBT8-3 – Get scope of Bugcrowd programs in CLI
- BBT8-4 – GraphQL notes for beginners
- BBT9-2 – Prevent accidental copy & paste errors in terminal
- BBT10-11 – Top 20 search engines for hackers
References
- https://www.infosecmatter.com/bug-bounty-tips-1/
- https://www.infosecmatter.com/bug-bounty-tips-2-jun-30/
- https://www.infosecmatter.com/bug-bounty-tips-3-jul-21/
- https://www.infosecmatter.com/bug-bounty-tips-4-aug-03/
- https://www.infosecmatter.com/bug-bounty-tips-5-aug-17/
- https://www.infosecmatter.com/bug-bounty-tips-6-sep-07/
- https://www.infosecmatter.com/bug-bounty-tips-7-sep-27/
- https://www.infosecmatter.com/bug-bounty-tips-8-oct-14/
- https://www.infosecmatter.com/bug-bounty-tips-9-nov-16/
- https://www.infosecmatter.com/bug-bounty-tips-10-dec-24/