Bug Bounty Tips

This is a collection of all the bug bounty tips published on this website. I collected them from the bug hunting community on Twitter, whose members share their tips and knowledge to help all of us find more vulnerabilities and collect bug bounties.

Each tip contains a link to the original tweet and to the author of the tweet. Note that I have added additional information and details to most published tips for a better understanding of the technicalities.

Hope you will find it useful!

OSINT / Recon

Finding subdomains

  • BBT1-7 – Finding subdomains
  • BBT1-8 – Curl + parallel one-liner
  • BBT2-1 – Find subdomains with SecurityTrails API
  • BBT3-3 – Find related domains via favicon hash
  • BBT3-7 – Find subdomains using RapidDNS
  • BBT4-10 – A recon tip to find more subdomains (Shodan)
  • BBT7-10 – Find subdomains using ASNs with Amass

Asset and content discovery

  • BBT2-2 – Access hidden sign-up pages
  • BBT2-4 – Find hidden pages on Drupal
  • BBT2-6 – Find Spring Boot servers with Shodan
  • BBT2-7 – Forgotten database dumps
  • BBT2-10 – Find RocketMQ consoles with Shodan
  • BBT3-11 – Fuzz list for GIT and SVN files
  • BBT4-8 – Generate content discovery wordlist from URI
  • BBT5-3 – HTTP recon automation with httpx
  • BBT6-7 – Web servers on non-standard ports (Shodan)
  • BBT6-13 – Keep track of attack surface with Amass
  • BBT7-8 – Easy information disclosure with httpx
  • BBT8-12 – Find Kubernetes with Shodan
  • BBT9-12 – OneListForAll – “Rockyou” wordlist for web fuzzing
  • BBT10-1 – List of 24 Google dorks for bug bounties

Fingerprinting

  • BBT6-4 – Find out what websites are built with
  • BBT6-8 – Fingerprinting with Shodan and Nuclei engine
  • BBT8-8 – Database of 500 Favicon hashes (FavFreak)
  • BBT9-10 – Calculate favicon hash value for favicon recon

Data extraction

  • BBT1-2 – Use grep to extract URLs
  • BBT1-3 – Extract information from APK
  • BBT4-2 – Find JavaScript files using gau and httpx
  • BBT4-3 – Extract API endpoints from JavaScript files
  • BBT4-9 – Extract endpoints from APK files
  • BBT7-11 – Find JavaScript files with httpx and subjs
  • BBT7-12 – Unpack exposed JavaScript source map files
  • BBT9-3 – Full-featured JavaScript recon automation (JSFScan.sh)
  • BBT9-6 – Useful regex for subdomain level extraction

Sensitive information

  • BBT2-3 – Top 5 bug bounty Google dorks
  • BBT2-5 – Find sensitive information with gf
  • BBT3-13 – Find sensitive information with AlienVault OTX
  • BBT4-7 – Find database secrets in SVN repository
  • BBT4-12 – GitHub dorks for finding sensitive information
  • BBT5-2 – Sensitive data leakage using .json
  • BBT5-4 – Easy wins with Shodan dorks
  • BBT5-7 – Find access tokens with ffuf and gau
  • BBT5-8 – GitHub dorks for finding secrets
  • BBT5-9 – Use Google cache to find sensitive data
  • BBT6-12 – Phpinfo() with sensitive information
  • BBT7-9 – Recon leading to exposed debug endpoints
  • BBT7-13 – List of 14 Google dorks for recon and easy wins
  • BBT8-6 – GitHub dorks for AWS, Jira, Okta .. secrets
  • BBT9-13 – List of 9 tools for identifying sensitive information

Looking for vulnerabilities

  • BBT1-1 – Heartbleed vulnerability
  • BBT6-5 – Scanning at scale with Axiom
  • BBT6-11 – Top 20+ Burp extensions for bug bounty hunting
  • BBT7-14 – Find web servers vulnerable to CORS attacks
  • BBT8-10 – List of 12 Android security testing tools
  • BBT9-9 – Scan Jira for known CVEs and misconfigurations
  • BBT10-4 – Search for CVEs of specific year with Nuclei

Broken access control (BAC)

  • BBT1-6 – JWT token bypass
  • BBT2-9 – From employee offers to ID card
  • BBT5-10 – Trick to find more IDOR vulnerabilities
  • BBT8-13 – Multi-factor (2FA) authentication bypass
  • BBT10-6 – How to find access control bugs

Cross Site Scripting (XSS)

  • BBT1-9 – Simple XSS check
  • BBT3-2 – JavaScript polyglot for XSS
  • BBT3-9 – Tiny minimalistic XSS payloads
  • BBT4-11 – Find hidden GET parameters in JavaScript files
  • BBT5-13 – XSS payload as an image filename
  • BBT7-5 – Bypass WAF blocking “javascript:” in XSS
  • BBT8-7 – Simple reflected XSS scenario
  • BBT8-9 – XSS firewall bypass techniques
  • BBT9-4 – List of 25 tools for detecting XSS
  • BBT9-7 – Find XSS in Java applications in Boolean values
  • BBT10-12 – XSS payload in an XML file

Server Side Request Forgery (SSRF)

  • BBT3-6 – SSRF payloads to bypass WAF
  • BBT5-1 – Top 25 server-side request forgery (SSRF) parameters
  • BBT10-13 – SSRF Bypass list for localhost (127.0.0.1)

Local / Remote File Inclusion (LFI / RFI)

  • BBT3-10 – Top 25 local file inclusion (LFI) parameters
  • BBT9-11 – Browser-based application LFI via view-source
  • BBT10-3 – Turning LFI to RCE in PHP using ZIP wrapper

Injection (SQL, RCE..)

  • BBT2-8 – E-mail address payloads
  • BBT3-5 – Top 25 remote code execution (RCE) parameters
  • BBT5-11 – Valid email addresses with evil payloads
  • BBT6-2 – Directory traversal payloads for easy wins
  • BBT7-2 – Bypass email filter leading to SQL injection (JSON)
  • BBT7-3 – Tests for identifying SQL injections 100%
  • BBT7-4 – Test your SQL injections in an online sandbox database
  • BBT8-2 – Find SQL injections (command combo)

Open redirect

  • BBT1-5 – Top 25 open redirect dorks
  • BBT6-3 – Find open redirect vulnerabilities with gf
  • BBT10-9 – List of 48 open redirect parameters from HackerOne

File upload

  • BBT3-8 – Top 10 what can you reach in case you uploaded..
  • BBT4-4 – Handy extension list for file upload bugs
  • BBT8-5 – Chaining file uploads with other vulns
  • BBT10-2 – WAF bypass during exploitation of file upload

Tricks and Techniques

  • BBT2-11 – HTTP Accept header modification
  • BBT3-1 – HTTP Host header: localhost
  • BBT4-1 – Price manipulation methods
  • BBT4-13 – Bypass rate limits by adding X- HTTP headers
  • BBT5-12 – Search for interesting parameters with gf
  • BBT7-7 – How to quickly identify session invalidation issues
  • BBT9-8 – WAF bypass using globbing
  • BBT10-5 – Search for login portals and default creds
  • BBT10-8 – Bypass WAF with Unicode characters

Account takeover

  • BBT3-4 – Account takeover by JWT token forging
  • BBT6-10 – Account takeover by reset token disclosure (Burp)
  • BBT7-1 – Account takeover using secondary email in password reset
  • BBT9-5 – Password poisoning bypass to account takeover
  • BBT10-10 – Mass account takeover via BAC

403 / 401 bypass

  • BBT4-5 – Access Admin panel by tampering with URI
  • BBT4-6 – Bypass 403 Forbidden by tampering with URI
  • BBT5-5 – How to find authentication bypass vulnerabilities
  • BBT6-6 – Trick to access admin panel by adding %20
  • BBT8-11 – Tips on bypassing 403 and 401 errors
  • BBT9-1 – Bypass 403 errors by traversing deeper
  • BBT10-7 – Automated 403 Forbidden bypasser tools

Fuzzing tips

  • BBT5-6 – Simple ffuf bash one-liner helper
  • BBT6-9 – Generate custom wordlist from any domain
  • BBT7-6 – Burp Intruder without licensed Burp Pro (ffuf)

Other useful tips

  • BBT1-4 – Extract zip file remotely
  • BBT1-10 – Filter out noise in Burp Suite
  • BBT3-12 – Mirror a web directory structure
  • BBT5-14 – How to become a bug hunter
  • BBT6-1 – Open arbitrary URL in Android app
  • BBT8-1 – Intercepting traffic on iOS 13 in Burp Suite
  • BBT8-3 – Get scope of Bugcrowd programs in CLI
  • BBT8-4 – GraphQL notes for beginners
  • BBT9-2 – Prevent accidental copy & paste errors in terminal
  • BBT10-11 – Top 20 search engines for hackers