Resources-for-Beginner-Bug-Bounty-Hunters

This page is designated to hosts blog posts on particular vulnerability and techniques that have led to a bounty. If you would like to learn more about specific vulnerability types, please visit Vulnerability Types!

NahamSec’s Favorite Learning Resources

• HackerOne Hacktivity
• Bugcrowd Crowdstream
• The Daily Swig
• The Unofficial HackerOne Disclosure Timeline.
• Detectify Blog

Favorite Hacker Blogs

• Alex Champman
• Deesee
• EdOverflow
• Jon Bottarini
• Allyon O’Malley
• Orange Tsai
• Philippe Harewood
• Ron Chan
• Yassine Aboukir
• Shubham Shah
• spaceraccoon
• ziot
• zlz
• Vickie Li
• rez0
• MrTuxracer
• Pentest Book by six2dez
• Youssef Sammouda

Reddit

• /r/BugBounty
• r/websecurityresearch/
• r/howtohack
• r/netsec
• r/netsecstudents

Community Curated Blog Posts & Resource

• Awesome Google VRP Writeups
• Top HackerOne ReportsBy InsiderPhD
• How To Hunt

Blog posts & Disclosed Reports 📝

A collection of Blog Posts ordered by Vulnerability Types

• XSS
• SSRF
• SQL Injection
• HTTP Desync
• File Upload
• IDOR
• GraphQL
• RCE
• Recon
• API
• Misc
• Mobile
  • iOS
  • Android

XSS

You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:

• Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program - Sam Curry
• Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty - @th3_hidd3n_mist
• Reflected XSS in https://blocked.myndr.net - Thilakesh
• Facebook DOM Based XSS using postMessage
• [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities] (https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
• An XSS on Facebook via PNGs & Wonky Content Types
• Persistent DOM-based XSS in https://help.twitter.com via localStorage - harisec
• A Tale Of A DOM Based XSS In Paypal - Rafay Baloch
• H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing - filedescriptor
• Another XSS in Google Colaboratory - Michał Bentkowski
• Google adwords 3133.7$ Stored XSS - Emad Shanab
• Stored XSS on Facebook - Enguerran Gillier
• Yahoo Mail stored XSS - Jouko Pynnönen
• Yahoo Mail stored XSS #2 - Jouko Pynnönen
• Account Recovery XSS - Gábor Molnár

• [$6000 CRLF to XSS

  Microsoft Bug Bounty] (https://infosecwriteups.com/6000-with-microsoft-hall-of-fame-microsoft-firewall-bypass-crlf-to-xss-microsoft-bug-bounty-8f6615c47922)

SSRF

• A Glossary of Blind SSRF Chains
• A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

• Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks - Alyssa Herrera

  Hack.lu 2019

• Pivoting from blind SSRF to RCE with HashiCorp Consul
• Piercing the Veal - by d0nut
• CVE-2020-13379 - Unauthenticated Full-Read SSRF in Grafana
• MY EXPENSE REPORT RESULTED IN A SERVER-SIDE REQUEST FORGERY (SSRF) ON LYFT - by nahamsec
• How I found SSRF on TheFacebook.com
• [SSRF on Zimbra Led to Dump All Credentials in Clear Text] (https://infosecwriteups.com/story-of-a-2-5k-bounty-ssrf-on-zimbra-led-to-dump-all-credentials-in-clear-text-6fe826005ccc)
• SSRF in Exchange leads to ROOT access in all instances

SQL Injection

• Time-Based Blind SQL Injection In GraphQL - Divyanshu Shukla
• SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database - spaceraccoon
• Finding SQL injections fast with white-box analysis — a recent bug example - @frycos
• How we hacked one of the worlds largest Cryptocurrency Website - strynx
• Blind SQL Injection on windows10.hi-tech.mail.ru - Просто душка (api_0)
• How to Hack Database Links in SQL Server! - Antti Rantasaari

HTTP Desync

• HTTP Desync Attacks: Request Smuggling Reborn in combination with this report - James Kettle
• HTTP Request Smuggling on vpn.lob.com - 0X0 (painreigns)
• Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies - Evan Custodio

File Upload

• Webshell via File Upload on ecjobs.starbucks.com.cn - johnstone
• Facebook Messenger server random memory exposure through corrupted GIF image - @xdzmitry
• A Tale of Exploitation in Spreadsheet File Conversions - @bbuerhaus//@daeken//@erbbysam//@smiegles
• External XML Entity via File Upload (SVG) - by 0xatul

IDOR

• Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method - Vijay Kumar
• GraphQL IDOR leads to information disclosure - @R0X4R
• From Multiple IDORs leading to Code Execution on a different Host Container - @Rahul_R95
• Automating BURP to find IDORs - Aditya Soni
• Another image removal vulnerability on Facebook
• Stealing Your Private YouTube Videos, One Frame at a Time

GraphQL

• Private System Note Disclosure using GraphQL - Ron Chan
• Graphql Abuse to Steal Anyone’s Address - pratik yadav
• Email address of any user can be queried on Report Invitation GraphQL type when username is known - msdian7

RCE

• My First RCE (Stressed Employee gets me 2x bounty) - Abhishek Yadav
• How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber - by Andrewaeva

Automation & Recon

• How to: Recon & Content Discovery
• Subdomain Recon Using Certificate Search Technique
• Notes about NahamSec’s Recon Sessions - maverickNerd
• 10 Recon Tools For Bug Bounty - Anshuman Pattnaik
• Recon: Create a methodology and start your subdomain enumeration - by FailedNuke
• THEY SEE ME SCANNIN’, THEY HATIN’: A BEGINNER’S GUIDE TO NMAP - by Sophia (https://twitter.com/SecQueens)
• Fasten your Recon process using Shell Scripting - Mohd Shibli
• Beginner’s Guide to recon automation - Ashish Jha
• gitGraber: A tool to monitor GitHub in real-time to find sensitive data - by @adrien_jeanneau & @R_Marot

API

• 31 Days of API Security Tips - smodnix
• Exploiting Application-Level Profile Semantics (APLS)

Misc

• Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
• Abusing feature to steal your tokens - Harsh Jaiswal
• Zero-day in Sign in with Apple
• Account hijacking using “dirty dancing” in sign-in OAuth-flows By Frans Rosen
• Hacking GitHub with Unicode’s dotless ‘i’
• Abusing autoresponders and email bounces - securinti
• Abusing HTTP hop-by-hop request headers - @nj_dav
• Abusing ImageMagick to obtain RCE - strynx
• How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN - Alyssa Herrera
• Top 10 web hacking techniques of 2019 by James Kettle
• Understanding Search Syntax on Github by Github
• URL link spoofing (Slack) by Akaki Tsunoda (akaki)
• Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts by Sam Curry
• The Secret sauce of bug bounty by Mohamed Slamat
• Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty - Sam Curry
• TJnull’s Preparation Guide for PWK/OSCP

Mobile

iOS

• From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13 - spaceraccoon

  Android

• A deep dive into reversing Android pre-Installed apps and the

---

back to Intro Page