Resources-for-Beginner-Bug-Bounty-Hunters

Vulnerabilities 💉

This page is created to help hackers understand a specific vulnerability type in details.

• If you would like to get some hands on experience by hacking more in detailed labs, please read the labs page
• If you would like to read blog posts and see example vulnerability, please read the blog posts page

Online Resources & Frameworks

• Owasp Top 10
  • TryHackMe’s OWASP Top 10 Room
  • OWASP top 10 by Snyk
• OWASP Testing Guide v4
• Bug Bounty Cheat Sheets - by EdOverflow

• WebSecurity Academy by PortSwigger

As we start to build this repository, we’ll be adding more vulnerability types and resources for each one.

Cross-Site Scripting (XSS)

XSS is a great place to start as it’s one of the most popular and easiest vulnerabilities to find in a web application.

Reading Material

• WebSec Academy - Cross-Site Scripting
• OWASP XSS
• XSS Filter Evasion Cheat Sheet
• Cross-site scripting - Executing untrusted JavaScript in a trusted context
• A comprehensive tutorial on cross-site scripting
• The 7 main XSS cases everyone should know - brutelogic

  Video Content

• Cross-Site Scripting (XSS) Explained - by PwnFunction
• Finding Your First Bug: Cross Site Scripting (XSS) - by InsiderPhD

  Labs

• WebSec Academy - Labs
• xssLABS
• Codelatte
• Google XSS Game
• Pwnfunction XSS

Cross-Site Request Forgery (CSRF)

Reading Material

• WebSec Academy - CSRF
• CSRF-Basics - by Princethilak
• Cross Site Request Forgery (CSRF) by Snyk

  Videos

• Cross-Site Request Forgery Attack - by PwnFunction
• Finding Your First Bug: Cross-Site Request Forgery - by Insider PhD
• Cross Site Request Forgery - Computerphile

  Labs

• [WebSec Academy - CSRF Labs]https://portswigger.net/web-security/all-labs)

Insecure Direct Object Reference (IDOR)

Reading Material

• WebSec Academy - Insecure direct object references (IDOR) By PortSwigger
• Insecure Direct Object Reference (IDOR) by Intigriti
• IDOR tutorial hands-on – OWASP Top 10 training

  Videos

• Insecure Direct Object Reference Vulnerability - by PwnFunction
• Finding Your First Bug: Manual IDOR Hunting - by Insider PhD
• Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - by STÖK & Fisher

  Labs

• (WebSec Academy - IDOR Lab)[https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references]
• (IDOR on TryHackMe)[https://tryhackme.com/room/idor]
• (Corridor on TryHackMe)[https://tryhackme.com/room/corridor]

Server-Side Request Forgery

Reading Material

• WebSec Academy - Server-Side Request Forgery
• SSRF by OWASP
• What is server-side request forgery (SSRF)?
• Server-side request forgery - Unintended access to internal resources via exploited serve
• SSRF vulnerabilities and where to find them

  Videos

• (Find and Exploit Server-Side Request Forgery (SSRF))[https://www.youtube.com/watch?v=eVI0Ny5cZ2c]

• (Server-Side Request Forgery (SSRF)

  Complete Guide)[https://www.youtube.com/watch?v=ih5R_c16bKc&t=1s]

• SSRF in 100 seconds
• How To Search For SSRF!
• How to exploit a blind SSRF?

Labs

• WebSec Academy - Server-Side Request Forgery Labs
• WebSec Academy - Blind SSRF vulnerabilities
• Server-Side Request Forgery (SSRF) vulnerable Lab
• Server-Side Request Forgery on TryHackMe

  XML External Entities (XXE)

  Reading Material

• WebSec Academy - XML External Entity (XXE) injection
• XML External Entity (XXE) Processing by OWASP
• How to Find XXE Bugs: Severe, Missed and Misunderstood by Luke Stephens

  Videos

• XML External Entities ft. JohnHammond - by PwnFunction
• How to search for XXE!
• How to run an XXE injection via an SVG Image Upload!

  Labs

• WebSec Academy - XML External Entity (XXE) Labs
• XXE Lab (On GitHub)

---

back to Intro Page