added changelog

This commit is contained in:
AshF0x 2020-01-07 13:49:14 +01:00
parent 702addf2a7
commit 8d79f9436c
6 changed files with 142 additions and 109 deletions


@ -4,8 +4,10 @@
There are a number of new hackers joining the community on a regular basis and more than often the first thing they ask is "How do I get started and what are some good resources?". As a hacker, there a ton of techniques, terminologies, and topics you need to familiarize yourself with to understand how an application works. Cody Brocious [(@daeken)](http://twitter.com/daeken), I put these resources together in order to help new hackers with resources to learn the basics of Web Application Security.
We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!
[Updates: See what's new!](/assets/basics.md)
We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!<br>
[Changelog: See what's new!](/assets/changelog.md)
---
## Table of Contents
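Review bot: the new line "We understand that there are more resources ... near future!<br>" forces a line break with raw HTML; a blank line between that sentence and the changelog link renders the same and keeps the README plain Markdown. While this paragraph is being touched, the unchanged line above it, "Cody Brocious [(@daeken)](http://twitter.com/daeken), I put these resources together", is missing "and" before "I".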


@ -18,84 +18,92 @@ A collection of Blog Posts ordered by Vulnerability Types
- [Automation](#Automation)
- [Buffer Overflow](#Buffer-Overflow)
- [IDOR](#IDOR)
- [GraphQL](#GraphQL)
- [Misc](#Misc)
## XSS
You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:
- [XSS on Google Search - Sanitizing HTML in The Client?](https://www.youtube.com/watch?v=lG7U3fuNw3A) - by LiveOverflow
- [XSS on Google Search - Sanitizing HTML in The Client?](https://www.youtube.com/watch?v=lG7U3fuNw3A) - LiveOverflow
- [The Fix](https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa)
- [Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program](https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/) - by [Sam Curry](https://twitter.com/samwcyo)
- [Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty](https://medium.com/bugbountywriteup/effortlessly-finding-cross-site-script-inclusion-xssi-jsonp-for-bug-bounty-38ae0b9e5c8a) - by [@th3_hidd3n_mist](https://twitter.com/th3_hidd3n_mist)
- [Microsoft Edge (Chromium) - EoP via XSS to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/) - by [@Qab](https://twitter.com/qab)
- [Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program](https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/) - [Sam Curry](https://twitter.com/samwcyo)
- [Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty](https://medium.com/bugbountywriteup/effortlessly-finding-cross-site-script-inclusion-xssi-jsonp-for-bug-bounty-38ae0b9e5c8a) - [@th3_hidd3n_mist](https://twitter.com/th3_hidd3n_mist)
- [Microsoft Edge (Chromium) - EoP via XSS to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/) - [@Qab](https://twitter.com/qab)
### DOM XSS
- https://hackerone.com/reports/297968
- https://hackerone.com/reports/168165
- https://www.rafaybaloch.com/2017/06/a-tale-of-dom-based-xss-in-paypal.html
- [Persistent DOM-based XSS in https://help.twitter.com via localStorage](https://hackerone.com/reports/297968) - harisec
- [DOM based XSS in search functionality](https://hackerone.com/reports/168165) - sameoldstory
- [A Tale Of A DOM Based XSS In Paypal](https://www.rafaybaloch.com/2017/06/a-tale-of-dom-based-xss-in-paypal.html) - Rafay Baloch
- [H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing](https://hackerone.com/reports/422043) - filedescriptor
### Stored XSS
- https://blog.bentkowski.info/2018/09/another-xss-in-google-colaboratory.html
- https://medium.com/@Alra3ees/google-adwords-3133-7-stored-xss-27bb083b8d27
- https://opnsec.com/2018/03/stored-xss-on-facebook/
- https://klikki.fi/adv/yahoo.html
- https://klikki.fi/adv/yahoo2.html
- https://hackerone.com/reports/422043
- https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss
- [Another XSS in Google Colaboratory](https://blog.bentkowski.info/2018/09/another-xss-in-google-colaboratory.html) - Michał Bentkowski
- [Google adwords 3133.7$ Stored XSS](https://medium.com/@Alra3ees/google-adwords-3133-7-stored-xss-27bb083b8d27) - Emad Shanab
- [Stored XSS on Facebook](https://opnsec.com/2018/03/stored-xss-on-facebook/) - Enguerran Gillier
- [Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html) - Jouko Pynnönen
- [Yahoo Mail stored XSS #2](https://klikki.fi/adv/yahoo2.html) - Jouko Pynnönen
- [Account Recovery XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) - Gábor Molnár
### CSP Bypass
- https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html
## SSRF
- [DEF CON 27 Conference - Ben Sadeghipour - Owning The Clout Through Server Side Request Forgery](https://www.youtube.com/watch?v=o-tL9ULF0KI)<br>- Nahamsec & daeken | DEFCON 2019
- [Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks](https://peertube.opencloud.lu/videos/watch/40f39bfe-6d3c-40f5-bcab-43f20944ca6a)<br>- Alyssa Herrera | Hack.lu 2019
- [Vimeo upload function SSRF](https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437) - by Sayed Abdelhafiz
- [Vimeo upload function SSRF](https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437) - Sayed Abdelhafiz
## Vulnerability Scanning
- [NMAP For Vulnerability Discovery](https://www.peerlyst.com/posts/nmap-for-vulnerability-discovery-sachin-wagh) - by Sachin Wagh
- [NMAP For Vulnerability Discovery](https://www.peerlyst.com/posts/nmap-for-vulnerability-discovery-sachin-wagh) - Sachin Wagh
## Token / Authentication
- [Abusing feature to steal your tokens](https://medium.com/@rootxharsh_90844/abusing-feature-to-steal-your-tokens-f15f78cebf74) - by Harsh Jaiswal
- [How I was able to bypass OTP code requirement in Razer [The story of a critical bug]](https://medium.com/bugbountywriteup/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572?) - by Ananda Dhakal
- [Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html) - by [@not_aardvark](https://twitter.com/not_aardvark)
- [Abusing feature to steal your tokens](https://medium.com/@rootxharsh_90844/abusing-feature-to-steal-your-tokens-f15f78cebf74) - Harsh Jaiswal
- [How I was able to bypass OTP code requirement in Razer [The story of a critical bug]](https://medium.com/bugbountywriteup/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572?) - Ananda Dhakal
- [Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html) - [@not_aardvark](https://twitter.com/not_aardvark)
## SQL Injection
- [Time-Based Blind SQL Injection In GraphQL](https://medium.com/bugbountywriteup/time-based-blind-sql-injection-in-graphql-39a25a1dfb3c) - Divyanshu Shukla
- [SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database](https://hackerone.com/reports/531051) - by spaceraccoon
- [SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database](https://hackerone.com/reports/531051) - spaceraccoon
- [Finding SQL injections fast with white-box analysis — a recent bug example](https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76?) - [@frycos](https://twitter.com/frycos)
- [How we hacked one of the worlds largest Cryptocurrency Website](https://strynx.org/insecure-crypto-code-execution/) - [strynx](https://strynx.org/)
## Mobile
### iOS
- [From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13](https://spaceraccoon.dev/from-checkra1n-to-frida-ios-app-pentesting-quickstart-on-ios-13) - by spaceraccoon
- [From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13](https://spaceraccoon.dev/from-checkra1n-to-frida-ios-app-pentesting-quickstart-on-ios-13) - spaceraccoon
## Android
- [A deep dive into reversing Android pre-Installed apps](https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf) and the [BlackHat Talk](https://www.youtube.com/watch?v=U6qTcpCfuFc) - by Maddie Stone
- [A deep dive into reversing Android pre-Installed apps](https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf) and the [BlackHat Talk](https://www.youtube.com/watch?v=U6qTcpCfuFc) - Maddie Stone
## HTTP Desync
- [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) in combination with this [report](https://hackerone.com/reports/510152) - by [James Kettle](https://twitter.com/albinowax)
- [HTTP Request Smuggling on vpn.lob.com](https://hackerone.com/reports/694604) - by 0X0 (painreigns)
- [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) in combination with this [report](https://hackerone.com/reports/510152) - [James Kettle](https://twitter.com/albinowax)
- [HTTP Request Smuggling on vpn.lob.com](https://hackerone.com/reports/694604) - 0X0 (painreigns)
## File Upload
- [Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646) - by johnstone
- [Facebook Messenger server random memory exposure through corrupted GIF image ](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) - by [@xdzmitry](https://twitter.com/xdzmitry)
- [A Tale of Exploitation in Spreadsheet File Conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/) - by [@bbuerhaus](https://twitter.com/bbuerhaus)[@daeken](https://twitter.com/daeken)[@erbbysam](https://twitter.com/erbbysam)[@smiegles](https://twitter.com/smiegles)
- [Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646) - johnstone
- [Facebook Messenger server random memory exposure through corrupted GIF image ](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) - [@xdzmitry](https://twitter.com/xdzmitry)
- [A Tale of Exploitation in Spreadsheet File Conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/) - [@bbuerhaus](https://twitter.com/bbuerhaus)//[@daeken](https://twitter.com/daeken)//[@erbbysam](https://twitter.com/erbbysam)//[@smiegles](https://twitter.com/smiegles)
## Automation
- [Fasten your Recon process using Shell Scripting](https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a) - by Mohd Shibli
- [Beginners Guide to recon automation](https://medium.com/bugbountywriteup/beginners-guide-to-recon-automation-f95b317c6dbb) - by Ashish Jha
- [Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)](https://www.youtube.com/watch?v=3K1-a7dnA60) - by STÖK & Fisher
- [Fasten your Recon process using Shell Scripting](https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a) - Mohd Shibli
- [Beginners Guide to recon automation](https://medium.com/bugbountywriteup/beginners-guide-to-recon-automation-f95b317c6dbb) - Ashish Jha
- [Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)](https://www.youtube.com/watch?v=3K1-a7dnA60) - STÖK & Fisher
## Buffer Overflow
- [Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty](https://samcurry.net/filling-in-the-blanks-exploiting-null-byte-buffer-overflow-for-a-40000-bounty/) - by [Sam Curry](https://twitter.com/samwcyo)
- [Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty](https://samcurry.net/filling-in-the-blanks-exploiting-null-byte-buffer-overflow-for-a-40000-bounty/) - [Sam Curry](https://twitter.com/samwcyo)
## IDOR
- [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - by [Vijay Kumar ](https://twitter.com/IndoAppSec)
- [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - by [@R0X4R](https://twitter.com/R0X4R)
- [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) by [@Rahul_R95](https://twitter.com/Rahul_R95)
- [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - [Vijay Kumar ](https://twitter.com/IndoAppSec)
- [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - [@R0X4R](https://twitter.com/R0X4R)
- [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) - [@Rahul_R95](https://twitter.com/Rahul_R95)
## GraphQL
- [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
- [Graphql Abuse to Steal Anyones Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
## Misc
- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) by [maverickNerd](https://github.com/maverickNerd)
- [Writing a Simple Buffer Overflow Exploit](https://www.youtube.com/watch?v=oS2O75H57qU) by LiveOverflow
- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
- [Writing a Simple Buffer Overflow Exploit](https://www.youtube.com/watch?v=oS2O75H57qU) - LiveOverflow
- [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
- [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) by securinti
- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) by [@nj_dav](https://twitter.com/nj_dav)
- [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) by James Kettle
- [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) - securinti
- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - [@nj_dav](https://twitter.com/nj_dav)
- [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
- [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
---
back to [Intro Page](/README.md)
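Review bot: the "CSP Bypass" entry (https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html) is the only link left as a bare URL after this cleanup; give it a title and author the way the DOM XSS and Stored XSS entries now have. Two consistency points in the rewritten lines: the Spreadsheet File Conversions entry separates its four authors with "//" while the Automation entry uses "&" ("STÖK & Fisher"), and "## Android" sits at the same level as "## Mobile" while "### iOS" is nested under it, so Android should be "### Android". The trailing "?" on two Medium URLs and the trailing spaces inside "[... corrupted GIF image ]" and "[Vijay Kumar ]" were carried over unchanged and could be trimmed here.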

assets/changelog.md Normal file

@ -0,0 +1,20 @@
# Resources-for-Beginner-Bug-Bounty-Hunters
## Changelog
Updates to this repo will be pushed monthly. You can read about the latest changes below.
## Update 2020.01
### Added
- New changelog page
- New content in [Blogposts](/assets/blogposts.md)
- Designated section to get started with [Burp Suite](/assets/setup.md#setup)
- Link from the Burp Tool section to the setup guide
- Recon Pi to [Tools](/assets/tools.md#others)
### Changed
- Updated the Twitter Descriptions in [media.md](/assets/media.md)
- Cleaned up [Setup Page](/assets/setup.md)
- Cleaned up [Blogposts Page](/assets/blogposts.md)
---
back to [Intro Page](/README.md)
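Review bot: the "Added" entry "Designated section to get started with Burp Suite" links to /assets/setup.md#setup, but the section this commit introduces is headed "## Burp Suite", for which GitHub generates the fragment "#burp-suite"; "#setup" resolves to the page's Setup heading instead. The same fragment is used by the new link in the Burp Suite row of tools.md. "New content in Blogposts" would also be more useful if it listed the entries that were added, so the changelog can be read on its own.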


@ -45,71 +45,70 @@ In general ["no starch press"](https://nostarch.com/catalog/security) offers gre
## Twitter
This List does not exclusively contains Bug Bounty themed Accounts but a broad variety of InfoSec and Hacking.<br>
Descriptions will be added later!.
| Name | Topics |
| ------------------------------------------------------- | ------ |
| [@Alyssa*Herrera*](https://twitter.com/Alyssa_Herrera_) |BB|
| [@Bugcrowd](https://twitter.com/Bugcrowd) |BB, Platform|
| [@DailySwig](https://twitter.com/DailySwig) |Web Technologie, News|
| [@DanielMiessler](https://twitter.com/DanielMiessler) |Security, Researcher, [SecLists](https://github.com/danielmiessler/SecLists)|
| [@Dinosn](https://twitter.com/Dinosn) |Researcher, News, Tools|
| [@EdOverflow](https://twitter.com/EdOverflow) |Developer, Researcher, @LiveOverflow in disguise|
| [@GoogleVRP](https://twitter.com/GoogleVRP) |VRP, Program|
| [@GossiTheDog](https://twitter.com/GossiTheDog) |Researcher|
| [@Hacker0x01](https://twitter.com/Hacker0x01) |BB, Platform|
| [@HackerSploit](https://twitter.com/HackerSploit) |General Hacking, Youtuber|
| [@InsiderPhD](https://twitter.com/InsiderPhD) |BB, Teaching, YouTuber, Beginner friendy content|
| [@JHaddix](https://twitter.com/Jhaddix) |BB, Bugcrowd, Streaming|
| [@KitPloit](https://twitter.com/KitPloit) |News, Tools|
| [@LiveOverflow](https://twitter.com/LiveOverflow) |Hacking, CTF, Teaching, YouTuber, @EdOverflow in disguise|
| [@MalwareTechBlog](https://twitter.com/MalwareTechBlog) |RE, Security, Hacking, News|
| [@NahamSec](https://twitter.com/NahamSec) |BB, Teaching, Streaming|
| [@Peerlyst](https://twitter.com/Peerlyst) |Articles, Peer Powered Publications|
| [@PortSwigger](https://twitter.com/PortSwigger) |BB, News, BurpSuite|
| [@PwnFunction](https://twitter.com/PwnFunction) |YouTuber, Teaching, Web Technologie|
| [@Regala\_](https://twitter.com/Regala_)(Fisher) |BB, DISTURBANCE, Podcaster|
| [@Rosenawesome](https://twitter.com/Rosenawesome) |Hacking, Events|
| [@TheBlindHacker](https://twitter.com/TheBlindHacker) |Hacking, Streamer|
| [@TheHackerNews](https://twitter.com/TheHackersNews) |News|
| [@TheParanoids](https://twitter.com/TheParanoids) |BB, "Program"|
| [@TomNomNom](https://twitter.com/TomNomNom) |Coding, BB, Hacking, DISTURBANCE, Tools|
| [@\_johnhammond](https://twitter.com/_johnhammond) |Hacking, Web Technologies, Coding, CTF|
| [@\_sn0ww](https://twitter.com/_sn0ww) |Social Enineering, OSINT|
| [@ajxchapman](https://twitter.com/ajxchapman) |BB, Researcher|
| [@albinowax](https://twitter.com/albinowax) |News, BB, Web Technologies, Researcher, BurpSuite|
| [@autothreat](https://twitter.com/autothreat) |Hacking, Cars|
| [@brutelogic](https://twitter.com/brutelogic) |Researcher, Teaching, XSS|
| [@ceos3c](https://twitter.com/ceos3c) |YouTuber, General Hacking, Teaching|
| [@d0nutptr](https://twitter.com/d0nutptr) |Rust.|
| [@daeken](https://twitter.com/daeken) |BB, Researcher|
| [@evilsocket](https://twitter.com/evilsocket) |Hacking, Coding, Hardware, Tools|
| [@firebounty](https://twitter.com/firebounty) |BB, Platform|
| [@fluxfingers](https://twitter.com/fluxfingers) |CTF|
| [@fs0c131y](https://twitter.com/fs0c131y) |Mobile Applications, Hacking, Web Technologies, Researcher|
| [@hakluke](https://twitter.com/hakluke) |Researcher, Coding, Tools|
| [@intigriti](https://twitter.com/intigriti) |BB, Platform|
| [@jerh17](https://twitter.com/jerh17) |BB, Researcher, Platform|
| [@lorenzofb](https://twitter.com/lorenzofb) |Journalist|
| [@maddiestone](https://twitter.com/maddiestone) |Project Zero, Researcher|
| [@malwareunicorn](https://twitter.com/malwareunicorn) |Researcher, RE, Malware, Unicorn|
| [@mongobug](https://twitter.com/mongobug) |BB, Researcher|
| [@nahamsec](https://twitter.com/nahamsec) |BB, Researcher, YouTuber, Streamer, Teaching, Recon|
| [@nnwakelam](https://twitter.com/nnwakelam) |BB, Researcher|
| [@openbugbounty](https://twitter.com/openbugbounty) |Platform|
| [@orange_8361](https://twitter.com/orange_8361) |BB, Researcher|
| [@owasp](https://twitter.com/owasp) |OWASP|
| [@samykamkar](https://twitter.com/samykamkar) |Hacking, News, Tools, Hardware|
| [@securinti](https://twitter.com/securinti) |Researcher, BB|
| [@spaceraccoonsec](https://twitter.com/spaceraccoonsec) |Researcher, BB|
| [@stokfredrik](https://twitter.com/stokfredrik) |Researcher, BB, YouTuber, Teaching, Sunglasses|
| [@synack](https://twitter.com/synack) |Platform, Team, BB|
| [@thecybermentor](https://twitter.com/thecybermentor) |Streamer, Youtuber, General Hacking, Teaching|
| [@thedawgyg](https://twitter.com/thedawgyg) |BB|
| [@thegrugq](https://twitter.com/thegrugq) |Researcher|
| [@yaworsk](https://twitter.com/yaworsk) |BB, Researcher, Author|
| [@yeswehack](https://twitter.com/yeswehack) |BB, Platform|
| [@zseano](https://twitter.com/zseano) |BB, Teaching|
| Name | Topics |
| ------------------------------------------------------- | ---------------------------------------------------------------------------- |
| [@Alyssa*Herrera*](https://twitter.com/Alyssa_Herrera_) | BB |
| [@Bugcrowd](https://twitter.com/Bugcrowd) | BB, Platform |
| [@DailySwig](https://twitter.com/DailySwig) | Web Technologie, News |
| [@DanielMiessler](https://twitter.com/DanielMiessler) | Security, Researcher, [SecLists](https://github.com/danielmiessler/SecLists) |
| [@Dinosn](https://twitter.com/Dinosn) | Researcher, News, Tools |
| [@EdOverflow](https://twitter.com/EdOverflow) | Developer, Researcher, @LiveOverflow in disguise |
| [@GoogleVRP](https://twitter.com/GoogleVRP) | VRP, Program |
| [@GossiTheDog](https://twitter.com/GossiTheDog) | Researcher |
| [@Hacker0x01](https://twitter.com/Hacker0x01) | BB, Platform |
| [@HackerSploit](https://twitter.com/HackerSploit) | General Hacking, Youtuber |
| [@InsiderPhD](https://twitter.com/InsiderPhD) | BB, Teaching, YouTuber, Beginner friendy content |
| [@JHaddix](https://twitter.com/Jhaddix) | BB, Bugcrowd, Streaming |
| [@KitPloit](https://twitter.com/KitPloit) | News, Tools |
| [@LiveOverflow](https://twitter.com/LiveOverflow) | Hacking, CTF, Teaching, YouTuber, @EdOverflow in disguise |
| [@MalwareTechBlog](https://twitter.com/MalwareTechBlog) | RE, Security, Hacking, News |
| [@NahamSec](https://twitter.com/NahamSec) | BB, Teaching, Streaming |
| [@Peerlyst](https://twitter.com/Peerlyst) | Articles, Peer Powered Publications |
| [@PortSwigger](https://twitter.com/PortSwigger) | BB, News, BurpSuite |
| [@PwnFunction](https://twitter.com/PwnFunction) | YouTuber, Teaching, Web Technologie |
| [@Regala\_](https://twitter.com/Regala_)(Fisher) | BB, DISTURBANCE, Podcaster |
| [@Rosenawesome](https://twitter.com/Rosenawesome) | Hacking, Events |
| [@TheBlindHacker](https://twitter.com/TheBlindHacker) | Hacking, Streamer |
| [@TheHackerNews](https://twitter.com/TheHackersNews) | News |
| [@TheParanoids](https://twitter.com/TheParanoids) | BB, "Program" |
| [@TomNomNom](https://twitter.com/TomNomNom) | Coding, BB, Hacking, DISTURBANCE, Tools |
| [@\_johnhammond](https://twitter.com/_johnhammond) | Hacking, Web Technologies, Coding, CTF |
| [@\_sn0ww](https://twitter.com/_sn0ww) | Social Enineering, OSINT |
| [@ajxchapman](https://twitter.com/ajxchapman) | BB, Researcher |
| [@albinowax](https://twitter.com/albinowax) | News, BB, Web Technologies, Researcher, BurpSuite |
| [@autothreat](https://twitter.com/autothreat) | Hacking, Cars |
| [@brutelogic](https://twitter.com/brutelogic) | Researcher, Teaching, XSS |
| [@ceos3c](https://twitter.com/ceos3c) | YouTuber, General Hacking, Teaching |
| [@d0nutptr](https://twitter.com/d0nutptr) | BB, Researcher, (Rust.) |
| [@daeken](https://twitter.com/daeken) | BB, Researcher |
| [@evilsocket](https://twitter.com/evilsocket) | Hacking, Coding, Hardware, Tools |
| [@firebounty](https://twitter.com/firebounty) | BB, Platform |
| [@fluxfingers](https://twitter.com/fluxfingers) | CTF |
| [@fs0c131y](https://twitter.com/fs0c131y) | Mobile Applications, Hacking, Web Technologies, Researcher |
| [@hakluke](https://twitter.com/hakluke) | Researcher, Coding, Tools |
| [@intigriti](https://twitter.com/intigriti) | BB, Platform |
| [@jerh17](https://twitter.com/jerh17) | BB, Researcher, Platform |
| [@lorenzofb](https://twitter.com/lorenzofb) | Journalist |
| [@maddiestone](https://twitter.com/maddiestone) | Project Zero, Researcher |
| [@malwareunicorn](https://twitter.com/malwareunicorn) | Researcher, RE, Malware, Unicorn |
| [@mongobug](https://twitter.com/mongobug) | BB, Researcher |
| [@nahamsec](https://twitter.com/nahamsec) | BB, Researcher, YouTuber, Streamer, Teaching, Recon |
| [@nnwakelam](https://twitter.com/nnwakelam) | BB, Researcher |
| [@openbugbounty](https://twitter.com/openbugbounty) | Platform |
| [@orange_8361](https://twitter.com/orange_8361) | BB, Researcher |
| [@owasp](https://twitter.com/owasp) | OWASP |
| [@samykamkar](https://twitter.com/samykamkar) | Hacking, News, Tools, Hardware |
| [@securinti](https://twitter.com/securinti) | Researcher, BB |
| [@spaceraccoonsec](https://twitter.com/spaceraccoonsec) | Researcher, BB |
| [@stokfredrik](https://twitter.com/stokfredrik) | Researcher, BB, YouTuber, Teaching, Sunglasses |
| [@synack](https://twitter.com/synack) | Platform, Team, BB |
| [@thecybermentor](https://twitter.com/thecybermentor) | Streamer, Youtuber, General Hacking, Teaching |
| [@thedawgyg](https://twitter.com/thedawgyg) | BB |
| [@thegrugq](https://twitter.com/thegrugq) | Researcher |
| [@yaworsk](https://twitter.com/yaworsk) | BB, Researcher, Author |
| [@yeswehack](https://twitter.com/yeswehack) | BB, Platform |
| [@zseano](https://twitter.com/zseano) | BB, Teaching |
---
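Review bot: the rewritten rows keep several typos from the old table that this reformat was the chance to fix: "Technologie" (twice), "friendy", "Enineering", and "Youtuber" alongside "YouTuber". The first row's "@Alyssa*Herrera*" is an unescaped-underscore artifact (the handle is @Alyssa_Herrera_); escape it as "@Alyssa\_Herrera\_" the way "@Regala\_" already is. "[@TheHackerNews](https://twitter.com/TheHackersNews)" has a handle/URL mismatch. In the unchanged intro, "does not exclusively contains" should be "contain", and "later!." has a stray period.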


@ -7,10 +7,13 @@ This section will help you set up your testing environement.
- [Setting up virtualbox + linux](https://linuxconfig.org/how-to-install-kali-linux-on-virtualbox)
- [Docker For Pentesting And Bug Bounty Hunting](https://www.youtube.com/watch?v=5G6tA8Q9AuQ)
- [Basics of UNIX](https://lifehacker.com/5633909/who-needs-a-mouse-learn-to-use-the-command-line-for-almost-anything)
- [Setting up Burp (Video Series)](https://www.hacker101.com/playlists/burp_suite) by Hacker101
- [Burp Suite Introduction](https://github.com/bugcrowd/bugcrowd_university/blob/master/An_introduction_to_Burp_Suite/Bugcrowd%20University%20-%20Burp%20Suite%20Introduction.pdf) by Jason Haddix
- [Burp Hacks for Bounty Hunters](https://www.youtube.com/watch?v=boHIjDHGmIo) by James Kettle
- [Previously Disclosed Vulnerabilities / HackerOne Hacktivity](https://hackerone.com/hacktivity)
## Burp Suite
This section should help you get familiar with BurpSuite.
- [Setting up Burp (Video Series)](https://www.hacker101.com/playlists/burp_suite) by Hacker101
- [Burp Suite Introduction](https://github.com/bugcrowd/bugcrowd_university/blob/master/An_introduction_to_Burp_Suite/Bugcrowd%20University%20-%20Burp%20Suite%20Introduction.pdf) by Jason Haddix
- [Beginners Guide to Burpsuite Payloads (Part 1)](https://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/) by Raj Chandel
- [Burp Hacks for Bounty Hunters](https://www.youtube.com/watch?v=boHIjDHGmIo) by James Kettle
---
back to [Intro Page](/README.md)
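Review bot: "Beginners Guide to Burpsuite Payloads (Part 1)" is the only new entry in this hunk; the other three Burp lines are moved out of the Setup list, which the changelog could say explicitly. In the unchanged context, "environement" should be "environment", and the new intro sentence spells the product "BurpSuite" while the heading directly above it uses "Burp Suite".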


@ -15,7 +15,7 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
### Proxy & Network Sniffer
| Name | Description | Written in | Created by |
|------ |------------- |------------ |------------- |
|[Burp Suite](https://portswigger.net/burp)|A Proxy to intercept and manipulate Web Traffic (free & paid version).|Java|Port Swigger|
|[Burp Suite](https://portswigger.net/burp)|A Proxy to intercept and manipulate Web Traffic (free & paid version). [Here](/assets/setup.md#setup) you can find Tips & Tricks to get started with Burp.|Java|Port Swigger|
|[OWASP Zap Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)|A Proxy to intercept and manipulate Web Traffic (free).|Java|OWASP|
|[Wireshark](https://www.wireshark.org)|Wireshark is a network protocol analyzer that lets you capture and read network packets.|C, C++|The Wireshark team|
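Review bot: the link text "Here" in the new Burp Suite description is non-descriptive; prefer wording such as "See the [Burp Suite setup guide](/assets/setup.md#burp-suite)". Note also that "#setup" targets the page-level Setup heading, not the new "## Burp Suite" section, whose generated anchor is "#burp-suite". The unchanged "Port Swigger" in the Created by column is written "PortSwigger" by the vendor.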
@ -78,6 +78,7 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
| Name | Description | Written in | Created by |
|------ |------------- | ------------ |------------- |
|[SecLists](https://github.com/danielmiessler/SecLists)|A huge collection of word lists for hacking.||Daniel Miessler|
|[Recon Pi](https://github.com/x1mdev/ReconPi)|A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi.||[@x1m_martijn](https://twitter.com/x1m_martijn)|
---
back to [Intro Page](/README.md)
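Review bot: the new Recon Pi row leaves the "Written in" column empty; SecLists can get away with that because it is a collection of wordlists, but Recon Pi is a tool, so state its language or put "n/a". "performs extensive reconnaissance with the latest tools" is also vague; name what kind of reconnaissance it automates (subdomain enumeration, port scanning, and so on, per the project's README) so the row is as informative as the others in this table.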