mirror of
https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters.git
synced 2024-11-25 05:00:24 +00:00
15 KiB
Resources-for-Beginner-Bug-Bounty-Hunters
This page is designated to host blog posts on particular vulnerabilities and techniques that have led to a bounty. If you would like to learn more about specific vulnerability types, please visit Vulnerability Types!
NahamSec's Favorite Learning Resources
- HackerOne Hacktivity
- Bugcrowd Crowdstream
- The Daily Swig
- The Unofficial HackerOne Disclosure Timeline
- Detectify Blog
Favorite Hacker Blogs
- Alex Chapman
- Deesee
- EdOverflow
- Jon Bottarini
- Allyson O'Malley
- Orange Tsai
- Philippe Harewood
- Ron Chan
- Yassine Aboukir
- Shubham Shah
- spaceraccoon
- ziot
- zlz
- Vickie Li
- rez0
- MrTuxracer
- Pentest Book by six2dez
- Youssef Sammouda
Community Curated Blog Posts & Resources
Blog posts & Disclosed Reports 📝
A collection of Blog Posts ordered by Vulnerability Types
XSS
You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:
- Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program - Sam Curry
- Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty - @th3_hidd3n_mist
- Reflected XSS in https://blocked.myndr.net - Thilakesh
- Facebook DOM Based XSS using postMessage
- [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
- An XSS on Facebook via PNGs & Wonky Content Types
- Persistent DOM-based XSS in https://help.twitter.com via localStorage - harisec
- A Tale Of A DOM Based XSS In Paypal - Rafay Baloch
- H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing - filedescriptor
- Another XSS in Google Colaboratory - Michał Bentkowski
- Google adwords 3133.7$ Stored XSS - Emad Shanab
- Stored XSS on Facebook - Enguerran Gillier
- Yahoo Mail stored XSS - Jouko Pynnönen
- Yahoo Mail stored XSS #2 - Jouko Pynnönen
- Account Recovery XSS - Gábor Molnár
- [$6000 CRLF to XSS | Microsoft Bug Bounty](https://infosecwriteups.com/6000-with-microsoft-hall-of-fame-microsoft-firewall-bypass-crlf-to-xss-microsoft-bug-bounty-8f6615c47922)
SSRF
- A Glossary of Blind SSRF Chains
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
- Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks
- Alyssa Herrera | Hack.lu 2019 - Pivoting from blind SSRF to RCE with HashiCorp Consul
- Piercing the Veal - by d0nut
- CVE-2020-13379 - Unauthenticated Full-Read SSRF in Grafana
- MY EXPENSE REPORT RESULTED IN A SERVER-SIDE REQUEST FORGERY (SSRF) ON LYFT - by nahamsec
- How I found SSRF on TheFacebook.com
- [SSRF on Zimbra Led to Dump All Credentials in Clear Text](https://infosecwriteups.com/story-of-a-2-5k-bounty-ssrf-on-zimbra-led-to-dump-all-credentials-in-clear-text-6fe826005ccc)
- SSRF in Exchange leads to ROOT access in all instances
SQL Injection
- Time-Based Blind SQL Injection In GraphQL - Divyanshu Shukla
- SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database - spaceraccoon
- Finding SQL injections fast with white-box analysis — a recent bug example - @frycos
- How we hacked one of the world's largest Cryptocurrency Websites - strynx
- Blind SQL Injection on windows10.hi-tech.mail.ru - Просто душка (api_0)
- How to Hack Database Links in SQL Server! - Antti Rantasaari
HTTP Desync
- HTTP Desync Attacks: Request Smuggling Reborn in combination with this report - James Kettle
- HTTP Request Smuggling on vpn.lob.com - 0X0 (painreigns)
- Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies - Evan Custodio
File Upload
- Webshell via File Upload on ecjobs.starbucks.com.cn - johnstone
- Facebook Messenger server random memory exposure through corrupted GIF image - @xdzmitry
- A Tale of Exploitation in Spreadsheet File Conversions - @bbuerhaus//@daeken//@erbbysam//@smiegles
- External XML Entity via File Upload (SVG) - by 0xatul
IDOR
- Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method - Vijay Kumar
- GraphQL IDOR leads to information disclosure - @R0X4R
- From Multiple IDORs leading to Code Execution on a different Host Container - @Rahul_R95
- Automating BURP to find IDORs - Aditya Soni
- Another image removal vulnerability on Facebook
- Stealing Your Private YouTube Videos, One Frame at a Time
GraphQL
- Private System Note Disclosure using GraphQL - Ron Chan
- Graphql Abuse to Steal Anyone’s Address - pratik yadav
- Email address of any user can be queried on Report Invitation GraphQL type when username is known - msdian7
RCE
- My First RCE (Stressed Employee gets me 2x bounty) - Abhishek Yadav
- How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber - by Andrewaeva
Automation & Recon
- How to: Recon & Content Discovery
- Subdomain Recon Using Certificate Search Technique
- Notes about NahamSec's Recon Sessions - maverickNerd
- 10 Recon Tools For Bug Bounty - Anshuman Pattnaik
- Recon: Create a methodology and start your subdomain enumeration - by FailedNuke
- THEY SEE ME SCANNIN’, THEY HATIN’: A BEGINNER’S GUIDE TO NMAP - by Sophia (https://twitter.com/SecQueens)
- Fasten your Recon process using Shell Scripting - Mohd Shibli
- Beginner’s Guide to recon automation - Ashish Jha
- gitGraber: A tool to monitor GitHub in real-time to find sensitive data - by @adrien_jeanneau & @R_Marot
API
Misc
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
- Abusing feature to steal your tokens - Harsh Jaiswal
- Zero-day in Sign in with Apple
- Account hijacking using "dirty dancing" in sign-in OAuth-flows By Frans Rosen
- Hacking GitHub with Unicode's dotless 'i'
- Abusing autoresponders and email bounces - securinti
- Abusing HTTP hop-by-hop request headers - @nj_dav
- Abusing ImageMagick to obtain RCE - strynx
- How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN - Alyssa Herrera
- Top 10 web hacking techniques of 2019 by James Kettle
- Understanding Search Syntax on Github by Github
- URL link spoofing (Slack) by Akaki Tsunoda (akaki)
- Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts by Sam Curry
- The Secret sauce of bug bounty by Mohamed Slamat
- Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty - Sam Curry
- TJnull’s Preparation Guide for PWK/OSCP
Mobile
iOS
Android