BB - BugBounty Hunting

Uploaded by ks344212
Bug Bounty Hunting

Mahmoud M. Awali
@0xAwali
Prerequisites
● English Language
● How to Study
Marty Lobdell - Study Less Study Smart
[Link]

● Your Mind
Methodology
Bug Bounty Hunting   | Web Apps Pen Testing
---------------------|---------------------
Target               | Pre-engagement
Reconnaissance       | Reconnaissance
Scanning             | Scanning
Exploitation         | Exploitation
                     | Post Exploitation
                     | Covering Tracks
Reporting            | Reporting
More Information !
● Web Apps Pen Testing
Course eLearnSecurity Web Application Pen Testing Module 1
[Link]
● Bug Bounty Hunting
DEF CON 22 - Nir Valtman - Bug Bounty Programs Evolution
[Link]
Infrastructure
● CCNA Routing and Switching
CCNA Routing and Switching OR N+ ? Do Not Study Both
Course INE CCNA Routing and Switching
[Link]
● Domain Name System Protocol
Managing Mission-Critical Domains and DNS: Demystifying nameservers, DNS, and domain names
[Link]
● HyperText Transfer Protocol
HTTP: The Definitive Guide
[Link]
Operating System
● Your Main Distribution
Kali Linux with XFCE Desktop Environment
Why Kali Linux ?
Kali Linux Revealed: Mastering the Penetration Testing Distribution
[Link]
● Commands
Linux® Notes for Professionals book
[Link]
● Tmux Terminal
Tmux OR Terminator
Getting Started with tmux
[Link]
● HTTP Command Line
Curl AND HTTPie
Everything curl - the book
[Link]
HTTPie: a CLI, cURL-like tool for humans
[Link]
● Regular Expression
Why Regular Expression ?
Mastering Regular Expressions
[Link]
● Bash Scripting
Bash Notes for Professionals book
[Link]
● Sed And Awk
sed & awk: UNIX Power Tools
[Link]
Web Server
● Nginx Web Server
Nginx Fundamentals: High Performance Servers from Scratch
[Link]
● HTTP Secure
How to Configure ?
SSL Complete Guide: HTTP to HTTPS
[Link]
● Reference
You Want To Learn Nginx AND Apache
Servers for Hackers
[Link]
Web Apps Pen Testing
● Prerequisite
CS50
CS50 Lectures 2018
[Link]
CS50's Web Programming with Python and JavaScript
[Link]
● Web App Hacker's Handbook
The Web Application Hacker's Handbook
[Link]
● Web Security Testing Guide
Web Security Testing Guide v4.2
[Link]
Reconnaissance
● Bugcrowd University
Sajeeb Lohani OR Jason Haddix
Recon & Discovery
[Link]
Bug Bounty Hunter Methodology v3
[Link]
● Nahamsec
Ben Sadeghipour - It's the Little Things - BSides Portland 2018
[Link]
Nahamsec Live Bug Bounty Recon - Live
[Link]
Youtube Channel
[Link]
● NahamCon2020-2021
The Bug Hunter's Methodology v4.0
[Link]
How to Use Amass Efficiently
[Link]
Amassive Leap in Host Discovery
[Link]
Distributed Recon Automation Using Axiom
[Link]
● Dirty Coder
Recon Like A Boss
[Link]
[Link]
● Prateek Tiwari
BUG BOUNTY FUNSHOP
[Link]
● Sam Erb
Hunting Certificates And Servers
[Link]
● Sergey Bobrov
BUG BOUNTY AUTOMATION
[Link]
● Google Search
Google Hacking for Penetration Testers
[Link]
● Alexey Morozov
Misconfiguration in development infrastructure
[Link]
● Bugcrowd University
Majd Aldeen Atiyat
GitHub Recon and Sensitive Data Exposure
[Link]
● Twitter Hashtag
#OSINT
#Recon
Services Scanning
● NMAP
Nmap OR Masscan
Nmap Network Scanning
[Link]
● CVE
[Link]
● Exploit-DB
[Link]
● Github
[Link]
Subdomains Takeover
● DNS Hijacking
[Link]
Can I Takeover XYZ ?
[Link]
Patrik Hudak
[Link]
● DNS Takeover
Can I Takeover DNS ?
[Link]
Patrik Hudak
[Link]
Content Discovery
● Assetnote
[Link]
[Link]
[Link]
● Turbo Intruder
Abusing HTTP Misfeatures To Accelerate Attacks
[Link]
[Link]
● FFUF
How to Master FFUF For Bug Bounties
[Link]
● Wordlist
Who , What , Where , When , Wordlist
[Link]
Creating Wordlists For Hacking
[Link]
PROXY
ZAP (0$) OR BURP SUITE (400$)
Burp Suite Cookbook
[Link]
Mastering Burp Suite
[Link]
Getting Started with ZAP
[Link]
ZAP Deep Dive
[Link]
Broken Link Hijacking
Broken Link Hijacking
[Link]
More Than Subdomain Takeover
[Link]
Takeover Company's LinkedIn Page
[Link]
HTTP Methods
GET , POST , OPTIONS , PUT , DELETE , CONNECT , HEAD , TRACE , FAKE
Host Header Injection
Cracking The Lens
[Link]
Practical Host Header Attacks
[Link]
Multiple Host Ambiguities in HTTP Implementations
[Link]
WebSecurity Academy Labs
[Link]
Web Cache Attacks
● Web Cache Deception
Web Cache Deception Attack
[Link]
Cached and Confused
[Link]
● Web Cache Poisoning
Practical Web Cache Poisoning: Redefining 'Unexploitable'
[Link]
Web Cache Entanglement
[Link]
● Web Cache Poisoning DOS
CPDoS: Cache Poisoned Denial of Service
[Link]
Responsible denial of service with web cache poisoning
[Link]
● Edge Side Include Injection
DEF CON 26 Edge Side Include Injection Abusing Caching Servers into SSRF
[Link]
WebSecurity Academy Labs
[Link]
Path Normalization
Breaking Parser Logic
[Link]
Reverse Proxies
[Link]
[Link]
[Link]
Open Redirection
PwnFunction
[Link]
Cheat Sheet
[Link]
[Link]
CRLF
CRLF and Open Redirection
[Link]
CRLF Reports
site:[Link] CRLF
Client Side Technologies
Front-End Roadmap
[Link]
HTML5 Notes for Professionals
[Link]
CSS Notes for Professionals
[Link]
Javascript Notes for Professionals
[Link]
The Modern JavaScript Bootcamp
[Link]
The Complete JavaScript Course
[Link]
jQuery Notes for Professionals
[Link]
How Browsers Work
[Link]
Third-Party JavaScript
[Link]
Complete JSON AJAX API
[Link]
Cross site Scripting
Reflected , Persistent , DOM-based , Blind
XSS Attacks
[Link]
XSS Magic Tricks
[Link]
BLIND XSS
[Link]
XSS Cheat Sheet
[Link]
XSS Reports
site:[Link] xss
Twitter Hashtag
#Bugbountytip xss
#bugbounty blind xss
#xss
#bxss
Content Security Policy
CSP
[Link]
Bypassing CSP
[Link]
[Link]
[Link]
[Link]
Cross site Scripting
WebSecurity Academy Labs
[Link]
Get Invitation: HackerOne CTF
[Link]
CSRF
Cross-Site Request Forgery
[Link]
CSRF-protection Bypassing
[Link]
CSRF Reports
site:[Link] csrf
Twitter Hashtag
#Bugbountytip csrf
#bugbounty csrf
#csrf
WebSecurity Academy Labs
[Link]
CORS Misconfiguration
CORS in Action
[Link]
Exploiting CORS
[Link]
WebSecurity Academy Labs
[Link]
WebSocket Hijacking
Guide to HTML5 WebSocket
[Link]
Security Testing of WebSockets (Kuosmanen, Master's thesis)
[Link]
WebSecurity Academy Labs
[Link]
postMessage
Hunting postMessage Vulnerabilities
[Link]
[Link]
postMessage Reports
site:[Link] postmessage
Clickjacking
All about Clickjacking
[Link]
clickjacking Reports
site:[Link] clickjacking
WebSecurity Academy Labs
[Link]
More Client-side Bugs
Learning and Reports
Tools - Payloads
[Link]
Client-side Books
The Tangled Web
[Link]
The Browser Hacker's Handbook
[Link]
Browser security whitepaper
[Link]
[Link]
Server Side Technologies
Back-End Roadmap
[Link]
Great Course
[Link] , SQL , NOSQL , REST API , GraphQL and More
NodeJS - The Complete Guide
[Link]
E-mail Injection
Exploiting E-Mail Systems
[Link]
SMTP Injection Via Recipient Email Addresses
[Link]
SQL Injection
ERROR-Based , UNION-Based , BOOLEAN-Based , TIME-Based
SQL Notes for Professionals
[Link]
SQL Injection Strategies
[Link]
SQL Injection Attacks and Defense
[Link]
SQLi Reports
site:[Link] sqli
Twitter Hashtag
#Bugbountytip sqli
#bugbounty sqli
WebSecurity Academy Labs
[Link]
NOSQL Injection
MongoDB Notes for Professionals
[Link]
Investigation and Validation of NoSQL Injection
[Link]
NOSQL INJECTION
[Link]
NOSQL Reports
Use Google
Twitter Hashtag
#Bugbounty nosql
Local File Inclusion
Local file inclusion
[Link]
WebSecurity Academy Labs
[Link]
Remote Code Execution
Remote Code Execution
[Link]
Commix
[Link]
WebSecurity Academy Labs
[Link]
Template Injection
Server-side Template Injection
[Link]
Client-side Template Injection
[Link]
SPEL INJECTION
[Link]
SSTI Reports
site:[Link] ssti
Client-Side Template Injection
[Link]
AngularJS Security
[Link]
WebSecurity Academy Labs
[Link]
Broken Authentication
Advanced REST API Course: Flask and Python
E-mail Confirmation , Image upload , OAuth 2.0 and Payment
[Link]
● Login Page
Hacking Authentication
[Link]
Cookie Attacks
[Link]
● OAuth 2.0
OAuth 2 in Action
[Link]
Oauth security
[Link]
Hacking OAuth 2.0 For Fun And Profit
[Link]
● Password Reset
Hacking Password Reset Functionality
[Link]
Do you Remember Host Header Injection ?
Hack Your API First
[Link]
API Security: Offence and Defence
[Link]
● Bugcrowd LevelUP 0x03
Bad API , hAPI Hackers
[Link]
API Security 101
[Link]
● Attacking JSON WEB TOKENS
JSON WEB TOKENS
[Link]
JWT Parkour
[Link]
Security Assertion Markup Language
[Link]
SSO Wars
[Link]
Identity Theft: Attacks on SSO Systems
[Link]
Insecure Direct Object Reference
[Link]
IDOR Vulnerability Automation
[Link]
Advanced API Security
[Link]
OWASP API Security TOP 10
[Link]
WebSecurity Academy Labs
[Link]
Cryptography
Crypto 101
[Link]
Hash Crack
[Link]
Get Invitation: HackerOne CTF
[Link]
GraphQL
The Modern GraphQL
[Link]
Abusing GraphQL to Attack
[Link]
GraphQL Apps Security Testing Automation
[Link]
Get Invitation: HackerOne CTF
[Link]
DevOps Technologies
DevOps Roadmap
[Link]
Amazon Web Services
AWS Certified Solutions Architect
[Link]
AWS Serverless APIs
[Link]
Hands-On AWS Penetration Testing
[Link]
Deep dive into AWS S3
[Link]
SSRF
Server Side Request Forgery
[Link]
Server side browsing
[Link]
BLIND SSRF - Morozov Alexey
[Link]
A Glossary of Blind SSRF Chains
[Link]
New Era of SSRF Exploiting
[Link]
SSRF AND PDF GENERATOR
[Link]
SSRF bible. Cheatsheet
[Link]
WebSecurity Academy Labs
[Link]
Microservices
Microservices Web App: React AND Django AND Flask
[Link]
Attacking Secondary Contexts
[Link]
Traversing My Way In The Internal Network
[Link]
Middleware , Middleware Everywhere
[Link]
Methodology Using Fuzzing AND Info Disclosure
[Link]
XML Schema
XML Schema and XSLT
[Link]
XML External Entity
XML External Entity Injection
[Link]
XXE: How to become a Jedi
[Link]
Attacking xml processing
[Link]
XML Out-Of-Band Exploitation
[Link]
DTD Attacks Against XML Parsers
[Link]
WebSecurity Academy Labs
[Link]
HTTP Parameter Pollution
PwnFunction
[Link]
Marco Balduzzi
[Link]
[Link]
File Uploading
File Uploading Vulnerabilities
[Link]
FFmpeg Video Converters
[Link]
Attacks on Video Converters
[Link]
FFmpeg and Imagemagick
[Link]
PostScript and ghostScript
[Link]
[Link]
Killing with Filedescriptor
[Link]
HTTP Smuggling
Hiding Wookiees in HTTP
[Link]
HTTP Desync Attacks
[Link]
Practical Attacks Using HTTP Request Smuggling
[Link]
HTTP Request Smuggling in 2020
[Link]
Response Smuggling: Pwning HTTP/1.1 Connections
[Link]
What's Wrong With WebSocket APIs: Smuggling Through Websocket
[Link]
HTTP Request Smuggling Via Higher HTTP Versions
[Link]
HTTP2: The Sequel is Always Worse
[Link]
WebSecurity Academy Labs
[Link]
DNS Rebinding
There's no place like [Link]
[Link]
State of DNS Rebinding
[Link]
More Server-side Bugs
Learning and Reports
Tools - Payloads
[Link]
WebSecurity Academy Materials
[Link]
● HOP BY HOP Request Header
Hop-by-Hop Request Headers
[Link]
● Shellshock Vulnerability
Shellshock Vulnerability
[Link]
● Sensitive Files
Small Files And Big Bounties, Exploiting Sensitive Files
[Link]
WebSecurity Academy Labs
[Link]
Get Invitation: HackerOne CTF
[Link]
Source Code Review
OWASP Code Review Guide v2
[Link]
● Reading Javascript Files
Let's be a Dork and Read javascript files with zseano
[Link]
Web App Firewall
Web Application Defender
[Link]
Web Application Obfuscation
[Link]
Automation
Write Your Tools
Language is Up To You
Awesome Talks
● Asynchronous Vulnerabilities
Hunting Asynchronous Vulnerabilities
[Link]
● AEM Hacking
Approaching Adobe Experience Manager Webapps by Mikhail Egorov
[Link]
● Hacking Jenkins
Hacking Jenkins - Orange Tsai
[Link]
● Infiltrating Corporate Intranet
Orange Tsai - Infiltrating Corporate Intranet Like NSA Preauth RCE
[Link]
● Apache Solr Injection
Apache Solr Injection
[Link]
● Hunting For Top Bounties
Nicolas Grégoire - Hunting For Top Bounties
[Link]
● Demystifying The Server Side
SSRF - XXE - RCE - Reverse Proxy
[Link]
● Backslash Powered Scanning
Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
[Link]
● NahamCon2021
Hacking IIS
[Link]
● Red Team Village
Knock knock , Who's There? Identifying Assets in the Cloud
[Link]
● Zseano's Thoughts
A Look Into Zseano's Thoughts When Testing a Target
[Link]
[Link]
Bug Bounty Hunting Books
Bug Bounty Playbook v1
[Link]
Bug Bounty Playbook v2
[Link]
Web Hacking 101
[Link]
Real-World Bug Hunting
[Link]
Certifications
Web Hacking
[Link]
Advanced Web Hacking
[Link]
Advanced Web Attacks and Exploitation
[Link]
Keep Learning
Twitter
Following List is Up To You
Blogs
Security Researchers !
Conferences
ZeroNights - DEF CON - Blackhat - etc
Google
Depending On Yourself , It Will Be Better
Google Search I'm Feeling Lucky
Thank You
Mahmoud M. Awali
@0xAwali
