Based on Learning about Vulnerabilities

“Being a hacker is lots of fun, but it’s a kind of fun that takes lots of effort. The effort takes motivation.”

Now let’s start with the basic learning about InfoSec the first and really most important step would be to choose a proper initial path that you are going to start learning. Choosing the right path to start in Bug Bounty is very important. It totally depends upon your interest, like some people choose Web Application path first coz it’s easy to learn and go through than mobile and others… (Some of the resources are moved here from my old blog that’s I’m going to remove but these are updated and properly arranged by my experience) I’ll focus on Web, & Mobile Here coz this is what my interest is.

Before I add anything else I’ll suggest You to actually go through Hacker101 By HackerOne https://www.hacker101.com/ And Bugcrowd University https://www.bugcrowd.com/hackers/bugcrowd-university/ Both of these contain a Huge list of resources and lectures that can help you in even a better way than many of us can’t but as you guys are following this as well so I decided to add them here also.

Web App Security:

Before I Suggest you what to Learn first if you follow my suggested path l’ll like to tell you some ways you can practice your skills..

CTF(Capture The Flag): Now to practice for Bug Bounties you can participate in CTF challenges. Just like the name suggests “Capture The Flag” there are several challenges for you to solve which deals with real-world vulnerabilities. The more you practice on these challenges the more you will learn about the different technologies required to break into an application or a system.

For Web App, I’ll suggest you guys read the following books & guides first >https://www.packtpub.com/networking-and-servers/mastering-modern-web-penetration-testing >https://www.amazon.com/Hackers-Underground-Handbook-secure-systems/dp/1451550189 >https://leanpub.com/web-hacking-101 >https://www.amazon.com/gp/product/1593275641/ >https://www.amazon.com/gp/product/1512214566/ >https://www.amazon.com/Tangled-Web-Securing-Modern-Applications-ebook/dp/B006FZ3UNI/

Reading these books you will get good knowledge about Web App Penetration testing & Security testing in general and in-depth. In addition to these books, I’ll suggest you guys should really give good time reading and understanding OWASP Testing Guide & OWASP Top 10 Vulnerabilities from 2010-2017 OWASP Testing project: >https://www.owasp.org/index.php/OWASP_Testing_Project

OWASP Top 10 Project: >https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#OWASP_Top_10_for_2010 >https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#OWASP_Top_10_for_2013 >https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Adding a Few basic Pdfs for you guys to go through and save locally to you can keep it revised and keep learning from them. I’ll say they gonna help you almost a hundred percent of the time. So do give these a good time > Kali Linux Revealed https://docs.kali.org/pdf/kali-book-en.pdf > Nmap Cheat Sheet https://s3-us-west-2.amazonaws.com/stationx-public-download/nmap_cheet_sheet_0.6.pdf > Metasploit Cheat Sheet: https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf

Now by this point, I’ll say You have done Good enough research and given good time to practice and learn that you can jump into a Bug Bounty Program to test in real-life environment outside CTF, or test environments. So you can happily jump to the pages at https://bugcrowd.com/programs https://hackerone.com/directory

PentesterLab There’s only one way to properly learn web penetration testing: by getting your hands dirty. PentesterLab teaches how to manually find and exploit vulnerabilities and is a good resource to learn and practice all at once.

Pentester Academy

Another Great resource to practice using online labs and learn, they also provide certifications.

And Select a Program But I’ll suggest you read till the end.

Following all of them books, testing guides you might have an idea of vulnerabilities so i’ll name a few common ones and try to give good reference to learn them easily.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. References to read: >https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/?utm_campaign=Incapsula-moved >https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) >https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/ Some POCs:

CSRF Account Takeover famebit by Hassan Khan
Hacking PayPal Accounts with one click (Patched) by Yasser Ali
Add tweet to collection CSRF by vijay kumar
Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun by phwd
How i Hacked your Beats account ? Apple Bug Bounty by @aaditya_purani
Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) by Florian Courtial
CSRF Account Takeover by Vulnerables
Uber CSRF Account Takeover by Ron Chan
Messenger.com CSRF that show you the steps when you check for CSRF by Jack Whitton

Cross-Site Scripting (XSS)

XSS enables attackers to inject client-side scripts into web pages viewed by other users.

References to read: >https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) >https://portswigger.net/web-security/cross-site-scripting >https://excess-xss.com/ Some POCs:

AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 by geekboy
Uber Self XSS to Global XSS
How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin MoulinierFollow
Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities by Brett
XSSI, Client Side Brute Force
postMessage XSS Bypass
XSS in Uber via Cookie by zhchbin
Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP by frans
XSS due to improper regex in third party js Uber 7k XSS
XSS in TinyMCE 2.4.0 by Jelmer de Hen
Pass uncoded URL in IE11 to cause XSS
Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov
Microsoft XSS and Twitter XSS
Google Japan Book XSS
Flash XSS mega nz – by frans
Flash XSS in multiple libraries – by Olivier Beg
xss in google IE, Host Header Reflection
Years ago Google xss
xss in google by IE weird behavior
xss in Yahoo Fantasy Sport
xss in Yahoo Mail Again, worth $10000 by Klikki Oy
Sleeping XSS in Google by securityguard
Decoding a .htpasswd to earn a payload of money by securityguard
Google Account Takeover
Sleeping stored Google XSS Awakens a $5000 Bounty by Patrik Fehrenbach
RPO that lead to information leakage in Google by filedescriptor
God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton
Three Stored XSS in Facebook by Nirgoldshlager
Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen
An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton
- he is able to make stored XSS from a irrelevant domain to main facebook domain
Stored XSS in *.ebay.com by Jack Whitton
Complicated, Best Report of Google XSS by Ramzes
Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com by secgeek
Command Injection in Google Console by Venkat S
Facebook’s Moves – OAuth XSS by PAULOS YIBELO
Stored XSS in Google Docs (Bug Bounty) by Harry M Gertos
Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)
Yahoo Mail stored XSS by Klikki Oy
Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) by Masato Kinugawa
Youtube XSS by fransrosen
Best Google XSS again – by Krzysztof Kotowicz
IE & Edge URL parsin Problem – by detectify
Google XSS subdomain Clickjacking

SQL Injection

SQL injection, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

References to read: >https://www.owasp.org/index.php/SQL_Injection >https://portswigger.net/web-security/sql-injection >https://www.imperva.com/learn/application-security/sql-injection-sqli/ >https://www.w3schools.com/sql/sql_injection.asp

Some POCs:

SQL Injection Vulnerability nutanix by Muhammad Khizer Javed
Yahoo – Root Access SQL Injection – tw.yahoo.com by Brett Buerhaus
Multiple vulnerabilities in a WordPress plugin at drive.uber.com by Abood Nour (syndr0me)
GitHub Enterprise SQL Injection by Orange
SQL injection in WordPress Plugin Huge IT Video Gallery in Uber by glc
SQL Injection on sctrack.email.uber.com.cn by Orange Tsai

Remote Code Execution (RCE)

In RCE an attacker’s able to execute arbitrary commands or code on a target machine or in a target Machine.

References to read: >https://www.netsparker.com/blog/web-security/remote-code-evaluation-execution/ >https://en.wikipedia.org/wiki/Arbitrary_code_execution

Some POCs:

How we broke PHP, hacked Pornhub and earned $20,000 by Ruslan Habalov
- Alert, God-like Write-up, make sure you know what is ROP before clicking, which I don’t =(
RCE deal to tricky file upload by secgeek
WordPress SOME bug in plupload.flash.swf leading to RCE in Automatic by Cure53 (cure53)
Read-Only user can execute arbitraty shell commands on AirOS by 93c08539 (93c08539)
Remote Code Execution by impage upload! by Raz0r (ru_raz0r)
Popping a shell on the Oculus developer portal by Bitquark
Crazy! PornHub RCE AGAIN!!! How I hacked Pornhub for fun and profit – 10,000$ by 5haked
PayPal Node.js code injection (RCE) by Michael Stepankin
eBay PHP Parameter Injection lead to RCE
Yahoo Acqusition RCE
Command Injection Vulnerability in Hostinger by @alberto__segura
RCE in Airbnb by Ruby Injection by buerRCE
RCE in Imgur by Command Line
RCE in git.imgur.com by abusing out dated software by Orange Tsai
RCE in Disclosure
Remote Code Execution by struct2 Yahoo Server
Command Injection in Yahoo Acquisition
Paypal RCE
$50k RCE in JetBrains IDE
$20k RCE in Jenkin Instance by @nahamsec
JDWP Remote Code Execution in PayPal by Milan A Solanki
XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook’s servers by Reginaldo Silva
How I Hacked Facebook, and Found Someone’s Backdoor Script by Orange Tsai
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! by Orange Tsai
uber.com may RCE by Flask Jinja2 Template Injection by Orange Tsai
Yahoo Bug Bounty – *.login.yahoo.com Remote Code Execution by Orange Tsai (in Chinese)
Google App Engine RCE by Ezequiel Pereira
Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition) by NaHamSec
Exploting ImageMagick to get RCE on HackerOne by c666a323be94d57
Trello bug bounty: Access server’s files using ImageTragick by Florian Courtial
40k fb rce
Yahoo Bleed 1
Yahoo Bleed 2
Microsoft Apache Solr RCE Velocity Template By Muhammad Khizer Javed

Insecure Direct Object Reference (IDOR)

In IDOR an application provides direct access to objects based on the user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly.

References to read: >https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/ >https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004) >https://www.secjuice.com/idor-insecure-direct-object-reference-definition/

Some POCs:

DOB disclosed using “Facebook Graph API Reverse Engineering” by Raja Sekar Durairaj
Change the description of a video without publish_actions permission in Facebook by phwd
Response To Request Injection (RTRI) by ?, be honest, thanks to this article, I have found quite a few bugs because of using his method, respect to the author!
Leak of all project names and all user names , even across applications on Harvest by Edgar Boda-Majer (eboda)
Changing paymentProfileUuid when booking a trip allows free rides at Uber by Matthew Temmy (temmyscript)
View private tweet
Uber Enum UUID
Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User by Stephen Sclafani
Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions by Stephen Sclafani
Delete FB Video
Delete FB Video
Facebook Page Takeover by Manipulating the Parameter by arunsureshkumar
Viewing private Airbnb Messages
IDOR tweet as any user by kedrisec
Classic IDOR endpoints in Twitter
Mass Assignment, Response to Request Injection, Admin Escalation by sean
Trello bug bounty: The websocket receives data when a public company creates a team visible board by Florian Courtial
Trello bug bounty: Payments informations are sent to the webhook when a team changes its visibility by Florian Courtial
Change any user’s password in Uber by mongo
Vulnerability in Youtube allowed moving comments from any video to another by secgeek
- It’s Google Vulnerability, so it’s worth reading, as generally it is more difficult to find Google vulnerability
Twitter Vulnerability Could Credit Cards from Any Twitter Account by secgeek
One Vulnerability allowed deleting comments of any user in all Yahoo sites by secgeek
Microsoft-careers.com Remote Password Reset by Yaaser Ali
How I could change your eBay password by Yaaser Ali
Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication by Duo Labs
Hacking Facebook.com/thanks Posting on behalf of your friends! by Anand Prakash
How I got access to millions of [redacted] accounts
All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description by Enguerran Gillier (opnsec)
Urgent: attacker can access every data source on Bime by Jobert Abma (jobert)
Downloading password protected / restricted videos on Vimeo by Gazza (gazza)
Get organization info base on uuid in Uber by Severus (severus)
How I Exposed your Primary Facebook Email Address (Bug worth $4500) by Roy Castillo

Unrestricted File Upload

As in name unrestricted file upload allows user to upload malicious file to a system to further exploit to for Code execution

References to read: >https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/unrestricted-file-upload/ >https://www.owasp.org/index.php/Unrestricted_File_Upload >https://www.hackingarticles.in/5-ways-file-upload-vulnerability-exploitation/

Some POCs:

File Upload XSS in image uploading of App in mopub by vijay kumar
RCE deal to tricky file upload by secgeek
File Upload XSS in image uploading of App in mopub in Twitter by vijay kumar (vijay_kumar1110)
Unrestricted File Upload to RCE by Muhammad Khizer Javed

XML External Entity Attack (XXE)

XXE is an attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

References to read: >https://portswigger.net/web-security/xxe >https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet >https://phonexicum.github.io/infosec/xxe.html

Some POCs:

XXE through SAML
XXE in Uber to read local files
XXE by SVG in community.lithium.com
How we got read access on Google’s production servers by detectify
Blind OOB XXE At UBER 26+ Domains Hacked by Raghav Bisht

Local File Inclusion (LFI)

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

References to read: >https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion >https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/ >https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601

Some POCs:

Subdomain Takeover

A process of registering a non-existing domain name to gain control over another domain.

References to read: >https://blog.securitybreached.org/2017/10/11/what-is-subdomain-takeover-vulnerability/ >https://0xpatrik.com/subdomain-takeover-basics/ >https://github.com/EdOverflow/can-i-take-over-xyz

Some POCs:

Hijacking tons of Instapage expired users Domains & Subdomains by geekboy
Reading Emails in Uber Subdomains
Slack Bug Journey – by David Vieira-Kurz
Subdomain takeover and chain it to perform authentication bypass by Arne Swinnen
UBER Wildcard Subdomain Takeover by Muhammad Khizer Javed
Lamborghini Subdomain Takeover Through Expired Cloudfront Distribution by Muhammad Khizer Javed
Subdomain Takeover via Unsecured S3 Bucket Connected to the Website by Muhammad khizer Javed

Server Side Request Forgery (SSRF)

by SSRF the attacker can abuse functionality on the server to read or update internal resources.

References to read: >https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978 >https://www.owasp.org/index.php/Server_Side_Request_Forgery >https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/ >https://blog.detectify.com/2019/01/10/what-is-server-side-request-forgery-ssrf/

Some POCs:

Some Other Interesting POCs: A huge collection at https://github.com/djadmin/awesome-bug-bounty

Deserialization

Java Deserialization in manager.paypal.com by Michael Stepankin
Instagram’s Million Dollar Bug by Wesley Wineberg
(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)
Java deserialization by meals

Others

Information Disclosure

Hacking SMS API Service Provider of a Company |Android App Static Security Analysis By Muhammad Khizer Javed
Vine User Private information disclosure
The feature works as intended, but what’s in the source? By zseano
How Our Co-Founder Earned $10.6K in just 10 Hours By Tensecure Systems

So these were some common issues that one should get a grip on and learn more and more about Following is a list of some Attacks Topics that You Should do some research and read the Blogs/reports on them.

BLOGS! You should read.

Lets get towards Blogs! There are plenty of blogs Shared by Hackers on daily basis that you can read to learn more and more…

These are some Of the Websites That I like to Visit regularly to b updated and Read Their Articles………. There are Plenty of Other Blogs, Websites That are Missing from This List so be sure to add them In comments.

YouTube Channels! You should follow.

https://www.youtube.com/channel/UCq9IyPMXiwD8yBFHkxmN8zg Any Channel Link Missing? Kindly add it in Comments

Another advice…… Regularly follow http://h1.nobbd.de/ to b updated with HackerOne Public Bug reports You can learn alot from them

Alternatively, You can Join Slack Community for Hackers https://bugbounty-world.slack.com/ https://bugbountyforum.com/

Tools! You should try out.

dnscan https://github.com/rbsec/dnscan Knockpy https://github.com/guelfoweb/knock Sublist3r https://github.com/aboul3la/Sublist3r massdns https://github.com/blechschmidt/massdns nmap https://nmap.org masscan https://github.com/robertdavidgraham/masscan EyeWitness https://github.com/ChrisTruncer/EyeWitness DirBuster https://sourceforge.net/projects/dirbuster/ dirsearch https://github.com/maurosoria/dirsearch Gitrob https://github.com/michenriksen/gitrob git-secrets https://github.com/awslabs/git-secrets sandcastle https://github.com/yasinS/sandcastle bucket_finder https://digi.ninja/projects/bucket_finder.php GoogD0rker https://github.com/ZephrFish/GoogD0rker/ Wayback Machine https://web.archive.org waybackurls https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050 Sn1per https://github.com/1N3/Sn1per/ XRay https://github.com/evilsocket/xray wfuzz https://github.com/xmendez/wfuzz/ patator https://github.com/lanjelot/patator datasploit https://github.com/DataSploit/datasploit hydra https://github.com/vanhauser-thc/thc-hydra changeme https://github.com/ztgrace/changeme MobSF https://github.com/MobSF/Mobile-Security-Framework-MobSF/ Apktool https://github.com/iBotPeaches/Apktool dex2jar https://sourceforge.net/projects/dex2jar/ sqlmap http://sqlmap.org/ oxml_xxe https://github.com/BuffaloWill/oxml_xxe/ XXE Injector https://github.com/enjoiz/XXEinjector The JSON Web Token Toolkit https://github.com/ticarpi/jwt_tool

This was as much as I can think about sharing with you guys related to Web app Security in tools and vulns i have added a few things about mobile apps but the following sections contain some references you should definitely go through if you gonna join the mobile app security gang as well.

Mobile Application Security.

So hello to Mobile App Security section now let me clear this first i’m a complete noob at this section so it won’t be as detailed as the web app one.

Now The best and the very first thing I would suggest is to actually learn about the development phase of an app mainly my focus is Android APPs ( doesn’t necessarily mean that you should go for learning to develop an android but at least get to know. For this, You can go through the following Android App development tools. (My suggestion is you should actually give basic time to these) Android SDK ~ The Android software development kit (SDK) includes a comprehensive set of development tools. These include a debugger, libraries, a handset emulator based on QEMU, documentation, sample code, and tutorials ADT Bundle ~ The Android Developer Tools(ADT) bundle is a single download that contains everything for developers to start creating Android Application Root Tools ~ RootTools provides rooted developers with a standardized set of tools for use in the development of rooted applications.

Now if you have gone through them let’s get towards Mobile app security vulnerabilities For this I’ll suggest you first go towards OWASP Mobile Top 10 Giving them a good overview will definitely worth it. I’ll also Highly suggest these two Books specifically for Android & IOS app testing The Mobile Application Hacker’s Handbook iOS Application Security: The Definitive Guide for Hackers and Developers

For Mobile Applications, I’ll share Two of the Best places I’m currently following to learn and I would highly recommend you guys to have a look at them and giving them a proper read will definitely help you

Application Security Wiki:

Application Security Wiki is an initiative to provide all Application security-related resources to Security Researchers and developers in one place. https://appsecwiki.com/#/

Learn IOS Security:

IOS Security Guide to learn and test by Prateek http://damnvulnerableiosapp.com/#learn

owasp-workshop-android-pentest:

Learning Penetration Testing of Android Applications

Mobile Application Penetration Testing Cheat Sheets

The Mobile App Pentest cheat sheet

Mobile penetration testing android command cheatsheet

Getting Started in Android Apps Pen-testing

Summing up Phase #02 of this blog I think by following these resources at and giving them good time one can get pretty good at Bug Hunting. Here are some Websites or Places where you can play CTF Challenges and practice the skills that you have learned.

Hacker 101 https://ctf.hacker101.com/
Hack the box https://www.hackthebox.eu/
OvertheWire wargames http://overthewire.org/wargames/
Pwnable.tw https://pwnable.tw/
Vulnhub https://www.vulnhub.com/
Troy Hunt “Hack Yourself First” https://hack-yourself-first.com/
Hack.Me https://hack.me/
Hacksplaining https://www.hacksplaining.com/lessons
Penetration Testing Practice Labs https://www.amanhardikar.com/mindmaps/Practice.html
Bug Bounty Hunter https://www.bugbountyhunter.com/

Other Resources:

I saw a few friends of mine shared some really interesting and important tools, & resources so I decided to add them here as well because I’m giving some good time to them nowadays.

Tools used for Penetration testing / Red Teaming.

List-pentest-tools: A curated list of network penetration testing tools.

Password lists for use in penetration testing situations, broken up by TLD.

Penetration tests cases, resources and guidelines.

Penetration Testing notes, resources and scripts

A collection of hacking / penetration testing resources to make you better!

RedTeam-Pentest-Cheatsheets

Collection of OSCP study material && tools.

Kali Linux Offensive Security Certified Professional Survival Exam Guide

Penetration Testing / OSCP Biggest Reference Bank / Cheatsheet

An archive of everything related to OSCP

GitBook: OSCP RoadMap