More CVE hunting tips in case you missed them last time ⏳

An aspiring hacker’s web application penetration testing guide for 2024 by HTB’s 2023 MVP 🏆

100 Bug Bounty Tips by @ArchAngelDDay 💯

Master web technologies: HTML, CSS, JavaScript, and server-side languages (e.g., PHP, Python).

Use specific tools: Burp Suite (web proxy), OWASP ZAP (vulnerability scanner), and Metasploit (penetration testing framework).

Practice on platforms like Hack The Box to gain real-world pentesting experience.

Understand both internal (within an organization) and external (from outside the organization) testing approaches.

Engage in the testing process, starting from contract and scope definition to reporting vulnerabilities.

Spend at least 30 minutes on a new target

Look for “No”s

Use Italics Tags in your inputs instead of XSS payloads

Focus on SaaS apps that are multi-tenant

Buy Burp Pro

On a new target go straight to the User Management section

See if inviting an existing user to your org exposes their name

See if inviting an existing user removes them from their own org

If the scope has a wildcard, use sub finder to find subdomains

Run HTTPX on the list of subdomains to narrow down alive targets

On an app you’re not familiar with, use it like a normal user first

If the docs say you can’t do X, but you can do X then you have a bug

Use match & replace rules to find new endpoints

Budget time into your week specifically for hacking

Give yourself a no-bug time limit. I do 3 hours.

Go back to old dupes and see if you can still reproduce.

Look for “+2” in your reputation log to find dupes that should be now.

Make your report a conversation, not a sales pitch

Accept & expect that dupes will happen

File & Forget

If an endpoint has “api/v2/“, try “api/v1/”

If an endpoint has “api/v2”, try removing the “v2” altogether

6 $1000 Mediums pay more than 1 $5,000 crit. Don’t ignore any bugs

Lows are still bugs that should be filed

Be kind to your triager

Say “thank you” when you get a bounty

If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.

If UUID IDORs exist, then look for an endpoint that exposes UUIDs

Pin your success on whether you followed your plan, not if you found bugs

A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit

Going deep will pay off

Working with new hackers will pay off in dividends

Don’t be jealous

Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your sanity

If you find a bug that’s OOS, still ask the customer if they care

There’s no end. Enjoy the journey

Have a hobby that’s not related to hacking

Have friends that don’t hack

Figure out what time of day you hack the best. Late nights aren’t for me.

Spend that extra 2 minutes to make your report look/read nice

“Subscribe” to programs that pay well and have good scope

Don’t whine on Twitter about a single report. Or at all for that matter.

IDORs and Privilege Escalations are a great place to start

Unmet expectations lead to disappointment

Teach someone else how to hack

Time spent reading/learning is time well spent

Focus on programs that you actually use in your day-to-day

Establish a relationship with the program

Try asking the program what types of bugs they want to see

Look at a program leaderboard to see who you should collab with

When collaborating, an even bounty split eliminates the hassle

Take a break when you stop having fun

At an LHE, start hacking ahead of time

Look for programs that are active in resolving reports

Look for programs that haven’t awarded a lot recently

Look for programs that have collaboration enabled

Look for programs that don’t list out a bunch of known issues

Look for programs that have a history of adding new scope

Change your strategy if you’ve gone a while without a finding

If you’re on a roll, keep doing what you’re doing

But don’t let success keep you from evolving/growing

Compare yourself against yourself from last year

Maintain online presence for new opportunities

Be thankful for failure

Read disclosed reports

Focus on one program at a time. Cycle if you get bored.

Don’t spray XSS payloads everywhere

If possible, work at a company that has a BBP

Spend bounty money on tools that will generate more bounties

Budget a specific amount of your bounties for fun. And stick to it.

When hacking a store, don’t be afraid to make small purchases

Look for changes in JS files to know when there may be new functionality

Look for references to subdomains in a company’s GH repo

Look for references to subdomains in employee’s GH repos

If the app uses Intercom, try booting it with another email

Look for second-degree IDORs

SSRFs exist when the app makes any external request. Look for these requests.

Look for actuator endpoints

Find hackers that hack differently than you.

Try hacking in a different room of the house

Try hacking at a different location altogether

If you find the same bug on different endpoints, file it as a different bugs

Try always having some pending bugs in your pipeline

Break your yearly bounty goal into monthly goals

Know when a bounty isn’t worth fighting over

Push back gently when a report gets downgraded

Use the leaderboard as motivation, not as comparison

Don’t reinvent the wheel when a tool exists

Don’t be afraid to build the wheel if the tool doesn’t

Try collabing in real time over video chat

Always ask why something works the way it does

When collabing, don’t be afraid to be the underperformer

When collabing, don’t get salty about being the overperformer

Use mediation, but use it sparingly

Be generous with your earnings

Hack for fun, not for a paycheck

LHEs are a privilege, not an expectation

Programs are your friend, not your adversary. Work with them

The platform is your friend, not your adversary. Work with them