Real-World Bug Hunting

1. Understand Bug Bounty Basics and Web Interactions

A vulnerability is a weakness in an application that allows a malicious person to perform some unpermitted action or gain access to information they shouldn’t otherwise be allowed to access.

Vulnerability Defined. A vulnerability is a flaw in an application that allows unauthorized actions or access to restricted information. These flaws can arise from both intended and unintended uses of the application. Bug bounties are rewards offered by companies to ethical hackers who responsibly discover and report these vulnerabilities.

Client-Server Model. The internet functions through a network of computers communicating via packets. Clients initiate requests, while servers respond. Understanding this client-server relationship is crucial for identifying potential vulnerabilities.

Website Visits. When you enter a URL, your browser extracts the domain name, resolves it to an IP address using DNS, establishes a TCP connection, sends an HTTP request, receives a server response, and renders the response. HTTP requests use methods like GET, POST, PUT, and DELETE to interact with servers.

2. Master Open Redirects to Exploit Trust

Open redirects exploit the trust of a given domain to lure targets to a malicious website.

Redirect Vulnerability. Open redirects occur when a website redirects users to another site based on untrusted input, often through URL parameters. Attackers can manipulate these redirects to send users to malicious sites, potentially for phishing or malware distribution.

Exploitation Methods. Attackers can exploit open redirects through URL parameters, HTML <meta> refresh tags, or JavaScript's window.location property. Identifying parameters like url=, redirect=, or next= is key to finding these vulnerabilities.

Mitigation Strategies. Websites can mitigate open redirects by validating redirect URLs against a whitelist of trusted domains or by using interstitial pages that warn users before redirecting them to external sites. The HackerOne interstitial redirect example shows the importance of recognizing the tools and services websites use while you hunt for vulnerabilities.

3. Utilize HTTP Parameter Pollution for Unexpected Behavior

HTTP parameter pollution (HPP) is the process of manipulating how a website treats the parameters it receives during HTTP requests.

HPP Defined. HTTP Parameter Pollution (HPP) involves injecting extra parameters into an HTTP request to manipulate how the website processes them. This can occur on the server-side, affecting how the server handles data, or on the client-side, influencing the user's browser behavior.

Server-Side HPP. Server-side HPP exploits how the server-side code uses values passed as parameters. Different server technologies handle multiple parameters with the same name differently, making experimentation crucial.

Client-Side HPP. Client-side HPP allows attackers to inject extra parameters into a URL to create effects on a user’s end. This can involve manipulating how JavaScript functions or HTML attributes are rendered, potentially leading to XSS or other client-side vulnerabilities. The HackerOne Social Sharing Buttons example shows how websites that accept content and contact other web services can be vulnerable to HPP.

4. Prevent Cross-Site Request Forgery by Understanding Authentication

A cross-site request forgery (CSRF) attack occurs when an attacker can make a target’s browser send an HTTP request to another website.

CSRF Defined. Cross-Site Request Forgery (CSRF) occurs when an attacker forces a user's browser to send a malicious HTTP request to a website where the user is authenticated, without the user's knowledge or consent. This can lead to unauthorized actions being performed on the user's account.

Authentication Methods. Websites use cookies or basic authentication to store user authentication. Cookies are small files stored in the user's browser, while basic authentication involves sending a base64-encoded username and password in the HTTP request header.

Defense Strategies. CSRF attacks can be mitigated using CSRF tokens, which are unique, unpredictable values that are included in HTTP requests to verify their authenticity. Other defenses include using the SameSite cookie attribute and checking the Origin or Referer header. The Shopify Twitter Disconnect example shows the importance of looking for HTTP requests that perform some action on the server via a GET request.

5. Recognize HTML Injection and Content Spoofing Techniques

HTML injection and content spoofing are attacks that allow a malicious user to inject content into a site’s web pages.

HTML Injection. HTML injection allows attackers to inject arbitrary HTML elements into a website, potentially defacing the site or creating phishing forms. This is similar to XSS, but it doesn't involve executing JavaScript.

Content Spoofing. Content spoofing involves injecting plaintext content into a website, which can be used to mislead users or spread misinformation. This is often less severe than HTML injection because it doesn't allow for arbitrary HTML elements.

Mitigation Strategies. Websites can mitigate HTML injection and content spoofing by properly sanitizing user input, encoding special characters, and implementing strict output encoding. The Coinbase Comment Injection example shows how character encoding can be used to bypass HTML sanitization.

6. Exploit Carriage Return Line Feed Injection for HTTP Manipulation

A carriage return line feed injection (CRLF injection) vulnerability occurs when an application doesn’t sanitize user input or does so improperly.

CRLF Injection Defined. Carriage Return Line Feed (CRLF) injection occurs when an attacker injects encoded characters (%0D and %0A) into HTTP messages, allowing them to manipulate headers and potentially perform HTTP request smuggling or response splitting attacks.

HTTP Request Smuggling. HTTP request smuggling involves appending a second HTTP request to the initial, legitimate request by exploiting a CRLF injection vulnerability. This can lead to cache poisoning, firewall evasion, or request hijacking.

HTTP Response Splitting. HTTP response splitting allows an attacker to split a single HTTP response by injecting new headers, potentially leading to XSS or redirect vulnerabilities. The v.shopify.com Response Splitting example shows the importance of looking for opportunities where a site accepts input that it uses as part of its return headers.

7. Identify and Exploit Cross-Site Scripting Vulnerabilities

Cross-Site Scripting (XSS) occurs when websites render certain characters unsanitized, causing browsers to execute malicious JavaScript.

XSS Defined. Cross-Site Scripting (XSS) vulnerabilities occur when a website allows attackers to inject malicious JavaScript code into its pages, which can then be executed by other users' browsers. This can lead to account hijacking, data theft, or defacement.

Types of XSS. There are two main types of XSS: reflected (where the payload is executed immediately) and stored (where the payload is stored on the server and executed later). XSS can also be DOM-based, blind, or self.

Mitigation Strategies. Websites can mitigate XSS vulnerabilities by properly sanitizing user input, encoding special characters, and using Content Security Policy (CSP). The Shopify Wholesale example shows that XSS vulnerabilities don’t have to be intricate and that it’s important to check how a site handles different types of input.

8. Leverage Template Injection for Code Execution

Template injection vulnerabilities occur when engines render user input without properly sanitizing it, sometimes leading to remote code execution.

Template Injection Defined. Template injection vulnerabilities occur when a web application uses a template engine to dynamically generate web pages, emails, or other media, and an attacker can inject malicious code into the template. This can lead to remote code execution (RCE) or cross-site scripting (XSS).

Server-Side Template Injection (SSTI). SSTI vulnerabilities occur when the injection happens in the server-side logic. This can allow attackers to execute arbitrary code on the server, potentially compromising the entire system.

Client-Side Template Injection (CSTI). CSTI vulnerabilities occur in client template engines and are written in JavaScript. While they typically can't be used for RCE, they can be used for XSS. The Uber AngularJS Template Injection example shows how to test for CSTI vulnerabilities by submitting simple payloads and watching for the rendered result.

9. Exploit SQL Injection to Manipulate Databases

When a vulnerability on a database-backed site allows an attacker to query or attack the site’s database using SQL (Structured Query Language), it is known as a SQL injection (SQLi).

SQL Injection Defined. SQL Injection (SQLi) vulnerabilities occur when an attacker can inject malicious SQL code into a database query, allowing them to manipulate or extract data from the database. This can lead to data theft, data modification, or even complete database takeover.

Exploitation Techniques. Attackers can exploit SQLi vulnerabilities by manipulating URL parameters, form inputs, or other user-controlled data that is used in SQL queries. Common techniques include using the OR 1=1 condition, adding comments to bypass filters, and using UNION statements to extract data.

Mitigation Strategies. Websites can mitigate SQLi vulnerabilities by using prepared statements, parameterized queries, and input validation. The Yahoo! Sports Blind SQLi example shows how to test for SQLi vulnerabilities by looking for subtle changes to query results.

10. Master Server-Side Request Forgery to Access Internal Networks

A server-side request forgery (SSRF) vulnerability allows an attacker to make a server perform unintended network requests.

SSRF Defined. Server-Side Request Forgery (SSRF) vulnerabilities occur when an attacker can make a server perform unintended network requests, potentially accessing internal resources or interacting with external services on behalf of the server.

Exploitation Techniques. Attackers can exploit SSRF vulnerabilities by manipulating URL parameters, form inputs, or other user-controlled data that is used to construct HTTP requests. This can allow them to access internal servers, read sensitive files, or perform other malicious actions.

Mitigation Strategies. Websites can mitigate SSRF vulnerabilities by validating user input, whitelisting allowed domains, and implementing network segmentation. The ESEA SSRF example shows how to exploit SSRF vulnerabilities to query AWS metadata.

11. Exploit XML External Entity Vulnerabilities for Data Extraction

Attackers can exploit how an application parses eXtensible Markup Language (XML) by taking advantage of an XML External Entity (XXE) vulnerability.

XXE Defined. XML External Entity (XXE) vulnerabilities occur when an application parses XML input and allows the inclusion of external entities, which can be used to access local files, internal network resources, or even execute arbitrary code.

Exploitation Techniques. Attackers can exploit XXE vulnerabilities by crafting malicious XML documents that include external entity declarations, which can then be used to read sensitive files or perform other malicious actions.

Mitigation Strategies. Websites can mitigate XXE vulnerabilities by disabling external entity processing, validating XML input, and using secure XML parsers. The Read Access to Google example shows how to exploit XXE vulnerabilities to read internal files.

12. Recognize and Exploit Remote Code Execution Vulnerabilities

A remote code execution (RCE) vulnerability occurs when an application uses user-controlled input without sanitizing it.

RCE Defined. Remote Code Execution (RCE) vulnerabilities occur when an attacker can execute arbitrary code on a server, potentially compromising the entire system. This is one of the most severe types of vulnerabilities.

Exploitation Techniques. Attackers can exploit RCE vulnerabilities by injecting shell commands, executing functions in the programming language used by the application, or uploading malicious files.

Mitigation Strategies. Websites can mitigate RCE vulnerabilities by properly sanitizing user input, using secure coding practices, and implementing strict file upload policies. The Polyvore ImageMagick example shows how to exploit RCE vulnerabilities by leveraging known vulnerabilities in third-party libraries.

13. Identify and Exploit Memory Vulnerabilities

A memory vulnerability exploits a bug in the application’s memory management.

Memory Vulnerabilities Defined. Memory vulnerabilities occur when an application mishandles memory allocation or access, potentially leading to data leaks, crashes, or even remote code execution. These vulnerabilities are more common in languages like C and C++ that require manual memory management.

Types of Memory Vulnerabilities. Common types of memory vulnerabilities include buffer overflows (writing data beyond the allocated memory region) and read out of bounds (reading data beyond the allocated memory region).

Mitigation Strategies. Websites can mitigate memory vulnerabilities by using secure coding practices, performing thorough testing, and using memory-safe languages. The PHP ftp_genlist() Integer Overflow example shows how even languages with memory management can be vulnerable to memory bugs.

14. Master Subdomain Takeover Techniques

A subdomain takeover vulnerability occurs when a malicious attacker is able to claim a subdomain from a legitimate site.

Subdomain Takeover Defined. Subdomain takeover vulnerabilities occur when an attacker can claim a subdomain of a legitimate website, potentially serving malicious content or intercepting traffic. This often happens when a website forgets to remove a CNAME record pointing to a third-party service after discontinuing its use.

Exploitation Techniques. Attackers can exploit subdomain takeover vulnerabilities by registering an account on the third-party service and claiming the abandoned subdomain. Common services vulnerable to subdomain takeovers include Amazon S3, Heroku, and Zendesk.

Mitigation Strategies. Websites can mitigate subdomain takeover vulnerabilities by regularly reviewing and updating their DNS records, removing CNAME records pointing to unused services, and implementing monitoring systems to detect potential takeovers. The Ubiquiti Subdomain Takeover example shows how to exploit subdomain takeover vulnerabilities by claiming an abandoned S3 bucket.

15. Exploit Race Conditions by Manipulating Concurrent Processes

A race condition occurs when two processes race to complete based on an initial condition that becomes invalid while the processes are executing.

Race Conditions Defined. Race conditions occur when multiple processes or threads access and manipulate shared data concurrently, and the outcome depends on the order in which they execute. This can lead to unexpected behavior, data corruption, or security vulnerabilities.

Exploitation Techniques. Attackers can exploit race conditions by manipulating the timing of requests or by sending multiple requests simultaneously, potentially bypassing security checks or performing unauthorized actions.

Mitigation Strategies. Websites can mitigate race conditions by using proper synchronization mechanisms, such as locks or transactions, to ensure that shared data is accessed and modified in a consistent and predictable manner. The Accepting a HackerOne Invite Multiple Times example shows how to exploit race conditions by sending multiple requests simultaneously.

16. Identify and Exploit Insecure Direct Object References

An insecure direct object reference (IDOR) vulnerability occurs when an attacker can access or modify a reference to an object, such as a file, database record, account, and so on, to which they shouldn’t have access.

IDOR Defined. Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application exposes a direct reference to an internal implementation object, such as a file, directory, or database key, without proper authorization checks. This allows attackers to access or modify resources they shouldn't have access to.

Exploitation Techniques. Attackers can exploit IDOR vulnerabilities by manipulating URL parameters, form inputs, or other user-controlled data to access or modify resources they shouldn't have access to.

Mitigation Strategies. Websites can mitigate IDOR vulnerabilities by implementing proper authorization checks, using indirect object references, and encrypting sensitive data. The Binary.com Privilege Escalation example shows how to exploit IDOR vulnerabilities to escalate privileges.

17. Exploit OAuth Vulnerabilities to Steal Authentication Tokens

OAuth vulnerabilities are a type of application configuration vulnerability, meaning they rely on a developer’s implementation mistakes.

OAuth Vulnerabilities Defined. OAuth vulnerabilities occur when there are flaws in the implementation of the OAuth protocol, which is designed to simplify and standardize secure authorization on web, mobile, and desktop applications. These flaws can allow attackers to steal authentication tokens and access a targeted user’s account information on the resource server.

Exploitation Techniques. Attackers can exploit OAuth vulnerabilities by manipulating redirect URIs, stealing authorization codes, or bypassing state parameter validation.

Mitigation Strategies. Websites can mitigate OAuth vulnerabilities by properly validating redirect URIs, using strong state parameters, and implementing strict access control policies. The Stealing Slack OAuth Tokens example shows how to exploit OAuth vulnerabilities by manipulating redirect URIs.

18. Recognize and Exploit Application Logic and Configuration Vulnerabilities

Application logic and configuration vulnerabilities take advantage of mistakes made by developers.

Application Logic and Configuration Vulnerabilities Defined. Application logic vulnerabilities occur when a developer makes a coding logic mistake that an attacker can exploit to perform some unintended action. Configuration vulnerabilities occur when a developer misconfigures a tool, framework, third-party service, or other program or code in a way that results in a vulnerability.

Exploitation Techniques. Attackers can exploit application logic vulnerabilities by manipulating the flow of the application or by bypassing security checks. They can exploit configuration vulnerabilities by leveraging misconfigured settings or default credentials.

Mitigation Strategies. Websites can mitigate application logic and configuration vulnerabilities by using secure coding practices, performing thorough testing, and implementing strict configuration management policies. The Bypassing Shopify Administrator Privileges example shows how to exploit application logic vulnerabilities by bypassing permission checks.

19. Master Reconnaissance to Find Your Own Bug Bounties

When you first start hacking, it’s best to define your success based on the knowledge and experience you gain, rather than on the bugs you find or money you earn.

Reconnaissance is Key. Reconnaissance is the process of gathering information about a target application to identify potential vulnerabilities. This includes identifying subdomains, technologies, and functionality.

Subdomain Enumeration. Subdomain enumeration involves discovering all the subdomains associated with a target domain, which can significantly expand the attack surface. Tools like SubFinder and Knockpy can automate this process.

Port Scanning and Screenshotting. Port scanning involves identifying open ports on a server, which can reveal running services and potential vulnerabilities. Screenshotting involves capturing images of websites, which can help identify misconfigurations or sensitive content.

20. Craft Credible Vulnerability Reports to Maximize Impact

If you submit a vulnerability to a company that pays a bounty, respect its decision about the payout amount, but don’t be afraid to talk to the company.

Read the Policy. Before submitting a vulnerability report, carefully review the program policy to ensure that the vulnerability is in scope and that you haven't violated any rules.

Include Details. Provide as much detail as possible in your report, including the URL, affected parameters, steps to reproduce the vulnerability, and a clear explanation of the impact. Include screenshots or videos to demonstrate the vulnerability.

Reconfirm the Vulnerability. Before submitting your report, double-check that the vulnerability is valid and that you haven't made any mistakes. This can save you from embarrassment and maintain your reputation.

Last updated: April 22, 2025