Awesome Bug Bounty Tips Awesome
Last updated
Last updated
A curated list of amazingly bug bounty tips from security researchers around the world. Here’s a detailed Awesome Scripting and Automation Tools list designed to focus on bug bounty automation. It's GitHub-ready, beginner-friendly, and curated with actionable scripts and tools for effective automation.
A curated list of scripts, tools, and techniques to automate bug bounty and cybersecurity workflows.
Bug hunting often involves repetitive tasks like subdomain enumeration, vulnerability scanning, and reporting. Automating these tasks helps to:
Save time and effort.
Focus on manual, high-value targets.
Reduce human errors.
This list focuses on tools and scripts that streamline automation while keeping the process beginner-friendly.
Install core tools for scripting and automation:
Organize your workspace:
Feel free to fork this repo, add your custom scripts, and submit pull requests!
This Awesome Scripting and Automation Tools list is designed to grow and adapt. Suggestions and contributions are always welcome! 🚀
It is hard to look for Bug Bounty Tips from different social media websites. This repo helps to keep all these scattered tips at one place.
To find vulnerable domains and subdomains that is currently pointed to GitHub due to misconfiguration. Try searching the following syntax on publicwww. "There isn't a Github Pages site here". It will return thousands of pages containing domains and subdomains that could be vulnerable to Subdomain Takeover. - [@ajdumanhug](
- Passive subdomain enumeration.
- Active reconnaissance.
- Probe live hosts.
- Template-based scanning.
- XSS scanning tool.
- SQL injection automation.
- Fuzzing tool.
- Directory brute-forcing.
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel (/users/sign_in), navigate to /explore. Once you get in, use the search function to find passwords, keys, etc. -
If you have found an authenticated stored XSS vulnerability that requires specific permissions to exploit — say administrator-level access — always check to see if the POST request that transmitts the payload is vulnerable to CSRF or an IDOR. This will increase the impact, since as an attacker you no longer need an account with certain permissions to exploit the issue. -
If you are in heroku, try calling /app/Procfile to get the installation instructions that a dev had when deploying to heroku. If that loads and you know what stack it uses, you should be able to find the source code of the app in /app directory. For example if it is rails, you can pull routes.rb by calling /app/config/routes.rb. The app folder is the main directory where all deployed code is stored. -
most java web apps allow bypassing common LFI filtering rules by doing the following: http://domain.tld/page.jsp?include=..;/..;/sensitive.txt -
If you find jsp page with no parameters. You can actually add path parameters using semicolon. Like this example.com/test.jsp;');alert(1)// & perform XSS. Apache tomcat support this. -
When you have a SSRF vulnerability on a Google Cloud server, the fastest way to grab all internal metadata is this "All in one" payload: http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true -
Always do printenv to see if your inside a container when you have a RCE you can escalate it further if you break outside the container. -
Struggling with SSL Pinning or root detection on Android or iOS? Use [Objection] (https://github.com/sensepost/objection) to easily bypass them. -
Dont just statically analyze apps. Dynamic analysis is where I find 90% of my mobile bugs. Look at old and new versions of apps. Sometimes you can derive API keys from the older apps that still work! -
Use commoncrawl for finding subdomains and endpoints. Sometimes you find endpoints that can't directly be visited from the UI but has been indexed from other sites. curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq -r .url | sort -u -
Add to scope all your target subdomains on @Burp_Suite "Target" tab >> "Scope" >> "Use advanced scope control" checkbox >> "Add" button >> Set Protocol: Any - Host/IP range: .*.domain.com$ >> Enjoy! -
Threatcrowd is able to list domains registered by a specific email address: https://www.threatcrowd.org/email.php?email=domain@teslamotors.com Very handy for open-scope. -
Need to bypass a firewall? Use securitytrails.com to find the originating server IP. (https://github.com/vincentcox/bypass-firewalls-by-DNS-history) -
You can enumerate directories in some buckets with Wfuzz. Rule for Wfuzz: http(s):///FUZZ/ Successful: 200 Status code without content -
Want to find some internal code of companies or some sample codes of new features? Checkout with: site:repl.it intext:. In companydomain, if you know the internal domain it is even better.
Look for hackathon-related assets. Companies sometimes run hackathons and give attendees special access to certain API endpoints or temporary credentials. I have found GIT repositories that were set up for hackathons full of sensitive information. -
If you submit a report and want the triage team to quickly triage your report, include your test credenetials in the report. This is especially useful if user permissions and roles are involved. -
Do not just inspect source code, check GIT logs for information too. Here are some simple tricks that you can add to your reconnaissance workflow: https://gist.github.com/EdOverflow/a9aad69a690d97a8da20cd4194ca6596 -
Look for hackathon-related assets. Companies sometimes run hackathons and give attendees special access to certain API endpoints or temporary credentials. I have found GIT repositories that were set up for hackathons full of sensitive information. -
As a hacker you will come across many different pieces of software that you haven’t used before. It often pays off to take the time to install / use it to 1) create a sandbox to test particular scenarios and 2) understand the software better to find more vulns faster. -
Always check an e-mail's headers and body. They often contain valuable information and endpoints! -
If a bounty target offers premium features, buy them and test the new endpoints. Most of the times, it's worth the investment! -
Follow the marketing guys (e.g., Director or Manager) of the product you're targeting for #BugBounty. These guys are awesome in telling you all the new features that are in pipeline or just released. You will be the first to get your hands dirty. -
Did you know that the character '_' acts like the regex character '.' in SQL queries. https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php -
If a website does not verify email, try signing up with @domain.com (the company email). Sometimes this gives you higher privilege like deleting/viewing any other user's profiles etc.
