If you are starting in bug bounties, the most important thing is recon.
Also, one more tip is to master one vulnerability first. Do not try to master every vulnerability at once.
Recon is the Main Skill
Reconnaissance is the foundation of bug bounty hunting. There are many ways to do recon, and it is a very broad topic. Good recon helps you expand your scope and discover more assets, endpoints, and hidden functionality.
Recon is what makes your scope bigger. If your recon is strong, you will find more attack surfaces. If your recon is weak, you will miss most of the bugs.
When you start bug bounties, you must focus on recon first. It is the main skill that separates beginners from experienced hunters. A full article can be written only on recon techniques.
Open Redirect
Open redirect happens when a web application takes untrusted input and redirects the user to another site without proper validation.
This usually occurs when:
- A parameter controls the redirect destination
- The application does not verify the destination domain
Example:
https://example.com/?page=evil.com
Try combining domains:
https://example.com/?page=evil.com/?google.com
Using the @ trick:
www.google.com@evil.com
Testing with curl:
curl -I "https://example.com/?page=https://evil.com"
Look for:
HTTP/1.1 302 Found
Location: https://evil.com
Impact:
- Phishing attacks
- Token leakage
- Bypass of security checks
Cross Site Scripting (XSS)
Cross Site Scripting allows attackers to execute arbitrary client side code inside the victim’s browser. This happens when a web application takes user input and sends it back to the browser without proper sanitization or encoding.
With XSS, an attacker can:
- Read or modify page content
- Steal session cookies
- Perform actions as the victim
- Redirect users to phishing pages
- Capture keystrokes
- Inject malicious scripts into trusted sites
XSS is one of the most common vulnerabilities in bug bounty programs.
Types of XSS
- Reflected XSS
- Stored XSS
- DOM based XSS
Reflected XSS
Reflected XSS occurs when the payload is sent in the request and immediately reflected in the server response.
This usually happens in:
- Search fields
- Error messages
- URL parameters
- Headers
Example:
site.com/page?name=John
If the site returns:
Hello John
It means HTML is being rendered.
Test:
site.com/page?name=alert(1)
If the script executes, the site is vulnerable.
Basic payloads:
alert(1)
">alert(1)
'>alert(1)
Stored XSS
Stored XSS occurs when the payload is saved in the database and executed whenever the page is viewed.
Common locations:
- Comment sections
- Profile fields
- Messages
- Review forms
- File upload names
Example payload:
alert(1)
DOM Based XSS
DOM XSS occurs entirely on the client side when JavaScript reads attacker-controlled data and passes it to dangerous functions.
Common sources:
document.URL
document.referrer
location
location.href
location.search
Dangerous sinks:
eval
setTimeout
setInterval
document.write
innerHTML
outerHTML
Impact:
- Session hijacking
- Account takeover
- Phishing attacks
- Keylogging
- Admin account compromise
CSRF (Cross-Site Request Forgery)
CSRF allows attackers to perform actions on behalf of an authenticated user without their knowledge.
Conditions:
- Victim must be logged in
- Victim must interact with attacker content
- Application must lack CSRF protection
Possible impacts:
- Email change
- Password reset
- Account takeover
- Financial transactions
Example:
POST /change-email
email=attacker@mail.com
Try:
GET /change-email?email=attacker@mail.com
IDOR (Insecure Direct Object Reference)
IDOR occurs when applications expose direct references to objects without proper authorization checks.
Example:
/api/user?id=1001
Test:
/api/user?id=1002
/api/user?id=1003
Look for:
- Numeric IDs
- Sequential values
- Base64-encoded identifiers
Example:
echo "1001" | base64
IDOR is often one of the easiest bugs for beginners.
Local File Disclosure and Path Traversal
This vulnerability allows attackers to read files from the server by manipulating file paths.
Basic payload:
../../../etc/passwd
Bypass techniques:
..//..//..//
%00
%2e%2e%2f
Look for parameters:
file=
path=
page=
include=
Impact:
- Reading configuration files
- Accessing credentials
- Sensitive data exposure
- Possible path to remote code execution
SQL Injection (SQLi)
SQL injection allows attackers to interact directly with the database.
Possible actions:
- Read data
- Modify data
- Delete data
- Create new records
Types:
- Error-based SQLi
- Blind SQLi
Basic tests:
?id=1' AND 1=1--
?id=1' AND 1=2--
If responses differ, it may be injectable.
Time-based test:
?id=1' AND SLEEP(5)--
SSRF (Server-Side Request Forgery)
SSRF allows attackers to make the server send requests to internal or restricted resources.
Possible impacts:
- Access internal admin panels
- Scan internal network ports
- Read internal services
- Access cloud metadata
- Remote code execution in some cases
Example:
https://example.com/proxy?url=http://127.0.0.1
Internal targets:
http://127.0.0.1
http://localhost
http://10.0.0.1
http://172.16.0.1
http://192.168.0.1
http://169.254.169.254/latest/meta-data/
Rate Limiting Bypass
Rate limiting is used to prevent brute force attacks and abuse.
Common bypass methods:
- IP rotation
- Race conditions
- Parameter manipulation
Examples:
email@site.com%00
email@site.com%0d
email@site.com%0a
email@site.com%09
Headers to test:
X-Originating-IP
X-Forwarded-For
X-Remote-IP
X-Remote-Addr
X-Client-IP
X-Host
Check:
- OTP systems
- Login attempts
- Signup flows
- Token granting systems
CORS Misconfiguration
CORS issues occur when the server trusts untrusted origins.
Test request:
Origin: https://evil.com
Look for:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Impact:
- Data theft from authenticated users
- Cross-origin account compromise
Other Vulnerabilities to Learn
- Clickjacking
- Broken link hijacking
- HTML injection
- XXE
- RCE
- File upload vulnerabilities
Conclusion
If you are starting with bug bounties:
- Focus on recon first
- Learn core web vulnerabilities
- Understand how web applications work and languages like JavaScript and SQL
- Practice consistently
Recon will always be the most important skill in bug bounty hunting.
Focus on one vulnerability at a time. Do not try to learn everything at once.
When starting out, begin with IDOR since it is usually easier to find.
Top comments (0)