bug-bounty-reference
Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by bug type
Top Related Projects
A list of resources for those interested in getting started in bug bounties
A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.
A list of interesting payloads, tips and tricks for bug bounty hunters.
A curated list of bugbounty writeups (Bug type wise) , inspired from https://github.com/ngalongc/bug-bounty-reference
This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports
Quick Overview
The ngalongc/bug-bounty-reference repository is a comprehensive collection of bug bounty write-ups, resources, and tools for security researchers and bug hunters. It serves as a centralized reference point for various types of vulnerabilities, providing valuable insights and examples for those involved in bug bounty programs.
Pros
- Extensive collection of bug bounty write-ups across multiple platforms and vulnerability types
- Well-organized structure, making it easy to find specific information
- Regularly updated with new content and resources
- Includes links to tools and additional learning materials
Cons
- May be overwhelming for beginners due to the large amount of information
- Some links may become outdated over time
- Lacks a standardized format for write-ups, which can make comparison difficult
- Does not provide in-depth explanations for each vulnerability type
This repository is not a code library, so the code example and quick start sections have been omitted.
Competitor Comparisons
A list of resources for those interested in getting started in bug bounties
Pros of Resources-for-Beginner-Bug-Bounty-Hunters
- More comprehensive and structured content, organized into categories like methodologies, tools, and resources
- Includes learning paths and tutorials for beginners
- Regularly updated with new content and community contributions
Cons of Resources-for-Beginner-Bug-Bounty-Hunters
- May be overwhelming for absolute beginners due to the large amount of information
- Lacks specific vulnerability references found in bug-bounty-reference
Code Comparison
While both repositories primarily consist of markdown files and don't contain much code, here's a comparison of their directory structures:
Resources-for-Beginner-Bug-Bounty-Hunters:
├── assets/
├── methodologies/
├── resources/
└── README.md
bug-bounty-reference:
├── README.md
└── CONTRIBUTING.md
Resources-for-Beginner-Bug-Bounty-Hunters has a more organized structure with separate directories for different types of content, while bug-bounty-reference keeps all information in a single README file.
Both repositories serve as valuable resources for bug bounty hunters, with Resources-for-Beginner-Bug-Bounty-Hunters offering a more comprehensive guide for beginners, and bug-bounty-reference providing a focused list of vulnerability references and write-ups.
A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.
Pros of awesome-bug-bounty
- More comprehensive and regularly updated list of resources
- Better organized with clear categories and subcategories
- Includes a wider range of topics, such as tools, platforms, and educational resources
Cons of awesome-bug-bounty
- May be overwhelming for beginners due to the large amount of information
- Less focused on specific vulnerabilities and their write-ups
Code comparison
While both repositories are primarily curated lists of resources, they don't contain significant code samples. However, here's a comparison of their README structures:
awesome-bug-bounty:
# awesome-bug-bounty
## Table of Contents
- [Getting Started](#getting-started)
- [Write Ups & Authors](#write-ups--authors)
- [Platforms](#platforms)
bug-bounty-reference:
# Bug Bounty Reference
- [XSS](#xss)
- [SQL Injection](#sql-injection)
- [XXE](#xxe)
The awesome-bug-bounty repository has a more structured and detailed table of contents, reflecting its broader scope and organization. The bug-bounty-reference repository focuses more on specific vulnerability types in its structure.
A list of interesting payloads, tips and tricks for bug bounty hunters.
Pros of bugbounty-cheatsheet
- More structured and organized content, with clear categories and subcategories
- Includes practical examples and payloads for various vulnerability types
- Regularly updated with contributions from the community
Cons of bugbounty-cheatsheet
- Less comprehensive in terms of overall resources and references
- Focuses primarily on specific vulnerabilities and techniques, rather than providing a broad overview of bug bounty programs
Code comparison
bugbounty-cheatsheet:
<script>alert(document.domain)</script>
<script>alert(1)</script>
<script>alert(1);</script>
<script>alert('XSS')</script>
bug-bounty-reference:
No direct code examples provided in the main repository.
The project focuses on linking to external resources rather
than providing code snippets.
Summary
bugbounty-cheatsheet is a more focused and practical resource for bug bounty hunters, providing specific examples and payloads for various vulnerabilities. It's well-organized and regularly updated, making it easy for users to find relevant information quickly.
bug-bounty-reference, on the other hand, collects links to publicly disclosed write-ups organized by vulnerability class. It covers more vulnerability types but provides no code examples or payloads within the repository itself.
Both repositories serve different purposes and can be valuable for bug bounty hunters depending on their specific needs and level of expertise.
A curated list of bugbounty writeups (Bug type wise) , inspired from https://github.com/ngalongc/bug-bounty-reference
Pros of Awesome-Bugbounty-Writeups
- More comprehensive and regularly updated collection of writeups
- Organized by vulnerability types, making it easier to find specific topics
- Includes a section on tools and resources for bug bounty hunting
Cons of Awesome-Bugbounty-Writeups
- Less focus on specific bug bounty programs and their references
- May be overwhelming for beginners due to the large number of writeups
- Lacks a clear rating system for the importance or impact of vulnerabilities
Code Comparison
While both repositories primarily consist of markdown files with lists of links, Awesome-Bugbounty-Writeups includes more detailed categorization:
## SQL Injection
- [SQL Injection Cheat Sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
- [Blind SQL Injection](https://www.acunetix.com/websitesecurity/blind-sql-injection/)
bug-bounty-reference uses a simpler structure:
### SQL Injection
* [SQL injection in an UPDATE query - a bug bounty story!](https://zombiehelp54.blogspot.com/2017/02/sql-injection-in-update-query-bug.html)
Both repositories serve as valuable resources for bug bounty hunters, with Awesome-Bugbounty-Writeups offering a more extensive collection of writeups and bug-bounty-reference providing a shorter, hand-picked list organized the same way, by vulnerability type.
This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports
Pros of bounty-targets-data
- Provides up-to-date, machine-readable data on bug bounty programs
- Includes automated hourly updates of target scopes and rewards
- Offers a comprehensive list of in-scope URLs for various bug bounty platforms
Cons of bounty-targets-data
- Focuses solely on program data, lacking educational resources or vulnerability references
- May require additional processing or tools to extract actionable insights
- Limited to specific bug bounty platforms, potentially missing some programs
Code comparison
bug-bounty-reference:
## Cross-Site Scripting (XSS)
- [Comprehensive XSS Guide](https://github.com/s0md3v/AwesomeXSS)
- [XSS Payloads](https://github.com/payloadbox/xss-payload-list)
bounty-targets-data:
{
"name": "Example Program",
"url": "https://example.com/security",
"domains": ["*.example.com"],
"rewards": {
"low": 100,
"medium": 500,
"high": 1000
}
}
The bug-bounty-reference repository provides curated links to vulnerability resources, while bounty-targets-data focuses on structured program information. The former is better suited for learning and reference, while the latter is ideal for automation and data analysis in bug bounty hunting.
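As an added example of the kind of automation the structured data enables (this is not code from either repository), the following Python snippet loads a program record in the shape shown above and answers the question a hunter asks before touching a host: is this target actually in scope? The record, its domains and the wildcard semantics (`*.example.com` covers subdomains but not the apex) are assumptions; bounty-targets-data's real schema is not reproduced on this page.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape shown on this page; not a real program record.
SAMPLE_PROGRAMS_JSON = """
[
  {
    "name": "Example Program",
    "url": "https://example.com/security",
    "domains": ["*.example.com", "api.example.org"],
    "rewards": {"low": 100, "medium": 500, "high": 1000}
  },
  {
    "name": "Other Program",
    "url": "https://other.example/security",
    "domains": ["other.example"],
    "rewards": {"low": 50, "medium": 250, "high": 750}
  }
]
"""

PROGRAMS = json.loads(SAMPLE_PROGRAMS_JSON)


def host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one scope entry.

    Assumed semantics: '*.example.com' covers subdomains only, not the apex,
    and an exact entry covers only itself. The check anchors on the leading
    dot, so 'evil-example.com' does not match '*.example.com' the way a
    naive endswith('example.com') would.
    """
    pattern = pattern.lower().strip()
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        return host.endswith(suffix) and host != pattern[2:]
    return host == pattern


def hostname_of(target: str) -> str:
    """Accept a bare hostname or a full URL; return the hostname without port/path."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.split("/")[0].split(":")[0]


def programs_for(target: str, programs=PROGRAMS):
    """Names of every program whose domain list covers the target."""
    host = hostname_of(target)
    return [
        p["name"]
        for p in programs
        if any(host_matches(d, host) for d in p.get("domains", []))
    ]


def in_scope(target: str, programs=PROGRAMS) -> bool:
    return bool(programs_for(target, programs))


if __name__ == "__main__":
    for t in ["app.example.com", "example.com", "evil-example.com",
              "https://API.example.org:8443/v1", "www.other.example"]:
        print(f"{t:40} in scope: {in_scope(t)}  {programs_for(t)}")
```

Run it against the real data dump by replacing `SAMPLE_PROGRAMS_JSON` with the file contents and adapting the field names to the platform's schema; the matching logic is the part worth keeping, since wildcard handling is where out-of-scope testing usually creeps in.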
README
Bug Bounty Reference
A list of bug bounty write-ups categorized by bug type, inspired by https://github.com/djadmin/awesome-bug-bounty
Introduction
I have been reading bug bounty write-ups for a few months, and I found it extremely useful to read a relevant write-up when I came across a type of vulnerability that I had no idea how to exploit. Say you found an RPO (Relative Path Overwrite) on a website but have no idea how to exploit it; the perfect place to go would be here. Or you have found that your customer is using an OAuth mechanism but have no idea how to test it; again, the perfect place to go would be here.
My intention is to make a full and complete list of common vulnerabilities that have publicly disclosed bug bounty write-ups, so that bug bounty hunters can use this page as a reference when they want to gain some insight into a particular kind of vulnerability during a hunt. Feel free to submit a pull request. Okay, enough chit-chatting, let's get started.
- XSSI
- Cross-Site Scripting (XSS)
- Brute Force
- SQL Injection (SQLi)
- External XML Entity Attack (XXE)
- Remote Code Execution (RCE)
- Cross-Site Request Forgery (CSRF)
- Insecure Direct Object Reference (IDOR)
- Stealing Access Token
- Server Side Request Forgery (SSRF)
- Unrestricted File Upload
- Race Condition
- Business Logic Flaw
- Authentication Bypass
- HTTP Header Injection
- Email Related
- Money Stealing
- Miscellaneous
Cross-Site Scripting (XSS)
- Sleeping stored Google XSS Awakens a $5000 Bounty by Patrik Fehrenbach
- RPO that lead to information leakage in Google by filedescriptor
- God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton
- An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton
- he was able to turn a stored XSS on an unrelated domain into one on the main Facebook domain
- Stored XSS in *.ebay.com by Jack Whitton
- Complicated, Best Report of Google XSS by Ramzes
- Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com by secgeek
- Command Injection in Google Console by Venkat S
- Facebook's Moves - OAuth XSS by PAULOS YIBELO
- Stored XSS in Google Docs (Bug Bounty) by Harry M Gertos
- Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)
- Yahoo Mail stored XSS by Klikki Oy
- Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) by Masato Kinugawa
- Youtube XSS by fransrosen
- Best Google XSS again - by Krzysztof Kotowicz
- IE & Edge URL parsing problem - by detectify
- Google XSS subdomain Clickjacking
- Google Japan Book XSS
- Flash XSS mega nz - by frans
- xss in google IE, Host Header Reflection
- Years ago Google xss
- xss in google by IE weird behavior
- xss in Yahoo Fantasy Sport
- xss in Yahoo Mail Again, worth $10000 by Klikki Oy
- Sleeping XSS in Google by securityguard
- Decoding a .htpasswd to earn a payload of money by securityguard
- Google Account Takeover
- AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 by geekboy
- Uber Self XSS to Global XSS
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin Moulinier
- Airbnb - When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities by Brett
- XSSI, Client Side Brute Force
- postMessage XSS Bypass
- XSS in Uber via Cookie by zhchbin
- Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP by frans
- XSS due to improper regex in third party js Uber 7k XSS
- XSS in TinyMCE 2.4.0 by Jelmer de Hen
- Pass unencoded URL in IE11 to cause XSS
- Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov
- Auth DOM Uber XSS
- XSS in www.yahoo.com
- Stored XSS, and SSRF in Google using the Dataset Publishing Language
- Stored XSS on Snapchat
- Researching Polymorphic Images for XSS on Google Scholar
- OLX Bug Bounty: Reflected XSS in 404 Page
Brute Force
- Web Authentication Endpoint Credentials Brute-Force Vulnerability by Arne Swinnen
- InstaBrute: Two Ways to Brute-force Instagram Account Credentials by Arne Swinnen
- How I Could Compromise 4% (Locked) Instagram Accounts by Arne Swinnen
- Possibility to brute force invite codes in riders.uber.com by r0t
- Brute-Forcing invite codes in partners.uber.com by Efkan Gökbaş (mefkan)
SQL Injection
- SQL injection in Wordpress Plugin Huge IT Video Gallery in Uber by glc
- SQL Injection on sctrack.email.uber.com.cn by Orange Tsai
- Yahoo - Root Access SQL Injection - tw.yahoo.com by Brett Buerhaus
- Multiple vulnerabilities in a WordPress plugin at drive.uber.com by Abood Nour (syndr0me)
- GitHub Enterprise SQL Injection by Orange
- Yahoo SQL Injection to Remote Code Execution to Root Privilege by Ebrahim Hegazy
Stealing Access Token
- Facebook Access Token Stolen by Jack Whitton
- Obtaining Login Tokens for an Outlook, Office or Azure Account by Jack Whitton
- Bypassing Digits web authentication's host validation with HPP by filedescriptor
- Bypass of redirect_uri validation with /../ in GitHub by Egor Homakov
- Bypassing callback_url validation on Digits by filedescriptor
- Stealing livechat token and using it to chat as the user - user information disclosure by Mahmoud G. (zombiehelp54)
- Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) by mongo (mongo)
- Internet Explorer has a URL problem, on GitHub by filedescriptor
- How I made LastPass give me all your passwords by labsdetectify
- Bypass redirect_uri by nbsriharsha
- Google oauth bypass
Clickjacking
CSRF
- Messenger.com CSRF that show you the steps when you check for CSRF by Jack Whitton
- Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) by Florian Courtial
- Hacking PayPal Accounts with one click (Patched) by Yasser Ali
- Add tweet to collection CSRF by vijay kumar
- Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun by phwd
- How i Hacked your Beats account ? Apple Bug Bounty by @aaditya_purani
- FORM POST JSON: JSON CSRF on POST Heartbeats API by Dr.Jones
- Hacking Facebook accounts using CSRF in Oculus-Facebook integration
Remote Code Execution
- JDWP Remote Code Execution in PayPal by Milan A Solanki
- XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers by Reginaldo Silva
- How I Hacked Facebook, and Found Someone's Backdoor Script by Orange Tsai
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! by Orange Tsai
- uber.com may RCE by Flask Jinja2 Template Injection by Orange Tsai
- Yahoo Bug Bounty - *.login.yahoo.com Remote Code Execution by Orange Tsai (Sorry, it's in Chinese only)
- How we broke PHP, hacked Pornhub and earned $20,000 by Ruslan Habalov
- Alert, God-like write-up, make sure you know what ROP is before clicking, which I don't =(
- RCE due to tricky file upload by secgeek
- WordPress SOME bug in plupload.flash.swf leading to RCE in Automattic by Cure53 (cure53)
- Read-Only user can execute arbitrary shell commands on AirOS by 93c08539 (93c08539)
- Remote Code Execution by image upload! by Raz0r (ru_raz0r)
- Popping a shell on the Oculus developer portal by Bitquark
- Crazy! PornHub RCE AGAIN!!! How I hacked Pornhub for fun and profit - 10,000$ by 5haked
- PayPal Node.js code injection (RCE) by Michael Stepankin
- eBay PHP Parameter Injection lead to RCE
- Yahoo Acquisition RCE
- Command Injection Vulnerability in Hostinger by @alberto__segura
- RCE in Airbnb by Ruby Injection by buer
- RCE in Imgur by Command Line
- RCE in git.imgur.com by abusing outdated software by Orange Tsai
- RCE in Disclosure
- Remote Code Execution by Struts2 on a Yahoo Server
- Command Injection in Yahoo Acquisition
- $50k RCE in JetBrains IDE
- Telekom.de Remote Command Execution! by Ebrahim Hegazy
- Magento Remote Code Execution Vulnerability! by Ebrahim Hegazy
- Yahoo! Remote Command Execution Vulnerability by Ebrahim Hegazy
Deserialization
- Java Deserialization in manager.paypal.com by Michael Stepankin
- Instagram's Million Dollar Bug by Wesley Wineberg
- Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)
- Java deserialization by meals
ImageTragick
- Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition) by NaHamSec
- Exploiting ImageMagick to get RCE on HackerOne by c666a323be94d57
- Trello bug bounty: Access server's files using ImageTragick by Florian Courtial
- 40k fb rce
- Yahoo Bleed 1
- Yahoo Bleed 2
Insecure Direct Object Reference (IDOR)
- Trello bug bounty: The websocket receives data when a public company creates a team visible board by Florian Courtial
- Trello bug bounty: Payments informations are sent to the webhook when a team changes its visibility by Florian Courtial
- Change any user's password in Uber by mongo
- Vulnerability in Youtube allowed moving comments from any video to another by secgeek
- It's a Google vulnerability, so it's worth reading, as Google vulnerabilities are generally harder to find
- Twitter Vulnerability Could Credit Cards from Any Twitter Account by secgeek
- One Vulnerability allowed deleting comments of any user in all Yahoo sites by secgeek
- Microsoft-careers.com Remote Password Reset by Yaaser Ali
- How I could change your eBay password by Yaaser Ali
- Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication by Duo Labs
- How I got access to millions of [redacted] accounts
- All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description by Enguerran Gillier (opnsec)
- Urgent: attacker can access every data source on Bime by Jobert Abma (jobert)
- Downloading password protected / restricted videos on Vimeo by Gazza (gazza)
- Get organization info base on uuid in Uber by Severus (severus)
- How I Exposed your Primary Facebook Email Address (Bug worth $4500) by Roy Castillo
- DOB disclosed using "Facebook Graph API Reverse Engineering" by Raja Sekar Durairaj
- Change the description of a video without publish_actions permission in Facebook by phwd
- Response To Request Injection (RTRI) by ?, honestly, thanks to this article I have found quite a few bugs by using this method, respect to the author!
- Leak of all project names and all user names , even across applications on Harvest by Edgar Boda-Majer (eboda)
- Changing paymentProfileUuid when booking a trip allows free rides at Uber by Matthew Temmy (temmyscript)
- View private tweet
- Hacking Facebook's Legacy API, Part 1: Making Calls on Behalf of Any User by Stephen Sclafani
- Hacking Facebook's Legacy API, Part 2: Stealing User Sessions by Stephen Sclafani
- Delete FB Video
- Viewing private Airbnb Messages
- IDOR tweet as any user by kedrisec
- Mass Assignment, Response to Request Injection, Admin Escalation by sean
- Getting any Facebook user's friend list and partial payment card details
- Manipulation of ETH balance
XXE
- How we got read access on Google's production servers by detectify
- Blind OOB XXE At UBER 26+ Domains Hacked by Raghav Bisht
- XXE through SAML
- XXE in Uber to read local files
Unrestricted File Upload
- File Upload XSS in image uploading of App in mopub by vijay kumar
- RCE due to tricky file upload by secgeek
- File Upload XSS in image uploading of App in mopub in Twitter by vijay kumar (vijay_kumar1110)
Server Side Request Forgery (SSRF)
- ESEA Server-Side Request Forgery and Querying AWS Meta Data by Brett Buerhaus
- SSRF to pivot internal network
- SSRF to LFI
- SSRF to query google internal server
- SSRF by using third party Open redirect by Brett BUERHAUS
- SSRF tips from BugBountyHQ of Images
- SSRF to RCE
- XXE at Twitter
- Blog post: Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
- Plotly AWS Metadata SSRF (and a stored XSS)
Race Condition
- Race conditions on Facebook, DigitalOcean and others (fixed) by Josip Franjković
- Race Conditions in Popular reports feature in HackerOne by Fábio Pires (shmoo)
- Hacking Starbuck for unlimited money by Egor Homakov
Business Logic Flaw
- How I Could Steal Money from Instagram, Google and Microsoft by Arne Swinnen
- Facebook - bypass ads account's roles vulnerability 2015 by POUYA DARABI
- Uber Eat for Free by
Authentication Bypass
- OneLogin authentication bypass on WordPress sites via XMLRPC in Uber by Jouko Pynnönen (jouko)
- 2FA PayPal Bypass by henryhoggard
- SAML Bug in Github worth 15000
- Authentication bypass on Airbnb via OAuth tokens theft
- Administrative Panel Access by c0rni3sm
- Flickr Oauth Misconfiguration by mishre
- Slack SAML authentication bypass by Antonio Sanso
- Shopify admin authentication bypass using partners.shopify.com by uzsunny
HTTP Header Injection
- Twitter Overflow Trilogy in Twitter by filedescriptor
- Twitter CRLF by filedescriptor
- Adblock Plus and (a little) more in Google
- $10k host header by Ezequiel Pereira
Subdomain Takeover
- Hijacking tons of Instapage expired users Domains & Subdomains by geekboy
- Reading Emails in Uber Subdomains
- Slack Bug Journey - by David Vieira-Kurz
- Subdomain takeover and chain it to perform authentication bypass by Arne Swinnen
- Hacker.One Subdomain Takeover - by geekboy
XSSI
- Plain Text Reading by XSSI
- JSON hijacking
- OWASP XSSI
- Japan Identifier based XSSI attacks
- JSON Hijack Slide
Email Related
- This domain is my domain - G Suite A record vulnerability
- I got emails - G Suite Vulnerability
- How I snooped into your private Slack messages [Slack Bug bounty worth $2,500]
- Reading Uber's Internal Emails [Uber Bug Bounty report worth $10,000]
- Slack Yammer Takeover by using TicketTrick by Inti De Ceukelaire
- How I could have mass uploaded from every Flickr account!
Money Stealing
Local File Inclusion (2017)
- Disclosure Local File Inclusion by Symlink
- Facebook Symlink Local File Inclusion
- Gitlab Symlink Local File Inclusion
- Gitlab Symlink Local File Inclusion Part II
- Multiple Company LFI
- LFI by video conversion, excited about this trick!
Miscellaneous
- SAML Pen Test Good Paper
- A list of FB writeup collected by phwd by phwd
- NoSQL Injection by websecurify
- CORS in action
- CORS in Fb messenger
- Web App Methodologies
- XXE Cheatsheet
- The road to hell is paved with SAML Assertions, Microsoft Vulnerability
- Study this if you would like to learn MongoDB injection by cirw
- Mongo DB Injection again by websecurify
- w3af speech about modern vulnerability by w3af
- Web cache attack that lead to account takeover
- A talk to teach you how to use SAML Raider
- XSS Checklist when you have no idea how to exploit the bug
- CTF write up, Great for Bug Bounty
- It turns out every site using jQuery Mobile together with an open redirect is vulnerable to XSS by sirdarckcat
- Bypass CSP by using google-analytics
- Payment Issue with Paypal
- Browser Exploitation in Chinese
- XSS bypass filter
- Markup Improper Sanitization
- Breaking XSS mitigations via Script Gadget
- X41 Browser Security White Paper
- Bug Bounty Cheatsheets By EdOverflow
- Messing with the Google Buganizer System for $15,600 in Bounties
- Electron Security White Paper
- Twitter's Vine Source code dump - $10080
- SAML Bible
- Bypassing Google's authentication to access their Internal Admin panels - Vishnu Prasad P G
- Smart Contract Vulnerabilities