====== The Bug Hunter's Methodology (TBHM) ======

A comprehensive methodology for web application bug bounty hunting, based on Jason Haddix's Bug Hunter's Methodology.

===== Chapters =====

  * [[tbhm:01_philosophy|01 - Philosophy]] - Mindset, differences from standard testing, report writing tips
  * [[tbhm:02_discovery|02 - Discovery]] - Finding the road less traveled, recon tools, port scanning
  * [[tbhm:03_mapping|03 - Mapping]] - Directory brute-forcing, OSINT, platform identification
  * [[tbhm:04_authorization|04 - Authorization and Session]] - Auth flaws, session management testing
  * [[tbhm:05_xss|05 - XSS]] - Cross-site scripting, polyglot payloads, input vectors
  * [[tbhm:06_sqli|06 - SQLi]] - SQL injection, polyglots, SQLmap, cheat sheets
  * [[tbhm:07_file_upload|07 - File Upload]] - LFI, malicious uploads, RFI, open redirects
  * [[tbhm:08_csrf|08 - CSRF]] - Cross-site request forgery testing checklist
  * [[tbhm:09_privilege|09 - Privilege / Logic / Transport]] - Privilege escalation, IDOR, business logic, transport security
  * [[tbhm:10_mobile|10 - Mobile]] - Mobile app data storage, logs, iOS testing
  * [[tbhm:11_auxiliary|11 - Auxiliary Info]] - Noise vulns, data-driven assessment workflow
  * [[tbhm:12_idor|12 - IDOR]] - Insecure direct object references
  * [[tbhm:fast_checklist|Fast Testing Checklist]] - Quick reference checklist for time-boxed assessments
  * [[tbhm:v4|v4 README]] - Version 4 updates

===== Quick Reference: Data-Driven Assessment =====

  - Hit all forms (search, registration, contact, password reset, comment) with polyglot strings
  - Scan those functions with Burp's built-in scanner
  - Check cookie behavior across login/logout/timeout cycles (is the session id rotated on login and invalidated on logout?)
  - Perform user enumeration checks (differing error messages or response times for valid vs. invalid usernames)
  - Test password reset flows (password sent in plaintext? token in the URL? token reusable or non-expiring?)
  - Rotate numeric account identifiers in URLs
  - Test sensitive functions for IDOR, auth bypass, CSRF, HTTP downgrade
  - Directory brute-force with the SecLists top short list
  - Test upload functions for executable file types
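Two of the checklist steps above, probing forms with a polyglot string and rotating a numeric identifier in a URL, as an added Python example. This is not code from TBHM or from this wiki. The hostnames, paths, field names, object ids and the canned responses in `sample_fetch` are constructed assumptions so the logic runs offline; `http_fetch` is the real transport to plug in against a live target (pass your session cookie in `headers`).

```python
"""Offline-testable versions of two data-driven checklist steps.

Added example (not TBHM's own code). Everything under "constructed" is
made up for the demo; `fetch` is pluggable so the same functions run
against a real host through `http_fetch`.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# fetch(url, form_data_or_None) -> (status, body)
Fetch = Callable[[str, Optional[Dict[str, str]]], Tuple[int, str]]

MARKER = "tbhm7x"               # unique token so reflections are easy to find
PROBE = f"'\"<{MARKER}>"        # constructed probe: quote, dquote, angle brackets
ID_RE = re.compile(r"(\d+)(?=[^\d]*$)")   # last run of digits in the URL


def http_fetch(url: str, data: Optional[Dict[str, str]] = None,
               headers: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Real transport for live testing. Returns (status, body) even on 4xx/5xx."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """How did the probe come back? Only 'raw' is worth a manual XSS follow-up."""
    if f"<{marker}>" in body:
        return "raw"        # angle brackets survived: output not HTML-encoded
    if f"&lt;{marker}&gt;" in body:
        return "escaped"    # encoded on output: this context looks safe
    if marker in body:
        return "partial"    # marker present, delimiters stripped or altered
    return "none"           # not reflected in this response at all


def probe_form(url: str, fields: List[str], fetch: Fetch) -> Dict[str, str]:
    """Submit the probe in one field at a time so a reflection is attributable."""
    results = {}
    for field in fields:
        data = {f: (PROBE if f == field else "x") for f in fields}
        _status, body = fetch(url, data)
        results[field] = classify_reflection(body)
    return results


def rotate_ids(url: str, fetch: Fetch, span: int = 2) -> List[dict]:
    """Swap the numeric id in `url` for its neighbours and flag IDOR candidates.

    A 2xx whose body differs from our own object is the signal; an identical
    body usually means a generic page rather than another user's data.
    Note: ID_RE takes the *last* number in the URL, so strip query strings
    that end in digits before calling this.
    """
    m = ID_RE.search(url)
    if not m:
        raise ValueError("no numeric identifier in URL")
    base_id = int(m.group(1))
    _base_status, base_body = fetch(url, None)
    findings = []
    for candidate in range(base_id - span, base_id + span + 1):
        if candidate == base_id or candidate < 0:
            continue
        probe_url = url[:m.start(1)] + str(candidate) + url[m.end(1):]
        status, body = fetch(probe_url, None)
        suspicious = 200 <= status < 300 and body != base_body
        findings.append({"id": candidate, "status": status, "suspicious": suspicious})
    return findings


# ---- constructed sample target (not a real host) ---------------------------
_ORDERS = {
    "1040": (404, "not found"),
    "1041": (200, '{"id":1041,"owner":"alice","total":88.10}'),   # someone else's
    "1042": (200, '{"id":1042,"owner":"me","total":12.50}'),      # our own order
    "1043": (403, "forbidden"),
    "1044": (403, "forbidden"),
}


def sample_fetch(url: str, data: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Canned responses: /api/orders/<id> lookups and a search form."""
    if data is None:
        return _ORDERS.get(url.rsplit("/", 1)[1], (404, "not found"))
    # The search page echoes `q` raw but HTML-encodes `name` (constructed behaviour).
    q, name = data.get("q", ""), data.get("name", "")
    safe = (name.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))
    return 200, f'<p>Results for {q}</p><input value="{safe}">'


def run_demo() -> dict:
    idor = rotate_ids("https://app.example/api/orders/1042", sample_fetch)
    forms = probe_form("https://app.example/search", ["q", "name"], sample_fetch)
    return {"idor": idor, "forms": forms}


if __name__ == "__main__":
    result = run_demo()
    for row in result["idor"]:
        print(row)
    print(result["forms"])
```

Against the constructed target the demo flags order 1041 (a 200 with a different owner) and leaves the 403/404 neighbours alone, and reports the `q` field as a raw reflection while `name` comes back escaped. On a real engagement, swap `sample_fetch` for `http_fetch` with your session cookie and treat "raw" and "suspicious" as leads to confirm by hand, not as findings.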