<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://wiki.cyberdiary.net/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://wiki.cyberdiary.net/feed.php">
        <title>Cybersecurity</title>
        <description></description>
        <link>https://wiki.cyberdiary.net/</link>
        <image rdf:resource="https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg" />
       <dc:date>2026-06-28T19:06:43+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=start&amp;rev=1778781839&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=all_articles&amp;rev=1778781839&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:16_template_injection&amp;rev=1778781766&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:25_fuzzing&amp;rev=1778781766&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:22_code_reviews&amp;rev=1778781560&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:23_android_hacking&amp;rev=1778781560&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:24_api_hacking&amp;rev=1778781559&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:19_sop&amp;rev=1778781205&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:20_sso&amp;rev=1778781205&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:21_info_disclosure&amp;rev=1778781205&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:18_rce&amp;rev=1778773902&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:17_logic_errors&amp;rev=1778773902&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:15_xxe&amp;rev=1778773902&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:14_insecure_deserialization&amp;rev=1778773902&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:ssrf&amp;rev=1778771787&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:06_sqli&amp;rev=1778770670&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:12_race_conditions&amp;rev=1778770670&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:12_idor&amp;rev=1778752344&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:08_csrf&amp;rev=1778752228&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg">
        <title>Cybersecurity</title>
        <link>https://wiki.cyberdiary.net/</link>
        <url>https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg</url>
    </image>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=start&amp;rev=1778781839&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T18:03:59+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>start - add bbc section to home page</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=start&amp;rev=1778781839&amp;do=diff</link>
        <description>Cybersecurity Wiki

Knowledge base for bug bounty hunting and web security research.

Bug Bounty Bootcamp (BBC)

All 25 chapters from Vickie Li's Bug Bounty Bootcamp (No Starch Press, 2021).

	*  Ch 01 - Picking a Program | Ch 02 - Sustaining Success | Ch 03 - How the Internet Works | Ch 04 - Environment Setup
	*  Ch 08 - Clickjacking | Ch 12 - Race Conditions
	*  Ch 14 - Deserialization | Ch 15 - XXE | Ch 16 - SSTI
	*  Ch 17 - Logic Errors | Ch 18 - RCE
	*  Ch 19 - SOP/CORS | Ch 20 - SSO | Ch 2…</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=all_articles&amp;rev=1778781839&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T18:03:59+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>all_articles - add bbc namespace - all 25 chapters indexed</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=all_articles&amp;rev=1778781839&amp;do=diff</link>
        <description>All Articles

Complete index of every page on this wiki.

Bug Bounty Bootcamp (BBC)

Vickie Li, No Starch Press, 2021. All 25 chapters processed.

Standalone BBC Articles

	*  Ch 01 - Picking a Bug Bounty Program
	*  Ch 02 - Sustaining Your Success
	*  Ch 03 - How the Internet Works
	*  Ch 04 - Environment Setup
	*  Ch 08 - Clickjacking
	*  Ch 12 - Race Conditions
	*  Ch 14 - Insecure Deserialization
	*  Ch 15 - XML External Entity (XXE)
	*  Ch 16 - Server-Side Template Injection (SSTI)
	*  Ch 1…</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:16_template_injection&amp;rev=1778781766&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T18:02:46+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>16_template_injection - fix SSTI formatting - escape DokuWiki curly brace interpretation</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:16_template_injection&amp;rev=1778781766&amp;do=diff</link>
        <description>BBC Ch 16: Server-Side Template Injection (SSTI)

Source: Bug Bounty Bootcamp by Vickie Li

Template engines (Jinja2, Twig, FreeMarker, ERB, Smarty) combine application data with templates to generate HTML pages. SSTI occurs when user input is concatenated directly into a template string rather than passed in as a safe data variable.</description>
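The concatenation-versus-variable distinction above, as an added example that is not code from the page or from the book. Python's built-in str.format stands in for the template engine because the mechanic is the same as in Jinja2 or Twig: input spliced into the template source is interpreted, input passed as a value is not. The AppConfig class, its secret_key value and the function names are constructed for illustration.

```python
"""SSTI mechanic: user input concatenated into the template text vs. passed as data.

Added example, not from the page. Python's str.format plays the role of the
template engine; the leak works the same way in Jinja2-style engines."""


class AppConfig:
    """Stand-in for application configuration reachable from template scope (constructed)."""
    def __init__(self):
        self.secret_key = "s3cr3t-example-value"   # constructed, not a real secret


CONFIG = AppConfig()


def render_unsafe(name: str) -> str:
    """Vulnerable: user input becomes part of the template source, so any
    placeholder syntax inside it is interpreted by the engine."""
    template = "Hello " + name + "!"
    return template.format(config=CONFIG)


def render_safe(name: str) -> str:
    """Fixed: the template is a constant; user input is only ever a value,
    so placeholder syntax in it is rendered literally."""
    template = "Hello {name}!"
    return template.format(name=name, config=CONFIG)


def ssti_probe(render) -> bool:
    """Detection step: submit template syntax and see whether it is evaluated.
    Returns True when the renderer interpreted the input (either the output
    changed, or the engine raised while parsing the input as syntax)."""
    probe = "{config.secret_key}"
    try:
        return render(probe) != "Hello " + probe + "!"
    except (ValueError, KeyError, AttributeError):
        return True


if __name__ == "__main__":
    print(render_unsafe("{config.secret_key}"))   # leaks the secret
    print(render_safe("{config.secret_key}"))     # prints the braces literally
```

A probe that produces a different result than its literal text, or that triggers a template parse error, is the signal to look for; a probe that is echoed back unchanged means the input is being treated as data.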
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:25_fuzzing&amp;rev=1778781766&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T18:02:46+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>25_fuzzing - bbc ch25 automated vulnerability discovery and fuzzing</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:25_fuzzing&amp;rev=1778781766&amp;do=diff</link>
        <description>BBC Ch 25: Automated Vulnerability Discovery / Fuzzing

Source: Bug Bounty Bootcamp by Vickie Li

Top bug bounty hunters automate the majority of their workflow: continuous recon, automated scanning, and immediate verification when a potential vulnerability is flagged. Fuzzing (fuzz testing) drives a large share of new CVE discoveries and is equally applicable to web applications.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:22_code_reviews&amp;rev=1778781560&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T17:59:20+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>22_code_reviews - bbc ch22 code reviews</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:22_code_reviews&amp;rev=1778781560&amp;do=diff</link>
        <description>BBC Ch 22: Code Reviews

Source: Bug Bounty Bootcamp by Vickie Li

Source code review is one of the most effective ways to find vulnerabilities. Even partial access to source code (leaked repos, JS files, open-source components) dramatically increases your attack surface visibility.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:23_android_hacking&amp;rev=1778781560&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T17:59:20+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>23_android_hacking - bbc ch23 android hacking</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:23_android_hacking&amp;rev=1778781560&amp;do=diff</link>
        <description>BBC Ch 23: Android Hacking

Source: Bug Bounty Bootcamp by Vickie Li

Android apps communicate with the same backend APIs as web apps. Many web vulnerabilities (IDORs, SQLi, XSS, auth bugs) appear in the mobile surface. Android-specific issues include certificate pinning bypass, hardcoded secrets in APKs, and insecure local storage.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:24_api_hacking&amp;rev=1778781559&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T17:59:19+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>24_api_hacking - bbc ch24 api hacking</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:24_api_hacking&amp;rev=1778781559&amp;do=diff</link>
        <description>BBC Ch 24: API Hacking

Source: Bug Bounty Bootcamp by Vickie Li

APIs are the backbone of modern web and mobile apps. They often expose the same backend logic with fewer protections than the main web interface. Many programs explicitly include API endpoints in scope.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:19_sop&amp;rev=1778781205&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T17:53:25+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>19_sop - bbc ch19 same-origin policy vulnerabilities</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:19_sop&amp;rev=1778781205&amp;do=diff</link>
        <description>BBC Ch 19: Same-Origin Policy (SOP) Vulnerabilities

Source: Bug Bounty Bootcamp by Vickie Li

The Same-Origin Policy (SOP) restricts scripts on one origin from reading data from another origin. Two URLs share an origin only if they have the same protocol, hostname, and port. Because browsers automatically attach session cookies to every request for a matching domain, the SOP prevents cross-origin scripts from using those cookies to read private data.</description>
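The origin definition above turned into a check, as an added example (not code from the page or the book). origin_of, same_origin and cors_allows are names chosen here; the CORS allowlist check is the server-side counterpart of the same rule and is included because the chapter index lists this page as SOP/CORS.

```python
"""Origin comparison the way a browser does it: scheme, host and port must all
match. Added example, not code from the page."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) triple that defines a URL's origin.
    Default ports are filled in so https://a.example and https://a.example:443
    compare equal; the host is lower-cased; path, query and fragment are
    ignored because they are not part of the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when protocol, hostname and port all agree."""
    return origin_of(url_a) == origin_of(url_b)


def cors_allows(origin_header: str, allowlist: set) -> bool:
    """Server-side counterpart: reflect Access-Control-Allow-Origin only for an
    exact origin match. A substring or suffix test ("ends with example.com")
    would also accept attacker-controlled hosts such as notexample.com, and an
    Origin of "null" never matches a real origin."""
    return origin_of(origin_header) in {origin_of(o) for o in allowlist}


if __name__ == "__main__":
    print(same_origin("https://App.Example.com:443/a", "https://app.example.com/b"))  # True
    print(same_origin("https://api.example.com", "https://example.com"))             # False
```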
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:20_sso&amp;rev=1778781205&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T17:53:25+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>20_sso - bbc ch20 single sign-on security issues</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:20_sso&amp;rev=1778781205&amp;do=diff</link>
        <description>BBC Ch 20: Single Sign-On (SSO) Security Issues

Source: Bug Bounty Bootcamp by Vickie Li

SSO lets users log in once and access multiple services. Three common implementations: cookie sharing, SAML, and OAuth. Each has unique vulnerabilities.

Cookie Sharing</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:21_info_disclosure&amp;rev=1778781205&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T17:53:25+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>21_info_disclosure - bbc ch21 information disclosure</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:21_info_disclosure&amp;rev=1778781205&amp;do=diff</link>
        <description>BBC Ch 21: Information Disclosure

Source: Bug Bounty Bootcamp by Vickie Li

Information disclosure bugs occur when an application exposes data it shouldn't -- version numbers, config files, source code, credentials, internal IPs, or users' private data. These bugs are among the most commonly found during bug bounty hunting.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:18_rce&amp;rev=1778773902&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T15:51:42+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>18_rce - bbc ch18 remote code execution</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:18_rce&amp;rev=1778773902&amp;do=diff</link>
        <description>BBC Ch 18: Remote Code Execution (RCE)

Source: Bug Bounty Bootcamp by Vickie Li

RCE lets an attacker execute arbitrary OS commands on the target server. It can be achieved via SQL injection, insecure deserialization, template injection, and two additional vectors covered here: code injection and file inclusion.</description>
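The two extra vectors named above, as an added example that is not code from the page or the book: an eval-based calculator beside an AST-allowlisted one for code injection, and a template include beside a path-contained one for file inclusion. TEMPLATE_ROOT, the function names and the sample inputs are assumptions for illustration.

```python
"""Code injection and file inclusion as vulnerable/hardened pairs.
Added example, not code from the page; the evaluator and the template
directory are constructed."""
import ast
import os

TEMPLATE_ROOT = "/srv/app/templates"   # assumed location, not from the page


def calc_vulnerable(expr: str):
    """Code injection: eval() on user input runs arbitrary Python, e.g.
    __import__('os').system('id')."""
    return eval(expr)


def calc_safe(expr: str):
    """Fix: parse to an AST and accept only arithmetic nodes; names, calls and
    attribute access are rejected before anything is evaluated."""
    tree = ast.parse(expr, mode="eval")
    allowed = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
               ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.Pow, ast.USub)
    for node in ast.walk(tree):
        if not isinstance(node, allowed):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float)):
            raise ValueError("only numeric literals are allowed")
    return eval(compile(tree, "calc", "eval"), {"__builtins__": {}}, {})


def include_path_vulnerable(page: str) -> str:
    """File inclusion: the page name is joined straight into the path, so
    '../../etc/passwd' walks out of the template directory and an absolute
    name replaces the root entirely (os.path.join drops the root then)."""
    return os.path.join(TEMPLATE_ROOT, page)


def include_path_safe(page: str) -> str:
    """Fix: resolve the final path and require it to stay under TEMPLATE_ROOT.
    Compare path components with commonpath, not a string prefix, which would
    let /srv/app/templates_evil/... through."""
    candidate = os.path.realpath(os.path.join(TEMPLATE_ROOT, page))
    root = os.path.realpath(TEMPLATE_ROOT)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes template root: {page}")
    return candidate


if __name__ == "__main__":
    print(calc_safe("(2+3)*4"))                            # 20
    print(include_path_vulnerable("../../../etc/passwd"))  # /srv/app/templates/../../../etc/passwd
```

The AST allowlist is deliberately narrow: anything the calculator does not need (names, calls, subscripts, attribute access) is refused before evaluation, and the empty __builtins__ is only a second line of defence, not the fix.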
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:17_logic_errors&amp;rev=1778773902&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T15:51:42+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>17_logic_errors - bbc ch17 application logic errors and broken access control</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:17_logic_errors&amp;rev=1778773902&amp;do=diff</link>
        <description>BBC Ch 17: Application Logic Errors and Broken Access Control

Source: Bug Bounty Bootcamp by Vickie Li

Unlike injection vulnerabilities, logic errors and broken access control are triggered by perfectly valid HTTP requests. No illegal characters or malformed input are needed</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:15_xxe&amp;rev=1778773902&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T15:51:42+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>15_xxe - bbc ch15 xxe xml external entity</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:15_xxe&amp;rev=1778773902&amp;do=diff</link>
        <description>BBC Ch 15: XML External Entity (XXE)

Source: Bug Bounty Bootcamp by Vickie Li

How XXE Works

XML documents can define external entities via the DOCTYPE tag:
&lt;code xml&gt;
&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;!DOCTYPE example [
&lt;!ENTITY file SYSTEM &quot;file:///etc/shadow&quot;&gt;
]&gt;
&lt;example&gt;&amp;file;&lt;/example&gt;
&lt;/code&gt;</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:14_insecure_deserialization&amp;rev=1778773902&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T15:51:42+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>14_insecure_deserialization - bbc ch14 insecure deserialization</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:14_insecure_deserialization&amp;rev=1778773902&amp;do=diff</link>
        <description>BBC Ch 14: Insecure Deserialization

Source: Bug Bounty Bootcamp by Vickie Li

Mechanisms

Serialization converts a program object into a format (byte stream or string) suitable for storage or network transfer. Deserialization reconstructs the object. Many languages support this: Java, PHP, Python, Ruby.</description>
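The mechanism above made concrete in Python, as an added example (not code from the page or the book). The Gadget class and the payload are constructed; the attacker-chosen callable is eval rather than os.system so the block is safe to run. RestrictedUnpickler follows the find_class pattern from the pickle module documentation.

```python
"""Why deserializing untrusted bytes is code execution: a pickle stream can
name any importable callable plus its arguments, and pickle.loads will call
it. Added example, not code from the page."""
import io
import json
import os
import pickle


class Gadget:
    """Attacker-side class. __reduce__ tells pickle to rebuild this object by
    calling eval(...) on load; a real payload would name os.system instead.
    The victim never needs this class: the stream only references builtins.eval."""
    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def build_payload() -> bytes:
    """What the attacker submits (a cookie value, a queued job, an API field)."""
    return pickle.dumps(Gadget())


def load_vulnerable(data: bytes):
    """Vulnerable: pickle.loads on bytes the client controls. The return value
    is the server's working directory, computed by attacker-chosen code."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened variant: find_class is consulted for every global the stream
    references, so an allowlist blocks eval, os.system and friends. Plain
    dict/list/str need no lookup and still load."""
    ALLOWED = set()   # e.g. {("myapp.models", "Order")} for the types the app really expects

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_json(data: bytes):
    """Preferred fix for data interchange: a format that cannot name code."""
    return json.loads(data)


def current_dir() -> str:
    """Reference value for the demonstration."""
    return os.getcwd()


SAFE_SAMPLE = pickle.dumps({"id": 1, "items": [1, 2]})   # constructed benign stream

if __name__ == "__main__":
    print(load_vulnerable(build_payload()))   # prints the working directory: code ran
```

The restricted unpickler is a mitigation for legacy code that must keep reading pickles; the fix is to stop accepting a code-bearing format from clients at all and to authenticate (HMAC) any serialized state the server round-trips through them.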
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:ssrf&amp;rev=1778771787&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T15:16:27+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>ssrf - merge bbc ch13 ssrf techniques</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:ssrf&amp;rev=1778771787&amp;do=diff</link>
        <description>SSRF Testing

Server-Side Request Forgery: trick the server into making requests to internal/cloud resources.

Where to Look

	*  Features that take a URL parameter -- API consoles, webhooks, developer tools
	*  Import from URL features
	*  PDF/screenshot generators</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:06_sqli&amp;rev=1778770670&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T14:57:50+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>06_sqli - merge bbc ch11 sqli techniques</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:06_sqli&amp;rev=1778770670&amp;do=diff</link>
        <description>Tactical Fuzzing - SQLi

SQL Injection

Core Idea: Does the page look like it might need to call on stored data?

There exist some SQLi polyglots, e.g. this one by Mathias Karlsson:

SLEEP(1) /*' or SLEEP(1) or '&quot; or SLEEP(1) or &quot;*/

Works in single quote context, works in double quote context, works in</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:12_race_conditions&amp;rev=1778770670&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T14:57:50+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>12_race_conditions - bbc ch12 race conditions</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:12_race_conditions&amp;rev=1778770670&amp;do=diff</link>
        <description>BBC Ch 12: Race Conditions

Source: Bug Bounty Bootcamp by Vickie Li

How Race Conditions Work

A race condition occurs when the security of a system depends on the sequence or timing of events, and that sequence can be disrupted by an attacker. Web applications are particularly vulnerable when they perform a check-then-act sequence without atomic locking: the state can change between the check and the act.</description>
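The check-then-act window in code, as an added example (not from the page or the book). The Account class, the worker count and the barrier standing in for a database round-trip are constructed; the barrier forces every worker into the window at once so the demonstration does not depend on timing.

```python
"""Check-then-act race in a withdrawal handler, beside the atomic version.
Added example, not code from the page. The account, the worker count and the
barrier that stands in for the database round-trip are all constructed."""
import threading


class Account:
    """In-memory stand-in for a row in the accounts table (constructed)."""
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(account: Account, amount: int, window: threading.Barrier) -> bool:
    """Vulnerable: the balance check and the debit are separate steps.
    window.wait() models the latency between them (a DB round-trip in a real
    app); the barrier parks every worker there until all have passed the check,
    which makes the lost-update outcome deterministic for the demo."""
    if account.balance >= amount:           # check, against a balance that is about to go stale
        window.wait(timeout=5)              # every worker is parked here after passing the check
        with account.lock:                  # locking only the write does not help:
            account.balance -= amount       # the decision was already made on stale state
        return True
    return False


def withdraw_safe(account: Account, amount: int) -> bool:
    """Fixed: check and act happen under one lock. In a real app that is a DB
    transaction with SELECT ... FOR UPDATE, or a single conditional UPDATE
    (UPDATE accounts SET balance = balance - 100 WHERE id = ? AND balance >= 100)."""
    with account.lock:
        if account.balance >= amount:
            account.balance -= amount
            return True
        return False


def run_concurrent(target, args, workers: int):
    """Run target(*args) on `workers` threads at once and collect the results."""
    results = [None] * workers

    def worker(i):
        results[i] = target(*args)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy(workers: int = 5):
    """Balance 100, five simultaneous withdrawals of 100 -> (successes, final balance)."""
    account = Account(100)
    window = threading.Barrier(workers)
    results = run_concurrent(withdraw_racy, (account, 100, window), workers)
    return sum(results), account.balance


def demo_safe(workers: int = 5):
    """Same scenario against the atomic version."""
    account = Account(100)
    results = run_concurrent(withdraw_safe, (account, 100), workers)
    return sum(results), account.balance


if __name__ == "__main__":
    print("racy:", demo_racy())   # (5, -400): every request passed the check
    print("safe:", demo_safe())   # (1, 0): only the first debit goes through
```

When testing for this against a real target, the barrier is replaced by sending the requests so that they arrive together (Burp's single-packet attack or a batch of threads); the tell-tale result is the same, more successes than the state should permit.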
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:12_idor&amp;rev=1778752344&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:52:24+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>12_idor - merge bbc ch10 idor techniques</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:12_idor&amp;rev=1778752344&amp;do=diff</link>
        <description>Insecure Direct Object References

IDOR Overview

To be continued...

Zseano IDOR Additions

	*  Try integers even when you see GUIDs -- server may accept both formats
	*  Inject &quot;id&quot;:&quot;1&quot; into JSON POST bodies even when not normally present
	*</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:08_csrf&amp;rev=1778752228&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:50:28+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>08_csrf - merge bbc ch9 csrf techniques</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:08_csrf&amp;rev=1778752228&amp;do=diff</link>
        <description>CSRF Testing

Testing CSRF On Application

	*  CSRF Normal
	*  Change Method To GET-Based
	*  Change Value Of CSRF-Token To undefined
	*  Delete CSRF Token Value Or Delete Token Parameter
	*  Use The same CSRF Value In Different Accounts
	*  Replace Value CSRF Token with Same Length Characters</description>
    </item>
</rdf:RDF>
