<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://wiki.cyberdiary.net/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://wiki.cyberdiary.net/feed.php">
        <title>Cybersecurity</title>
        <description></description>
        <link>https://wiki.cyberdiary.net/</link>
        <image rdf:resource="https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg" />
        <dc:date>2026-05-14T09:43:07+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:05_xss&amp;rev=1778751741&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=start&amp;rev=1778751200&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:02_discovery&amp;rev=1778749890&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:04_env_setup&amp;rev=1778749890&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:03_how_internet_works&amp;rev=1778749890&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:02_sustaining_success&amp;rev=1778749508&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=bbc:01_picking_program&amp;rev=1778749508&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=all_articles&amp;rev=1778749205&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:12_idor&amp;rev=1778749158&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:04_authorization&amp;rev=1778749157&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:06_sqli&amp;rev=1778749157&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=tbhm:08_csrf&amp;rev=1778749157&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:reporting&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:escalation&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:feature_checklist&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:logic_bugs&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:auth_session&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:cors&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:sqli&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:idor&amp;rev=1778749098&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg">
        <title>Cybersecurity</title>
        <link>https://wiki.cyberdiary.net/</link>
        <url>https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg</url>
    </image>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:05_xss&amp;rev=1778751741&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:42:21+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>05_xss - fix // in inline code breaking italic parser</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:05_xss&amp;rev=1778751741&amp;do=diff</link>
        <description>Tactical Fuzzing - XSS

XSS

Core Idea: Does the page functionality display something to the users?
For time-sensitive testing the 80/20 rule applies. Many testers use polyglot payloads. You probably have too!

Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=start&amp;rev=1778751200&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:33:20+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>start</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=start&amp;rev=1778751200&amp;do=diff</link>
        <description>Wiki

Welcome to the knowledge base.

TBHM Chapters

	*  01 - Philosophy &amp; Mindset
	*  02 - Discovery &amp; Recon
	*  03 - Mapping the Attack Surface
	*  04 - Authorization &amp; Session Management
	*  05 - Cross-Site Scripting (XSS)
	*  06 - SQL Injection
	*  07 - File Upload Vulnerabilities
	*  08 - CSRF
	*  09 - Privilege Escalation, Logic &amp; Transport
	*  10 - Mobile Testing
	*  11 - Auxiliary Info &amp; Tools
	*  12 - IDOR
	*  Fast Testing Checklist

Quick Reference

	*  TBHM Index
	*  Fast Checklist
	*…</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:02_discovery&amp;rev=1778749890&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:11:30+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>02_discovery - merge bbc ch5 recon techniques</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:02_discovery&amp;rev=1778749890&amp;do=diff</link>
        <description>Discovery

Find the road less traveled

This means finding the application (or the parts of an application) that are tested least. In wide-scoped projects the flagship application will most likely have been heavily assessed already.

	*  ^.acme.com scope is your friend
	*  Find domains via Google (and others!)</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:04_env_setup&amp;rev=1778749890&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:11:30+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>04_env_setup - bbc article -- updated with full content</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:04_env_setup&amp;rev=1778749890&amp;do=diff</link>
        <description>Ch 4: Environmental Setup and Traffic Interception

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

OS

Use a Unix-based system. Kali Linux is recommended -- it ships with Burp Suite, Gobuster, DirBuster, Wfuzz, and other tools. macOS also works fine.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:03_how_internet_works&amp;rev=1778749890&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:11:30+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>03_how_internet_works - bbc article -- updated with full content</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:03_how_internet_works&amp;rev=1778749890&amp;do=diff</link>
        <description>Ch 3: How the Internet Works

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

Client-Server Model

Web apps operate on a client-server model. The client (browser) sends HTTP requests; the server processes them and returns responses.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:02_sustaining_success&amp;rev=1778749508&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:05:08+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>02_sustaining_success - bbc article from bug bounty bootcamp</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:02_sustaining_success&amp;rev=1778749508&amp;do=diff</link>
        <description>Ch 2: Sustaining Your Success

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

Writing Good Reports

A report is how you get paid and build reputation. Bad writing = low payouts + duplicates marked invalid.

8-step report structure:</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=bbc:01_picking_program&amp;rev=1778749508&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:05:08+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>01_picking_program - bbc article from bug bounty bootcamp</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=bbc:01_picking_program&amp;rev=1778749508&amp;do=diff</link>
        <description>Ch 1: Picking a Bug Bounty Program

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

Asset Types

Bug bounty programs define scope by listing assets -- the systems you are authorized to test.

	*  Social targets -- Twitter/Facebook/LinkedIn pages. Usually out-of-scope because you can't control what users post.</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=all_articles&amp;rev=1778749205&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:00:05+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>all_articles - create full article index</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=all_articles&amp;rev=1778749205&amp;do=diff</link>
        <description>All Articles

Complete index of every page on this wiki.

The Bug Hunter's Methodology (TBHM)

	*  01 - Philosophy &amp; Mindset
	*  02 - Discovery &amp; Recon
	*  03 - Mapping the Attack Surface
	*  04 - Authorization &amp; Session
	*  05 - Cross-Site Scripting (XSS)
	*  06 - SQL Injection
	*  07 - File Upload
	*  08 - CSRF
	*  09 - Privilege, Logic &amp; Transport
	*  10 - Mobile Testing
	*  11 - Auxiliary Info &amp; Tools
	*  12 - IDOR
	*  Fast Testing Checklist
	*  TBHM Index
	*  Test Page
	*  TBHM v4

Zseano's…</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:12_idor&amp;rev=1778749158&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:59:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>12_idor - integrate zseano methodology</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:12_idor&amp;rev=1778749158&amp;do=diff</link>
        <description>Insecure Direct Object References

IDOR Overview

To be continued...

Zseano IDOR Additions

	*  Try integers even when you see GUIDs -- server may accept both formats
	*  Inject “id”:“1” into JSON POST bodies even when not normally present
	*</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:04_authorization&amp;rev=1778749157&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:59:17+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>04_authorization - integrate zseano methodology</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:04_authorization&amp;rev=1778749157&amp;do=diff</link>
        <description>Auth and Session

Auth (better be quick)

Auth Related (more in logic, priv, and transport sections)

	*  User/pass discrepancy flaw
	*  Registration page harvesting
	*  Login page harvesting
	*  Password reset page harvesting
	*  No account lockout</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:06_sqli&amp;rev=1778749157&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:59:17+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>06_sqli - integrate zseano methodology</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:06_sqli&amp;rev=1778749157&amp;do=diff</link>
        <description>Tactical Fuzzing - SQLi

SQL Injection

Core Idea: Does the page look like it might need to call on stored data?

There are some SQLi polyglots, e.g. this one by Mathias Karlsson:


SLEEP(1) /*' or SLEEP(1) or '&quot; or SLEEP(1) or &quot;*/


Works in single quote context, works in double quote context, works in</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=tbhm:08_csrf&amp;rev=1778749157&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:59:17+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>08_csrf - integrate zseano methodology</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=tbhm:08_csrf&amp;rev=1778749157&amp;do=diff</link>
        <description>CSRF Testing

Testing CSRF On Application

	*  CSRF Normal
	*  Change Method To GET-Based
	*  Change Value Of CSRF-Token To undefined
	*  Delete CSRF Token Value Or Delete Token Parameter
	*  Use The same CSRF Value In Different Accounts
	*  Replace Value CSRF Token with Same Length Characters</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:reporting&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>reporting - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:reporting&amp;rev=1778749098&amp;do=diff</link>
        <description>Writing Good Reports

A good report is what separates a bounty from a duplicate or a N/A. Good reports build reputation and get private invites.

Report Structure

Title: [Bug Type] on [Feature/Endpoint] leads to [Impact]

Examples:

	*  “Stored XSS in profile bio via unsanitized &lt;script&gt; tag leads to account takeover</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:escalation&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>escalation - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:escalation&amp;rev=1778749098&amp;do=diff</link>
        <description>Bug Chaining &amp; Escalation

Individual low/medium bugs often chain together into critical impact. Always ask: can this go further?

Common Chains
Chain: Open Redirect + OAuth
Result: Token theft = account takeover

Chain: Self-XSS + CSRF
Result: Stored XSS affecting other users</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:feature_checklist&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>feature_checklist - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:feature_checklist&amp;rev=1778749098&amp;do=diff</link>
        <description>Feature Testing Checklist

Test these feature areas on every program. Each has common recurring vulnerabilities.

Registration

	*  What info is required? Where is it reflected after signup?
	*  What characters are allowed? &lt; &gt; “ '\ in name fields?</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:logic_bugs&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>logic_bugs - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:logic_bugs&amp;rev=1778749098&amp;do=diff</link>
        <description>Business Logic &amp; Privilege Escalation

Logic bugs require understanding how the app should work, then breaking that assumption.

Mindset

	*  Understand the intended workflow first
	*  Ask: what is the developer assuming the user will always do?
	*  Break those assumptions</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:auth_session&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>auth_session - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:auth_session&amp;rev=1778749098&amp;do=diff</link>
        <description>Auth &amp; Session Bugs

Authentication and session management flaws that lead to account takeover.

Authentication Flaws

	*  User/pass discrepancy -- different error messages for wrong username vs wrong password = username enumeration
	*  No account lockout</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:cors&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>cors - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:cors&amp;rev=1778749098&amp;do=diff</link>
        <description>CORS Misconfiguration

Misconfigured CORS allows attacker-controlled sites to make credentialed requests to the target.

Testing

Add an Origin header to every interesting request:


Origin: https://attacker.com
Origin: https://anythinghere-target.com
Origin: null</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:sqli&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>sqli - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:sqli&amp;rev=1778749098&amp;do=diff</link>
        <description>SQL Injection

Legacy code and APIs are most vulnerable. Blind/time-based is most common in the wild.

Detection

Time-based payloads work when error messages are disabled (most common case):


' or sleep(15) and 1=1#
' or sleep(15)#
' union select sleep(15),null#
'%2Bbenchmark(3200,SHA1(1))%2B'
'+BENCHMARK(40000000,SHA1(1337))+'</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:idor&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>drew (drew@undisclosed.example.com)</dc:creator>
        <title>idor - add zseano methodology article</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:idor&amp;rev=1778749098&amp;do=diff</link>
        <description>IDOR Testing

Insecure Direct Object Reference: access resources belonging to other users by manipulating IDs.

Core Technique

	*  Change integer IDs: api/user/1 to api/user/2
	*  Try integers even when you see GUIDs or hashed IDs -- server may accept both</description>
    </item>
</rdf:RDF>
