<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://wiki.cyberdiary.net/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://wiki.cyberdiary.net/feed.php">
        <title>Cybersecurity - zseano</title>
        <description></description>
        <link>https://wiki.cyberdiary.net/</link>
        <image rdf:resource="https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg" />
       <dc:date>2026-05-14T10:56:53+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:auth_session&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:cors&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:csrf&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:escalation&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:feature_checklist&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:file_uploads&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:idor&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:logic_bugs&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:open_redirects&amp;rev=1778751983&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:philosophy&amp;rev=1778749097&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:program_selection&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:recon&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:reporting&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:sqli&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:ssrf&amp;rev=1778749098&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:start&amp;rev=1778749097&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:toolkit&amp;rev=1778749097&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.cyberdiary.net/doku.php?id=zseano:xss&amp;rev=1778749098&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg">
        <title>Cybersecurity</title>
        <link>https://wiki.cyberdiary.net/</link>
        <url>https://wiki.cyberdiary.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg</url>
    </image>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:auth_session&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>auth_session</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:auth_session&amp;rev=1778749098&amp;do=diff</link>
        <description>Auth &amp; Session Bugs

Authentication and session management flaws that lead to account takeover.

Authentication Flaws

	*  User/pass discrepancy -- different error messages for wrong username vs wrong password = username enumeration
	*  No account lockout</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:cors&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>cors</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:cors&amp;rev=1778749098&amp;do=diff</link>
        <description>CORS Misconfiguration

Misconfigured CORS allows attacker-controlled sites to make credentialed requests to the target.

Testing

Add an Origin header to every interesting request:


Origin: https://attacker.com
Origin: https://anythinghere-target.com
Origin: null</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:csrf&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>csrf</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:csrf&amp;rev=1778749098&amp;do=diff</link>
        <description>CSRF Testing

Find areas that should have CSRF protection and test if it's actually enforced.

8-Step Test

	*  Standard CSRF test -- remove the token entirely
	*  Change method to GET
	*  Change CSRF token value to undefined
	*  Delete CSRF token value or entire parameter</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:escalation&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>escalation</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:escalation&amp;rev=1778749098&amp;do=diff</link>
        <description>Bug Chaining &amp; Escalation

Individual low/medium bugs often chain together into critical impact. Always ask: can this go further?

Common Chains
 Chain | Result
 Open Redirect + OAuth | Token theft = account takeover
 Self-XSS + CSRF | Stored XSS affecting other users</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:feature_checklist&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>feature_checklist</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:feature_checklist&amp;rev=1778749098&amp;do=diff</link>
        <description>Feature Testing Checklist

Test these feature areas on every program. Each has common recurring vulnerabilities.

Registration

	*  What info is required? Where is it reflected after signup?
	*  What characters are allowed? &lt; &gt; " '\ in name fields?</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:file_uploads&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>file_uploads</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:file_uploads&amp;rev=1778749098&amp;do=diff</link>
        <description>File Upload Testing

File uploads are often filtered on extension, content-type, magic bytes, or image dimensions. Test each layer separately.

Extension Tricks


shell.php/.jpg          # server may strip after slash
shell.html%0d%0a.jpg    # newline truncation
.txt, .svg, .xml        # often forgotten in filters
shell.php5, shell.phtml # alternate PHP extensions</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:idor&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>idor</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:idor&amp;rev=1778749098&amp;do=diff</link>
        <description>IDOR Testing

Insecure Direct Object Reference: access resources belonging to other users by manipulating IDs.

Core Technique

	*  Change integer IDs: api/user/1 to api/user/2
	*  Try integers even when you see GUIDs or hashed IDs -- server may accept both</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:logic_bugs&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>logic_bugs</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:logic_bugs&amp;rev=1778749098&amp;do=diff</link>
        <description>Business Logic &amp; Privilege Escalation

Logic bugs require understanding how the app should work, then breaking that assumption.

Mindset

	*  Understand the intended workflow first
	*  Ask: what is the developer assuming the user will always do?
	*  Break those assumptions</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:open_redirects&amp;rev=1778751983&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T09:46:23+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>open_redirects</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:open_redirects&amp;rev=1778751983&amp;do=diff</link>
        <description>Open Redirect Testing

Very easy to find, and chains effectively with OAuth for token theft leading to account takeover.

Common Parameter Names


return, return_url, rUrl, cancelUrl, redirect, goto, returnTo, returnUrl,
r_url, redirectTo, redirectUrl, dest, continue, next, window, back</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:philosophy&amp;rev=1778749097&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:17+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>philosophy</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:philosophy&amp;rev=1778749097&amp;do=diff</link>
        <description>Philosophy &amp; Core Principles

The foundation of zseano's approach: go deep, not wide. One program for months, not ten programs for days.

Core Mindset

	*  Spend months on the same program -- dive deep
	*  Reverse engineer the developer's thought process</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:program_selection&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>program_selection</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:program_selection&amp;rev=1778749098&amp;do=diff</link>
        <description>Picking a Program

Choosing the right target is as important as the testing itself.

What to Look For

	*  Wide scope -- bigger company = more teams = more mistakes
	*  Well-known names -- more surface area, more legacy code
	*  Plan to spend months, not days</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:recon&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>recon</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:recon&amp;rev=1778749098&amp;do=diff</link>
        <description>Recon &amp; Expanding Attack Surface

Run recon while doing manual testing in parallel. Don't wait for tools to finish before hacking.

Pre-Hack Research

Before touching the site:

	*  Search for disclosed bugs: site:google.com "domain.com" vulnerability</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:reporting&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>reporting</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:reporting&amp;rev=1778749098&amp;do=diff</link>
        <description>Writing Good Reports

A good report is what separates a bounty from a duplicate or a N/A. Good reports build reputation and get private invites.

Report Structure

Title: [Bug Type] on [Feature/Endpoint] leads to [Impact]

Examples:

	*  “Stored XSS in profile bio via unsanitized &lt;script&gt; tag leads to account takeover</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:sqli&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>sqli</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:sqli&amp;rev=1778749098&amp;do=diff</link>
        <description>SQL Injection

Legacy code and APIs are most vulnerable. Blind/time-based is most common in the wild.

Detection

Time-based payloads work when error messages are disabled (most common case):


' or sleep(15) and 1=1#
' or sleep(15)#
' union select sleep(15),null#
'%2Bbenchmark(3200,SHA1(1))%2B'
'+BENCHMARK(40000000,SHA1(1337))+'</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:ssrf&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ssrf</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:ssrf&amp;rev=1778749098&amp;do=diff</link>
        <description>SSRF Testing

Server-Side Request Forgery: trick the server into making requests to internal/cloud resources.

Where to Look

	*  Features that take a URL parameter -- API consoles, webhooks, developer tools
	*  Import from URL features
	*  PDF/screenshot generators</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:start&amp;rev=1778749097&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:17+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>start</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:start&amp;rev=1778749097&amp;do=diff</link>
        <description>Zseano's Methodology

Based on Sean Roesner's bug bounty methodology (bugbountyhunter.com), combined with drew's personal notes.

Chapters

	*  Philosophy &amp; Core Principles
	*  Toolkit &amp; Setup
	*  Picking a Program
	*  Recon &amp; Expanding Attack Surface
	*  Feature Testing Checklist
	*  XSS Testing
	*  CSRF Testing
	*  Open Redirects
	*  SSRF Testing
	*  File Upload Testing
	*  IDOR Testing
	*  SQL Injection
	*  CORS Misconfiguration
	*  Auth &amp; Session Bugs
	*  Business Logic &amp; Privilege Escalatio…</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:toolkit&amp;rev=1778749097&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:17+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>toolkit</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:toolkit&amp;rev=1778749097&amp;do=diff</link>
        <description>Toolkit &amp; Setup

Tools used in the zseano/drew combined methodology.

Recon Tools
 Tool | Purpose | Command
 amass | subdomain enumeration | amass enum -brute -active -d domain.com -o amass-output.txt
 subfinder | passive subdomain enum | subfinder -d domain.com -o subs.txt</description>
    </item>
    <item rdf:about="https://wiki.cyberdiary.net/doku.php?id=zseano:xss&amp;rev=1778749098&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-05-14T08:58:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>xss</title>
        <link>https://wiki.cyberdiary.net/doku.php?id=zseano:xss&amp;rev=1778749098&amp;do=diff</link>
        <description>XSS Testing

Cross-site scripting is high-frequency, chains well with CSRF and IDOR, and is worth testing on every input.

Testing Process

	*  Test basic HTML injection -- can you input &lt;h2&gt;, &lt;img&gt;, &lt;table&gt; without filtering?
	*  Check encoding -- reflected as</description>
    </item>
</rdf:RDF>
