Chapter 36 Exercises: Bug Bounty Hunting

Exercise 36.1: Program Analysis and Selection

Difficulty: Beginner Objective: Develop the skill of evaluating and selecting bug bounty programs.

  1. Browse HackerOne and Bugcrowd for public programs.
  2. Select five programs across different industries (e.g., SaaS, e-commerce, fintech, social media, gaming).
  3. For each program, document: - Program name and platform - Scope (in-scope assets and vulnerability types) - Exclusions (out-of-scope items and vulnerability types) - Payout structure (minimum and maximum by severity) - Response time metrics (time to first response, time to bounty) - Program age and number of resolved reports - Any unique rules or requirements
  4. Rank the programs from most attractive to least attractive for a new researcher. Justify your ranking.
  5. For your top-ranked program, identify three specific attack vectors you would test first and explain why.

Deliverable: Five program analysis sheets and a ranked comparison with justification.

Exercise 36.2: Reconnaissance Automation

Difficulty: Beginner Objective: Build and practice a recon automation workflow.

  1. Choose a bug bounty program with a wildcard scope (e.g., *.example.com).
  2. Perform subdomain enumeration using at least three tools: - Subfinder - Amass (passive mode) - crt.sh (certificate transparency)
  3. Combine all results and remove duplicates.
  4. Probe all subdomains for live HTTP/HTTPS services using httpx.
  5. Record the following for each live host: status code, page title, technologies detected, content length.
  6. Identify any interesting findings: staging environments, admin panels, API endpoints, unusual technologies.
  7. Create a bash script that automates steps 2-6 for any given domain.
  8. Run the script against two different targets and compare results.

Deliverable: Bash automation script, output from two target runs, and analysis of interesting findings.

Exercise 36.3: Bug Report Writing Practice

Difficulty: Beginner Objective: Practice writing clear, professional bug reports.

Using vulnerabilities you find on practice platforms (DVWA, Juice Shop, WebGoat, or PortSwigger labs):

  1. Find three different vulnerability types (e.g., XSS, SQLI, IDOR).
  2. For each vulnerability, write a complete bug report including: - Descriptive title - Severity rating with CVSS score justification - Clear description of the vulnerability - Detailed steps to reproduce (numbered) - Proof of concept (screenshots and/or HTTP requests) - Impact assessment (what an attacker could achieve) - Remediation recommendations
  3. Have a peer review your reports and provide feedback on clarity and completeness.
  4. Revise reports based on feedback.
  5. Compare your reports against the sample report provided in Section 36.4.4 of this chapter.

Deliverable: Three complete bug reports, peer review feedback, and revised versions.

Exercise 36.4: Content Discovery Deep Dive

Difficulty: Intermediate Objective: Master content discovery techniques for finding hidden attack surface.

  1. Set up a deliberately vulnerable web application (DVWA or Juice Shop) and deploy it locally.
  2. Perform content discovery using three different approaches: - Directory fuzzing with ffuf using a common wordlist (e.g., SecLists Discovery/Web-Content) - Historical URL discovery using gau or waybackurls (if using a live target from a bug bounty program) - JavaScript analysis: download all JS files, search for API endpoints, secrets, and interesting comments
  3. For each approach, document: - Number of unique endpoints discovered - Interesting findings (admin panels, API docs, debug endpoints, configuration files) - False positives encountered and how you filtered them
  4. Combine all discovered endpoints into a comprehensive sitemap.
  5. Identify the five most promising endpoints for vulnerability testing and explain why.

Deliverable: Content discovery results, combined sitemap, and prioritized testing targets.

Exercise 36.5: IDOR Hunting Methodology

Difficulty: Intermediate Objective: Develop a systematic approach to finding Insecure Direct Object References.

  1. In a lab environment (Juice Shop, DVWA, or custom setup), identify all API endpoints that use object identifiers (user IDs, order IDs, document IDs).
  2. Map the object identifier patterns: - Are IDs sequential integers? - Are they UUIDs? - Are they encoded (Base64, hex)? - Are they predictable or random?
  3. For each identified endpoint, test horizontal access control: - Create two test accounts with different privilege levels - Access resources belonging to Account A using Account B's session - Document each IDOR finding with the exact request/response
  4. Test vertical access control: - Attempt to access admin functions with regular user credentials - Test whether API endpoints have different access controls than the web interface
  5. For each finding, demonstrate the maximum impact an attacker could achieve.
  6. Write remediation recommendations for each type of IDOR found.

Deliverable: IDOR testing methodology document, findings with PoC, and remediation recommendations.

Exercise 36.6: XSS Hunter Setup and Practice

Difficulty: Intermediate Objective: Set up and use blind XSS detection capabilities.

  1. Set up an XSS callback server (use XSS Hunter or build a simple one with a web server that logs incoming requests).
  2. Deploy a vulnerable application in your lab.
  3. Identify all input fields that might be rendered in other contexts (support tickets, profile fields, feedback forms, admin dashboards).
  4. Inject blind XSS payloads in each identified input field.
  5. Monitor your callback server for hits.
  6. For each successful blind XSS: - Document the injection point - Document the execution context (which page, which user role sees it) - Capture the page URL, cookies, and DOM content via the callback - Assess the impact (admin cookie theft, data exfiltration, etc.)
  7. Write a report for each finding following the template from Exercise 36.3.

Deliverable: XSS callback server setup documentation, blind XSS findings with reports, and impact analysis.

Exercise 36.7: Race Condition Testing

Difficulty: Intermediate Objective: Find and exploit race condition vulnerabilities.

  1. Set up a test application with features susceptible to race conditions (e.g., coupon redemption, account balance transfer, vote counting).
  2. Write a Python script that sends concurrent requests to the target endpoint.
  3. Test the following scenarios: - Redeem a single-use coupon code multiple times simultaneously - Transfer money from one account while simultaneously making a purchase - Submit multiple vote requests at the same time
  4. For each test: - Document the number of concurrent requests sent - Record the expected behavior vs. actual behavior - Calculate the success rate of the race condition - Determine the financial or business impact
  5. Research and apply the single-packet attack technique (sending multiple requests in a single TCP packet) for more reliable exploitation.
  6. Write remediation recommendations (database-level locking, idempotency keys, etc.).

Deliverable: Test scripts, results for each scenario, and remediation recommendations.

Exercise 36.8: API Security Testing Methodology

Difficulty: Intermediate Objective: Develop a comprehensive API testing methodology.

  1. Find a bug bounty program with an API in scope (or use a practice API like crAPI or OWASP vAPI).
  2. Map the complete API surface: - All endpoints, methods, and parameters - Authentication mechanisms - Rate limiting behavior - API versioning
  3. Test for the OWASP API Security Top 10: - BOLA (Broken Object Level Authorization) - Broken Authentication - Broken Object Property Level Authorization - Unrestricted Resource Consumption - Broken Function Level Authorization - Server Side Request Forgery - Security Misconfiguration - Lack of Protection from Automated Threats - Improper Asset Management - Unsafe Consumption of APIs
  4. Document each finding with a clear PoC.
  5. Test for additional issues: mass assignment, excessive data exposure, GraphQL-specific vulnerabilities (if applicable).

Deliverable: API map, test results for each OWASP API Top 10 category, and documented findings.

Exercise 36.9: Subdomain Takeover Assessment

Difficulty: Intermediate Objective: Identify and (safely) verify subdomain takeover vulnerabilities.

  1. Select a bug bounty program with a wildcard subdomain scope.
  2. Enumerate all subdomains using multiple tools.
  3. For each subdomain, check DNS records (CNAME, A, AAAA) for dangling references: - CNAME to non-existent S3 buckets - CNAME to deprovisioned Azure or Heroku apps - CNAME to unclaimed GitHub Pages - A records pointing to decommissioned IP addresses
  4. Use automated tools (subjack, nuclei takeover templates) to identify potential takeovers.
  5. For each potential takeover found: - Verify the vulnerability manually (check the target service for availability to claim) - DO NOT actually take over the subdomain (this changes the target's infrastructure) - Document the finding with evidence (DNS records, service error pages) - Assess the impact (cookie scope, content serving, credential theft)
  6. Write a bug report for any confirmed takeover vulnerability.

Deliverable: Subdomain enumeration results, takeover assessment for each candidate, and bug reports.

Exercise 36.10: Vulnerability Chaining Exercise

Difficulty: Advanced Objective: Practice combining multiple vulnerabilities into high-impact attack chains.

Using a deliberately vulnerable application (Juice Shop recommended):

  1. Find at least five individual vulnerabilities of varying severity.
  2. Document each vulnerability independently with severity rating.
  3. Analyze whether any vulnerabilities can be chained together to increase impact: - Can an information disclosure lead to authentication bypass? - Can a low-severity XSS be combined with CSRF or CORS misconfiguration? - Can an SSRF provide access to internal services or metadata?
  4. For each identified chain: - Document the individual vulnerabilities - Explain how they connect - Demonstrate the complete chain with a step-by-step PoC - Assess the combined severity (which should be higher than any individual finding)
  5. Write a single bug report that presents the most impactful chain, with the individual findings as supporting context.

Deliverable: Individual vulnerability reports, chain analysis, and combined chain report.

Exercise 36.11: SSRF Exploitation Lab

Difficulty: Advanced Objective: Master Server-Side Request Forgery discovery and exploitation techniques.

  1. Set up a lab environment with an application vulnerable to SSRF (e.g., deploy a web app on AWS EC2 with IMDS enabled).
  2. Identify SSRF injection points (URL parameters, webhook configurations, file import features).
  3. Test basic SSRF: - Access localhost services (127.0.0.1) - Access cloud metadata endpoint (169.254.169.254) - Access internal network resources
  4. Practice bypass techniques: - IP address obfuscation (decimal, hex, octal) - DNS rebinding - Redirect-based bypass - URL parsing inconsistencies
  5. Demonstrate impact escalation: - Read cloud metadata (IAM role, instance identity) - Access internal APIs not exposed to the internet - Chain with other vulnerabilities
  6. Document each bypass technique with detailed PoC.

Deliverable: Lab setup documentation, SSRF findings with bypass techniques, and impact demonstration.

Exercise 36.12: Bug Bounty Workflow Optimization

Difficulty: Intermediate Objective: Design and implement an efficient personal bug bounty workflow.

  1. Design your ideal bug bounty workflow, covering: - Target selection process - Recon automation schedule (what runs daily/weekly/on-demand) - Manual testing methodology - Note-taking and progress tracking system - Report writing and submission process
  2. Set up the tooling for your workflow: - Install and configure recon tools - Set up a note-taking system (Notion, Obsidian, or equivalent) - Create report templates - Set up a VPS for running automated scans
  3. Create a monitoring system for new programs and scope changes: - Follow platforms for new program announcements - Set up alerts for scope changes on your target programs - Monitor for new subdomain discovery on your targets
  4. Track your time and results for two weeks.
  5. Analyze your workflow efficiency: time per finding, findings per target, report acceptance rate.
  6. Identify three optimizations and implement them.

Deliverable: Workflow documentation, tooling setup guide, two-week tracking data, and optimization analysis.

Exercise 36.13: GraphQL Security Testing

Difficulty: Advanced Objective: Test GraphQL APIs for common security vulnerabilities.

  1. Set up a vulnerable GraphQL API (e.g., DVGA - Damn Vulnerable GraphQL Application).
  2. Perform introspection to discover the schema: - Query __schema to enumerate types, queries, mutations - Map all available operations and their arguments
  3. Test for the following vulnerabilities: - Introspection enabled in production (information disclosure) - Broken authorization on queries and mutations - Excessive data exposure through unprotected fields - Batched query abuse for brute-force attacks - Nested query depth attacks (denial of service) - SQL injection through GraphQL parameters - IDOR through GraphQL object references
  4. For each finding, document the GraphQL query used and the impact.
  5. Write remediation recommendations specific to GraphQL.

Deliverable: GraphQL schema map, findings for each vulnerability category, and remediation guide.

Exercise 36.14: Mobile Application Bug Bounty Testing

Difficulty: Advanced Objective: Apply bug bounty testing methodology to mobile applications.

  1. Select a bug bounty program that includes mobile applications in scope.
  2. Download the application (iOS or Android).
  3. Perform static analysis: - Extract and decompile the APK/IPA - Search for hardcoded credentials, API keys, and endpoints - Identify API base URLs and authentication mechanisms - Review certificate pinning implementation
  4. Perform dynamic analysis: - Set up a proxy (Burp Suite) to intercept mobile traffic - Bypass certificate pinning (if present) - Capture and analyze all API requests - Test API endpoints discovered in static analysis
  5. Test mobile-specific vulnerability classes: - Insecure data storage (SharedPreferences, Keychain) - Deep link injection - Intent hijacking (Android) - WebView vulnerabilities
  6. Document all findings with mobile-specific context.

Deliverable: Static analysis report, dynamic analysis findings, and mobile-specific vulnerability documentation.

Exercise 36.15: Bug Bounty Career Planning

Difficulty: Beginner Objective: Create a personal development plan for bug bounty hunting.

  1. Self-assess your current skills across these areas (rate 1-5): - Web application testing - API security testing - Mobile application testing - Network security - Cloud security - Recon and OSINT - Report writing - Tool development
  2. Based on your assessment, identify your top three areas for improvement.
  3. For each improvement area, create a 90-day learning plan: - Resources (courses, books, labs, CTFs) - Practice targets (specific platforms, programs, labs) - Milestones and checkpoints
  4. Set specific, measurable goals: - Reports submitted per month - Acceptance rate target - Revenue target (if applicable) - Skill certifications to pursue
  5. Identify three bug bounty hunters whose careers you admire. Research their backgrounds and learning paths.
  6. Create a networking plan: events to attend, communities to join, people to connect with.

Deliverable: Skills self-assessment, 90-day learning plan, goals document, and networking plan.