Bug Hunting

Search for programs (Google dorks)

inurl:/bug-bounty
inurl:/security
inurl:security.txt
inurl:security "reward"
inurl:/responsible-disclosure
inurl:/responsible-disclosure/ reward
inurl:/responsible-disclosure/ swag
inurl:/responsible-disclosure/ bounty
inurl:"/responsible disclosure" hoodie
responsible disclosure swag r=h:com
responsible disclosure hall of fame
responsible disclosure europe
responsible disclosure white hat
white hat program
intext:"responsible disclosure" -inurl:nl
intext:responsible disclosure
site:eu responsible disclosure
site:nl responsible disclosure
site responsible disclosure
responsible disclosure:sites
responsible disclosure r=h:nl
responsible disclosure r=h:uk
responsible disclosure r=h:eu
responsible disclosure bounty r=h:nl
responsible disclosure bounty r=h:uk
responsible disclosure bounty r=h:eu
responsible disclosure swag r=h:nl
responsible disclosure swag r=h:uk
responsible disclosure swag r=h:eu
responsible disclosure reward r=h:nl
responsible disclosure reward r=h:uk
responsible disclosure reward r=h:eu
"powered by bugcrowd" -site:bugcrowd.com
"powered by hackerone" "submit vulnerability report"
"submit vulnerability report"
site:responsibledisclosure.com
inurl:"vulnerability-disclosure-policy" reward
intext:Vulnerability Disclosure site:nl
intext:Vulnerability Disclosure site:eu
site:*.*.nl intext:security report reward
site:*.*.nl intext:responsible disclosure reward
"security vulnerability" "report"
inurl:"security report"
"responsible disclosure" university
inurl:/responsible-disclosure/ university
buy bitcoins "bug bounty"
inurl:/security ext:txt "contact"
"powered by synack"
intext:responsible disclosure bounty
inurl:private bugbountyprogram
inurl:/.well-known/security ext:txt
inurl:/.well-known/security ext:txt intext:hackerone
inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty
inurl:reporting-security-issues
inurl:security-policy.txt ext:txt
site:*.*.* inurl:bug inurl:bounty
site:help.*.* inurl:bounty
site:support.*.* intext:security report reward
intext:security report monetary inurl:security
intext:security report reward inurl:report
site:security.*.* inurl:bounty
site:*.*.de inurl:bug inurl:bounty
site:*.*.uk intext:security report reward
site:*.*.cn intext:security report reward
"vulnerability reporting policy"
"van de melding met een minimum van een" -site:responsibledisclosure.nl   (Dutch wording that appears on Dutch-language reward pages; keep it untranslated so the search still matches)
inurl:/bitcoin bug bounty
inurl:btc security rewards

1. Reconnaissance

Subdomain
Directory / Files (information disclosure)
Parameter
JavaScript

Subdomain (virtual host) discovery using wfuzz: fuzz the Host header against one IP. Filter out the default site's response with --hh <length> (hide by response size) or --hc <code> (hide by status code), otherwise every candidate looks like a hit because the server answers with the default vhost.

wfuzz -u http://10.10.10.208 -H "Host: FUZZ.crossfit.htb" -w /usr/share/se

👓 Recon
2. Vulnerability

OWASP Top 10 2021
A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery

Server Side
SQL Injection
🏑 File Upload
SSRF

Client Side Attack
CORS, CSRF, XSS, IDOR

No Rate Limiting

3. Report

Bug Bounty Automation
https://gowthams.gitbook.io/bughunter-handbook/automation

50 Powerful One-Liner Scripts for Bug Bounty Hunters
https://www.codelivly.com/powerful-one-liner-scripts-for-bug-bounty-hunters

Bugcrowd's Vulnerability Rating Taxonomy - Bugcrowd
https://bugcrowd.com/vulnerability-rating-taxonomy#methodology

Bug Bounty Tips :

Extract secrets from JS

# Use subfinder to enumerate subdomains, httpx to keep the ones answering 200,
# waybackurls to pull the archived URLs for each of them, and grep to keep the
# JavaScript files (the dot is escaped and the match anchored so "json" paths
# and arbitrary-character matches are excluded)

subfinder -d domain.com -silent | httpx -mc 200 -silent | tee subdomains.txt && cat subdomains.txt | waybackurls | httpx -mc 200 -silent | grep -E '\.js(\?|$)' | tee js.txt

# Extract secrets from the JS. js.txt holds URLs, so grepping the file itself
# only searches the URLs; fetch each script and grep its body instead. Bare
# words such as db, json, config and admin match nearly every bundle, so
# narrow the list for a real target.

while read -r url; do
  curl -s "$url" | grep -oiE "aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|json|gcp|htaccess|\.env|ssh key|\.git|access key|secret token|oauth_token|oauth_token_secret" | sort | uniq -c | sort -rn
done < js.txt

Usage of gf patterns for ssrf, xss, lfi, open redirect

# For ssrf: tee writes the de-duplicated URL list to waybackdata and still
# passes it on to gf (a plain >> redirect would leave gf with no input)
cat subdomains.txt | waybackurls | sort -u | tee waybackdata | gf ssrf | tee -a ssrfparams.txt

# open redirect
cat waybackdata | gf redirect | tee -a redirect.txt
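The two tips above (grepping secrets out of JavaScript and filtering archived URLs by parameter name) as one self-contained worked example. This is an added example, not code from the notes or from subfinder, httpx, waybackurls or gf: the JavaScript bundle and URL list are constructed inline (the AKIA key is AWS's documented example key, nothing is a live credential), the secret patterns are shapes chosen here rather than the bare-word list above, and the parameter names are a hand-picked subset of the gf "ssrf" pattern. It needs only sh plus grep, sort, tr and wc, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the notes or the tools they mention): secret hunting
# over JavaScript and gf-style URL filtering, run over constructed sample data.

# Constructed JavaScript bundle. The AKIA value is AWS's documented example key;
# nothing in this block is a real credential.
sample_js() {
cat <<'EOF'
var cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE", json: true };
const apiKey = "sk_live_51HcXaBcDeFgHiJkLmNoPqRsTuV";
fetch("/api/v1/db/users?format=json");
var slackHook = "xoxb-123456789012-abcdefghijkl";
var pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...";
headers: { 'x-auth-token': 'eyJhbGciOiJIUzI1NiJ9.e30.abc' }
var note = "password reset emails are sent from noreply@example.com";
EOF
}

# Constructed URL list of the kind waybackurls emits (duplicates included).
sample_urls() {
cat <<'EOF'
https://app.example.com/fetch?url=https://cdn.example.com/a.png
https://app.example.com/login?next=/dashboard
https://app.example.com/profile?id=1337
https://app.example.com/static/app.js
https://app.example.com/assets/vendor.min.js?v=3
https://app.example.com/api/json/users
https://app.example.com/fetch?url=https://cdn.example.com/a.png
https://app.example.com/proxy?host=internal.example.com&port=8080
EOF
}

# Read JavaScript on stdin, print one candidate secret per line. The patterns
# match credential shapes (vendor key prefixes, PEM headers, key=value with a
# long quoted value) instead of bare words like "db" or "json", which hit nearly
# every bundle. grep -o also copes with minified one-line bundles.
extract_secrets() {
    grep -oE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e 'AIza[0-9A-Za-z_-]{35}' \
        -e 'xox[abpr]-[0-9A-Za-z-]{10,}' \
        -e '-----BEGIN( RSA| EC| OPENSSH)? PRIVATE KEY-----' \
        -e "(api[_-]?[Kk]ey|secret|passw(ord)?|token)[\"']?[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']" \
    | sort -u
}

# Keep URLs whose query string carries a parameter name that usually holds a
# remote resource: a hand-picked subset of the gf "ssrf" pattern, not gf itself.
ssrf_params() {
    grep -iE '[?&](url|uri|dest|redirect|next|path|src|link|callback|domain|host|proxy|feed|site|file)=' | sort -u
}

# Keep only JavaScript files: ".js" at the end of the path or right before a
# query string. An unescaped "grep .js" would also keep /json/ paths.
js_urls() {
    grep -iE '\.js(\?|$)' | sort -u
}

# Line counter that is stable across wc implementations that pad with spaces.
count_lines() { wc -l | tr -d ' '; }

# Demo run over the constructed samples.
printf 'Candidate secrets:\n'; sample_js | extract_secrets
printf '\nSSRF-style parameters:\n'; sample_urls | ssrf_params
printf '\nJavaScript files:\n'; sample_urls | js_urls
```

Run it as `sh secrets_demo.sh`; for a real target replace `sample_js` with `curl -s "$url"` inside a loop over js.txt and `sample_urls` with `cat waybackdata`. The key=value pattern deliberately requires a quoted value of at least eight characters, which is what keeps the "password reset emails" sentence in the sample out of the results.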

Bug Bounty Report Template (severity ratings taken from Bugcrowd's Vulnerability Rating Taxonomy; see the link under Reference):

Technical severity | VRT category | Specific vulnerability name | Variant / Affected function

P1 | Server Security Misconfiguration | Using Default Credentials | -
P1 | Server-Side Injection | File Inclusion | Local
P1 | Server-Side Injection | Remote Code Execution (RCE) | -
P1 | Server-Side Injection | SQL Injection | -
P1 | Server-Side Injection | XML External Entity Injection (XXE) | -
P1 | Broken Authentication and Session Management | Authentication Bypass | -
P1 | Sensitive Data Exposure | Disclosure of Secrets | For Publicly Accessible Asset
P1 | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | Read/Edit/Delete Sensitive Information/Iterable Object Identifiers
P1 | Insecure OS/Firmware | Command Injection | -
P1 | Insecure OS/Firmware | Hardcoded Password | Privileged User
P1 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Sensitive Data Leakage/Exposure
P1 | Automotive Security Misconfiguration | RF Hub | Key Fob Cloning
P1 | AI Application Security | Large Language Model (LLM) Security | Prompt Injection
P1 | AI Application Security | Large Language Model (LLM) Security | LLM Output Handling
P1 | AI Application Security | Large Language Model (LLM) Security | Training Data Poisoning

P2 | Server Security Misconfiguration | Server-Side Request Forgery (SSRF) | Internal High Impact
P2 | Server Security Misconfiguration | Misconfigured DNS | High Impact Subdomain Takeover
P2 | Server Security Misconfiguration | OAuth Misconfiguration | Account Takeover
P2 | Sensitive Data Exposure | Weak Password Reset Implementation | Token Leakage via Host Header Poisoning
P2 | Cross-Site Scripting (XSS) | Stored | Non-Privileged User to Anyone
P2 | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | Edit/Delete Sensitive Information/Iterable Object Identifiers
P2 | Cross-Site Request Forgery (CSRF) | Application-Wide | -
P2 | Application-Level Denial-of-Service (DoS) | Critical Impact and/or Easy Difficulty | -
P2 | Physical Security Issues | Weakness in Physical Access Control | Commonly Keyed System
P2 | Insecure OS/Firmware | Hardcoded Password | Non-Privileged User
P2 | Insecure OS/Firmware | Over-Permissioned Credentials on Storage | -
P2 | Insecure OS/Firmware | Local Administrator on Default Environment | -
P2 | Cryptographic Weakness | Key Reuse | Inter-Environment
P2 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | OTA Firmware Manipulation
P2 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Code Execution (CAN Bus Pivot)
P2 | Automotive Security Misconfiguration | RF Hub | CAN Injection / Interaction
P2 | AI Application Security | Large Language Model (LLM) Security | Excessive Agency/Permission Manipulation

P3 | Server Security Misconfiguration | Server-Side Request Forgery (SSRF) | Internal Scan and/or Medium Impact
P3 | Server Security Misconfiguration | Misconfigured DNS | Basic Subdomain Takeover
P3 | Server Security Misconfiguration | Mail Server Misconfiguration | No Spoofing Protection on Email Domain
P3 | Server-Side Injection | HTTP Response Manipulation | Response Splitting (CRLF)
P3 | Server-Side Injection | Content Spoofing | iframe Injection
P3 | Broken Authentication and Session Management | Second Factor Authentication (2FA) Bypass | -
P3 | Broken Authentication and Session Management | Session Fixation | Remote Attack Vector
P3 | Sensitive Data Exposure | Disclosure of Secrets | For Internal Asset
P3 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Automatic User Enumeration
P3 | Cross-Site Scripting (XSS) | Stored | Privileged User to Privilege Elevation
P3 | Cross-Site Scripting (XSS) | Stored | CSRF/URL-Based
P3 | Cross-Site Scripting (XSS) | Reflected | Non-Self
P3 | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | Read Sensitive Information/Iterable Object Identifiers
P3 | Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty | -
P3 | Insecure OS/Firmware | Weakness in Firmware Updates | Firmware Does Not Validate Update Integrity
P3 | Insecure OS/Firmware | Shared Credentials on Storage | -
P3 | Cryptographic Weakness | Insecure Key Generation | Insufficient Key Space
P3 | Cryptographic Weakness | Broken Cryptography | Use of Broken Cryptographic Primitive
P3 | Client-Side Injection | Binary Planting | Default Folder Privilege Escalation
P3 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Code Execution (No CAN Bus Pivot)
P3 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Unauthorized Access to Services (API / Endpoints)
P3 | Automotive Security Misconfiguration | RF Hub | Data Leakage / Pull Encryption Mechanism
P3 | Automotive Security Misconfiguration | CAN | Injection (Battery Management System)
P3 | Automotive Security Misconfiguration | CAN | Injection (Steering Control)
P3 | Automotive Security Misconfiguration | CAN | Injection (Pyrotechnical Device Deployment Tool)
P3 | Automotive Security Misconfiguration | CAN | Injection (Headlights)
P3 | Automotive Security Misconfiguration | CAN | Injection (Sensors)
P3 | Automotive Security Misconfiguration | CAN | Injection (Vehicle Anti-theft Systems)
P3 | Automotive Security Misconfiguration | CAN | Injection (Powertrain)
P3 | Automotive Security Misconfiguration | CAN | Injection (Basic Safety Message)
P3 | Automotive Security Misconfiguration | Battery Management System | Firmware Dump
P3 | Automotive Security Misconfiguration | Immobilizer | Engine Start
P3 | Automotive Security Misconfiguration | Automatic Braking System (ABS) | Unintended Acceleration / Brake

P4 | Server Security Misconfiguration | Misconfigured DNS | Zone Transfer
P4 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
P4 | Server Security Misconfiguration | Database Management System (DBMS) Misconfiguration | Excessively Privileged User / DBA
P4 | Server Security Misconfiguration | Lack of Password Confirmation | Delete Account
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Registration
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Login
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Email-Triggering
P4 | Server Security Misconfiguration | No Rate Limiting on Form | SMS-Triggering
P4 | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | Session Token
P4 | Server Security Misconfiguration | Clickjacking | Sensitive Click-Based Action
P4 | Server Security Misconfiguration | OAuth Misconfiguration | Account Squatting
P4 | Server Security Misconfiguration | CAPTCHA | Implementation Vulnerability
P4 | Server Security Misconfiguration | Lack of Security Headers | Cache-Control for a Sensitive Page
P4 | Server Security Misconfiguration | Web Application Firewall (WAF) Bypass | Direct Server Access
P4 | Server-Side Injection | Content Spoofing | Impersonation via Broken Link Hijacking
P4 | Server-Side Injection | Content Spoofing | External Authentication Injection
P4 | Server-Side Injection | Content Spoofing | Email HTML Injection
P4 | Server-Side Injection | Server-Side Template Injection (SSTI) | Basic
P4 | Broken Authentication and Session Management | Cleartext Transmission of Session Token | -
P4 | Broken Authentication and Session Management | Weak Login Function | Other Plaintext Protocol with no Secure Alternative
P4 | Broken Authentication and Session Management | Weak Login Function | Over HTTP
P4 | Broken Authentication and Session Management | Failure to Invalidate Session | On Logout (Client and Server-Side)
P4 | Broken Authentication and Session Management | Failure to Invalidate Session | On Password Reset and/or Change
P4 | Broken Authentication and Session Management | Weak Registration Implementation | Over HTTP
P4 | Sensitive Data Exposure | Disclosure of Secrets | Pay-Per-Use Abuse
P4 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Manual User Enumeration
P4 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Detailed Server Configuration
P4 | Sensitive Data Exposure | Token Leakage via Referer | Untrusted 3rd Party
P4 | Sensitive Data Exposure | Token Leakage via Referer | Over HTTP
P4 | Sensitive Data Exposure | Sensitive Token in URL | User Facing
P4 | Sensitive Data Exposure | Weak Password Reset Implementation | Password Reset Token Sent Over HTTP
P4 | Sensitive Data Exposure | Sensitive Token | Via localStorage/sessionStorage
P4 | Cross-Site Scripting (XSS) | Stored | Privileged User to No Privilege Elevation
P4 | Cross-Site Scripting (XSS) | Referer | -
P4 | Cross-Site Scripting (XSS) | Universal (UXSS) | -
P4 | Cross-Site Scripting (XSS) | Off-Domain | Data URI
P4 | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | Read/Edit/Delete Sensitive Information/Complex Object Identifiers (GUID)
P4 | Broken Access Control (BAC) | Username/Email Enumeration | Non-Brute Force
P4 | Unvalidated Redirects and Forwards | Open Redirect | GET-Based
P4 | Insufficient Security Configurability | No Password Policy | -
P4 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Use
P4 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Secret Cannot be Rotated
P4 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Secret Remains Obtainable After 2FA is Enabled
P4 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On External Storage
P4 | Insecure Data Storage | Server-Side Credentials Storage | Plaintext
P4 | Insecure Data Transport | Executable Download | No Secure Integrity Check
P4 | Cryptographic Weakness | Insufficient Entropy | Limited Random Number Generator (RNG) Entropy Source
P4 | Cryptographic Weakness | Insufficient Entropy | Predictable Pseudo-Random Number Generator (PRNG) Seed
P4 | Cryptographic Weakness | Insufficient Entropy | Small Seed Space in Pseudo-Random Number Generator (PRNG)
P4 | Cryptographic Weakness | Insufficient Entropy | Predictable Initialization Vector (IV)
P4 | Cryptographic Weakness | Insufficient Verification of Data Authenticity | Integrity Check Value (ICV)
P4 | Cryptographic Weakness | Insecure Key Generation | Key Exchange Without Entity Authentication
P4 | Cryptographic Weakness | Key Reuse | Lack of Perfect Forward Secrecy
P4 | Cryptographic Weakness | Broken Cryptography | Use of Vulnerable Cryptographic Library
P4 | Cryptographic Weakness | Side-Channel Attack | Padding Oracle Attack
P4 | Cryptographic Weakness | Side-Channel Attack | Timing Attack
P4 | Cryptographic Weakness | Use of Expired Cryptographic Key (or Certificate) | -
P4 | Privacy Concerns | Unnecessary Data Collection | WiFi SSID+Password
P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Source Code Dump
P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Denial of Service (DoS / Brick)
P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Default Credentials
P4 | Automotive Security Misconfiguration | RF Hub | Unauthorized Access / Turn On
P4 | Automotive Security Misconfiguration | CAN | Injection (Disallowed Messages)
P4 | Automotive Security Misconfiguration | CAN | Injection (DoS)
P4 | Automotive Security Misconfiguration | Battery Management System | Fraudulent Interface
P4 | Automotive Security Misconfiguration | GNSS / GPS | Spoofing
P4 | Automotive Security Misconfiguration | Roadside Unit (RSU) | Sybil Attack

P5 | Server Security Misconfiguration | Server-Side Request Forgery (SSRF) | External - Low Impact
P5 | Server Security Misconfiguration | Server-Side Request Forgery (SSRF) | External - DNS Query Only
P5 | Server Security Misconfiguration | Directory Listing Enabled | Non-Sensitive Data Exposure
P5 | Server Security Misconfiguration | Same-Site Scripting | -
P5 | Server Security Misconfiguration | Misconfigured DNS | Missing Certification Authority Authorization (CAA) Record
P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing to Spam Folder
P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Missing or Misconfigured SPF and/or DKIM
P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing on Non-Email Domain
P5 | Server Security Misconfiguration | Lack of Password Confirmation | Change Email Address
P5 | Server Security Misconfiguration | Lack of Password Confirmation | Change Password
P5 | Server Security Misconfiguration | Lack of Password Confirmation | Manage 2FA
P5 | Server Security Misconfiguration | No Rate Limiting on Form | Change Password
P5 | Server Security Misconfiguration | Unsafe File Upload | No Antivirus
P5 | Server Security Misconfiguration | Unsafe File Upload | No Size Limit
P5 | Server Security Misconfiguration | Unsafe File Upload | File Extension Filter Bypass
P5 | Server Security Misconfiguration | Cookie Scoped to Parent Domain | -
P5 | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | Non-Session Cookie
P5 | Server Security Misconfiguration | Clickjacking | Form Input
P5 | Server Security Misconfiguration | Clickjacking | Non-Sensitive Action
P5 | Server Security Misconfiguration | CAPTCHA | Brute Force
P5 | Server Security Misconfiguration | CAPTCHA | Missing
P5 | Server Security Misconfiguration | Exposed Admin Portal | To Internet
P5 | Server Security Misconfiguration | Missing DNSSEC | -
P5 | Server Security Misconfiguration | Fingerprinting/Banner Disclosure | -
P5 | Server Security Misconfiguration | Username/Email Enumeration | Brute Force
P5 | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled | OPTIONS
P5 | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled | TRACE
P5 | Server Security Misconfiguration | Insecure SSL | Lack of Forward Secrecy
P5 | Server Security Misconfiguration | Insecure SSL | Insecure Cipher Suite
P5 | Server Security Misconfiguration | Insecure SSL | Certificate Error
P5 | Server Security Misconfiguration | Reflected File Download (RFD) | -
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Frame-Options
P5 | Server Security Misconfiguration | Lack of Security Headers | Cache-Control for a Non-Sensitive Page
P5 | Server Security Misconfiguration | Lack of Security Headers | X-XSS-Protection
P5 | Server Security Misconfiguration | Lack of Security Headers | Strict-Transport-Security
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Content-Type-Options
P5 | Server Security Misconfiguration | Lack of Security Headers | Content-Security-Policy
P5 | Server Security Misconfiguration | Lack of Security Headers | Public-Key-Pins
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Content-Security-Policy
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Webkit-CSP
P5 | Server Security Misconfiguration | Lack of Security Headers | Content-Security-Policy-Report-Only
P5 | Server Security Misconfiguration | Email Verification Bypass | -
P5 | Server Security Misconfiguration | Missing Subresource Integrity | -
P5 | Server Security Misconfiguration | Bitsquatting | -
P5 | Server-Side Injection | Parameter Pollution | Social Media Sharing Buttons
P5 | Server-Side Injection | Content Spoofing | Flash Based External Authentication Injection
P5 | Server-Side Injection | Content Spoofing | HTML Content Injection
P5 | Server-Side Injection | Content Spoofing | Email Hyperlink Injection Based on Email Provider
P5 | Server-Side Injection | Content Spoofing | Text Injection
P5 | Server-Side Injection | Content Spoofing | Homograph/IDN-Based
P5 | Server-Side Injection | Content Spoofing | Right-to-Left Override (RTLO)
P5 | Broken Authentication and Session Management | Weak Login Function | Not Operational or Intended Public Access
P5 | Broken Authentication and Session Management | Session Fixation | Local Attack Vector
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On Logout (Server-Side Only)
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | Concurrent Sessions On Logout
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On Email Change
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On 2FA Activation/Change
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | Long Timeout
P5 | Broken Authentication and Session Management | Concurrent Logins | -
P5 | Sensitive Data Exposure | Disclosure of Secrets | Intentionally Public, Sample or Invalid
P5 | Sensitive Data Exposure | Disclosure of Secrets | Data/Traffic Spam
P5 | Sensitive Data Exposure | Disclosure of Secrets | Non-Corporate User
P5 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Full Path Disclosure
P5 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Descriptive Stack Trace
P5 | Sensitive Data Exposure | Disclosure of Known Public Information | -
P5 | Sensitive Data Exposure | Token Leakage via Referer | Trusted 3rd Party
P5 | Sensitive Data Exposure | Token Leakage via Referer | Password Reset Token
P5 | Sensitive Data Exposure | Sensitive Token in URL | In the Background
P5 | Sensitive Data Exposure | Sensitive Token in URL | On Password Reset
P5 | Sensitive Data Exposure | Non-Sensitive Token in URL | -
P5 | Sensitive Data Exposure | Mixed Content (HTTPS Sourcing HTTP) | -
P5 | Sensitive Data Exposure | Sensitive Data Hardcoded | OAuth Secret
P5 | Sensitive Data Exposure | Sensitive Data Hardcoded | File Paths
P5 | Sensitive Data Exposure | Internal IP Disclosure | -
P5 | Sensitive Data Exposure | JSON Hijacking | -
P5 | Sensitive Data Exposure | Non-Sensitive Token | Via localStorage/sessionStorage
P5 | Cross-Site Scripting (XSS) | Stored | Self
P5 | Cross-Site Scripting (XSS) | Reflected | Self
P5 | Cross-Site Scripting (XSS) | Flash-Based | -
P5 | Cross-Site Scripting (XSS) | Cookie-Based | -
P5 | Cross-Site Scripting (XSS) | IE-Only | -
P5 | Cross-Site Scripting (XSS) | TRACE Method | -
P5 | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | Read/Edit/Delete Non-Sensitive Information
P5 | Cross-Site Request Forgery (CSRF) | Action-Specific | Logout
P5 | Cross-Site Request Forgery (CSRF) | CSRF Token Not Unique Per Request | -
P5 | Cross-Site Request Forgery (CSRF) | Flash-Based | -
P5 | Application-Level Denial-of-Service (DoS) | Malformed Android Intents | App Crash
P5 | Application-Level Denial-of-Service (DoS) | Malformed iOS URL Schemes | App Crash
P5 | Unvalidated Redirects and Forwards | Open Redirect | POST-Based
P5 | Unvalidated Redirects and Forwards | Open Redirect | Header-Based
P5 | Unvalidated Redirects and Forwards | Open Redirect | Flash-Based
P5 | Unvalidated Redirects and Forwards | Tabnabbing | -
P5 | Unvalidated Redirects and Forwards | Lack of Security Speed Bump Page | -
P5 | External Behavior | Browser Feature | Plaintext Password Field
P5 | External Behavior | Browser Feature | Save Password
P5 | External Behavior | Browser Feature | Autocomplete Enabled
P5 | External Behavior | Browser Feature | Autocorrect Enabled
P5 | External Behavior | Browser Feature | Aggressive Offline Caching
P5 | External Behavior | CSV Injection | -
P5 | External Behavior | Captcha Bypass | Crowdsourcing
P5 | External Behavior | System Clipboard Leak | Shared Links
P5 | External Behavior | User Password Persisted in Memory | -
P5 | Insufficient Security Configurability | Weak Password Policy | -
P5 | Insufficient Security Configurability | Password Policy Bypass | -
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Email Change
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Password Change
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token Has Long Timed Expiry
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After New Token is Requested
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Login
P5 | Insufficient Security Configurability | Verification of Contact Method not Required | -
P5 | Insufficient Security Configurability | Lack of Notification Email | -
P5 | Insufficient Security Configurability | Weak Registration Implementation | Allows Disposable Email Addresses
P5 | Insufficient Security Configurability | Weak 2FA Implementation | Missing Failsafe
P5 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Code is Not Updated After New Code is Requested
P5 | Insufficient Security Configurability | Weak 2FA Implementation | Old 2FA Code is Not Invalidated After New Code is Generated
P5 | Using Components with Known Vulnerabilities | Rosetta Flash | -
P5 | Using Components with Known Vulnerabilities | Outdated Software Version | -
P5 | Using Components with Known Vulnerabilities | Captcha Bypass | OCR (Optical Character Recognition)
P5 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On Internal Storage
P5 | Insecure Data Storage | Non-Sensitive Application Data Stored Unencrypted | -
P5 | Insecure Data Storage | Screen Caching Enabled | -
P5 | Lack of Binary Hardening | Lack of Exploit Mitigations | -
P5 | Lack of Binary Hardening | Lack of Jailbreak Detection | -
P5 | Lack of Binary Hardening | Lack of Obfuscation | -
P5 | Lack of Binary Hardening | Runtime Instrumentation-Based | -
P5 | Insecure Data Transport | Executable Download | Secure Integrity Check
P5 | Insecure OS/Firmware | Weakness in Firmware Updates | Firmware is Not Encrypted
P5 | Insecure OS/Firmware | Data Not Encrypted at Rest | Non-Sensitive
P5 | Cryptographic Weakness | Insufficient Entropy | Use of True Random Number Generator (TRNG) for Non-Security Purpose
P5 | Cryptographic Weakness | Insufficient Entropy | Pseudo-Random Number Generator (PRNG) Seed Reuse
P5 | Cryptographic Weakness | Insufficient Entropy | Initialization Vector (IV) Reuse
P5 | Cryptographic Weakness | Weak Hash | Use of Predictable Salt
P5 | Cryptographic Weakness | Key Reuse | Intra-Environment
P5 | Cryptographic Weakness | Side-Channel Attack | Power Analysis Attack
P5 | Cryptographic Weakness | Side-Channel Attack | Emanations Attack
P5 | Cryptographic Weakness | Incomplete Cleanup of Keying Material | -
P5 | Network Security Misconfiguration | Telnet Enabled | -
P5 | Mobile Security Misconfiguration | SSL Certificate Pinning | Absent
P5 | Mobile Security Misconfiguration | SSL Certificate Pinning | Defeatable
P5 | Mobile Security Misconfiguration | Tapjacking | -
P5 | Mobile Security Misconfiguration | Clipboard Enabled | -
P5 | Mobile Security Misconfiguration | Auto Backup Allowed by Default | -
P5 | Client-Side Injection | Binary Planting | Non-Default Folder Privilege Escalation
P5 | Client-Side Injection | Binary Planting | No Privilege Escalation
P5 | Automotive Security Misconfiguration | RF Hub | Roll Jam
P5 | Automotive Security Misconfiguration | RF Hub | Replay
P5 | Automotive Security Misconfiguration | RF Hub | Relay

Varies | Server Security Misconfiguration | Unsafe Cross-Origin Resource Sharing | -
Varies | Server Security Misconfiguration | HTTP Request Smuggling | -
Varies | Server Security Misconfiguration | Path Traversal | -
Varies | Server Security Misconfiguration | Directory Listing Enabled | Sensitive Data Exposure
Varies | Server Security Misconfiguration | SSL Attack (BREACH, POODLE etc.) | -
Varies | Server Security Misconfiguration | OAuth Misconfiguration | Missing/Broken State Parameter
Varies | Server Security Misconfiguration | OAuth Misconfiguration | Insecure Redirect URI
Varies | Server Security Misconfiguration | Race Condition | -
Varies | Server Security Misconfiguration | Software Package Takeover | -
Varies | Server Security Misconfiguration | Cache Poisoning | -
Varies | Server-Side Injection | LDAP Injection | -
Varies | Server-Side Injection | Server-Side Template Injection (SSTI) | Custom
Varies | Broken Authentication and Session Management | Failure to Invalidate Session | On Permission Change
Varies | Sensitive Data Exposure | Disclosure of Secrets | PII Leakage/Exposure
Varies | Sensitive Data Exposure | Cross Site Script Inclusion (XSSI) | -
Varies | Broken Access Control (BAC) | Exposed Sensitive Android Intent | -
Varies | Broken Access Control (BAC) | Privilege Escalation | -
Varies | Broken Access Control (BAC) | Exposed Sensitive iOS URL Scheme | -
Varies | Cross-Site Request Forgery (CSRF) | Action-Specific | Authenticated Action
Varies | Cross-Site Request Forgery (CSRF) | Action-Specific | Unauthenticated Action
Varies | Application-Level Denial-of-Service (DoS) | Excessive Resource Consumption | Injection (Prompt)
Varies | Insecure Data Transport | Cleartext Transmission of Sensitive Data | -
Varies | Data Biases | Representation Bias | -
Varies | Data Biases | Pre-existing Bias | -
Varies | Algorithmic Biases | Processing Bias | -
Varies | Algorithmic Biases | Aggregation Bias | -
Varies | Societal Biases | Confirmation Bias | -
Varies | Societal Biases | Systemic Bias | -
Varies | Misinterpretation Biases | Context Ignorance | -
Varies | Developer Biases | Implicit Bias | -
Varies | Physical Security Issues | Bypass of Physical Access Control | -
Varies | Physical Security Issues | Weakness in Physical Access Control | Cloneable Key
Varies | Physical Security Issues | Weakness in Physical Access Control | Master Key Identification
Varies | Insecure OS/Firmware | Weakness in Firmware Updates | Firmware Cannot be Updated
Varies | Insecure OS/Firmware | Kiosk Escape or Breakout | -
Varies | Insecure OS/Firmware | Poorly Configured Disk Encryption | -
Varies | Insecure OS/Firmware | Poorly Configured Operating System Security | -
Varies | Insecure OS/Firmware | Recovery of Disk Contains Sensitive Material | -
Varies | Insecure OS/Firmware | Failure to Remove Sensitive Artifacts from Disk | -
Varies | Insecure OS/Firmware | Data Not Encrypted at Rest | Sensitive
Varies | Cryptographic Weakness | Insecure Implementation | Missing Cryptographic Step
Varies | Cryptographic Weakness | Insecure Implementation | Improper Following of Specification (Other)
Varies | Cryptographic Weakness | Weak Hash | Lack of Salt
Varies | Cryptographic Weakness | Weak Hash | Predictable Hash Collision
Varies | Cryptographic Weakness | Insufficient Verification of Data Authenticity | Cryptographic Signature
Varies | Cryptographic Weakness | Insecure Key Generation | Improper Asymmetric Prime Selection
Varies | Cryptographic Weakness | Insecure Key Generation | Improper Asymmetric Exponent Selection
Varies | Cryptographic Weakness | Insecure Key Generation | Insufficient Key Stretching
Varies | Cryptographic Weakness | Side-Channel Attack | Differential Fault Analysis
Varies | Indicators of Compromise | - | -

Note: Email Server Misconfiguration (Mail Server Misconfiguration, spoofing to inbox due to missing or misconfigured DMARC) is rated P4.

4. Reference

Bugcrowd Vulnerability Rating Taxonomy
https://bugcrowd.com/vulnerability-rating-taxonomy

OTP bypass
https://medium.com/@n4if/otp-bypass-through-session-manipulation-d73deceaa42f

IDOR
https://medium.com/pinoywhitehat/idor-on-hackerone-embedded-submission-form-9e59c6f044b3

Understanding the full potential of sqlmap during bug bounty hunting
https://vavkamil.cz/2019/10/09/understanding-the-full-potential-of-sqlmap-during-bug-bounty-hunting/