Introducing a new feature to help you further your career in the infosec industry: mentoring!
Browse tutorials and guides from other researchers, view video content or get involved and join various live mentoring sessions that we hold.

Tutorial Creator: zseano

Open URL Redirects

I'm sure by now you've heard of an open URL redirect, but if you haven't: open URL redirects are simply URLs like https://www.example.com/?go=https://www.google.com/, which when visited will go from example.com -> google.com. Generally they are classed as low impact and some programs even list them as out of scope and not accepted. So what can we actually do with them and should you ign

Tutorial Creator: zseano

Indirect Object Reference (IDOR)

What is an IDOR? An IDOR is simply https://api.example.com/api/user/139349 - in which you supply the endpoint with a userid/guid, or some sort of identification and it'll execute & respond. An application that is not vulnerable will not let you change 139349 to another user's ID, but if it is vulnerable, the IDOR bug would enable a malicious user to enumerate ``https://api.example.c

Tutorial Creator: zseano

Rate Limits

I don't think rate limits need an explanation, but for those scratching their head: Rate limits are designed to stop you from abusing a certain action/endpoint, for example logging in (brute forcing an account). When a rate limit occurs the user is sometimes either blocked from performing that action for x amount of time, or they are hit with a captcha. In this tutorial we're going to go over so

Tutorial Creator: zseano

Cross Site Scripting (XSS)

Before we begin, if you don't already, I highly recommend checking out http://brutelogic.com.br/blog/ run by BruteLogic for great in-depth tutorials about XSS. You can always follow him as well on https://www.twitter.com/brutelogic

Now, let's begin. XSS is usually the most common and also the easiest type of vulnerability to find, but what happens when WAFs and other filters are in place st

Tutorial Creator: zseano

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) tokens are designed to stop a hidden FORM POST on evil.com from being submitted secretly to hijack your account on example.com. Websites such as Facebook implement this by using something called fb_dtsg, and the general purpose is you can only do an action (such as update your email) if a valid fb_dtsg value is sent with the request. Unless the attacke

Tutorial Creator: zseano

Recon & discovery

A wild invite appears..

Nice. The scope is big with multiple domains and wildcard * - meaning all subdomains are in scope except those listed in out of scope. Where do we begin? First things first is to set our scanners off. Here is a list of scanners I use and what they do.

  1. https://github.com/aboul3la/Sublist3r - Almost everyone knows what this tool is/does. Sublist3r is an easy-

Mentor: zseano

Streamed on June 14th 2019 at 2pm GMT

My first go at live mentoring. In this session I give my advice on how to get started in bug bounties as a full-time career (or even in your spare time works too!), where to find your first bug, and how to stay sane when doing it (and not burning out). I also answer various questions from fellow researchers and try to go into as much detail as possible when answering.

Mentor: zseano

Streamed on June 29th 2019 at 2pm GMT

I did enough talking to get hackers in the mindset in my previous session, so now let's apply that knowledge and see some results! In this stream we will attempt to find bugs in a platform called FastFoodHackings. What sort of bugs? Well.. that would spoil it! :)

Note: You are welcome to keep testing on this challenge after it has ended, but be aware that bugs are disclosed after the stream ends. To avoid spoiling the challenge, they will not be visible unless you choose to view them.

Mentor: zseano

Streamed on July 21st 2019 at 2pm BST

FastFoodHackings successfully patched all of the bugs from the previous session, but have they fixed them correctly? Some new features were also introduced and they'd love your help making sure they're secure.