Tutorials & Guides


Tutorials and guides around various bug types from verified mentors as well as researchers from around the world.

Share your content

Approved Mentor: zseano

Open URL Redirects

I'm sure by now you've heard of an open url redirect, but if you haven't: Open url redirects are simply urls like https://www.example.com/?go=https://www.google.com/, which when visited will go from example.com -> google.com. Generally they are classed as low impact and some programs even list them as Out-of-scope and not accepted. So what can we do actually do with them and should you ign

Approved Mentor: zseano

Indirect Object Reference (IDOR)

What is an IDOR? An IDOR is simply https://api.example.com/api/user/139349 - in which you supply the endpoint with a userid/guid, or some sort of identification and it'll execute & respond. An application that is not vulnerable will not let you change 139349 to another users ID, but if it is vulnerable, the IDOR bug would enable a malicious user to enumerate ``https://api.example.c

Approved Mentor: zseano

Rate Limits

I don't think rate limits need an explanation, but for those scratching their head: Rate limits are designed to stop you from abusing a certain action/endpoint, for example logging in (brute forcing an account). When a rate limit occurs the user is sometimes either blocked from performing that action for x amount of time, or they are hit with captcha. In this tutorial we're going to go over so

Approved Mentor: zseano

Cross Site Scripting (XSS)

Before we begin, if you don't already I highly recommend checking out http://brutelogic.com.br/blog/ run by BruteLogic for great in-depth tutorials about XSS. You can always follow him aswell on https://www.twitter.com/brutelogic

Now, let's begin. XSS is usually the most common and also the most easiest type of vulnerability to find, but what happens when WAF's and other filters are in place st

Approved Mentor: zseano

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) tokens are designed to stop a hidden FORM POST on evil.com from being submitted secretly to hijack your account on example.com. Websites such as Facebook implement this by using something called fb_dtsg, and the general purpose is you can only do an action (such as update your email) if a valid fb_dtsg value is sent with the request. Unless the attacke

Approved Mentor: zseano

Recon & discovery

A wild invite appears..

Nice. The scope is big with multiple domains and wildcard * - meaning all subdomains are in scope except those listed in out of scope. Where do we begin? First things first is to set our scanners off. Here is a list of scanners I use and what they do.

  1. https://github.com/aboul3la/Sublist3r - Almost everyone knows what this tool is/does. Sublist3r is an easy-