The Ultimate Web Application Bug Bounty Hunting Course
- Description
- Curriculum
- FAQ
- Reviews
Welcome to the ultimate Web Application Bug Bounty Hunting course.
Your instructor is Martin Voelk. He is a Cyber Security veteran with 25 years of experience. Martin holds some of the highest certification incl. CISSP, OSCP, OSWP, Portswigger BSCP, CCIE, PCI ISA and PCIP. He works as a consultant for a big tech company and engages in Bug Bounty programs where he found thousands of critical and high vulnerabilities.
In this course Martin walks students through a step-by-step methodology on how to uncover web vulnerabilities. The theoretical lecture is complimented with the relevant free practical Burp labs to reinforce the knowledge. Martin is not just inserting the payload but explains each step on finding the vulnerability and why it can be exploited in a certain way. The videos are easy to follow along and replicate. This training is highly recommended for anyone who wants to become a professional Web Application Bug Bounty Hunter.
Course outline:
1. Cross-site scripting (XSS) – Theory and Labs
2. Cross-site request forgery (CSRF) – Theory and Labs
3. Open Redirect – Theory and Labs
4. Bypassing Access Control – Theory and Labs
5. Server-side request forgery (SSRF) – Theory and Labs
6. SQL injection – Theory and Labs
7. OS command injection – Theory and Labs
8. Insecure Direct Object References (IDOR) – Theory and Labs
9. XML external entity (XXE) injection – Theory and Labs
10. API Testing – Theory and Labs
11. File upload vulnerabilities – Theory and Labs
12. Java Script analysis – Theory and Labs
13. Cross-origin resource sharing (CORS) – Theory and Labs
14. Business logic vulnerabilities – Theory and Labs
15. Registration flaws
16. Login flaws
17. Password reset flaws
18. Updating account flaws
19. Developer tool flaws
20. Analysis of core application
21. Payment feature flaws
22. Premium feature flaws
23. Directory Traversal – Theory and Labs
24. Methodology to find most bugs
Notes & Disclaimer
Portswigger labs are a public and a free service from Portswigger for anyone to use to sharpen their skills. All you need is to sign up for a free account. I will to respond to questions in a reasonable time frame. Learning Web Application Pen Testing / Bug Bounty Hunting is a lengthy process, so please don’t feel frustrated if you don’t find a bug right away. Try to use Google, read Hacker One reports and research each feature in-depth. This course is for educational purposes only. This information is not to be used for malicious exploitation and must only be used on targets you have permission to attack.
-
2
XSS Methodology -
3
XSS Links and Slides -
4
Reflected XSS into HTML context with nothing encoded
-
5
Stored XSS into HTML context with nothing encoded
-
6
DOM XSS in document.write sink using source location.search
-
7
DOM XSS in innerHTML sink using source location.search
-
8
DOM XSS in jQuery anchor href attribute sink using location.search source
-
9
DOM XSS in jQuery selector sink using a hashchange event
-
10
Reflected XSS into attribute with angle brackets HTML-encoded
-
11
Stored XSS into anchor href attribute with double quotes HTML-encoded
-
12
Reflected XSS into a JavaScript string with angle brackets HTML encoded
-
13
DOM XSS in document.write sink using source location.search inside a select elem
-
14
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encod
-
15
Reflected DOM XSS
-
16
Stored DOM XSS
-
17
Exploiting cross-site scripting to steal cookies
-
18
Exploiting cross-site scripting to capture passwords
-
19
Exploiting XSS to perform CSRF
-
20
Reflected XSS into HTML context with most tags and attributes blocked
-
21
Reflected XSS into HTML context with all tags blocked except custom ones
-
22
Reflected XSS with some SVG markup allowed
-
23
Reflected XSS in canonical link tag
-
24
Reflected XSS into a JavaScript string with single quote and backslash escaped
-
25
Reflected XSS into a JavaScript string with angle brackets and double quotes HTM
-
26
Stored XSS into onclick event with angle brackets and double quotes HTML-encoded
-
27
Reflected XSS into a template literal with angle brackets, single, double quotes
-
28
CSRF Methodology
-
29
CSRF Links and Slides
-
30
CSRF vulnerability with no defenses
-
31
CSRF where token validation depends on request method
-
32
CSRF where token validation depends on token being present
-
33
CSRF where token is not tied to user session
-
34
CSRF where token is tied to non-session cookie
-
35
CSRF where token is duplicated in cookie
-
36
SameSite Lax bypass via method override
-
37
SameSite Strict bypass via client-side redirect
-
38
SameSite Strict bypass via sibling domain
-
39
SameSite Lax bypass via cookie refresh
-
40
CSRF where Referer validation depends on header being present
-
41
CSRF with broken Referer validation
-
48
Bypassing Access Control Methodology
-
49
Bypassing Access Control Links and Slides
-
50
Unprotected admin functionality
-
51
Unprotected admin functionality with unpredictable URL
-
52
User role controlled by request parameter
-
53
User role can be modified in user profile
-
54
User ID controlled by request parameter
-
55
User ID controlled by request parameter, with unpredictable user IDs
-
56
User ID controlled by request parameter with data leakage in redirect
-
57
User ID controlled by request parameter with password disclosure
-
58
URL-based access control can be circumvented
-
59
Method-based access control can be circumvented
-
60
Multi-step process with no access control on one step
-
61
Referer-based access control
-
62
Server-side request forgery (SSRF) Methodology
-
63
Server-side request forgery (SSRF) Links and Slides
-
64
Basic SSRF against the local server
-
65
Basic SSRF against another back-end system
-
66
SSRF with blacklist-based input filter
-
67
SSRF with filter bypass via open redirection vulnerability
-
68
Blind SSRF with out-of-band detection
-
69
SQL injection Methodology
-
70
SQL injection Links and Slides
-
71
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
-
72
SQL injection vulnerability allowing login bypass
-
73
SQL injection UNION attack, determining the number of columns returned
-
74
SQL injection UNION attack, finding a column containing text
-
75
SQL injection UNION attack, retrieving data from other tables
-
76
SQL injection UNION attack, retrieving multiple values in a single column
-
77
SQL injection attack, querying the database type and version on Oracle
-
78
SQL injection attack, querying the database type and version on MySQL and MS
-
79
SQL injection attack, listing the database contents on non-Oracle databases
-
80
SQL injection attack, listing the database contents on Oracle
-
81
Blind SQL injection with conditional responses
-
82
Blind SQL injection with conditional errors
-
83
Blind SQL injection with time delays
-
84
Blind SQL injection with time delays and information retrieval
-
85
Blind SQL injection with out-of-band interaction
-
86
Blind SQL injection with out-of-band data exfiltration
-
87
SQL injection with filter bypass via XML encoding
