How To Quick Start Bug Bounty Hunting - First Attack Vectors Explained

Short & Basic Intro to Bug Bounty World - XSS, CSRF, BAC vulnerability overview



2 years ago | 2 min read

Video Edition is available on YouTube #shorts —

I recommend registering on @BugCrowd, @Hacker0x01, @intigriti

Searching for bugs in the wild (not on a bug bounty platform) is great, but not for the start.

Bug bounty platforms can give you very interesting private invites over time.

Try focusing on programs that have a wide scope, where you can manage users (create roles), docs, images, etc.

And then start with a simple — create two users (one basic user & second admin), open two browsers, and start testing for BAC (Broken Access Control) vulnerability.

In short — this is the type of vulnerability, where a basic user can perform admin actions.

Some of these vulnerabilities can be found using direct links to sections/endpoints, but others will require you to modify requests that are sent to the browser

I recommend using @Burp_Suite for requests capture & modification. You can download Community Edition for Free.

Recommended Addon: Logger++

While you are testing the website/app for BAC bugs — you can highlight all GET requests to critical actions. E.g. /delete_user?id=1

Requests with critical actions that can be directly sent to a user are treated as a CSRF (Cross-Site Request Forgery) vulnerability

POST requests can be used too to perform CSRF attack, but usually has CSRF protection mechanism in place (like csrf_tokens or referrer check)

CSRF protection can be bypassed sometimes. Try to switch the POST method to GET or remove token value from a key — csrf_token=

With referrer protection, you can try to append your own domain to a referrer, like this

Or if there is a check that domain should be at the end of referrer you can try this way:

And the third basic rule while performing bug bounty hunting — is to put a basic payload in all possible inputs: qwe'"<X</

And just watch text reflection on a website. If you will see somewhere qwe'" (without angle brackets) — this could be a chance of XSS

Additionally, search for qwe text in the source code of the page. Use Developers Tools in the browser for this task.

Payloads can be reflected anywhere

1. In tag parameters:


2. In tag attributes:

<a class="qwe'"<x</">

3. In tag event attributes with location change logic:

<a onclick="location.href='qwe'">

Here you can try to inject javascript protocol. For example:


4. Inside of a <script> tag:

<script>let a = "qwe'"<x</"<script>

That’s all for now

  1. Share the word about this article
  2. Follow me on Twitter & LinkedIn for Bug Bounty Tips

I tweet & write about WebDev & InfoSec

Cheers, Happy Hunting 👍


Created by


👋 Hi, I’m Anton (therceman) 💻 Web Developer and Bug Bounty Hunter 💬 I Am Sharing My Web Development & InfoSec Knowledge ... 🌐 🐤 💼 📷







Related Articles