Open in app

Sign in

Write

Sign in

Complete Bug Bounty CheatSheet | Joas Antonio

Shakhawat Hossain - 0xShakhawat
3 min readJun 2, 2022
Complete Bug Bounty CheatSheet by 0xShakhawat
Complete Bug Bounty Cheat Sheet

XSS, SQLi, SSRF, CRLF, CSV-Injection, Command Injection, Directory Traversal, LFI, XXE, Open-Redirect, RCE, Crypto, Template Injection, XSLT, Content Injection, LDAP Injection, NoSQL Injection, CSRF Injection, GraphQL Injection, IDOR, ISCM, LaTex Injection, OAuth, XPATH Injection, Bypass Upload Tricky

XSS

bugbounty-cheatsheet/xss.md at master · EdOverflow/bugbounty-cheatsheet

Chrome XSS-Auditor Bypass by @vivekchsm Chrome ...‰€ AngularJS Template Injection based XSS For manual verification on…

github.com

GitHub - payloadbox/xss-payload-list: 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List - GitHub - payloadbox/xss-payload-list: 🎯 Cross Site…

github.com

SQLi

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/sali.md

SSRF

bugbounty-cheatsheet/ssrf.md at master · EdOverflow/bugbounty-cheatsheet

Note: The latter can be calculated using http://www.subnetmask.info/ Exotic Handlers gopher://, dict://, php://…

github.com

PayloadsAllTheThings/Server Side Request Forgery at master · swisskyrepo/PayloadsAllTheThings

Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on…

github.com

CRLF

bugbounty-cheatsheet/crlf.md at master · EdOverflow/bugbounty-cheatsheet

0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Header-based test, site root CRLF chained with Open Redirect…

github.com

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%2O0Injection

CSV-Injection

bugbounty-cheatsheet/csv-injection.md at master · EdOverflow/bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters. - bugbounty-cheatsheet/csv-injection.md at…

github.com

PayloadsAllTheThings/CSV Injection at master · swisskyrepo/PayloadsAllTheThings

Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file…

github.com

Command Injection

PayloadsAllTheThings/Command Injection at master · swisskyrepo/PayloadsAllTheThings

A list of useful payloads and bypass for Web Application Security and Pentest/CTF - PayloadsAllTheThings/Command…

github.com

Directory Traversal

PayloadsAllTheThings/Directory Traversal at master · swisskyrepo/PayloadsAllTheThings

A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied…

github.com

LFl

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/lIfi.md

PayloadsAllTheThings/File Inclusion at master · swisskyrepo/PayloadsAllTheThings

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion"…

github.com

XXE

bugbounty-cheatsheet/xxe.md at master · EdOverflow/bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters. - bugbounty-cheatsheet/xxe.md at master ·…

github.com

Open-Redirect

bugbounty-cheatsheet/open-redirect.md at master · EdOverflow/bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters. - bugbounty-cheatsheet/open-redirect.md at…

github.com

RCE

bugbounty-cheatsheet/rce.md at master · EdOverflow/bugbounty-cheatsheet

Werkzeug Debugger Find somewhere where user input can be supplied and submit the following string to cause an error: If…

github.com

Crypto

bugbounty-cheatsheet/crypto.md at master · EdOverflow/bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters. - bugbounty-cheatsheet/crypto.md at master ·…

github.com

Template Injection

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/template-Injection.md

PayloadsAllTheThings/Server Side Template Injection at master · swisskyrepo/PayloadsAllTheThings

A list of useful payloads and bypass for Web Application Security and Pentest/CTF - PayloadsAllTheThings/Server Side…

github.com

XSLT

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xsit.md

Content Injection

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/content-Injection.md

LDAP Injection

PayloadsAllTheThings/LDAP Injection at master · swisskyrepo/PayloadsAllTheThings

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input…

github.com

NoSQL Injection

PayloadsAllTheThings/NoSQL Injection at master · swisskyrepo/PayloadsAllTheThings

NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational…

github.com

CSRF Injection

PayloadsAllTheThings/CSRF Injection at master · swisskyrepo/PayloadsAllTheThings

Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web…

github.com

GraphQL Injection

PayloadsAllTheThings/GraphQL Injection at master · swisskyrepo/PayloadsAllTheThings

GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service…

github.com

IDOR

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%200bject%20References

ISCM

PayloadsAllTheThings/Insecure Source Code Management at master · swisskyrepo/PayloadsAllTheThings

The following examples will create either a copy of the .git or a copy of the current commit. Check for the following…

github.com

LaTex Injection

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTexX%20Injection

OAuth

PayloadsAllTheThings/OAuth at master · swisskyrepo/PayloadsAllTheThings

From @abugzlife1 tweet. Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site…

github.com

XPATH Injection

PayloadsAllTheThings/XPATH Injection at master · swisskyrepo/PayloadsAllTheThings

XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries…

github.com

Bypass Upload Tricky

PayloadsAllTheThings/Upload Insecure Files at master · swisskyrepo/PayloadsAllTheThings

Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data…

github.com

Folllow me Shakhawat Hossain for more updates @0xShakhawat

Bug Bounty
Cybersecurity
Penetration Testing
0xshakhawat
Infosec

--

--

Shakhawat Hossain - 0xShakhawat

Written by Shakhawat Hossain - 0xShakhawat

344 Followers

Learning Penetration Testing && Cyber Security

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams