Bug Bounty Hunter – Asecurity Academy

About Course

Bug bounty hunting is the art and science of finding security vulnerabilities in real-world applications and getting paid for responsible disclosure. This course takes you from zero knowledge to a fully equipped hunter ready to submit valid reports on HackerOne, Bugcrowd, Intigriti, and private programs.

You will learn reconnaissance, every major web vulnerability class, API hacking, mobile testing fundamentals, and — critically — how to write professional reports that get triaged and paid quickly.

Conduct professional reconnaissance on any target in scope
Discover and exploit XSS, SQLi, SSRF, IDOR, XXE, SSTI, and more
Test REST APIs, GraphQL, and WebSocket endpoints
Chain vulnerabilities for maximum impact and bounty value
Write clear, reproducible vulnerability reports that get paid
Manage your pipeline across multiple programs simultaneously
Build a personal recon automation toolkit

Course Content

MODULE 01: The Bug Bounty Ecosystem
Before writing a single payload, you need to understand the landscape: how programs work, what gets paid, legal boundaries, and how to think like a professional hunter.

1.1 What is Bug Bounty Hunting?
1.2 Platforms & Program Types
HackerOne : Largest platform, government programs
Bugcrowd : VDP & private programs
Intigriti : European focus, high bounties
Synack : Invite-only, vetted researchers
YesWeHack : European & global programs
1.3 Reading a Program Policy
Scope: in-scope domains, IP ranges, mobile apps — TEST ONLY THESE
Out-of-scope: third-party services, DoS attacks, physical attacks, social engineering
Severity ratings: Critical / High / Medium / Low / Informational
Bounty table: understand triage SLA, minimum payout, duplicates policy

MODULE 02: Environment Setup & Tooling
Your hacking environment is your workshop. Build it right once and it will serve you for years. This module covers OS setup, essential tools, browser configuration, and proxy setup.

2.1 Operating System
Kali Linux: most comprehensive pre-installed tooling — recommended
Parrot Security OS: lighter weight, privacy-focused alternative
Ubuntu + manual installs: maximum control, more work
VirtualBox / VMware for isolation — never hack from your daily driver
macOS with Homebrew: viable for web testing with some limitations
2.2 Essential Toolkit Installation
Update system
Recon
amass install
subfinder install
httpx
waybackurls
gau
ffuf
gobuster
Vulnerability scanning
sqlmap
nikto , nuclei
Wordlists
2.3 Burp Suite Setup (Core Tool)
Burp Suite Community (free) vs Professional ($449/yr — worth it)
Install FoxyProxy extension in Firefox for easy proxy toggle
Import Burp CA certificate into browser: http://burpsuite → CA Certificate
Set scope to target domain to reduce noise
Key views: Proxy, Repeater, Intruder, Scanner (Pro), Decoder, Comparer
2.4 Browser Setup
Firefox: primary browser — best extension support
Extensions: FoxyProxy, Wappalyzer, Cookie-Editor, DotGit, HackTools
Chrome/Chromium: secondary for JS debugging and mobile emulation
Configure separate Firefox profile for hacking to avoid credential leaks

MODULE 03: Reconnaissance — The Foundation of Hunting
70% of successful bug bounty findings come from thorough reconnaissance. Hunters who skip recon find the same endpoints as everyone else. Deep recon reveals forgotten assets, shadow IT, and unique attack surfaces.

3.1 Passive Reconnaissance
Subdomain enumeration (passive)
subfinder -d target.com -all -recursive -o subs.txt
amass enum -passive -d target.com -o amass_subs.txt
assetfinder –subs-only target.com >> subs.txt
Certificate transparency
curl ‘https://crt.sh/?q=%.target.com&output=json’ | jq ‘.[].name_value’ | sort -u
Historical URLs
gau target.com | tee urls_gau.txt
waybackurls target.com | tee urls_wayback.txt
Google dorks
Shodan / Censys
3.2 Active Reconnaissance
Probe live subdomains
cat subs.txt | httpx -title -tech-detect -status-code -o live_subs.txt
Port scanning
nmap -sV -sC -p- –open -oA nmap_target target.com
masscan -p1-65535 10.0.0.0/24 –rate=1000
Directory / endpoint bruteforce
ffuf -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt (case 1)
ffuf -u https://target.com/FUZZ -mc 200,204,301,302,307,401,403
gobuster dir -u https://target.com
gobuster -w /opt/SecLists/Discovery/Web-Content/common.txt
gobuster -x php,html,js,json,txt -t 50
Virtual host enumeration
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
ffuf -H ‘Host: FUZZ.target.com’ -u https://target.com -mc 200
3.3 JavaScript Analysis
Extract JS files from crawl
Download and analyze
Find endpoints & secrets in JS
3.4 Technology Fingerprinting
Wappalyzer: browser extension for instant stack detection
whatweb: command-line tech fingerprinting
builtwith.com: historical technology data
Check response headers: Server, X-Powered-By, X-Framework
Check cookies: PHPSESSID=PHP, JSESSIONID=Java, .ASPXAUTH=ASP.NET
3.5 Recon Automation (building bash tool)

MODULE 04: Cross-Site Scripting (XSS)
XSS remains one of the most reported bug classes. Understanding all three types deeply — and knowing when each is exploitable for real impact — is essential for consistent bounties.

4.1 XSS Types
Reflected XSS
Stored XSS
DOM-based XSS
4.2 Finding XSS
Identify reflection points
1. Map all input fields: search, comments, profile, params
2. Test each with a canary: abc123XSS
3. Search response for your canary
Basic test payloads
WAF bypass payloads
4.3 Automated XSS Discovery
dalfox — fast XSS scanner
XSStrike
Passive hunting via Burp
Proxy > HTTP history > filter for your canary value
4.4 Proving Impact — Beyond alert(1)
4.5 DOM XSS Hunting
Dangerous sources (user-controlled input)
Dangerous sinks (places that execute code)
Hunt in JS files

MODULE 05: SQL Injection
SQL injection can lead to complete database compromise, authentication bypass, and in some cases remote code execution. Despite being well-known, SQLi still appears regularly in bug bounty programs.

5.1 Types of SQL Injection
In-band SQLi: Classic (UNION) and Error-based — results visible in response
Blind Boolean-based: infer data from True/False responses
Blind Time-based: infer data from response delay
Out-of-band: exfiltrate via DNS or HTTP to external server
5.2 Manual Detection
Test for errors
Boolean tests
Time-based detection
ORDER BY column count
UNION SELECT
5.3 sqlmap — Automated Exploitation
Basic detection
POST request
From Burp request file
Dump specific data
WAF bypass
Blind SQLi (slower, more thorough)
5.4 Second-Order SQLi & NoSQL
Second-order: payload stored then executed later
Example: register with username: admin’–
Later, when system uses it in a query, it fires
NoSQL Injection (MongoDB)
Normal JSON login
NoSQL bypass
URL parameter

MODULE 06: IDOR & Broken Access Control
Insecure Direct Object Reference (IDOR) and broken access control are consistently the #1 most rewarded vulnerability class on bug bounty platforms. They require creativity and deep understanding of application logic rather than automated tools.

6.1 Understanding IDOR
Classic IDOR examples
Non-numeric IDs — still testable
6.2 Finding IDORs Systematically
6.3 Advanced IDOR Patterns
UUID IDOR — IDs look random but may be predictable
Chained IDOR: use leaked ID from response A to attack resource B
Parameter pollution
HTTP method switch
6.4 Broken Access Control Beyond IDOR
Forced browsing to restricted pages
Privilege escalation via parameter
JWT manipulation
Account switching via state manipulation

MODULE 07: Server-Side Request Forgery (SSRF)
SSRF is one of the highest-impact vulnerabilities in cloud environments. It can expose internal services, cloud metadata APIs, and in chained scenarios lead to full server compromise and AWS credential theft.

7.1 SSRF Fundamentals
Where to look for SSRF
Parameters: url=, link=, src=, href=, path=, dest=, redirect=
File upload: URL-based import
Webhooks: callback URLs
PDF/image generators with URL input
API integrations: fetch external resource
Header-based: X-Forwarded-Host, X-Original-URL
Basic SSRF test
Burp Collaborator: generate a unique URL and check for DNS/HTTP callbacks
7.2 Cloud Metadata — The Crown Jewel
AWS EC2 metadata (HUGE impact — leaks IAM credentials)
GCP metadata
Azure metadata
AWS IMDSv2 (newer, requires session token)
7.3 Bypassing SSRF Filters
IP obfuscation
DNS rebinding bypass
Register: attacker.com → 127.0.0.1
Protocol smuggling
Redirect bypass
Open redirect chaining
7.4 Blind SSRF
Use Burp Collaborator or interactsh
Send SSRF payload with your interaction URL
Check interactsh for incoming DNS/HTTP requests
If you see a request → confirmed blind SSRF

MODULE 08: Other Critical Vulnerability Classes
A well-rounded hunter needs to recognize and exploit a broad range of vulnerability types. This module covers XXE, SSTI, Open Redirect, CSRF, Business Logic flaws, and Subdomain Takeover.

8.1 XML External Entity (XXE)
Classic XXE — read local file
Blind XXE via out-of-band
evil.dtd hosted on attacker server:
Test in: XML parsers, SOAP endpoints,
SVG upload, Office file upload, API with Content-Type: text/xml
8.2 Server-Side Template Injection (SSTI)
Detection — inject math in template syntax
Jinja2 RCE payload (Python)
Twig (PHP) RCE
Freemarker RCE
8.3 Open Redirect
Find open redirects
Bypass filters
Upgrade impact: chain with OAuth token theft
If OAuth redirect_uri validation uses open redirect:
8.4 CSRF
Check if state-changing actions are protected:
1. No CSRF token in request
2. CSRF token is not validated server-side
3. CSRF token is tied to session but shared
Basic CSRF PoC HTML
JSON CSRF (rare, needs content-type bypass)
Test with application/x-www-form-urlencoded
If server accepts it → CSRF possible
8.5 Subdomain Takeover
Find dangling CNAME records
Subdomain → CNAME → provider (e.g., GitHub Pages, Heroku)
If provider account is deleted but DNS record remains → takeover!
Detection
If CNAME points to xyz.github.io but repo doesn’t exist > takeover!
Automated scan
Common vulnerable providers
GitHub Pages, Heroku, Netlify, Fastly, AWS S3
Azure App Service, Shopify, Zendesk, Helpjuice

MODULE 09: API Security Testing
Modern applications are API-first. REST APIs, GraphQL endpoints, and WebSockets present unique attack surfaces that require specialized testing techniques beyond traditional web vulnerability hunting.

9.1 REST API Reconnaissance
Discover API documentation
Swagger/OpenAPI import into Burp:
Extender > BApp Store > OpenAPI Parser
API versioning — test old versions!
Mass assignment — send extra fields
9.2 Authentication & Authorization Flaws
JWT attacks
API key leakage locations
OAuth flow testing
State parameter missing → CSRF
redirect_uri not validated → token theft
Implicit flow → token in URL (logs, referer)
PKCE bypass
9.3 GraphQL Security
Introspection (find all types & queries)
Introspection disabled? Try field suggestions:
Batch query attacks (bypass rate limiting)
GraphQL IDOR
Tools
9.4 WebSocket Testing
Intercept WebSocket in Burp:
Proxy > WebSockets history
Common WebSocket vulns:
Test with wscat
Then send JSON payloads manually

MODULE 10: Vulnerability Chaining & Business Logic
Individual vulnerabilities rated Medium can chain to Critical findings. Business logic flaws are unique to each application and cannot be found with automated tools — they require understanding the application's intended flow and breaking it creatively.

10.1 The Art of Chaining
Example chain: Medium → Critical
Step 1: Find open redirect (Low/Info)
Step 2: Find OAuth flow trusts target.com domain
Step 3: Chain them
XSS + CSRF bypass = Account Takeover
SSRF + metadata = Credential Theft
IDOR + Password Reset = Account Takeover
Open Redirect + OAuth = Token Theft
10.2 Business Logic Vulnerabilities
Price manipulation
Race conditions
Redeem voucher twice in parallel (same millisecond)
Password reset logic
Token not expiring → reuse old reset link
Predictable token → enumerate
Token leak in response/email header
Host header injection → reset link sent to attacker domain
2FA bypass
Skip step 2 after step 1 (direct URL access)
Response manipulation: {“2fa_required”:true} → false
Reuse 2FA token (no invalidation)
Brute force OTP (no rate limit)
10.3 Rate Limiting & Brute Force
Test rate limiting on:
Login endpoint — username enumeration, password brute force
OTP/2FA endpoint — 6-digit OTP = 1M combos
Password reset — verify token guessing
API endpoints — mass data scraping
Bypass techniques
X-Forwarded-For: change IP per request
Null byte: admin@target.com
Email variations: admin+1@target.com, admin+2@target.com
Wait between requests (sliding window resets)
Turbo Intruder (Burp Pro) for race conditions

MODULE 11: Writing Reports That Get Paid
A brilliant finding poorly reported may be triaged as duplicate or Invalid. A solid finding with an excellent report gets paid quickly, earns bonuses, and builds your reputation on the platform. Report writing is a skill as important as finding bugs.

11.1 Anatomy of a Great Report
Title
Severity
Summary
Steps to Reproduce
Proof of Concept
Impact
11.2 Report Template
Summary
Severity
Steps to Reproduce
Proof of Concept (Screenshort & Video PoC)
Impact
11.3 CVSS Scoring
Attack Vector (AV): Network (N), Adjacent (A), Local (L), Physical (P)
Attack Complexity (AC): Low (L) or High (H)
Privileges Required (PR): None (N), Low (L), High (H)
User Interaction (UI): None (N) or Required (R)
Scope (S): Unchanged (U) or Changed (C) — ‘Changed’ for XSS cookie theft
Confidentiality / Integrity / Availability Impact: None / Low / High
Use: https://www.first.org/cvss/calculator/3.1
11.4 Common Report Mistakes
Vague title: ‘XSS found’ → BAD. Be specific about location and impact
Missing reproduction steps — triagers should not have to guess
No real impact statement — ‘attacker can execute JS’ is not enough
Tested in production without asking — always use staging if available
Reporting out-of-scope issues — read policy twice before submitting
Duplicate hunting — always check existing reports first (sort by ‘Most Common’)

MODULE 12: Mobile & Thick Client Testing
Mobile applications represent a growing attack surface with unique vulnerability classes. This module covers Android APK analysis, iOS basics, certificate pinning bypass, and thick client testing fundamentals.

12.1 Android Security Testing
Setup
adb devices : list connected devices
adb shell : shell access
adb pull /data/data/com.app/ :extract app data
APK analysis
Static analysis — hunt for:
Hardcoded credentials, HTTP (not HTTPS) traffic
Exported activities, insecure broadcast receivers
MobSF — automated static + dynamic analysis
Upload APK via web UI at http://localhost:8000
12.2 Certificate Pinning Bypass
Why it matters: app won’t trust Burp’s CA → can’t intercept
Method 1: Frida (dynamic instrumentation)
Install frida-server on device
Run SSL unpinning script
Method 2: Objection
Then: android sslpinning disable
Method 3: Patch APK with apktool
Modify network_security_config.xml to trust user CAs
12.3 Common Mobile Vulnerabilities
Insecure data storage: SharedPreferences, SQLite DB, log files, external storage
Hardcoded secrets: API keys, encryption keys, passwords in APK resources
Unprotected exported components: activities accessible without permission
Deeplink hijacking: malicious app intercepts URL schemes
Insecure WebView: JavascriptInterface exposure, file:// access
Check exported components in AndroidManifest.xml
Check for cleartext traffic
Check shared preferences

MODULE 13: Automation & Building Your Toolkit
Top earners on bug bounty platforms automate the repetitive parts of hunting so they can focus on creative thinking. This module covers building pipelines, notification systems, and custom wordlists.

13.1 Continuous Monitoring Pipeline
13.2 Custom Wordlist Building
13.3 Nuclei Custom Templates
13.4 Notification & Tracking
Discord webhook: instant notifications for new findings
Notion / Obsidian: structured target notes and finding tracking
Google Sheets: program ROI tracking (hours spent, $ earned, $ per hour)
GitHub: version control your scripts and templates
Axiom: cloud-based distributed scanning at scale

MODULE 14: Career, Strategy & Getting Paid Consistently
Technical skills alone do not make a successful bug bounty hunter. This final module covers program selection strategy, building reputation, handling disputes, tax considerations, and transitioning to full-time or part-time hunting.

About Course

What Will You Learn?

Course Content

MODULE 01: The Bug Bounty Ecosystem Before writing a single payload, you need to understand the landscape: how programs work, what gets paid, legal boundaries, and how to think like a professional hunter.

1.1 What is Bug Bounty Hunting?

1.2 Platforms & Program Types

HackerOne : Largest platform, government programs

Bugcrowd : VDP & private programs

Intigriti : European focus, high bounties

Synack : Invite-only, vetted researchers

YesWeHack : European & global programs

1.3 Reading a Program Policy

Scope: in-scope domains, IP ranges, mobile apps — TEST ONLY THESE

Out-of-scope: third-party services, DoS attacks, physical attacks, social engineering

Severity ratings: Critical / High / Medium / Low / Informational

Bounty table: understand triage SLA, minimum payout, duplicates policy

MODULE 02: Environment Setup & Tooling Your hacking environment is your workshop. Build it right once and it will serve you for years. This module covers OS setup, essential tools, browser configuration, and proxy setup.

2.1 Operating System

Kali Linux: most comprehensive pre-installed tooling — recommended

Parrot Security OS: lighter weight, privacy-focused alternative

Ubuntu + manual installs: maximum control, more work

VirtualBox / VMware for isolation — never hack from your daily driver

macOS with Homebrew: viable for web testing with some limitations

2.2 Essential Toolkit Installation

Update system

Recon

amass install

subfinder install

httpx

waybackurls

gau

ffuf

gobuster

Vulnerability scanning

sqlmap

nikto , nuclei

Wordlists

2.3 Burp Suite Setup (Core Tool)

Burp Suite Community (free) vs Professional ($449/yr — worth it)

Install FoxyProxy extension in Firefox for easy proxy toggle

Import Burp CA certificate into browser: http://burpsuite → CA Certificate

Set scope to target domain to reduce noise

Key views: Proxy, Repeater, Intruder, Scanner (Pro), Decoder, Comparer

2.4 Browser Setup

Firefox: primary browser — best extension support

Extensions: FoxyProxy, Wappalyzer, Cookie-Editor, DotGit, HackTools

Chrome/Chromium: secondary for JS debugging and mobile emulation

Configure separate Firefox profile for hacking to avoid credential leaks

MODULE 03: Reconnaissance — The Foundation of Hunting 70% of successful bug bounty findings come from thorough reconnaissance. Hunters who skip recon find the same endpoints as everyone else. Deep recon reveals forgotten assets, shadow IT, and unique attack surfaces.

3.1 Passive Reconnaissance

Subdomain enumeration (passive)

subfinder -d target.com -all -recursive -o subs.txt

amass enum -passive -d target.com -o amass_subs.txt

assetfinder –subs-only target.com >> subs.txt

Certificate transparency

curl ‘https://crt.sh/?q=%.target.com&output=json’ | jq ‘.[].name_value’ | sort -u

Historical URLs

gau target.com | tee urls_gau.txt

waybackurls target.com | tee urls_wayback.txt

Google dorks

Shodan / Censys

3.2 Active Reconnaissance

Probe live subdomains

cat subs.txt | httpx -title -tech-detect -status-code -o live_subs.txt

Port scanning

nmap -sV -sC -p- –open -oA nmap_target target.com

masscan -p1-65535 10.0.0.0/24 –rate=1000

Directory / endpoint bruteforce

ffuf -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt (case 1)

ffuf -u https://target.com/FUZZ -mc 200,204,301,302,307,401,403

gobuster dir -u https://target.com

gobuster -w /opt/SecLists/Discovery/Web-Content/common.txt

gobuster -x php,html,js,json,txt -t 50

Virtual host enumeration

ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

ffuf -H ‘Host: FUZZ.target.com’ -u https://target.com -mc 200

3.3 JavaScript Analysis

Extract JS files from crawl