RatSec Blog

A Very Basic Bug Bounty Methodology

- Posted in Bug bounties by

Cross-Site Scripting (XSS)

Reflected XSS:

  • Look for parameters and user inputs that are reflected back in the page without proper encoding.
  • Use fuzzing with a list of XSS payloads to test how inputs are sanitized.

Stored XSS:

  • Test all inputs that could be stored and displayed to other users (comments, profiles, etc.).
  • Pay special attention to rich-text fields which may allow HTML content.

DOM-based XSS:

  • Investigate client-side scripts to identify points where user-supplied input may modify the DOM.
  • Use tools like browser development tools to track how JavaScript manipulates user input.

Cross-Site Request Forgery (CSRF)

Simple CSRF:

  • Check for forms and state-changing requests that do not have CSRF tokens or other anti-CSRF mechanisms.
  • Attempt to craft malicious requests that could be sent from an attacker-controlled site.

SQL Injection

Basic SQL Injection:

  • Input classic payloads like ' OR '1'='1 to see if inputs are directly placed into SQL queries.
  • Observe error messages for hints about the database structure.

Blind SQL Injection:

  • Use time-based techniques to infer data, such as adding SLEEP(5) commands and seeing if the page response is delayed.
  • Employ automated tools like SQLmap for systematic testing.

File Inclusion Vulnerabilities

Local File Inclusion (LFI):

  • Test file parameters with local paths (../../etc/passwd) to read local files.
  • Look for scripts that include files based on user input without proper sanitization.

Remote File Inclusion (RFI):

  • Where input is used to construct file URLs, attempt to replace these with external URLs to your own server.

Insecure Direct Object References (IDOR)


  • Try changing parameters like user IDs in the URL or hidden fields to access data belonging to other users.
  • Test incrementing numerical IDs or substituting filenames to access unauthorized data.

Security Misconfiguration

Directory Listing:

  • Check if directory listing is enabled by accessing directories directly.
  • Look for backup files or directories that are not meant to be public.

Unprotected Files and Directories:

  • Enumerate common directory and file names to discover unprotected resources.

Default Credentials:

  • Try logging in with default username/password combinations for common software.

Sensitive Data Exposure

Weak Encryption:

  • Look for data transmission over HTTP or weak encryption methods.
  • Check password reset functionalities and how they handle user information.

Improperly Protected Credentials and Session Tokens:

  • Check for hard-coded credentials in client-side code.
  • Test for session tokens that don't expire or aren't properly protected with secure flags.

XML External Entity (XXE) Injection

Basic XXE:

  • Where applications parse XML, try to introduce DOCTYPE elements that define external entities containing file URIs.
  • Test error messages for information leakage that might confirm the XXE.

Broken Authentication and Session Management

Session Hijacking:

  • Look for cookies that are not protected with Secure and HttpOnly flags.
  • Test session invalidation during logout and password change operations.

Credential Stuffing:

  • Where rate limiting is not in place, check how the application handles automated login attempts with known email/password combinations.

Server-Side Request Forgery (SSRF)

Basic Internal Network Probing:

  • Use payloads that call back to your server (http://yourserver.com) to see if the application fetches external resources.
  • Attempt to access internal IP addresses (, http://192.168.x.x) through the vulnerable application.

Exploitation of Poorly Secured HTTP Clients:

  • Test different schema like file://, dict://, ftp:// to access local resources or make unexpected protocol requests.