Documentation & Guides

Access comprehensive guides and documentation to help you make the most of security tools and optimize your testing workflow.

Getting Started with Bug Bounty Hunting

Bug Bounty Fundamentals

Learn the basics of bug bounty hunting:

Understanding Vulnerability Types
  • XSS (Cross-Site Scripting): Reflected, Stored, DOM-based
  • SQL Injection: Classic, Blind, Time-based
  • IDOR: Insecure Direct Object References
  • CSRF: Cross-Site Request Forgery
  • SSRF: Server-Side Request Forgery
  • Authentication Issues: Bypass, Broken logic
Legal & Ethical Guidelines
  • Always read and follow program scope
  • Never test on out-of-scope domains
  • Avoid causing damage or data loss
  • Practice responsible disclosure
  • Respect rate limits and be "polite"
Choosing Bug Bounty Platforms
  • HackerOne: Largest platform, established programs
  • Bugcrowd: Good variety, crowd-sourced testing
  • Intigriti: European focus, quality programs
  • YesWeHack: Growing platform with unique programs
  • Private Programs: Higher payouts, invitation only

Setting Up Your Lab Environment

Complete setup guide for your testing environment:

Virtual Machine Setup
Download Kali Linux VM:
wget https://cdimage.kali.org/kali-2024.1/kali-linux-2024.1-virtualbox-amd64.ova
  • Recommended: 8GB RAM, 80GB storage
  • Alternative: Parrot Security OS, Ubuntu + tools
  • Cloud Options: AWS Kali AMI, DigitalOcean
Essential Tools Installation
Install core tools (Kali Linux):
# Install from repositories (Kali)
sudo apt update && sudo apt install -y \
    gobuster feroxbuster nmap sqlmap burpsuite zaproxy

# Install ProjectDiscovery tools
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Browser Configuration
  • Firefox: Install FoxyProxy, Wappalyzer, HackTools
  • Chrome: Install REST Client, EditThisCookie, BuiltWith
  • Proxy Setup: Configure to use 127.0.0.1:8080 (Burp)
  • Certificate: Import Burp/ZAP CA certificate
Documentation Setup
  • Note-taking: Obsidian, Notion, or Joplin
  • Screenshots: Flameshot, Greenshot
  • Screen Recording: OBS Studio, SimpleScreenRecorder
  • Report Templates: Markdown templates for consistent reporting

Security Testing Methodology

Reconnaissance Phase

Passive Reconnaissance
  • Subdomain Enumeration: Subfinder, Amass, crt.sh
  • DNS Information: dig, nslookup, DNSdumpster
  • WHOIS/ASN: whois, bgp.he.net, ASN lookup
  • OSINT: LinkedIn, GitHub, job postings
  • Google Dorking: site:, filetype:, inurl:
  • Archives: Wayback Machine, CommonCrawl
Example reconnaissance workflow:
subfinder -d target.com -all -o subdomains.txt
httpx -l subdomains.txt -o live_subdomains.txt
nuclei -l live_subdomains.txt -t ~/nuclei-templates/
Active Reconnaissance
  • Port Scanning: nmap, masscan, RustScan
  • Technology Stack: Wappalyzer, WhatWeb
  • Directory Discovery: Gobuster, Feroxbuster, FFUF
  • Parameter Discovery: Arjun, ParamSpider
  • Content Discovery: GAU, Waybackurls

Vulnerability Assessment

Common Vulnerability Types
  • XSS: Reflected, Stored, DOM-based, mXSS
  • SQL Injection: Union, Boolean, Time-based, NoSQL
  • CSRF/SSRF: State-changing requests, internal services
  • Authentication: Brute force, bypass, session fixation
  • Authorization: IDOR, privilege escalation, RBAC bypass
  • Business Logic: Race conditions, price manipulation
  • Injection: Command, LDAP, XML, template injection
Testing Methodologies
  • OWASP Testing Guide: Systematic web app testing
  • PTES: Penetration Testing Execution Standard
  • Bug Bounty Methodology: Jason Haddix approach
  • WAHH Methodology: Web Application Hacker's Handbook
XSS Testing Example:
# Test for reflected XSS
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
javascript:alert('XSS')

Documentation & Reporting

Effective Bug Reports
  • Title: Clear, specific vulnerability description
  • Summary: Brief overview of the issue
  • Steps to Reproduce: Detailed, numbered steps
  • Proof of Concept: Working payload/exploit
  • Impact: Business risk and technical impact
  • Mitigation: How to fix the vulnerability
  • References: OWASP, CWE, CVE references
Report Quality Tips
  • Screenshots: Highlight key elements, add annotations
  • Video PoC: For complex multi-step vulnerabilities
  • HTTP Requests: Include full request/response
  • Timeline: Document discovery and testing process
Report Template Structure:
# Vulnerability Title
## Summary
## Steps to Reproduce
1. Navigate to...
2. Enter payload...
3. Observe...
## Proof of Concept
## Impact
## Recommendation

Security Tool Guides

Command Line Tools

Subfinder Deep Dive

Complete guide to subdomain enumeration with Subfinder

Installation:
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
Basic usage:
subfinder -d target.com -all -recursive -o subdomains.txt
  • -all: Use all sources for maximum coverage
  • -recursive: Enable recursive subdomain discovery
  • -t 20: Set thread count for speed
  • -config: Use custom configuration file
Nuclei Templates Mastery

Creating and customizing Nuclei templates

Installation & update:
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
nuclei -ut
Running scans:
nuclei -l targets.txt -t ~/nuclei-templates/
nuclei -u https://target.com -tags cve,misconfig
nuclei -l targets.txt -severity critical,high
  • Custom Templates: Create YAML templates for specific tests
  • Matchers: Use status, word, regex, dsl matchers
  • Extractors: Extract data from responses
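As an added illustration of the matcher and extractor types listed above (example template written for this guide, not one shipped with nuclei-templates), the template below flags HTML responses that omit the Strict-Transport-Security header and records the advertised server software. The template id, author and file name are placeholders; recent nuclei releases use the `http:` key, while older 2.x releases expect `requests:` in its place.

```yaml
# Example template: report HTTPS endpoints that do not send HSTS.
# Save as ~/nuclei-templates/custom/missing-hsts-example.yaml and run:
#   nuclei -u https://target.com -t ~/nuclei-templates/custom/
id: missing-hsts-example            # placeholder id

info:
  name: Missing Strict-Transport-Security header (example)
  author: example-author            # placeholder
  severity: low
  description: |
    Reports HTML pages whose response lacks the HSTS header, a
    Security Misconfiguration (OWASP A05) finding.
  tags: misconfig,headers,example

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true
    max-redirects: 2

    # "and": every matcher below must match before the finding is reported.
    matchers-condition: and
    matchers:
      # status matcher: only consider successful responses
      - type: status
        status:
          - 200

      # word matcher with negative: true, so it matches when the header is ABSENT
      - type: word
        part: header
        words:
          - "Strict-Transport-Security"
        case-insensitive: true
        negative: true

      # dsl matcher: restrict the check to HTML documents
      - type: dsl
        dsl:
          - "contains(tolower(content_type), 'text/html')"

    # extractor: pull the Server header value into the finding output
    extractors:
      - type: regex
        name: server
        part: header
        group: 1
        regex:
          - "(?mi)^server:\\s*(.+)$"
```

Run it with `-debug` on a single host first to confirm the negative word matcher behaves as intended before adding it to a bulk scan.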
Gobuster Techniques

Advanced directory and file discovery

Directory brute-forcing:
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -t 20 -x php,html,js
gobuster dir -u https://target.com -w ~/SecLists/Discovery/Web-Content/big.txt -b "" -s "200,204,301,302,307,401,403"
  • -x: Search for specific file extensions
  • -s: Positive status codes to report (since gobuster 3.1 this conflicts with the default 404 blacklist, so pass -b "" alongside it)
  • -k: Skip TLS certificate verification
  • -H: Add custom headers
SecLists Wordlist Guide

Choosing the right wordlists

Clone SecLists:
git clone https://github.com/danielmiessler/SecLists.git
  • Discovery/Web-Content/big.txt: Comprehensive directory list
  • Discovery/Web-Content/raft-medium-directories.txt: Quality over quantity
  • Discovery/Web-Content/api/api-endpoints.txt: API-specific endpoints
  • Fuzzing/special-chars.txt: Special characters for injection testing

GUI Applications

Burp Suite Cheatsheet

Essential features and shortcuts

Key Features:
  • Proxy: Intercept and modify HTTP requests
  • Repeater: Manual request manipulation
  • Intruder: Automated attack tool
  • Scanner: Automated vulnerability detection (Pro only)
  • Sequencer: Test session token randomness
Common Actions:
  • Right-click: Context menu with "Send to" options
  • Ctrl+R: Send to Repeater
  • Ctrl+I: Send to Intruder
  • Decoder tab: Manual encoding/decoding
OWASP ZAP Configuration

Setting up ZAP for automated scanning

Installation options:
# Kali Linux
sudo apt update && sudo apt install zaproxy

# Ubuntu/Debian via snap
sudo snap install zaproxy --classic

# Or download from https://www.zaproxy.org/download/
Configuration Steps:
  • Proxy Setup: Configure browser to use 127.0.0.1:8080
  • SSL Certificate: Import ZAP root CA in browser
  • Context Creation: Define application scope
  • Authentication: Configure login sequences
  • Spider Configuration: Set crawling parameters
Automated Scanning:
  • Quick Start: Use automated scan for rapid testing
  • Full Scan: Spider + Active Scan for comprehensive results
  • API Scan: Import OpenAPI/Postman collections
Browser Extensions

Essential extensions for security testing

Firefox Extensions:
  • FoxyProxy: Proxy switching and management
  • Wappalyzer: Technology stack identification
  • HackTools: Collection of web security tools
  • Cookie-Editor: Advanced cookie manipulation
Chrome Extensions:
  • REST Client: In-browser API testing
  • EditThisCookie: Cookie editor and manager
  • BuiltWith: Technology profiler
  • User-Agent Switcher: Change browser user agent

Practice Labs & Challenges

Beginner Labs

OWASP Juice Shop Guide

Modern web application with OWASP Top 10 vulnerabilities

Beginner
Docker setup:
docker run --rm -p 3000:3000 bkimminich/juice-shop
Key Challenges:
  • DOM XSS: Find and exploit DOM-based XSS vulnerability
  • SQL Injection: Login bypass using SQLi
  • Broken Access Control: Access admin section
  • Insecure Deserialization: Object manipulation attacks

URL: https://owasp.org/www-project-juice-shop/

DVWA Tutorial Series

Damn Vulnerable Web Application for practice

Beginner
Installation:
# Prerequisites: Install Docker and docker-compose
git clone https://github.com/digininja/DVWA.git
cd DVWA
docker-compose up -d
Available Modules:
  • SQL Injection: All types with difficulty levels
  • XSS: Reflected and stored XSS challenges
  • CSRF: Cross-site request forgery
  • File Upload: Unrestricted file upload vulnerabilities

Default login: admin/password

WebGoat Lessons

Interactive security lessons and challenges

Beginner
Docker setup:
docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/goatandwolf
Learning Modules:
  • Injection: SQL, NoSQL, and command injection
  • Authentication: Broken authentication mechanisms
  • Session Management: Session hijacking and fixation
  • Access Control: Horizontal and vertical privilege escalation

URL: https://owasp.org/www-project-webgoat/

Intermediate Labs

PortSwigger Web Security Academy

Free online web security training from Burp Suite creators

Intermediate
Learning Paths:
  • Server-side: SQL injection, command injection, SSRF
  • Client-side: XSS, CSRF, clickjacking, DOM manipulation
  • Advanced: Insecure deserialization, XXE, JWT attacks
  • Authentication: Password-based, multi-factor bypass

Features: Interactive labs, video explanations, progress tracking

URL: https://portswigger.net/web-security

HackTheBox Academy & Web Challenges

Gamified cybersecurity learning platform

Intermediate
Web Application Modules:
  • Web Requests: HTTP fundamentals and manipulation
  • File Inclusion: LFI and RFI exploitation
  • File Upload Attacks: Bypass techniques
  • Command Injections: OS command execution
  • Web Attacks: IDOR, XXE, SSTI

Active Machines: Practice on live vulnerable systems

URL: https://www.hackthebox.com/

PentesterLab Exercises

Hands-on penetration testing exercises and courses

Intermediate
Exercise Categories:
  • Web Application: Real-world vulnerable apps
  • Unix Privilege Escalation: Linux exploitation
  • Windows Privilege Escalation: Windows exploitation
  • Code Review: Static analysis and source auditing

Format: ISO downloads for offline practice

URL: https://pentesterlab.com/

Advanced Labs

Advanced XSS Techniques

Complex XSS scenarios and WAF bypass techniques

Advanced
Advanced Techniques:
  • mXSS (Mutation XSS): Browser parser exploitation
  • CSP Bypass: Content Security Policy circumvention
  • WAF Evasion: Filter bypass using encoding
  • Template Injection: SSTI to XSS escalation
  • Polyglot Payloads: Multi-context exploitation
Example CSP bypass:
<script src="data:text/javascript,alert(1)"></script>
<iframe srcdoc="<script>parent.alert(1)</script>">
API Security Testing

Modern API vulnerability assessment techniques

Advanced
API Testing Areas:
  • GraphQL: Introspection, injection, DoS attacks
  • REST API: BOLA, rate limiting, mass assignment
  • Authentication: JWT manipulation, OAuth flows
  • Rate Limiting: Bypass techniques and DoS
Tools & Resources:
  • Postman: API collection testing
  • Insomnia: GraphQL and REST testing
  • OWASP API Top 10: Common API vulnerabilities
Cloud Security Challenges

AWS, Azure, and GCP security assessment

Advanced
Cloud Platforms:
  • AWS: S3 buckets, IAM misconfigurations, Lambda
  • Azure: Blob storage, Active Directory, Functions
  • GCP: Cloud Storage, IAM, Cloud Functions
Practice Environments:
  • flAWS.cloud: AWS security challenges
  • CloudGoat: Vulnerable AWS environment
  • AzureGoat: Vulnerable Azure environment

flAWS URL: http://flaws.cloud/

OWASP Top 10 Guide

Understanding the OWASP Top 10 is crucial for any security professional. Here's our comprehensive guide covering each vulnerability category with practical examples and testing approaches.

Top 10 Web Application Security Risks
  1. Broken Access Control

    Restrictions on what authenticated users are allowed to do are often not properly enforced.

  2. Cryptographic Failures

    Failures related to cryptography, which often lead to sensitive data exposure.

  3. Injection

    User-supplied data is not validated, filtered, or sanitized by the application.

  4. Insecure Design

    Risks related to design flaws and architectural vulnerabilities.

  5. Security Misconfiguration

    Missing appropriate security hardening across any part of the application stack.

  6. Vulnerable and Outdated Components

    Components with known vulnerabilities that may undermine application defenses.

  7. Identification and Authentication Failures

    Failures in confirming the user's identity, in authentication, and in session management.

  8. Software and Data Integrity Failures

    Code and infrastructure that do not protect against integrity violations.

  9. Security Logging and Monitoring Failures

    Insufficient logging, detection, monitoring, and active response.

  10. Server-Side Request Forgery

    SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL.

Testing Techniques by Category
A01: Broken Access Control

Test for IDOR, privilege escalation, and unauthorized access

# Test IDOR
GET /user/profile/123 (change to 124, 125...)
POST /admin/delete_user {"user_id": "victim_id"}

# Privilege escalation
POST /api/promote {"role": "admin"}
A03: Injection

SQL, NoSQL, OS command, and LDAP injection testing

# SQL Injection
' OR '1'='1' --
' UNION SELECT version() --
'; DROP TABLE users; --

# Command Injection
; ls -la
| whoami
& ping -c 4 google.com
A02: Cryptographic Failures

Identify weak encryption and exposed sensitive data

# Check for:
- Unencrypted data transmission (HTTP)
- Weak hash algorithms (MD5, SHA1)
- Hard-coded cryptographic keys
- Default certificates
A07: Authentication Failures

Session management and authentication bypass

# Test vectors:
- Brute force attacks
- Session fixation
- Credential stuffing
- Weak password policies

Additional Resources

Community & Forums
Podcasts & Videos
Essential Reading
Essential Tool Collections
Bug Bounty Platforms