Project Overview & Philosophy
Why this repository exists, what it stands for, and how it can transform you from a curious beginner into a proficient bug bounty hunter.
In late 2023, I found myself staring at yet another "Awesome Hacking" list on GitHub. It had 2,000+ links to tools, articles, and resources β and it was completely overwhelming. I had bookmarked dozens of such repositories, but none of them answered a simple question:
"I have two hours. What should I actually DO right now to find a bug?"
The security resource landscape was fragmented:
| What Existed | The Gap |
|---|---|
| Awesome Lists | Curated collections of links, but no guidance on how to use them together |
| Cheatsheets | Quick payloads, but no explanation of when or why to apply them |
| Write-ups | How others found bugs, but no structured path to build those skills yourself |
| YouTube Tutorials | Scattered, varying quality, often outdated within months |
| Paid Courses | Expensive, sometimes theoretical, rarely updated for 2024+ attack surfaces |
Every security researcher I knew maintained a private Notion database, a messy folder of bookmarks, or a chaotic set of notes accumulated over years of testing. The knowledge existed β but it was scattered across a hundred different places.
During a late-night hacking session, I realized my workflow followed a predictable pattern:
- Recon β Discover the attack surface
- Identify Tech β Figure out what I'm dealing with (WordPress? GraphQL? JWT?)
- Consult Methodology β Pull up my notes on how to attack that specific technology
- Grab Cheatsheet β Get the exact commands and payloads I needed
- Exploit or Move On β Either find a bug or pivot to the next attack vector
The problem? My "notes" were dozens of markdown files, my "cheatsheets" were scattered bookmarks, and my "workflow" existed only in my head. Every time I mentored a junior researcher, I had to explain this entire system verbally.
I decided to build the resource I wished existed when I started.
This repository isn't just another collection of links. It's a deliberately structured knowledge base that mirrors how real bug bounty hunters work. Every methodology, cheatsheet, and tool is designed to answer a specific question at a specific stage of your testing workflow.
To provide a complete, production-ready knowledge base that takes a security enthusiast from "I know what SQL injection is" to "I just found my first paid bounty" β without requiring scattered research across dozens of sources.
| Goal | How We Achieve It |
|---|---|
| End Tutorial Hell | Instead of watching 50 hours of YouTube, follow our structured course and start testing within your first week |
| Close the Theory-Practice Gap | Every methodology includes detection first, then exploitation β because you can't exploit what you can't find |
| Build Real Workflows | Our automation tools aren't demos β they're the actual scripts used in production bug bounty pipelines |
| Stay Current | Focus on modern attack surfaces: APIs, GraphQL, OAuth 2.0, CI/CD pipelines, cloud services |
| Respect Ethics | Every resource reinforces responsible disclosure and authorized testing β because the community depends on trust |
| Grow Together | Open-source means the community improves every cheatsheet, fixes every tool, and shares every lesson |
| Aspect | This Repository | PayloadsAllTheThings | HackTricks | Awesome Hacking Lists |
|---|---|---|---|---|
| Structured Learning Path | β Full course | β | β | β |
| Methodology Depth | β Step-by-step | β Excellent depth | β | |
| Cheatsheets | β 68+ | β Extensive | β Integrated | β |
| Custom Automation Tools | β Included | β | β | β |
| Real Write-ups | β Included | β | β | β |
| Wordlists | β Curated | β | β | β |
| Report Templates | β Ready-to-use | β | β | β |
| CI/CD Pipeline | β GitHub Actions | β | β | β |
| Beginner Friendly | β Course + FAQ | |||
| Interconnected Design | β MethodologyβCheatsheetβTool | β Standalone files | β Internal links | β |
Every vulnerability in this repository is supported by four interconnected pillars:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VULNERABILITY β
β (e.g., SQLi) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββββ
β METHODOLOGY β β CHEATSHEET β β TOOLS β
β β β β β β
β β’ How it worksβ β β’ Payloads β β β’ sqli-tester.py β
β β’ How to find β β β’ Commands β β β’ sqlmap usage β
β β’ How to test β β β’ Bypass tricks β β β’ Burp extensions β
β β’ Step-by-stepβ β β’ Quick ref β β β’ Automation β
βββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββββ
β
βββββββββββββββββββββ
βΌ
βββββββββββββββββββββββ
β WRITE-UPS β
β β
β β’ Real examples β
β β’ Lessons learned β
β β’ Report snippets β
βββββββββββββββββββββββ
Why This Matters: When you're testing a target and suspect SQL injection, you don't need to search four different websites. You follow one chain:
- Read the Methodology to understand the SQLi variant you're facing
- Check the Cheatsheet for ready-to-use payloads
- Run the Tool to automate detection and exploitation
- Study Write-ups to see how others reported similar findings
This repository is designed to meet you at your current skill level and guide you forward.
You are here if: You understand basic web concepts but have never tested a real application.
| Step | Action | Resource |
|---|---|---|
| 1 | Understand ethical boundaries | Code of Conduct |
| 2 | Set up your learning environment | Course README |
| 3 | Learn the HTTP protocol deeply | Web Penetration Methodologies (start with XSS, IDOR) |
| 4 | Practice in a safe lab | PortSwigger Academy, OWASP Juice Shop |
| 5 | Run your first automated scan | Bug Bounty Workflow Script |
Milestone: You can explain and manually test for the OWASP Top 10 vulnerabilities.
You are here if: You've completed labs and understand basic vulnerabilities, but haven't tested a real program yet.
| Step | Action | Resource |
|---|---|---|
| 1 | Pick one vulnerability class to master | Choose from [Complete Vulnerability Index] |
| 2 | Deep-dive the methodology | Read the full guide, don't skip sections |
| 3 | Memorize key cheatsheet payloads | Use flashcards or daily review |
| 4 | Join your first bug bounty program | HackerOne, Bugcrowd, or Intigriti (start with VDPs) |
| 5 | Do manual recon on your target | [Reconnaissance Tool Guide] |
| 6 | Write your first (even invalid) report | [Bug Report Template] |
Milestone: You submit your first valid bug report, even if it's a duplicate or low severity.
You are here if: You've found a few bugs and want to increase your impact and bounty amounts.
| Step | Action | Resource |
|---|---|---|
| 1 | Specialize in high-impact vulnerabilities | SSRF, SSTI, HTTP Request Smuggling, Race Conditions |
| 2 | Learn modern attack surfaces | API Security, GraphQL, OAuth 2.0, CI/CD |
| 3 | Study advanced write-ups | [Anatomy of a $10,000+ Bug] |
| 4 | Build custom automation | Modify our tools; create your own scripts |
| 5 | Chain vulnerabilities together | [The Master Attack Flow] |
| 6 | Mentor beginners | Answer questions in Discord; reinforce your own learning |
Milestone: You consistently find valid bugs and receive bounties above $500.
You are here if: Bug bounty hunting is a significant income source, and you're contributing back to the community.
| Step | Action | Resource |
|---|---|---|
| 1 | Discover novel attack techniques | Extend existing methodologies with your findings |
| 2 | Contribute to this repository | New methodologies, tools, or cheatsheets |
| 3 | Speak or write about your research | Conference talks, blog posts, detailed write-ups |
| 4 | Build and share automation frameworks | Publish your own tools; open-source your pipelines |
| 5 | Push the boundaries | Zero-day research, protocol-level attacks, new vulnerability classes |
Milestone: You're a recognized contributor to the security community, and your work helps thousands of others.
These principles govern every decision made in this repository:
You can't exploit a vulnerability you haven't found.
Every methodology begins with detection techniques before jumping to exploitation. Too many resources skip this and leave beginners wondering, "But how do I know if the vulnerability exists?"
Every cheatsheet should contain commands you can copy, paste, modify, and run immediately.
No vague advice like "test for injection vulnerabilities." Instead: ' OR 1=1-- - with context on where and why to use it.
No resource is an island.
If you're reading about OAuth exploitation, you should be one click away from the OAuth cheatsheet, the JWT attack methodology (token-based auth), and any write-ups that involve OAuth bugs.
Start simple, build complexity naturally.
The course introduces concepts in order: IDOR (simple logic flaw) β XSS (context-dependent) β SQLi (syntax-dependent) β SSRF (chained with other bugs) β Request Smuggling (protocol-level). Each builds on the last.
Skill without ethics is just criminality.
Every page carries the warning. Every tool assumes authorization. Every write-up emphasizes responsible disclosure. The community's reputation depends on us policing ourselves β and helping newcomers understand why this matters.
The web changes. So must we.
This repository is designed for contributions. Standardized markdown formats, clear directory structures, and tooling that's easy to update mean this won't be a ghost repository in two years. The community keeps it alive.
I built this repository because when I started bug bounty hunting, I was lost. I had technical skills but no methodology. I could run tools but couldn't find bugs. What changed everything wasn't a new tool or a clever payload β it was a systematic approach to thinking about web applications.
This repository is that system, externalized and shared. It's the guide I wish someone had handed me on day one. It won't find bugs for you β there's no script that replaces human creativity and persistence. But it will give you the framework, the commands, and the confidence to sit down in front of a target and think: "I know what to do next."
Happy hacking. Stay ethical. And remember β every expert was once a beginner who didn't quit.
β @aw-junaid
| Statistic | Count |
|---|---|
| Web Penetration Methodologies | 38 |
| Web Technology Guides | 29 |
| Quick-Reference Cheatsheets | 68 |
| Custom Tools & Scripts | 7 |
| Report Templates | 1 |
| Curated Wordlists | 3 |
| Real-World Write-ups | Growing |
| Total Markdown Files | 148+ |
| Community Contributors | Growing |
| If You Want To... | Go Here |
|---|---|
| Start learning immediately | Getting Started Guide for Bug Hunters |
| Understand the folder structure | Understanding the Repository Structure |
| See all vulnerabilities in one place | Complete Vulnerability Index |
| Read common questions | FAQ |
| Contribute to the project | How to Contribute |
| Join the community | Discord |
| Knowledge Base | Tools | Project |
|---|---|---|
| Methodologies Β· Cheatsheets Β· Write-ups Β· Course | Automation Β· Exploitation Β· Recon | Security Policy Β· Code of Conduct Β· License |
β οΈ This repository contains real exploitation techniques. Unauthorized use is a criminal offense under the CFAA, Computer Misuse Act, and equivalent laws worldwide. Use only on systems you own or have explicit written permission to test.
Β© 2026 aw-junaid Β· MIT License
For Security Researchers
Methodologies β’ Cheatsheets β’ Tools β’ Write-ups
- π Wiki Home
- β FAQ
- π Project Overview & Philosophy
- π Getting Started Guide
- π€ How to Contribute
- π Course Materials
- πΊοΈ Repository Structure
- π Glossary of Terms
- βοΈ The Master Attack Flow
Core vulnerability exploitation guides
- API Security Testing
- Brute Force Attacks
- CORS Exploitation
- CRLF Injection
- CSRF
- Clickjacking
- Crawling & Fuzzing
- DNS Rebinding
- Deserialization
- Email Attacks
- Exploit Broken Links
- Race Conditions
- File Upload Vulnerabilities
- GraphQL Security Testing
- HTTP Parameter Pollution
- HTTP Request Smuggling
- Hashes
- IDOR
- Injection Exploitation
- LFI & RFI
- OAuth
- Open Redirect
- Prototype Pollution
- SQL Injection
- SSRF
- SSTI
- Session Fixation
- Supply Chain Attack
- Tabnabbing
- VHost
- Web Cache Deception
- WebSocket Exploitation
- Webshell
- XXE Vulnerabilities
- Cookies Padding
- CSP
- Header Injection
- Cross-Site Scripting (XSS)
Platform-specific exploitation guides
- ASP.NET
- Apache Tomcat
- CI/CD Security
- ELK Stack
- Exploitation Methodologies
- Buffer Overflows
- C2 Frameworks
- File Transfer Exploitation
- Firebase
- Firebird Database
- Flask Application
- From Recon to Root
- GitHub Security
- GitLab
- JWT
- Jenkins
- Joomla
- Linux Kernel Exploitation
- MFA/2FA Exploitation
- NoSQL Injection
- OAuth Exploitation
- OpenID Connect
- Privilege Escalation
- Remote Code Execution
- Reverse Shells
- SaaS Security Testing
- WAF
- WebDAV
- WordPress Penetration Testing
Quick-reference payloads & commands
- API Security
- ASP.NET
- Broken Links
- Bruteforcing
- Buffer Overflow
- CRLF Injection
- CSRF
- Clickjacking
- Command Injection
- Cookie Padding
- Crawling
- CORS
- CSP
- DNS Rebinding
- DavTest
- Deserialization
- Elasticsearch
- Email Attacks
- File Transfer
- File Upload
- Firebase
- Firebird
- Flask
- GitHub Security
- GitLab
- GraphQL
- HTTP Parameter Pollution
- HTTP Request Smuggling
- Hashes
- Header Injection
- IDOR
- JWT
- Jenkins
- Joomla
- Linux Kernel Exploits
- LFI & RFI
- MFA/2FA
- Modern C2 Frameworks
- NoSQL Injection
- OAuth
- OAuth 1.0
- OpenID Connect
- Open Redirects
- Payloads
- Ports
- Privilege Escalation
- Prototype Pollution
- Race Conditions
- Recon & Exploitation Reference
- Reverse Shells
- SQL Injection
- SaaS Security Testing
- SSRF
- SSTI
- Session Fixation
- Supply Chain Attacks
- Tabnabbing
- Tomcat Security Testing
- VHosts
- WAFs
- Web Cache Deception
- Web Exploits & C2
- Web Sockets
- Webshells
- WordPress
- XXE
- XSS Cheatsheet
- Web Penetration Commands
π View All 68 Cheatsheets
All cheatsheets are interlinked with their corresponding methodologies. Use the search function (press
t on GitHub) to find a specific one quickly.
- π Bug Report Template
- π Custom Subdomains Wordlist
- π Directory Brute Force Wordlist
- π XSS Payloads Wordlist
βοΈ Automation
π₯ Exploitation
π Reconnaissance
π§ Utilities
| Link | Destination |
|---|---|
| π Wiki Home | Home |
| π Repository | GitHub |
| β FAQ | FAQ |
| π Report a Bug | Security Policy |
| π License | MIT License |
| π¬ Discord | Join Server |
β‘ Stay curious. Hack ethically. Report responsibly.
Β© 2026 @aw-junaid β’ Built with π¬ for the security community