Abdul Wahab Junaid edited this page May 1, 2026 · 1 revision

Welcome to the Bug Bounty Wiki

This wiki is the documentation hub for the Bug Bounty repository: a knowledge base for security researchers, penetration testers, and bug bounty hunters, with explanations, usage guides, and best practices for every tool, methodology, and resource in the project.

⚠️ Critical Warning: For Authorized Use Only

All techniques, tools, and methodologies documented in this wiki are intended exclusively for authorized security testing, education, and ethical hacking. Obtain explicit written permission from the system owner before testing; for a bug bounty program, the program's published policy is that permission, and it covers only the assets and testing it lists as in scope. Unauthorized testing is illegal and may lead to criminal prosecution. The authors assume no liability for misuse.


Navigating the Knowledge Base

To help you find what you need quickly, the wiki is organized into the same main sections as the repository:

1. Course Materials

A structured learning path for anyone new to bug bounty hunting or looking to solidify their fundamentals.

  • Getting Started: Syllabus, prerequisites, and learning objectives to take you from beginner to advanced.

2. Methodologies

In-depth attack strategies and frameworks for finding and exploiting vulnerabilities.

  • Web Penetration Testing: Guides for specific vulnerability classes such as SQL Injection, XSS, CSRF, SSRF, IDOR, and more. Each guide walks through detection and exploitation step by step.
  • Web Technologies & Infrastructure: Platform-specific exploitation guides for CMSs (WordPress, Joomla), servers (Apache Tomcat), and cloud services (Firebase), plus cross-cutting topics such as OAuth 2.0 exploitation, WAF bypassing, and CI/CD pipeline attacks.

3. Resources

A curated collection of actionable cheatsheets, templates, and wordlists to accelerate your testing workflow.

  • Cheatsheets: Quick-reference commands and payloads for 68 vulnerability classes and platforms.
  • Templates: A standardized bug report template so that findings are documented professionally for submission.
  • Wordlists: Targeted lists for subdomain discovery, directory fuzzing, and XSS payloads.

4. Tools

Custom-built automation, exploitation, and reconnaissance tools designed for bug bounty workflows. Each tool's wiki page includes setup instructions and usage examples.

  • Automation: Scripts such as bug-bounty-workflow.sh, which chains reconnaissance and scanning into a single pipeline.
  • Exploitation: Dedicated testers for individual vulnerability classes, such as SQL Injection (sqli-tester.py) and Cross-Site Scripting (xss-scanner.py).
  • Reconnaissance: Scripts for subdomain enumeration (subdomain-enum.py) and URL collection to map an attack surface.
  • Utilities: Helper tools for generating custom payloads and managing wordlists.

5. Write-ups

Real-world examples and lessons learned from actual bug bounty reports and vulnerability disclosures. A great way to learn by seeing how vulnerabilities are discovered and exploited in practice.


Quick Start Guide

  1. Foundation: Start with the Course if you're new to the field.
  2. Specialize: Pick a vulnerability class from the Web Penetration Methodologies that you want to master.
  3. Practice: Use the corresponding Cheatsheet for quick payloads and the Tools section to automate your attack.
  4. Explore: Read the Write-ups to understand real-world impact and reporting style.
  5. Report: When you find a valid bug, model your report after the Bug Report Template.

Bug Bounty Knowledge Base

For Security Researchers
Methodologies • Cheatsheets • Tools • Write-ups


67 Methodologies • 68 Cheatsheets • 7 Tools • 3 Wordlists


🧭 Start Here

  • 🎓 Learning Path
  • ⚔️ Web Penetration Testing: core vulnerability exploitation guides
  • 💻 Web Technologies: platform-specific exploitation guides
  • 📋 Cheatsheets: quick-reference payloads & commands (view all 68 cheatsheets). All cheatsheets are interlinked with their corresponding methodologies; use the GitHub file finder (press t) to find a specific one quickly.
  • 📝 Templates & Wordlists
  • 🛠️ Tools: ⚙️ Automation • 💥 Exploitation • 🔍 Reconnaissance • 🔧 Utilities
  • ✍️ Write-ups
  • 📜 Core Documents


🌐 Connect

YouTube • Twitter • Discord • LinkedIn • Instagram • Twitch • Proton Mail


💰 Support the Project

Buy Me A Coffee


🔗 Quick Links

Link               Destination
🏠 Wiki Home       Home
📁 Repository      GitHub
FAQ                FAQ
🐛 Report a Bug    Security Policy
📄 License         MIT License
💬 Discord         Join Server



⚡ Stay curious. Hack ethically. Report responsibly.

© 2026 @aw-junaid • Built with 🔬 for the security community
