stop what you are doing and have a glance through this: https://www.infosecmatter.com/bug-bounty-tips/
my n00b notes on web_study
The Single Page badge on PA doesnt tell you where the exercises are... they are here
A good list of "todo's" is here at mrb3n's blog
To do:
Portswigger labs will take you from 0 to hero
Hack the Box/ BLUNDER
deletehead blog/ reflect on the repo
Hub Schellman blog/ follow sample projects as below:
Language Sample Project for Code Review PHP
• Beginner: simple-php-website
• Advanced: Fuel CMS ASP.NET & C#
• Beginner: SimpleWebAppMVC
• Moderate: Reddnet NodeJS
• Beginner: Employee Database
• Moderate: JS RealWorld Example App Java
• Beginner: Java Web App – Step by Step
• Advanced: GeoStore
- https://www.exploit-db.com/exploits/20009
- https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py
- Install: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
- https://www.exploit-db.com/exploits/39514
- Install: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
- https://srcincite.io/advisories/src-2016-0012/
- https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py
- Reference: PHP Type Juggling
- Install: http://archives.manageengine.com/applications_manager/13720/
- https://manageenginesales.co.uk/2018/05/manageengine-applications-manager-build-13730-released/
- Install: npm install bassmaster@1.5.1
- https://www.npmjs.com/package/bassmaster
- https://www.rapid7.com/db/modules/exploit/multi/http/bassmaster_js_injection
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/bassmaster_js_injection.rb
- https://www.exploit-db.com/exploits/40689