A curated list of resources that will level up your bounty game. For more, head back to the main page.
Assetnote dropped a whole bunch of incredible wordlists to use in your bug bounty hunting endeavours. Check them out here: https://wordlists.assetnote.io/
Source: https://twitter.com/Jhaddix/status/1315755608851668993
Just FYI my content discovery file is:
https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
My subdomain enumeration file is:
https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a
My github dork section of http://hunter.sh is:
https://gist.github.com/jhaddix/77253cea49bf4bd4bfd5d384a37ce7a4
Enjoy!
Nahamsec maintains a GitHub repository full of beginner resources to check out. You can see it here: https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
Hakluke wrote a 3-part guide to OSCP.
Part 1: Is OSCP for you? Some things you should know before you start https://medium.com/@hakluke/haklukes-ultimate-oscp-guide-part-1-is-oscp-for-you-b57cbcce7440
Part 2: Workflow and documentation tips https://medium.com/@hakluke/haklukes-ultimate-oscp-guide-part-2-workflow-and-documentation-tips-9dd335204a48
Part 3: Practical hacking tips and tricks https://medium.com/@hakluke/haklukes-ultimate-oscp-guide-part-3-practical-hacking-tips-and-tricks-c38486f5fc97
Assetnote dropped an incredible resource for chaining blind SSRF vulnerabilities. You can check it out here: https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/
How to find XXE bugs: Severe, Missed and Misunderstood: https://www.bugcrowd.com/blog/how-to-find-xxe-bugs/
https://johnjhacking.com/blog/the-oscp-preperation-guide-2020/
https://www.youtube.com/watch?v=1nJgupaUPEQ
https://securib.ee/beelog/must-watch-infosec-talks-of-2020/
https://www.youtube.com/watch?v=jyjGneKJynk
Damn Vulnerable GraphQL Application for practice: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
SecLists by Daniel Miessler is an amazing collection of wordlists: https://github.com/danielmiessler/SecLists/