
The Ultimate Web Application Bug Bounty Hunting Course

Posted By: ELK1nG

Published 4/2023
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 6.46 GB | Duration: 12h 22m

Bug Bounty Hunting from Zero to Hero. Become a successful Web Application Bug Bounty Hunter

What you'll learn

Web application vulnerabilities

Web application penetration testing

Become a web app bug bounty hunter

100+ ethical hacking & security videos

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)

Open Redirect

Bypassing Access Control

Server-side request forgery (SSRF)

SQL injection

OS command injection

Insecure Direct Object References (IDOR)

XML external entity (XXE) injection

API Testing

File upload vulnerabilities

Java Script analysis

Cross-origin resource sharing (CORS)

Business logic vulnerabilities

Registration flaws

Login flaws

Password reset flaws

Updating account flaws

Developer tools flaws

Analysis of core application

Payment feature flaws

Premium feature flaws

Directory Traversal

Bug Hunting Methodology

Requirements

Basic IT Skills

Basic understanding of web technology

No Linux, programming or hacking knowledge required

Computer with a minimum of 4 GB RAM/memory

Operating System: Windows / Apple Mac OS / Linux

Reliable internet connection

Burp Suite Community (Pro optional)

Firefox Web Browser

Description

Welcome to the ultimate Web Application Bug Bounty Hunting course.

Your instructor is Martin Voelk. He is a Cyber Security veteran with 25 years of experience. Martin holds some of the highest certifications, including CISSP, OSCP, OSWP, PortSwigger BSCP, CCIE, PCI ISA and PCIP. He works as a consultant for a big tech company and engages in Bug Bounty programs where he found thousands of critical and high vulnerabilities.

In this course Martin walks students through a step-by-step methodology on how to uncover web vulnerabilities. The theoretical lecture is complemented with the relevant free practical Burp labs to reinforce the knowledge. Martin is not just inserting the payload but explains each step of finding the vulnerability and why it can be exploited in a certain way. The videos are easy to follow along and replicate. This training is highly recommended for anyone who wants to become a professional Web Application Bug Bounty Hunter.

Course outline:

1. Cross-site scripting (XSS) – Theory and Labs
2. Cross-site request forgery (CSRF) – Theory and Labs
3. Open Redirect – Theory and Labs
4. Bypassing Access Control – Theory and Labs
5. Server-side request forgery (SSRF) – Theory and Labs
6. SQL injection – Theory and Labs
7. OS command injection – Theory and Labs
8. Insecure Direct Object References (IDOR) – Theory and Labs
9. XML external entity (XXE) injection – Theory and Labs
10. API Testing – Theory and Labs
11. File upload vulnerabilities – Theory and Labs
12. Java Script analysis – Theory and Labs
13. Cross-origin resource sharing (CORS) – Theory and Labs
14. Business logic vulnerabilities – Theory and Labs
15. Registration flaws
16. Login flaws
17. Password reset flaws
18. Updating account flaws
19. Developer tool flaws
20. Analysis of core application
21. Payment feature flaws
22. Premium feature flaws
23. Directory Traversal – Theory and Labs
24. Methodology to find most bugs

Notes & Disclaimer

PortSwigger labs are a public and free service from PortSwigger for anyone to use to sharpen their skills. All you need is to sign up for a free account. I will respond to questions in a reasonable time frame. Learning Web Application Pen Testing / Bug Bounty Hunting is a lengthy process, so please don't feel frustrated if you don't find a bug right away. Try to use Google, read HackerOne reports and research each feature in-depth. This course is for educational purposes only. This information is not to be used for malicious exploitation and must only be used on targets you have permission to attack.

Overview

Section 1: Introduction

Lecture 1 Introduction

Section 2: Cross-site scripting (XSS)

Lecture 2 XSS Methodology

Lecture 3 XSS Links and Slides

Lecture 4 Reflected XSS into HTML context with nothing encoded

Lecture 5 Stored XSS into HTML context with nothing encoded

Lecture 6 DOM XSS in document.write sink using source location.search

Lecture 7 DOM XSS in innerHTML sink using source location.search

Lecture 8 DOM XSS in jQuery anchor href attribute sink using location.search source

Lecture 9 DOM XSS in jQuery selector sink using a hashchange event

Lecture 10 Reflected XSS into attribute with angle brackets HTML-encoded

Lecture 11 Stored XSS into anchor href attribute with double quotes HTML-encoded

Lecture 12 Reflected XSS into a JavaScript string with angle brackets HTML encoded

Lecture 13 DOM XSS in document.write sink using source location.search inside a select elem

Lecture 14 DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encod

Lecture 15 Reflected DOM XSS

Lecture 16 Stored DOM XSS

Lecture 17 Exploiting cross-site scripting to steal cookies

Lecture 18 Exploiting cross-site scripting to capture passwords

Lecture 19 Exploiting XSS to perform CSRF

Lecture 20 Reflected XSS into HTML context with most tags and attributes blocked

Lecture 21 Reflected XSS into HTML context with all tags blocked except custom ones

Lecture 22 Reflected XSS with some SVG markup allowed

Lecture 23 Reflected XSS in canonical link tag

Lecture 24 Reflected XSS into a JavaScript string with single quote and backslash escaped

Lecture 25 Reflected XSS into a JavaScript string with angle brackets and double quotes HTM

Lecture 26 Stored XSS into onclick event with angle brackets and double quotes HTML-encoded

Lecture 27 Reflected XSS into a template literal with angle brackets, single, double quotes

Section 3: Cross-site request forgery (CSRF)

Lecture 28 CSRF Methodology

Lecture 29 CSRF Links and Slides

Lecture 30 CSRF vulnerability with no defenses

Lecture 31 CSRF where token validation depends on request method

Lecture 32 CSRF where token validation depends on token being present

Lecture 33 CSRF where token is not tied to user session

Lecture 34 CSRF where token is tied to non-session cookie

Lecture 35 CSRF where token is duplicated in cookie

Lecture 36 SameSite Lax bypass via method override

Lecture 37 SameSite Strict bypass via client-side redirect

Lecture 38 SameSite Strict bypass via sibling domain

Lecture 39 SameSite Lax bypass via cookie refresh

Lecture 40 CSRF where Referer validation depends on header being present

Lecture 41 CSRF with broken Referer validation

Section 4: Open Redirect

Lecture 42 Open Redirect Methodology

Lecture 43 Open Redirect Links and Slides

Lecture 44 Open Redirect Lab 1

Lecture 45 Open Redirect Lab 2

Lecture 46 Open Redirect Lab 3

Lecture 47 Open Redirect Lab 4

Section 5: Bypassing Access Control

Lecture 48 Bypassing Access Control Methodology

Lecture 49 Bypassing Access Control Links and Slides

Lecture 50 Unprotected admin functionality

Lecture 51 Unprotected admin functionality with unpredictable URL

Lecture 52 User role controlled by request parameter

Lecture 53 User role can be modified in user profile

Lecture 54 User ID controlled by request parameter

Lecture 55 User ID controlled by request parameter, with unpredictable user IDs

Lecture 56 User ID controlled by request parameter with data leakage in redirect

Lecture 57 User ID controlled by request parameter with password disclosure

Lecture 58 URL-based access control can be circumvented

Lecture 59 Method-based access control can be circumvented

Lecture 60 Multi-step process with no access control on one step

Lecture 61 Referer-based access control

Section 6: Server-side request forgery (SSRF)

Lecture 62 Server-side request forgery (SSRF) Methodology

Lecture 63 Server-side request forgery (SSRF) Links and Slides

Lecture 64 Basic SSRF against the local server

Lecture 65 Basic SSRF against another back-end system

Lecture 66 SSRF with blacklist-based input filter

Lecture 67 SSRF with filter bypass via open redirection vulnerability

Lecture 68 Blind SSRF with out-of-band detection

Section 7: SQL injection

Lecture 69 SQL injection Methodology

Lecture 70 SQL injection Links and Slides

Lecture 71 SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Lecture 72 SQL injection vulnerability allowing login bypass

Lecture 73 SQL injection UNION attack, determining the number of columns returned

Lecture 74 SQL injection UNION attack, finding a column containing text

Lecture 75 SQL injection UNION attack, retrieving data from other tables

Lecture 76 SQL injection UNION attack, retrieving multiple values in a single column

Lecture 77 SQL injection attack, querying the database type and version on Oracle

Lecture 78 SQL injection attack, querying the database type and version on MySQL and MS

Lecture 79 SQL injection attack, listing the database contents on non-Oracle databases

Lecture 80 SQL injection attack, listing the database contents on Oracle

Lecture 81 Blind SQL injection with conditional responses

Lecture 82 Blind SQL injection with conditional errors

Lecture 83 Blind SQL injection with time delays

Lecture 84 Blind SQL injection with time delays and information retrieval

Lecture 85 Blind SQL injection with out-of-band interaction

Lecture 86 Blind SQL injection with out-of-band data exfiltration

Lecture 87 SQL injection with filter bypass via XML encoding

Section 8: OS command injection

Lecture 88 OS command injection Methodology

Lecture 89 OS command injection Links and Slides

Lecture 90 OS command injection, simple case

Lecture 91 Blind OS command injection with time delays

Lecture 92 Blind OS command injection with output redirection

Lecture 93 Blind OS command injection with out-of-band interaction

Lecture 94 Blind OS command injection with out-of-band data exfiltration

Section 9: Insecure Direct Object References (IDOR)

Lecture 95 Insecure Direct Object References (IDOR) Methodology

Lecture 96 Insecure Direct Object References (IDOR) Links and Slides

Lecture 97 IDOR Lab 1

Lecture 98 IDOR Lab 2

Lecture 99 IDOR Lab 3

Lecture 100 IDOR Lab 4

Section 10: XML external entity (XXE) injection

Lecture 101 XML external entity (XXE) injection Methodology

Lecture 102 XML external entity (XXE) injection Links and Slides

Lecture 103 Exploiting XXE using external entities to retrieve files

Lecture 104 Exploiting XXE to perform SSRF attacks

Lecture 105 Blind XXE with out-of-band interaction

Lecture 106 Blind XXE with out-of-band interaction via XML parameter entities

Lecture 107 Exploiting blind XXE to exfiltrate data using a malicious external DTD

Lecture 108 Exploiting blind XXE to retrieve data via error messages

Lecture 109 Exploiting XInclude to retrieve files

Lecture 110 Exploiting XXE via image file upload

Section 11: API Testing

Lecture 111 API Methodology

Lecture 112 API Links and Slides

Section 12: File upload vulnerabilities

Lecture 113 File upload vulnerabilities Methodology

Lecture 114 File upload vulnerabilities Links and Slides

Lecture 115 Remote code execution via web shell upload

Lecture 116 Web shell upload via Content-Type restriction bypass

Lecture 117 Web shell upload via path traversal

Lecture 118 Web shell upload via extension blacklist bypass

Lecture 119 Web shell upload via obfuscated file extension

Lecture 120 Remote code execution via polyglot web shell upload

Section 13: Java Script analysis

Lecture 121 Java Script analysis Methodology

Lecture 122 Java Script analysis Links and Slides

Lecture 123 Java Script Lab 1

Lecture 124 Java Script Lab 2

Lecture 125 Java Script Lab 3

Lecture 126 Java Script Lab 4

Section 14: Cross-origin resource sharing (CORS)

Lecture 127 Cross-origin resource sharing (CORS) Methodology

Lecture 128 Cross-origin resource sharing (CORS) Links and Slides

Lecture 129 CORS vulnerability with basic origin reflection

Lecture 130 CORS vulnerability with trusted null origin

Lecture 131 CORS vulnerability with trusted insecure protocols

Section 15: Business logic vulnerabilities

Lecture 132 Business logic vulnerabilities Methodology

Lecture 133 Business logic vulnerabilities Links and Slides

Lecture 134 Excessive trust in client-side controls

Lecture 135 High-level logic vulnerability

Lecture 136 Inconsistent security controls

Lecture 137 Flawed enforcement of business rules

Lecture 138 Low-level logic flaw

Lecture 139 Inconsistent handling of exceptional input

Lecture 140 Weak isolation on dual-use endpoint

Lecture 141 Insufficient workflow validation

Lecture 142 Authentication bypass via flawed state machine

Lecture 143 Infinite money logic flaw

Lecture 144 Authentication bypass via encryption oracle

Section 16: Registration flaws

Lecture 145 Registration flaws Methodology

Lecture 146 Registration flaws Slides

Section 17: Login flaws

Lecture 147 Login flaws Methodology

Lecture 148 Login flaws Slides

Section 18: Password reset flaws

Lecture 149 Password reset flaws Methodology

Lecture 150 Password reset flaws Slides

Lecture 151 Password reset broken logic

Lecture 152 Password reset poisoning via middleware

Lecture 153 Basic password reset poisoning

Section 19: Updating account flaws

Lecture 154 Updating account Methodology

Lecture 155 Updating account flaws Slides

Section 20: Developer tools flaws

Lecture 156 Developer tools Methodology

Lecture 157 Developer tools flaws Slides

Section 21: Analysis of the core application

Lecture 158 Analysis of the core application Methodology

Lecture 159 Analysis of the core application Slides

Section 22: Payment feature flaws

Lecture 160 Payment feature Methodology

Lecture 161 Payment feature flaws Slides

Section 23: Premium feature flaws

Lecture 162 Premium feature Methodology

Lecture 163 Premium feature flaws Slides

Section 24: Directory Traversal

Lecture 164 Directory Traversal Methodology

Lecture 165 Directory Traversal flaws Links and Slides

Lecture 166 File path traversal, simple case

Lecture 167 File path traversal, traversal sequences blocked with absolute path bypass

Lecture 168 File path traversal, traversal sequences stripped non-recursively

Lecture 169 File path traversal, traversal sequences stripped with superfluous URL-decode

Lecture 170 File path traversal, validation of start of path

Lecture 171 File path traversal, validation of file extension with null byte bypass

Section 25: Methodology to find most bugs

Lecture 172 Bug Finding Methodology

Lecture 173 Bug Finding Slides

Anybody interested in ethical web application hacking / web application penetration testing

Anybody interested in becoming a web application bug bounty hunter

Anybody interested in learning how hackers hack web applications

Developers looking to expand on their knowledge of vulnerabilities that may impact them

Anyone interested in application security

Anyone interested in Red teaming

Anyone interested in offensive security