Full actionable workflow Hackerone program

 Full actionable workflow & checklist you can start on example.com RIGHT NOW (HackerOne-style public program).

This is a complete “from zero to paid report” pipeline. I’ve classified everything by bug type (OWASP Top 10 2021 + the most common high-paying bug-bounty extras like IDOR, SSRF, Subdomain Takeover). For each bug you get:

  • Why it pays (impact)
  • Exact tests (tools + commands + why you run them)
  • Quick-win order so you can hunt immediately

Phase 0 – Preparation (10 minutes)

  • Read the program policy on HackerOne (in-scope domains/subdomains).
  • Create 2–3 test accounts (different roles if possible).
  • Install free tools: Burp Suite Community (intercept everything — this is your #1 weapon because it lets you modify requests live without coding), Nuclei, ffuf, subfinder, httpx, waybackurls, gf (for patterns).

Phase 1 – Recon & Attack Surface Mapping (start here — 1–2 hours)

  1. Subdomains: subfinder -d example.com -o subs.txt && httpx -l subs.txt -o live.txt (why: passive + active finds forgotten subdomains that often have old code).
  2. Endpoints: cat live.txt | waybackurls | gf xss | tee urls.txt (pulls historical URLs).
  3. Tech stack & ports: nuclei -l live.txt -t tech/ + nmap -iL live.txt -T4.
  4. Screenshots + JS files: katana -u https://example.com or gau.
  5. Check for dangling records (subdomain takeover) later in specific section.

Now switch to systematic testing per bug type. Always proxy through Burp.

1. Broken Access Control (OWASP A01) – IDOR, Privilege Escalation, Missing Authorization (highest payout category on HackerOne)

Why it pays: Lets you view/edit other users’ data → often $1k–$10k+.

  • Create two accounts (User A & User B).
  • Test IDOR: Change user_id=123 → 124 in URL, cookies, JSON body, headers. Try base64/UUID versions too.
  • Horizontal: Same role, different user. Vertical: Low-priv → admin (change role=0 → role=1).
  • Test object references in API endpoints (e.g., /api/v1/users/{id}/profile).
  • Use Burp Autorize or Auth Analyzer extension (why: automates “can User B access User A’s data?”).
  • Check mass assignment (JSON with extra fields like “is_admin”:true). Quick win: Fuzz every numeric/ID parameter with ffuf.

2. Injection Flaws (OWASP A03) – SQLi, Command Injection, NoSQL, etc.

Why it pays: Full takeover or data dump.

  • Every input field + URL param: ' OR 1=1 --, ; ls, {{7*7}}, etc.
  • Use Burp Intruder + payloads from SecLists (why: time-based blind or error-based reveals backend).
  • For APIs: JSON injection, GraphQL introspection ({__schema{...}}).
  • Command injection in any file/URL parameter that processes external input.

3. Cross-Site Scripting (XSS) – Reflected, Stored, DOM (still the most reported high-payout bug)

Why it pays: $500–$5k+ easy.

  • Test every parameter, form, search box, JSON response with <script>alert(1)</script>, "><svg/onload=alert(1)>.
  • DOM-based: break out of JS context ('-alert(1)-').
  • Stored: post comment → view as another user.
  • Use Burp + XSStrike or manual (why: automated scanners miss context).

4. Server-Side Request Forgery (SSRF) (OWASP A10)

Why it pays: Internal network access, cloud metadata → critical.

5. Cryptographic Failures (OWASP A02) + Sensitive Data Exposure

  • Check for HTTP (not HTTPS), weak TLS (sslscan).
  • Look for API keys, passwords in JS files or responses.
  • Test JWT: change alg=none, modify payload, no signature.
  • Weak password reset tokens (predictable or not invalidated).

6. Security Misconfiguration (OWASP A05)

  • Nuclei scan: nuclei -l live.txt -t misconfiguration/.
  • Exposed files: /.git/, /.env, /debug, robots.txt, backup files.
  • Default creds, directory listing, debug mode enabled.
  • Missing security headers (HSTS, CSP, X-Frame-Options) → clickjacking.

7. Broken Authentication (OWASP A07)

  • User enumeration on login/register.
  • Brute-force / rate-limit bypass (why: many programs forget mobile/API endpoints).
  • Password reset token reuse or email in URL.
  • Session fixation, weak session cookies (no HttpOnly/Secure).

8. Cross-Site Request Forgery (CSRF)

  • Any state-changing action without CSRF token or SameSite=Strict.
  • Test with Burp Repeater + HTML PoC.

9. Insecure File Uploads + Path Traversal / LFI / RFI

  • Upload .php, .svg with XSS, .jpeg with PHP code.
  • Path traversal: ../../etc/passwd, ..%2f..%2f.
  • Test after upload if file is served from same domain (RCE potential).

10. Business Logic Flaws (huge payouts, least automated)

  • Price manipulation, negative quantities, race conditions (two tabs).
  • Bypass flow (skip payment step, reuse gift card).
  • Trust client-side limits (e.g., change quantity=1 → 999999).

Extra High-Value Bug Bounty Specifics (not pure OWASP)

  • Subdomain Takeover: subfinder ... | nuclei -t takeover/ or manual DNS check for dangling CNAMEs pointing to expired services (Heroku, GitHub, etc.).
  • CORS Misconfiguration: Change Origin header → check Access-Control-Allow-Origin: *.
  • Open Redirect: ?redirect=//evil.com or relative //evil.com.
  • GraphQL / API-specific: Introspection, batching, depth attacks.

Daily Workflow to Get Paid Fast

  1. Morning: New recon on fresh subdomains.
  2. Setup 2 accounts + Burp.
  3. Run Nuclei quick scan (30 min).
  4. Pick one bug class above and test every endpoint systematically (use Burp history).
  5. When you find something, reproduce in private browser, make clean PoC video/screenshot, write report with impact + steps.

Reporting tip: Title = “IDOR on /api/user/profile allows account takeover”, Severity = High/Critical, always include impact (“attacker can view PII of any user”). Most programs pay within days if clear.

Start right now on any public HackerOne program with example.com in scope: run subfinder + httpx, proxy through Burp, and test IDOR/XSS first — these two alone get people their first $500–$2k bounties in the first week.

Comments

Post a Comment

Popular posts from this blog

Turn Kali skills into a real business

 **Yes — this is exactly how pros .**   You're already intermediate, so we're skipping baby steps. Below is the **exact professional workflow** I (and many Kenyan freelancers) use for paid “Router Security Cleanup” gigs: detect malware (Mirai/botnets), exploits, payloads, weak WiFi, then harden and prove it. Clients love it because you show them the attack live, then fix it in 30–45 mins and charge KSh 3,000–7,000 per router (or KSh 15k+ for whole home/office). **Legal & Ethics First (non-negotiable for services)**   - Get **written permission** (simple WhatsApp/Email: “I authorise you to test and secure my router”).   - Never run on neighbours or public networks.   - Start every job with a backup of the router config.   - In Kenya, common targets: TP-Link Archer, Huawei HG series, ZTE, Safaricom-branded routers — all vulnerable to Mirai-style telnet exploits in 2026. sudo apt update && sudo apt install -y nmap nuclei ai...
Read more

Kali Linux terminal commands on router security

Router Cleanup & Hardening All commands assume ethical use: **your own router/lab**, written permission for clients, or legal targets like scanme.nmap.org. Run as root (`sudo -i`) where needed. ### 1. Network Discovery & Device Mapping (Find the router + connected devices) - Basic live host discovery:   ```bash   sudo nmap -sn 192.168.0.0/24          # Replace with your subnet (Tenda often 192.168.0.0/24)   ``` - Detailed ARP scan (great for local WiFi networks):   ```bash   sudo arp-scan --localnet --interface=wlan0   # Or eth0 if wired   ``` - Find router specifically:   ```bash   ip route | grep default   # Shows gateway IP (your router)   arp -a | grep -i "router\|tenda"   # Look for Tenda MAC/vendor   ``` ### 2. Router-Specific Deep Scanning (Detect open ports, services, OS, vulns) - Aggressive scan with vuln scripts (your go-to for before/after hardening proof):   ...
Read more