31 Tips — Advanced Bug Bounty & Pentesting

Inon Shkedy
2 min read · Aug 23, 2021

To mark the Black Hat and DEF CON conferences, we published a daily tip on Bug Bounty & AppSec throughout July 2021.

We started this project because we wanted to help developers, security engineers, and pentesters learn about AppSec and API pentesting.

We realize it’s not easy to find resources in these fields, so this is only one project among many others yet to come :)

Don’t forget to follow us on Twitter (@InonShkedy and @Traceable.ai)!

31 API tips — chronological order, raw format

You can find a compiled list of all the tips in a GitHub repository:

31 API tips + categories & statistics

I created a detailed spreadsheet including statistics (# of likes/retweets) and separated the tips into the following categories:

Authorization (6) | Authentication (3) | CSRF (1) | Detailed Errors (2) | File Upload (1) | Injection (5) | Path Manipulation (2) | Reconnaissance (5) | XXE (2) | IDK (3) | Mental Health (1)

You can use the filters to find which tips gained the most traction:

The Best Tip for Bug Bounty Hunters

The best tip I can give you as a pentester:
Bug bounty hunting is a stressful job. If you find yourself getting overwhelmed after not finding vulns, remind yourself that some apps are just more secure than others. Apply mindfulness to your daily routine and meditate between RCEs 🧘‍♂️


I love to learn, build and break things. Head of Security Research @ Traceable.ai