31 Tips — Advanced Bug Bounty & Pentesting

Inon Shkedy
2 min readAug 23, 2021


To welcome Blackhat & Defcon conferences, we published a daily tip on Bug Bounty & AppSec during the month of July 2021.

We started this project because we wanted to help developers, security engineers, and pentesters learn about AppSec and API pentesting.

We realize it’s not easy to find resources in these fields, so this is only one project among many others yet to come :)

Don’t forget to follow us on Twitter (@InonShkedy and @Traceable.ai)!

31 API tips — chronological order, raw format

You can find a compiled list of all the tips in a GitHub repository:

31 API tips + categories & statistics

I created a detailed spreadsheet including statistics (# of likes/retweets) and separated the tips into the following categories:

Authorization (6) | Authentication (3) | CSRF (1) | Detailed Errors (2) | File Upload (1) | Injection (5) | Path Manipulation (2) | Reconnaissance (5) | XXE (2) | IDK (3) | Mental Health (1) |

You can use filters and find what are the tips that gained the most traction:

The Best Tip for Bug Bounty Hunters

The best tip I can give you as a pentester:
Bug bounty hunting is a stressful job. If you find yourself getting overwhelmed after not finding vulns, remind yourself that some apps are just more secure than others. Apply mindfulness to your daily routine and meditate between RCEs 🧘‍♂️



Inon Shkedy

I love to learn, build and break things. Head of Security Research @ Traceable.ai