Advanced Tactics for Bug Bounty Hunting

Bug bounty hunting differs from penetration testing in three critical ways:

• You get paid for impact, not effort. A single critical-severity report can outearn a month of medium findings.
• Scope is public and competitive. Hundreds of hunters look at the same target; first valid report wins.
• The signal-to-noise ratio matters. Programs measure hunters by report quality. Spamming reports gets you banned.

The four pillars of a successful hunting practice:

1. Recon — knowing more of the attack surface than other hunters.
2. Vulnerability spotting — recognizing patterns that translate to high-impact bugs.
3. Exploitation and chaining — proving impact, often by combining several lower-severity issues.
4. Reporting — writing reports triagers can reproduce and reward.

Recon is where the leaderboard hunters separate themselves. The pipeline:

Asset Discovery

• Subdomain enumeration — subfinder, amass, assetfinder, findomain, chaos (ProjectDiscovery), plus DNS bruteforce with puredns and curated wordlists (Jhaddix's all.txt, commonspeak2).
• Certificate transparency — crt.sh, Censys, custom CT-log streamers for real-time new-subdomain alerts.
• ASN mapping — whois, bgp.he.net, then mapcidr to expand IP ranges; tlsx and nuclei -t exposures to fingerprint services.
• JavaScript analysis — katana, subjs, gau, waybackurls for historical URLs; linkfinder and regex-extracted secrets from JS bundles.
• Mobile app extraction — pull APKs from APKMirror, decompile with jadx, extract API endpoints and hardcoded credentials.
• Cloud-bucket enumeration — cloud_enum, s3scanner, with permutations of org name and asset names.
• GitHub recon — gitleaks, trufflehog, gitdorker for leaked secrets across the org's repos and forks.

Automate everything. Top hunters run continuous recon: new subdomains alert via Slack, new JS files diff against last week's, new HTTP responses notify on Telegram. Tools like interlace and axiom distribute scans across cheap cloud VMs.

Tech Fingerprinting

httpx, nuclei, whatweb, and wappalyzer identify stacks. Then look for version-specific known vulnerabilities, CVEs without public exploits (write your own), and recent CMS/framework releases (look at the changelog for the security fix mentions).

Access Control / IDOR

Still the most common high-impact finding. Look for any endpoint with a numeric or UUID identifier in the URL or body, and try other users' IDs. Modern variants:

• GraphQL IDORs — try node(id: ...) queries with foreign IDs.
• Tenant-scoped IDs missing tenant checks in multi-tenant SaaS.
• Soft-deleted records still accessible by ID.
• Cross-region or staging-to-prod data leakage.

SSRF

Especially against cloud-hosted apps; SSRF to the metadata service (169.254.169.254) on AWS/GCP/Azure yields IAM credentials. Look for any endpoint that fetches a URL: image upload by URL, webhook configuration, OEmbed parsing, PDF generation, SVG/HTML rendering. Use DNS rebinding when filters block IPs.

Race Conditions

The "single-packet attack" technique (James Kettle) sends 20+ HTTP/2 requests in a single TCP packet, hitting the server within microseconds. Profitable targets: coupon redemption, 2FA brute force, like/follow limits, withdrawal endpoints. Burp's Turbo Intruder is the canonical tool.

Server-Side Template Injection (SSTI) and Prototype Pollution

SSTI in Jinja, Twig, Velocity, Freemarker often leads to RCE. Prototype pollution in Node.js applications can be chained to RCE via gadgets in popular libraries (express, mongoose, ejs).

XSS Chained to Account Takeover

Self-XSS plus a CSRF in the login flow can become a full ATO. DOM XSS in OAuth callback handlers leaks tokens. Markdown rendering with HTML pass-through repeatedly produces stored XSS.

Auth & SSO Bugs

OAuth misconfiguration (open redirect in redirect_uri, missing state parameter, code reuse), SAML signature wrapping, JWT algorithm confusion (alg: none, HS256 swapped with RS256 using the public key as HMAC secret), session fixation, and password-reset poisoning via Host header.

Business Logic

The hardest bugs to find with automation. Read the docs, understand the product, then ask "what does the developer assume?" Examples: negative-quantity purchases, type juggling in payment amounts, race conditions in account creation that lead to email impersonation, payment-flow steps skippable in a different order.

File Upload to RCE

.htaccess, .phtml, polyglot images with embedded PHP, SVG XXE, MIME-type confusion, race conditions during AV scanning, ZIP slip in extraction routines.

GraphQL

Introspection enabled in production reveals every query and mutation. Look for unprotected mutations, field-level access bypasses, query-cost DoS, batched-query authorization bypass.

A medium-severity SSRF + a low-severity information disclosure = critical. A self-XSS + login CSRF = stored XSS-equivalent. An open redirect + an OAuth misconfig = full account takeover. Programs reward the chain, not the components. Always ask: "what is the worst thing this gives me?"

A great report:

• Clear title stating impact, not technique. "Critical: Full account takeover via SSO callback misconfig" beats "open redirect in /oauth/callback."
• Affected asset and prerequisites explicitly listed.
• Step-by-step reproduction that a triager can paste into Burp and run.
• Proof-of-concept video or screenshots for visual bugs.
• Impact section quantifying the business risk.
• Suggested remediation.

Avoid drama, do not pressure for higher payouts, and respect program rules. Reputation compounds; one well-handled report opens doors to private invites where bounties are 2–10x larger.

• Stay legal. Read scope carefully. Out-of-scope means out-of-scope. Do not access user data beyond what's needed for PoC.
• Use disposable infrastructure — VPS for active scanning, separate from your personal IPs.
• Maintain notes and a personal knowledge base (Obsidian, Notion). Patterns that worked once usually work again on similar targets.
• Specialize. Top hunters often own a niche — GraphQL, OAuth, Android, blockchain, BMS systems. Depth pays.
• Continuous learning. Read PortSwigger Research, Frans Rosén's blog, NahamSec, STÖK, and disclosed reports on HackerOne hacktivity feed.

• Jack Cable's Apple ATO chain (2020) — multi-step OAuth/JWT misconfiguration, $100K bounty.
• Sam Curry's automotive-industry research (2023) — full takeover of Kia, BMW, Mercedes, Toyota, and others through API and SSO weaknesses, demonstrating recurring vendor patterns.
• Orange Tsai's SAML and proxy research — multiple Black Hat presentations turned into bug-bounty-payable findings across the industry.
• Frans Rosén's postMessage and SaaS research — a long tail of disclosed XSS, ATO, and SSRF findings.
• Top-100 leaderboards on HackerOne and Bugcrowd — many hunters earning $500K–$3M annually, increasingly with small teams of collaborators.

For programs:

1. Clear, scoped, and current program briefs. Update scope as the company grows.
2. Fast triage and payment — top hunters go where the response is fastest.
3. Bonuses for chained impact and creative bugs to encourage quality over volume.
4. Safe-harbor language that explicitly authorizes the testing in scope.
5. VDP (Vulnerability Disclosure Program) as a baseline for the public, with the bounty program layered for serious researchers.

For hunters:

1. Recon discipline — automate continuously, monitor diffs, and prioritize freshly added subdomains and endpoints.
2. Targeted reading — disclosed reports for the company and similar verticals are gold.
3. Patience on the long tail — most bugs come from boring, methodical review of low-traffic endpoints.
4. Mental health and pacing — hunter burnout is real; sustainable practice beats sprints.