0xMarvul Playbook

Quick Resources & Tools

SecLists Burp Suite OWASP ZAP OWASP Top 10

Easy Understand Program Scope

Thoroughly read and understand the bug bounty program's policy (scope, out-of-scope, rewards, disclosure rules).
💡 Tip: Missing scope details causes 30% of invalid reports
Identify all in-scope assets (domains, subdomains, applications, IPs).
Note any specific vulnerabilities the program is *not* interested in.
Note any testing restrictions (e.g., no DoS, rate limits).
⚠️ Warning: Violating test restrictions can get you banned

Easy Set Up Your Environment

VPN or proxy configured for anonymity/testing (if permitted/needed).
Dedicated browser profile for testing.
Note-taking application ready (e.g., Obsidian, CherryTree, Notion, text files).
Burp Suite / OWASP ZAP (or preferred proxy) installed and configured.

Medium Review Basic Security Concepts

Refresh knowledge of OWASP Top 10.
🔗 Resource: OWASP Top 10 2021
Review common web application vulnerabilities.
Understand HTTP basics (methods, headers, status codes).

Easy Choose Your Target(s) within the Program

Select an initial asset or feature to focus on.
💡 Tip: Start with less popular subdomains for lower competition

Recon Tools & Resources

Subfinder Amass crt.sh Shodan Waybackurls

Easy Passive Reconnaissance

Program Policy Review (Again): Double-check scope related to recon.
Google Dorking / Search Engine Hacking (e.g., `site:target.com`, `inurl:admin`).
💡 Success Story: Found exposed .git directory via Google dork - $1,500 bounty
WHOIS Lookup.
DNS Enumeration (Passive - e.g., dnsdumpster, securitytrails).
Certificate Transparency Logs (e.g., crt.sh).
💡 Tip: CT logs often reveal hidden subdomains before they're public
Wayback Machine / Archive.org.
GitHub/GitLab Recon (Public Repositories).
🔗 Tool: Use Gitrob for automated scanning
Shodan / Censys / Zoomeye.
Social Media & Public Information (Ethically and within scope).

Medium Active Reconnaissance

Subdomain Enumeration (Active - e.g., Subfinder, Amass).
💡 Tip: Combine multiple tools - each finds unique subdomains
Port Scanning (Nmap - common ports, service versions).
⚠️ Warning: Check if port scanning is allowed in program policy
Technology Fingerprinting (Wappalyzer, WhatWeb).
Directory & File Brute-forcing (Dirb, Gobuster).
Virtual Host Enumeration.
API Endpoint Discovery (JS files, DevTools, Fuzzing).
💡 Success Story: Found undocumented API endpoint in JS files - Critical IDOR - $5,000

Easy Map Application Structure

Manually browse the entire application.
Understand functionality and user roles.
Use Burp Suite's site map or ZAP's site tree.

Hard OWASP Top 10 & Common Vulnerabilities

Medium Other Common Vulnerabilities

File Upload Vulnerabilities.
💡 Tip: Test: Double extensions, MIME type bypass, SVG XSS, path traversal in filename
XML External Entities (XXE).
🔗 CVE Example: CVE-2016-3092 (Apache Commons XXE)
HTTP Request Smuggling.
💡 Success Story: CL.TE smuggling on load balancer - Cache poisoning - $12,000
Open Redirects.
💡 Tip: Chain with OAuth flows for account takeover
Subdomain Takeover.
🔗 Tool: Use Can I Take Over XYZ for service fingerprints
Business Logic Flaws.
💡 Success Story: Negative quantity in shopping cart - Free items - $5,000
Race Conditions.
🔗 Tool: Use Turbo Intruder for parallel requests
Information Disclosure (e.g., `.git` folder, debug pages).
💡 Success Story: /.git/config exposed - Source code leaked - $4,000

Hard API Testing (if applicable)

Test for OWASP API Security Top 10.
🔗 Resource: OWASP API Top 10
Authentication and Authorization bypasses.
💡 Tip: Test HTTP methods (PUT, DELETE), parameter pollution, JWT manipulation
Mass Assignment.
💡 Success Story: Added "isAdmin":true in signup request - Admin access - $6,500
Rate Limiting issues.
Excessive Data Exposure.

Easy Automated Scanning (supplement, if allowed)

Run Burp Scanner / ZAP Active Scan (scoped).
⚠️ Warning: Always verify automated findings manually before reporting
Use specialized scanners (Nuclei, WPScan, etc.).
🔗 Tool: Nuclei - Fast vulnerability scanner

Medium Exploitation Best Practices

Verify Vulnerability (confirm not a false positive).
💡 Tip: Test vulnerability at least 3 times to rule out false positives
Understand Impact (assess risk and potential damage).
💡 Tip: Use CVSS calculator to determine severity score
Develop a Clear PoC (simple, repeatable steps, code snippets, HTTP requests).
💡 Success Story: Video PoC showing account takeover increased bounty by 50%
Ethical Exploitation: DO NOT cause harm, access/modify/delete unauthorized data, or disrupt services. Stop if uncertain.
⚠️ Critical: Create test accounts, never use real user data

Easy Review Program's Reporting Guidelines

Use the specified platform (HackerOne, Bugcrowd, email, etc.).
Follow their required format.

Medium Write a Clear and Concise Report

Title: Descriptive and to the point.
💡 Example: "IDOR allows any user to modify other users' email addresses"
Vulnerability Type.
Asset/URL: Specific location.
Severity/Impact: Your assessment.
💡 Tip: Explain business impact clearly - "Attacker can..."
Detailed Description.
Steps to Reproduce (PoC): Numbered, clear, easy to follow.
💡 Success Tip: Clear PoC steps reduce validation time = faster payout
Screenshots/Videos: Attach as evidence.
💡 Tip: Use tools like Loom for quick screen recording
Remediation Suggestions (Optional).
💡 Success Story: Providing fix suggestion increased bounty by 25%

Easy Professionalism

Use clear language, proper grammar, and spelling.
Be polite and respectful.
💡 Tip: Good relationship with triage team = better bounties long-term

Easy Submit & Store

Submit Report.
Securely Store Your Findings (local copy).
💡 Tip: Keep your own database of reports for future reference

Easy Continuous Improvement

Monitor Report Status.
Respond Promptly to team questions.
💡 Tip: Fast response time builds trust with triage teams
Handle Duplicates/NAs Gracefully.
💡 Tip: Duplicates happen to everyone - learn from them
Learn from Disclosed Reports.
🔗 Resource: Read HackerOne Hacktivity daily
Stay Updated (security news, blogs, researchers).
💡 Success Story: Following security researchers on Twitter led to finding similar bugs - $15K total
Practice (CTFs, vulnerable labs).
🔗 Resources: HackTheBox, TryHackMe
Refine Your Methodology.
💡 Tip: Review your notes every month - identify patterns in successful findings

⚙️ Phase 1: Preparation & Mindset

Quick Resources & Tools

Easy Understand Program Scope

Easy Set Up Your Environment

Medium Review Basic Security Concepts

Easy Choose Your Target(s) within the Program

🔍 Phase 2: Reconnaissance

Recon Tools & Resources

Easy Passive Reconnaissance

Medium Active Reconnaissance

🛡️ Phase 3: Vulnerability Analysis & Manual Testing

Testing Tools & CVE References

Easy Map Application Structure

Hard OWASP Top 10 & Common Vulnerabilities

Medium Other Common Vulnerabilities

Hard API Testing (if applicable)

Easy Automated Scanning (supplement, if allowed)

⚡ Phase 4: Exploitation & Proof of Concept (PoC)

Exploitation Resources

Medium Exploitation Best Practices

📝 Phase 5: Reporting

Report Writing Resources

Easy Review Program's Reporting Guidelines

Medium Write a Clear and Concise Report

Easy Professionalism

Easy Submit & Store

🚀 Phase 6: Post-Reporting & Continuous Learning

Learning Resources

Easy Continuous Improvement

Confirm Reset