🐛 Bug Bounty Hunting Search Engine

Made with ❤️ by @payloadartist

Frequently Asked Questions

Learn more about the types of bugs you can find on bug bounty programs.

What is an XSS vulnerability? Cross-Site Scripting (XSS) attacks are injection attacks in which malicious scripts are inserted into otherwise trustworthy and innocuous websites. XSS attacks occur when an attacker uses a web application to send malicious code to a particular end user, usually in the form of a browser-side script. The flaws that enable these attacks to succeed are common and can be found wherever a web application uses input from a user within the output it generates without validating or encoding it.

There are mainly 3 types of XSS -

What is an IDOR vulnerability? When a web application or API exposes a reference to an internal implementation object, it is referred to as Insecure Direct Object Reference (IDOR). Doing so exposes the element's true identifier as well as the format/pattern it uses in the storage backend.

An example would be an API that gives you access to data belonging to other users through an endpoint such as /api/users/:id, where an attacker can fetch the data of any user by manipulating the id parameter.
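
The /api/users/:id case above, as an added example (not code from this site): a framework-free handler shown in its vulnerable form next to a hardened one that checks ownership on the server. The user records, session shape and function names are constructed for illustration.

```javascript
// Constructed sample data standing in for the storage backend.
const USERS = new Map([
  [1, { id: 1, name: "alice", email: "alice@example.test", role: "user" }],
  [2, { id: 2, name: "bob", email: "bob@example.test", role: "user" }],
  [3, { id: 3, name: "carol", email: "carol@example.test", role: "admin" }],
]);

// Authorization failures, kept so repeated probing of other ids can be alerted on.
const denied = [];

// Parse the :id path parameter strictly; rejects "2abc", "1e0", "-1" and "".
function parseId(raw) {
  return /^[1-9][0-9]*$/.test(String(raw)) ? Number(raw) : null;
}

// Vulnerable: the caller is authenticated, but the lookup trusts :id as-is,
// so any logged-in user can read any other user's record.
function getUserVulnerable(session, rawId) {
  if (!session) return { status: 401 };
  const user = USERS.get(Number(rawId));
  return user ? { status: 200, body: user } : { status: 404 };
}

// Hardened: the caller must own the record or hold the admin role.
// The role is read from the server-side store, never from client input.
function getUserHardened(session, rawId) {
  if (!session) return { status: 401 };
  const id = parseId(rawId);
  if (id === null) return { status: 400 };
  const caller = USERS.get(session.userId);
  const allowed = caller && (caller.id === id || caller.role === "admin");
  if (!allowed) {
    denied.push({ caller: session.userId, requested: id });
    // Same response whether or not the id exists, so ids cannot be enumerated.
    return { status: 404 };
  }
  const user = USERS.get(id);
  return user ? { status: 200, body: user } : { status: 404 };
}
```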

What is an SSRF vulnerability? In a Server-Side Request Forgery (SSRF) attack, the attacker can read or update internal resources by abusing server features. The attacker may supply or change a URL to which the server's code can read or send data, and by carefully choosing the URLs, the attacker might be able to read server configuration such as AWS metadata, access internal services, and so on.

What is a SQLi vulnerability? A SQL injection attack involves inserting or "injecting" a SQL query into the application through the client's input data. An effective SQL injection exploit can read sensitive data from the database, alter database data (Insert, Update or Delete), perform database administration operations (such as shutting down the database management system), and recover the content of a given file on the DBMS file system.

What is an RCE vulnerability? If user input is inserted into a file or a string and then executed (evaluated) by the backend programming language's parser, a remote code evaluation (RCE) vulnerability can be exploited. A Remote Code Evaluation will result in the entire web application and web server being compromised, as it allows an attacker to execute arbitrary commands on the server.

How can I reach you? If you have any feedback or concerns about this site, I can be reached on Twitter.