Bug Bounty Reference

Cross-Site Scripting (XSS)

Brute Force

SQL Injection

Stealing Access Token

Google oauth bypass


Remote Code Execution


- Java Deserialization in by Michael Stepankin
- Instagram's Million Dollar Bug by Wesley Wineberg
- Ruby Cookie Deserialization RCE on by Michiel Prins (michiel)
- Java deserialization by meals

Image Tragick

- Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition) by NaHamSec
- Exploiting ImageMagick to get RCE on HackerOne by c666a323be94d57
- Trello bug bounty: Access server's files using ImageTragick by Florian Courtial
- 40k fb rce
- Yahoo Bleed 1
- Yahoo Bleed 2

Direct Object Reference (IDOR)


Unrestricted File Upload

Server Side Request Forgery (SSRF)

Race Condition

Business Logic Flaw

Authentication Bypass

HTTP Header Injection

Subdomain Takeover


Money Stealing

2017 Local File Inclusion