
This lecture introduces you to Zaid Sabih (the course instructor) and to the course content.
This lecture will cover the main components and technologies that have to work together to make up the nice websites and web applications that we use every day. This knowledge is crucial for bug hunters and security researchers.
Information disclosure vulnerabilities are the second most common vulnerabilities according to OWASP.
This is an introduction lecture to introduce you to these vulnerabilities and give you a brief overview of the contents of this section.
This is the first hands-on example lecture; you'll learn how to read the robots.txt file and discover the database login information.
In this lecture you'll learn how to discover hidden paths and endpoints on the target website using a program called FeroxBuster.
This lecture will teach you how to discover hidden paths in the target website.
You'll also be introduced to HTTP status codes, their meanings and the hints they give us as bug hunters or security researchers.
This lecture will teach you how to think like a hacker or a bug hunter, how to ask the right questions, research and dig deeper to discover more bugs and vulnerabilities in the target application.
This lecture will introduce you to the HTTP POST method, what it is, what it's used for and how to use it when hunting for bugs and vulnerabilities.
This lecture will introduce you to the HTTP GET method, what it is, what it's used for and how to use it when hunting for bugs and vulnerabilities.
This lecture will introduce you to Burp Suite and Burp Proxy. This is one of the most essential tools for bug hunting and security testing. This video will also introduce you to Burp Proxy and teach you how to use it to intercept requests and modify values sent to the target web application.
Broken access control vulnerabilities are the most common security threats according to the OWASP Top 10. This lecture introduces you to these vulnerabilities and gives you a brief overview of what you'll learn in this section.
In this lecture you'll learn more about cookies, what they are, what they're used for and how to manipulate them to discover bugs and vulnerabilities in the target application.
You'll also learn how to use the find-and-replace feature of Burp Proxy to match data within HTTP flows and replace it automatically.
This lecture covers another broken access control example where you can access information that belongs to other users through ID manipulation.
You'll also learn how to use the developer tools to inspect the page code and unhide masked data.
As a result you'll be able to read the passwords of other users in plain text.
Insecure Direct Object Reference, or IDOR, is a special type of broken access control vulnerability.
You'll learn all about these bugs in this lecture and you'll have a practical example on how to discover them.
This lecture will introduce you to the Burp Suite Repeater and teach you how to use it to exploit a broken access control vulnerability to escalate your privileges from a normal user to an administrator.
This lecture will teach you how to use the HTTP TRACE method to debug the communication between the client and the target website.
This can be very important in some cases where more information is needed to understand the behaviour of the target application.
As a result you'll be able to login as the website administrator using a normal account!
This lecture will introduce you to Path / Directory Traversal vulnerabilities and cover a basic example on how to discover them.
This lecture will teach you how to discover path traversal vulnerabilities when relative paths are used by the target web application.
Sometimes developers hard-code file extensions in an effort to make their code more secure. This lecture teaches you how to bypass this and exploit a directory traversal bug.
Developers often filter special or dangerous characters from user input. This lecture teaches you how to bypass filtering and exploit a directory traversal vulnerability.
Sometimes developers hard-code the whole file path to prevent directory traversal. This lecture teaches you how to bypass this and exploit a directory traversal bug.
This lecture teaches you how to use encoding to bypass very restrictive filters.
As shown in all the previous lectures, there are a number of ways and a number of payloads that can be used to bypass security and filters, so this process can be boring and time consuming.
This lecture teaches you how to automate this process using Burp Suite's Intruder feature.
CSRF or Client-side Request Forgery is a special type of broken access control where users can be tricked into submitting requests they don't intend to submit.
These vulnerabilities can occur in a number of ways and can be chained with other vulnerabilities.
This lecture will introduce you to these vulnerabilities and how to discover them.
Future lectures will cover more about CSRF and how it's chained with other vulnerabilities.
This lecture introduces you to OAuth 2.0, how it works and what it's used for.
This knowledge is very important to test the security of social logins.
This lecture will teach you how to analyse the functionality of social logins and discover bugs and vulnerabilities within them.
In this example you'll be able to login to other accounts using their email only!
This video teaches you how to exploit the linking flow in a social login integration to link a target account to your social account. As a result you'll be able to login to any account on the target website using your social media account.
This video teaches you how to exploit an OAuth 2.0 social login flow and chain it with a CSRF to login to any account on the target website using your social media account.
This lecture introduces you to injection vulnerabilities and gives you a brief overview of what you'll learn in this section.
In this lecture you'll learn the basics of command injection vulnerabilities.
This lecture will teach you how to discover advanced blind command injection vulnerabilities like a professional bug hunter.
This lecture will teach you how to discover blind command injection vulnerabilities.
Exploiting blind command injection vulnerabilities can be quite tricky due to the fact that the result is not returned.
This lecture will introduce you to the collaborator feature of Burp Suite and teach you how to use it to exploit blind command injection vulnerabilities.
This video will teach you the theory behind XSS vulnerabilities, the different types and their impact.
In this lecture you'll learn how to discover HTML injection vulnerabilities.
This video lecture will teach you how to discover reflected and stored XSS vulnerabilities and highlights the difference between them.
This lecture will introduce you to DOM based XSS vulnerabilities and highlight the difference between them and reflected and stored XSS vulnerabilities.
This lecture will teach you how to discover XSS vulnerabilities in a link tag.
In this lecture you will learn more about how to properly discover and exploit XSS vulnerabilities. As an example, you'll learn how to inject XSS payloads in image tags.
This lecture continues with advanced XSS discovery and exploitation. In this video lecture you'll learn how to inject XSS payloads directly into the page's JavaScript.
XSS vulnerabilities can occur anywhere within the page. This video shows you a practical example and teaches you how to inject an XSS payload in a drop down menu.
Understanding the target application is crucial to bug hunters. This lecture highlights how important this is when it comes to discovering XSS vulnerabilities.
You'll learn how to list all of the technologies and frameworks used on the target website and use this knowledge to discover an XSS in an application that is based on AngularJS.
Welcome to my comprehensive course on Bug Bounty Hunting & Web Security Testing. This course assumes you have NO prior knowledge. It starts with you from scratch and takes you step-by-step to an advanced level, able to discover a large number of bugs or vulnerabilities (including the OWASP top 10) in any web application regardless of the technologies used in it or the cloud servers that it runs on.
This course is highly practical but doesn't neglect the theory. We'll start with basics to teach you how websites work, the technologies used and how these technologies work together to produce these nice and functional platforms that we use every day. Then we'll start hacking and bug hunting straight away. You'll learn everything by example, by discovering security bugs and vulnerabilities, no boring dry lectures.
The course is divided into a number of sections, each aims to teach you a common security bug or vulnerability from the OWASP top 10 most common security threats. Each section takes you through a number of hands-on examples to teach you the cause of the security bug or vulnerability and how to discover it in a number of scenarios, from simple to advanced. You'll also learn advanced techniques to bypass filters and security measures. As we do this I will also introduce you to different hacking and security concepts, tools and techniques. Everything will be taught through examples and hands-on practicals, there will be no useless or boring lectures!
At the end of the course I will take you through a two hour pentest or bug hunt to show you how to combine the knowledge that you acquired and employ it in a real-life scenario to discover bugs and vulnerabilities in a real website! I will show you how I approach a target, analyse it, and take it apart to discover bugs and vulnerabilities in features that most would think are secure!
As mentioned you'll learn much more than just how to discover security bugs in this course, but here's a list of the main security bugs and vulnerabilities that will be covered in the course:
Information Disclosure.
IDOR (Insecure Direct Object Reference).
Broken Access Control.
Directory / Path Traversal.
Cookie Manipulation.
CSRF (Client-Side Request Forgery).
OAuth 2.0.
Injection Vulnerabilities.
Command Injection.
Blind Command Injection.
HTML Injection.
XSS (Cross-Site Scripting).
Reflected, Stored & DOM Based XSS.
Bypassing Security Filters.
Bypassing CSP (Content Security Policy).
SQL Injection.
Blind SQLi.
Time-based Blind SQLi.
SSRF (Server-Side Request Forgery).
Blind SSRF.
XXE (XML External Entity) Injection.
Topics:
Information gathering.
End point discovery.
HTTP Headers.
HTTP status codes.
HTTP methods.
Input parameters.
Cookies.
HTML basics for bug hunting.
JavaScript basics for bug hunting.
XML basics for bug hunting.
Filtering methods.
Bypassing blacklists & whitelists.
Bug hunting and research.
Hidden paths discovery.
Code analysis.
You'll use the following tools to achieve the above:
FeroxBuster.
WSL.
Dev tools.
Burp Suite:
Basics.
Burp Proxy.
Intruder (Simple & Cluster-bomb).
Repeater.
Collaborator.
With this course you'll get 24/7 support, so if you have any questions you can post them in the Q&A section and we'll respond to you within 15 hours.
Check out the curriculum and the course teaser for more info!