Curated lists of writeups, cheatsheets, and tools shared by the community.
A full AI-assisted hunting pipeline: prompt injection cheatsheet, automated pentesting with Claude, AI-powered Nuclei templates and URL/WordPress scanners. The new wave of automated hunting.
Start here if you are new: BSCP roadmap, general cheatsheet, Cloudflare bypass, TLS fundamentals and a subdomain enumeration tool. Everything you need to build your first hunting workflow.
From an exposed .env that opens an entire email account to unauthenticated APIs leaking PII of 500+ employees. The bug class where severity is defined by what is exposed, not the technique.
The classic injection bug classes that still pay in 2026. SQLi and XXE cheatsheets as the foundation, then two real-world cases: Code Injection in ingress-nginx and Argument Injection in Weblate.
Source-level analysis of published CVEs in core libraries and tools: curl token leak, proxy reuse, SMB UAF, pyopenssl fail-open, path traversal and DLL side-loading. For understanding how bugs are actually discovered in real code.
Sanitizer bypasses in email clients and rich-text editors: SVG, SMIL, CSS escapes, position:fixed. The bug class that consistently pays out on hardened clients like Roundcube and ProtonMail.
Denial-of-service in modern frameworks: Fastify OOM, quadratic CPU on Django ASGI, GraphQL aliasing and decompression bombs. Well-written DoS reports do get paid.
Open redirects that look like P5 but end up leaking OAuth tokens or stealing credentials. Three bypasses that teach the most common validation patterns and how to break them.
Server-Side Request Forgery and Web Cache Deception/Poisoning: how to turn a single request into RCE-equivalent impact or leak half a dataset. Start with the smuggling cheatsheet for the underlying primitives.
How to defeat second-factor authentication, OAuth flows, and clickjacking that ends in account takeover. The line between Medium and Critical findings.
Bugs no scanner can find: manipulating the app flow to bypass paid plans, assign restricted roles, or drain inventory. One of the highest-paid bug classes in bounty.
IDOR and Improper Access Control: the bugs that dominate bounty reports in 2026. Ordered from low-hanging fruit (Easy) to large-scale exploitation (Hard) with WAF bypass and PII exfiltration.
Master XSS end-to-end: start with the cheatsheets, then escalate from easy Reflected payloads up to advanced DOM and Stored exploits with WAF and filter bypasses that land full account takeover.