+- I Red Team DEV (https://ired.dev)
+-- Forum: Bug Bounty (https://ired.dev/forumdisplay.php?fid=11)
+--- Forum: Writes-up (https://ired.dev/forumdisplay.php?fid=12)
+--- Thread: #WebApp_Security (/showthread.php?tid=33)
#WebApp_Security - Unix_Root - 07-06-2025
#WebApp_Security
Bug Bounty Cheat Sheet, Ver.1.0.
1. Account Takeover (ATO) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Account%20Takeover)
2. API Key and Token Leaks (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks)
3. Bypass Upload Tricky (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files)
4. Clickjacking (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Clickjacking)
5. Client Side Path Traversal (CSPT) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Client%20Side%20Path%20Traversal)
6. Command Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
7. Content Injection (https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/content-injection.md)
8. CORS (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration)/OAuth (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/OAuth%20Misconfiguration) Misconfiguration
9. CRLF Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection)
10. CSV Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20Injection)
11. Cross-Site WebSocket Hijacking (CSWSH) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Web%20Sockets)/Request Forgery (CSRF/XSRF) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Cross-Site%20Request%20Forgery)
12. DNS Rebinding (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/DNS%20Rebinding)
13. DOM Clobbering (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/DOM%20Clobbering)
14. Dependency Confusion (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Dependency%20Confusion)
15. Directory Traversal (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal)
16. External Variable Modification (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/External%20Variable%20Modification)
17. File Inclusion/LFI (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion)
18. GraphQL Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection)
19. HTTP Request Smuggling (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Request%20Smuggling)/Parameter Pollution (HPP) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/HTTP%20Parameter%20Pollution)
20. Insecure Deserialization (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization)/Direct Object References (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References)/Management Interface (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Management%20Interface)/Randomness (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Randomness)/Source Code Management (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Source%20Code%20Management)
21. LDAP Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)
22. LaTeX Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection)
23. Mass Assignment (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Mass%20Assignment)
24. Memory Exhaustion (DoS) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Denial%20of%20Service)
25. NoSQL Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)
26. ORM Leak (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/ORM%20Leak)
27. Open URL Redirect (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect)
28. Prompt Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Prompt%20Injection)
29. Prototype Pollution (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Prototype%20Pollution)
30. Race Condition (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Race%20Condition)
31. Regular Expression DoS (ReDoS) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Regular%20Expression)
32. SAML Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SAML%20Injection)
33. SQL Injection (SQLi) (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
34. Server Side Include Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Include%20Injection)/Request Forgery (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)/Template Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection)
35. SMTP Header Injection (https://www.acunetix.com/blog/articles/email-header-injection)
36. Tabnabbing (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Tabnabbing)
37. Type Juggling (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Type%20Juggling)
38. Web Cache Deception (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Web%20Cache%20Deception)
39. XPATH (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection)/XSLT (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection)/XSS (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)/XXE Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection)
40. Zip Slip Command Execution (https://github.com/snyk/zip-slip-vulnerability)