Ethical Hacking / Penetration Testing & Bug Bounty Hunting v2

Course Features

Duration: 10.01 hours
Delivery Method: Online
Available on: Lifetime Access
Accessibility: Desktop, Laptop
Language: English
Subtitles: English
Level: Intermediate
Teaching Type: Self Paced
Video Content: 10.01 hours

Course Description

Welcome to Ethical Hacking/Penetration Testing and Bug Bounty Hunting Course v2.0. This course covers web application hacking and how to earn bug bounties. You don't need to have hacking experience. You will be able to perform web attacks, hunt bugs on live websites, and secure them.
This course is not like any other hacking or penetration testing course. It does not rely on outdated vulnerabilities or lab-only attacks. It uses as many live websites as possible so that you feel comfortable in a live hunting environment.
This course covers the basics of each vulnerability and how to exploit it using multiple bypass techniques. You will also learn how to fix these vulnerabilities.

This course is extremely practical and is taught on live websites. It will give you the exact environment you need to begin your bug hunting or penetration testing journey.

We will begin with the basics of each vulnerability, and then move on to the advanced level of exploitation and multiple edge cases on live websites.

This course is divided into several sections. Each section covers ethical hunting, exploitation, and mitigation of a vulnerability.

Once we have identified a vulnerability, we will exploit it to get the maximum severity. We will also learn how we can fix vulnerabilities that are often found on websites.

This course will teach you how to start your journey on bug hunting platforms such as Bugcrowd, Hackerone, Synack, private RVDPs, Intigriti, NCIIPC Govt of India, and Open Bug Bounty.
You will also be able to report vulnerabilities to the NCIIPC Government of India as well as to private companies and their responsible disclosure programs.
You will also learn advanced techniques to bypass the filters and developers' logic used against each type of vulnerability. I have also shared my personal tips and tricks for each attack so you can quickly trick the application and find bugs.

This course also includes a breakdown of Hackerone reports submitted by hackers, to help you better understand each technique.
This course also contains important interview questions and answers that will be useful in any job interview for penetration testing jobs.
Here's a detailed breakdown of the course content.
In all sections we will start with the fundamental principles: how the attack works, how to exploit it, and how to defend against it.

Lab Setup will explain what Burpsuite Proxy and Linux are. We will also learn how to set them up for pentesting and hunting.

1. Subdomain Takeovers will cover all types of cloud-based scenarios such as AWS, Github and Shopify. We will also learn about advanced fingerprints and our new Can I takeover all XYZ templates.
We will be able to see all types of Subdomain Takeover attacks on live sites, which will give us a better understanding of the environment when we start our bug hunting journey.

This course also includes a breakdown of all Hackerone reports submitted by hackers for Subdomain Takeover type vulnerabilities. We will be able to see and practice all types of attacks in our course.

We will also discuss mitigations to secure websites and prevent attacks.

I have included Interview Questions and Answers at the end. These are useful for Subdomain Takeovers questions that may be asked in any job or internship.

2. File Inclusion will cover all possible ways to attack Linux and Windows-based systems. We will discuss both remote and local File Inclusion attacks.
We will be able to see all types of File Inclusion bypasses on live sites, which will give us a better understanding of the environment when we start our bug hunting journey.

We will also discuss different methods to perform File Inclusion Exploitation using various techniques. Our file inclusion will be used for Remote Code Execution on live targets.

This course also includes a breakdown of all Hackerone reports submitted for File Inclusion type vulnerabilities. We will be able to see and practice all types of attacks in our course.

We will also discuss mitigations to secure websites and prevent attacks.

I have added Interview Questions to help you with File Inclusion questions.

3. We will examine Server Side Request Forgery (SSRF Attacks) to determine if there are any injection points. Additionally, we will show you how to spot these types of vulnerabilities in multiple targets.

We will be able to see all types of SSRF attacks live on websites. This will give us a better understanding of the environment before we start our bug hunting journey.

We will also discuss different methods to carry out SSRF exploitation using multiple types of bypass tricks on targets.
We will also learn how to scan the internal ports of the vulnerable target server.

We will also be able to exploit and download the metadata from AWS instances via SSRF, which is something that most researchers overlook.

This course also includes a breakdown of all Hackerone reports submitted by hackers for SSRF type vulnerabilities. We will be able to see and practice all types of attacks in our course.

We will also discuss mitigations to secure websites and prevent attacks.

4. Remote Code Execution Attacks (RCE) will examine this vulnerability for various injection points. We will also learn how to identify these types of vulnerabilities that can lead to execution on the target server.
We will also discuss different methods to execute code injection attacks against multiple targets in order to familiarize you with different examples and test situations.

This course also includes a breakdown of all Hackerone reports submitted by hackers for RCE type vulnerabilities. We will be able to see and practice all types of attacks in our course.

We will also discuss mitigations to secure websites and prevent attacks.

5. SQL Injection will examine the vulnerability for various injection points. We will also learn how to identify these types of vulnerabilities that can lead to Database Dumping and Sensitive Data Disclosure by other users.

We will be able to see all types of SQLi attacks on live sites, which will help you get a better understanding of the environment before you start your bug hunting journey.

We will also discuss different ways to execute SQLi attacks on live websites and bypass SQLi protection by using different WAF bypass payloads.
This course also includes a breakdown of all Hackerone reports submitted by hackers for SQLi type vulnerabilities. We will be able to see and practice all types of attacks in our course.

We will also discuss mitigations to secure websites and prevent attacks.

6. HTML Injection will examine this vulnerability for various injection points. We will also learn how to identify these vulnerabilities, which can trick users into visiting malicious websites and lead to identity theft.
We will be able to see and practice all types of HTML Injection attacks on live sites. This will help you get a better understanding of the environment in which you will be bug hunting.

We will also discuss mitigations to secure websites and prevent attacks.

7. Clickjacking will show you how to identify vulnerabilities that can lead to sensitive actions on target sites.
We will be able to see all types of Clickjacking attacks on live sites which will give us a better understanding of the environment when we start our bug hunting journey.

We will also discuss mitigations to secure websites and prevent attacks.

8. Broken Link Hijacking will show you how to check for vulnerabilities in different targets.
We will be able to see and practice all types of BLH attacks on live sites. This will help you understand the environment better when you start bug hunting.

We will also discuss mitigations to secure websites and prevent attacks.

Additional bonus sessions will be available, in which I will share my personal approach to hunting bugs. All the videos are recorded on live websites, so you can understand the concepts and feel more comfortable working in a live setting. Interview Questions and Answers have been added for each attack. This will be useful for those who are preparing to apply for internships or job interviews in the field of Information Security.

This course includes 24/7 support. If you have any questions, you can post them in our Q&A section. We'll reply as soon as possible.
Ronit Bhatt and Vaibhav Laakhani, Ritika Keni, Pranav Bhandari, and all Hacktify Team members for Vulnerability Disclosures POCs & constant support.

Send us a note at shifa@hacktify.in if you'd like to contribute.
This course is educational only. All websites I have attacked are ethically reported to me and fixed.
Testing websites that don't have a Responsible Disclosure Policy violates the law and is unethical. The author also doesn't bear any responsibility.

Course Overview

Virtual Labs

International Faculty

Post Course Interactions

Instructor-Moderated Discussions

Skills You Will Gain

Prerequisites/Requirements

Basic IT Skills

No Linux, programming or hacking knowledge required

Computer with a minimum of 4GB ram/memory & Internet Connection

Operating System: Windows / OS X / Linux

What You Will Learn

Bug Bounty Hunting - Live

Tips and Tricks to hunt bugs

BreakDown of Hackerone Reports for better understanding

Interview Preparation Questions Answers and Approach

Web Application Penetration Testing - Live

Become a bug bounty hunter & Hunt on Live Websites

Intercept requests using a Burpsuite proxy

Gain full control over target server using SQL Injection Attacks

Discover Vulnerabilities, technologies & services used on target website

Subdomain Takeovers

SQLi Interview Questions and Answers

Hunt Basic HTML Injection Vulnerabilities on Live Environments

Hunt Basic ClickJacking Vulnerabilities on Live Environments

Exploit and perform Local File Inclusion (LFI) on Live websites

Exploit and perform Remote File Inclusion (RFI) on Live websites

Exploit and perform Remote Code Execution (RCE) on Live websites

Fix and Mitigations against SQLi Vulnerabilities

Practical Tips and Tricks for hunting SQLi Live

Broken Link Hijacking

Fix and Mitigations against RCE Vulnerabilities

Interview Questions and answers

Bug Bounty - Roadmap for Hackerone

Bug Bounty - Roadmap for Bugcrowd

Bug Bounty - Roadmap for Open Bug Bounty

Bug Bounty - Roadmap for NCIIPC (Govt of India)

Bug Bounty - Roadmap for RVDP All Programs

Reporting Templates

Target Students

Anybody interested in learning website & web application hacking / penetration testing

Any Beginner who wants to start with Penetration Testing

Any Beginner who wants to start with Bug Bounty Hunting

Trainers who are willing to start teaching Pentesting

Any Professional who is working in Cyber Security and Pentesting

Ethical Hackers who want to learn How OWASP Works

Beginners in Cyber Security Industry for Analyst Position

SOC person who is working in a corporate environment

Developers who want to fix vulnerabilities and build secure applications

Course Instructors

Rohit Gautam

Instructor

I am Rohit Gautam, the CEO & Founder of Hacktify Cyber Security. I have been in Cyber Security Training for many years. My students have been in the Top 15 Cyber Security Researchers of India twice in a Row...