🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • 💡 What is HowToHunt?
  • 📖 How to Use
  • For Readers
  • For Contributors
  • ☕ Support the Project
  • 🛠️ Contribution Guidelines
  • 🌟 Contributors

HowToHunt.md

NextHidden API Functionality Exposure

Last updated 2 months ago

Stars
Forks
Issues
License
Contributors

A collection of practical guides, methodologies, and resources for hunting vulnerabilities From Hackers for Community, because Hacking is not just a skill It’s a Mindset

💡 What is HowToHunt?

HowToHunt is a collaborative repository of step-by-step guides, methodologies, and hands-on techniques for finding specific vulnerabilities. Whether you're a beginner or an experienced hunter, you'll find valuable resources to enhance your bug hunting skills.

Note: This repository aims to provide practical, actionable guides rather than theoretical knowledge. Each guide is contributed by experienced hunters who have successfully used these techniques in the field.

📖 How to Use

For Readers

For Contributors

  1. Fork the repository

  2. Create your feature branch (git checkout -b add-new-guide)

  3. Add your guide in the appropriate category folder

  4. Commit your changes (git commit -m 'Add guide for XSS in login forms')

  5. Push to the branch (git push origin add-new-guide)

  6. Open a Pull Request

☕ Support the Project

If you find this project helpful and want to show your appreciation:

🛠️ Contribution Guidelines

  • Focus on practical, actionable techniques

  • Include real-world examples when possible

  • Provide clear step-by-step instructions

  • Add references to tools, resources, or write-ups that support your guide

  • Please mention your Twitter handle at the end of your guide

🌟 Contributors

Thanks goes to these wonderful people who have shared their knowledge and experience:

Visit our for an organized, searchable reading experience with all the guides properly categorized.

GitBook
Kathan Patel
✅
Mehedi Hasan Remon
✅
Keshav Malik
✅
Vivek Kumar Yadav
✅
Syed Mushfik Hasan Tahsin
✅
Deepak Dhiman
✅
maverickNerd
✅
Harsha Vardhan
✅
Bishal Shrestha
✅
Cyber-Pirate
✅
Naman Shah
✅
ANUGRAH S R
✅
Aishwarya Kendle
✅
MadMaxx
✅
Akshaykerkar
✅
Shadab Ansari
✅
CowlingBanana
✅
Meet
✅
Tushar
✅
Chintan Gurjar
✅
praneeth1998
✅
sumitjat
✅
Mr_p0tat0
✅
ashhadali10
✅
Nav-Prak
✅
NoBodysSafe
✅
Max Boll
✅
Yash K
✅
febinrev
✅
fatinsourav
✅
iNoSec2
✅
Manas Harsh
✅
0xsunil
✅
Rakesh
✅
Pratyaksh Singh
✅
Tamim Hasan
✅
Pratish58
✅
Kalus
✅
Zero (Arif)
✅
Chirag Agrawal
✅
Kushagra Sarathe
✅
RT
✅
Anishka Shukla
✅
Ikko Ashimine
✅
Harshit Raj Singh
✅
Sm4rty-1
✅
dipakpanchal456
✅
Anubhav Singh
✅
Anupam Singh
✅
Rishi Choudhary
✅
Yasser Khan
✅
yasser khan
✅
Fani Malik Hack
✅
dhruvin shah
✅
TCode110
✅
Faizee Asad
✅
Bikram kharal
✅
c0ff33b34n
✅
Veshraj Ghimire
✅
TX
✅
Krishna Agarwal
✅
z3dc0ps
✅
Pugalarasan
✅
Purujeet Singh
✅
Vedant
✅
Ome Mishra
✅
Suprit Pandurangi
✅
Pugalarasan
✅
Prince Prafull
✅
offensive-droid
✅
Prakhar Porwal
✅
Anmol K Sachan
✅