The Bug Hunter’s Methodology (TBHM) is a paid training that aims to equip you with the latest tools, techniques, and strategies, plus provide a data-driven methodology on how and where to search for vulnerabilities that are currently common in the wild.
Unlike other courses, TBHM Live is not an A-Z or beginner-oriented course.
True to the spirit of my public TBHM talks, my emphasis is on expert tips, time-saving tricks, practical Q&As, automation strategies, vetted resources, and engagement via the dedicated community on Discord.
Each module will use real-time targets where possible. You’ll have access to all source material to refer back to after the training.
TBHM is also much more than just a course. I am dedicated to fostering a vibrant and supportive community for our learners. In keeping with this commitment, I will maintain a Discord channel for ongoing support, including resume guidance and job placement assistance.
Join us for TBHM and get ready to supercharge your skills, refine your strategies, and join an active community of like-minded professionals.
Attendees should have:
Burp Suite (Pro preferably), and a VM or equivalent access to a *nix command line.
Pre-requisites for attendees:
General web application and network security testing knowledge is required. Some topics assume familiarity with OWASP Top Ten style vulnerabilities and prior testing experience.
A full list of tools needed will be included after purchase.
Full Syllabus:
General Topics
Project tracking for large-scope assessments (Red Team and Bounty)
Mental Health in Offensive Security
Templating and Reporting
Testing Environment
Providers
Tools
Recon Topics
Recon Concepts
Introduction to Recon
Recon Techniques:
Acquisitions and Domains
Shodan
ASN Analysis
Crunchbase ++
SSL Recon
ReconGPT
Reverse WHOIS
Reverse DNS
Reverse IP
DMARC Analysis
Ad and Analytics Relationships
Supply chain investigation and SaaS
Google-fu (trademark & privacy policy)
TLD Scanning
O365 Enumeration for Apex Domains
Subdomain Scraping (all the best sources and why to use them)
Sources
Brute force
Wildcards
Permutation Scanning
Linked Discovery
Wordlists
Advantageous Subs (WAF bypass – Origins)
Favicon analysis
Sub-subdomains
Port Scanning
Screenshotting
Esoteric techniques
Service Bruteforce
Application Analysis Topics
Best resources to follow to stay sharp
Print resources
Trainings
Podcasts and YouTube
labs
Recon Adjacent Vulnerability Analysis
CVE scanners vs Dynamic Analysis
Subdomain takeover
S3 buckets
Quick Hits (swagger, .git, configs, panel analysis)
Analysis Concepts
Intended usage (not holistic, contextual)
Analysis Layers
Application layers as related to success
Tech profiling
The Big Questions
Change monitoring
Vulnerability Automation
More on CVE and Dynamic Scanners
Dependencies
Running automation early so you can focus on manual testing
Secrets of automation kings
Content Discovery
Intro to CD (walking, brute/fuzz, historical, JS, spider, mobile, params)
Importance of walking the app
Bruteforce Tooling
Bruteforce Tooling Lists:
Based on tech
Make your own (from install, Docker Hub, trials, from word analysis)
Best base wordlists
Quick configs
API lists
Bruteforce Tooling Tips: Recursion
Bruteforce Tooling Tips: sub as path
Bruteforce Tooling Tips: 403 bypass
Historical Content Discovery
Spidering
Mobile Content Discovery
Parameter Content Discovery
JavaScript
Cheatsheets (BETA)
Raw Analysis
Inline JS
Obfuscated JS
Lazy Loaded JS
Minified JS
Mobile JS Analysis
Advanced tooling and tips for all the above
The Big Questions
How does the app pass data?
How/where does the app talk about users?
Does the site have multi-tenancy or user levels?
Does the site have a unique threat model?
Has there been past security research & vulns?
How does the app handle common vuln classes?
Where does the app store data?
Application Heat Mapping
Common Issue Place: Upload functions
Common Issue Place: Content type multipart-form
Common Issue Place: Content type XML / JSON
Common Issue Place: Account section and integrations
Common Issue Place: Errors
Common Issue Place: Paths/URLs passed in parameters
Common Issue Place: Chatbots
Web Fuzzing & Analyzing Fuzzing Results
Parameters and Paths (generic fuzzing)
Reducing Similar URLs
Dynamic only fuzzing
Fuzzing resources SSWLR – “Sensitive Secrets Were Leaked Recently”
Backslash Powered Scanner
XSS Tips and Tricks
Stored and Reflected
Polyglots
Blind
DOM Tools
Common Parameters
Automation and Tools
IDOR Tips and Tricks
IDOR, Access, Authorization, MLAC, Direct browsing, Business logic, Parameter manipulation
Numeric IDOR
Identifying user tokens GUID IDOR
Common Parameters
Resources
SSRF Tips and Tricks
SSRF intro
URL schemes
Alternate IP encoding
Common Parameters
Resources
XXE
Common areas of exploitation
Payloads
Common Parameters
Resources
File Upload Vulnerabilities Tips and Tricks
Common bypasses
Common Parameters
Resources
SQL Injection Tips and Tricks
sqlmap tamper scripts
ghauri
Resources
Common Parameters
Bypass of Security Controls
Sec control types (CDN, Server, Code-level)
Block Triggers
Bypass techniques
Dependency Confusion
How it works
Where and what to look for
Resources