Learning to hack like zseano

zseano is the creator of BugBountyHunter and has discovered over 1,000+ vulnerabilities across bug bounty programs. He has helped others start in bug bounties for a numerous of years and zseano's methodology is designed to be an easy to follow flow/checklist to help with identifying security vulnerabilities in web applications. Most people when starting in bug bounties will jump from program to program looking for anything they can, however focusing on one program and learing as much as you can about their scope & features will usually result in more bugs being discovered.

The guide contains a complete run-down of how zseano approaches hacking on web applications & how he applies this on bug bounty programs, including how to choose the right programs! From the very start with what he does when choosing a program, all the way to the end of what you should be aiming to automate to aid you in your hunting.


Recognised by Amazon Information Security Organisation

zseano has helped Amazon's Information Security Organisation through their vulnerability disclosure program and bug bounty program for a numerous amount of years from when they first started on Bugcrowd (they have since joined HackerOne) and received recognition from them in 2018 for my research efforts.

It was also thanks to their program that zseano met Jonathan Bouman and they have since collaborated together and even finished #1 and #3 on Amazon's Live Hacking Event.

zseano's methodology is aimed at using the site as intended and over time you will be faced with a feature or certain parameter and you'll understand what it is you should be looking for in this specific area, rather than spraying payloads and hoping for the best. For example a lot of people simply register & login and begin and then begin testing, usually because they are looking for one type of vulnerability (xss), but this means they're missing out the login and register flow which may be vulnerable to something such as Oauth token leak.

Hack for features and go through the site piece by piece, understanding how it works, parameters used, features available, and as you gain experience and time passes it'll become like second nature to you. The more you stick to one program, the more you learn and soon it'll feel like you know more about a site than the developers!

Some of zseano's findings/writeups