Summary of "Wiz Bug Bounty Masterclass | Complete Ethical Hacking Course (Free)"

Course overview

This course is a practical, hands-on guide to bug bounty hunting that focuses on terminal-first reconnaissance, deterministic tooling, and a full web-proxy workflow (Kaido). It covers tools, techniques, labs, and real-world tutorials to find high-impact bugs like IDOR, SSRF, blind XSS, subdomain takeover, secrets leakage, and actuator/heapdump exposures.

What the course teaches (big picture)

• What bug bounties are: legal, crowdsourced vulnerability discovery; program types (vulnerability disclosure / recognition-only vs. paid bounties), severity-based payouts, scope rules, triage, responsible disclosure, and reputation management.
• Workflow mindset: combine automated reconnaissance and deterministic tooling with manual logic testing (browser → HTTP proxy → intercept, replay, tweak). Use the terminal as the primary interface for powerful, scriptable tools and automation.
• Web fundamentals for hunters: HTTP request/response flow, headers, status codes, cookies/sessions, frontend vs backend vs APIs — understanding these basics helps find logic and configuration bugs.

Reconnaissance — practical guide & tools

Goal: discover a company’s entire public attack surface (root domains, subdomains, acquisitions, certificate records).

Passive discovery:

• subfinder (aggregates many public sources)
• crt.sh / certificate transparency
• search engines and Google dorking
• Shodan
• reverse WHOIS
• Crunchbase (acquisitions)

Active discovery:

• DNS probing/resolution (puredns or similar)
• DNS brute-force (wordlists)
• Permutations (altdns / alterx-style)
• Wildcard checking and filtering
• Check for acquisitions and alternate TLDs

Filtering and probing:

• Filter hosts to those that actually resolve (DNS) and serve content (HTTP/ports)
• Tools to probe exposure:
  • httpx — HTTP probing at scale (title, status, tech fingerprinting)
  • Naabu / masscan / nmap — port scanning for unusual ports (e.g., 9000, 8123)
  • Nuclei — template-based checks for misconfigurations and common server vulns
  • FFUF — path/endpoint fuzzing for hidden pages, admin panels, dev endpoints

Tips:

• Screenshot large lists of findings and prioritize 200 responses first
• Check Wayback for historical endpoints
• Use GitHub/Google dorking to find leaked secrets or exposures

Web proxy + manual testing (Kaido-centered tutorial)

Why use an HTTP proxy:

• Inspect and modify every request/response
• Chain tools, automate flows, and speed up logic testing
• Intercept, replay, and iterate on requests

Kaido features covered (setup and hands-on labs included):

• Architecture: client-server model, built-in browser vs. browser proxy extension; install CA cert for HTTPS interception
• Projects: keep targets organized and switch contexts instantly
• HTTP History: request/response feed with pretty/raw/preview views and right-click actions
• HTTPQL: query language to filter requests/responses (field | operator | value)
• Filters & Scope: prebuilt query bundles and host-scope rules to reduce noise
• Intercept: pause and edit requests/responses in-flight
• Replay: store and tweak requests, iterative testing, named sessions/collections
• Placeholders & Environments: store tokens/IDs and substitute them in requests
• Replay Collections: organize findings, gadgets, and vulns
• Automate (fuzzing/parameter iteration): payload lists, workers, delays, preprocessors (e.g., URL encode), guided brute-force (use responsibly)
• Workflows (convert / passive / active): low-code automations to transform data, run checks on responses, or perform actions on demand
• Files: host and use wordlists for brute forcing and fuzzing
• Search: centralized, queryable history across intercept/replay/automate
• Match & Replace: simulate client-side state changes (e.g., pretend role=admin in the response) — important: only a vulnerability if the server accepts the action, not just because your browser shows admin UI

Selected hands-on labs in Kaido:

• Reconnaissance lab (subfinder / puredns / httpx)
• HTTP Hunt lottery (inspect hidden values in responses)
• Too Many Requests (HTTPQL)
• Filters lab
• IDOR lab (intercept + replay + automate)
• Automate brute-force lab
• Files lab (upload/use wordlists)
• Match & Replace lab (simulate admin UI)
• Shift (AI) lab
• Drop (collaboration) lab
• Notes++ lab
• ParamFinder plugin usage

AI in bug hunting

• Role: an assistant that augments manual testing — not a replacement for human judgement.
• Use cases: parse massive JS, strategize attack vectors, assist with post-auth flows.
• Kaido Shift plugin: contextual AI that can generate match & replace rules, build workflows, or act as “agents” inside Kaido.
• Caveat: prefer deterministic scripts for critical checks and always verify AI outputs.

Key tools and categories (quick list)

• Recon: subfinder, Sublist3r-style services, crt.sh, Shodan, reverse WHOIS / Crunchbase
• DNS/resolve: puredns / purdns, dig
• HTTP probing / tech fingerprinting: httpx
• Port scan: Naabu, masscan, nmap
• Template scanning / exploitation: Nuclei
• Fuzzing: FFUF
• Proxy / web-hacking UI: Kaido (proxy + ecosystem)
• Secrets discovery: GitHub search, code scanning
• Automation / tuning: custom scripts, Kaido workflows, Automate module
• Wordlists: SL Cyber wordlists, GitHub repos
• Plugins: ParamFinder, Shift (AI), Drop (collaboration), Notes++

Kaido plugins highlighted

• Shift: contextual AI assistant and “agents” inside Kaido for rule generation and task automation
• Drop: encrypted request-sharing and real-time collaboration (PGP-based sharing)
• Notes++: integrated note-taking with attached replay context
• ParamFinder: brute-forces unknown HTTP parameters and highlights anomalies/reflections

Ethics and procedure

• Always check program scope and disclosure policy before testing.
• Use a PoC approach: demonstrate a vulnerability without destructive exploitation (e.g., don’t dump entire databases unless explicitly allowed).
• Be professional and maintain reputation — triage team decisions may differ, so communicate clearly and respectfully.

Real-world case studies (9 examples)

1. DeepSeek (ClickHouse DB exposure)

   • Found via recon and port scan on an unusual port (9000). Unauthenticated ClickHouse exposed chat histories.
   • Mitigation: close public admin DB ports, require authentication, monitor certificates and hostnames.

2. Airline API / Swagger exposure

   • Swagger/OpenAPI docs revealed member endpoints returning PII without authentication.
   • Lesson: always check API docs/open API specs for sensitive endpoints.

3. “Shark” uploads directory (fuzzing → zip/sql dump)

   • FFUF discovered an uploads directory with a downloadable DB dump (SQL) containing PII — login page does not guarantee safety.

4. Blind XSS in support tickets

   • Injected script into a support field; when an admin viewed the ticket the payload exfiltrated cookies/sessions. Classic blind XSS leading to admin compromise.

5. Subdomain takeover

   • Unused host / misconfigured S3 bucket allowed claim of the bucket/host and serving content for the company subdomain. Detected via subfinder / httpx / nuclei.

6. SSRF → AWS metadata / credential retrieval

   • SSRF allowed access to 169.254.169.254 (instance metadata), leading to credentials and deeper takeover. Large bounty awarded in a live event.

7. GitHub token exposed in repo history

   • Public commit contained a token that granted access to enterprise repos and internal code. Lesson: scan commit history for secrets.

8. Spring Boot actuator heap dump

   • Nuclei templates found /actuator/heapdump exposing in-memory secrets/auth tokens — common and critical.

9. Zero-click account takeover via cookie/session switching

   • Session confusion between staging and production allowed a guest cookie from staging to be accepted in production — immediate account access with no user interaction.

How to get started — practical next steps

• Set up a local terminal environment and learn core tools: subfinder, httpx, puredns, Naabu, Nuclei, FFUF.
• Learn a web proxy (Kaido or Burp): practice intercept → inspect → replay → automate.
• Run the included labs (labs.kai.do) and use the provided cheat sheet to keep key commands handy.
• Read bug bounty writeups, follow researchers, and join community Discords (e.g., Kaido Discord, Critical Thinking Bug Bounty).
• Use AI for repetitive steps but validate outputs; keep deterministic scripts for important checks.
• Start hunting on permissive programs (public bug bounty programs, DoD VDP) to build experience.

Hands-on labs, guides, and tutorial content referenced

• Labs: labs.kai.do — reconnaissance, HTTP Hunt (lottery), Too Many Requests (HTTPQL), filters, IDOR, Automate, Files upload, Match & Replace, Shift/Drop/Notes++ demos
• Tool install & run examples: commands and examples for subfinder, puredns, httpx, Naabu, Nuclei, FFUF, and Kaido flows
• Wordlists sources: SL Cyber wordlists (tools.slcyber.io)
• Templates & automation: Nuclei templates for targeted tech checks (ClickHouse, Spring Boot actuator, takeover detectors)

Main speakers / authors / sources

• Naggi — course lead and Wiz Bug Bounty Masterclass author (walkthroughs and labs)
• Justin — Kaido advisor / guest instructor (Kaido-focused proxy and manual-hacking modules)
• Kaido team — creators of the proxy application and plugin ecosystem
• Tool/plugin authors: Bevix (ParamFinder), SL Cyber (wordlists), Nuclei community, open-router (LLM routing used by Shift)
• Platforms referenced: HackerOne, Bugcrowd, YesWeHack, integrity programs, and public services (crt.sh, Shodan, Wayback)

Bottom line

This is a practical, hands-on course that blends terminal-first recon (subfinder / httpx / puredns / Naabu / Nuclei / FFUF) with a full web-proxy workflow using Kaido. It includes labs teaching common, high-impact bugs (IDOR, SSRF, blind XSS, subdomain takeover, secrets leakage, actuator/heapdump) and productivity plugins (Shift, Drop, Notes++, ParamFinder). The curriculum emphasizes collaboration, automation, and responsible disclosure.

Category

Technology

---

Share this summary

Share on X/Twitter Share on Facebook Share on LinkedIn Share on Reddit Share on WhatsApp Share on Telegram

---

Is the summary off?

If you think the summary is inaccurate, you can reprocess it with the latest model.

Reprocess summary

Video