Ethical Hacking/Pentesting & Bug Bounty Hunting v2 2025

About Ethical Hacking/Pentesting & Bug Bounty Hunting v2 2025

Welcome to

Ethical Hacking / Penetration Testing and Bug Bounty Hunting Course v2.0

. This course covers web application attacks and how to earn bug bounties. There is no prerequisite of prior hacking knowledge and you will be able to perform web attacks and hunt bugs on live websites and secure them.

This course is not like other hacking or penetration testing course with outdated vulnerabilities and only lab attacks. This contains maximum live websites to make you comfortable with the Live Hunting Environment.

This course will start from

basic principles

of each vulnerability and How to attack them using multiple

bypass

techniques, In addition to

exploitation,

you will also learn how to

fix

them. This course is

highly practical

and is made on

Live websites

to give you the exact environment when you start your penetrating testing or bug hunting journey. We will start from the basics of each vulnerability and move ahead to the advance level of exploitation and multiple

edge case scenarios

on live websites. This course is divided into a number of sections, each section covers how to

hunt, exploit and mitigate

a vulnerability in an ethical manner. After identification of a vulnerability, we will

exploit to leverage the maximum severity

out of it. We will also learn how to fix vulnerabilities which are commonly found on the websites on the internet. In this course, you will also learn How can you start your journey on many famous bug hunting platforms like

Bugcrowd, Hackerone, Synack, Private RVDP, Intigriti, NCIIPC Govt of India and Open Bug Bounty.

Along with this, you will be able to hunt and report vulnerabilities to

NCIIPC Government of India,

also

private

companies and to their

responsible disclosure programs.

You will also learn Advance techniques to bypass filters and the developers logic for each kind of vulnerability. I have also shared personal tips and tricks for each attacks where you can trick the application and find bugs quickly. This course also includes the

Breakdown of all Hackerone Reports

which are found and submitted by other hackers for better understanding as we will

cover each type of technique in the course.

This course also includes important

interview questions

and answers which will be helpful in any penetration testing

job interview.

Here's a more detailed breakdown of the course content:

In all the sections we will start the

fundamental principle of How the attack works, Exploitation and How to defend

from those attacks.

In Lab Setup,

We will cover what is Burpsuite Proxy and Linux, also we will learn how to setup both for further pentesting and hunting.

1. In Subdomain Takeovers

, we will cover all different types of cloud based scenarios like

AWS, Github, Shopify, Tumblr and many more

. In addition, we will learn

Advance fingerprints and our newly made Can I take over all XYZ templates.

We will see all the types of Subdomain takeovers attacks on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey. This course also includes a

breakdown

of all the

Hackerone reports

submitted by other hackers for Subdomain Takeovers type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks. In the end, I have added Interview Questions and answers which be helpful for you when Subdomain Takeovers questions are asked in any job or internship.

2. In File Inclusion

, we will cover all diff types of ways to attacks Linux and Windows based systems

. We will cover Local and Remote File Inclusion Attacks.

We will see all the types of File inclusion bypass on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey. We will also cover different ways to perform File Inclusion Exploitation using different techniques. We will also leverage our file inclusion to Remote Code Execution on live targets. This course also includes

a breakdown

of all the

Hackerone reports

submitted by other hackers for File Inclusion type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks. I have added

Interview Questions and answers

which be helpful for you when File Inclusion questions are asked in any job or internship.

3. In Server Side Request Forgery SSRF Attacks

, we will check this vulnerability for different injection points, In addition, we will learn how to find these types of vulnerabilities in multiple targets. We will see all the types of SSRF attacks on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey. We will also cover different ways to perform

SSRF Attacks Exploitation

using multiple types by

bypass tricks on targets.

We will also learn how to scan the internal ports of the target vulnerable running server. We will also see the exploitation and download of the metadeta of the AWS Instances using SSRF This course also includes a

breakdown

of all the

Hackerone reports

submitted by other hackers for SSRF Attacks type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks.

4. In Remote Code Execution (RCE) Attacks

, we will check this vulnerability for different injection points, In addition, we will learn how to find these types of vulnerabilities can lead to

execution of malicious code on the target server.

We will also cover different ways to perform code injection attacks on multiple targets to make you comfortable with different examples and test cases. This course also includes

a breakdown

of all the

Hackerone reports

submitted by other hackers for RCE type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks.

5.

In SQL Injection

, we will check this vulnerability for different injection points, In addition, we will learn how to find these types of vulnerabilities can lead to

Database Dumping &

Sensitive Data Disclosure

of other users. We will see all the types of SQLi attacks on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey. We will also cover different ways to perform SQLi attacks and

bypass

SQLi

protection on many live websites

by using

different WAF bypass payloads.

This course also includes

a breakdown

of all the

Hackerone reports

submitted by other hackers for SQLi type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks.

6.

In HTML Injection

, we will check this vulnerability for different injection points, In addition, we will learn how to find these types of vulnerabilities can lead to

tricking users in visiting malicious websites and identify theft.

We will see all the types of HTML Injection attacks on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey.This course also includes

a breakdown

of all the

Hackerone reports

submitted by other hackers for HTML Injection type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks.

7.

In Clickjacking

, we will check this vulnerability for different targets, In addition, we will learn how to find these types of vulnerabilities can lead to

sensitive actions on target websites.

We will see all the types of

Clickjacking

attacks on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey.This course also includes

a breakdown

of all the

Hackerone reports

submitted by other hackers for Clickjacking type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks. 8.

In Broken Link Hijacking

, we will check this vulnerability for different targets, In addition, we will learn how to find these types of vulnerabilities can lead to

takeovers of files, accounts, media etc on target websites.

We will see all the types of

BHL

attacks on

live websites

which will give you a better understanding of the live environment when you will start your bug hunting journey.This course also includes

a breakdown

of all the

Hackerone reports

submitted by other hackers for BHL type of vulnerability wherein we will see and

practice all types

of attacks in our course. In the end, we will also cover

mitigations

to secure a website and prevent these types of attacks. You will also get additional

BONUS sessions

, in which I m going to share my personal approach for hunting bugs. All the videos are recorded on

Live websites

so that you understand the concepts as well as you get comfortable to work on a

live environment.

I have also added

Interview Questions and answers

for each attack which will be helpful for those are preparing for

Job Interviews and Internships

in the field of Information Security. With this course, you get

24/7 support

, so if you have any questions you can post them in the Q&A section and we'll respond to you as soon as possible.

Special Thanks to

- Ronit Bhatt, Vaibhav Lakhani, Ritika Keni, Pranav Bhandari and all other Hacktify Team Members for Vulnerability Disclosures POC's & constant support. If you would like to contribute to us mail at - shifa@hacktify.in _Notes:_

_This course is created for educational purposes only and all the websites I have performed attacks are ethically reported and fixed._

_Testing any website which doesn’t have a Responsible Disclosure Policy is unethical and against the law, the author doesn’t hold any responsibility._