Important Note: Always start with deliberately vulnerable applications like DVWA (Damn Vulnerable Web Application) or Web Security Academy before testing on real bug bounty programs.
Identify all locations where the application accepts user input:
Common SQLi injection points:
GET /users?id=1Let's imagine our target is a note-taking application: https://notes.example.com.
You browse the application and identify actions that change data on the server. These are typically non-GET requests (POST, PUT, PATCH, DELETE).
Prime candidates on notes.example.com:
Let's imagine our target is a social media site: https://socialapp.example.com.
You browse the application and look for actions that change the state of your account or data and only require a single click (no text input, drag-and-drop, etc.).
Prime candidates on socialapp.example.com:
Let's imagine our target is https://example.com.
You're browsing example.com and notice that when you click the "Login" button, it takes you to a URL like:
https://example.com/login?redirect=/dashboard
redirect parameter is a classic candidate. It tells the application where to send the user after a successful login. Other common parameter names include:Let's imagine our target is a simple, hypothetical search page on a site like https://testbounty.example.com.
You navigate the site and find a search feature at the top of the page. The URL looks like this after you search for "shoes":
https://testbounty.example.com/search?query=shoes
Complete Reference for Advanced Search Operators