@Th3redTea
Created September 24, 2025 14:14

#Triggering Errors:

🕵️ Bug Bounty Error Triggering Checklist

1. Input Manipulation

  • Send wrong types: strings where ints expected (id=abc instead of id=123).
  • Overflow values: id=9999999999999999999.
  • Null byte injection: id=123%00.png.
  • Extremely long values (10k chars) in text fields.
  • Special characters: ';--<>${}.
  • Encoding tricks:
    • Double encode (%252e%252e%252f).
    • Mixed encoding (UTF-16, overlong UTF-8).
    • Right-to-left override (%E2%80%AEexe.jpg).

2. HTTP Layer

  • Use odd HTTP verbs: TRACE, OPTIONS, PUT, DELETE, PROPFIND.
  • Break headers: X-Test: %s%s%s.
  • Duplicate headers: two Content-Length.
  • Invalid Content-Type: send XML where JSON expected.
  • Incomplete multipart: Content-Type: multipart/form-data; boundary=foo with no parts.
  • Corrupt chunked encoding (wrong sizes).
  • Smuggle headers (Transfer-Encoding: chunked + Content-Length).

3. Authentication & Session

  • JWT tampering:
    • Change alg to none.
    • Modify payload, keep signature.
    • Use expired tokens.
  • Corrupt cookies: truncate value, pad with spaces.
  • Delete session cookie, see if verbose error is returned.
  • Replay expired session IDs.

4. File Uploads

  • Upload wrong extension (exe, php).
  • Oversized file (>100MB if limit is smaller).
  • Truncated file (half a PNG).
  • Rename a text file as .jpg.
  • Polyglot files (ZIP+PNG).
  • Special filenames: ..\evil.txt, CON, NUL, aux.jpg.
  • Unicode names: file\u202Egnp.jpg.

5. Query & Parameters

  • Send arrays where scalars expected: id[]=1.
  • Remove required params: omit username.
  • Add extra params: debug=true.
  • Numeric edge cases: negative values, decimals instead of ints.
  • Reorder steps in multi-step flow: POST step 3 without step 2.
  • Send duplicate params: id=1&id=2.

6. Race & Timing

  • Two concurrent requests that update/delete same resource.
  • Slowloris: send headers slowly.
  • Abort mid-request: cancel upload halfway.
  • Replay the same request many times in parallel.

7. Cloud-Specific

  • Oversized headers (>8KB) → see AWS/GCP gateway errors.
  • Invalid signed URLs: tweak X-Amz-Signature.
  • Random paths: /dev/null, /favicon.ico, /admin.
  • Access bucket endpoints directly (https://bucket.s3.amazonaws.com/).
  • Bad API keys: send malformed key headers.

8. Business Logic

  • Negative quantities (qty=-1).
  • Currency mismatches (currency=BTC).
  • Skip steps in order (checkout without cart).
  • Replay old workflow tokens (reset password link twice).
  • Try privilege escalation via invites (invite self as admin).

9. Infrastructure & Subdomains

  • Hit random subdomains: dev.example.com, staging.example.com.
  • Try unusual ports: :8080, :3000, :5000.
  • Send requests with no Host header.
  • TLS tricks: invalid SNI, weak cipher, self-signed cert.

10. Observation & Fingerprinting

  • Look for:
    • Stack traces (NullPointerException, TypeError).
    • Cloud IDs (x-amzn-RequestId, GCP project ID).
    • Library versions (com.mysql.jdbc.Driver, express 4.x).
  • Note differences in error responses (200 vs 403 vs 500).
  • Compare error messages across roles (anon vs logged-in).
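
The observation step above, turned into a check a service owner can run over their own error responses: it flags the three leak classes listed and compares findings across roles. This is an added example, not part of the original gist; the regexes, function names and sample responses are assumptions constructed for illustration.

```python
import re

# Leak classes from the checklist. Patterns are illustrative assumptions,
# not an exhaustive signature set.
CLOUD_ID_HEADER = re.compile(r"^x-amzn-requestid$", re.I)
VERSION_HEADER = re.compile(r"^(server|x-powered-by)$", re.I)
BODY_LEAKS = {
    "stack_trace": re.compile(
        r"Traceback \(most recent call last\)"       # Python traceback
        r"|^\s+at [\w.$<>]+ ?\(.*\)\s*$"             # Java / Node stack frame
        r"|\b(NullPointerException|TypeError)\b",
        re.M),
    "library_version": re.compile(
        r"com\.mysql\.jdbc\.Driver|\bexpress[@ /]\d[\w.]*", re.I),
}

def audit_response(headers, body):
    """Return the sorted leak classes found in one HTTP response."""
    found = set()
    for name, value in headers.items():
        if CLOUD_ID_HEADER.match(name):
            found.add("cloud_id")
        # A bare product name is low signal; a version number is the leak.
        if VERSION_HEADER.match(name) and re.search(r"\d", value):
            found.add("library_version")
    for leak, pattern in BODY_LEAKS.items():
        if pattern.search(body):
            found.add(leak)
    return sorted(found)

def audit_by_role(responses):
    """Map role -> leaks so anon and logged-in error pages can be compared."""
    return {role: audit_response(h, b) for role, (h, b) in responses.items()}

# Constructed sample responses (not captured from any real service).
SAMPLES = {
    "anon": ({"Content-Type": "application/json"}, '{"error": "Not found"}'),
    "logged-in": (
        {"X-Powered-By": "Express 4.18.2", "x-amzn-RequestId": "00000000-example"},
        "TypeError: Cannot read properties of undefined (reading 'id')\n"
        "    at getOrder (/srv/app/routes/orders.js:42:17)\n",
    ),
}

if __name__ == "__main__":
    for role, leaks in audit_by_role(SAMPLES).items():
        print(role, leaks or "clean")
```

A role whose error pages leak more than another's usually points at a handler that bypasses the generic error page.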

🧭 Pro Tips

  • Always screenshot errors (timestamped).
  • Compare error responses across environments (web vs mobile API).
  • Build a “fingerprint notebook” of error banners you’ve seen (fast tech-stack ID).
  • Use errors not only to find bugs but to map the system’s trust boundaries.