r/BugBountyNoobs

▲ 35 r/BugBountyNoobs+5 crossposts

Got an AI agent past a Cloudflare WAF by giving it a RAG over past bypass research

Sharing a workflow that worked for me. The retrieval layer involved is my own project, so mentioning that upfront.

Setup: I was testing an XSS on a target behind Cloudflare, and every payload I tried was getting blocked by the WAF.

This time, instead of manually digging through old writeups, I gave my agent access to a retrieval layer built on top of a corpus of web security research (Preview RAG). The agent queries it in plain language, gets back actual writeups with sources attached, and uses that context to generate and test payload variants. One of those variants eventually got through and the XSS fired.

I'm not claiming the bypass itself is novel. It may already exist in a public writeup somewhere. What mattered to me was the workflow: the agent wasn't limited to whatever happened to be inside its training data. It could pull in relevant prior research and iterate from there.

That's the main reason I built this in the first place. Models have a training cutoff, but WAF evasion evolves quickly. Public bypasses get patched, new techniques appear, and the most useful information is usually the newest information. A retrieval layer helps bridge that gap.

The corpus is updated regularly and exposed over MCP, so it can be connected to any model with minimal setup, including smaller open-weight models.

Current limitations: it's strongest on client-side topics right now—XSS, WAF evasion, CSP, CORS, SSRF, request smuggling, and similar areas. Server-side coverage is improving, but still thinner, and it definitely won't have an answer for every problem.

Happy to share more about the setup. I'm honestly more interested in where this approach fails than where it succeeds. If you've experimented with agent-driven WAF bypassing and ran into hard limits, I'd love to hear about them.

u/Substantial_Kick4689 — 15 hours ago
▲ 14 r/BugBountyNoobs+5 crossposts

I built a CLI tool to sync your Notion pages locally & images actually work

Hey guys!

I've been using Notion for my writeups and notes for a while, and every time I tried to export or sync content programmatically, images were always broken. The official API gives you signed S3 URLs that expire in ~1 hour, so by the time your static site builds, half your images are dead.

So I built a small CLI tool that actually handles this properly, images get downloaded locally and the URLs get rewritten, so nothing breaks.

**What it does:**

- Pulls pages or entire databases as clean local markdown files

- Downloads images locally and rewrites the URLs (no more expiring links)

- Auto-detects your workspace and space ID

- Tracks sync state so it only re-pulls pages that actually changed

- Works with any stack - Astro, Hugo, Obsidian, whatever

**Setup is pretty simple:**

```

npm install -g notion-sync-cli

```

Add your Notion PAT to a `.env` file (Settings -> Personal access tokens, not integrations):

```

NOTION_TOKEN=ntn_xxxx

```

Then just run:

```

notion-sync init

```

It walks you through picking your database or pages interactively, no config file editing needed.

Package: `npm install -g notion-sync-cli`

GitHub: https://github.com/Chaelsoo/Notion-sync

Happy to answer any questions or take feedback.

u/Chaelsoo — 17 hours ago

How do I start learning bug bounty?

Hey everyone! I'm new to cybersecurity. So far I've learned the basics, including Linux, Python, and a bit of networking. My goal is to get into bug bounty hunting, but I'm feeling overwhelmed because there's so much information online that I don't know where to start.

I'd really appreciate any advice on a good learning path, beginner-friendly resources, or skills I should focus on first. Thanks in advance!

reddit.com
u/Front_Jacket_4450 — 21 hours ago

I need to start bug bounty!?

Guys please help me to start this with some idea, points, roadmap etc

I am completely new to bug bounty

Hope u guys will guide me

Thanks in advance

reddit.com
u/Funny-Appeal-4176 — 4 days ago

How to step into the world of bug bounty?

Hello bounty hunters, I'm from a non tech background entering into tech, currently learning cybersecurity. Bug bounty has always intrigued me since I came to know about it but there are endless resources, content and materials to explore from and its too much and there isn't a structure. Is there anyone experienced and kind to help me go through a structured path or a legit resource to start with the basics of bug hunting and keep learning as I practice more and more. Even if there's no earning in the start, I'm eager to learn and practice so I can get the basics clear and have an understanding of how to go about it from learning about web applications, ways to find bugs and creating a professional report to submit.

Any help, tips and guidance would be very much appreciated. Please let me know in the comments and upvote for me to reach more people, thanks in advance!

reddit.com
u/StonedInParadise24 — 4 days ago

New to bug bounty and feeling completely lost — looking for methodology advice

I'm just starting out with bug bounty hunting, but it's honestly overwhelming. I pick a target, start poking around the site, and I immediately feel completely lost. I don't feel like I have any real methodology — it feels like I'm just randomly trying things.

Questions:

1.When you land on a target, what methodology/workflow do you actually follow? Do you go feature by feature (e.g., login first, then signup, then payment flow, etc.)? Or do you focus on a specific vuln class from the start (just XSS, or just account takeover, for example)? Or do you just browse the whole site and test whatever catches your eye — basically random?

2.Any articles, books, videos, or general advice you'd recommend for someone getting into bug bounty?

Background:

Web: PortSwigger Web Security Academy (100+ labs done) plus the major topics

HackTheBox web-focused modules

Other: Active Directory pentesting, privilege escalation

Thanks in advance

reddit.com
u/TheShasec — 4 days ago
▲ 12 r/BugBountyNoobs+6 crossposts

I built 5 brownfield apps with planted bugs to stress-test MCP-driven debugging

built an MCP server that ships a "brain" per third-party API, stripe, resend, clerk, twilio, etc. each brain encodes bug patterns: symptom → likely cause → reproduce workflow → fix pattern. wanted to see if it actually catches real bugs vs just vibes.

so i made 5 small brownfield FastAPI apps, each with one planted bug:

- stripe: webhook dedup key on the wrong header. same event processed 2-3x on retry

- resend: handler only listens for email.delivered. bounces and complaints silently dropped, users stay "active" forever

- clerk: session token validation skipped on one endpoint

- agentmail: inbox webhook ignores message.received when body has attachments

- surge: SMS retry off-by-one re-sends to the wrong number

each app is 50-150 lines, .mcp.json wired. clone, run, point your agent at the dispatch prompt.

github.com/fetchsandbox/playground

two things i'm actually trying to figure out: does brain-as-yaml feel like the right curation level or too much vs lighter prompts? and how do you prove an agent fix actually worked when your test infra can't reach the handler?

honest negative findings are the most useful ones. already got one ("agent gave me a fake proof URL"), fixed it same day.

u/Common_Dream9420 — 9 days ago
▲ 3 r/BugBountyNoobs+1 crossposts

From Malware Analysis to Bug Bounty

https://preview.redd.it/fweexmzjs0ah1.png?width=683&format=png&auto=webp&s=1214ed37b1fa1a6d4b9c6677dc22d57559a96163

It's a fake account on Reddit but I really need your help, I didn't move from Malware Analysis but It for finding online jobs and investing my skills in web pentesting which allowing me to return again to Bug Bounty, If a team here need someone can do reverse engineering, malware analysis, basic exploit dev, web pentesting, also threat hunting on email detection, ( I can learn more and more because I love this field ), DM me, if not, just write a comment to advice me, thanks.

https://www.linkedin.com/feed/update/urn:li:activity:7476975083496939521/

reddit.com
u/Sea_Alternative_4229 — 8 days ago
▲ 9 r/BugBountyNoobs+1 crossposts

What’s the most difficult part of web app pentesting for you

Hey guys, What is the most difficult thing you find in web app pentesting

For me, the hardest part is definitely managing the massive mountain of enumeration data just to find the exact endpoint to start testing. Keeping track of all the roles, parameters, and API routes in my head gets overwhelming fast

What is the most annoying or boring part of web application penetration testing that you wish was easier?

Let's share our pain lol

reddit.com
u/InterestPuzzled6659 — 12 days ago
▲ 2 r/BugBountyNoobs+1 crossposts

FOUND MILLION OF DATA LEAK. need advice on how to get a bounty from a company (listed)

Hi guys as my title says , i have found P1 vulnerabilities in a listed company, i reported them some critical vulnerabilities before but they didnt even thanked me, this time i found more and more, and i want bounty. How should i approach this situation? Please help and advice. btw they don't have any public bounty program as such but i do deserve it.

reddit.com
u/Dry-Home-7434 — 11 days ago