Best way to get into RCE XXE SSRF?


Hi everyone,

After taking a computer security class in college I got into bug bounty and got a few bounties in the last couple months.

However so far I’ve only found bugs like subdomain takeover, reflected XSS, IDOR, DOS most of which basically include me doing decent recon and playing around with parameters in a web app but so far I don’t even know where to begin to look for RCE, XXE, SQLi, SSRF etc. I try running sqlmap but I assume that is just a trivial way to go about it. I found a few possible code injections but I can never figure out how much padding I need for a command or run into a lot of 500 responses.

My main question is so far I only learned how to check the front door of an application, the part that faces the user or the surface level. How do you go even begin to look for the big bugs? I don’t expect to insert 2 quotes in a query to crash a server but there has to be a way to recognize issues other than I dont know running sqlmap and hoping for the best.

If it helps I know a little bit of React, GraphQL and basic web dev stuff but my only tools are Burp, wfuzz, aquatone and Chrome Debugger. Looking at the compressed javascript is impossible to understand for me and I only found one bug by actually looking at code. I’m not asking to getting into decompiling binaries and looking for overflows but there should be an entry point.

I’m open to any and all suggestions.


I got burp pro and use this bugcrowd addon it also works with zap if you dont have burp pro. I send my traffic to zap and then to burp. Also i practise using owasp mutillidae which gives excellent practice&tips and i read the owasp guide to get ideas you doing much better than I am so will get better checking those out. Read disclised reports sometimes the better hackers simply rehack the same endpoint but find a different exploit or manage to bypass the fix. Your certainly doing better than me i probably need to put into practice more now. Hope it helps and happy hacking


I go here to learn too