Practical XSS: DOM vs Reflected vs Stored — Advanced Payloads & Bypasses

How to Find Your First Critical Bug (Beginner's Guide)

Finding your first critical bug can feel overwhelming, but it's totally doable with the right approach and mindset. This beginner's guide is designed for aspiring bug bounty hunters, QA testers, and security enthusiasts who want to discover high-impact vulnerabilities that actually matter.

Critical bugs aren't just random glitches—they're serious security flaws that could compromise user data, crash systems, or give attackers unauthorized access. The good news? You don't need years of experience to find them.

We'll walk you through the fundamentals of identifying what makes a bug truly critical and show you how to set up the essential tools that professional bug hunters rely on. You'll also learn proven target selection strategies that help you focus your efforts on the most promising applications, plus systematic testing methods that turn random clicking into strategic vulnerability discovery.

By the end of this guide, you'll have a clear roadmap for finding your first critical bug and the confidence to start your bug-hunting journey.

Understanding What Makes a Bug Critical

Define critical bugs and their impact on system functionality.

Critical bugs represent the most severe vulnerabilities that can completely break a system or expose it to significant security risks. These bugs often cause complete system failures, data breaches, or render core functionality unusable. When you discover a critical bug, you've found something that demands immediate attention from the development team.

The impact of critical bugs extends far beyond just technical problems. They can lead to financial losses, damaged reputation, and,

A Midsummer Night’s Dream by William Shakespeare is playfully written about the exploration of love, marriage, and the unrealistic expectations that can inexorably come along with them. This essay will explore how marriage is portrayed as limiting and difficult but ultimately worthwhile.

Commensurate with its origins in a court marriage, this drama speaks throughout for a sophisticated Renaissance philosophy of the nature of love in both its rational and irrational forms. This is shown by depicting the significant disparity in the expectations placed on men and women. Hermia embodies this struggle as she defies her father Egeus’s wishes to marry Demetrius, showcasing her desire for autonomy and true love rather than just fulfilling her duty to her society.

Conversely, men are generally afforded a broader range of achievements and aspirations. They are encouraged to pursue careers, adventures, and personal accomplishments that can lead to social recognition. Demetrius, for instance, initially pursues Hermia out of a sense of entitlement, thinking he can claim her because that is what society expects of her.

Another example is the marriage of Theseus and Hippolyta. Their relationship is rooted in conquest and power dynamics, which reflect the expectations of a hierarchical society. Theseus, as the Duke of Athens, represents a figure signifying his authority, and his marriage to a conquered queen, Hippolyta, suggests that marriage can also be about control and possession rather than something much purer.

In some cases, legal consequences for organizations. A critical bug might allow unauthorized access to sensitive user data, cause the entire application to crash under normal usage, or create pathways for attackers to gain administrative privileges.

Learn the difference between critical, major, and minor bugs

Understanding bug severity classifications helps you prioritize your findings and communicate their importance effectively to development teams.

Critical	System unusable, security breach	Complete application crash, SQL injection, privilege escalation	Immediate (0-24 hours)
Major	Significant functionality broken	Core features not working, performance severely degraded	1-3 days
Minor	Small issues, cosmetic problems	UI alignment issues, typos, and non-essential feature bugs	1-2 weeks

Critical bugs typically involve complete system failures or security vulnerabilities that expose sensitive data. Major bugs affect important functionality but don't completely break the system. Minor bugs are usually cosmetic issues or problems with non-essential features that don't significantly impact the user experience.

Identify common characteristics of critical vulnerabilities.

Critical vulnerabilities share several common traits that make them particularly dangerous. Authentication bypasses the top of this list - any bug that allows users to access accounts they shouldn't have access to automatically qualifies as critical. SQL injection vulnerabilities that expose database contents also fall into this category.

Remote code execution bugs represent another critical category. These allow attackers to run arbitrary code on the target system, essentially giving them complete control. Cross-site scripting (XSS) vulnerabilities that can steal user sessions or sensitive information also reach critical status.

Buffer overflows, especially in memory-unsafe languages, can lead to system crashes or code execution. Privilege escalation bugs that allow regular users to gain administrator rights are always considered critical. File inclusion vulnerabilities that let attackers read sensitive files or execute malicious code round out the most common critical bug types.

Look for bugs that affect core security controls, cause widespread system instability, or expose sensitive data to unauthorized parties. These characteristics signal you've found something that needs immediate attention.

Essential Tools and Setup for Bug Hunting

Choose the Right Testing Environment and Virtual Machines

Setting up isolated testing environments protects your main system from potential security risks while giving you the freedom to experiment. Virtual machines are your best friend here – they create sandboxed environments where you can install sketchy software, visit suspicious websites, and test exploits without worrying about compromising your primary setup.

VMware Workstation Pro and VirtualBox are the most popular choices. VMware offers better performance and more advanced features, while VirtualBox is free and handles most testing scenarios perfectly well. Create separate VMs for different purposes: one clean Windows 10/11 instance for web application testing, a Kali Linux machine loaded with penetration testing tools, and maybe an older Windows version for legacy application testing.

Snapshot functionality becomes crucial when bug hunting. Before starting any testing session, take a VM snapshot so you can quickly revert to a clean state. This saves hours of reinstallation and reconfiguration when things go wrong.

For browser-based testing, keep multiple browser versions installed across your VMs. Different browsers handle vulnerabilities differently, and sometimes a bug only appears in specific versions or configurations.

Install Essential Browser Extensions and Debugging Tools

Your browser becomes a powerful testing platform with the right extensions. Start with developer tools that most browsers include natively – Chrome DevTools and Firefox Developer Tools offer network monitoring, JavaScript debugging, and DOM inspection capabilities that reveal how applications work under the hood.

Key extensions for bug hunters include:

• Burp Suite Browser Extension: Seamlessly integrates with Burp Suite proxy for traffic interception
• Wappalyzer: Identifies technologies used by web applications, revealing potential attack vectors
• EditThisCookie: Manipulates cookies directly from your browser for session testing
• User-Agent Switcher: Changes your browser's user agent string to test different client behaviors
• Web Developer: Adds a toolbar with numerous web development and testing tools

FoxyProxy deserves special mention for managing proxy configurations. It lets you quickly switch between different proxy settings, routing specific domains through your testing proxy while keeping normal browsing direct.

Browser developer tools themselves pack serious power. The Network tab shows all HTTP requests and responses, revealing API endpoints and data flows. The Console tab lets you execute JavaScript directly on pages, perfect for testing XSS vulnerabilities. The Elements tab helps you understand DOM structure and modify page content in real-time.

Set up Proxy Tools for Intercepting Web Traffic

Burp Suite Community Edition stands as the gold standard for web application security testing. This proxy tool sits between your browser and target applications, capturing every request and response for analysis and manipulation.

Download Burp Suite and configure your browser to route traffic through localhost:8080 (Burp's default proxy port). Install Burp's CA certificate in your browser to avoid SSL warnings when testing HTTPS sites. The Proxy tab shows all intercepted traffic, while the Target tab organizes discovered endpoints and site structure.

OWASP ZAP provides a free alternative with automated scanning capabilities. It's particularly useful for beginners because it includes guided workflows and detailed vulnerability explanations. ZAP's active scanner automatically tests for common vulnerabilities once you've mapped an application's structure.

Fiddler works well for Windows-focused testing and offers excellent .NET application debugging features. Its scripting capabilities let you automate repetitive testing tasks.

Master these proxy basics: intercepting requests, modifying parameters, repeating requests with different payloads, and analyzing responses for security issues. Practice intercepting your own web browsing to understand normal application behavior before hunting for anomalies.

Configure Automated Scanning Tools for Initial Reconnaissance

Automated tools handle the tedious initial reconnaissance work, mapping applications, and identifying obvious vulnerabilities while you focus on complex manual testing.

Nmap remains essential for network discovery and port scanning. Basic commands like nmap -sV -sC target.com reveal running services and their versions, often exposing known vulnerabilities. The -A flag enables OS detection and version scanning for comprehensive fingerprinting.

Gobuster and dirb excel at directory and file enumeration. They use wordlists to discover hidden directories, backup files, and forgotten admin panels. Start with common wordlists and expand to technology-specific dictionaries based on your reconnaissance findings.

Nikto scans web servers for thousands of known vulnerabilities and misconfigurations. While it generates false positives, it quickly identifies low-hanging fruit like outdated software versions and dangerous files.

Configure these tools with appropriate threading and delay settings to avoid overwhelming target servers. Aggressive scanning might trigger security measures or crash applications, ruining your testing opportunities.

Create scripts that combine these tools for efficient reconnaissance workflows. A simple bash script can run Nmap, feed discovered web ports to Nikto, and enumerate directories with Gobuster while you work on other tasks.

Remember that automated tools provide starting points, not final answers. They miss context-specific vulnerabilities that require human creativity and domain knowledge to discover.

Target Selection and Research Strategies

Pick Beginner-Friendly Platforms and Bug Bounty Programs

Start with programs that welcome newcomers and offer clear guidelines. HackerOne, Bugcrowd, and Synack all have dedicated sections for beginners, with programs specifically marked as "easy" or "beginner-friendly." Look for companies that have been running bug bounty programs for a while - they tend to have better documentation and more patient security teams.

Avoid programs with extremely low payouts or those run by Fortune 500 companies as your first targets. These organizations often have mature security teams and well-tested applications, making it harder to find your initial bugs. Instead, focus on mid-sized SaaS companies, educational platforms, or newer startups that recently launched their bug bounty programs.

Check the program's responsiveness rate and average time to resolution. Programs that respond quickly to reports and provide constructive feedback help you learn faster. Some excellent beginner programs include:

Educational Sites	University portals, online learning platforms	Often have complex user management systems
E-commerce	Smaller online stores, marketplace apps	Multiple user roles and payment flows
Social Platforms	Newer social apps, community forums	Rich feature sets with less security maturity

Research Common Vulnerabilities in Your Chosen Target Type

Each application type has predictable weakness patterns. E-commerce sites frequently suffer from business logic flaws in checkout processes, coupon systems, and inventory management. Social platforms often have privacy issues, authentication bypasses, and content manipulation vulnerabilities.

Study the OWASP Top 10 vulnerabilities, but don't stop there. Look deeper into vulnerability categories that match your target. For web applications, focus on injection flaws, broken authentication, and insecure direct object references. Mobile apps commonly have insecure data storage, weak cryptography, and improper session handling.

Create a checklist of common vulnerabilities for your target type:

• Web Applications: SQL injection, XSS, CSRF, directory traversal, file upload vulnerabilities
• APIs: Broken object-level authorization, excessive data exposure, and rate-limiting issues
• Mobile Apps: Insecure data storage, weak encryption, reverse engineering vulnerabilities
• IoT Devices: Default credentials, firmware vulnerabilities, network protocol issues

Study Previous Bug Reports and Disclosed Vulnerabilities

Public bug reports are goldmines of learning material. Platforms like HackerOne's Hacktivity feed, Google's Project Zero blog, and CVE databases show real-world vulnerabilities with detailed explanations. Don't just read the vulnerability description - understand the researcher's methodology and thought process.

Pay attention to the testing techniques that led to discoveries. Many researchers share their recon process, the tools they used, and even the specific payloads that worked. This gives you a blueprint for your own testing approach.

Look for patterns in similar applications. If you're targeting a social media platform, study bugs found in Facebook, Twitter, or Instagram. Notice how researchers approached user interaction features, privacy controls, and content management systems. The same vulnerability classes often appear across similar application types.

Create a notebook of interesting techniques and payloads. When you see a clever IDOR bypass or an unusual XSS vector, save it for future reference. Building this personal database of techniques becomes invaluable as you develop your hunting methodology.

Map Out Application Functionality and Attack Surface

Before diving into testing, spend time understanding how the application works from a user's perspective. Create different types of accounts - regular users, premium users, administrators, if possible. Navigate through every feature, noting how data flows between different parts of the application.

Draw a mental map of the application's components. Identify user input points, file upload areas, search functions, and any place where user data gets processed or displayed. These represent potential entry points for vulnerabilities.

Document the technology stack by examining HTTP headers, JavaScript files, and error messages. Knowing whether an application uses React, Angular, or vanilla JavaScript helps you understand potential attack vectors. Different frameworks have different common misconfigurations and security pitfalls.

Use browser developer tools to examine network requests. Watch how the application communicates with its backend, what API endpoints exist, and how authentication tokens are handled. This reconnaissance phase often reveals hidden functionality or administrative interfaces that weren't meant for public access.

Create a simple spreadsheet tracking:

• All discovered endpoints and their parameters.
• Different user roles and their permissions
• File upload locations and accepted file types
• Search and filtering functionality.
• Any unusual or complex business logic flows.

This systematic approach to mapping gives you a comprehensive understanding of where vulnerabilities might hide and helps you prioritize your testing efforts.

Systematic Testing Methodologies

Start with automated scans to identify low-hanging fruit

Automated scanning tools serve as your first line of attack when hunting for critical bugs. These tools excel at quickly identifying common vulnerabilities that developers might overlook, giving you immediate wins while you prepare for more complex manual testing.

Begin with general-purpose scanners like Burp Suite's automated scanner or OWASP ZAP. These tools crawl web applications systematically, testing for standard vulnerabilities like SQL injection, XSS, and directory traversal. Run a comprehensive scan during off-peak hours to avoid disrupting normal operations.

Don't limit yourself to web application scanners. Use Nmap for network reconnaissance to discover open ports and services, Nuclei for running targeted vulnerability templates, and Nikto for web server-specific issues. Each tool brings unique capabilities to your testing arsenal.

Pay special attention to scan results that indicate authentication bypasses, sensitive data exposure, or server misconfigurations. These often translate directly to critical findings. Review false positives carefully - sometimes what appears to be a false positive actually reveals a deeper security issue.

Create a systematic approach by categorizing findings based on severity and exploitability. High-impact vulnerabilities like remote code execution or authentication bypasses should take priority over informational findings. Document everything as you go, including the specific tools and parameters used for each scan.

Perform manual testing of authentication mechanisms.

Authentication systems represent the primary gateway to applications, making them prime targets for critical vulnerabilities. Manual testing reveals flaws that automated tools frequently miss, particularly in custom authentication implementations.

Start by mapping all authentication endpoints, including login, logout, password reset, and account registration functions. Test each endpoint for SQL injection by injecting common payloads like ' OR 1=1-- into the username and password fields. Pay attention to error messages that might reveal database structure or authentication logic.

Examine session management thoroughly. After logging in, inspect session tokens for predictability or weak entropy. Test for session fixation by noting session IDs before and after authentication. Check if sessions are properly invalidated after logout or timeout periods.

Multi-factor authentication bypasses often yield critical findings. Test if you can skip MFA steps by manipulating requests or accessing protected resources directly. Look for race conditions in SMS or email-based verification codes.

Password reset mechanisms deserve special attention. Test for user enumeration through different response times or messages for valid versus invalid accounts. Check if password reset tokens are predictable, reusable, or have extended validity periods.

Don't forget about privilege escalation within authentication flows. Test if regular users can modify their roles during registration or profile updates. Look for horizontal privilege escalation where users can access other users' accounts through parameter manipulation.

Test input validation and injection vulnerabilities

Input validation flaws consistently rank among the most critical security vulnerabilities. These weaknesses allow attackers to manipulate application behavior through crafted inputs, often leading to complete system compromise.

SQL injection testing requires both automated and manual approaches. While scanners catch obvious cases, manual testing reveals complex injection points in stored procedures, second-order injections, and blind SQL injection scenarios. Test numeric parameters, JSON inputs, and HTTP headers - not just obvious form fields.

Use time-based payloads like '; WAITFOR DELAY '00:00:05'-- for MSSQL or ' OR SLEEP(5)-- for MySQL when traditional error-based injection fails. Boolean-based blind injection techniques help extract data when direct output isn't visible.

Command injection vulnerabilities often hide in file upload functionality, system administration features, or API endpoints that interact with the operating system. Test with payloads like: ping 127.0.0.1 or | whoami to identify command execution points.

NoSQL injection targets MongoDB and similar databases through different syntax. Use payloads like {"$ne": null} in JSON parameters or [$ne]=1 in URL parameters to bypass authentication or extract unauthorized data.

Cross-site scripting (XSS) testing should cover reflected, stored, and DOM-based variants. Test in various contexts, including HTML attributes, JavaScript variables, and CSS properties. Use payloads that bypass common filters like ＜img src=x onerror=alert(1)＞ or javascript: alert(1).

Examine business logic flaws and privilege escalation.

Business logic vulnerabilities often prove more valuable than technical exploits because they directly impact application functionality and user data. These flaws require understanding the application's intended behavior to identify deviations that create security risks.

Price manipulation represents a common business logic flaw in e-commerce applications. Test negative quantities, decimal values, or currency manipulation to achieve unauthorized discounts. Look for race conditions in checkout processes where multiple concurrent requests might bypass inventory checks.

Workflow bypasses occur when applications fail to enforce proper state transitions. Test if you can skip payment steps, approval processes, or verification requirements by manipulating request parameters or accessing URLs directly. Many applications trust client-side validation without server-side enforcement. Rate-limiting bypasses can escalate into critical issues when they affect security controls. Test password brute-forcing, account enumeration, or API abuse scenarios. Try different IP addresses, user agents, or request headers to circumvent rate-limiting mechanisms.

Privilege escalation testing focuses on accessing functionality or data beyond your authorized level. Test both vertical escalation (gaining admin rights) and horizontal escalation (accessing other users' data). Look for Insecure Direct Object References (IDOR) in user IDs, account numbers, or file references.

Account takeover scenarios often combine multiple business logic flaws. Test account recovery processes, profile merge functionality, or social login integrations for weaknesses that allow assuming control of other user accounts.

Review file access controls systematically. Test if you can access other users' documents, system files, or administrative interfaces through path manipulation or authorization bypasses. These vulnerabilities frequently lead to data breaches or complete system compromise.

Documentation and Reporting Best Practices

Capture detailed proof-of-concept demonstrations.

Creating a solid proof-of-concept (PoC) is what separates professional bug hunters from amateur testers. Your PoC needs to clearly show how the vulnerability works without causing unnecessary damage to the target system.

Start by taking screenshots at every step of your exploitation process. Use tools like Burp Suite or OWASP ZAP to capture HTTP requests and responses that demonstrate the vulnerability. For web applications, record your browser's developer tools showing the malicious payload execution. Screen recording software like OBS or Loom can capture dynamic vulnerabilities that static screenshots might miss.

Your PoC should follow a logical sequence that anyone can understand:

• Initial discovery: Show how you found the vulnerable endpoint
• Exploitation steps: Document each action taken to trigger the bug
• Impact demonstration: Prove the security implications without going overboard
• Environment details: Include browser versions, operating systems, and relevant configurations

Avoid destructive actions in your PoC. Instead of deleting actual data, show that you could access sensitive information. Replace real user data with dummy examples when demonstrating data exposure. The goal is to prove the vulnerability exists and show its potential impact, not causing harm.

Write clear vulnerability descriptions with impact analysis.

Your vulnerability report needs to tell a complete story that both technical and non-technical stakeholders can understand. Start with a clear, concise title that immediately communicates the issue type and affected component.

The description should answer these key questions:

• What exactly is broken?
• How does someone exploit this weakness?
• Who could be affected by this vulnerability?
• What's the worst-case scenario if left unpatched?

Structure your description using this proven format:

Summary	One-sentence overview of the vulnerability
Technical Details	Step-by-step explanation of the flaw
Impact Assessment	Business and security consequences
Affected Systems	Specific versions, components, or configurations
Remediation	High-level fix recommendations

Your impact analysis should connect technical vulnerabilities to real business risks. Don't just say "SQL injection allows database access." Explain that attackers could steal customer payment information, modify order records, or gain administrative control over the entire application.

Use severity ratings consistently. The CVSS scoring system provides a standardized framework, but also includes your own risk assessment that considers the specific context of the target organization. A low-severity information disclosure bug might become critical if it exposes API keys or internal system architecture.

Follow responsible disclosure protocols and timelines.

Responsible disclosure protects both you and the organization while ensuring vulnerabilities get fixed properly. The standard approach gives companies a reasonable time to address issues before any public disclosure occurs.

Most bug bounty programs and security researchers follow these timelines:

• Initial report: Submit your findings with complete documentation
• Acknowledgment period: 5-7 business days for the vendor to confirm receipt
• Investigation phase: 30-90 days for the vendor to validate and assess the issue
• Resolution timeline: 90-180 days total from initial report to fix deployment
• Public disclosure: Only after the vendor confirms the fix is complete

Keep detailed records of all communication. Save email timestamps, track response times, and document any changes to the agreed timeline. This information becomes crucial if disputes arise or if you need to justify public disclosure decisions later.

Respect the organization's communication preferences. Some companies prefer email, others use dedicated portals or ticketing systems. Never post vulnerability details on public forums, social media, or GitHub repositories before getting explicit permission.

If vendors become unresponsive or refuse to address legitimate security issues, follow coordinated disclosure guidelines. Organizations like CERT/CC can help mediate disputes and ensure critical vulnerabilities eventually get public attention when necessary.

Finding your first critical bug comes down to understanding what makes vulnerabilities dangerous, setting up the right tools, and approaching testing with a clear plan. The key is combining thorough research on your targets with systematic testing methods that cover all the important areas. Don't forget that proper documentation makes the difference between a good find and a report that actually gets fixed.

Start small, stay patient, and remember that even experienced bug hunters struck out many times before landing their first critical discovery. Pick targets that match your skill level, use the methodologies that work best for your testing style, and always prioritize responsible disclosure. Your first critical bug is out there waiting – now you have the roadmap to find it.