In my opinion the best way to learn hacking and security is to read public disclosure. It’s a great resources of tips and tools to use to make your life easier.
Here are some blogs I frequently visit from bounty hunters themself. They explain their findings, why it occurs, how they were able to exploit and sometimes how much they win. I visit them once a week and I also follow their writer on Twitter to not miss the bugs they don’t review.
Ben Sadeghipour, plays with many various vulns:
Filedescriptor, I don’t know who is this guy but his profil on HackerOne is truely awesome:
Sean Melia, swings between the first and the second place on HackerOne:
Jack Whitton, is a true XSS jedi:
Nir Goldshlager, CEO of Break Security:
To stay aware of new bugs who run in wild I follow some other blogs about web security. Those are professional blogs, they always try to sell you something but whatever, the goal here is to learn. Most of the time they also explain how to protect agains the attacks, wich is a very good point to add in a bug report.
PortSwigger Web Security Blog
Finally here are some of my favorites issues, my current top 15, the ones I like to read again and again to understand the vulnerability and try to discern the state of mind of the hacker who found it. It’s also a good way to improve your report skill and see the way hackers communicates with security teams to keep good feelings.
XSS on OAuth authorize/authenticate endpoint
Remote Code Execution on Shopify
XSS in the all widgets of shopifyapps.com
Private program activity timeline information disclosure
AWS S3 bucket writeable for authenticated aws users
uber.com may RCE by Flask Jinja2 Template Injection
CSV Injection in business.uber.com
Reflected XSS on developer.uber.com via Angular template injection
Pixel flood attack
XSS In archive.uber.com Due to Mime Sniffing in IE
CRLF Injection in developer.uber.com
Reflected XSS via Unvalidated / Open Redirect in uber.com
Reflected XSS via Livefyre Media Wall in newsroom.uber.com
Each Time I learn a new kind of issue, I try to reproduce it on on my local lab, then I try it on security programs I’m currently working on. Sometime it works, sometimes not but bug bounty is also about patience.
Happy reading !