Want to sharpen your skills when it comes to finding and exploiting server-side template injection (SSTI), cache poisoning or business logic error vulnerabilities?
Who better to teach you than the Bug Bounty hunters who topped our most recent annual leaderboards for these CWE categories?
We asked the three ethical hackers in question – respectively supr4s, codejump and Kto94 – to share the secrets of their success in these vulnerability niches. They kindly obliged, giving us tips around recon, tools and hacking techniques, as well as some recommendations for vulnerability labs and resources for further reading and hands-on training.
These invaluable insights were first published in the YesWeHack Bug Bounty Report 2025.
supr4s’s magic methodology for SSTI bugs (CWE-1336)
Insights from our #1 hunter for CWE-1336 in 2024
“For the SSTI/CSTI hunt, it’s important to analyse the technologies offered by the application (with Wappalyzer <3). Naturally, I like to go for big web applications with several technologies and different rendering depending on the part of the application you're accessing.
“This has enabled me to find CSTIs that are not visible at first glance, but can be triggered in another part of the application. Once you’ve got your injection point, you need to think IMPACT! A CSTI in your pocket? Try extracting session cookies, localStorage or any other way to get an ATO from your victim. An SSTI? Go for the RCE!
“One of my CSTIs was triggered by an exotic view of the application, via VueJS, which converted my {{8*8}} input into 64. Knowing this view was accessible for several other people, it was essential not to affect other users by using ‘silent’ payloads like console.log ({{_openBlock.constructor('console.log(\"Stored XSS via CSTI by Supr4s\")')()}}).
“My recommended resources for SSTIs/CSTIs: SSTIMap, TInjA and tplmap tools; the template injection chapter of Bug Bounty Bootcamp by Vickie Li (pp. 261-274); Template Injection Playground on GitHub and other ‘Hackmanit’ resources; and ‘Evading defences using VueJS script gadgets’ by PortSwigger researcher Gareth Heyes.”
Codejump’s magic methodology for cache poisoning bugs (CWE-349)
Insights from our #1 hunter for CWE-349 in 2024
“First, do the PortSwigger labs for web cache poisoning, which are really very useful for getting a good understanding of the vulnerability. Then it’s a lot of research to understand how the cache works on each technology, reading blog posts of research already done in this field, etc.
“This vulnerability interested me, so I started looking at tools that existed to find/scan this vulnerability. But I noticed that most tools only checked a small part [of the process] or were out of date. From what I saw, only one checked for Cache-Poisoned Denial-of-Service (CPDoS) and was very verbose, so was therefore complicated to understand at a glance.
“So I built a tool that would be accessible and understandable for everyone: HExHTTP. Thanks to this, I’ve been able to research cache poisoning (and CPDoS in particular) in greater depth. I’m now putting pretty much all my research and findings into it, so I can re-scan Bug Bounty applications.”
Kto94’s magic methodology for business logic error bugs (CWE-840)
Insights from our #1 hunter for CWE-840 in 2024
“I start by using the application as a regular user to understand how it works, exploring as many features as possible. I try to bypass limitations on features that I believe could have a business impact. If I succeed, I delve deeper to identify a business logic error that could have a real impact on the company.
“Most of the time, I focus on identifying a financial impact, whether direct or indirect.
“For example, take a booking company that adjusted its prices based on user demand. The more often users initiated a booking, the higher the prices would go.
“It was possible therefore for an attacker to manipulate the prices simply by initiating bookings without completing payment. Carried out on a large scale, this could lead to a loss of revenue for the company, as its prices would no longer be competitive.
“My main advice for business logic error bugs is to prioritise impactful issues rather than technically complex ones.”
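The booking-price flaw Kto94 describes, modelled as an added example (constructed code, not Kto94’s or the company’s; the pricing constants, class names and event format are assumptions): the vulnerable pricer counts a booking as demand as soon as it is initiated, the hardened pricer counts only paid bookings and caps the surge, and a small check flags accounts that initiate many bookings and pay for none.

```python
"""Constructed model of the booking dynamic-pricing flaw described above.
Vulnerable: initiated bookings count as demand. Hardened: only paid
bookings with a matching hold count, and the surge is capped."""
from collections import Counter, defaultdict
BASE_PRICE = 100.0   # constructed base price per booking
STEP = 0.05          # constructed: +5% per unit of demand
PRICE_CAP = 3.0      # assumed safeguard: never more than 3x base

class VulnerablePricer:
    """Demand = number of initiated bookings, an attacker-controlled signal."""
    def __init__(self):
        self.demand = Counter()
    def initiate(self, listing, user):
        self.demand[listing] += 1
    def pay(self, listing, user):
        pass  # payment has no effect on the demand signal
    def price(self, listing):
        return BASE_PRICE * (1 + STEP * self.demand[listing])

class HardenedPricer:
    """Demand = paid bookings only; an initiation is just a per-user hold."""
    def __init__(self):
        self.demand = Counter()
        self.holds = defaultdict(set)  # listing -> users with an open hold
    def initiate(self, listing, user):
        self.holds[listing].add(user)  # re-initiating adds nothing
    def pay(self, listing, user):
        if user in self.holds[listing]:  # only a held booking can be paid
            self.holds[listing].discard(user)
            self.demand[listing] += 1
    def price(self, listing):
        return BASE_PRICE * min(1 + STEP * self.demand[listing], PRICE_CAP)

def simulate(pricer, listing="room-42", attacker="mallory", n=20):
    """Attacker initiates n bookings without paying; returns the final price."""
    for _ in range(n):
        pricer.initiate(listing, attacker)
    return pricer.price(listing)

def flag_abandoners(events, min_initiations=5):
    """Users with >= min_initiations initiations and zero payments.
    events: iterable of (user, action), action in {"initiate", "pay"}."""
    inits, pays = Counter(), Counter()
    for user, action in events:
        (inits if action == "initiate" else pays)[user] += 1
    return {u for u, n in inits.items() if n >= min_initiations and not pays[u]}

# Constructed event log: one honest paid booking and eight unpaid initiations.
EVENTS = [("alice", "initiate"), ("alice", "pay")] + [("mallory", "initiate")] * 8
```

Twenty unpaid initiations double the vulnerable price while the hardened price stays at base, and the same event pattern is what the abandonment check surfaces for review.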