
INTERCEPT

A practice ground for web application hacking — every vulnerability class mapped to a free, legal lab you can break right now, plus the methodology and tooling to take it to real, in-scope targets.

26 vuln classes · 5 tools onboard · 100% legal targets
00

Scope is the law

You already know this, but it's the part worth re-reading before every session. For a bug hunter, the program's scope document is the only thing standing between research and a crime. The labs linked below exist precisely so you can attack without that risk.

// RULES OF ENGAGEMENT

  • Test only what a program authorizes, in writing. A public/private bug-bounty scope, a signed pentest agreement, or a deliberately vulnerable app you control. Nothing else.
  • Stay strictly in scope. Out-of-scope assets, even of the same org, aren't covered. Wildcard domains, acquisitions, and third-party services are common traps — confirm before you touch.
  • Don't pivot, exfiltrate, or pillage. Prove impact with the minimum necessary. Reading one record demonstrates IDOR; dumping the table is abuse. No lateral movement, no persistence, no destructive payloads.
  • Respect rate limits and avoid DoS. Heavy automated scanning can break production. Throttle, and never test availability unless the program explicitly allows it.
  • Disclose responsibly. Report through the program's channel, give time to fix, and don't go public until you're cleared to.
01

The hunt

A repeatable workflow beats raw payload-spraying every time. The hunters who find the most bugs are the ones who understand the application better than anyone — then test it methodically.

00
recon · map the perimeter

Scope & reconnaissance

Read the policy, then enumerate the full attack surface: subdomains, historical URLs, JS files, parameters, and the tech stack. Most bugs live on the asset nobody else looked at.

subdomain enum · content discovery · JS analysis · tech fingerprinting
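A first pass at the JS-analysis step, as an added example (not code from the page): it pulls candidate paths, hosts and query-parameter names out of a bundle so they can seed content discovery. The regexes, the function name and the sample bundle are this example's own; the bundle is constructed and `example-target.test` is not a real host.

```javascript
// Added example, not code from the page: a first-pass JS-analysis helper for
// recon. It pulls candidate paths, hosts and query-parameter names out of a
// JavaScript bundle so they can seed content discovery. The regexes, the
// function and the sample bundle are this example's own; the bundle is constructed.

// Absolute URLs: capture host[:port] and whatever path follows it.
const ABS_URL_RE = /https?:\/\/([A-Za-z0-9.-]+(?::\d+)?)((?:\/[^\s"'`)]*)?)/g;
// Quoted strings that start with "/" and carry at least one more character, so
// a lone "/" is skipped. Template placeholders such as ${id} pass through.
const PATH_RE = /["'`](\/[A-Za-z0-9_\-./{}$?=&%:]+)["'`]/g;
// Keys of a query string ("?a=1&b=2" -> a, b).
const QUERY_KEY_RE = /[?&]([\w\-\[\]]+)=/g;

function extractEndpoints(src) {
  const hosts = new Set(), paths = new Set(), params = new Set();
  const addPath = (raw) => {
    // ${id} -> {id}: keep the route shape, drop the JS interpolation syntax.
    const [base, query] = raw.replace(/\$\{([^}]+)\}/g, "{$1}").split("?");
    if (base.length > 1) paths.add(base);
    for (const q of ("?" + (query ?? "")).matchAll(QUERY_KEY_RE)) params.add(q[1]);
  };
  for (const m of src.matchAll(ABS_URL_RE)) {
    hosts.add(m[1]);
    if (m[2]) addPath(m[2]);
  }
  for (const m of src.matchAll(PATH_RE)) addPath(m[1]);
  return { hosts: [...hosts].sort(), paths: [...paths].sort(), params: [...params].sort() };
}

// Constructed stand-in for a minified bundle; example-target.test is not a real host.
const SAMPLE_BUNDLE = `
  const API = "https://api.example-target.test/v2";
  fetch(API + "/users/me", {credentials: "include"});
  axios.get("/api/v1/orders?status=open&page=1");
  const legacy = '/admin/export.php';
  router.push(\`/account/\${id}/settings\`);
  const cdn = "https://cdn.example-target.test/static/app.js";
  console.log("not/a/path");   // no leading slash: ignored
  const sep = "/";             // too short to be a route: ignored
`;

console.log(JSON.stringify(extractEndpoints(SAMPLE_BUNDLE), null, 2));
```

Feed `paths` into your content-discovery wordlist and diff `hosts` against the scope list before you request anything: a host that appears in a bundle is not thereby a host in scope.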
01
map · understand the app

Map the attack surface

Proxy everything through Burp or Caido. Catalog every endpoint, parameter, role, and state transition. Understand auth, sessions, and how data flows before testing a single payload.

proxy & crawl · auth flows · roles & states · input mapping
02
test · class by class

Test systematically

Walk the vulnerability catalog below against each feature. Prioritize where impact is highest — auth, access control, and anything handling money, files, or other users' data.

OWASP Top 10 · access control · business logic · injection
03
prove · minimum impact

Exploit & verify

Confirm the finding with a clean, reproducible proof of concept. Demonstrate real impact without overreaching — one stolen record, not the whole database.

PoC building · impact analysis · chaining · screenshots
04
report · get paid

Report & disclose

A great report is half the work. Clear title, accurate severity, exact reproduction steps, and a remediation suggestion. Triagers reward clarity.

writeups · CVSS · repro steps · disclosure
02

Vulnerability catalog

The web hacker's bread and butter. Each card is a class to master, with where to look and a free lab to go practice it on a target you're allowed to break — most link straight to PortSwigger's Web Security Academy. Mark each one as you clear it; progress saves in this browser.

03

The workbench

The everyday encoder/decoder utilities, right here so you don't break flow. Everything runs locally in your browser — nothing is sent anywhere. Read-only by design: it transforms and inspects text; it doesn't attack anything.

  • URL
  • Base64
  • HTML entities
  • JWT decoder
  • Hash ID
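The same five transforms as plain functions, added here as an example rather than the page's own workbench code. They run in a browser or in Node with no network access; the function names are this example's own, the first JWT is the public jwt.io sample token and the `alg=none` token is constructed.

```javascript
// Added example, not the page's own workbench code: the five workbench
// transforms as plain functions that run in a browser or in Node with no
// network access. Function names are this example's own.

// URL: encodeURIComponent leaves !'()* alone and some servers treat those
// specially, so percent-encode them too; decoding folds form-style '+' to space.
function urlEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}
function urlDecode(s) { return decodeURIComponent(s.replace(/\+/g, " ")); }

// Base64 over UTF-8 text. Decoding accepts the standard and URL-safe alphabets
// and tolerates missing '=' padding, which JWT segments never carry.
function b64Encode(s, urlSafe = false) {
  const bytes = new TextEncoder().encode(s);
  const std = btoa(Array.from(bytes, b => String.fromCharCode(b)).join(""));
  return urlSafe ? std.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "") : std;
}
function b64Decode(s) {
  let std = s.replace(/\s+/g, "").replace(/-/g, "+").replace(/_/g, "/");
  std += "=".repeat((4 - std.length % 4) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(std), c => c.charCodeAt(0)));
}

// HTML entities: the five characters that matter in markup, plus decimal and
// hex numeric references when decoding. Unknown names are left untouched.
const ENC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function htmlEncode(s) { return s.replace(/[&<>"']/g, c => ENC[c]); }
function htmlDecode(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (whole, ref) => {
    if (ref[0] !== "#") return NAMED[ref.toLowerCase()] ?? whole;
    const hex = ref[1] === "x" || ref[1] === "X";
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// JWT: decode only. Nothing here verifies the signature, which is what makes it
// safe to run on any token and also why the output proves nothing about who
// issued it. It flags the two fields a hunter checks first: alg and exp.
function jwtDecode(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 segments, got " + parts.length);
  const header = JSON.parse(b64Decode(parts[0]));
  const payload = JSON.parse(b64Decode(parts[1]));
  const notes = [];
  if (String(header.alg).toLowerCase() === "none") notes.push("alg=none: unsigned, try it against the server");
  if (typeof payload.exp === "number") notes.push("exp=" + new Date(payload.exp * 1000).toISOString());
  return { header, payload, signature: parts[2], notes };
}

// Hash ID by shape only (crypt prefix first, then hex length). Shape is a hint,
// not proof: a 32-hex string may be MD5, NTLM or MD4.
const PREFIXED = [
  [/^\$2[aby]\$\d\d\$/, "bcrypt"], [/^\$argon2(id|i|d)\$/, "argon2"],
  [/^\$6\$/, "sha512crypt"], [/^\$5\$/, "sha256crypt"], [/^\$1\$/, "md5crypt"],
  [/^\$apr1\$/, "apr1 (Apache MD5)"], [/^\{SHA\}/, "LDAP SHA-1 (base64)"],
];
const BY_HEX_LEN = {
  32: ["MD5", "NTLM", "MD4"], 40: ["SHA-1", "RIPEMD-160"], 56: ["SHA-224"],
  64: ["SHA-256", "SHA3-256", "BLAKE2s"], 96: ["SHA-384"],
  128: ["SHA-512", "SHA3-512", "BLAKE2b", "Whirlpool"],
};
function hashId(s) {
  const h = s.trim();
  for (const [re, name] of PREFIXED) if (re.test(h)) return [name];
  if (/^[0-9a-fA-F]+$/.test(h)) return BY_HEX_LEN[h.length] ?? ["hex, " + h.length + " chars"];
  if (h.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(h)) return ["base64 (decode it first)"];
  return ["unknown"];
}

// Public jwt.io sample token (HS256 over a demo secret), used here only as input.
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
console.log(jwtDecode(SAMPLE_JWT));
```

The JWT function is deliberately a decoder, not a verifier: a token that decodes cleanly tells you what the server will read, not whether it will accept it. Whether `alg=none` or a tampered claim is honoured is a request you send to the target, in scope, with the token in the Authorization header.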

          
04

Writing the report

The bug is only worth what you can communicate. Triagers read dozens of reports a day — make yours the easy one to validate and pay.

// anatomy of a great report

  1. Title — vuln type + impact + location. "Stored XSS in profile bio leads to account takeover" beats "XSS found".
  2. Summary — one paragraph: what it is, where, and why it matters to the business.
  3. Steps to reproduce — numbered, exact, copy-pasteable. Assume the triager has never seen the app.
  4. Proof of concept — a clean request, payload, or short video. Minimal and non-destructive.
  5. Impact — concrete worst case, tied to real data or users, not theory.
  6. Remediation — a brief, correct fix suggestion. It builds trust and speeds the patch.

// severity & signal

Score impact honestly with CVSS — inflating severity costs you credibility with triage. A few things that consistently raise report quality:

  • Chain where you can. Open redirect alone is low; chained into OAuth token theft it's critical. Show the chain.
  • Tie it to a real victim. "An attacker can read any user's messages" lands harder than a CWE number.
  • One bug per report. Don't bury a critical inside a list of lows.
  • Be calm and professional in dialogue, even on disputes. Reputation compounds across programs.
05

The arsenal

The tools, targets, and reading that web hunters actually use. Start with the free practice grounds — they'll teach you more than any paid course.

Practice targets (free)

Proxy & testing

Recon & discovery

Bug bounty platforms

Read & reference (free)

On the shelf

  • The Web Application Hacker's Handbook · the canon (pairs with WSA)
  • Real-World Bug Hunting · Peter Yaworski · bounty-focused
  • Bug Bounty Bootcamp · Vickie Li · end to end
  • OWASP API Security Top 10 · free · the API checklist