Building Your Bug Bounty Mind Map Before You Touch Burp
Before Burp, before fuzzing, before anything, draw the app. A mind map of features, roles, and trust boundaries makes the rest of your work easier.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 30, 2023 · 9 min read
The mind map saves the hunt
New hunters open Burp on day one and start clicking. Experienced hunters spend the first hours drawing the app. The mind map turns a confusing target into a small set of testable surfaces, and that focus is what produces unique bugs.
What goes on the map
- Features, grouped by user flow: signup, login, billing, profile, share
- Roles: guest, user, admin, super admin, any internal tiers
- Trust boundaries: frontend to backend, service to service, vendor to app
- Data flows: where user input enters, where it lands, where it leaves
- Third party integrations: OAuth providers, payment processors, analytics
Use a tool you enjoy. Obsidian Canvas, Excalidraw, plain markdown, paper. The medium does not matter. The discipline does.
Map roles first
- Create one account per role the app supports
- Note what each role can see and do
- Mark every feature that one role accesses and another should not
- Those marks become your IDOR and authorization test list
Trace data flows
For each feature, ask where user input goes. Does it touch a database? A search index? A third party service? Does it render in HTML, in a PDF, in an email? Each rendering is a potential injection. Each external call is a potential SSRF.
Note the boring stuff
- Webhook receivers and outbound callbacks
- File upload paths and the services that process them
- Background jobs and queue workers when visible
- Admin endpoints, even if you only know they exist from JS
- Anywhere the app emails, SMSes, or calls a user
Prioritize from the map
Use the map during testing
Keep the mind map open while you hunt. Every finding gets pinned to a node. Every dead end gets noted on the node it came from. After a week, the map shows you which areas you have covered and which still need work. That visibility is what keeps long term bounty work productive.
Mind maps are not paperwork. They are the cheapest form of threat modeling a solo hunter can do, and they consistently outperform raw fuzzing.
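The role map from "Map roles first" and the pinned-findings view from "Use the map during testing" are easy to keep as data rather than as a picture. Below is an added example, not from the original post: a constructed role/feature matrix, the authorization test list derived from it (every feature some role reaches that another role should not), and a coverage split of map nodes into worked and untouched. Feature and role names are assumed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample map: which roles the app grants each feature.
# Feature and role names are assumed for illustration, not from the post.
ROLES = ["guest", "user", "admin", "super_admin"]
ROLE_ACCESS = {
    "profile/edit": {"user", "admin", "super_admin"},
    "billing/invoices": {"user", "admin", "super_admin"},
    "admin/users": {"admin", "super_admin"},
    "admin/feature_flags": {"super_admin"},
    "share/link": {"guest", "user", "admin", "super_admin"},
}

def authz_test_list(access, roles):
    """Derive the authorization test list from the role map.

    Each (feature, role) pair is a feature that some role can use and this
    role should not. The check for each pair is the same: act as `role`,
    request `feature`, expect a deny. Anything other than a deny is a
    vertical access-control finding to pin on that feature's node."""
    return sorted(
        (feature, role)
        for feature, allowed in access.items()
        for role in roles
        if role not in allowed
    )

@dataclass
class Node:
    """One node on the map: a feature plus everything pinned to it."""
    name: str
    findings: list = field(default_factory=list)   # confirmed results
    dead_ends: list = field(default_factory=list)  # tried, nothing there

def coverage(nodes):
    """Split nodes into (worked, untouched) names: the end-of-week view."""
    worked = sorted(n.name for n in nodes if n.findings or n.dead_ends)
    untouched = sorted(n.name for n in nodes if not (n.findings or n.dead_ends))
    return worked, untouched

if __name__ == "__main__":
    for feature, role in authz_test_list(ROLE_ACCESS, ROLES):
        print(f"test: as {role:<11} request {feature} -> expect deny")
    nodes = [Node(name) for name in ROLE_ACCESS]
    nodes[2].findings.append("constructed: finding pinned to admin/users")
    nodes[4].dead_ends.append("constructed: share tokens not guessable")
    worked, untouched = coverage(nodes)
    print("worked:", worked)
    print("untouched:", untouched)
```

Each untouched node at the end of the week is the next place to spend time; each worked node with only dead ends is a candidate for striking out during the Iterate step.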
Iterate
- Update the map when the app ships changes
- Add nodes for newly discovered endpoints from JS or Wayback
- Strike out features that are confirmed safe after deep review
- Use last quarter's map as a starting point for the next target in the same sector
Then, and only then, open Burp
With the map in front of you, Burp becomes a precision tool, not a slot machine. You know what to proxy, what to fuzz, and what to ignore. The hunters who consistently top leaderboards on HackerOne and Bugcrowd are not the ones with the fastest fingers. They are the ones with the clearest maps.