[HackerNotes Ep. 145]: Gr3pme's Secret: Bug Bounty Note Taking Methodology
In this episode of the CTBB podcast, Brandyn lets us in on some of his note-taking tips, including his templates, his approach to threat modeling, and the ways he uses notes to support collaboration.
Hacker TLDR;
Syntax Confusion: Two or more components in a system may interpret the same input differently due to ambiguous or inconsistent syntax rules. Learn more in YesWeHack's new blog: The Minefield Between Syntaxes: Exploiting Syntax Confusions in the Wild
The Note GOAT: Download Brandyn's note templates:
Today’s Sponsor
With ThreatLocker® Network Control, you regain complete control over network access, no matter where your employees connect from. While traditional firewalls rely on static ACLs that require manual reconfiguration for every new location, our Zero Trust network protection solution provides your organization with:
✓ Direct connections between clients and servers
✓ A centrally managed firewall for every endpoint and server
✓ Dynamic access control that adapts automatically
✓ Granular policies by IP, user, device, or keyword
✓ Automatic port closure and invisibility to unauthorized devices
Start controlling your network—wherever your team works.
Syntax Confusion
In a YesWeHack article, Brumens shares his research on 'syntax confusion'.
Syntax confusion occurs when two or more components in a system interpret the same input differently due to ambiguous or inconsistent syntax rules... Modern web applications often involve a chain of parsers: a browser normalises input, a CDN may rewrite it, a proxy forwards, the application framework parses it, and helper libraries interpret it again. If any two stages disagree on what the input ‘means’ semantically, validation applied at one stage may no longer hold in another – creating a consistent path from ‘sanitised’ input to exploitable behaviour.
Some syntactic quirks that can be used to bypass protections are:
C
In the C programming language, certain multi-character sequences are read as a single character or token. Trigraphs are replaced in the very first translation phase, before tokenisation, so they are rewritten even inside string literals and comments. GCC only honours them in strict ISO modes (-std=c99 and so on) or with the -trigraphs flag, and C23 removes them from the language entirely.

Trigraphs:

| Character Sequence | Converts To |
|---|---|
| `??=` | `#` |
| `??/` | `\` |
| `??'` | `^` |
| `??(` | `[` |
| `??)` | `]` |
| `??!` | `\|` |
| `??<` | `{` |
| `??>` | `}` |
| `??-` | `~` |
Digraphs:

Digraphs are alternative spellings of punctuator tokens. They are recognised by the tokeniser in every C mode, but, unlike trigraphs, they are not replaced inside string or character literals (`%:%:` likewise spells `##`).

| Character Sequence | Converts To |
|---|---|
| `<:` | `[` |
| `:>` | `]` |
| `<%` | `{` |
| `%>` | `}` |
| `%:` | `#` |
Check out Mini-post: Digraphs and Trigraphs by William Woodruff for more information.
Python/Perl
Python and Perl let you escape a Unicode character by its name with the `\N{NAME}` syntax in string literals (Perl accepts it in regular expressions too, and Python's re module does since 3.8), so a character can appear in source without its literal form ever being written. For example:

| Escape | Converts To |
|---|---|
| `\N{LESS-THAN SIGN}` | `<` |
| `\N{GREATER-THAN SIGN}` | `>` |
| `\N{SOLIDUS}` | `/` |
| `\N{QUOTATION MARK}` | `"` |

Unicode character names are available at: https://www.unicode.org/charts/charindex.html
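The C trigraph/digraph rewrites and the `\N{NAME}` escapes share one pattern: a filter that inspects text before the compiler or the string-literal decoder has rewritten it is looking for characters that are not there yet. The following Python is an added example (not code from the YesWeHack article or the podcast). It implements the C translation-phase-1 trigraph replacement, digraph token substitution outside string and character literals (simplified: no comment handling and no C++ `<::` special case), decodes Python escapes with the standard `unicode_escape` codec, and runs a constructed banned-substring filter over both the raw and the decoded input. The banned list, the sample inputs and the helper names are assumptions made for the demonstration.

```python
import codecs

# Added example for the HackerNotes write-up, not code from the article.
# A naive filter reads the raw text; the C front end and the Python string
# decoder each rewrite that text before it means anything.

# C translation phase 1: each three-character sequence becomes one
# character, even inside string literals and comments.
TRIGRAPHS = {
    "??=": "#", "??/": "\\", "??'": "^",
    "??(": "[", "??)": "]", "??!": "|",
    "??<": "{", "??>": "}", "??-": "~",
}

# Digraphs are alternative spellings of tokens, so they are only recognised
# outside string and character literals. Longest match first.
DIGRAPHS = (("%:%:", "##"), ("<:", "["), (":>", "]"),
            ("<%", "{"), ("%>", "}"), ("%:", "#"))


def replace_trigraphs(src: str) -> str:
    out, i = [], 0
    while i < len(src):
        tri = src[i:i + 3]
        if tri in TRIGRAPHS:
            out.append(TRIGRAPHS[tri])
            i += 3
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def replace_digraphs(src: str) -> str:
    out, i, quote = [], 0, None
    while i < len(src):
        c = src[i]
        if quote:                       # inside "..." or '...': copy verbatim
            out.append(c)
            if c == "\\" and i + 1 < len(src):
                out.append(src[i + 1])  # keep an escaped quote intact
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
            continue
        if c in "\"'":
            quote = c
            out.append(c)
            i += 1
            continue
        for seq, tok in DIGRAPHS:
            if src.startswith(seq, i):
                out.append(tok)
                i += len(seq)
                break
        else:
            out.append(c)
            i += 1
    return "".join(out)


def translate_c(src: str) -> str:
    """What the C front end sees: trigraphs first (phase 1), then digraph tokens."""
    return replace_digraphs(replace_trigraphs(src))


def decode_python_literal(src: str) -> str:
    """What Python's string-literal decoder produces, \\N{NAME} escapes included."""
    return src.encode("latin-1", "backslashreplace").decode("unicode_escape")


# Assumed banned substrings for a hypothetical source/content filter.
BANNED = ("#include", "#define", "<script")


def naive_filter_allows(text: str) -> bool:
    """Filter that inspects the raw text and never applies either decoder."""
    return not any(b in text for b in BANNED)


# Constructed sample inputs for the demonstration.
C_SAMPLE = (
    '??=include <stdlib.h>\n'
    '%:define RUN system("id")\n'
    'int main(void) <% RUN; return 0; %>\n'
)
PY_SAMPLE = r"\N{LESS-THAN SIGN}script>alert(1)\N{LESS-THAN SIGN}/script>"


if __name__ == "__main__":
    for label, raw, decode in (("C", C_SAMPLE, translate_c),
                               ("Python", PY_SAMPLE, decode_python_literal)):
        print(f"{label}: filter allows raw input: {naive_filter_allows(raw)}")
        print(f"{label}: filter allows decoded:   {naive_filter_allows(decode(raw))}")
```

Both samples pass the raw-text filter and fail it once decoded. The fix is the same in every such chain: validate after the last decoding step the consumer will apply, or run the consumer's own decoder before validating.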
Content-Disposition
The filename parameter of the Content-Disposition header suggests a name for a downloaded file (in a response) or names an uploaded file (in a multipart request):

```http
HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
```

```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="myfile.txt"
Content-Type: text/plain
```

An alternate syntax, the ext-value form from RFC 5987 (now RFC 8187) used by RFC 6266, appends an asterisk to the parameter name and lets you specify a charset, an optional language tag and a percent-encoded value:

```http
Content-Disposition: form-data; name="file"; filename*=UTF-8''myfile%0a.txt
```

If a system accepts filename* (RFC 6266 says it takes precedence over filename when both are present) but validates only the plain filename parameter, percent-encoding lets you smuggle control characters such as %0a or path separators past filename restrictions, which in some cases allows overwriting files.
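To make the filename/filename* mismatch concrete, here is an added example (not code from the article or the podcast) in Python: a minimal Content-Disposition parameter parser, an RFC 8187 ext-value decoder built on `urllib.parse.unquote`, a deliberately naive validator that only looks at the plain `filename`, and a hardened `safe_filename` that normalises the name the application will actually use before checking it. The header value, the function names and the validator rules are assumptions for the demonstration.

```python
from __future__ import annotations

import posixpath
from typing import Optional
from urllib.parse import unquote

# Added example for the HackerNotes write-up, not code from the article.


def parse_content_disposition(header: str) -> tuple[str, dict[str, str]]:
    """Split 'form-data; name="file"; filename="x"' into (disposition, params).

    Deliberately simple: no handling of ';' inside quoted strings, which is
    enough for the demonstration.
    """
    disposition, *parts = header.split(";")
    params: dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key] = value
    return disposition.strip().lower(), params


def decode_ext_value(value: str) -> str:
    """Decode the charset'language'pct-encoded form (RFC 8187 ext-value)."""
    charset, _language, encoded = value.split("'", 2)
    return unquote(encoded, encoding=charset or "utf-8", errors="strict")


def effective_filename(params: dict[str, str]) -> Optional[str]:
    """RFC 6266 section 4.3: when both are present, filename* takes precedence."""
    if "filename*" in params:
        return decode_ext_value(params["filename*"])
    return params.get("filename")


def naive_filename_ok(params: dict[str, str]) -> bool:
    """Validator that checks only the plain parameter: this is the bug."""
    name = params.get("filename", "")
    return (bool(name) and ".." not in name and "/" not in name
            and "\\" not in name and all(ord(c) >= 0x20 for c in name))


def safe_filename(name: Optional[str]) -> Optional[str]:
    """Hardened form: normalise the name actually used, then reject separators
    and control characters. Returns None when the name must be refused."""
    if not name:
        return None
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or any(ord(c) < 0x20 or ord(c) == 0x7F for c in base):
        return None
    return base


# Constructed sample: the plain filename is harmless, the ext-value is not.
SAMPLE = ('form-data; name="file"; filename="report.txt"; '
          "filename*=UTF-8''..%2F..%2Fconfig%0a.yml")


def demo(header: str = SAMPLE) -> tuple[bool, Optional[str], Optional[str]]:
    _, params = parse_content_disposition(header)
    actual = effective_filename(params)
    return naive_filename_ok(params), actual, safe_filename(actual)


if __name__ == "__main__":
    ok, actual, safe = demo()
    print("naive validator accepts:", ok)
    print("name the parser actually uses:", repr(actual))
    print("after hardening:", repr(safe))
```

The naive validator accepts the sample because `report.txt` is clean, while the name a spec-following parser uses is `../../config\n.yml`. Note that RFC 7578 says the ext-value form must not be used in multipart/form-data, yet parsers implementing the generic Content-Disposition grammar often accept it anyway, which is exactly the disagreement between stages the article describes.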
The 3rd /
While a file URI with an empty authority (file:///path) points to an absolute path on the local system, the same scheme can also name a file on another host with the syntax file://<host>/<path>; a check that only recognises the file:// prefix can confuse the two.
View the blog post to read about real world examples of syntax confusion.
The Note GOAT
Brandyn is actually the reason each episode is now accompanied by these notes.
A Template for the Templates
The real templates are available for download here; this template for the templates describes what, according to Brandyn, each section should contain.
# Target
Be organized from the start by using the program name or target as the H1 header.
## Scope & Credentials
In this section, list the assets in scope and any corresponding credentials.
## Behavior
In this section, describe the purpose of the application. It should serve as a quick reminder as to what's going on if you haven't tested this target for a bit. Include references such as:
- Documentation
- Release notes
- Scheduled demos
- Etc.
## Tech Stack
In this section, list the technologies in use, such as:
- The framework
- Programming language
- Database
- 3rd-party components:
  - Libraries
  - Widgets
  - Webhooks
  - Etc.
- Etc.
## Brainstorming/Risks
In this section, threat model and list possible attack vectors. For each attack vector, track what you have tried and have yet to try.
## High Signal
In this section, take note of:
- Critical findings
- Attack vectors that have a high chance of success
- Important patterns in behavior
- High-priority endpoints
- Etc.
## Error Oracles
In this section, list endpoints that can be used to infer information.
## Attack Paths + Gadgets
In this section, build out attack chains based on the previous two sections and the available gadgets.
## Tracker
In this section, keep track of:
- What there is left to do
- What is in progress
- What has been completed
If you have taken the time to set up JavaScript monitoring, Brandyn also has a note template for that.
In Closing
Implementing thorough note taking can help you level-up your hunting methodology.
As always, keep hacking!
