Attack Surface

Organized by what you're attacking, not by vulnerability class. The same bug class (say IDOR) looks completely different on a REST API vs. a GraphQL endpoint vs. a mobile app's local storage. Context matters.

Web Applications

The bread and butter. Authentication, authorization, injection, SSRF, client-side vulns, business logic, infrastructure misconfigs. Deepest section because it's where most of the bounty money is.

flowchart TD
    W["Web Attack Surface"]
    W --> W1["Authentication"]
    W --> W2["Authorization"]
    W --> W3["Injection"]
    W --> W4["SSRF"]
    W --> W5["Client-Side"]
    W --> W6["Business Logic"]
    W --> W7["Infrastructure"]

APIs

REST, GraphQL, gRPC, and WebSocket APIs. Attack patterns overlap with web, but the enumeration and testing approach is different enough to warrant its own section.

Mobile Applications

Android and iOS. The app itself is a goldmine of hardcoded secrets, API endpoints, and client-side logic you can reverse engineer. The interesting bugs are usually in how the mobile app talks to the backend, not in the app itself.

Cloud Infrastructure

AWS, Azure, GCP. Bucket misconfigs, IAM privilege escalation, serverless exploitation, the ever-popular metadata endpoint. Natural escalation path for SSRF findings.

CI/CD Pipelines

GitHub Actions, GitLab CI, Jenkins. Supply chain attacks through build pipelines. Increasingly popular attack surface as more companies expose their CI/CD to external contributors.

Choosing Your Focus

You don't need to be good at all of these. Most successful hunters specialise in one or two attack surfaces and go deep. If you're starting out, web applications are the best investment. Largest number of programs, most documentation, widest variety of bugs.

If you want to differentiate yourself though, the less crowded surfaces (cloud, CI/CD, mobile) have a better competition-to-reward ratio. Fewer hunters means fewer duplicates.