Recon Methodology

Subdomain enumeration

python3 spyhunt.py -s DOMAIN --save subdomains.txt

Probe subdomains to find valid ones

python3 spyhunt.py -p subdomains.txt

Enumerate subdomains to check for status codes, web servers, etc.

cat subdomains.txt | httpx -sc -td -ip
# look for the 200 and 302 status codes

Start fuzzing subdomains that you find interesting

  • Basics:
dirsearch -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -x 404,403,500,429,301,302
 
feroxbuster -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt -C 404,403,429,400,401,405,302
 
feroxbuster -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -C 404,403,429,400,401,405,302
 
gobuster dir -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt -b 403,404 -n
  • For API endpoints:
dirsearch -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common-api-endpoints-mazen160.txt -x 404,403,500,429,301,302
 
dirsearch -u https://DOMAIN -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -x 404,403,500,429,301,302

Using Nmap to find additional open ports on the system

nmap -sV -sC -p- --min-rate 5000 -T4 DOMAIN -Pn > scan.txt

More commands in Nmap 👁️‍🗨️

Checking web technologies using Wappalyzer and Snov.io

Just use them

Check the website for any user input (for injections)

paramspider -d DOMAIN
# Now find the file of saved URLs that the program output
nuclei -l /path/to/results/DOMAIN.txt -tags lfi,rfi,sqli

Extract Javascript files to find hidden endpoints

python3 spyhunt.py -j https://DOMAIN
python3 spyhunt.py -w https://DOMAIN > old_endpoints.txt

For manual check: more info in OSINT 👻

Now you are able to check for basic vulnerabilities like information disclosure, any type of injection, and more :D

Gather information with BurpSuite or ZAP

Capture requests and look for anything interesting