Bug Bounty Methodology


1. Reconnaissance

Subdomains often hide forgotten features, admin panels, or unpatched vulnerabilities. Use multiple tools for better coverage.

1.1 Subdomain Enumeration

Subdomain enumeration has two phases: passive and active. Combine results and deduplicate.

1.1.1 Passive Subdomain Enumeration

  • Tools: Subfinder, Findomain, Amass, Assetfinder, Sublist3r (Shuffledns is a resolver/brute-forcer and belongs to the active phase)

Subfinder

subfinder
subfinder -d target.com -all -recursive -t 200 -silent -o subfinder-recursive.txt

Findomain

findomain
findomain --quiet -t target.com | tee findomain.txt

Amass

amass
amass enum -passive -d target.com -o amass.txt

Assetfinder

assetfinder
assetfinder -subs-only target.com | tee assetfinder.txt

Sublist3r

sublist3r
sublist3r -d target.com -t 50 -o sublist3r.txt

crt.sh

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > crtsh.txt

Methodology: run Subfinder (with API keys configured in its provider config) together with Assetfinder, then merge every tool's output into one text file.

1.1.2 Active Subdomain Enumeration

Active enumeration involves brute-forcing subdomains using wordlists and DNS queries.

  • Tools: Subbrute, MassDNS, FFUF, DNSX

Subbrute

subbrute
python3 subbrute.py target.com -w wordlist.txt -o brute_subs.txt

MassDNS

massdns subbrute
./Tools/massdns/scripts/subbrute.py target.com /usr/share/wordlists/2m-subdomains.txt | massdns -r /usr/share/wordlists/resolvers.txt -t A -o S -w target.com.txt

ffuf (Host header technique)

ffuf (subdomain host header)
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w /usr/share/wordlists/subdomains.txt -t 100 -fc 403 | tee ffuf_subs_output.txt

Post-process ffuf results

ffuf postprocess
awk '/\[Status:/ {print $1 ".target.com"}' ffuf_subs_output.txt | sort -u > ffuf-subs-final.txt

Combine results (anew)

combine results
cat subfinder*.txt findomain.txt amass.txt assetfinder.txt sublist3r.txt crtsh.txt brute_subs.txt ffuf-subs-final.txt | tr 'A-Z' 'a-z' | sort -u | anew all_subdomains.txt
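The merge step above is where most lists get polluted: tools disagree on case, crt.sh emits wildcard entries, DNS tools append a trailing dot, some print full URLs, and a look-alike such as target.com.evil.net passes a naive suffix check. The following is an added example (not code from the original page or from any of the tools named) that canonicalizes each line, keeps only in-scope hosts, and records how many sources corroborate each one. The sample outputs are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what the tools above typically emit for one target:
# mixed case, crt.sh wildcards, a trailing dot, a full URL, an out-of-scope
# look-alike host and duplicates. Not real tool output.
SAMPLE_OUTPUTS: Dict[str, List[str]] = {
    "subfinder":   ["www.target.com", "API.target.com", "dev.target.com"],
    "crtsh":       ["*.target.com", "www.target.com", "*.api.target.com", "mail.target.com."],
    "assetfinder": ["https://dev.target.com/", "target.com", "target.com.evil.net", ""],
    "ffuf":        ["ADMIN.target.com", "api.target.com"],
}

# Hostname: dot-separated labels of [a-z0-9-], at least one dot, at most 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$"
)


def normalize(entry: str) -> Optional[str]:
    """Reduce one output line to a bare lowercase hostname, or None if it is not one."""
    s = entry.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)  # scheme from URL-style output
    s = s.split("/", 1)[0].split(":", 1)[0]       # path and port
    s = re.sub(r"^\*\.", "", s)                   # crt.sh wildcard prefix
    s = s.rstrip(".")                             # trailing dot from DNS tools
    return s if HOSTNAME_RE.match(s) else None


def in_scope(host: str, root: str) -> bool:
    """The root itself or a real subdomain of it. A plain suffix match would
    also accept target.com.evil.net, which is why the dot is required."""
    return host == root or host.endswith("." + root)


def merge(outputs: Dict[str, List[str]], root: str) -> List[Tuple[str, int]]:
    """Union of all sources, deduplicated, with the number of distinct sources
    that reported each host (a hint for which results are worth trusting first)."""
    sources: Dict[str, set] = {}
    for tool, lines in outputs.items():
        for line in lines:
            host = normalize(line)
            if host and in_scope(host, root):
                sources.setdefault(host, set()).add(tool)
    return sorted((h, len(t)) for h, t in sources.items())


def hosts_only(merged: List[Tuple[str, int]]) -> List[str]:
    return [h for h, _ in merged]


if __name__ == "__main__":
    for host, n in merge(SAMPLE_OUTPUTS, "target.com"):
        print(f"{host}\t{n} source(s)")
```

Feed it real files by reading each tool's output into the dictionary; the hostname regex also drops junk lines such as tool banners that sometimes end up in tee'd output.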

1.2 DNS Resolution

Once you’ve gathered subdomains, check which ones are live by resolving their DNS records.

  • Tools: dnsx, Shuffledns, MassDNS

Shuffledns

shuffledns
shuffledns -d target.com -list all_subdomains.txt -r resolvers.txt -o live_subs.txt

dnsx

dnsx
dnsx -l all_subdomains.txt -r /usr/share/wordlists/resolvers.txt -o live_subs.txt

MassDNS

massdns
massdns -r /usr/share/wordlists/resolvers.txt -t A -o S -w massdns_resolved.txt all_subdomains.txt

Subzy (subdomain takeover check)

subzy
subzy run --targets subdomains.txt

Collect IP addresses

dnsx IP output
dnsx -l live_subs.txt -a -resp -o live_with_ips.txt
dnsx -l live_subs.txt -a -resp-only | sort -u > ips.txt

-resp keeps the hostname next to each A record; -resp-only prints only the addresses, which is the input the reverse lookup below needs.

Reverse DNS (dnsx)

reverse dns
dnsx -l ips.txt -ptr -resp -r /usr/share/wordlists/resolvers.txt -o reverse_dns.txt

1.3 HTTP Probing (Identifying Live Web Services)

  • Tools: httpx, httprobe

httpx

httpx
httpx -l live_subs.txt -title -sc -location -p 80,443,8000,8080,8443 -td -cl -probe -o httpx_output.txt

Get reachable domains

filter httpx results
cat httpx_output.txt | grep -v "FAILED" | awk '{print $1}' | tee probed_domains.txt

Other httpx examples

httpx simple
httpx simple
httpx -l subdomains.txt -o alive_subdomains.txt
httpx toolkit (on Kali the ProjectDiscovery binary is packaged as httpx-toolkit so it does not clash with the Python httpx client)
httpx-toolkit -l subdomains.txt -ports 80,8080,443,8000,8888 -threads 200 -o subdomains_alive.txt

1.4 Screenshotting Web Services

  • Tools: Aquatone, EyeWitness, Gowitness

Aquatone

aquatone
cat web_servers.txt | aquatone -out screenshots/

gowitness

gowitness
gowitness scan file -f probed_domains.txt --threads 10 --screenshot-path screenshots/ --write-db

1.5 Content Discovery (Directory and File Bruteforcing)

  • Tools: FFuF, Dirsearch, Gobuster, Feroxbuster

dirsearch

dirsearch example
dirsearch -w /usr/share/wordlists/custom.txt --full-url --random-agent -x 404,400 -e php,html,js,json,ini -u https://target.com/

Deep dirsearch example

dirsearch deep
dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql,asp,aspx,asp~,py~,rb,rb~,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp~,lock,log,rar,old,sql.gz,sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip -i 200 --full-url --deep-recursive -w /usr/share/wordlists/custom.txt --exclude-subdirs .well-known/,wp-includes/,wp-json/,faq/,Company/,Blog/,Careers/,Contact/,About/,IMAGE/,Images/,Logos/,Videos/,feed/,resources/,banner/,assets/,css/,fonts/,img/,images/,js/,media/,static/,templates/,uploads/,vendor/ --exclude-sizes 0B --skip-on-status 429 --random-agent -u http://target.com/

feroxbuster

feroxbuster
cat probed_domains.txt | feroxbuster --stdin -s 200 --no-recursion -k --random-agent --no-state -r -W 0 -w /usr/share/wordlists/custom.txt

ffuf

ffuf directory
ffuf -w /usr/share/wordlists/custom.txt -t 75 -ac -mc 200,405,401,415,302,301 -u https://target.com/FUZZ

gobuster

gobuster with xargs
xargs -a probed_domains.txt -I@ sh -c 'gobuster dir -u "@" --no-error -f -q -k -e --random-agent -w /usr/share/wordlists/custom.txt' | tee -a gobuster.txt

1.6 Parameter Discovery

Fuzzing parameter names can reveal hidden parameters that reach injection sinks such as SQLi or XSS.

  • Tools: Arjun, FFuF, Paramspider

Arjun

arjun
arjun -u "https://target.com" -m get --stable

ffuf parameter fuzzing

ffuf params
ffuf -u "https://target.com/page.php?FUZZ=test" -w param_wordlist.txt -ac

paramspider

paramspider
paramspider -d target.com --subs

1.7 Archived URLs

Use archived data (Wayback Machine, Common Crawl) to find older endpoints/parameters.

  • Tools: GAU, Waybackurls, Katana

GAU

gau
gau target.com | anew gau_urls.txt

GAU + httpx

gau + httpx
cat subs.txt | gauplus -subs -b png,jpg,gif,jpeg,swf,woff,gif,svg -o allUrls.txt ; cat allUrls.txt | httpx -mc 200,403 -o liveallurls.txt

Waybackurls

waybackurls
waybackurls target.com | anew wayback_urls.txt

Katana

katana
katana -passive -pss waybackarchive,commoncrawl,alienvault -f qurl -u target.com | anew katana_urls.txt

1.8 Filtering Interesting URLs

  • Tools: GF

GF usage

gf filters
cat gau_urls.txt | gf xss | anew xss_candidates.txt
cat gau_urls.txt | gf sqli | anew sqli_candidates.txt
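What gf does with the archived URL list is a parameter-name match against per-class patterns; the added example below (not the gf patterns themselves, and not code from the original page) shows that logic together with the deduplication step that usually precedes it: URLs that differ only in parameter values are the same endpoint and only need testing once. The pattern lists are a hand-picked sample and the URLs are constructed.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter names that typically reach each sink. A hand-picked sample in the
# spirit of the gf community patterns, not the gf pattern files themselves.
PATTERNS: Dict[str, Set[str]] = {
    "xss":      {"q", "s", "search", "query", "keyword", "lang", "name", "msg", "callback"},
    "sqli":     {"id", "uid", "user", "item", "cat", "category", "order", "page", "pid", "sort"},
    "lfi":      {"file", "path", "page", "include", "template", "doc", "dir", "folder"},
    "redirect": {"url", "next", "redirect", "return", "returnurl", "goto", "dest", "continue"},
    "ssrf":     {"url", "uri", "host", "domain", "callback", "fetch", "proxy", "site", "dest"},
}
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2", ".css", ".ico")


def param_names(url: str) -> Set[str]:
    return {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}


def classify(url: str) -> Set[str]:
    names = param_names(url)
    return {cls for cls, words in PATTERNS.items() if names & words}


def query_shape(url: str) -> Tuple[str, str, str, Tuple[str, ...]]:
    """Identity of a URL ignoring parameter values and order. Two URLs with the
    same shape exercise the same server code path (what urldedupe -qs keys on)."""
    p = urlsplit(url)
    return (p.scheme, p.netloc.lower(), p.path, tuple(sorted(param_names(url))))


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Bucket unique, parameterized, non-static URLs by the sink class they may reach."""
    buckets: Dict[str, List[str]] = {cls: [] for cls in PATTERNS}
    seen = set()
    for u in urls:
        path = urlsplit(u).path.lower()
        if path.endswith(STATIC_EXT) or not param_names(u):
            continue  # static asset or nothing to inject into
        shape = query_shape(u)
        if shape in seen:
            continue  # same endpoint and parameter set, only the values differ
        seen.add(shape)
        for cls in classify(u):
            buckets[cls].append(u)
    return buckets


# Constructed sample of archived URLs (not real crawl output).
SAMPLE_URLS = [
    "https://target.com/search?q=shoes&page=2",
    "https://target.com/search?page=3&q=boots",
    "https://target.com/product.php?id=17",
    "https://target.com/download?file=report.pdf",
    "https://target.com/login?next=/account",
    "https://target.com/static/app.js",
    "https://target.com/logo.png?v=3",
    "https://target.com/fetch?url=http://example.org/feed",
]

if __name__ == "__main__":
    for cls, urls in triage(SAMPLE_URLS).items():
        print(cls, urls)
```

One URL can land in several buckets (a page parameter is both a SQLi and an LFI candidate); that is intended, since the same input may reach more than one sink.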

1.9 Crawling and Spidering

Automated crawling finds deeper endpoints, hidden forms, and parameters.

  • Tools: Katana, Gospider, Hakrawler

Katana

katana crawl
katana -list probed_domains.txt -silent -o katana_crawl.txt

Gospider

gospider
gospider -s https://target.com -d 1 -o gospider_crawl.txt

1.10 ASN and IP Range Enumeration

Identify the target’s IP range to expand the attack surface.

  • Tools: Amass, Censys, Shodan, Netcraft

Amass ASN

amass intel
amass intel -asn <ASN_Number> -o asn_targets.txt

1.11 Cloud Asset Enumeration

Cloud providers often expose assets or storage buckets that can be publicly accessible.

  • Tools: cloud_enum, S3Scanner

CloudEnum

cloud_enum
cloud_enum -k target.com

1.12 Fingerprinting Web Technologies

Knowing the CMS, frameworks, or web server helps tailor attacks.

  • Tools: Wappalyzer, WhatWeb

WhatWeb

whatweb
whatweb target.com

2. Mapping the Attack Surface

After collecting subdomains, URLs, and ports, map the target’s attack surface—vulnerable technologies, hidden paths, and JS-exposed endpoints.

2.1 JS File Analysis

JavaScript files can leak API keys, hardcoded secrets, or useful endpoints.

  • Tools: LinkFinder, JSFinder, subjs, SecretFinder, Katana

LinkFinder

linkfinder
python3 linkfinder.py -i https://target.com/app.js -o cli

SubJS

subjs
subjs -i https://target.com | anew js_endpoints.txt

Katana JS listing

katana js
katana -list probed_domains.txt -jc | grep "\.js"

SecretFinder

secretfinder loop
cat jsfiles.txt | while read -r url; do python3 SecretFinder.py -i "$url" -o cli >> secret.txt; done

3. Vulnerability Testing

Now comes the testing phase — find actual bugs. Below are common classes and testing tips.

3.1 XSS

Cross-site scripting occurs when input is not sanitized and allows JS injection.

  • Tools: KXSS, XSStrike, Dalfox

KXSS

kxss
cat xss.txt | kxss | grep "\" ' < >" | tee kxss.txt
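kxss works by reflecting a canary plus one special character per request and reporting which of " ' < > come back unencoded; the grep above then keeps only parameters where all four survive. The added example below (not kxss's code and not from the original page) reproduces that check offline against three constructed page renderers: one that reflects input raw, one that escapes it properly, and one that escapes only quotes. No network is involved; the renderers stand in for the target.

```python
import html
from typing import Callable, Dict

CANARY = "kxss7q2"   # short token that will not occur naturally in the page
SPECIALS = '"\'<>'    # the four characters kxss probes


# Constructed stand-ins for the target's page (assumption: a search form that
# reflects q into an attribute and into a text node).
def render_vulnerable(q: str) -> str:
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_escaped(q: str) -> str:
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def render_quotes_only(q: str) -> str:
    safe = q.replace('"', "&quot;").replace("'", "&#x27;")
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def unfiltered_chars(render: Callable[[str], str], canary: str = CANARY,
                     specials: str = SPECIALS) -> str:
    """One request per special character, as kxss does: send canary+c and
    report the characters that appear byte-for-byte after the canary."""
    survived = []
    for c in specials:
        body = render(canary + c)
        if canary + c in body:
            survived.append(c)
    return "".join(survived)


def is_candidate(render: Callable[[str], str]) -> bool:
    """Equivalent of the grep above: every one of \" ' < > reflected unencoded."""
    return unfiltered_chars(render) == SPECIALS


def report(targets: Dict[str, Callable[[str], str]]) -> Dict[str, str]:
    return {name: unfiltered_chars(r) for name, r in targets.items()}


if __name__ == "__main__":
    for name, chars in report({
        "raw": render_vulnerable,
        "escaped": render_escaped,
        "quotes-only": render_quotes_only,
    }).items():
        print(f"{name:12s} unfiltered: [{chars}]  candidate: {is_candidate(lambda q, r=chars: '')}")
```

The quotes-only renderer is the case the strict grep throws away: < and > still survive, which is enough for a payload in the text-node context even though the attribute context is closed off. Read the per-character output and the reflection context before discarding a parameter.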

dalfox

dalfox
dalfox url "https://target.com/?q=search" -o dalfox_xss.txt

3.2 SQLi

SQLi allows attackers to manipulate DB queries and extract data.

  • Tools: SQLMap, manual payloads, ghauri

sqlmap

sqlmap
sqlmap -u "https://target.com/product.php?id=1" --dbs

ghauri

ghauri
ghauri -u 'URL' --data "params with * for payload injection" --batch --flush-session

3.3 SSRF

Server-side request forgery tricks the server into making requests to internal services.

  • Tools: Gopherus, Burp Suite, SSRFMap

3.4 IDOR

Insecure direct object references allow accessing other users’ data by manipulating object identifiers.

  • Tools: Burp Suite, Postman

  • Testing method: Change the ID parameter in the URL or body and observe if data from other users is exposed.
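The testing method above compares what one session can read at its own id against what it can read at someone else's. The added example below (not from the original page) models that comparison against two constructed handlers: one that authenticates but never authorizes, and one that checks object ownership. The in-memory order table and the user names are constructed for the example.

```python
from typing import Callable, Dict

# Constructed data: two users, each owning one order with a sensitive field.
ORDERS: Dict[int, Dict[str, object]] = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "4242"},
    1002: {"owner": "bob",   "total": 13.37, "card_last4": "1337"},
}


class NotFound(Exception):
    pass


def get_order_vulnerable(session_user: str, order_id: int) -> Dict[str, object]:
    """Authentication only: a session exists, so the lookup proceeds. Nothing
    ties the record to the caller, which is the IDOR."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_fixed(session_user: str, order_id: int) -> Dict[str, object]:
    """Authorization on the object: the record must belong to the caller.
    Missing and foreign records both answer 404 so ids cannot be enumerated
    by watching for a 403."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        raise NotFound(order_id)
    return order


Handler = Callable[[str, int], Dict[str, object]]


def idor_probe(handler: Handler, my_user: str, my_id: int, other_id: int) -> Dict[str, bool]:
    """The manual test from the page: fetch your own object, then swap in the
    other id with the same session, and compare the outcomes."""
    own = handler(my_user, my_id)
    try:
        foreign = handler(my_user, other_id)
    except NotFound:
        return {"own_ok": own["owner"] == my_user, "idor": False}
    return {"own_ok": own["owner"] == my_user, "idor": foreign["owner"] != my_user}


if __name__ == "__main__":
    for name, h in (("vulnerable", get_order_vulnerable), ("fixed", get_order_fixed)):
        print(name, idor_probe(h, "alice", 1001, 1002))
```

When testing a real target, the "other id" should belong to a second account you control, so that the evidence in the report does not involve a real user's data.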

3.5 Open Redirect

Occurs when applications redirect to untrusted sites without validation.

  • Tools: Burp Suite, manual payloads

3.6 File Upload Vulnerabilities

Improper file upload config can allow malicious files (web shells) to be uploaded/executed.

  • Tools: Burp Suite, manual payloads

  • Payload example: upload a .php, .jsp or .aspx file and request it back; if the server executes it instead of serving it as a static download, the upload handler is exploitable.

3.7 CORS

Misconfigured CORS policies can enable cross-origin attacks.

  • Tools: Corsy

3.8 LFI

Local file inclusion can expose system files.

  • Tools: dotdotpwn

Oneliner example

LFI oneliner
cat URL_FILE | qsreplace "/etc/passwd" | while read -r url; do curl -s "$url" | grep -q "root:x:" && echo "$url is vulnerable"; done

4. Advanced Enumeration & Attack Techniques

Advanced techniques can find higher-impact vulnerabilities.

4.1 SSRF to Internal Port Scanning

SSRF can be abused to scan internal networks and services. Use Burp Suite for manual testing or automate with ffuf/dnsx for large-scale probing.
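The targets an SSRF probe reaches first are the ones a URL validator tends to miss: the cloud metadata address 169.254.169.254, an IPv6-mapped literal such as [::ffff:127.0.0.1], and a hostname that resolves to a public address on the first lookup and a loopback address on the second (DNS rebinding). The added example below (not from the original page) is the check a fix needs to pass: it rejects non-http schemes, unwraps mapped addresses, resolves once and pins the result, and refuses any answer that is not globally routable. DNS is replaced by a constructed table so it runs offline; 8.8.8.8 is only a placeholder for "some public address".

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS. The rebinding entry returns two addresses, one
# of them loopback, which is what a rebinding attacker arranges.
FAKE_DNS: Dict[str, List[str]] = {
    "api.partner.example":     ["8.8.8.8"],
    "internal.target.com":     ["10.0.0.5"],
    "rebind.attacker.example": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def is_public_ip(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:169.254.169.254 is an IPv6 literal that still reaches the IPv4
    # metadata service; test the embedded IPv4 address, not the wrapper.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local, multicast,
    # reserved and unspecified ranges alike.
    return ip.is_global


def check_url(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). On success the reason names the pinned IP the
    caller must connect to; re-resolving at connect time reopens rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased, brackets and userinfo already stripped
    if not host:
        return False, "no host"
    try:
        ips = [str(ipaddress.ip_address(host))]  # dotted IPv4 or IPv6 literal
    except ValueError:
        ips = resolve(host)                       # hostname: resolve once, pin result
    if not ips:
        return False, f"{host} does not resolve"
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        return False, f"{host} resolves to non-public {bad}"
    return True, f"connect to {ips[0]}"


if __name__ == "__main__":
    for u in ("http://api.partner.example/data",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "http://rebind.attacker.example/",
              "http://user:pw@internal.target.com/",
              "file:///etc/passwd"):
        print(u, check_url(u))
```

Forms such as 0x7f000001 or 2130706433 are not accepted by ipaddress and fall through to the resolver here; a real libc resolver may turn them into 127.0.0.1, so the post-resolution check on the pinned address is the one that matters, not the syntax check.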

4.2 Host Header Injection

Manipulating the Host header may bypass access controls, trigger SSRF-like behavior, or enable cache poisoning.

  • Tool: Burp Suite

4.3 Cache Poisoning

Craft requests to pollute caches with malicious content, possibly leading to XSS or other attacks.

  • Tool: Burp Suite or manual payloads

Payload example

cache poisoning xss payload
https://target.com/?q=<script>alert('xss')</script>

5. Post-Exploitation & Reporting

Document findings clearly so the target can reproduce and remediate issues.

5.1 Document Your Findings

  • Take clear screenshots of exploitation steps.

  • Include tools used, exact URLs tested, and payloads.

  • Offer remediation advice (code fixes, config changes, security practices).

5.2 Prioritize by Impact

  • Highlight high-risk vulnerabilities (unauthorized data access, RCE).

  • Use scoring frameworks like CVSS to assess severity.

5.3 Submit a Clear Report

  • Use platforms like HackerOne, Bugcrowd, or contact the company directly.

  • Keep reports concise but informative with reproduction steps, screenshots, tools, and payloads.

Related resources:

  • Tools: https://www.notion.so/Tools-191110a35b6a8049b205e417c5718501?pvs=21

  • Mindmap: https://www.notion.so/Mindmap-192110a35b6a80788be9ce08af83932a?pvs=21

  • Cheatsheet: https://www.notion.so/Cheatsheet-193110a35b6a803c9de1fbdc4116f0f9?pvs=21


EXTRA. Other techniques

Fast automated XSS with airixss

Take the URLs archived for the domain (waybackurls), drop duplicates, replace every query-string value with the payload, hand the result to airixss, and finally filter out the lines reported as not vulnerable.

Airixss: https://github.com/ferreiraklet/airixss

waybackurls domain.com | urldedupe -qs | qsreplace '</script><script>confirm(1)</script>' | airixss -payload "confirm(1)" | grep -Ev 'Not'

Find Origin IP behind Cloudflare

Inspect the favicon hash. First get the favicon URL with:

Get the hash with:

And with the hash do Shodan hunting with the filter:

http.favicon.hash:[hash]

In censys (more effective)

services.http.response.favicons.md5_hash:[hash]
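The two search engines key the favicon differently, and getting either hash wrong by a single byte turns up nothing. Shodan uses MurmurHash3 (x86, 32-bit, seed 0) over the base64 text of the file, including the 76-column line breaks and trailing newline that Python's base64 encoder inserts, presented as a signed 32-bit integer; Censys uses the MD5 of the raw bytes. The added example below (not from the original page) implements MurmurHash3 in pure Python so nothing beyond the standard library is needed, and builds both queries. The favicon bytes are constructed; fetch the real one from the target and pass its bytes in.

```python
import base64
import hashlib
import struct
from typing import Dict

MASK = 0xFFFFFFFF


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 (the function behind mmh3.hash). Returns unsigned 32-bit."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                     # body: 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xE6546B64) & MASK
    tail = data[nblocks * 4:]                    # tail: 0-3 remaining bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
    h ^= len(data)                               # finalization (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan convention: hash the base64 *text* (76-char lines, trailing newline,
    exactly what codecs.encode(data, 'base64') produces) as a signed 32-bit int."""
    h = murmur3_32(base64.encodebytes(favicon))
    return h - (1 << 32) if h & 0x80000000 else h


def censys_favicon_hash(favicon: bytes) -> str:
    """Censys convention: MD5 of the raw file bytes."""
    return hashlib.md5(favicon).hexdigest()


def search_queries(favicon: bytes) -> Dict[str, str]:
    return {
        "shodan": f"http.favicon.hash:{shodan_favicon_hash(favicon)}",
        "censys": f"services.http.response.favicons.md5_hash:{censys_favicon_hash(favicon)}",
    }


# Constructed placeholder bytes (an ICO header followed by filler), not a real icon.
FAVICON = bytes([0x00, 0x00, 0x01, 0x00, 0x01, 0x00]) + b"constructed-not-a-real-icon" * 4

if __name__ == "__main__":
    for engine, query in search_queries(FAVICON).items():
        print(f"{engine:7s} {query}")
```

Stripping the newlines from the base64 before hashing, or hashing the raw bytes, yields a value Shodan will never have indexed; that mismatch is the usual reason a favicon pivot "finds nothing".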
