# Bug Bounty Methodology

{% stepper %}
{% step %}

### 1. Reconnaissance

Subdomains often hide forgotten features, admin panels, or unpatched vulnerabilities. Use multiple tools for better coverage.

#### 1.1 Subdomain Enumeration

Subdomain enumeration has two phases: passive and active. Combine results and deduplicate.

**1.1.1 Passive Subdomain Enumeration**

* Tools: Subfinder, Findomain, Amass, Assetfinder, Sublist3r, Shuffledns

Subfinder

{% code title="subfinder" %}

```bash
subfinder -d target.com -all -recursive -t 200 -silent -o subfinder-recursive.txt
```

{% endcode %}

Findomain

{% code title="findomain" %}

```bash
findomain --quiet -t target.com | tee findomain.txt
```

{% endcode %}

Amass

{% code title="amass" %}

```bash
amass enum -passive -d target.com -o amass.txt
```

{% endcode %}

Assetfinder

{% code title="assetfinder" %}

```bash
assetfinder -subs-only target.com | tee assetfinder.txt
```

{% endcode %}

Sublist3r

{% code title="sublist3r" %}

```bash
sublist3r -d target.com -t 50 -o sublist3r.txt
```

{% endcode %}

crt.sh (certificate transparency logs)

{% code title="crt.sh" %}

```bash
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > crtsh.txt
```

{% endcode %}

Methodology → subfinder (with API keys configured) plus assetfinder, all merged into one txt file.

**1.1.2 Active Subdomain Enumeration**

Active enumeration involves brute-forcing subdomains using wordlists and DNS queries.

* Tools: Subbrute, MassDNS, FFUF, DNSX

Subbrute

{% code title="subbrute" %}

```bash
python3 subbrute.py target.com -w wordlist.txt -o brute_subs.txt
```

{% endcode %}

MassDNS

{% code title="massdns subbrute" %}

```bash
./Tools/massdns/scripts/subbrute.py target.com /usr/share/wordlists/2m-subdomains.txt | massdns -r /usr/share/wordlists/resolvers.txt -t A -o S -w target.com.txt
```

{% endcode %}

ffuf (Host header technique)

{% code title="ffuf (subdomain host header)" %}

```bash
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w /usr/share/wordlists/subdomains.txt -t 100 -fc 403 | tee ffuf_subs_output.txt
```

{% endcode %}

Post-process ffuf results

{% code title="ffuf postprocess" %}

```bash
# ffuf text output is "<word>  [Status: ...]"; keep only result lines and append the domain
awk '$2 ~ /^\[Status:/ {print $1".target.com"}' ffuf_subs_output.txt >> ffuf-subs-final.txt
```

{% endcode %}

Combine results (anew)

{% code title="combine results" %}

```bash
cat *.txt | anew all_subdomains.txt
# without anew: sort and drop duplicates (write to a temp file so the glob does not read the output while it is written)
cat *.txt | sort -u > merged.tmp && mv merged.tmp all_subdomains.txt
```

{% endcode %}
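
The shell one-liners above merge raw tool output as-is; the example below, added here and not part of the original page or of any of the tools listed, does the same merge in Python with the three checks a practitioner wants before the list is used: names are normalized (lowercased, wildcard prefix and trailing dot removed, malformed entries rejected), crt.sh's multi-name `name_value` fields and ffuf's vhost output lines are parsed correctly, and anything outside the root domain (the lookalike domains crt.sh's `%.target.com` query also returns) is dropped so only in-scope assets survive. All sample tool output is constructed.

```python
import json
import re
from typing import Iterable, List, Optional

# Constructed sample tool output for this example (not real recon data).
SUBFINDER_OUT = "api.target.com\nAPI.target.com\nwww.target.com.\n"
CRTSH_JSON = json.dumps([
    {"name_value": "*.dev.target.com\nstaging.target.com"},   # several names per entry
    {"name_value": "mail.target.com"},
    {"name_value": "target.com.evil-lookalike.net"},          # matches "%.target.com" but is out of scope
])
FFUF_OUT = (
    "admin  [Status: 200, Size: 1234, Words: 10, Lines: 20]\n"
    ":: Progress: [100/100] :: Job [1/1] ::\n"
)

# RFC 1123 hostname: dotted labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize(name: str) -> Optional[str]:
    """Lowercase, drop a leading wildcard and a trailing dot; reject malformed names."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None


def in_scope(name: str, root: str) -> bool:
    """Only the root itself or a true subdomain of it, never a lookalike domain."""
    return name == root or name.endswith("." + root)


def parse_crtsh(raw_json: str) -> Iterable[str]:
    """crt.sh packs several names into one name_value field, newline separated."""
    for entry in json.loads(raw_json):
        yield from entry["name_value"].split("\n")


def parse_ffuf_vhosts(text: str, root: str) -> Iterable[str]:
    """ffuf text output is '<word>  [Status: ...]'; skip banner and progress lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("[Status:"):
            yield f"{parts[0]}.{root}"


def merge(root: str, *sources: Iterable[str]) -> List[str]:
    """Normalize, scope-filter and deduplicate every name from every source."""
    seen = set()
    for source in sources:
        for raw in source:
            name = normalize(raw)
            if name and in_scope(name, root):
                seen.add(name)
    return sorted(seen)


def run(root: str = "target.com") -> List[str]:
    """Merge the constructed samples; with real files, pass open(...).read().splitlines()."""
    return merge(
        root,
        SUBFINDER_OUT.splitlines(),
        parse_crtsh(CRTSH_JSON),
        parse_ffuf_vhosts(FFUF_OUT, root),
    )


if __name__ == "__main__":
    print("\n".join(run()))
```

The scope check is deliberately a suffix match on `.target.com`, not a substring match, because archived certificate data routinely contains third-party names that merely embed the root domain; testing those is out of scope for any program.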

#### 1.2 DNS Resolution

Once you’ve gathered subdomains, check which ones are live by resolving their DNS records.

* Tools: dnsx, Shuffledns, MassDNS

Shuffledns

{% code title="shuffledns" %}

```bash
shuffledns -d target.com -list all_subdomains.txt -r resolvers.txt -o live_subs.txt
```

{% endcode %}

dnsx

{% code title="dnsx" %}

```bash
dnsx -l all_subdomains.txt -r /usr/share/wordlists/resolvers.txt -o live_subs.txt
```

{% endcode %}

MassDNS

{% code title="massdns" %}

```bash
massdns -r /usr/share/wordlists/resolvers.txt -t A -o S -w massdns_resolved.txt all_subdomains.txt
```

{% endcode %}

Subzy (subdomain takeover check)

{% code title="subzy" %}

```bash
subzy run --targets all_subdomains.txt
```

{% endcode %}

Collect IP addresses

{% code title="dnsx IP output" %}

```bash
dnsx -l live_subs.txt -a -resp-only -o live_with_ips.txt
```

{% endcode %}

Reverse DNS (dnsx + massdns)

{% code title="reverse dns" %}

```bash
dnsx -l live_with_ips.txt -ptr -resp -o reverse_dns.txt
# massdns alternative: PTR queries need each IP in reversed in-addr.arpa form
awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}' live_with_ips.txt | massdns -r /usr/share/wordlists/resolvers.txt -q -o S -t PTR -w reverse_dns_massdns.txt
```

{% endcode %}

#### 1.3 HTTP Probing (Identifying Live Web Services)

* Tools: httpx, httprobe

httpx

{% code title="httpx" %}

```bash
httpx -l live_subs.txt -title -sc -location -p 80,443,8000,8080,8443 -td -cl -probe -o httpx_output.txt
```

{% endcode %}

Get reachable domains

{% code title="filter httpx results" %}

```bash
cat httpx_output.txt | grep -v "FAILED" | awk '{print $1}' | tee probed_domains.txt
```

{% endcode %}

Other httpx examples

{% code title="httpx simple" %}

```bash
cat subdomains.txt | httpx > alive_subdomains
```

{% endcode %}

{% code title="httpx toolkit" %}

```bash
# on Kali the projectdiscovery binary is installed as httpx-toolkit (plain httpx is the Python client)
httpx-toolkit -l subdomains.txt -ports 80,8080,443,8000,8888 -threads 200 > subdomains_alive.txt
```

{% endcode %}

#### 1.4 Screenshotting Web Services

* Tools: Aquatone, EyeWitness, Gowitness

Aquatone

{% code title="aquatone" %}

```bash
cat web_servers.txt | aquatone -out screenshots/
```

{% endcode %}

gowitness

{% code title="gowitness" %}

```bash
gowitness scan file -f probed_domains.txt --threads 10 --screenshot-path screenshots/ --write-db
```

{% endcode %}

#### 1.5 Content Discovery (Directory and File Bruteforcing)

* Tools: FFuF, Dirsearch, Gobuster, Feroxbuster

dirsearch

{% code title="dirsearch example" %}

```bash
dirsearch -w /usr/share/wordlists/custom.txt --full-url --random-agent -x 404,400 -e php,html,js,json,ini -u https://target.com/
```

{% endcode %}

Deep dirsearch example

{% code title="dirsearch deep" %}

```bash
dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql,asp,aspx,asp~,py~,rb,rb~,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp~,lock,log,rar,old,sql.gz,sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip -i 200 --full-url --deep-recursive -w /usr/share/wordlists/custom.txt --exclude-subdirs .well-known/,wp-includes/,wp-json/,faq/,Company/,Blog/,Careers/,Contact/,About/,IMAGE/,Images/,Logos/,Videos/,feed/,resources/,banner/,assets/,css/,fonts/,img/,images/,js/,media/,static/,templates/,uploads/,vendor/ --exclude-sizes 0B --skip-on-status 429 --random-agent -u http://target.com/
```

{% endcode %}

feroxbuster

{% code title="feroxbuster" %}

```bash
cat probed_domains.txt | feroxbuster --stdin -s 200 --no-recursion -k --random-agent --no-state -r -W 0 -w /usr/share/wordlists/custom.txt
```

{% endcode %}

ffuf

{% code title="ffuf directory" %}

```bash
ffuf -w /usr/share/wordlists/custom.txt -t 75 -ac -mc 200,405,401,415,302,301 -u https://target.com/FUZZ
```

{% endcode %}

gobuster

{% code title="gobuster with xargs" %}

```bash
xargs -a probed_domains.txt -I@ sh -c 'gobuster dir -u "@" --no-error -f -q -k -e --random-agent -w /usr/share/wordlists/custom.txt' | tee -a gobuster.txt
```

{% endcode %}

#### 1.6 Parameter Discovery

Bruteforcing parameters can reveal hidden endpoints vulnerable to injections like SQLi or XSS.

* Tools: Arjun, FFuF, Paramspider

Arjun

{% code title="arjun" %}

```bash
arjun -u "https://target.com" -m get --stable
```

{% endcode %}

ffuf parameter fuzzing

{% code title="ffuf params" %}

```bash
ffuf -u "https://target.com/page.php?FUZZ=test" -w param_wordlist.txt -ac
```

{% endcode %}

paramspider

{% code title="paramspider" %}

```bash
paramspider -d target.com --subs
```

{% endcode %}

#### 1.7 Archived URLs

Use archived data (Wayback Machine, Common Crawl) to find older endpoints/parameters.

* Tools: GAU, Waybackurls, Katana

GAU

{% code title="gau" %}

```bash
gau target.com | anew gau_urls.txt
```

{% endcode %}

GAU + httpx

{% code title="gau + httpx" %}

```bash
cat subs.txt | gauplus -subs -b png,jpg,gif,jpeg,swf,woff,gif,svg -o allUrls.txt ; cat allUrls.txt | httpx -mc 200,403 -o liveallurls.txt
```

{% endcode %}

Waybackurls

{% code title="waybackurls" %}

```bash
waybackurls target.com | anew wayback_urls.txt
```

{% endcode %}

Katana

{% code title="katana" %}

```bash
katana -passive -pss waybackarchive,commoncrawl,alienvault -f qurl -u target.com | anew katana_urls.txt
```

{% endcode %}

#### 1.8 Filtering Interesting URLs

* Tools: GF

GF usage

{% code title="gf filters" %}

```bash
cat gau_urls.txt | gf xss | anew xss_candidates.txt
cat gau_urls.txt | gf sqli | anew sqli_candidates.txt
```

{% endcode %}
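
gf only pattern-matches lines; archived URL lists also carry thousands of copies of the same endpoint that differ only in parameter values, fragments or static assets. The example below is added here and is not code from the original page or from gf, urldedupe or any other tool listed: it reduces a URL list to unique endpoint shapes (scheme, host, path and the set of parameter names, values ignored), drops static assets, and counts parameter names so a target-specific parameter wordlist for section 1.6 can be built from real traffic. The URL list is constructed.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of archived URLs (not real gau/waybackurls output).
CONSTRUCTED_URLS = [
    "https://target.com/search?q=shoes&page=2",
    "https://target.com/search?page=9&q=hats",        # same endpoint shape as above
    "https://target.com/search?q=bags",                # different parameter set
    "https://target.com/static/app.js",
    "https://target.com/static/logo.png",              # static asset, dropped
    "https://target.com/product.php?id=1",
    "https://target.com/product.php?id=42#reviews",    # fragment and value ignored
    "https://target.com/profile?user=alice&token=abc",
]

# Extensions that never carry server-side logic worth testing
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2", ".css")


def signature(url: str) -> Tuple[str, str, str, Tuple[str, ...]]:
    """Endpoint shape: scheme, host, path and the sorted set of parameter names."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, names)


def is_static(url: str) -> bool:
    return urlsplit(url).path.lower().endswith(STATIC_EXT)


def dedupe(urls: Iterable[str]) -> List[str]:
    """Keep the first URL seen for each endpoint shape, skipping static assets."""
    seen = set()
    kept = []
    for url in urls:
        if is_static(url):
            continue
        sig = signature(url)
        if sig not in seen:
            seen.add(sig)
            kept.append(url)
    return kept


def param_inventory(urls: Iterable[str]) -> Dict[str, int]:
    """How often each parameter name occurs; a seed for a target-specific parameter wordlist."""
    counts: Counter = Counter()
    for url in urls:
        counts.update(signature(url)[3])
    return dict(counts)


if __name__ == "__main__":
    for url in dedupe(CONSTRUCTED_URLS):
        print(url)
    print(param_inventory(CONSTRUCTED_URLS))
```

Run it over `gau_urls.txt` before the gf step and both the gf output and any later scanner runs shrink to one request per endpoint shape, which is also what keeps the request volume inside a program's rate limits.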

#### 1.9 Crawling and Spidering

Automated crawling finds deeper endpoints, hidden forms, and parameters.

* Tools: Katana, Gospider, Hakrawler

Katana

{% code title="katana crawl" %}

```bash
katana -list probed_domains.txt -silent -o katana_crawl.txt
```

{% endcode %}

Gospider

{% code title="gospider" %}

```bash
gospider -s https://target.com -d 1 -o gospider_crawl.txt
```

{% endcode %}

#### 1.10 ASN and IP Range Enumeration

Identify the target’s IP range to expand the attack surface.

* Tools: Amass, Censys, Shodan, Netcraft

Amass ASN

{% code title="amass intel" %}

```bash
amass intel -asn <ASN_Number> -o asn_targets.txt
```

{% endcode %}

#### 1.11 Cloud Asset Enumeration

Cloud providers often expose assets or storage buckets that can be publicly accessible.

* Tools: cloud\_enum, S3Scanner

CloudEnum

{% code title="cloud\_enum" %}

```bash
cloud_enum -k target
```

{% endcode %}

#### 1.12 Fingerprinting Web Technologies

Knowing the CMS, frameworks, or web server helps tailor attacks.

* Tools: Wappalyzer, WhatWeb

WhatWeb

{% code title="whatweb" %}

```bash
whatweb target.com
```

{% endcode %}
{% endstep %}

{% step %}

### 2. Mapping the Attack Surface

After collecting subdomains, URLs, and ports, map the target’s attack surface—vulnerable technologies, hidden paths, and JS-exposed endpoints.

#### 2.1 JS File Analysis

JavaScript files can leak API keys, hardcoded secrets, or useful endpoints.

* Tools: LinkFinder, JSFinder, subjs, SecretFinder, Katana

LinkFinder

{% code title="linkfinder" %}

```bash
python3 linkfinder.py -i https://target.com/app.js -o cli
```

{% endcode %}

SubJS

{% code title="subjs" %}

```bash
subjs -i https://target.com | anew js_endpoints.txt
```

{% endcode %}

Katana JS listing

{% code title="katana js" %}

```bash
katana -list probed_domains.txt -jc | grep "\.js"
```

{% endcode %}

SecretFinder

{% code title="secretfinder loop" %}

```bash
cat jsfiles.txt | while read -r url; do python3 SecretFinder.py -i "$url" -o cli >> secret.txt; done
```

{% endcode %}
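
What LinkFinder and SecretFinder do under the hood is regex extraction over the JavaScript text. The example below is added here and is not code from the original page or from either tool: it pulls quoted path and URL literals out of a bundle, separates same-origin endpoints from external URLs, drops static assets, and flags two credential formats with fixed prefixes (AWS access key IDs and GitHub personal access tokens), which keeps the false-positive rate low. The JavaScript sample is constructed; the AWS key in it is the example key AWS publishes in its own documentation, not a live credential. The same scan is worth running on your own production bundles before release.

```python
import re
from typing import Dict, List

# Constructed JavaScript sample (not a real application bundle).
CONSTRUCTED_JS = """
const API_BASE = "/api/v2";
fetch(API_BASE + "/users/me");
axios.get('/api/v2/orders?status=open');
const cfg = { awsKey: "AKIAIOSFODNN7EXAMPLE", gh: "GH_TOKEN_PLACEHOLDER" };
var img = "/static/img/logo.png";
const ext = "https://cdn.example.net/lib.js";
""".replace("GH_TOKEN_PLACEHOLDER", "ghp_" + "x" * 36)   # token-shaped dummy value

# Quoted string literals that look like paths or URLs
ENDPOINT_RE = re.compile(r"""['"`]((?:https?://|/)[A-Za-z0-9_./?=&%~-]{2,})['"`]""")
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2", ".css")

# Credential formats with fixed prefixes (low false-positive rate)
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def extract_endpoints(js: str) -> Dict[str, List[str]]:
    """Split path-like literals into same-origin endpoints and external URLs; drop static assets."""
    internal, external = set(), set()
    for match in ENDPOINT_RE.finditer(js):
        value = match.group(1)
        if value.lower().split("?")[0].endswith(STATIC_EXT):
            continue
        (external if value.startswith("http") else internal).add(value)
    return {"endpoints": sorted(internal), "external": sorted(external)}


def find_secrets(js: str) -> List[Dict[str, str]]:
    """Return one hit per match of each known credential format."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(js):
            hits.append({"type": name, "value": m.group(0)})
    return hits


def scan(js: str) -> Dict[str, object]:
    """Combined report for one JavaScript file's text."""
    report: Dict[str, object] = extract_endpoints(js)
    report["secrets"] = find_secrets(js)
    return report


if __name__ == "__main__":
    for key, value in scan(CONSTRUCTED_JS).items():
        print(key, value)
```

Endpoints assembled at runtime (`API_BASE + "/users/me"`) come out as two separate fragments, which is the inherent limit of regex extraction; joining them needs a real parser or a headless browser.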
{% endstep %}

{% step %}

### 3. Vulnerability Testing

Now comes the testing phase — find actual bugs. Below are common classes and testing tips.

#### 3.1 XSS

Cross-site scripting occurs when input is not sanitized and allows JS injection.

* Tools: KXSS, XSStrike, Dalfox

KXSS

{% code title="kxss" %}

```bash
cat xss.txt | kxss | grep "\" ' < >" | tee kxss.txt
```

{% endcode %}

dalfox

{% code title="dalfox" %}

```bash
dalfox url "https://target.com/?q=search" -o dalfox_xss.txt
```

{% endcode %}

#### 3.2 SQLi

SQLi allows attackers to manipulate DB queries and extract data.

* Tools: SQLMap, manual payloads, ghauri

sqlmap

{% code title="sqlmap" %}

```bash
sqlmap -u "https://target.com/product.php?id=1" --dbs
```

{% endcode %}

ghauri

{% code title="ghauri" %}

```bash
ghauri -u 'URL' --data "params with * for payload injection" --batch --flush-session
```

{% endcode %}

#### 3.3 SSRF

Server-side request forgery tricks the server into making requests to internal services.

* Tools: Gopherus, Burp Suite, SSRFMap

#### 3.4 IDOR

Insecure direct object references allow accessing other users’ data by manipulating object identifiers.

* Tools: Burp Suite, Postman
* Testing method: Change the ID parameter in the URL or body and observe if data from other users is exposed.

#### 3.5 Open Redirect

Occurs when applications redirect to untrusted sites without validation.

* Tools: Burp Suite, manual payloads

#### 3.6 File Upload Vulnerabilities

Improper file upload config can allow malicious files (web shells) to be uploaded/executed.

* Tools: Burp Suite, manual payloads
* Payload example: Try uploading .php, .jsp, or .exe and check execution.

#### 3.7 CORS

Misconfigured CORS policies can enable cross-origin attacks.

* Tools: Corsy

#### 3.8 LFI

Local file inclusion can expose system files.

* Tools: dotdotpwn

Oneliner example

{% code title="LFI oneliner" %}

```bash
cat URL_FILE | qsreplace "/etc/passwd" | while read -r url; do curl -s "$url" | grep -q "root:x:" && echo "$url is vulnerable"; done
```

{% endcode %}
{% endstep %}

{% step %}

### 4. Advanced Enumeration & Attack Techniques

Advanced techniques can find higher-impact vulnerabilities.

#### 4.1 SSRF to Internal Port Scanning

SSRF can be abused to scan internal networks and services. Use Burp Suite for manual testing or automate with ffuf/dnsx for large-scale probing.

#### 4.2 Host Header Injection

Manipulating the Host header may bypass access controls, trigger SSRF-like behavior, or enable cache poisoning.

* Tool: Burp Suite

#### 4.3 Cache Poisoning

Craft requests to pollute caches with malicious content, possibly leading to XSS or other attacks.

* Tool: Burp Suite or manual payloads

Payload example

{% code title="cache poisoning xss payload" %}

```bash
https://target.com/?q=<script>alert('xss')</script>
```

{% endcode %}
{% endstep %}

{% step %}

### 5. Post-Exploitation & Reporting

Document findings clearly so the target can reproduce and remediate issues.

#### 5.1 Document Your Findings

* Take clear screenshots of exploitation steps.
* Include tools used, exact URLs tested, and payloads.
* Offer remediation advice (code fixes, config changes, security practices).

#### 5.2 Prioritize by Impact

* Highlight high-risk vulnerabilities (unauthorized data access, RCE).
* Use scoring frameworks like CVSS to assess severity.

#### 5.3 Submit a Clear Report

* Use platforms like HackerOne, Bugcrowd, or contact the company directly.
* Keep reports concise but informative with reproduction steps, screenshots, tools, and payloads.

Related resources:

* Tools: <https://www.notion.so/Tools-191110a35b6a8049b205e417c5718501?pvs=21>
* Mindmap: <https://www.notion.so/Mindmap-192110a35b6a80788be9ce08af83932a?pvs=21>
* Cheatsheet: <https://www.notion.so/Cheatsheet-193110a35b6a803c9de1fbdc4116f0f9?pvs=21>
{% endstep %}

{% step %}

### EXTRA. Other techniques

#### Fast automated XSS with airixss

Finds URLs archived by waybackurls, removes duplicates, replaces every parameter value with the payload, checks each URL with airixss and finally filters the output.

Airixss: <https://github.com/ferreiraklet/airixss>

```bash
waybackurls domain.com | urldedupe -qs | qsreplace "</script><script>confirm(1)</script>" | airixss -payload "confirm(1)" | egrep -v 'Not'
```

#### Find Origin IP behind Cloudflare

Inspect the favicon hash. First get the favicon URL with:

{% embed url="https://favicons.teamtailor-cdn.com/" %}

Get the hash with:

{% embed url="https://favicon-hash.kmsec.uk/" %}

Then search Shodan for that hash with the filter:

```
http.favicon.hash:[hash]
```

In Censys (more effective):

```
services.http.response.favicons.md5_hash:[hash]
```

{% endstep %}
{% endstepper %}
