Comprehensive Bug Bounty Hunting Methodology (2024 Edition)

3 weeks ago 25
BOOK THIS SPACE FOR AD
ARTICLE AD

Krishna Kaushal

Welcome to your complete bug bounty guide! 🕵️ This is designed for beginners, but even if you’re experienced, there’s always something new to learn or tools to discover. With this checklist, you’ll not only understand the “what” but also the “how” and “why.” Each section is filled with tools, commands, and examples to make your bug bounty journey smooth and productive.

The recon phase is all about gathering information. The more data you have on your target, the higher your chances of finding vulnerabilities. This stage sets the foundation for everything that follows.

1.1 Subdomain Enumeration

Subdomains often hide forgotten features, admin panels, or unpatched vulnerabilities. Use multiple tools for better coverage.

Passive Subdomain Enumeration

Passive enumeration relies on third-party sources and APIs, such as certificate transparency logs, search engines, and public DNS databases.

Tools: Subfinder, Findomain, Amass, Assetfinder, Sublist3r, ShufflednsSubfinder Example:subfinder -d target.com -all -recursive -t 200 -silent -o subfinder-rescursive.txt
Findomain Example:findomain --quiet -t target.com | tee findomain.txt
Amass Example:amass enum -passive -d target.com -o amass.txt
Assetfinder Example:assetfinder -subs-only target.com | tee assetfinder.txt
Sublist3r Example:sublist3r -d target.com -t 50 -o sublist3r.txt

Active Subdomain Enumeration

Active enumeration involves brute-forcing subdomains using wordlists and DNS queries.

Tools: Subbrute, MassDNS, Shuffledns, DNSXSubbrute Example (using a wordlist for brute force):python3 subbrute.py target.com -w wordlist.txt -o brute_subs.txt

we can also use this within sublist3r by giving -b argument.

MassDNS Example:./Tools/massdns/scripts/subbrute.py target.com /usr/share/wordlists/2m-subdomains.txt | massdns -r /usr/share/wordlists/resolvers.txt -t A -o S -w target.com.txt

you can sort the results accordingly and save it into a file:

Subdomain Brute-Forcing

Brute-forcing is useful when passive methods miss some hidden subdomains.

Tools: SubBrute, FFUF, dnsx, MassDNSFFUF Example:ffuf -u https://target.com -H "Host: FUZZ.target.com" -w /usr/share/wordlists/subdomains.txt -t 100 -fc 403 | tee ffuf_subs_output.txt

use this command to filter out the ffufoutput:

for subs in $(cat ffuf_subs_output.txt | awk '{print $1}'); do
echo "${subs}.target.com" >> ffuf-subs-final.txt ;
done

then remove the ffuf_subs_output.txt file:

rm ffuf_subs.output.txtCombine all results into one file using anew:cat *.txt | anew all_subdomains.txt

1.2 DNS Resolution and Probing

Once you’ve gathered subdomains, the next step is to check which ones are live by resolving their DNS records. A tool like dnsx or Shuffledns can be used to filter out non-existent subdomains.

Tools: dnsx, Shuffledns, MassDNSShuffledns Example:shuffledns -d target.com -list all_subdomains.txt -r resolvers.txt -o live_subs.txtdnsx Example:dnsx -l all_subdomains.txt -r /usr/share/wordlists/resolvers.txt -o live_subs.txt

Collecting IP Addresses

Once the subdomains are resolved, it’s often useful to collect their associated IP addresses for future port scanning and fingerprinting.

dnsx with IP Output:dnsx -l live_subs.txt -a -resp-only -o live_with_ips.txt
Reverse DNS Lookups

You can also find additional subdomains by performing reverse DNS lookups on IP addresses.

Tools: dnsx, Amassdnsx Example for Reverse DNS:dnsx -ptr -l live_with_ips.txt -r /usr/share/wordlists/resolvers.txt | massdns -r /usr/share/wordlists/resolvers.txt -q -o S -t PTR > reverse_dns_massdns.txt

1.3 HTTP Probing (Identifying Live Web Services)

Not every resolved subdomain will be hosting a web service. HTTP probing helps you identify which subdomains are serving websites.

Tools: httpx, httprobehttpx Example:httpx -l live_subs.txt -title -sc -location -p 80,443,8000,8080,8443 -td -cl -probe -o httpx_output.txt

We can further filter this out to get only those domains that are currently reachable using this command:

cat httpx_output.txt | grep -v "FAILED" | awk '{print $1}' | tee probed_domains.txt

1.4 Screenshotting Web Services

When dealing with a large number of subdomains, taking screenshots of each live web server is a great way to visualize them quickly, identify login portals, or other points of interest.

Tools: Aquatone, EyeWitness, GowitnessAquatone Example:cat web_servers.txt | aquatone -out screenshots/Gowitness Example:gowitness scan file -f probed_domains.txt --threads 10 --screenshot-path screenshots/ --write-db

This step saves time during manual analysis by visually comparing different interfaces or login panels.

1.5 Content Discovery (Directory and File Bruteforcing)

After you’ve identified live websites, the next step is to look for hidden directories or files that may expose sensitive data.

Tools: FFuF, Dirsearch, Gobuster, FeroxbusterDirsearch Examples:dirsearch -w /usr/share/wordlists/custom.txt --full-url --random-agent -x 404,400 -e php,html,js,json,ini -u https://target.com/dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql,asp,aspx,asp~,py~,rb,rb~,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp~,lock,log,rar,old,sql.gz,sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip -i 200 --full-url --deep-recursive -w /usr/share/wordlists/custom.txt --exclude-subdirs .well-known/,wp-includes/,wp-json/,faq/,Company/,Blog/,Careers/,Contact/,About/,IMAGE/,Images/,Logos/,Videos/,feed/,resources/,banner/,assets/,css/,fonts/,img/,images/,js/,media/,static/,templates/,uploads/,vendor/ --exclude-sizes 0B --skip-on-status 429 --random-agent -u http://target.com/Feroxbuster Examples:cat probed_domains.txt | feroxbuster --stdin -s 200 --no-recursion -k --random-agent --no-state -r -W 0 -w /usr/share/wordlists/custom.txtFFuF Example:ffuf -w /usr/share/wordlists/custom.txt -t 75 -ac -mc 200,405,401,415,302,301 -u http://assets.engage.tesla.com/FUZZGobuster Example:xargs -a probed_domains.txt -I@ sh -c 'gobuster dir -u "@" --no-error -f -q -k -e --random-agent -w /usr/share/wordlists/custom.txt' | tee -a gobuster.txt

Parameter Discovery

Bruteforcing for parameters can help uncover hidden endpoints vulnerable to injections like SQLi or XSS.

Tools: Arjun, FFuFArjun Example:arjun -u "https://target.com" -m get --stable
FFUF Example:ffuf -u https://target.com/page.php?FUZZ=test -w param_wordlist.txt

1.6 Archived URLs (Wayback Machine)

Sometimes, older versions of the website might expose endpoints or parameters that are not available on the live site. You can use archived data from the Wayback Machine to discover such URLs.

Tools: GAU, WaybackurlsGAU Example:gau target.com | anew gau_urls.txt
Waybackurls Example:waybackurls target.com | anew wayback_urls.txtKatana Example:katana -passive -pss waybackarchive,commoncrawl,alienvault -f qurl -u target.com | anew katana_urls.txt

Filtering Interesting URLs

To focus on potentially vulnerable URLs, you can use GF (Grep patterns for fuzzing).

Tools: GFGF Example:cat gau_urls.txt | gf xss | anew xss_candidates.txt
cat gau_urls.txt | gf sqli | anew sqli_candidates.txt

1.7 Crawling and Spidering

You can automate crawling of the target website to discover deeper endpoints, hidden forms, or parameters for attacks like XSS or SSRF.

Tools: Katana, Gospider, HakrawlerKatana Example:katana -list probed_domains.txt -silent -o katana_crawl.txt
Gospider Example:gospider -s https://target.com -d 1 -o gospider_crawl.txt

Crawling is useful to expand the attack surface by identifying all reachable URLs, forms, or parameters for fuzzing.

1.8 ASN and IP Range Enumeration

Identifying the target’s IP range can help expand the attack surface, especially if the target has services running on different IP addresses or subnets.

Tools: Amass, Censys, Shodan, Netcraft
Amass ASN Example:amass intel -asn <ASN_Number> -o asn_targets.txt

1.9 Cloud Asset Enumeration

Cloud providers like AWS, Google Cloud, and Azure often expose assets or storage buckets that can be publicly accessible.

Tools: cloud_enum, S3ScannerCloudEnum Example:cloud_enum -k tesla.com

1.10 Fingerprinting Web Technologies

Understanding the technologies in use can help you tailor your attacks. For instance, knowing the CMS or the web server can lead you to specific vulnerabilities or exploits.

Tools: Wappalyzer, WhatWebWhatWeb Example:whatweb target.com
Wappalyzer (Browser Extension): Simply browse the target site to see technologies in use.

By combining all these techniques, tools, and methods, you can gather an extensive amount of information about your target, increasing the likelihood of finding exploitable vulnerabilities. Make sure to automate as much as possible but never skip manual validation — often the real bugs are hiding in plain sight!

“When you find a subdomain no one has touched in years:”️

Now that you’ve collected subdomains, URLs, and ports, it’s time to map out the target’s attack surface. This includes testing for vulnerable technologies and hidden paths.

2.1 JS File Analysis

JavaScript files can leak sensitive information like API keys, hardcoded secrets, or even useful endpoints.

Tools: LinkFinder, JSFinder, subjsLinkFinder Example:python3 linkfinder.py -i https://target.com/app.js -o cliSubJS Example:subjs -i https://target.com | anew js_endpoints.txtKatana Example:katana -list probed_domains.txt -jc | grep "\.js"

Using automation is a great option, but always remember that the manual approach is essential.

“When you find an exposed admin panel:”

Now comes the fun part — finding actual bugs. In this section, we cover the most common vulnerabilities and how to test for them.

3.1 Cross-Site Scripting (XSS)

XSS occurs when a web application doesn’t sanitize user input, allowing the attacker to inject malicious JavaScript.

Tools: KXSS, XSStrike, DalfoxKXSS Example:cat xss.txt | kxss | grep "\" ' < >" | tee kxss.txt
Dalfox Example:dalfox url "https://target.com/?q=search" -o dalfox_xss.txt

3.2 SQL Injection (SQLi)

SQLi allows attackers to manipulate queries sent to a database, extracting sensitive information.

Tools: SQLMap, Manual payloadsSQLMap Example:sqlmap -u "https://target.com/product.php?id=1" --dbs

3.3 Server-Side Request Forgery (SSRF)

In SSRF, the attacker tricks the server into making requests to internal services.

Tools: Gopherus, Burp SuitePayload Example:https://target.com/?url=http://internal-server/admin

3.4 IDOR (Insecure Direct Object Reference)

IDOR allows you to access other users’ data by manipulating object identifiers.

Tools: Burp Suite, PostmanTesting Method: Change the ID parameter in the URL or body and observe if data from other users is exposed.

3.5 Open Redirect

This occurs when a web application redirects users to an untrusted website without proper validation.

Tools: Burp Suite, manual payloadsPayload Example:https://target.com/redirect?url=https://evil.com

3.6 File Upload Vulnerabilities

Improperly configured file upload functionality can allow attackers to upload malicious files (e.g., web shells).

Tools: Burp Suite, manual payloadsPayload Example: Try uploading .php, .jsp, or .exe files and check if they are executed on the server.

“When your XSS alert pops:”

Some bugs require more advanced techniques to discover. These are a bit more complex but can result in higher rewards.

4.1 DNS Rebinding

This attack tricks a target into visiting a malicious DNS server, allowing the attacker to send requests to internal services.

Tool: DNSRebind

Sometimes SSRF can be used to scan the internal network or services running on the target. You can craft requests to target internal IP ranges, looking for open ports or vulnerable services.

Tool: Burp Suite for manual testing, or automation tools like ffuf or dnsx for large-scale probing.Payload Example:https://target.com/?url=http://127.0.0.1:80 https://target.com/?url=http://10.0.0.1:8080

This can be extended to target specific internal services like databases, admin panels, or APIs.

4.3 Host Header Injection

By manipulating the Host header in an HTTP request, you might be able to bypass access control, generate SSRF-like behavior, or conduct cache poisoning attacks.

Tool: Burp SuitePayload Example: Change the Host header to an external domain or a local IP:Host: attacker.com

This could potentially lead to a variety of attacks depending on how the server handles the Host header.

4.4 Cache Poisoning

Cache poisoning attacks target web caches by sending crafted requests that pollute the cache with malicious content, leading to XSS or other vulnerabilities.

Tool: Burp Suite or manual payloadsPayload Example: Modify query strings or headers in a way that gets reflected back to users:https://target.com/?q=<script>alert('xss')</script>

If the server stores this response in its cache, other users may see the injected script when visiting the cached page.

After identifying vulnerabilities, it’s crucial to properly document your findings for a bug bounty report. This helps the target organization understand the severity and reproduce the issue.

5.1 Document Your Findings

Take clear screenshots of any steps leading to vulnerability exploitation.Include detailed descriptions of each step, starting with the tools used, exact URLs tested, and payloads.Offer remediation advice: Suggest how the target can fix the vulnerability, whether through code changes, configuration updates, or better security practices.

5.2 Prioritize by Impact

Highlight which vulnerabilities pose the highest risk (e.g., those leading to unauthorized data access or remote code execution).Use vulnerability scoring frameworks like CVSS (Common Vulnerability Scoring System) to assess the severity.

5.3 Submit a Clear Report

Use platforms like HackerOne, Bugcrowd, or directly contact the target company.Keep your reports concise but informative, with clear reproduction steps, including screenshots, tools, and payloads used.

Bug bounty hunting is a continuous learning process. Regularly update your knowledge with new techniques, tools, and vulnerabilities. Follow bug bounty write-ups, stay active in security communities, and continuously practice on platforms like Hack The Box, TryHackMe, or CTF challenges.

“When you get a high-severity bug:”

This checklist should serve as a solid foundation for your bug bounty journey, covering key areas from reconnaissance to advanced exploitation techniques. Remember, the more you practice and refine your skills, the better you’ll become at finding high-impact bugs.

Happy hunting! 🕵️‍♂️

Let’s connect on LinkedIn for more: LinkedIn Profile

Read Entire Article