Don’t know where to look for bugs?? In Depth Recon Bug Bounty — Part 02

3 months ago

Om Arora

InfoSec Write-ups

Hello Everyone,

The previous recon blog and video did very well, so here is Part 2 of the recon methodology.

Once again, for those who don’t like reading blogs, I have created a YouTube video demonstrating the process, so please make sure to check it out.

Note that I am not a big bug bounty hunter; I write these posts to share what I’ve learned in a way that would have helped me when I was starting out. My goal is to make cybersecurity easier to understand for others who are also beginning their journey.

Our main focus in this blog will be content discovery, as it is one of the most important parts of looking for bugs.

We do content discovery to find endpoints or files that are hidden. What most people do is install a tool like ffuf or gobuster, point it at the website and start brute-forcing with the default wordlist. That is not a wrong method, but the problem is that everyone is doing the same thing, so it is very unlikely that you will find anything interesting.

In the last blog we found all the subdomains and picked out the interesting ones.

Now we are going to choose the subdomains on which we will do the brute forcing.

Note: check the bug bounty program’s policy before you use any automated scanner and make sure it’s allowed.

There are many tools you can use for brute-forcing directories, like dirb, dirbuster, ffuf and gobuster.

But the fastest one right now is Feroxbuster.

It also has a recursive mode: if it finds a directory, it automatically scans that directory for further subdirectories, which is very useful.

Installation

sudo apt update && sudo apt install -y feroxbuster

Usage

feroxbuster -u https://target.com

There are many other options; you can read the documentation or watch my YouTube video for a demonstration.

Once you have installed the tool and selected the subdomain you want to search for directories on, the next step is to gather some more information about the website, like the technology it is built with, so that it is easier to choose the wordlist to use while brute-forcing.

You can do this with Wappalyzer.

Wordlists

Instead of using one basic wordlist for every website, choose a wordlist related to the website’s tech.

These are some wordlists that can be helpful:

SecLists

This has many different wordlists for specific things, for example:

As you can see here, there are different wordlists for APIs, CGIs, common PHP filenames and many more. You can figure out the tech used and then pick the wordlist that matches it for better results.
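As an added example (not code from the original post, nor from Feroxbuster or SecLists themselves), the shell snippet below ties the last three steps together: it reads a target’s HTTP response headers, guesses the tech from a few header hints, picks a matching SecLists wordlist and prints the feroxbuster command for you to review before running it. The sample headers are constructed, the SecLists install path and the tech-to-wordlist mapping are my own assumptions, and the feroxbuster flags used (-u, -w, -t, --rate-limit, --depth, -o) are real ones.

```shell
#!/bin/sh
# Added example, not code from the original post: fingerprint a target from its
# HTTP response headers, pick a SecLists wordlist for that tech, and print the
# feroxbuster command to review before running it. The tech-to-wordlist mapping
# and the SecLists location are assumptions; the feroxbuster flags are real.
set -eu

# Where SecLists is checked out (assumed path; override with SECLISTS=/path).
SECLISTS="${SECLISTS:-/usr/share/seclists}"

# detect_tech: read raw response headers (e.g. from `curl -sI URL`) on stdin
# and print one tech tag. Only a few header hints are checked; Wappalyzer
# gives a fuller picture, but this is enough to steer the wordlist choice.
detect_tech() {
    hdrs=$(tr '[:upper:]' '[:lower:]')        # compare case-insensitively
    case "$hdrs" in
        *"x-powered-by: php"*|*"set-cookie: phpsessid"*)             echo php ;;
        *"x-powered-by: asp.net"*|*"set-cookie: asp.net_sessionid"*) echo aspnet ;;
        *"x-powered-by: express"*)                                   echo node ;;
        *"content-type: application/json"*)                          echo api ;;
        *)                                                           echo generic ;;
    esac
}

# wordlist_for: map a tech tag to a wordlist under SecLists/Discovery/Web-Content.
wordlist_for() {
    d="$SECLISTS/Discovery/Web-Content"
    case "$1" in
        php)    echo "$d/Common-PHP-Filenames.txt" ;;
        aspnet) echo "$d/IIS.fuzz.txt" ;;
        node)   echo "$d/raft-medium-words.txt" ;;
        api)    echo "$d/api/api-endpoints.txt" ;;
        *)      echo "$d/common.txt" ;;
    esac
}

# ferox_cmd URL TECH: print (do not run) the scan command. The thread count
# and --rate-limit are deliberately modest; set them to whatever the
# program's rules allow before launching.
ferox_cmd() {
    printf 'feroxbuster -u %s -w %s -t 20 --rate-limit 50 --depth 2 -o ferox_%s.txt\n' \
        "$1" "$(wordlist_for "$2")" "$2"
}

# Constructed sample headers standing in for a real `curl -sI https://target.com`.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.57
X-Powered-By: PHP/8.2.4
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8'

tech=$(printf '%s\n' "$SAMPLE_HEADERS" | detect_tech)
echo "detected tech: $tech"      # prints: detected tech: php
ferox_cmd "https://target.com" "$tech"
```

Printing the command instead of running it is intentional: it gives you a moment to check that the subdomain is in scope and that the request rate fits the program’s rules before the first packet goes out.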

These are some other helpful wordlists:

2. https://github.com/orwagodfather/My-WordLISTs/tree/main

3. https://github.com/Karanxa/Bug-Bounty-Wordlists

4. https://github.com/HacktivistRO/Bug-Bounty-Wordlists

Finding Parameters

There are tools that allow you to search for parameters in a web application, which can be helpful when looking for common bugs like open redirect, XSS, IDORs, etc.

One such tool is Arjun.

Installing Arjun

You can install Arjun with pip as follows:

pip3 install arjun

You can then feed these parameters into different tools; for example, for XSS you could use kxss.

JS Files

Analyzing JS files is also very important, because sometimes developers leave confidential information in them, like credentials or API keys, and they can also be used to find endpoints of the website.

To find JS files you can use katana (the original pipeline ran uniq before sort, which does not deduplicate; sort -u does):

katana -u https://target.com -jc -d 2 | grep '\.js$' | sort -u > js.txt

Once you have the JS files you can either analyze them manually or use tools; for example, to find secret API keys in the JavaScript files you can use SecretFinder:

while read -r url; do python3 SecretFinder.py -i "$url" -o cli; done < js.txt > secrets.txt

To find urls —

To Find Endpoints —
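As an added example that is not part of the original post (and not SecretFinder’s own code), here is what the manual side of JS analysis looks like: a grep-based pass over one JavaScript file that pulls out endpoint-like strings and lines that look like hard-coded secrets, covering both the “find endpoints” and “find secrets” steps above. The sample JavaScript and the key-like values in it are constructed to match the patterns; the AWS and Google key shapes are the publicly documented formats.

```shell
#!/bin/sh
# Added example, not code from the original post: a grep-based pass over one
# JavaScript file that pulls out endpoint-like strings and lines that look like
# hard-coded secrets, the manual counterpart of the SecretFinder run above.
# Patterns are deliberately broad: treat every hit as a lead to verify.
set -eu

# js_endpoints: print, deduplicated, every double-quoted absolute URL or
# root-relative path in the JS on stdin, minus static assets. Single-quoted
# strings and template literals are not covered by this pattern.
js_endpoints() {
    grep -oE '"(https?://[^"]+|/[A-Za-z0-9_./-]+)"' \
      | tr -d '"' \
      | grep -vE '\.(png|jpe?g|gif|svg|css|woff2?)$' \
      | sort -u
}

# Credential shapes worth a second look: AWS access key IDs (AKIA + 16 chars),
# Google API keys (AIza + 35 chars), and key/secret/token/password assignments
# whose value is a quoted literal of 8+ characters.
SECRET_RE="AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|(api[_-]?key|secret|token|password)['\"]?[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}"

# js_secrets: print matching lines with their line number (empty if none).
js_secrets() {
    grep -inE "$SECRET_RE" || true
}

# Constructed sample standing in for one file fetched from js.txt; the key
# values are fake placeholders built to match the patterns above.
SAMPLE_JS='const API = "https://api.target.com/v1";
fetch(API + "/users/me");
const LOGO = "/static/img/logo.png";
axios.post("/api/v1/orders", body);
const apiKey = "AKIAEXAMPLEKEY000000";
var cfg = { token: "sk_test_placeholder_000" };'

echo "== endpoints =="
printf '%s\n' "$SAMPLE_JS" | js_endpoints
echo "== possible secrets =="
printf '%s\n' "$SAMPLE_JS" | js_secrets
```

To run it over everything you collected, fetch each URL from js.txt with curl and pipe the body through js_endpoints and js_secrets; the endpoint list is what you later compare against the Burp site map, and any secret hit should be confirmed (and reported) rather than used.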

Functionality Mapping

This is the last part of my recon, and it is also the preparation for the next step after recon, which will be covered in the next blog.

When you have decided which website you will hunt on, open it and use it like a normal user would: play around with all the buttons, and keep Burp Suite running the whole time so that your site map fills up alongside. Once you have a basic idea of how the website works and how it passes information, start thinking as an attacker and create a list of the functionalities in the website. For example, let’s take Tumblr.

These are some basic possible features in the website.

That’s it for this blog; in the next one we will see how to use all of this to look for possible bugs.

Feel free to connect with me on:

Instagram, Email: omarora1603@gmail.com, Twitter, LinkedIn

Please Consider following and liking if you found it helpful.

You can also support me through:
