Get almost all subdomains


Sergei Petrukhin

Each bug bounty hunting process should start with recon. Beginner or not, the first step is to choose the correct target. To do this I prefer to focus on programs with wildcards in scope and without many limitations. Working on targets without any scope details, just “Any domains related to Example business”, is not my cup of tea. So finding a target with one or many wildcards is not a huge problem. The next step is to find all subdomains. Locally I use the tool subfinder. The examples below show some specific flags to find more subdomains.

subfinder -dL urlForSubfinder.txt --all -o subfinderResult.txt

subfinder -dL urlForSubfinder.txt -nW --all -o subfinderResult.txt

Flag “nW” (alias “active”) means display active subdomains only: subfinder keeps just the names that resolve in DNS. It does not look at HTTP at all, so a host answering 404 still passes this filter. One caveat for subdomain takeover hunting: a name whose CNAME points at a deleted cloud resource often fails to resolve, so “-nW” drops exactly those candidates. Keep the result of the first command (without “-nW”) for that purpose. I still have a question regarding 404 response codes and which of these domains are interesting for finding subdomain takeover vulnerabilities. What do you think?

Flag “all” means using all sources for enumeration. It takes more time, but gives a more comprehensive result.

Don’t forget to add API keys for the different sources to the subfinder provider config file: https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration
Path to the config file on Mac devices: /Users/<yourusername>/.config/subfinder/provider-config.yaml

As you probably know, there is also amass, which is not so fast but a good tool. For this tool I use from time to time the site https://shrewdeye.app/tools/amass. Using 2–3 different tools and combining the results is the best practice, as I understand it.

The next step is to filter the found subdomains and exclude the ones that are not working. Almost all subdomains can be interesting, even those answering 404 or 403. To be honest I exclude 503 (and, in the command below, 502 and 400), but I’m not sure that it’s the correct decision: 502 and 503 usually come from a reverse proxy or CDN whose backend is missing or overloaded, so such hosts can change state later and may be worth rechecking instead of discarding. Let me know please if there are some interesting opportunities in this case.

cat subfinderResult.txt | httpx -o httpxResults/hackerone/example.txt -fc 503,502,400 -rl 50
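As an added example, not the author’s own script, here is a small POSIX shell helper for the “combine results from 2–3 tools” step before the httpx filter above. It merges raw output from subfinder, an amass export and an earlier httpx run into one lowercase, deduplicated list and keeps only hosts that sit under the wildcard apexes in the scope file (the same file passed to “subfinder -dL”). Matching is done label by label, so a look-alike such as example.com.evil.net is not accepted, which a plain grep for “example.com” would get wrong. The file names (urlForSubfinder.txt, amassResult.txt, mergedHosts.txt) and the sample tool output inside the script are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the article's script: merge raw subdomain output from
# several tools into one clean, in-scope, deduplicated host list, then feed it
# to httpx the way the article does. File names and the sample lines below are
# constructed for illustration.
set -eu
export LC_ALL=C   # deterministic sort/tr behaviour

# normalize_hosts SCOPE_FILE   (raw hosts or URLs on stdin)
# SCOPE_FILE lists in-scope wildcard apexes, one per line. Every input line is
# reduced to a bare hostname (scheme, port and path stripped, lowercased,
# trailing dot removed), kept only if it is the apex or a subdomain of one,
# then sorted and deduplicated.
normalize_hosts() {
  sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:?].*$##; s/\.$//' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9.-]+$' \
    | awk -v scope_file="$1" '
        BEGIN { while ((getline d < scope_file) > 0) if (d != "") scope[tolower(d)] = 1 }
        {
          # walk up the labels: a.b.example.com -> b.example.com -> example.com
          n = split($0, p, ".")
          for (i = 1; i <= n; i++) {
            cand = p[i]
            for (j = i + 1; j <= n; j++) cand = cand "." p[j]
            if (cand in scope) { print $0; break }
          }
        }' \
    | sort -u
}

# Constructed sample: what three sources might hand back for a scope of
# example.com and example.org. Mixed case, a trailing dot, httpx-style URLs,
# a duplicate and an out-of-scope look-alike are all deliberately included.
sample_merge() {
  scope=$(mktemp)
  printf 'example.com\nexample.org\n' > "$scope"
  printf '%s\n' \
    'API.Example.com' \
    'dev.example.com.' \
    'https://www.example.com/' \
    'http://admin.example.org:8443' \
    'example.com.evil.net' \
    'example.net' \
    'api.example.com' \
    | normalize_hosts "$scope"
  rm -f "$scope"
}

sample_merge

# The article's pipeline, run only when the tools and the scope file are
# present; without them the offline demo above still runs.
if [ -f urlForSubfinder.txt ] && command -v subfinder >/dev/null 2>&1 \
   && command -v httpx >/dev/null 2>&1; then
  subfinder -dL urlForSubfinder.txt -all -o subfinderResult.txt
  # amassResult.txt (assumed name, e.g. saved from shrewdeye) is optional
  cat subfinderResult.txt amassResult.txt 2>/dev/null \
    | normalize_hosts urlForSubfinder.txt > mergedHosts.txt
  httpx -l mergedHosts.txt -fc 503,502,400 -rl 50 -o httpxResults.txt
fi
```

The sample run prints admin.example.org, api.example.com, dev.example.com and www.example.com; the two out-of-scope names are gone and the two spellings of api.example.com collapse into one. Make sure the “httpx” on your PATH is ProjectDiscovery’s tool: the Python package of the same name also installs an httpx command, and it does not understand these flags.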