Bug Bounty Hunting Methodology

This page contains a streamlined methodology tailored for Bug Bounty Hunting, Web Application Penetration Testing (WAPT), and Vulnerability Assessment and Penetration Testing (VAPT). It serves as a practical guide for Red Teamers, Blue Teamers, and CTF players, focusing on key phases like Reconnaissance, Scanning, Exploitation, Post-Exploitation, and Reporting. Each phase includes actionable steps and tools, making it a comprehensive resource for systematically identifying and exploiting vulnerabilities in web applications and networks.

LinkTree | YouTube | Sponsor | ZishanAdThandar's Pentest Repo

Content

Installing Tools and Wordlists

  1. hackify.sh: Use this to install important tools and wordlists.
  2. Top tools list: Remaining tools can be installed manually.

Target Enumeration

  1. h1asset by adysec, h1domains by zricethezav, Inventory by Trickest, bounty-targets-data by arkadiyt, bug-bounty-recon-dataset by inth3wild
  2. Google dork https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt
  3. Bug Bounty Hunting Platforms
  4. https://github.com/projectdiscovery/public-bugbounty-programs (list of public programs); to download the subdomains of all programs use https://chaos.projectdiscovery.io/
  5. Find new acquisitions by target companies: https://index.co/company/COMPANY/acquirees. Example: https://index.co/company/google/acquirees
  6. Reverse IP lookup to widen the scope (for red teaming): Hacker Target, ViewDNS.info and SecurityTrails (account needed).
  7. Subdomain Automation

Scan

Port Scan

  1. naabu + nmap
    • naabu -list domain.comsubs.txt >>naabu.txt or naabu -list domain.comips.txt >>naabu.txt
    • naabu -l instamojo.comsubs.txt -nmap-cli 'nmap --script vuln -Pn -T5 -A' | tee -a domain.comnmapvuln.txt

Google DORK Scan

  1. DorkScout: Golang tool to automate Google dork scans against the entire internet or specific targets.
  2. pagodo (Passive Google Dork)
  3. FGDS: curl https://raw.githubusercontent.com/IvanGlinkin/Fast-Google-Dorks-Scan/master/FGDS.sh -s | bash -s domain.com (this pipes a remote script straight into bash; download and review FGDS.sh first if you do not want to run unreviewed code)
  4. sitedorks by Zarcolio
  5. git-hound
    1. Install git-hound with hackify.sh or from the repo release, then confirm it is on the PATH: which git-hound
    2. Login details: nano /root/go/bin/config.yml. Example: https://github.com/tillson/git-hound/blob/main/config.example.yml
    3. Enter the OTP: git-hound --otp-code 1234568
    4. Run it: git-hound --config-file /root/go/bin/config.yml --subdomain-file subdomains.txt

Cloudflare Bypass

  1. SecurityTrails, ViewDNS.info: For DNS history and records.
  2. dnsdumpster.com
  3. Shodan, Censys: For Internet device searches.
  4. Google, Bing: For cached search engine results.
  5. crt.sh, Censys, CertDB: For certificate transparency logs.
  6. dig: To find origin IP leaks caused by DNS misconfiguration.

Scanners

  1. Burp Suite Pro [Windows Linux] File: https://portswigger.net/burp/pro Loader:…… Zer0DayLab
    • Burp Bounty Pro Extension
    • Burp Turbo Intruder
    • HUNT by BugCrowd
    • Unlimited BurpSuite Extensions
  2. nuclei with nuclei-templates or external templates
    • nuclei template install (as root): nuclei -ut
    • nuclei command: nuclei -l httpsubdomain.txt -resume nuclei.txt -nmhe (rate-limit to 10 requests/second to avoid errors from rapid requests; -nmhe keeps hosts in the scan instead of skipping them on errors)
  3. Acunetix Pro [Windows Linux] Pwn3rzs
    • Creating an Acunetix CSV list from https links (the escaped quotes are intentional so each field is quoted in the output): for i in $(cat domain.comhttpssubdomain.txt); do echo \"$i\", \" \"; done > domain.comacunetix.csv
  4. Afrog: afrog -T domain.comhttpsubs.txt
  5. OWASP Nettacker
  6. Wapiti [Linux]
  7. XAttacker: perl XAttacker.pl -l list.txt

Exploitation

  1. RCE: Commix
  2. SQL Injection: sqlmap, jSQL or NoSQLMap
  3. Cross Site Scripting: XSStrike, XSScrapy
  4. File inclusion: LFIMap
  5. Fileupload: fuxploider
  6. CORS: Corsy
  7. CRLF Injection: crlfuzz
  8. GraphQL: batchql by assetnote, INQL Scanner Burpsuite Extension or INQL Script
  9. 403 bypass: bypass-403 by iamj0ker, 403bypasser by yunemse48, 4-ZERO-3 by Dheerajmadhukar or 403 Bypasser Burpsuite Extension
  10. GF Pattern Commands: Gf-Patterns
  11. Hidden Link Discovery: LinkFinder by GerbenJavado
  12. Hidden Parameter Discovery: x8

FFUF

  1. Subdomain Enumeration: ffuf -w /opt/wordlist/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u https://FUZZ.target.com -H "Host: FUZZ.target.com"
  2. Virtual Host Discovery: ffuf -w /opt/wordlist/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u https://target.com -H "Host: FUZZ.target.com"
  3. Parameter Fuzzing: ffuf -w /opt/wordlist/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u https://target.com/page.php?FUZZ=value
  4. Directory/Files Enumeration: ffuf -w /opt/wordlist/SecLists/Discovery/Web-Content/common.txt -u https://target.com/FUZZ/
  5. Fuzzing HTTP Headers: ffuf -w /opt/wordlist/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u https://target.com -H "FUZZ: test"
  6. Fuzzing Post Data: ffuf -w /opt/wordlist/SecLists/Fuzzing/fuzz.txt -u https://target.com/login -X POST -d "username=FUZZ&password=pass"

One Liners

  1. Bug Bounty oneliners by thevillagehacker
  2. Bug Bounty Hunters oneliners by codelively

Manual Exploitation

Manual exploitation is often the most effective way to identify vulnerabilities. Unlike automated scanners, manual techniques let you discover bugs that would otherwise go unnoticed, such as logic flaws and authorization issues that no signature matches. For manual testing, use tools such as Burp Suite, OWASP ZAP, mitmproxy, Postman, and the browser's developer tools (Inspector). These tools let you analyze and manipulate HTTP requests and responses, inspect web elements, and more, allowing a deeper investigation into potential security flaws.

External Methodology

  1. Advanced Reconnaissance and Web Application Discovery (ARWAD) by Ahmad Halabi
  2. How to Hunt by Kathan Patel
  3. Awesome Bug Bounty Roadmap
  4. AllAboutBugBounty by Muhammad Daffa
  5. BugBounty Tips punishell
  6. Web Checklist by six2dex pentestbook
  7. Web Checklist JHaddix forked gist
  8. OWASP WSTG
  9. Bug Bounty Cheat Sheet by EdOverflow