Bug Bounty Methodology

List of valuable bug bounty platforms and program managers:

Bugcrowd
https://www.bugcrowd.com/

HackerOne
https://www.hackerone.com/

Synack
https://www.synack.com/

Japan Bug Bounty Program
https://bugbounty.jp/

Cobalt
https://cobalt.io/

Zerocopter
https://zerocopter.com/

HackenProof
https://hackenproof.com/

BountyFactory
https://bountyfactory.io

Bug Bounty Programs List
https://www.bugcrowd.com/bug-bounty-list/

AntiHack
https://www.antihack.me/

What to read?

OWASP Testing Guide
https://owasp.org/www-project-web-security-testing-guide/stable/

The Web Application Hacker's Handbook
https://www.amazon.com/gp/product/1118026470/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1118026470&linkCode=as2&tag=bugcrowd-20&linkId=9f9c5e3f51e50ea7092a21a04aec184f/

Cheatsheets

https://github.com/EdOverflow/bugbounty-cheatsheet

Tips

Bug Bounty Hunting Tip #1 - Always read the source code
Bug Bounty Hunting Tip #2 - Try to hunt subdomains
Bug Bounty Hunting Tip #3 - Always check the back-end CMS and back-end language (e.g. with BuiltWith)
Bug Bounty Hunting Tip #4 - Google dorks are very helpful
Bug Bounty Hunting Tip #5 - Check each request and response

Approach

- First review the scope
- Perform reconnaissance to find valid targets
- Find subdomains through various tools (Sublist3r, VirusTotal, etc.)
- Select one target, then scan the discovered targets to gather additional information (check CMS, server and any other information I need)
- Use Google dorks for information gathering on a particular target
- Review all of the services, ports and applications
- Fuzz for errors and to expose vulnerabilities
- Attack vulnerabilities to build proof-of-concepts

Powerful google dorks

* "index of" "windows" "iso" site:.edu
* site:.eu responsible disclosure
* inurl:index.php?id=
* site:.nl bug bounty
* "index of" inurl:wp-content/ (identify WordPress websites)
* inurl:"q=user/password" (for finding the Drupal CMS)

Tools

* Information gathering
RED-HAWK (all-in-one)
https://github.com/Tuhinshubhra/RED_HAWK

* Subdomain lookup
Sub.sh (hunting + alive check)
https://github.com/cihanmehmet/sub.sh

Sublist3r (recursive check, e.g. sub.sub.website.com)
https://github.com/aboul3la/Sublist3r

* Subdomain takeover check
Subzy
https://github.com/LukaSikic/subzy

Subjack
https://github.com/haccer/subjack.git

* Alive check
Httprobe
https://github.com/tomnomnom/httprobe

* SQLi + Wayback
WaybackSqliScanner
https://github.com/ghostlulzhacks/waybackSqliScanner

WaybackURLs
https://github.com/tomnomnom/waybackurls

* Open Threat Exchange search
Gau
https://github.com/lc/gau

* Multi-tool
Hakrawler
https://github.com/hakluke/hakrawler

* Broken link checker
https://github.com/stevenvachon/broken-link-checker
`blc -r --filter-level 2 https://starbucks.com | grep "\.js" | grep "BROKEN"`

Search engines

https://domainbigdata.com/
https://censys.io
https://shodan.io
https://viz.greynoise.io
https://zoomeye.org
https://netograph.io
https://wigle.net
https://intelx.io
https://fofa.so
https://hunter.io
https://haveibeenpwned.com

Blog links

API exploitation:
http://ghostlulz.com/swagger-api/

XXE:
http://ghostlulz.com/xml-external-entityxxe/

Broken link hijacking:
http://ghostlulz.com/broken-link-hijacking/