Bug Bounty Methodology

List of valuable bug bounty program managers:

Bugcrowd
https://www.bugcrowd.com/
Hackerone
https://www.hackerone.com/
Synack
https://www.synack.com/
Japan Bug bounty Program
https://bugbounty.jp/
Cobalt
https://cobalt.io/
Zerocopter
https://zerocopter.com/
Hackenproof
https://hackenproof.com/
BountyFactory
https://bountyfactory.io
Bug Bounty Programs List
https://www.bugcrowd.com/bug-bounty-list/
AntiHack
https://www.antihack.me/

What to read?

OWASP Testing Guide
https://owasp.org/www-project-web-security-testing-guide/stable/
The Web Application Hacker's Handbook
https://www.amazon.com/gp/product/1118026470/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1118026470&linkCode=as2&tag=bugcrowd-20&linkId=9f9c5e3f51e50ea7092a21a04aec184f/

Cheatsheets

https://github.com/EdOverflow/bugbounty-cheatsheet

Tips

Bug Bounty Hunting Tip #1 - Always read the source code
Bug Bounty Hunting Tip #2 - Try to hunt subdomains
Bug Bounty Hunting Tip #3 - Always check the back-end CMS and back-end language (builtwith)
Bug Bounty Hunting Tip #4 - Google dorks are very helpful
Bug Bounty Hunting Tip #5 - Check each request and response

Approach

- First review the scope
- Perform reconnaissance to find valid targets
- Find sub-domains through various tools: Sublist3r, VirusTotal etc.
- Select one target, then scan the discovered targets to gather additional information (check the CMS, server and all other information which I need)
- Use Google dorks for information gathering on a particular target.
- Review all of the services, ports and applications.
- Fuzz for errors and to expose vulnerabilities
- Attack vulnerabilities to build proof-of-concepts

Powerful google dorks

* "index of" "windows" "iso" site:.edu
* site:.eu responsible disclosure
* inurl:index.php?id=
* site:.nl bug bounty
* "index of" inurl:wp-content/ (identify WordPress websites)
* inurl:"q=user/password" (for finding Drupal CMS)

Tools

* Information gathering
RED-HAWK (All-in-one)
https://github.com/Tuhinshubhra/RED_HAWK
* Subdomain lookup
Sub.sh (Hunting + Alive check)
https://github.com/cihanmehmet/sub.sh
Sublist3r (Recursive check sub.sub.website.com)
https://github.com/aboul3la/Sublist3r
* Subdomain takeover check
Subzy
https://github.com/LukaSikic/subzy
Subjack
https://github.com/haccer/subjack.git
* Alive check-up
Httprobe
https://github.com/tomnomnom/httprobe
* SQLi + Wayback
WaybackSqliScanner
https://github.com/ghostlulzhacks/waybackSqliScanner
WaybackURLs
https://github.com/tomnomnom/waybackurls
* ! Open Threat Exchange Search
Gau
https://github.com/lc/gau
* Multi-tool
Hakrawler
https://github.com/hakluke/hakrawler
* Broken link checker
https://github.com/stevenvachon/broken-link-checker
`blc -r --filter-level 2 https://starbucks.com | grep "\.js" | grep "BROKEN"`

Search engines

https://domainbigdata.com/
https://censys.io
https://shodan.io
https://viz.greynoise.io
https://zoomeye.org
https://netograph.io
https://wigle.net
https://intelx.io
https://fofa.so
https://hunter.io
https://haveibeenpwned.com

Blog links

API Exploitation:
http://ghostlulz.com/swagger-api/
XXE
http://ghostlulz.com/xml-external-entityxxe/
Broken link hijacking
http://ghostlulz.com/broken-link-hijacking/