Bug Hunting Methodology - Recon
Recon is the very first thing that should happen when you sign up for a bug bounty program. The more attack surface you have (that is in scope, of course), the more likely you are to reach uncharted territory where other bug hunters haven’t been, or haven’t spent as much time, which increases the likelihood of you finding a bug. This will save you TONS of TIME!
Below is my methodology:
Enumerate Subdomains
Below is a list of online services for active and passive recon:
- Pentest Tools
- Virus Total
- Shodan
- crt.sh -> Search Certificate Transparency logs for certificates issued to the target's domains
- DNS Dumpster
- Censys.io
- dnsgoodies
Below is a list of tools:
- aquatone -> Take screenshots of sites that are worth attacking
- sublist3r -> Enumerates subdomains with OSINT using various search engines
- gobuster -> DNS brute forcing with user-supplied wordlists
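As an added example (not from the original post or any of the tools listed), here is how the crt.sh output from the services above is typically turned into a clean hostname list, and how a defender uses the same data to find hosts missing from their own inventory. The JSON below is constructed in the shape crt.sh returns for `?q=%25.example.com&output=json`; the hostnames and the inventory are made up, and `example.com` stands in for whatever apex is in scope.

```python
import json
import re

# Constructed sample in the shape of crt.sh's JSON output (?q=%25.example.com&output=json);
# the hostnames are made up for this example, not real CT log data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "api.example.com", "name_value": "API.example.com\nstaging-api.example.com"},
    {"common_name": "old-vpn.example.com", "name_value": "old-vpn.example.com"},
    # Lookalike on another apex: must be excluded, not treated as in scope.
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])

# Strict hostname shape: labels of letters, digits and hyphens, at least one dot.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def extract_hostnames(crtsh_json, apex):
    """Return the sorted, de-duplicated list of in-scope hostnames from a crt.sh JSON reply.

    crt.sh packs several SANs into name_value separated by newlines, mixes case,
    and returns wildcard names; all three are normalised here.
    """
    apex = apex.lower()
    names = set()
    for entry in json.loads(crtsh_json):
        raw = entry.get("common_name", "") + "\n" + entry.get("name_value", "")
        for name in raw.split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert still tells you the base name exists
            if not HOSTNAME_RE.match(name):
                continue  # drops blanks, e-mail addresses and other junk in the SAN list
            if name != apex and not name.endswith("." + apex):
                continue  # out of scope (e.g. example.com.evil.test)
            names.add(name)
    return sorted(names)


def unknown_hosts(discovered, inventory):
    """Hostnames visible in CT logs that the asset inventory does not know about."""
    return sorted(set(discovered) - {h.lower() for h in inventory})


if __name__ == "__main__":
    # Constructed inventory: what the owning team believes is exposed.
    inventory = ["www.example.com", "example.com", "api.example.com"]
    hosts = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")
    print("CT-visible hosts:", hosts)
    print("Not in inventory:", unknown_hosts(hosts, inventory))
```

The apex filter matters: CT searches for `%.example.com` can return certificates for lookalike names on other domains, and those are out of scope for a bounty and irrelevant to the owning team's inventory. Hosts that show up in `unknown_hosts` (here the forgotten `old-vpn` and `staging-api` names) are exactly the "uncharted territory" the post talks about, and for the defender they are the ones to decommission or bring under monitoring.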
Enumerate Ports
Use masscan to enumerate all ports on all in-scope subdomains.
Enumerate Vhosts
Enumerate S3 Buckets
S3 buckets may have public access controls on them and you might be able to view their contents.
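An added example, not part of the original post, showing the two places a bucket becomes public and how the owner checks both: a bucket policy that grants to the anonymous principal, and an ACL grant to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents are constructed (the account id, bucket name and VPC endpoint id are placeholders); they follow the shape AWS uses for a bucket policy and for the GetBucketAcl response, so the same functions can be pointed at real output.

```python
import json

# Canned ACL group URIs that make a bucket readable by anyone (AllUsers) or by any
# AWS account holder (AuthenticatedUsers); both are public from a security standpoint.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket policy: one anonymous read, one scoped write, one anonymous
# list restricted by a Condition. The account id and vpce id are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "DeployWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/deploy"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-assets",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    ],
})

# Constructed ACL in the shape of the GetBucketAcl response.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _principal_is_public(principal):
    """True for the forms that grant to everyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions, has_condition) for every Allow statement open to everyone.

    A Condition may narrow the grant (VPC endpoint, source IP, aws:PrincipalOrgID),
    so it is reported rather than silently accepted: someone has to read it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]  # a single statement may be written without the list
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), sorted(actions), "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to one of the public groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


if __name__ == "__main__":
    for sid, actions, conditioned in public_policy_statements(SAMPLE_POLICY):
        note = " (has Condition, review it)" if conditioned else ""
        print(f"policy: {sid} grants {actions} to everyone{note}")
    for group, perm in public_acl_grants(SAMPLE_ACL):
        print(f"acl: {group} has {perm}")
```

Two caveats worth keeping in mind. A policy can look clean while the ACL still grants READ to AllUsers, which is why both are checked; and a public `s3:GetObject` is sometimes intended (static site assets), so the check reports rather than decides. The control that removes the whole class of mistakes is S3 Block Public Access at the account level, which rejects public policies and ACLs regardless of what an individual bucket says.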
Google Dork
Use Google Dorks to find information leaks for the site in scope. If you’re lucky, you might find a dev’s private key!
Searching GitHub and other public version control hosting
- gitrob -> Find sensitive files in public GitHub repos.
Searching Internet History
Spider in-scope sites that are interesting
Map more attack surface from JavaScript source
The tool below will help you expose more endpoints.
- relative-url-extractor -> Uses regexes to find URLs in files.
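An added example, not code from the original post or from relative-url-extractor, of the regex approach that tool takes, followed by the triage a development team would run on its own bundle before release: endpoints pointing at non-production hosts, plaintext HTTP, or paths like `/internal` and `/debug` are the ones that should never have shipped. The JavaScript snippet, the hosts and the "production host" set are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed JavaScript snippet standing in for a built front-end bundle;
# the hosts and paths are made up for this example.
SAMPLE_JS = r'''
const API = "https://api.example.com/v2";
fetch(API + "/users/me");
axios.post('/internal/export', payload);
const legacy = "http://staging-api.example.com/v1/debug/dump";
window.location = "/account/settings?tab=billing";
const notAUrl = "hello world";
'''

# Quoted string literals that look like an absolute or protocol-relative URL,
# or a root-relative path. Same idea as the regex-based extractors, kept simple.
URL_RE = re.compile(r"""["'`]((?:https?:)?//[^\s"'`]+|/[A-Za-z0-9_./?=&%-]*)["'`]""")

# Path segments that usually mean an endpoint was never meant to ship in a public bundle.
SENSITIVE_SEGMENTS = {"internal", "admin", "debug"}


def extract_endpoints(js_source):
    """Sorted, de-duplicated list of URL-like string literals in the JS source."""
    return sorted({m.group(1) for m in URL_RE.finditer(js_source)})


def triage(endpoints, production_hosts):
    """Flag endpoints that reference non-production hosts, plaintext HTTP or sensitive paths.

    Returns a list of (endpoint, [reasons]); endpoints with nothing to flag are omitted.
    """
    production_hosts = {h.lower() for h in production_hosts}
    flagged = []
    for ep in endpoints:
        parsed = urlparse(ep)  # a bare path parses with empty scheme and netloc
        reasons = []
        if parsed.netloc and parsed.netloc.lower() not in production_hosts:
            reasons.append("non-production host " + parsed.netloc)
        if parsed.scheme == "http":
            reasons.append("plaintext http")
        if SENSITIVE_SEGMENTS & {seg.lower() for seg in parsed.path.split("/") if seg}:
            reasons.append("sensitive path")
        if reasons:
            flagged.append((ep, reasons))
    return flagged


if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_JS)
    print("endpoints:", endpoints)
    for ep, reasons in triage(endpoints, {"api.example.com"}):
        print(f"review: {ep} -> {', '.join(reasons)}")
```

The regex deliberately only catches literals; URLs assembled at runtime (the `API + "/users/me"` pattern above yields only the `/users/me` fragment) are a known blind spot of this approach, which is why the extracted list is a starting point for review rather than a complete endpoint map.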
Burp Plugins
- Reflector -> Find reflected XSS faster as Burp spiders.