Bug Bounty Methodology

List of valuable bug bounty platforms and program lists:

Bugcrowd
https://www.bugcrowd.com/

Hackerone
https://www.hackerone.com/

Synack
https://www.synack.com/

Japan Bug Bounty Program
https://bugbounty.jp/

Cobalt
https://cobalt.io/

Zerocopter
https://zerocopter.com/

Hackenproof
https://hackenproof.com/

BountyFactory
https://bountyfactory.io

Bug Bounty Programs List
https://www.bugcrowd.com/bug-bounty-list/

AntiHack
https://www.antihack.me/

What to read?

OWASP Testing Guide
https://owasp.org/www-project-web-security-testing-guide/stable/

The Web Application Hacker's Handbook
https://www.amazon.com/gp/product/1118026470/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1118026470&linkCode=as2&tag=bugcrowd-20&linkId=9f9c5e3f51e50ea7092a21a04aec184f/

Cheatsheets

https://github.com/EdOverflow/bugbounty-cheatsheet

Tips

Bug Bounty Hunting Tip #1 - Always read the source code
Bug Bounty Hunting Tip #2 - Try to hunt subdomains
Bug Bounty Hunting Tip #3 - Always check the back-end CMS and back-end language (e.g. with BuiltWith)
Bug Bounty Hunting Tip #4 - Google dorks are very helpful
Bug Bounty Hunting Tip #5 - Check each request and response

Approach

- First review the scope
- Perform reconnaissance to find valid targets
- Find subdomains through various tools (Sublist3r, VirusTotal, etc.)
- Select one target, then scan the discovered hosts to gather additional information (CMS, server software and whatever else I need)
- Use Google dorks for information gathering on a particular target
- Review all of the services, ports and applications
- Fuzz for errors and to expose vulnerabilities
- Attack vulnerabilities to build proof-of-concepts

Powerful google dorks

* "index of" "windows" "iso" site:.edu
* site:.eu responsible disclosure
* inurl:index.php?id=
* site:.nl bug bounty
* "index of" inurl:wp-content/ (identify WordPress websites)
* inurl:"q=user/password" (identify Drupal CMS)

Tools

* Information gathering
RED-HAWK (All-in-one)
https://github.com/Tuhinshubhra/RED_HAWK

* Subdomain lookup
Sub.sh (Hunting + Alive check)
https://github.com/cihanmehmet/sub.sh

Sublist3r (recursive check, e.g. sub.sub.website.com)
https://github.com/aboul3la/Sublist3r

* Subdomain takeover check
Subzy 
https://github.com/LukaSikic/subzy

Subjack
https://github.com/haccer/subjack.git

* Alive check
Httprobe
https://github.com/tomnomnom/httprobe

* SQLi + Wayback
WaybackSqliScanner
https://github.com/ghostlulzhacks/waybackSqliScanner

WaybackURLs
https://github.com/tomnomnom/waybackurls

* Known-URL search (AlienVault Open Threat Exchange, Wayback Machine, Common Crawl)
Gau
https://github.com/lc/gau

* Multi-tool
Hakrawler
https://github.com/hakluke/hakrawler

* Broken link checker
https://github.com/stevenvachon/broken-link-checker
`blc -r --filter-level 2 https://starbucks.com | grep "\.js" | grep "BROKEN"`

Search engines

https://domainbigdata.com/

https://censys.io

https://shodan.io

https://viz.greynoise.io

https://zoomeye.org

https://netograph.io

https://wigle.net

https://intelx.io

https://fofa.so

https://hunter.io

https://haveibeenpwned.com

API Exploitation
http://ghostlulz.com/swagger-api/

XXE
http://ghostlulz.com/xml-external-entityxxe/

Broken link hijacking
http://ghostlulz.com/broken-link-hijacking/
