This page contains a streamlined methodology tailored for Bug Bounty Hunting, Web Application Penetration Testing (WAPT), and Vulnerability Assessment and Penetration Testing (VAPT). It serves as a practical guide for Red Teamers, Blue Teamers, and CTF players, focusing on key phases like Reconnaissance, Scanning, Exploitation, Post-Exploitation, and Reporting. Each phase includes actionable steps and tools, making it a comprehensive resource for systematically identifying and exploiting vulnerabilities in web applications and networks.
- hackify.sh: Use this to install important tools and wordlists.
- Top tools list: Remaining tools can be installed manually.
- h1asset by adysec, h1domains by zricethezav, Inventory by Trickest, bounty-targets-data by arkadiyt, bug-bounty-recon-dataset by inth3wild
- Google dork https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt
- Bug Bounty Hunting Platforms
- https://github.com/projectdiscovery/public-bugbounty-programs For Downloading subdomains of all programs https://chaos.projectdiscovery.io/
- Find New Acquisitions by target companies https://index.co/company/COMPANY/acquirees. Example: https://index.co/company/google/acquirees
- Reverse IP lookup to widen the scope in red teaming: Hacker Target, ViewDNS.info and SecurityTrails (account needed).
- Subdomain Automation
- Subdomain Enumeration: subauto, Subdomain Enumeration Tool by ZishanAdThandar
subauto domain.com
- Subdomain Takeover: grepping the vulnerable results from subzy
cat *Takeover.txt | grep " \[ "
or
cat *Takeover.txt | grep " \[ \|EdOverflow"
and verify with can-i-take-over-xyz by EdOverflow
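A triage helper for the verification step above, as an added example that is not from the page, subzy or can-i-take-over-xyz. It classifies constructed DNS/HTTP observations of your own subdomains and flags only those that need manual confirmation; FINGERPRINTS holds illustrative placeholder suffixes and markers, not the real can-i-take-over-xyz fingerprint list.

```python
# Added example: triage dangling-CNAME findings before manual verification.
# FINGERPRINTS and SAMPLE are constructed placeholders, not project data.
from dataclasses import dataclass
from typing import Optional

# service -> (CNAME suffix identifying the provider, text an unclaimed
# resource returns). Placeholders; consult can-i-take-over-xyz per service.
FINGERPRINTS = {
    "ExamplePages": (".examplepages.invalid", "There isn't a site here"),
    "ExampleCDN": (".examplecdn.invalid", "Resource not found"),
}

@dataclass
class Observation:
    host: str                 # the subdomain under review
    cname: Optional[str]      # CNAME target, None if the record is A/AAAA
    nxdomain: bool            # True if the CNAME target no longer resolves
    body: str = ""            # HTTP body fetched with the Host header set

def triage(obs: Observation) -> tuple:
    """Return (verdict, service) for one subdomain.

    Verdicts: 'no-cname', 'unknown-provider', 'candidate', 'claimed'.
    'candidate' = dangling CNAME on a known provider; verify by hand
    (can-i-take-over-xyz) before reporting or remediating.
    """
    if not obs.cname:
        return "no-cname", ""
    target = obs.cname.rstrip(".").lower()
    for service, (suffix, marker) in FINGERPRINTS.items():
        if target.endswith(suffix):
            if obs.nxdomain or marker.lower() in obs.body.lower():
                return "candidate", service
            return "claimed", service
    return "unknown-provider", target

def candidates(observations):
    """Hosts worth manual verification, in the order observed."""
    return [o.host for o in observations if triage(o)[0] == "candidate"]

SAMPLE = [  # constructed observations
    Observation("docs.example.com", "org.examplepages.invalid.", True),
    Observation("cdn.example.com", "x.examplecdn.invalid", False, "Resource not found"),
    Observation("www.example.com", "lb.examplecdn.invalid", False, "<html>ok</html>"),
    Observation("mail.example.com", None, False),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o.host, *triage(o))
```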
- naabu + nmap
naabu -list domain.com_subs.txt >> naabu.txt
or
naabu -list domain.com_ips.txt >> naabu.txt
naabu -l instamojo.com_subs.txt -nmap-cli 'nmap --script vuln -Pn -T5 -A' | tee -a domain.com_nmapvuln.txt
- DorkScout: Golang tool to automate Google dork scans against the entire internet or specific targets.
- pagodo (Passive Google Dork)
- FGDS
curl https://raw.githubusercontent.com/IvanGlinkin/Fast-Google-Dorks-Scan/master/FGDS.sh -s |bash -s domain.com
- sitedorks by Zarcolio
- git-hound
- Install git-hound with Hackify or from the repo release, then check it is on the PATH:
which git-hound
- Login details:
nano /root/go/bin/config.yml
Example: https://github.com/tillson/git-hound/blob/main/config.example.yml
- Entering OTP:
git-hound --otp-code 1234568
git-hound --config-file /root/go/bin/config.yml --subdomain-file subdomains.txt
- SecurityTrails, ViewDNS.info: For DNS history and records.
- dnsdumpster.com
- Shodan, Censys: For Internet device searches.
- Google, Bing: For cached search engine results.
- crt.sh, Censys, CertDB: For certificate transparency logs.
- dig: To find DNS misconfigurations and IP leaks.
- Burp Suite Pro [Windows Linux] File: https://portswigger.net/burp/pro Loader:...... Zer0DayLab
- Burp Bounty Pro Extension
- Burp Turbo Intruder
- HUNT by BugCrowd
- Unlimited BurpSuite Extensions
- nuclei with nuclei-templates or external templates
- nuclei template install (as root):
nuclei -ut
- nuclei command:
nuclei -l httpsubdomain.txt -resume nuclei.txt -nmhe
[rate-limit 10/second to avoid errors from rapid requests; -nmhe to skip max-host errors]
- Acunetix Pro [Windows Linux] Pwn3rzs
- Creating Acunetix CSV list from https links
for i in $(cat domain.com_httpssubdomain.txt); do echo \"$i\", \" \"; done > domain.com_acunetix.csv
- Afrog
afrog -T domain.com_httpsubs.txt
- OWASP Nettacker
- Wapiti [Linux]
- XAttacker
perl XAttacker.pl -l list.txt
- RCE: Commix
- SQL Injection: sqlmap, jSQL or NoSQLMap
- Cross Site Scripting: XSStrike, xsscrapy
- File inclusion: LFIMap, liffy
- Fileupload: fuxploider
- CORS: Corsy
- CRLF Injection: crlfuzz
- GraphQL: batchql by assetnote, INQL Scanner Burpsuite Extension or INQL Script
- 403 bypass: bypass-403 by iamj0ker, 403bypasser by yunemse48, 4-ZERO-3 by Dheerajmadhukar or 403 Bypasser Burpsuite Extension
- GF Pattern Commands: Gf-Patterns
- Hidden Link Discovery: LinkFinder by GerbenJavado
- Hidden Parameter Discovery: x8
- Subdomain Enumeration:
ffuf -w /opt/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u https://FUZZ.target.com -H "Host: FUZZ.target.com"
- Virtual Host Discovery:
ffuf -w /opt/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u https://target.com -H "Host: FUZZ.target.com"
- Parameter Fuzzing:
ffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u https://target.com/page.php?FUZZ=value
- Directory/Files Enumeration:
ffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/common.txt -u https://target.com/FUZZ/
- Fuzzing HTTP Headers:
ffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u https://target.com -H "FUZZ: test"
- Fuzzing Post Data:
ffuf -w /opt/wordlists/SecLists/Fuzzing/fuzz.txt -u https://target.com/login -X POST -d "username=FUZZ&password=pass"
Manual exploitation is often the most effective way to identify vulnerabilities. Unlike automated scanners, manual techniques allow you to discover bugs that might otherwise go unnoticed. To perform manual exploitation, you can use tools such as Burp Suite, OWASP ZAP, mitmproxy, Postman, and Browser Inspector. These tools enable you to analyze and manipulate HTTP requests and responses, inspect web elements, and more, allowing for a deeper investigation into potential security flaws.
- Advanced Reconnaissance and Web Application Discovery (ARWAD) by Ahmad Halabi
- How to Hunt by Kathan Patel
- Awesome Bug Bounty Roadmap
- AllAboutBugBounty by Muhammad Daffa
- BugBounty Tips punishell
- Web Checklist by six2dex pentestbook
- Web Checklist JHaddix forked gist
- OWASP WSTG
- Bug Bounty Cheat Sheet by EdOverflow