Bug Bounty Methodology — Bug Hunting Checklist (PART-1)

apex
4 min read · Jan 13, 2022

Hey, it’s me again, back with another checklist. I have seen various articles and tools specifically designed to exploit a single vulnerability, whether it is nuclei, ZAP or any other automated tool. But I noticed everyone was using these tools without having any predefined method in place when testing for web application vulnerabilities.

If you automate everything, this will be the most likely situation.

Today, I designed a checklist which will be helpful for bug bounty hunters and security engineers when testing for various functionalities.

1. Recon on Wildcard Domain — Tools required:

Download the tools from GitHub and follow the checklist below for initial recon.

  1. Amass (https://github.com/OWASP/Amass)
  2. subfinder (https://github.com/projectdiscovery/subfinder)
  3. Assetfinder (https://github.com/tomnomnom/assetfinder)
  4. dnsgen (https://github.com/ProjectAnte/dnsgen)
  5. massdns (https://github.com/blechschmidt/massdns)
  6. httprobe (https://github.com/tomnomnom/httprobe)
  7. aquatone (https://github.com/michenriksen/aquatone)

In the last step, write a bash script which collects all the domains and pipes them in a single file.

Recon Tools Required
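One way to write that last-step script, as an added example that is not part of the original post. It assumes each tool's output has already been saved one hostname per line; the function name `merge_subdomains`, the file names and `example.com` are placeholders, and the in-scope filter goes slightly beyond what the step asks for.

```bash
#!/usr/bin/env bash
# Added example: merge per-tool subdomain lists into one in-scope, deduplicated file.
# usage: merge_subdomains <scope-domain> <output-file> <input-file>...
# Prints the number of hosts written. The body runs in a subshell, so variables stay local.
merge_subdomains() (
    scope=$1 out=$2
    if [ -z "$scope" ] || [ -z "$out" ] || [ "$#" -lt 3 ]; then
        echo "usage: merge_subdomains <scope-domain> <output-file> <input-file>..." >&2
        return 2
    fi
    shift 2
    # Normalise each line: drop CRs, lowercase, trim, strip a leading "*." and a trailing ".".
    # Then keep only valid hostnames that equal the scope domain or end in ".<scope>".
    # A literal suffix comparison is used because a plain grep for "example.com"
    # would also keep notexample.com and example.com.evil.net.
    cat -- "$@" \
      | tr -d '\r' \
      | tr '[:upper:]' '[:lower:]' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\*\.//' -e 's/\.$//' \
      | awk -v scope="$scope" '
            BEGIN { scope = tolower(scope); suffix = "." scope }
            $0 !~ /^[a-z0-9_]([a-z0-9_.-]*[a-z0-9])?$/ { next }
            $0 == scope { print; next }
            length($0) > length(suffix) &&
              substr($0, length($0) - length(suffix) + 1) == suffix { print }
        ' \
      | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
)

# Constructed sample lists (not real tool output) showing what gets kept.
demo() (
    d=$(mktemp -d)
    printf 'www.example.com\nAPI.Example.com.\n*.dev.example.com\n' > "$d/amass.txt"
    printf 'www.example.com\r\nnotexample.com\nexample.com.evil.net\n' > "$d/subfinder.txt"
    merge_subdomains example.com "$d/all-domains.txt" "$d/amass.txt" "$d/subfinder.txt"
    cat "$d/all-domains.txt"
    rm -rf "$d"
)
demo
```

Filtering to the programme's scope domain at merge time keeps look-alike and third-party hosts out of every later step that reads the combined file.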

2. Scanning:

You can either use automated tools like Nmap or Metasploit modules to check for vulnerabilities, or use manual tools like LinkFinder and gau for URL gathering.

Automated & Manual Scanning Tools

3. Manual Checking:

Manual checking involves using dorks to find sensitive information such as exposed APIs, Amazon keys or database credentials.

A detailed checklist is given below:

Dorks

4. Information Gathering:

I know most of you are confused about the initial recon phase and information gathering.

The recon phase involves using automated frameworks like recon-ng, Sn1per, etc., to do the boring stuff.

The information gathering phase involves checking websites/applications manually to find sensitive info and planning the different attack vectors possible.

Information Gathering Phase

5. Configuration Management:

If you check everything mentioned in the above checklist, you will have a rough idea of the applications you are dealing with. So, now it’s time to check for configuration errors. Follow the checklist below to know more.

Configuration Management

6. Secure Transmission:

Now that you know about the errors in the configuration, it’s time to check how the data is transmitted. The checklist is mentioned below:

Secure Transmission

7. Authentication:

Moving on to another important area where most of the vulnerabilities are found: authentication. These types of vulnerabilities are not found by automated tools, and even if you find one, you will often notice that they are out-of-scope.

To test for the vulnerabilities below, you need a solid understanding of Burp Suite.

Authentication Vulnerabilities Checklist

8. Session Management:

After checking for authentication vulnerabilities, you will probably come across a topic called cookies. If you don’t know about the topic, please google it; you can find many articles on the internet that explain it in detail.

Below are the areas you should check when it comes to session management:

Session Management Checklist

That’s it for today, folks. This is PART 1; I’ll be back with PART 2. In the meantime, check for the above vulnerabilities and learn how to use Burp Suite. There are many tutorials available on YouTube and you will come across loads of info, so document everything you learn.

Until then… Over and Out.
