Bug Bounty Hunting! Yep, you heard it right. Recently, it's been one of the most famous topics, and that's why today's article is going to be a little different from my previous ones. In this comprehensive guide, I'm going to walk you through how to find targets, what to look for, and how to handle those bugs like a pro. We'll delve into a range of techniques and tools used by bug bounty hunters to identify and exploit vulnerabilities effectively. So, grab your coffee, get comfortable, and let's dive in.
You can use a tool called BigBountyRecon, which applies 58 different techniques using various Google dorks and open-source tools to speed up the initial reconnaissance of a target organization. A few useful dorks:
site:*.domain.com inurl:"*admin | login" | inurl:.php | .asp
Searches for URLs containing admin or login in the domain and with PHP or ASP extensions, potentially revealing login pages or vulnerable scripts.
site:*.domain.com intext:sql syntax near | intext:syntax error has occurred | intext:incorrect syntax near | intext:unexpected end of SQL command | intext:Warning: mysql_connect() | intext:Warning: mysql_query() | intext:Warning: pg_connect()
Searches page text for SQL-related error messages, which indicate potential SQL injection vulnerabilities.
site:*.domain.com inurl:/geoserver/ows?service=wfs
Targets URLs related to geoserver services, which could expose sensitive information or functionality.
echo domain.com > target.txt
Sets up a target file for subdomain enumeration.
subfinder -dL target.txt -all -recursive -o Subs01.txt
Discovers subdomains recursively and saves the results to a file using SubFinder.
subenum -l target.txt -u wayback,crt,abuseipdb,bufferover,Findomain,Subfinder,Amass,Assetfinder -o Subs02.txt
Enumerates subdomains using various sources and tools, consolidating the results into a single file using SubEnum.
cat Subs*.txt | anew | tee AllSubs.txt
cat AllSubs.txt | httpx -o AliveSubs.txt
These steps refine your target list so you focus only on live, responsive subdomains. If httpx runs slowly, you can use something like SegFault for a better internet connection.
cat AliveSubs.txt | waybackurls | tee urls.txt
Retrieves archived URLs using Wayback Machine for further analysis.
cat urls.txt | grep '=' | tee param.txt
Filters URLs with parameters and saves them for parameter-based testing.
cat urls.txt | grep -iE '\.js(\?|$)' | grep -ivE '\.json' | sort -u | tee js.txt
Extracts JavaScript files from URLs for analysis.
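The two grep filters above work on raw lines, so `grep -iE '.js'` also matches paths such as `/objs/` (the dot matches any character) and one endpoint shows up once per archived query string. This added example, which is not from the article, does the same triage with a URL parser: it collapses archived variants to one endpoint with its parameter names, and picks JavaScript files by path extension. The sample URLs are constructed.

```python
from urllib.parse import urlparse, parse_qsl

# Constructed sample of archived URLs, in the shape waybackurls emits them.
SAMPLE_URLS = """
https://app.example.com/search?q=test&page=2
https://app.example.com/search?q=other&page=3
https://static.example.com/assets/main.js
https://static.example.com/assets/main.js?v=3
https://api.example.com/config.json
https://app.example.com/objs/list
http://app.example.com/login?next=/home
""".split()


def parameterised(urls):
    """Map each scheme://host/path to the sorted parameter names seen on it.
    Keying by path collapses the many archived copies of one endpoint into a
    single entry, so each parameter is reviewed once rather than once per copy."""
    endpoints = {}
    for url in urls:
        p = urlparse(url)
        names = {k for k, _ in parse_qsl(p.query, keep_blank_values=True)}
        if names:
            key = f"{p.scheme}://{p.netloc}{p.path}"
            endpoints.setdefault(key, set()).update(names)
    return {k: sorted(v) for k, v in endpoints.items()}


def script_files(urls):
    """Return unique JavaScript URLs with the query string dropped. Checking the
    path's extension avoids the false positives of grep -iE '.js', where 'objs'
    and '.json' would also match."""
    seen = set()
    for url in urls:
        p = urlparse(url)
        if p.path.lower().endswith(".js"):
            seen.add(f"{p.scheme}://{p.netloc}{p.path}")
    return sorted(seen)
```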
nuclei -list urls.txt -t /fuzzing-templates
Scans URLs using Nuclei's fuzzing templates to identify potential vulnerabilities.
nuclei -list AliveSubs.txt -t /nuclei-templates/vulnerabilities -t /nuclei-templates/cves -t /nuclei-templates/exposures
Scans for specific vulnerabilities such as CVEs, exposures, and SQL injection based on predefined templates.
cat urls.txt | uro | gf xss > xss.txt
Detects XSS patterns in URLs and saves the results to a file.
dalfox file xss.txt | tee XSSvulnerable.txt
Uses Dalfox for fast and accurate XSS detection.
cat AliveSubs.txt | gau | uro | gf lfi | tee lfi.txt
Detects LFI patterns in URLs and saves the results to a file.
nuclei -list target.txt -tags lfi
Specifically scans for LFI vulnerabilities based on tags.
site=$(cat target.txt); gau "$site" | while read -r url; do if curl -s -I -H 'Origin: https://evil.com' "$url" | grep -qi 'access-control-allow-origin: https://evil.com'; then echo "[Potential CORS found] $url"; else echo "Nothing on $url"; fi; done
Checks for potential CORS vulnerabilities by sending requests with different origins.
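What the loop above greps for is the server echoing an untrusted Origin back in Access-Control-Allow-Origin. This added example (not from the article) classifies a captured response the same way, and shows the exact-match allowlist a correctly configured server should apply instead; the allowlisted origins and header dicts are constructed.

```python
PROBE_ORIGIN = "https://evil.com"  # the foreign origin used in the check above


def classify_cors(sent_origin, headers):
    """Label one response to a request that carried Origin: sent_origin.
    headers: dict of lower-cased response header names to values."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"              # browser blocks cross-origin reads
    if acao == sent_origin:
        # Arbitrary origin reflected back; with credentials any site can read
        # authenticated responses, which is the finding the grep looks for.
        return "reflected-origin+credentials" if creds else "reflected-origin"
    if acao == "*":
        return "wildcard"             # public data only; browsers refuse credentials with '*'
    return "allowlisted"              # server returned a fixed, different origin


# Hardened form (constructed allowlist). Full scheme://host strings are compared
# exactly, which avoids suffix matches (evil-example.com) and substring matches
# (example.com.evil.com) that a startswith/endswith check would accept.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_for(request_origin):
    """Only echo an Origin that is on the allowlist; otherwise send no CORS headers."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "access-control-allow-origin": request_origin,
            "access-control-allow-credentials": "true",
            "vary": "Origin",  # caches must not serve one origin's answer to another
        }
    return {}
```

Note that an allowlisted origin is echoed too, so from the client it looks identical to reflection; that is why the probe must use an origin the site should never trust.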
python3 sqlifinder.py -d domain.com
Discovers SQL injection vulnerabilities on the domain using SqliFinder.
sqlmap -m param.txt --batch --random-agent --level 1 | tee sqlmap.txt
Performs SQL injection testing on parameters.
cat urls.txt | grep -a -i '=http' | qsreplace 'evil.com' | while read -r host; do curl -s -L -I "$host" | grep -qi '^location: .*evil\.com' && printf '%s \033[0;31mVulnerable\033[0m\n' "$host"; done
Checks for open redirects by replacing URLs with a malicious domain and observing the response.
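The loop above reports a hit when the Location header of a redirect contains the injected domain. This added example, not from the article, resolves a captured Location the way a browser would (relative and protocol-relative values included) before deciding, and shows a hardened validator for a `next`-style parameter. The site host and responses are constructed.

```python
from urllib.parse import urlparse, urljoin

SITE_HOST = "app.example.com"  # constructed: the site being tested or defended


def redirect_target(request_url, location):
    """Resolve a Location header against the request URL and return (host, is_external)."""
    resolved = urljoin(request_url, location)
    host = (urlparse(resolved).hostname or "").lower()
    return host, host != SITE_HOST


def is_open_redirect(request_url, status, location, injected_host="evil.com"):
    """Finding logic of the one-liner above on a captured response: a 3xx whose
    resolved Location lands on the injected host means the parameter drove the redirect."""
    if not (300 <= status < 400) or not location:
        return False
    host, external = redirect_target(request_url, location)
    return external and host == injected_host


def safe_next(value, default="/"):
    """Hardened form for a 'next'/'return' parameter: accept only a path on this site.
    Rejects absolute URLs, protocol-relative '//host' values and backslashes, which
    some browsers normalise to '/' and turn '/\\host' into '//host'."""
    if not value or not value.startswith("/") or value.startswith("//") or "\\" in value:
        return default
    if urlparse(value).netloc or urlparse(value).scheme:
        return default
    return value
```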
In this guide, we've covered some basic reconnaissance techniques commonly used in bug bounty hunting. However, when you start targeting a platform like HackerOne, BugCrowd, or Intigriti, your approach needs to be thorough and systematic.
Take notice of everything. Begin by thoroughly examining the target's website. Dedicate time to each step of the process to ensure you uncover what you're looking for. For instance, when discovering subdomains, don't stop there. Investigate each subdomain for potential vulnerabilities, including fuzzing for backup files and log files. This meticulous approach is crucial in bug bounty hunting.
Remember, recon takes time. Rushing through this phase can lead to missed opportunities. What we've covered here is just the tip of the iceberg. The real magic happens when you invest time and effort into each step, uncovering vulnerabilities that others might overlook. Happy hunting!
If you have any questions about this tutorial please leave a comment below or reach out to me on Twitter @amrelsagaei.