In this write up I am going to describe the path I walked through the bug hunting from the beginner level. This write-up is purely for new comers to the bug bounty community. And I hope this will help you to understand that how a researcher or bug hunter find bug in Web-Application.

lets Start With The Intro Of Bug Bounty:

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Note: Here I have added some tools and useful Links which i use while hunting the bugs.

These are the tools & tips which I use daily for hunt a bug.

Useful YouTube Channels for learning

• LiveOverflow
• Bugcrowd
• JackkTutorials
• Nahamsec
• STÖK
• SecurityIdiots
• Required Skills Before Hunting:

Linux basics, Networking basics, programming (require when you code)

Basic idea about the HTTP protocols and its headers(Request and Response)

Burpsuite, Metasploit , SqlMap , Nmap etc.

• How to choose our target ?

Bug Bounty Platforms

1. Bugcrowd
   https://www.bugcrowd.com/
2. Hackerone
   https://www.hackerone.com/
3. Synack
   https://www.synack.com/
4. Japan Bug bounty Program
   https://bugbounty.jp/
5. Cobalt
   https://cobalt.io/
6. Zerocopter
   https://zerocopter.com/
7. Hackenproof
   https://hackenproof.com/
8. BountyFactory
   https://bountyfactory.io
9. Bug Bounty Programs List
   https://www.bugcrowd.com/bug-bounty-list/
10. AntiHack
    https://www.antihack.me/

Or we can find targets from the google by searching for responsible disclosure policy of a website. I recommend to start with responsible disclosure , so there are more chances for acceptence of report. And then after a experience start with Bug Bounty Platform.

• We have a target then how to start ??

If you have chosen your target, then you should start finding the subdomain of the target.

or we can start with the IP blocks of the targets which we can get from the ASN (some of the websites are mentioned in below)

• Why we need subdomain?

Sometimes targeting the main domain is not possible to find bugs which will frustrated to the noobs. Because the top or other researchers are already found and reported the bugs to the target. For newbie should start with the other subdomains. (its true that most common vulnerabilities are already reported by the researcher so keep in mind that we have to find a unique target and unique bug.)

• How to find Sub-domains?

As per my recon I am using the following tools to find the sub-domains for the target.

• Subfinder
• Amass
• Sublist3r
• Aquatone
• Knockpy

We can also find sub-domain via online recon tools. (sites are given below)

• Virustotal ( Use its API in tools)
• Dnsdumpster
• Findsubdomains
• Pentest-tools
• Hackertarget
• Sub-domain Takeover Vulnerability:

Goto this link and learn about some basics to advance concepts of Subdomain takeover vulnerability.

https://github.com/EdOverflow/can-i-take-over-xyz

• Discovering Target Using ASN (IP Blocks):

  https://whois.arin.net/ui/query.do

• Discovering Target Using Shodan

https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22

• Brand / TLD Discovery:

This will increase the target scope by searching for a Aquiasition of a target

Acquisition — -> crunchbase, wikipedia

link discovery — ->burp spidering

weighted& reverse tracker → domlink, builtwith

• Trademark In Google: ” “Tesla © 2018” “Tesla © 2019” “Tesla © 2020” inurl:tesla
• Subfinder
• Gobuster
• Aquatone
• Subdomain Enumberation:

Here you can find the original scripts https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration

Note: Kindly replace the API key used inside the scripts which may be an invalid which results in less amount of subdomains (I recommend to use virustotal API key)

• Presentation:

Slides are available at: https://speakerdeck.com/yamakira/esoteric-sub-domain-enumeration-techniques

• Subdomain Enumeration with the SPF record
• Using CSP
• DNSrecon
• ALTDNS
• Zone transfer using dig
• DNSSEC
• Zone walking NSEC — LDNS
• Port Scanning:

The port scanning is very important to find the target which is running in non-standard or standard ports.

For port scanning I have used NMAP and Masscan and Aquatone scan.

Then some researcher start checking for sub-domain takeover vulnerability once they found sub-domains which running on the standard or non-standard ports.

• Enumerating Targets(Port Scanning)
• NMAP
• Visual Identification

This part will help us to find a application which is running on standard or non-standard ports on the target machine.

The following tools are grabbing banner if they found on the target machine which is running on specific ports. That will help us to sort list our target sub-domains.

• Eyewitness
• Wayback Enumeration →> waybackurl

This technology will help us if we seen any one of the HTTP responses like 401,403,404. This will show you the old stored data using Archive.

Here we can find some sensitive information even the target page is not currently accessible.
https://archieve.org/web

• waybackurls
• Parsing JavaScript

Parsing JS is very useful to find the directories which is used by the target. we can use these type of tools instead of brute-forcing the directory list on the target

Note: Brute-Forcing of directory also good thing to do. Always use the multiple techniques to find the directory from the targets(I found Hotsar Aws Credentials with Directory Buster & Burp Intruder)

• linkfinder
• DIRsearch
• Dirb
• Content Discovery: “ Gobuster”
• Credential Bruteforce: “BrutesprayBrutespray”

These tools are having the ability to brute-force the different type of protocols like http, ssh,smtp, etc

• Technology Identification and Vulnerability findings:

Here I used Wappalyzer and build with addons on the browsers. Whatweb tool also I used to find the what technologies they used on the target.

The following tools to find technologies and technology based vulnerabilities on the target.

• WPScan
• Cmsmap
• Before start testing I recommend this book for bug hunter bcoz it help a lot to understand & Exploit the bug!

The testing is based on our opinion. some of them start with the xss and other vulnerabilities which we can easily found from the target.

Still you are stuck with the testing for a bug means you can start reading the following books which always helpful for Bug hunter or Application Penetration Tester.

1. https://www.amazon.in/Web-Application-Hackers-Handbook-Exploiting/dp/8126533404
2. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
3. https://leanpub.com/web-hacking-101

And for our Mobile hacking friends:

1. The Mobile Application Hacker’s Handbook
2. iOS Application Security
3. Owasp Mobile AppSec

I hope these books are very helpful for how to test for a bugs

CheatSheet

• SQL Injection Cheat-Sheet
• XSS Cheat-Sheet
• XXE Payload

Pen Testing Methodologies

1. Penetration Testing Framework
2. The Penetration Testing Execution Standard
3. The WASC Threat Classification
4. OWASP Top Ten Project
5. The Social Engineering Framework

Popular Google Dorks Use(finding Bug Bounty Websites)

1. site:.eu responsible disclosure
2. inurl:index.php?id=
3. site:.nl bug bounty
4. “index of” inurl:wp-content/ (Identify Wordpress Website)
5. inurl:”q=user/password” (for finding drupal cms )

Browsers Plugins

• Chrome : http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
• Firefox : http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/
• My Tips & Tricks
• Bug Bounty Hunting Tip #1- Always read the Source Code
• Bug Bounty Hunting Tip #2- Try to Hunt Subdomains
• Bug Bounty Hunting Tip #3- Always check the Back-end CMS & backend language
• Bug Bounty Hunting Tip #4- Google Dorks is very helpful
• Bug Bounty Hunting Tip #5- Active Mind — Out of Box Thinking ; )

“Special Thanks To Jhaddix For Sharing This Methodology With Us”

Twitter: https://twitter.com/Mah3Sec_