🛡️ Bug Bounty Procedure – Beginner’s Guide
Platform: Kali Linux
Goal: Discover subdomains, hidden files, parameters, and vulnerabilities on the target to report responsibly.
Step 1: Subdomain Enumeration (Discover Hidden Assets)
Goal: Enumerate as many in-scope subdomains as possible. Subdomains often host dev/staging sites, APIs, admin panels, etc.
Tools:
Amass (Passive + Active)
Subfinder (Fast passive)
GAU & Waybackurls (Old URLs)
httpx (Check live hosts)
🔧 Commands:
# Passive subdomain enumeration
amass enum -passive -d targetscope.com -o amass_passive.txt
# Active subdomain enumeration
amass enum -active -d targetscope.com -o amass_active.txt
# Subfinder - Fast passive method
subfinder -d targetscope.com -o subfinder.txt
# GAU - Get archived URLs (with subdomains)
gau -subs targetscope.com | tee gau.txt
# Wayback Machine URLs
waybackurls targetscope.com | tee wayback.txt
Combine & Check Live Subdomains:
# Combine all results (note: gau/waybackurls emit full URLs, not bare hostnames, so normalise to hostnames before treating this as a subdomain list)
cat amass_*.txt subfinder.txt gau.txt wayback.txt | sort -u > all_subdomains.txt
# Check which subdomains are alive
httpx -l all_subdomains.txt -o alive_subdomains.txt
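An added helper, not part of the original guide, for the combine step above: amass and subfinder emit bare hostnames while gau and waybackurls emit full URLs, so the list needs normalising to lowercase hostnames and filtering to the program's scope before httpx (or anything else) touches it. The scope domain targetscope.com and the sample lines are constructed.

```shell
#!/bin/sh
# normalize_hosts <scope-domain>: read mixed recon output on stdin, write a
# de-duplicated list of in-scope hostnames on stdout.
# Handles: full URLs, userinfo@, :port, *.wildcards, mixed case, CRLF.
# Drops anything that is not <scope> or a subdomain of it (so
# "targetscope.com.evil.net" and "nottargetscope.com" are rejected).
normalize_hosts() {
  scope="$1"
  tr -d '\r' \
    | tr 'A-Z' 'a-z' \
    | sed -e 's|^[a-z][a-z0-9+.-]*://||' \
          -e 's|[/?#].*$||' \
          -e 's|^[^@]*@||' \
          -e 's|:[0-9]*$||' \
          -e 's|^\*\.||' \
    | awk -v s="$scope" '
        $0 == s { print; next }
        substr($0, length($0) - length(s)) == ("." s) { print }
      ' \
    | sort -u
}

# Stand-alone use: normalize_hosts.sh targetscope.com < combined.txt
if [ -n "${1:-}" ]; then
  normalize_hosts "$1"
fi
```

Run the combined file through it (for example `cat amass_*.txt subfinder.txt gau.txt wayback.txt | normalize_hosts targetscope.com > all_subdomains.txt`) and only the normalised, in-scope list reaches httpx.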
Step 2: Directory & File Enumeration (Find Hidden Endpoints)
Goal: Discover sensitive folders, login panels, backups, etc.
Tools:
Dirsearch
FFUF
🔧 Commands:
# Dirsearch - brute force directories
dirsearch -u https://targetscope.com -e php,asp,aspx,txt -t 50
# FFUF - Fuzz directory paths
ffuf -u https://targetscope.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 403 -t 50
Step 3: Parameter Discovery (Target for XSS, SQLi, IDOR)
Goal: Find hidden GET and POST parameters to test for injection vulnerabilities.
Tools:
ParamSpider
Arjun
🔧 Commands:
# Extract GET parameters
paramspider --domain targetscope.com --output params.txt
# Discover GET parameters using Arjun
arjun -u https://targetscope.com -m GET -o arjun_get.json
# Discover POST parameters using Arjun
arjun -u https://targetscope.com -m POST -o arjun_post.json
Step 4: Vulnerability Scanning (Find Security Holes Quickly)
Goal: Detect vulnerabilities like XSS, SSRF, Open Redirect, CORS, etc.
Tools:
Nuclei
Corsy
XSStrike
🔧 Commands:
# Nuclei - Fast scanning with templates
nuclei -l alive_subdomains.txt -t ~/nuclei-templates/ -o nuclei_results.txt
# CORS misconfigurations
corsy -u https://targetscope.com
# XSS automated testing (XSStrike fuzzes every query parameter itself; give it a URL with a normal parameter value rather than an ffuf-style FUZZ marker)
python3 xsstrike.py -u "https://targetscope.com/search?query=test"
Step 5: Advanced Recon (Stand Out from Other Hunters)
Find JavaScript Files & API Endpoints
# Crawl for APIs and endpoints (depth = 2)
katana -u https://targetscope.com -d 2 -o api_endpoints.txt
# Extract JavaScript file URLs from the crawl (keep only URLs whose path ends in .js)
katana -u https://targetscope.com -d 2 | grep -iE '\.js(\?|$)' | sort -u > js_links.txt
Analyze JavaScript for Secrets:
# Check each JS file for strings that look like credentials (quote the URL and use read -r so odd characters in URLs are not mangled)
while read -r url; do
  echo "[+] Checking $url"
  curl -s "$url" | grep -iE "apiKey|token|secret|auth"
done < js_links.txt
🛠️ Check for Exposed .git Folder (Code Exposure)
gitdumper https://targetscope.com/.git/ ./gitdump/
Final Tips for Beginners:
Always work ethically—only test assets in-scope for the program.
Read the scope and rules on HackerOne/Bugcrowd/Intigriti.
Document everything: requests, payloads, screenshots, and reproduction steps.
Report only verified vulnerabilities with clear impact.