Welcome to the Bug Hunting Methodology guide. This section will take you through a comprehensive process for identifying and reporting bugs, leveraging various tools and techniques. Whether you're a beginner or an experienced bug hunter, this guide will help you hone your skills and improve your success rate in finding vulnerabilities.
Use subfinder to enumerate subdomains for the target domain.
subfinder -d example.com -all -recursive > subdomain.txt
Check which subdomains are alive using httpx-toolkit.
cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt
Use katana to find URLs.
katana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -o allurls.txt
Search for sensitive files using grep.
cat allurls.txt | grep -E "\.txt|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.json|\.gz|\.rar|\.zip|\.config"
Identify JavaScript files for further analysis.
cat allurls.txt | grep -E "\.js$" >> alljs.txt
Run nuclei against JavaScript files to find exposures.
cat alljs.txt | nuclei -t /home/indcrypt/nuclei-templates/http/exposures/
Run nuclei on the main domain to find exposures.
echo www.example.com | katana -ps | grep -E "\.js$" | nuclei -t /home/indcrypt/nuclei-templates/http/exposures/ -c 30
Use dirsearch for finding hidden directories and files.
dirsearch -u https://www.example.com -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js.,.json
Run automated scanning using a combination of tools and scripts.
subfinder -d example.com | httpx-toolkit -silent | katana -ps -f qurl | gf xss | bxss -appendMode -payload '">' -parameters
subzy run --targets subdomains.txt --concurrency 100 --hide_fails --verify_ssl
python3 corsy.py -i /home/indcrypt/vaitor/subdomains_alive.txt -t 10 --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"
nuclei -list subdomains_alive.txt -t /home/indcrypt/Priv8-Nuclei/cors
nuclei -list ~/vaitor/subdomains_alive.txt -tags cve,osint,tech
cat allurls.txt | gf lfi | nuclei -tags lfi
cat allurls.txt | gf redirect | openredirex -p /home/indcrypt/openRedirect
Payload:
'"><svg/onload=prompt(5);>{{7*7}}
Archive Recon (Web + CLI):
Website:
https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original
Command Line:
curl -G "https://web.archive.org/cdx/search/cdx" --data-urlencode "url=*.example.com/*" --data-urlencode "collapse=urlkey" --data-urlencode "output=text" --data-urlencode "fl=original" > output.txt
cat output.txt | uro | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.git|\.env|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'
Confidential File Scanner:
cat output.txt | grep -Ea '\.pdf' | while read -r url; do
  # Fetch each archived PDF, convert it to text, and print the URL only if the
  # text contains a confidentiality marker or a personal-data keyword.
  curl -s "$url" | pdftotext - - | grep -Eaiq '(internal use only|confidential|strictly private|personal & confidential|private|restricted|internal|not for distribution|do not share|proprietary|trade secret|classified|sensitive|bank statement|invoice|salary|contract|agreement|non disclosure|passport|social security|ssn|date of birth|credit card|identity|id number|company confidential|staff only|management only|internal only)' && echo "$url";
done
Example for Specific Target:
https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original&filter=original:.*\.(xls|xml|xlsx|json|pdf|sql|doc|docx|pptx|txt|zip|tar\.gz|tgz|bak|7z|rar|log|cache|secret|db|backup|yml|gz|git|config|csv|yaml|md|md5|exe|dll|bin|ini|bat|sh|tar|deb|rpm|iso|img|apk|msi|env|dmg|tmp|crt|pem|key|pub|asc)$
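The extension filters above (the grep pipeline and the CDX filter parameter) match against the whole URL string, so a query string after `.gz` or an upper-case `.PDF` behaves differently from what the list intends. The following is an added example, not part of the original guide, that applies the same extension check to the URL path only; the URL sample and the shortened extension list are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of archived URLs (not real data); in practice feed the
# de-duplicated CDX export (output.txt | uro) on stdin.
SAMPLE_URLS='https://www.example.com/assets/app.js
https://www.example.com/backup/db.sql.gz?download=1
https://static.example.com/img/logo.png
https://www.example.com/.env
https://www.example.com/docs/policy.PDF#page=2
https://www.example.com/api/v1/users.json
https://www.example.com/jsonstuff
https://www.example.com/'

# Extensions worth a second look (shortened; extend with the full list above).
SENSITIVE_EXT='sql|env|pdf|json|bak|zip|gz|tgz|tar|7z|rar|log|db|yml|yaml|config|ini|key|pem|crt|git'

# flag_sensitive_urls: read URLs on stdin, print only those whose *path*
# ends in a flagged extension. Query string, fragment, scheme and host are
# stripped first and the match is case-insensitive, so
# "db.sql.gz?download=1" and "policy.PDF#page=2" are caught while
# "/jsonstuff" (no extension) and "app.js" are not.
flag_sensitive_urls() {
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    path=${url%%\?*}        # drop query string
    path=${path%%\#*}       # drop fragment
    path=${path#*://}       # drop scheme
    case $path in
      */*) path=${path#*/} ;;  # drop host, keep the rest of the path
      *)   continue ;;         # bare host, nothing to check
    esac
    file=${path##*/}        # last path segment
    if printf '%s\n' "$file" | grep -Eiq "\.($SENSITIVE_EXT)$"; then
      printf '%s\n' "$url"
    fi
  done
}

# count_flagged: number of flagged URLs in the constructed sample.
count_flagged() {
  printf '%s\n' "$SAMPLE_URLS" | flag_sensitive_urls | grep -c .
}

printf '%s\n' "$SAMPLE_URLS" | flag_sensitive_urls
```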