Bug Hunting Methodology

Passive Recon

Using shodan.io, fofa.info, zoomeye.ai or odin.io to detect similar app

# https://github.com/glennzw/shodan-hq-nse
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'

Search for similar websites using the same favicon: pielco11/fav-up or slightly different icon: profundis.io/favicon-matcher

python3 favUp.py --favicon-file favicon.ico -sc
python3 favUp.py --favicon-url https://domain.behind.cloudflare/assets/favicon.ico -sc
python3 favUp.py --web domain.behind.cloudflare -s

Search inside Shortener URLs: shorteners.grayhatwarfare.com, utkusen/urlhunter

urlhunter --keywords keywords.txt --date 2020-11-20

Search inside Buckets: buckets.grayhatwarfare.com
Using The Wayback Machine to detect forgotten endpoints

# Look for JS files, old links
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"

Using laramies/theHarvester

python theHarvester.py -b all -d domain.com

Look for private information in GitHub repositories with michenriksen/GitRob

gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2

Perform Google Dorks search: ikuamike/GoogleDorking.md

site: *.example.com -www
intext:"dhcpd.conf" "index of"
intitle:"SSL Network Extender Login" -checkpoint.com

Enumerate subdomains using HackerTarget

curl --silent 'https://api.hackertarget.com/hostsearch/?q=targetdomain.com' | grep -o '\w.*targetdomain.com'

Enumerate endpoints using CommonCrawl

echo "targetdomain.com" | xargs -I domain curl -s "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.targetdomain.com&output=json" | jq -r .url | sort -u

Active Recon

Network Discovery

Subdomains enumeration
- Enumerate already found subdomains: projectdiscovery/subfinder, OWASP/Amass
```
subfinder -d hackerone.com
amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com
```
- Permutate subdomains: infosec-au/altdns
- Bruteforce subdomains: Josue87/gotator
- Resolve subdomains to IP with blechschmidt/massdns, remember to use a good list of resolvers like trickest/resolvers
```
massdns -r resolvers.txt -o S -w massdns.out subdomains.txt
```
- Subdomain takeovers: EdOverflow/can-i-take-over-xyz
Network discovery
- Scan IP ranges with nmap, robertdavidgraham/masscan and projectdiscovery/naabu
- Discover services, version and banners
Review latest acquisitions
ASN enumeration
- projectdiscovery/asnmap: asnmap -a AS45596 -silent
- asnlookup.com
DNS Zone Transfer

host -t ns domain.local
domain.local name server master.domain.local.

host master.domain.local        
master.domain.local has address 192.168.1.1

dig axfr domain.local @192.168.1.1

Web Discovery

Common Files

security.txt: A file that provides contact info for reporting security issues with your site (like an email or PGP key).

Contact: mailto:security@example.com

sitemap.xml: Lists all the important URLs of your site so search engines can index them efficiently.

<urlset>
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
</urlset>

robots.txt: Tells search engine crawlers which pages or files they can or cannot access on your site.

User-agent: *
Disallow: /admin/

Enumerate Files and Folders

Enumerate all accessible files and subdirectories. Once the underlying technology has been identified, prioritize the use of targeted wordlists rather than generic ones. Technology specific wordlists such as those provided by Assetnote (https://wordlists.assetnote.io), significantly improve coverage and efficiency. Examples include httparchive_parameters_top_1m_2026_01_27.txt, httparchive_directories_1m_2026_01_27.txt, and httparchive_php_2026_01_27.txt.

ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/FUZZ'
gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/'

Identify and enumerate backup and temporary files that may have been unintentionally exposed. These files often contain source code, credentials, or sensitive configuration data and are commonly created by editors, deployment processes, or manual backups.

mazen160/bfac

bfac --url http://example.com/test.php --level 4
bfac --list testing_list.txt

Crawl the website's pages and resources to identify additional attack surface and expand the assessment perimeter.

katana -u https://tesla.com
echo https://google.com | hakrawler

Next.js Endpoints

In Next.js, window.__BUILD_MANIFEST is a runtime global variable that the framework automatically injects into the client-side JavaScript bundle.

Go to DevTools->Console and execute this JavaScript code:

console.log(window.__BUILD_MANIFEST)
console.log(__BUILD_MANIFEST.sortedPages)

If you inspect your app in the browser console (for a production build), you might see something like this:

{__rewrites: {…}, /: Array(10), /404: Array(8), /500: Array(4), /_error: Array(1), …}
/: (10) ['static/chunks/2852872c-b605aca0298c2109.js', 'static/chunks/3748-2a8cf394c7270ee0.js']
/404: (8) ['static/chunks/2852872c-b605aca0298c2109.js', 'static/chunks/3748-2a8cf394c7270ee0.js']
/500: (4) ['static/chunks/3748-2a8cf394c7270ee0.js', 'static/chunks/1221-b44c330d41258365.js']
/[slug]: (30) ['static/chunks/2852872c-b605aca0298c2109.js', 'static/chunks/29107295-4cc022cea922dbb4.js']
/_error: ['static/chunks/pages/_error-6ddff449d199572c.js']
/about/[slug]: (31) ['static/chunks/2852872c-b605aca0298c2109.js']

JS and HTML Comments

Retrieve comments in source code.

<!-- HTML Comment -->
// JS Comment

Internet Archive

Identify historical URLs and endpoints by reviewing archived content from sources such as the Wayback Machine and the Internet Archive.

gau --o example-urls.txt example.com
gau --blacklist png,jpg,gif example.com

Hidden Parameters

Search for hidden parameters:

x8 -u "https://example.com/?something=1" -w <wordlist>

Map Technologies

Web service enumeration using projectdiscovery/httpx or projectdiscovery/wappalyzergo
- Favicon hash
- JARM fingerprint
- ASN
- Status code
- Services
- Technologies (Github Pages, Cloudflare, Ruby, Nginx,...)
```
httpx -title -tech-detect -status-code -follow-redirects -jarm -asn -json -silent -ports 80,443 -l urls.txt
```
Look for WAF with projectdiscovery/cdncheck and identify the real IP with christophetd/CloudFlair

echo www.hackerone.com | cdncheck -resp
www.hackerone.com [waf] [cloudflare]

Take screenshots for every websites using sensepost/gowitness

Manual Testing

Explore the website with a proxy:

Automated vulnerability scanners

projectdiscovery/nuclei:

nuclei -u https://example.com

./nikto.pl -h http://www.example.com

Looking for Web Vulnerabilities

Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
Test for Business Logic weaknesses
- High or negative numerical values
- Try all the features and click all the buttons
The Web Application Hacker's Handbook Checklist
Subscribe to the site and pay for the additional functionality to test
Inspect Payment functionality - @gwendallecoguic

If the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free

From https://stripe.com/docs/testing : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S."

Test card numbers and tokens

NUMBER	BRAND	TOKEN
4242424242424242	Visa	tok_visa
4000056655665556	Visa (debit)	tok_visa_debit
5555555555554444	Mastercard	tok_mastercard

International test card numbers and tokens

NUMBER	TOKEN	COUNTRY	BRAND
4000000400000008	tok_at	Austria (AT)	Visa
4000000560000004	tok_be	Belgium (BE)	Visa
4000002080000001	tok_dk	Denmark (DK)	Visa
4000002460000001	tok_fi	Finland (FI)	Visa
4000002500000003	tok_fr	France (FR)	Visa