Bug Hunting Methodology

Passive recon

Using Shodan to detect similar app

can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'

Using The Wayback Machine to detect forgotten endpoints

look for JS files, old links
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"

Using The Harvester

python theHarvester.py -b all -d domain.com

Look for private information in GitHub repos with GitRob

gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2

Perform Google Dorks search

Active recon

Network discovery

Subdomains enumeration
Enumerate already found subdomains: projectdiscovery/subfinder: subfinder -d hackerone.com
Permutate subdomains: infosec-au/altdns
Bruteforce subdomains: Josue87/gotator
Subdomain takeovers: EdOverflow/can-i-take-over-xyz
Network discovery
Scan IP ranges with nmap, robertdavidgraham/masscan and projectdiscovery/naabu
Discover services, version and banners
Review latest acquisitions
ASN enumeration
projectdiscovery/asnmap: asnmap -a AS45596 -silent

DNS Zone Transfer

host -t ns domain.local
domain.local name server master.domain.local.

host master.domain.local        
master.domain.local has address 192.168.1.1

dig axfr domain.local @192.168.1.1

Web discovery

Locate robots.txt, security.txt, sitemap.xml files
Retrieve comments in source code
Discover URL: tomnomnom/waybackurls
Search for hidden parameters: PortSwigger/param-miner

List all the subdirectories and files with gobuster or ffuf

# gobuster -w wordlist -u URL -t threads
./gobuster -u http://example.com/ -w words.txt -t 10

Find backup files with mazen160/bfac

bfac --url http://example.com/test.php --level 4
bfac --list testing_list.txt

Map technologies: Web service enumeration using projectdiscovery/httpx or Wappalyzer
Gather favicon hash, JARM fingerprint, ASN, status code, services and technologies (Github Pages, Cloudflare, Ruby, Nginx,...)
Take screenshots for every websites using sensepost/gowitness
Automated vulnerability scanners
projectdiscovery/nuclei: nuclei -u https://example.com
Burp Suite's web vulnerability scanner
sullo/nikto: ./nikto.pl -h http://www.example.com
Manual Testing: Explore the website with a proxy:
Caido - A lightweight web security auditing toolkit
ZAP - OWASP Zed Attack Proxy
Burp Suite - Community Edition

Looking for Web vulnerabilities

Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
Test for Business Logic weaknesses
High or negative numerical values
Try all the features and click all the buttons
The Web Application Hacker's Handbook Checklist copied from http://mdsec.net/wahh/tasks.html
Subscribe to the site and pay for the additional functionality to test
Inspect Payment functionality - @gwendallecoguic

if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free

From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. " e.g :

Test card numbers and tokens

NUMBER	BRAND	TOKEN
4242424242424242	Visa	tok_visa
4000056655665556	Visa (debit)	tok_visa_debit
5555555555554444	Mastercard	tok_mastercard

International test card numbers and tokens

NUMBER	TOKEN	COUNTRY	BRAND
4000000400000008	tok_at	Austria (AT)	Visa
4000000560000004	tok_be	Belgium (BE)	Visa
4000002080000001	tok_dk	Denmark (DK)	Visa
4000002460000001	tok_fi	Finland (FI)	Visa
4000002500000003	tok_fr	France (FR)	Visa