Bug Hunting Methodology

Passive Recon

Using Shodan to detect similar app

can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'

Search for similar websites using the same favicon: pielco11/fav-up

python3 favUp.py --favicon-file favicon.ico -sc
python3 favUp.py --favicon-url https://domain.behind.cloudflare/assets/favicon.ico -sc
python3 favUp.py --web domain.behind.cloudflare -s

Search inside Shortener URLs: shorteners.grayhatwarfare.com, utkusen/urlhunter

urlhunter --keywords keywords.txt --date 2020-11-20

Search inside Buckets: buckets.grayhatwarfare.com
Using The Wayback Machine to detect forgotten endpoints

look for JS files, old links
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"

Using laramies/theHarvester

python theHarvester.py -b all -d domain.com

Look for private information in GitHub repositories with michenriksen/GitRob

gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2

Perform Google Dorks search

site: *.example.com -www
intext:"dhcpd.conf" "index of"
intitle:"SSL Network Extender Login" -checkpoint.com

Active Recon

Network Discovery

Subdomains enumeration
- Enumerate already found subdomains: projectdiscovery/subfinder, OWASP/Amass
```
subfinder -d hackerone.com
amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com
```
- Permutate subdomains: infosec-au/altdns
- Bruteforce subdomains: Josue87/gotator
- Resolve subdomains to IP with blechschmidt/massdns, remember to use a good list of resolvers like trickest/resolvers
```
massdns -r resolvers.txt -o S -w massdns.out subdomains.txt
```
- Subdomain takeovers: EdOverflow/can-i-take-over-xyz
Network discovery
- Scan IP ranges with nmap, robertdavidgraham/masscan and projectdiscovery/naabu
- Discover services, version and banners
Review latest acquisitions
ASN enumeration
- projectdiscovery/asnmap: asnmap -a AS45596 -silent
- asnlookup.com
DNS Zone Transfer

host -t ns domain.local
domain.local name server master.domain.local.

host master.domain.local        
master.domain.local has address 192.168.1.1

dig axfr domain.local @192.168.1.1

Web Discovery

Locate robots.txt, security.txt, sitemap.xml files
Retrieve comments in source code
Discover URL: tomnomnom/waybackurls, lc/gau
Search for hidden parameters: PortSwigger/param-miner, s0md3v/Arjun and Sh1Yo/x8
List all the subdirectories and files with OJ/gobuster, ffuf/ffuf and bitquark/shortscan

gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/'
ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/FUZZ'

Find backup files with mazen160/bfac

bfac --url http://example.com/test.php --level 4
bfac --list testing_list.txt

Map technologies: Web service enumeration using projectdiscovery/httpx or projectdiscovery/wappalyzergo
- Favicon hash
- JARM fingerprint
- ASN
- Status code
- Services
- Technologies (Github Pages, Cloudflare, Ruby, Nginx,...)
Look for WAF with projectdiscovery/cdncheck and identify the real IP with christophetd/CloudFlair

echo www.hackerone.com | cdncheck -resp
www.hackerone.com [waf] [cloudflare]

Crawl through website pages and files: hakluke/hakrawler and projectdiscovery/katana

katana -u https://tesla.com
echo https://google.com | hakrawler

Take screenshots for every websites using sensepost/gowitness
Automated vulnerability scanners
- projectdiscovery/nuclei: nuclei -u https://example.com
- Burp Suite's web vulnerability scanner
- sullo/nikto: ./nikto.pl -h http://www.example.com
Manual Testing: Explore the website with a proxy:

Looking for Web Vulnerabilities

Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
Test for Business Logic weaknesses
- High or negative numerical values
- Try all the features and click all the buttons
The Web Application Hacker's Handbook Checklist copied from http://mdsec.net/wahh/tasks.html
Subscribe to the site and pay for the additional functionality to test
Inspect Payment functionality - @gwendallecoguic

if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free

From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. " e.g :

Test card numbers and tokens

NUMBER	BRAND	TOKEN
4242424242424242	Visa	tok_visa
4000056655665556	Visa (debit)	tok_visa_debit
5555555555554444	Mastercard	tok_mastercard

International test card numbers and tokens

NUMBER	TOKEN	COUNTRY	BRAND
4000000400000008	tok_at	Austria (AT)	Visa
4000000560000004	tok_be	Belgium (BE)	Visa
4000002080000001	tok_dk	Denmark (DK)	Visa
4000002460000001	tok_fi	Finland (FI)	Visa
4000002500000003	tok_fr	France (FR)	Visa