
Bug Bounty Methodology

0xhelloworld edited this page Apr 12, 2019 · 1 revision

Go the road less travelled: find programs that are not on HackerOne or Bugcrowd. Start with https://www.bugcrowd.com/bug-bounty-list/ and Google for "Responsible Disclosure", "Vulnerability Disclosure" or "responsible disclosure website list".

Hackerone In Scope Domains: https://github.com/zricethezav/h1domains/blob/master/domains.txt

Google Dork:

responsible disclosure "bounty"

"Responsible Disclosure" seems to give the best results.

intext:"Responsible Disclosure Policy"

"responsible disclosure" "private program" 

"responsible disclosure" "private" "program"

Google Dork:

vulnerability disclosure program "bounty" -bugcrowd -hackerone

responsible disclosure "private program"        <--- find private HackerOne/Bugcrowd programs

Google Dorker:

https://github.com/random-robbie/bugbountydork/blob/master/main.py

Searching through source code:

If you find a vulnerable JavaScript file and want to find other websites that include the same script, you can use this site to search page source for it: https://nerdydata.com/search?query=ga.js

Subdomain Enumeration:

Basic Subdomain Scraping

Amass

./amass -active -d test.com -o /opt/output/company.com/amassCompany.txt

Subfinder

./subfinder -d test.com -v -o /opt/output/company.com/subfinderNoBrute.txt        <--- simple scan 
./subfinder -b -w /opt/wordlists/all.txt -d upwork.com -v -o /opt/output/company.com/subfinder.txt       <--- indepth scan

Sublist3r

python sublist3r.py -b -d example.com -v -t 40 -o /opt/output/company.com/example.txt
python sublist3r.py -d example.com -p 21,22,3389,8080,8181,8000,9443,8443,6900,9200,81        <--- also port-scan the discovered subdomains

Aquatone

aquatone-discover -d test.com   

Crt.sh

curl 'https://crt.sh/?q=%.example.com&output=json' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u        <--- the JSON is an array; -r drops the quotes, and multi-SAN certs expand to one name per line
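The jq/sed one-liner above loses two things a defender cares about when building an asset inventory from Certificate Transparency: SANs on a shared certificate that belong to a different domain (which should be dropped, not listed as in scope), and names whose every certificate has already expired (likely decommissioned hosts, which are exactly the ones that end up as dangling DNS records). The parser below is an added example, not part of the original wiki, and runs on a constructed sample of the crt.sh `output=json` records rather than a live query; `example.com` and the dates are made up.

```python
import json
from datetime import datetime

# Constructed sample of crt.sh 'output=json' records. The live API returns a JSON
# array; one certificate's name_value lists every SAN, separated by newlines.
# Hostnames and dates are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "not_after": "2025-01-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "not_after": "2025-06-01T00:00:00",
     "name_value": "*.example.com\nexample.com\nwww.example.net"},
    {"common_name": "old.example.com", "not_after": "2018-03-01T00:00:00",
     "name_value": "old.example.com\nOLD.EXAMPLE.COM"},
])


def in_scope(san, domain):
    """Normalise one SAN and return it if it is under `domain`, else None."""
    name = san.strip().lower()
    if name.startswith("*."):
        name = name[2:]          # wildcard -> its base name, as the sed does
    if name == domain or name.endswith("." + domain):
        return name
    return None                  # SAN for another domain on a shared cert


def parse_crtsh(raw_json, domain):
    """Map each in-scope hostname to the latest not_after date seen for it."""
    domain = domain.lower()
    latest = {}
    for cert in json.loads(raw_json):
        expiry = datetime.fromisoformat(cert["not_after"])
        for san in cert.get("name_value", "").split("\n"):
            host = in_scope(san, domain)
            if host is None:
                continue
            if host not in latest or expiry > latest[host]:
                latest[host] = expiry
    return latest


def hostnames(raw_json, domain):
    """Sorted, de-duplicated in-scope hostnames (what the one-liner aims for)."""
    return sorted(parse_crtsh(raw_json, domain))


def stale_hostnames(raw_json, domain, now):
    """Names whose certificates have all expired: check whether the host and its
    DNS record were cleaned up, since stale records invite takeover."""
    return sorted(h for h, exp in parse_crtsh(raw_json, domain).items() if exp < now)
```

Replace `SAMPLE_CRTSH_JSON` with the body of the curl response to run it against real data.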

Enumeration with aquatone: https://blog.it-securityguard.com/visual-recon-a-beginners-guide/

Subdomain bruteforcing:

Massdns

cd /opt/massdns
./scripts/subbrute.py /opt/wordlists/all.txt canva.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w canvaMassdns.txt

Gobuster

gobuster -m dns -u canva.com -t 100 -w /opt/wordlists/all.txt -o /opt/output/company.com/GoBusterCanvasubdomains.txt -q 

Don't forget to permutation scan. Example: if you have found admin.helpdesk.company.com and help.helpdesk.company.com, then bruteforce helpdesk.company.com itself, and try common prefixes against the names you already have.
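A small generator for the permutation step, added here as an example and not part of the original wiki: from names already discovered it derives (a) the intermediate zones worth their own brute-force pass and (b) prefix permutations of existing names. The discovered names and the prefix list are constructed; in practice the prefixes would come from a wordlist such as the one linked below.

```python
# Constructed sample: names already found by the scraping/bruteforce steps above.
DISCOVERED = [
    "admin.helpdesk.company.com",
    "help.helpdesk.company.com",
    "www.company.com",
]
# Constructed prefix list; a real run would use a wordlist.
PREFIXES = ["dev", "staging", "api"]


def parent_labels(names, domain):
    """Intermediate zones (e.g. helpdesk.company.com) implied by deeper names;
    each one deserves its own bruteforce pass."""
    suffix = "." + domain
    parents = set()
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        # every proper suffix of the label chain is a zone of its own
        for i in range(1, len(labels)):
            parents.add(".".join(labels[i:]) + suffix)
    return sorted(parents)


def permutations(names, prefixes):
    """Candidate names built from each discovered name and each prefix:
    replace the leftmost label, prepend a label, or hyphen-join it."""
    out = set()
    for name in names:
        leftmost, _, rest = name.partition(".")
        for p in prefixes:
            out.add(f"{p}.{rest}")               # dev.company.com
            out.add(f"{p}.{name}")               # dev.www.company.com
            out.add(f"{p}-{leftmost}.{rest}")    # dev-www.company.com
    return sorted(out - set(names))              # never re-emit known names
```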

Use Jason Haddix's all.txt wordlist for subdomain bruteforcing: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

Subdomain Analysis:

Subdomain Screenshotting:

HTTPprobe

cat aquatoneSublist.txt | httprobe -c 50 > livehosts.txt

Eyewitness

./EyeWitness.py --prepend-https -f /root/vanillasublister.txt --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -d targetvanilla

Multithreaded Eyewitness:

./EyeWitness.py --prepend-https -f /root/vanillasublister.txt --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" --threads 35 -d targetvanilla

Webscreenshot

webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v -w 10

webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v -m -w 10        <--- HTTP & HTTPS

epg-prep /root/adobe.com

node yourname.js

http://yourserverip:3000/photos

Port Scanning:

Ports to Find: 21,22,3389,8080,8181,8000,9443,8443,6900,9200,81

Masscan

masscan -p- --banners -iL targets.txt        <--- -iL reads the target list from a file; a bare filename would be parsed as a target

Nmap

nmap -p 21,22,3389,8080,8181,8000,9443,8443,6900,9200,81 -iL targets.txt 

Aquatone

aquatone-scan -d uber.com -t 30 -p medium  

aquatone-scan -d test.com -t 30 -p small        <--- small is ports 80 and 443

Shodan Queries

port:80,443,2376,8000,8080,8443,9443 http.title:Company

Subdomain Misconfigurations

Subdomain Takeover

Aquatone

aquatone-takeover -d adobe.com

https://github.com/EdOverflow/can-i-take-over-xyz

CyberInt Takeover

https://takeover.cyberint.com/

https://hackerone.com/reports/380158

CORS Testing:

Querying Wayback Machine

http://archive.org/web/ (if a subdomain name indicates critical data, e.g. config.test.com or admin.test.com, look it up in the Wayback Machine; archived copies may expose critical data such as API keys or credentials)

site:admin.target.com (if the website returns 403, try Google dorking it to see whether there are any endpoints you can access)

Endpoint Discovery

Directory Bruteforcing:

Burp Discover Content Engagement Tool
./dirsearch.py -u http://target.com -e '*' -r        <--- quote the * or the shell expands it to filenames in the current directory
dirb http://target.com
gobuster -w /opt/wordlists/content_discovery_all.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t 50 -u http://canva.com/ -o canvagobuster.txt -fw -r

https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10        <--- Jason Haddix's directory bruteforce list

File Extensions Via Google

site:site.com ext:php,asp,aspx,jsp,jspa,txt,swf

site:test.com ext:php

site:test.com ext:asp

Querying Wayback Machine

curl (see https://github.com/internetarchive/wayback/blob/master/wayback-cdx-server/README.md):

curl 'http://web.archive.org/cdx/search/cdx?url=games.sidefx.com/*&output=text&fl=original&collapse=urlkey'

More info: https://www.shawarkhan.com/2018/06/getting-php-code-execution-and-leverage.html

Query commoncrawl.org with CC.py

You can query commoncrawl.org to discover endpoints as well.

python3 cc.py github.com -y 18 -o github_2018.txt

Third party misconfigurations

Github Recon:

site:github.com inurl:looker "api" "key"
site:github.com inurl:looker "password"

AWS buckets:

Trello

https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724?gi=3cf919a0784b

Look for invite links: Slack, Discord, etc.

Javascript Files:

Link Finder & JSParser

Target Tab > Right Click Target.com > Engagement Tools > Find Scripts
Ctrl A > Copy Selected URLs (paste into a text file, linkfinder.txt)
cat linkfinder.txt | grep .js > linkfinder2.txt
python linkfinder.py -o cli -i http://target.com/everylink.js

OR copy and paste into JSParser:

python handler.py (then visit localhost:8008)

JSBeautifier

Identifying CMS

https://whatcms.org/        <--- discover the type of CMS running on a website