My checklist, or my methodology, in bug bounty.
Tool>
Amass - Good tool for gathering subdomains, CIDRs or IP ranges
Subfinder - Good tool
Assetfinder - Best tool I have used
Another choice - I used the Rekon bash_script tools
Sublist3r - Not bad either
Tool>
Burp Suite - Best tool I have used, so fun
OWASP ZAP - Second-best tool
Wayback Machine - hakrawler or tomnomnom's Waybackmachine tool
Directory brute forcing or fuzzing with my tool Fuzz-xElkomy, dirb and the Go tool ffuf
In manual checking I search with Google dorks, Shodan and GitHub,
and I use tools like lazys3 to recon public S3 buckets
Manually explore the site
Identify user roles.
Check session expiry and check out-of-scope roles :( —- :)
Check the count for the user name in the profile to test for a DoS attack
Check headers with Burp: X-Forwarded-For, Host, Server, etc., for a caching server or a DoS attack.
Check the version of any CMS or anything else on the website or this domain
Try to bypass authentication or authorization, crack the registration verification, and try to crack 2FA authentication
For XSS exploitation or recon I used XSStrike, XSpear and KNOXSS
For SSRF I used Burp Collaborator and a Burp extension called Taborator
For CSRF, first I check the source code, second I check the server's response after changing anything, and keep going :)
Check APIs, website dashboards or sensitive data for improper access control
This link is an awesome GitHub link with tips and tricks for bug hunters.