Bug Bounty Hunting Methodology 2025

Welcome to the Bug Bounty Methodology 2025 Edition. This methodology is a basic guide to help you kickstart your bug bounty journey. It outlines the essential steps for working through a target systematically, but the real challenge lies in identifying high-impact vulnerabilities through your own skills and creativity. This methodology will be updated regularly as new and interesting techniques emerge to enhance your testing process.

📜 Table of Contents

  1. Reconnaissance: Subdomain Enumeration & Initial Scanning

  2. Discovery: HTTP Probing & Asset Discovery

  3. Enumeration: Advanced Techniques & Parameter Discovery

  4. Testing: Vulnerability Assessment

  5. Two-Eye Approach: What is that?

  6. POC Creation: Documentation & Evidence

  7. Reporting: Final Documentation


1. Reconnaissance and Subdomain Enumeration

1.1 Passive Subdomain Enumeration

🛠️Tools: Subfinder, Amass, CRTSH, Github-Search

Subfinder

subfinder -d target.com -silent -all -recursive -o subfinder_subs.txt

Amass (Passive Mode)

CRT.sh Query

Github Dorking

Results Combination
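The "Results Combination" step is where most passive recon lists go wrong: tools disagree on case, emit `*.` wildcard entries, trailing dots, ports or full URLs, and some sources return hostnames that merely contain the target string. The function below is an added example, not code from the original page: it normalizes each tool's output, keeps only hosts that are the apex or a subdomain of the scope, and de-duplicates. `subfinder_subs.txt` is the file name the page's own subfinder command writes; the amass and crt.sh file names and their contents are constructed for this demo.

```shell
# Added example (not from the original page): normalize and merge passive
# enumeration output from several tools into one in-scope, de-duplicated list.
# The amass/crt.sh file names and all sample contents below are constructed.

# merge_subdomains DOMAIN FILE... -> one hostname per line, in scope only
merge_subdomains() {
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  # escape dots so the scope domain is matched literally inside the regex
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
  cat "$@" \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's#^[a-z][a-z0-9+.-]*://##' \
          -e 's/:[0-9][0-9]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "(^|\.)${esc}\$" \
    | LC_ALL=C sort -u
}

# write_sample_inputs DIR -> three constructed tool-output files (mixed case,
# wildcard entries, a trailing dot, a URL with a port, and an out-of-scope
# host that merely contains "target.com")
write_sample_inputs() {
  printf 'api.target.com\nDev.target.com\n' > "$1/subfinder_subs.txt"
  printf 'dev.target.com\n*.staging.target.com\ntarget.com.evil.com\n' > "$1/amass_subs.txt"
  printf '*.target.com\nmail.target.com.\nAPI.TARGET.COM\nhttps://vpn.target.com:443\n' > "$1/crtsh_subs.txt"
}

dir=$(mktemp -d)
write_sample_inputs "$dir"
merge_subdomains target.com "$dir"/subfinder_subs.txt "$dir"/amass_subs.txt "$dir"/crtsh_subs.txt
rm -rf "$dir"
```

The regex anchors on `(^|\.)target\.com$`, so `target.com.evil.com` is dropped while `*.target.com` collapses to the apex; feed the merged list to the active resolution step rather than to each tool's raw output.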

1.2 Active Subdomain Enumeration

🛠️Tools: MassDNS, Shuffledns, DNSX, SubBrute, FFuF

MassDNS

Shuffledns

DNSX Resolution

SubBrute

FFuF Subdomain

1.3 Handling Specific (Non-Wildcard) Targets

When the program scopes a single host rather than a wildcard domain, there are no subdomains to enumerate; go straight to collecting that host's known URLs from web archives and by crawling it.

🛠️Tools: GAU, Waybackurls, Katana, Hakrawler

GAU

Waybackurls

Katana

Hakrawler

Additional Advanced Techniques

🛠️Tools: CloudEnum, AWSBucketDump, S3Scanner

Reverse DNS

ASN Enumeration

Cloud Asset Enumeration

Results Validation


2. Discovery and Probing

2.1 HTTP Probing

🛠️Tools: httpx, httprobe

HTTPX Probing

Custom Filtering

2.2 JavaScript Analysis

🛠️Tools: LinkFinder, subjs, JSFinder, GF

JS Extraction

LinkFinder Analysis

Sensitive Pattern Search

API Key Validation
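The "Sensitive Pattern Search" and "API Key Validation" steps come down to running a handful of well-known formats over each downloaded script. The function below is an added example, not code from the original page or from any of the listed tools: it pulls quoted absolute paths (endpoint candidates) and matches the AWS access key ID, Google API key, JWT and generic `api_key = "..."` shapes. The sample JavaScript is constructed; the AWS key is Amazon's documented example key and the JWT is a throwaway token built for this demo.

```shell
# Added example (not from the original page): grep a downloaded JavaScript
# file for relative API endpoints and for common credential formats.
# The sample file is constructed; AKIAIOSFODNN7EXAMPLE is AWS's published
# example key and the JWT below is a throwaway token made for this demo.

# js_secret_scan FILE -> lines of "TYPE<TAB>VALUE", sorted and de-duplicated
js_secret_scan() {
  f="$1"
  # apiKey = "..." / secret: '...' / password="..." with a literal of 8+ chars
  gen="(api[_-]?key|secret|password)[\"']?[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}[\"']"
  {
    # double-quoted absolute paths such as "/api/v2/users" are endpoint candidates
    grep -oE '"/[A-Za-z0-9_.-][A-Za-z0-9_./-]*"' "$f" | tr -d '"' | awk '{print "ENDPOINT\t" $0}'
    # AWS access key IDs: AKIA followed by 16 upper-case alphanumerics
    grep -oE 'AKIA[0-9A-Z]{16}' "$f" | awk '{print "AWS_ACCESS_KEY_ID\t" $0}'
    # Google API keys: AIza followed by 35 characters
    grep -oE 'AIza[0-9A-Za-z_-]{35}' "$f" | awk '{print "GOOGLE_API_KEY\t" $0}'
    # JWTs: three base64url segments; a JSON header starting {"alg" encodes to eyJ
    grep -oE 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' "$f" | awk '{print "JWT\t" $0}'
    grep -oiE "$gen" "$f" | awk '{print "GENERIC_SECRET\t" $0}'
  } | LC_ALL=C sort -u
}

# write_sample_js FILE -> a constructed bundle fragment with the shapes above
write_sample_js() {
  cat > "$1" <<'EOF'
const API_BASE = "/api/v2";
fetch(API_BASE + "/users/me");
axios.post("/api/v2/admin/export", data);
var awsKey = "AKIAIOSFODNN7EXAMPLE";
const mapsKey = "AIzaSyA_EXAMPLE_0123456789abcdefghijklm";
const apiKey = "sk_test_51H_example_000";
localStorage.setItem("token", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl");
import "./vendor/ui.js";
EOF
}

f=$(mktemp)
write_sample_js "$f"
js_secret_scan "$f"
rm -f "$f"
```

Treat every match as a candidate, not a finding: Google Maps browser keys are meant to ship to clients, test-mode keys and revoked keys are common, and a JWT in a bundle is usually a fixture. Confirm impact only in the way the program allows; for an AWS key that means a read-only identity check such as `aws sts get-caller-identity` with the key configured, never listing or modifying resources.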

2.3 Advanced Google Dorking

🛠️Tools: GitDorker

Automated Dorking

Admin/Login Files

Config Files

Public Keys

2.4 URL Discovery

🛠️Tools: Katana, Gospider, Hakrawler

Katana Crawling

Gospider

Hakrawler

2.5 Archive Enumeration

🛠️Tools: GAU, Waybackurls, ParamSpider

Archive URL Collection

Parameter Extraction


3. Advanced Enumeration Techniques

3.1 Parameter Discovery

🛠️Tools: Arjun, ParamSpider, FFuF

Arjun Parameter Discovery

ParamSpider Web Parameters

FFuF Parameter Bruteforce
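The "Parameter Extraction" step of 2.5 and the ParamSpider/FFuF steps of 3.1 share one transformation: take the archived URL list that GAU or Waybackurls produced and turn it into (a) the set of parameter names seen on the target and (b) one `endpoint?param=FUZZ` template per endpoint/parameter pair. The block below is an added example that does both, not code from the original page or from ParamSpider; the URL list is constructed, with a fragment, a parameterless asset and a value that itself contains a `?` to show the edge cases.

```shell
# Added example (not from the original page): turn an archived URL list
# (what gau/waybackurls emit) into the unique parameter names and the
# "endpoint?param=FUZZ" templates that ffuf consumes. URLs are constructed.

SAMPLE_URLS='https://target.com/search?q=shoes&page=2
https://target.com/search?q=hats
https://target.com/item?id=42#reviews
https://target.com/redirect?url=https://target.com/home?x=1
https://target.com/static/app.js
https://target.com/item?id=17&ref=email'

# _split_query MODE: reads URLs on stdin; MODE=names prints parameter names,
# MODE=templates prints one FUZZ template per (endpoint, parameter) pair.
# Only the first "?" starts the query, so a "?" inside a value is kept intact.
_split_query() {
  awk -v mode="$1" '
  {
    sub(/#.*/, "")                          # drop the fragment
    q = index($0, "?"); if (q == 0) next    # no query string: nothing to fuzz
    base = substr($0, 1, q - 1)
    n = split(substr($0, q + 1), kv, "&")
    for (i = 1; i <= n; i++) {
      e = index(kv[i], "=")
      name = e ? substr(kv[i], 1, e - 1) : kv[i]
      if (name == "") continue
      if (mode == "names") print name
      else print base "?" name "=FUZZ"
    }
  }' | LC_ALL=C sort -u
}
extract_params() { _split_query names; }
fuzz_templates() { _split_query templates; }

printf '%s\n' "$SAMPLE_URLS" | extract_params
printf '%s\n' "$SAMPLE_URLS" | fuzz_templates
```

Each template goes straight into ffuf (`ffuf -w payloads.txt -u 'https://target.com/search?q=FUZZ'`), and the name list is a good seed wordlist for guessing hidden parameters on endpoints that had none in the archives, which is what Arjun (`arjun -u URL`) does with its built-in list. Keep the scheme as the archive recorded it: an `http://` copy of an endpoint is a separate target, not a duplicate.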

3.2 Cloud Asset Enumeration

🛠️Tools: CloudEnum, AWSBucketDump, S3Scanner

Cloud Bucket Enumeration

S3 Bucket Access Test

S3 Bucket Content Dump
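Cloud bucket enumeration is two distinct steps: guessing names, then interpreting what an unauthenticated request says about each one. A bucket that answers "AccessDenied" exists but is private; "NoSuchBucket" means the name is free; a listing means the bucket is world-readable and worth reviewing before anything is dumped. The block below is an added example, not code from the original page or from CloudEnum/S3Scanner: it generates candidate names with the same permutation idea those tools use and classifies `aws s3 ls` output. Only the generator and classifier run offline; `s3_probe` needs the AWS CLI and network access. The keyword and the sample CLI output are constructed.

```shell
# Added example, not code from the original page. Bucket-name candidates are
# generated from a keyword (the permutation approach cloud_enum-style tools
# use) and the result of an unauthenticated "aws s3 ls" is classified. Only
# the generator and classifier run offline; s3_probe needs the AWS CLI and
# network access. The keyword and the sample CLI output are constructed.

# bucket_candidates KEYWORD -> candidate bucket names, one per line
bucket_candidates() {
  kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$kw"
  for suffix in dev staging prod backup backups assets static uploads logs data; do
    printf '%s-%s\n%s.%s\n%s%s\n%s-%s\n' \
      "$kw" "$suffix" "$kw" "$suffix" "$kw" "$suffix" "$suffix" "$kw"
  done | LC_ALL=C sort -u
}

# classify_listing EXIT_CODE OUTPUT -> MISSING | PRIVATE | PUBLIC | UNKNOWN
#   MISSING: no such bucket (the name is free, nothing to report)
#   PRIVATE: bucket exists but anonymous listing is denied (note it, move on)
#   PUBLIC:  anonymous listing succeeded, even if empty (review keys, then report)
classify_listing() {
  rc="$1"; out="$2"
  case "$out" in
    *NoSuchBucket*)                      echo MISSING ;;
    *AccessDenied*|*AllAccessDisabled*)  echo PRIVATE ;;
    *) if [ "$rc" -eq 0 ]; then echo PUBLIC; else echo UNKNOWN; fi ;;
  esac
}

# s3_probe BUCKET -> "BUCKET<TAB>VERDICT" (live; needs aws cli and network)
s3_probe() {
  rc=0
  out=$(aws s3 ls "s3://$1" --no-sign-request 2>&1) || rc=$?
  printf '%s\t%s\n' "$1" "$(classify_listing "$rc" "$out")"
}

# Offline walk-through with constructed output resembling the real CLI messages
classify_listing 254 'An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist'
classify_listing 254 'An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied'
classify_listing 0   '2024-01-05 10:11:12       1024 backup.sql'
bucket_candidates Target | head -n 5
```

A live run is `bucket_candidates target | while read -r b; do s3_probe "$b"; done`. Report a PUBLIC bucket from the listing alone; dumping its contents is rarely needed for the POC and often forbidden by the program, and a PRIVATE bucket is only a finding if you can show it belongs to the target and is referenced by something in scope.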

3.3 Content Discovery

🛠️Tools: Feroxbuster, FFuF, Dirsearch

Feroxbuster

Dirsearch

FFuF Recursive

3.4 API Enumeration

🛠️Tools: Kiterunner, Postman, Burp Suite

Kiterunner

3.5 ASN Mapping

🛠️Tools: Amass, Shodan, Censys

ASN Lookup

Shodan Enumeration

Censys Asset Search


4. Vulnerability Testing

4.1 High-Priority Vulnerabilities

🐞CSRF Testing

🐞LFI Testing

🐞RCE Testing

🐞SQLi Testing

🐞Sensitive Data Search

🐞Open Redirect Test
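Of the checks listed above, the open redirect test is the one most often done badly: testers try `https://evil.com`, see the server prepend its own host, and stop, when the interesting cases are the shapes a naive allow-list lets through (`//evil.com`, `/\evil.com`, `https://target.com.evil.com`, `https://target.com@evil.com`). The block below is an added example, not code from the original page: a payload generator for those shapes and a classifier that reads the raw `Location` header and decides where a browser would actually land. `target.com` is the page's own placeholder scope; `attacker.example` and the sample header values are constructed.

```shell
# Added example, not code from the original page. Payload shapes to try in a
# suspected redirect parameter, plus a classifier that reads the raw Location
# header and decides where a browser would land. target.com is the page's
# placeholder scope; attacker.example and the sample headers are constructed.

# redirect_payloads ATTACKER TARGET -> values to put in the redirect parameter
# (URL-encode them before placing them in a query string; '#' must become %23)
redirect_payloads() {
  printf '%s\n' \
    "//$1/" \
    "https://$1/" \
    "/\\$1" \
    "https://$2.$1/" \
    "https://$2@$1/" \
    "https://$1?$2" \
    "https://$1#@$2"
}

# location_host LOCATION -> host a browser navigates to, or nothing for a
# relative path. Backslashes are treated as slashes, as browsers do; userinfo
# ("user@"), the query, the fragment and a port are stripped. Single-slash
# forms such as "https:/x" depend on the page's own scheme and are not handled.
location_host() {
  printf '%s' "$1" | tr '\\' '/' | tr 'A-Z' 'a-z' | sed -n '
s|^https\{0,1\}://||
t host
s|^//||
t host
d
:host
s|[/?#].*$||
s|^.*@||
s|:[0-9]*$||
p'
}

# redirect_verdict TARGET LOCATION -> same-origin | in-scope | off-scope
redirect_verdict() {
  target="$1"
  host=$(location_host "$2")
  case "$host" in
    "")                     echo same-origin ;;
    "$target"|*."$target")  echo in-scope ;;   # still worth a takeover check
    *)                      echo off-scope ;;  # candidate open redirect
  esac
}

# probe_redirect TARGET URL -> "VERDICT<TAB>Location" for one live request
# (needs network; not run here). -D - dumps headers, the body is discarded.
probe_redirect() {
  loc=$(curl -s -o /dev/null -D - --max-time 10 "$2" | tr -d '\r' \
        | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
  printf '%s\t%s\n' "$(redirect_verdict "$1" "$loc")" "$loc"
}

# Offline walk-through over constructed Location values
for loc in '/account' 'https://app.target.com/login' '//attacker.example/' \
           'https://target.com.attacker.example/' 'https://target.com@attacker.example/' \
           '/\attacker.example' 'https://attacker.example?target.com'; do
  printf '%-12s %s\n' "$(redirect_verdict target.com "$loc")" "$loc"
done
```

The classifier deliberately parses the raw header rather than curl's resolved `redirect_url`, because curl and browsers disagree on `/\host` and similar edge cases; the browser's view is the one that matters for impact. An off-scope verdict is the start of the POC, not the end: confirm the redirect fires from a clean browser session and then look for where the parameter is used (login flows, OAuth `redirect_uri`) to rate severity.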


5. The "Two-Eye" Approach 👀

  1. First Eye: Focus on testing every gathered subdomain, endpoint, or parameter for common vulnerabilities.

  2. Second Eye: Identify “interesting” findings like exposed credentials, forgotten subdomains, or admin panels.

Actionable Steps:

  • If a vulnerability is identified, create a proof of concept (POC) and test its impact.

  • If no vulnerabilities are found, pivot to deeper testing on unique subdomains or endpoints.


6. Proof of Concept (POC) Creation

🎥Video POC

Demonstrate vulnerabilities in action using a screen recording tool such as OBS Studio.

📸Screenshot POC

Capture clear screenshots with annotations to explain each step.

  • 🛠️Tool: Greenshot.


7. Reporting

📝Report Structure

  1. Executive Summary

    • Target Scope

    • Testing Timeline

    • Key Findings Summary

    • Risk Ratings

  2. Technical Details

    • Vulnerability Title

    • Severity Rating

    • Affected Components

    • Technical Description

    • Steps to Reproduce

    • Impact Analysis

    • Supporting Evidence (POC)

  3. Remediation

    • Detailed Recommendations

    • Mitigation Steps

    • Additional Security Controls

    • References & Resources

  4. Supporting Materials

    • Video Demonstrations

    • Screenshots & Annotations

    • HTTP Request/Response Logs

    • Code Snippets

    • Timeline of Discovery

Best Practices

  • Write clear, concise descriptions

  • Include detailed reproduction steps

  • Provide actionable remediation advice

  • Support findings with evidence

  • Use professional formatting

  • Highlight business impact

  • Include verification steps

Report Format
