1.

Set Realistic Expectations & Mindset

• Why it matters: When starting out, it's essential to shift focus from immediate rewards to
skill-building. Bug hunting is as much about learning and experience as it is about payouts.
• Deep dive: Many top bug bounty hunters spend years honing their skills, understanding
patterns, and learning from the community. Success often comes from persistence and
continuous learning rather than luck.
• Tip: Treat every engagement as a learning opportunity. Celebrate small wins, like
discovering a new technique, even if you don’t find a bug immediately.

2. Reconnaissance (Recon): The Foundation of Effective Bug

Hunting
• Purpose: To gather as much information as possible about the target before actively testing.
• Why it’s crucial: Knowing the infrastructure, technologies, and scope helps you craft
targeted tests and avoid wasting time on irrelevant areas.
• Deep dive: Think of recon as building a mental map of the application’s environment. The
more accurate and detailed your map, the more efficient your testing will be.

Key questions to answer:

• What’s the scope?
Clarify whether you’re testing just the main domain, subdomains, or specific endpoints. This
prevents legal issues and helps focus your efforts.
• How many subdomains?
Subdomains often host different parts of the application (e.g., API, admin panel, user portal).
Each may have unique vulnerabilities.
• What infrastructure?
Identifying whether the platform uses cloud providers (AWS, GCP), CDN services, or third-
party integrations helps anticipate common misconfigurations or vulnerabilities.
• Technologies used:
Understanding the tech stack (JavaScript frameworks, server software, databases) influences
your testing strategies. For example, knowing an app uses AngularJS can lead to specific
XSS payloads.

3. Subdomain Enumeration: Discovering Hidden Attack

Surfaces
• Why it’s important:
Subdomains can run different applications, old versions, or third-party services—each
potentially vulnerable.
• In-depth explanation:
Subdomains might be overlooked or forgotten, especially if they’re used for testing, staging,
or third-party integrations. Attackers often scan for subdomains with less security oversight.
• Tools & Techniques:
 • SubFinder:
Uses various sources like certificate transparency logs, DNS records, search engines,
and archives to find subdomains efficiently.
• Brute-force with wordlists:
Use common subdomain names (admin, dev, test, staging) combined with
permutations to uncover obscure subdomains.
• Certificate Transparency Logs:
Many websites register SSL certificates for subdomains; these logs are public and
can reveal subdomains not linked from the main site.
• SSL certificate analysis:
Use crt.sh or censys.io to find wildcard certificates (e.g., *.example.com) which
suggest a large attack surface.

Best practices:
• Cross-reference findings from different sources.
• Investigate subdomains of subdomains, e.g., api.corp.example.com.
• Be aware of wildcard certificates that cover entire subdomains (e.g., *.example.com),
as they can hide numerous subdomains.

4. Port Scanning: Identifying Running Services and Potential

Entry Points
• Why it’s critical:
Open ports indicate active services—some might be poorly configured or outdated.
• Deep explanation:
A web server running on port 80 and 443 is standard, but other open ports (like 8080, 8443,
21, 22, 3306) can host services with vulnerabilities.
• Tools & Techniques:
• Nmap:
Highly customizable, allows for detailed service detection, OS fingerprinting, and
script execution.
• Masscan:
Extremely fast, ideal for scanning large IP ranges or many subdomains quickly.
• What to look for:
• Services like Memcached, Redis, or Elasticsearch exposed to the internet.
• Outdated or unpatched services.
• Unnecessary open ports that increase attack surface.

Deep dive:
• Cluster analysis:
If many subdomains resolve to similar IP ranges (e.g., cloud providers), focus on outliers
that might be hosting different or less secure services.
• Service fingerprinting:
Use Nmap scripts to identify version numbers, which can reveal outdated or vulnerable
software.
5. Screenshot & Visual Recon: Gaining a Quick Overview
• Why:
Visual snapshots help identify signs of misconfigurations or vulnerabilities, such as
subdomain takeover risks or exposed admin pages.
• In-depth:
Screenshots allow you to see the application's UI, error messages, or default pages that may
reveal misconfigurations.
• What to look for:
• Error messages:
Indicate misconfigured DNS or vulnerable services.
• Default pages:
Such as "Apache/2.4.41" or "WordPress installation."
• Sensitive content:
Unprotected admin dashboards, user data, or test environments.
• Different application types:
Recognize frameworks or CMSs from their appearance to tailor your attack
approach.

Tools:
• HTTPScreenShot, Gowitness, Aquatone:
Automate the process of capturing and organizing screenshots for analysis.

6. Content Discovery: Digging for Hidden Files & Endpoints

• Why it’s important:
Hidden directories or files may contain sensitive data, configuration files, or endpoints
vulnerable to attack.
• Deep explanation:
Many websites have unlinked or forgotten files—old backups, admin panels, or API
endpoints—that are accessible and vulnerable.
• Methods:
• Brute-force with Gobuster, Dirb, or Burp Intruder:
Use wordlists (like SecLists) that contain common filenames and directory names.
• API endpoint discovery:
Find undocumented or hidden API paths that might be exploitable.
• Testing for server defaults:
Files like /admin, /config.php, /uploads, /backup can reveal
vulnerabilities.

Best practices:
• Focus on directories suggested by previous reconnaissance.
• Test for common security misconfigurations like directory listing or improper permissions.
7. External Research & Intelligence Gathering
• Why:
Past disclosures, CVEs, or open-source code can reveal vulnerabilities or insecure
configurations.
• Deep dive:
• Google Dorking:
Use advanced search operators to find sensitive info, exposed credentials, or
misconfigured endpoints.
• GitHub & code repositories:
Search for open repos, secrets, or sensitive code snippets.
• Past bug reports and CVEs:
Study previous vulnerabilities to identify common weaknesses or patterns.
• Exploit-DB and security blogs:
Learn about known exploits relevant to the target’s tech stack.

8. Understanding Application & Technology Stack

• Why it’s essential:
Tailoring your tests to specific frameworks increases efficiency and effectiveness.
• Deep dive:
• Use Wappalyzer or analyze network traffic to identify:
• Frontend frameworks: React, Angular, Vue.
• Backend platforms: Django, Rails, ASP.NET, Node.js.
• Middleware or third-party services: Stripe, Twilio, Cloudflare.
• Recognize patterns in URLs and responses:
• REST API structures.
• URL parameters and their typical values.
• Response headers revealing server info.

Tips:
• Knowing the stack helps predict common vulnerabilities (e.g., Rails apps often have
predictable URL patterns, ASP.NET may have specific XSS vectors).

9. Functionality Mapping & Planning

• Why:
To systematically identify potential attack vectors.
• Deep dive:
• Explore all features:
• User registration/login.
• File uploads.
• Webhook integrations.
• Admin interfaces.
• Look for markers of vulnerabilities:
• Input fields without validation.
 • API endpoints accepting user-supplied data.
• URL parameters susceptible to tampering.
• Define goals:
Decide whether you’re hunting for:
• Authentication bypass.
• IDOR (Insecure Direct Object References).
• SSRF (Server-Side Request Forgery).
• RCE (Remote Code Execution).

10. Active Application Testing

• Manual exploration:
Pretend to be a regular user or attacker.
• Payload submission:
Use crafted inputs:
• Injection payloads: <script>alert(1)</script>, ' OR '1'='1.
• Polyglot payloads: Combining different languages to test multiple injection points.
• Context-specific payloads: For example, AngularJS {{7*7}}.
• Observe responses:
Look for:
• Error messages.
• Unexpected behavior.
• Data leaks.
• Reflected or stored XSS.

Additional tips:
• Use XSS hunters like XSSer or Burp Suite Intruder to automate payload testing.
• Try to trigger blind vulnerabilities by monitoring responses or using external tools like
XSS Hunter.

11. Use of Automated Tools & Manual Focus

• Why manual is better:
Automated scanners often produce noise and false positives.
• Deep insight:
Manual testing allows you to understand the context, tweak payloads, and follow up on
interesting findings.
• Tools for automation:
• Burp Suite’s scanner (use selectively).
• Custom scripts for specific tests.
• Fuzzers for brute-force testing.

12. Reassess & Explore Further

• Revisit findings:
Check unvisited pages, hidden endpoints, or linked files.
 • Follow links suggested by proxies:
Tools like Burp can parse responses and suggest new paths.
• Test patches & fixes:
Revisit areas where vulnerabilities were previously found or suspected.

Final Thoughts & Mindset

• Approach every target with curiosity and a mindset of discovery.
• Recognize that many vulnerabilities are subtle; patience and thoroughness are key.
• Keep learning from your own experiences, community resources, and past disclosures.
By understanding each phase deeply, you develop a comprehensive, methodical approach to bug
hunting that maximizes your chances of success while continuously improving your skills.