What is a Bug Bounty?:
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
These are some useful tools & tips:YouTube Channels Recommended Skills:
Linux basics, Networking basics, programming
Basic idea about the HTTP protocols and its headers(Request and Response) Burpsuite , Metasploit , SqlMap , Nmap , etc.
Choosing a Target:
Bug Bounty Platforms
- Bugcrowd
- Hackerone
- Synack
- Japan Bug bounty Program
- Cobalt
- Zerocopter
- Hackenproof
- BountyFactory
- Bug Bounty Programs List
Have a Target, Now what?
If you have chosen your target, then you should start finding the subdomain of the target. or we can start with the IP blocks of the targets which we can get from the ASN (some of the websites are mentioned in below)
Why do we need subdomain?
Sometimes targeting the main domain is not possible to find bugs which will cause frustration to the beginners. Because the top or other researchers are already found and reported the bugs to the target. For newbie should start with the other subdomains. (its true that most common vulnerabilities are already reported by the researcher so keep in mind that we have to find a unique target and unique bug.)
How to find Sub-domains?
Small list of tools (many more available) You can also find sub-domain via online recon tools
- Virustotal ( Use its API in tools)
- Dnsdumpster
- Findsubdomains
- Pentest-tools
- Hackertarget
Go to this link to learn about some basics to advance concepts of Subdomain takeover vulnerability. https://github.com/EdOverflow/can-i-take-over-xyz
Discovering Target Using ASN (IP Blocks): https://whois.arin.net/ui/query.do
Discovering Target Using Shodan: https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22
Brand / TLD Discovery: This will increase the target scope by searching for a Acquisition of a target Acquisition — -> crunchbase, wikipedia link discovery — ->burp spidering weighted& reverse tracker → domlink, builtwith
- Trademark In Google: ” “Tesla © 2018” “Tesla © 2019” “Tesla © 2020” inurl:tesla
- Subfinder
- Gobuster
- Aquatone
Here you can find the original scripts https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration Note: Kindly replace the API key used inside the scripts which may be an invalid which results in less amount of subdomains (I recommend to use virustotal API key)
Presentation:
- Subdomain Enumeration with the SPF record
- Using CSP
- DNSrecon
- ALTDNS
- Zone transfer using dig
- DNSSEC
- Zone walking NSEC — LDNS
Port Scanning:
The port scanning is very important to find the target which is running in non-standard or standard ports. For port scanning I have used NMAP and Masscan and Aquatone scan. Then the researcher will start checking for sub-domain takeover vulnerability once they found sub-domains which running on the standard or non-standard ports.
- Enumerating Targets(Port Scanning)
- NMAP
- Visual Identification
Parsing JavaScript:
Parsing JS is very useful to find the directories which is used by the target. we can use these type of tools instead of brute-forcing the directory list on the target Note: Brute-Forcing of directory also good thing to do. Always use the multiple techniques to find the directory from the targets(I found Hotsar Aws Credentials with Directory Buster & Burp Intruder)
- linkfinder
- DIRsearch
- Dirb
- Content Discovery: “ Gobuster”
- Credential Bruteforce: “BrutesprayBrutespray”
Technology Identification and Vulnerability findings:
Here I used Wappalyzer available add-ons on for many browsers. Whatweb tool also I used to find the technologies they used on the target. The following tools to find technologies and technology-based vulnerabilities on the target.
This is just a very brief intro to new members interested in learning more about bug bounties