Bug Bounty Tips & Tricks

Collection of Bug Bounty tips & tricks I have discovered and/or read on Twitter. Little bit of an overlap with web application testing but less vulnerability focused.
  1. 1.
    When crawling a target and observing the "node_modules" directory, make sure to verify each one of those modules being used has a public namespace associated with it (dependency confusion).
  2. 2.
    Leverage xmlrpc.php with the command to discover a sites Origin IP address. Then supply it in the Host: header to bypass an in place rate limit.
  3. 3.
    Use one of the following extensions to open several URLs in your browser (ultimately adding them to your Interception Proxy), this can be better than using EyeWitness when there's redirect/CDN issues:
  4. 4.
    Configure Burp to display "hidden fields in forms" during proxying.
  5. 5.
    Create your own wordlists. Use SecLists as a starting point and leverage personal research + GAP to create personal and customized wordlists. This is your secret sauce during engagements.
  6. 6.
    /.well-known/apple-app-site-association often times contains "weird" endpoints specified by a developer.
  7. 7.
    Refer to the following tweet from Jason Haddix on exploring parameter fuzzing using ffuf: (can also use these wordlists with param miner)
  8. 8.
    Great general bug bounty methodology on using OpenList, GAP, and Burp Suite:​
  9. 9.
echo "" | subjs | while read -r url; do jsluice urls -R "$url" <(curl -sk "$url"); done | jq -r '.url' |qsreplace -a
Chain with the following to identify potential XSS vulnerabilities:
cat sub_root.txt | subfinder -silent | dnsx -silent | httpx -silent | subjs | while read -r url; do jsluice urls -R "$url" <(curl -sk "$url"); done | jq -r '.url' | qsreplace -a | grep = | kxss
  1. 10.
    One liner for sorting per vulnerability with tomnomnom's gf tool:
cat url_queries.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | tee xssout.txt
  1. 11.
    One liner for automating testing for blind xss using dalfox, note, should be paired with the command above:
dalfox file xssout.txt -b <blindXSSpayload> -o dalfox.txt
  1. 12.
    One liner for reconaissance, hosts.txt should be full of all subdomains identified, we will then ultimately grep out all URLs and paths for further fuzzing with ffuf after:
cat hosts.txt | gospider -S - --depth 1 -v -t 50 -war -c 10 -o output
cd output
cat * | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u > endpoints.txt
cat endpoints.txt | python3 -s -o dirs.txt
  1. 13.
    Proxy your tooling through BurpSuite for better results. For example, proxying GoSpider: gospider -S live-urls -a -w -r --sitemap -c 20 -d 8 -p