
Beginner friendly bug bounty/OffSec methodology



When doing bug bounties/offensive security testing, I've found that it can be really useful to have an uncomplicated methodology to at least start on, so I've put together one that I think is pretty beginner friendly if you're just starting on bug bounties, or can be adapted to fit your needs if you have more experience. This is, naturally, for educational purposes only, and I'm not responsible if you're foolish enough to break the law.

- Find a note taking app you like; I can't stress how important it is to be able to keep track of what you've found

- Start by finding the autonomous systems number (ASN) for your target (this can be done using http://bgp.he.net)

- Find all the IP addresses associated with the ASN (this can be done using http://asnlookup.com)

- Now that you have a list of IP addresses, you can perform a reverse WHOIS scan (this can be done using http://whoxy.com)

- You should also consider doing a reverse IP lookup using https://reverseip.domaintools.com

- Now that you have all this data, you can try to find some juicy information on the target - I suggest using DomLink (check out the GitHub repo at https://github.com/vysecurity/DomLink)

- Pass the domains that you've found through Dehashed to see if there's any credentials you can make use of (this mostly applies to penetration tests rather than bug bounties)

- Hop on https://shodan.io and see if it gives you any interesting information on the IPs you found

- You now probably have loads of information at your fingertips, but fear not, we're not done yet!

- You're now going to want to find all the subdomains you can... there are three main ways of doing this: manually, enumeration, and brute forcing (I suggest doing all three!)

- To do it manually, Google dorks are your best friend... you can use the dork: site:target.com -www.target.com

- For enumeration, I suggest using sublist3r (clone the GitHub repo at https://github.com/aboul3la/Sublist3r.git)

- For the brute forcing method, OWASP has a pretty good tool called Amass (https://github.com/OWASP/Amass)

- Ok, now that we have all these subdomains, we have two main recon steps left before we get to finding vulnerabilities

- Scan everything you found that you think could be interesting with a tool like nmap (depending on your needs, you may decide to use something else, like naabu, but that's up to your needs)

- Ok, now that you have a list of services and ports from nmap, you're going to want to store those away and start trying to find some juicy information within the target's directories

- If you decide to go down the manual route for this, https://exploit-db.com has great dorks for finding juicy information

- And if you want to go down the less granular route (I'd once again suggest doing both) then dirbuster is your friend!

- Ok, now we get to finding vulnerabilities!

- My first step is to run the juiciest subdomains through the XSS vulnerability scanners XSStrike (https://github.com/s0md3v/XSStrike) and toxssin (https://github.com/t3l3machus/toxssin)

- You can also test for subdomain takeover using https://github.com/EdOverflow/can-i-take-over-xyz

- I'd also suggest running some vulnerability scans using Nuclei to find CVEs

- You can run more scans using all the hundreds of tools available on things like Kali or Parrot, but I'm not going to go over all of those; after all, give a person a fish, and they'll eat for a day, but teach a person to fish and they'll never go hungry; this methodology is just a starting point for you to alter and expand on depending on what you need!

- You can then use BurpSuite, but people have already published far better guides to that (check out John Hammond on YouTube for a great tutorial)


That's it! I apologize for the length, but I hope some people may find this little beginner's OffSec guide useful! If you have any other nifty little things to add, please do!

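The post's first step (keep notes) and its nmap step (store the services and ports away) are where beginners usually lose track of what they found. The script below is an added example, not code from the post or from any of the tools it links: it takes the raw hostnames/IPs you pasted from the ASN, reverse WHOIS, reverse IP and subdomain lookups, normalizes and dedupes them, parses an `nmap -oG` (grepable) run into a per-host port inventory, and flags any scanned IP that never appeared in your asset list, which is the quickest way to notice that a scan drifted outside the target you wrote down. All input data is constructed; the asset file format (one host per line, `#` comments) is this example's own convention.

```python
"""Consolidate recon findings into structured notes (added example, not the post's code)."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample: raw results pasted from the lookups described in the post.
SAMPLE_ASSETS = """
# reverse WHOIS output (constructed)
example.com
dev.example.com
Example.COM
# reverse IP lookup (constructed)
192.0.2.10
192.0.2.10
shop.example.com
# subdomain enumeration output (constructed)
api.example.com
www.example.com
not a hostname!
"""

# Constructed sample of `nmap -oG` grepable output (fields are tab separated).
SAMPLE_NMAP_GREPABLE = """
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 8080/open/tcp//http-proxy///, 25/filtered/tcp//smtp///
# Nmap done (constructed sample)
"""

# RFC-1123-style hostname: labels of letters/digits/hyphens, letters-only TLD.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# nmap -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def classify_asset(token: str):
    """Return ('ip', normalized), ('domain', normalized) or (None, token) for one pasted line."""
    token = token.strip().lower()
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        pass
    if HOSTNAME_RE.match(token):
        return "domain", token
    return None, token


def consolidate_assets(text: str) -> dict:
    """Dedupe and normalize raw lookup output into sorted IP and domain lists plus rejects."""
    ips, domains, rejected = set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = classify_asset(line)
        if kind == "ip":
            ips.add(value)
        elif kind == "domain":
            domains.add(value)
        else:
            rejected.append(value)  # keep rejects visible rather than silently dropping them
    return {"ips": sorted(ips, key=ipaddress.ip_address), "domains": sorted(domains), "rejected": rejected}


def parse_nmap_grepable(text: str) -> dict:
    """Parse `nmap -oG` output into {ip: {'hostname': str, 'ports': [port dicts]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and anything that is not a Host: record
        ip, hostname = match.groups()
        entry = hosts[ip]
        if hostname:
            entry["hostname"] = hostname
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # e.g. the "Status: Up" line carries no port data
        for num, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            entry["ports"].append({"port": int(num), "proto": proto, "state": state,
                                   "service": service, "version": version.strip()})
    return dict(hosts)


def build_notes(assets_text: str, nmap_text: str) -> dict:
    """Combine the asset list and scan results and cross-check them against each other."""
    assets = consolidate_assets(assets_text)
    scan = parse_nmap_grepable(nmap_text)
    return {
        "assets": assets,
        "scan": scan,
        "ips_not_yet_scanned": [ip for ip in assets["ips"] if ip not in scan],
        # Anything here was scanned but never recorded as part of the target: check it.
        "scanned_ips_not_in_asset_list": [ip for ip in scan if ip not in assets["ips"]],
    }


if __name__ == "__main__":
    print(json.dumps(build_notes(SAMPLE_ASSETS, SAMPLE_NMAP_GREPABLE), indent=2))
```

The JSON it prints pastes straight into whatever note-taking app you settled on in step one. The port regex assumes the standard seven-field `-oG` layout, so a version string containing a `/` would need escaping before it parses cleanly.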

Nice set of steps, but I wouldn't label this as bug bounty in my opinion.

Anyway, it's a cool path to follow when starting from scratch towards a target. Thank you for sharing.

