Bug Bounty - Web Recon
Web recon playbook for single asset
Read all bug bounty program conditions, especially the FAQ section, excluded domains and max probe rate.
Create a project and set the max rate for the resource pool (automated tasks).
Add the domain to the scope
Edit the Crawl and Audit tasks and set them to Suite scope
Discover server ports and platform
Perform a detailed scan with adjusted probe speed (T1-T3) or (--max-rate 1)
This can app/domain /robots.txt
Fingerprint the webserver / web cache
Nonsense method, protocol version
Path traversal
Host header injection - different domain, IP, multiple host headers
Review HTML, title & comments
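The fingerprinting probes listed above (nonsense method, protocol version, path traversal, Host header variations) are easy to recognise on the receiving side. The following is an added example, not part of the original playbook: a small classifier that labels those probes in raw HTTP/1.x request heads. The allowed methods and versions, the label names, the `app.example.test` hostname and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy for this sketch: methods and versions the application expects.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
# A ".." path segment, plain or percent-encoded, delimited by / or \ (or their encodings).
TRAVERSAL = re.compile(r"(?:^|/|%2f|\\|%5c)(?:\.|%2e){2}(?:/|%2f|\\|%5c|$)", re.I)

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def classify_request(raw: bytes, expected_hosts: set) -> list:
    """Return labels for the checklist's probes found in one raw HTTP/1.x request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, target, version = parts
    findings = []
    if method not in KNOWN_METHODS:
        findings.append("nonsense-method")
    if version not in KNOWN_VERSIONS:
        findings.append("odd-proto-version")
    if TRAVERSAL.search(target.split("?", 1)[0]):  # inspect the path, not the query
        findings.append("path-traversal")
    hosts = [l.split(":", 1)[1].strip().lower()
             for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) > 1:
        findings.append("multiple-host-headers")
    for host in hosts:
        name = re.sub(r":\d+$", "", host)  # drop an optional port
        label = "ip-host" if is_ip(name) else "unexpected-host"
        if (is_ip(name) or name not in expected_hosts) and label not in findings:
            findings.append(label)
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
    "method": b"ASDF / HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
    "version": b"GET / HTTP/9.9\r\nHost: app.example.test\r\n\r\n",
    "traversal": b"GET /static/%2e%2e/%2e%2e/config HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
    "hosts": b"GET / HTTP/1.1\r\nHost: app.example.test\r\nHost: other.example.test\r\n\r\n",
    "ip": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}
```

Call `classify_request(SAMPLES["hosts"], {"app.example.test"})` to see the labels for one request; an empty list means none of the listed probes were seen.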