# Bug Bounty - Web Recon

## Before you start

### Program

{% hint style="warning" %}
Read all bug bounty program conditions, especially the FAQ section, the excluded domains and the **max probe rate.**
{% endhint %}

### Burp - Project

Create a project and set the max rate for the resource pool used by automated tasks.

![](https://1354665097-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYLPTPmXutfLTHzDEhx%2F-McVVfPyzRF9qEe60bol%2F-McVWp5_6YXMfMxPKgEG%2Fimage.png?alt=media\&token=b6e0d7a7-eedc-459d-8210-4f5c84473b7d)

Add the domain to the scope.

Edit the Crawl and Audit tasks and set their scope to the suite scope.

![](https://1354665097-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MYLPTPmXutfLTHzDEhx%2F-McVYKeyXuD3jM3rSCg6%2F-McVYkF8gyMuIP_EPXT4%2Fimage.png?alt=media\&token=31245d0b-48f1-4e9d-be03-b5d6b68ed507)

## Nmap - TCP Scan

Discover open ports and the server platform:

```
nmap -F -sV -sC -v domain
```

Perform the detailed scan with an [adjusted probe speed](https://nmap.org/book/man-performance.html) (`-T1` to `-T3`) or `--max-rate 1`:

```
nmap -p- -sV -sC -v --max-rate 1 domain
```
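Adding `-oX scan.xml` to either command above writes the same results as XML, which is easier to keep per target than terminal output. The parser below is an added example, not part of the original page; the XML embedded in it is a constructed sample that follows the structure of nmap's report, and `domain` and the address are placeholders.

```python
"""Parse nmap XML output (nmap ... -oX scan.xml) into a list of open ports.

Added example, not from the original page. SAMPLE_NMAP_XML is constructed
to mirror nmap's report structure; load_open_ports() reads a real -oX file.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the parts of an nmap XML report that matter here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -F -sV -oX - domain">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="domain" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per open port: host, addr, port, protocol, service, product, version."""
    root = ET.fromstring(xml_text)
    results: List[Dict[str, object]] = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name", addr) if name_el is not None else addr
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed and filtered ports
            svc = port.find("service")
            results.append({
                "host": hostname,
                "addr": addr,
                "port": int(port.get("portid", "0")),
                "protocol": port.get("protocol", ""),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return results


def load_open_ports(path: str) -> List[Dict[str, object]]:
    """Parse a report written with nmap -oX <path>."""
    with open(path, encoding="utf-8") as fh:
        return parse_open_ports(fh.read())


if __name__ == "__main__":
    for rec in parse_open_ports(SAMPLE_NMAP_XML):
        line = f"{rec['host']} {rec['port']}/{rec['protocol']} {rec['service']} {rec['product']} {rec['version']}"
        print(line.rstrip())
```

Filtered ports are dropped on purpose: with `--max-rate 1` a no-response port is just as likely to be a slow path as a firewall, so only `open` is recorded as a finding.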

## Browser

### robots.txt

Check `app/domain/robots.txt` for paths the site asks crawlers not to index.
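A small parser makes the `Disallow` entries easy to diff across hosts and between visits. The code below is an added example, not from the original page; the robots.txt body inside it is constructed, and `domain` is a placeholder.

```python
"""Parse a robots.txt body into per-user-agent Allow/Disallow rules and sitemaps.

Added example, not from the original page. SAMPLE_ROBOTS is a constructed
robots.txt; parse_robots() follows the grouping rule from RFC 9309
(consecutive User-agent lines share the rules that follow them).
"""
from typing import Dict, List

SAMPLE_ROBOTS = """# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /internal/reports   # trailing comment
Allow: /internal/public
Sitemap: https://domain/sitemap.xml

User-agent: Googlebot
Disallow:
"""


def parse_robots(text: str) -> Dict[str, object]:
    """Return {'rules': {agent: {'allow': [...], 'disallow': [...]}}, 'sitemaps': [...]}."""
    rules: Dict[str, Dict[str, List[str]]] = {}
    sitemaps: List[str] = []
    group: List[str] = []   # user-agents the rules that follow apply to
    in_rules = False        # True once the current group has seen a rule line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # first ':' only, so URLs survive
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:                      # a User-agent after rules starts a new group
                group, in_rules = [], False
            group.append(value)
            rules.setdefault(value, {"allow": [], "disallow": []})
        elif key in ("allow", "disallow"):
            in_rules = True
            if value:                         # an empty Disallow permits everything
                for agent in group:
                    rules[agent][key].append(value)
        elif key == "sitemap":
            sitemaps.append(value)
    return {"rules": rules, "sitemaps": sitemaps}


def disallowed_for(parsed: Dict[str, object], agent: str = "*") -> List[str]:
    """Paths the given agent is asked not to fetch, falling back to the '*' group."""
    rules = parsed["rules"]
    entry = rules.get(agent) or rules.get("*") or {"disallow": []}
    return list(entry["disallow"])


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for path in disallowed_for(parsed):
        print("disallowed:", path)
    for url in parsed["sitemaps"]:
        print("sitemap:", url)
```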

### Web Server

Fingerprint the web server and the web cache.

Send a nonsense HTTP method and protocol version and compare the error responses.

Path traversal

Host header injection: a different domain, an IP address, and multiple Host headers.
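Each of those Host header variants is a finding only when the application trusts whatever arrives in the header (for example, to build absolute URLs or reset links). The server-side fix is a strict allow-list, and the function below is an added example of one, not code from the original page; the allowed hostnames and the request headers in the usage are constructed. Headers are modelled as a list of (name, value) pairs so that duplicate Host headers remain visible.

```python
"""Server-side Host header allow-listing.

Added example, not from the original page. ALLOWED_HOSTS and ALLOWED_PORTS are
constructed placeholders for the application's canonical names and ports.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

ALLOWED_HOSTS: Set[str] = {"domain", "www.domain"}   # constructed
ALLOWED_PORTS: Set[Optional[int]] = {None, 443}       # None = no explicit port


def validate_host(headers: List[Tuple[str, str]],
                  allowed_hosts: Set[str] = ALLOWED_HOSTS,
                  allowed_ports: Set[Optional[int]] = ALLOWED_PORTS) -> Tuple[bool, str]:
    """Return (True, canonical host) or (False, reason).

    Rejects missing or duplicated Host headers, IP literals, unknown names and
    unexpected ports, which covers the three variants listed on the page.
    """
    hosts = [v for (n, v) in headers if n.lower() == "host"]
    if not hosts:
        return False, "missing Host header"
    if len(hosts) > 1:
        return False, "multiple Host headers"   # ambiguous: never pick one
    raw = hosts[0].strip()

    # Split host and port; IPv6 literals are bracketed, e.g. [2001:db8::1]:443
    if raw.startswith("["):
        host, _, rest = raw[1:].partition("]")
        port_str = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port_str = raw.partition(":")

    port: Optional[int] = None
    if port_str:
        if not port_str.isdigit():
            return False, "malformed port"
        port = int(port_str)

    host = host.lower().rstrip(".")             # case and trailing-dot normalisation
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"  # the app is never addressed by IP
    except ValueError:
        pass

    if host not in allowed_hosts:
        return False, f"host {host!r} not in allow-list"
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    return True, host


if __name__ == "__main__":
    # Constructed requests covering the variants from the page.
    samples = [
        [("Host", "domain")],
        [("Host", "evil.example")],
        [("Host", "203.0.113.10")],
        [("Host", "domain"), ("Host", "evil.example")],
    ]
    for hdrs in samples:
        print(hdrs, "->", validate_host(hdrs))
```

Returning a reason rather than just a boolean is deliberate: logging it gives the SOC a clean signal for each variant (duplicate Host, IP literal, unknown name) instead of a generic 400.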

## Directory & URI - Discovery

```
gobuster dir -t 1 --delay 1s --url https://domain -k --wildcard -b 404,401 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```

## App

Review the HTML source, the page title and the comments.
