Bug Bounty - Web Recon

Web recon playbook for single asset

Before you start

Program

Read all bug bounty program conditions, especially FAQ section, excluded domains and max probe rate.

Burp - Project

Create project and set max rate for resource pool (automated tasks).

Add the domain to the scope

Edit Craws and Audit tasks and set Suited scope

Nmap - TCP Scan

Discover server ports and platform

nmap -F -sV -sC -v domain

Perform the detailed scan with adjusted probe speed (T1-T3) or (--max-rate 1)

nmap -p- -sV -sC -v --max-rate 1 domain

Browser

robots.txt

This can app/domain /robots.txt

Web Server

Fingerprint the webserver / web cache

Nonsense method, proto version

Path traversal

Host header injection - different domain, IP, multiple host headers

Directory & URI - Discovery

gobuster dir -t1 --delay 1s --url fdomain:443 -k --wildcard -b 404,401 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

App

review HTML, title & comments