Bug Bounty - Web Recon
Web recon playbook for single asset
Before you start
Program
Read all bug bounty program conditions, especially the FAQ section, the excluded domains and the maximum probe rate.
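The rules read in this step are easy to forget once the tooling starts. As an added example (not part of the original playbook), the helper below encodes a constructed set of program rules (in-scope wildcards, excluded domains, maximum requests per second; the hostnames and numbers are placeholders, not a real program's scope) and validates each planned target and request rate against them before any scanner is launched. Exclusions take precedence over in-scope wildcards, and a wildcard such as *.example.com is assumed not to cover the apex domain unless it is listed separately.

```python
"""Scope check helper: encode the program rules once and validate every target
and scan rate against them before any tool is pointed at the asset."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample program rules (placeholders, not a real program's scope).
SAMPLE_PROGRAM = {
    "in_scope": ["*.example.com", "api.example.net"],
    "excluded": ["mail.example.com", "*.legacy.example.com"],
    "max_requests_per_second": 5,
}


@dataclass
class ProgramScope:
    in_scope: list = field(default_factory=list)
    excluded: list = field(default_factory=list)
    max_rps: float = 1.0

    @classmethod
    def from_dict(cls, rules: dict) -> "ProgramScope":
        return cls(
            list(rules.get("in_scope", [])),
            list(rules.get("excluded", [])),
            float(rules.get("max_requests_per_second", 1.0)),
        )


def _hostname(target: str) -> str:
    """Accept a bare host, host:port or full URL and return the lowercase host."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat the first component as netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"cannot extract hostname from {target!r}")
    return host.lower().rstrip(".")


def _matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain but not the apex; others are exact."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def in_scope(scope: ProgramScope, target: str) -> bool:
    """Exclusions win over in-scope wildcards."""
    host = _hostname(target)
    if any(_matches(p, host) for p in scope.excluded):
        return False
    return any(_matches(p, host) for p in scope.in_scope)


def allowed_rate(scope: ProgramScope, requests_per_second: float) -> bool:
    """True when the planned rate is positive and within the program maximum."""
    return 0 < requests_per_second <= scope.max_rps


def check_plan(scope: ProgramScope, target: str, requests_per_second: float) -> list:
    """Return a list of violations; an empty list means the plan is allowed."""
    problems = []
    if not in_scope(scope, target):
        problems.append(f"{_hostname(target)} is not in scope (or is excluded)")
    if not allowed_rate(scope, requests_per_second):
        problems.append(
            f"rate {requests_per_second}/s exceeds program max {scope.max_rps}/s"
        )
    return problems


if __name__ == "__main__":
    scope = ProgramScope.from_dict(SAMPLE_PROGRAM)
    plans = [
        ("https://app.example.com:443/", 1),  # in scope, rate ok
        ("mail.example.com", 1),              # explicitly excluded
        ("old.legacy.example.com", 1),        # excluded by wildcard
        ("api.example.net", 20),              # in scope, rate too high
        ("example.com", 1),                   # apex not covered by *.example.com
    ]
    for target, rps in plans:
        print(f"{target:32} {check_plan(scope, target, rps) or 'ok'}")
```

Run the check once per target and feed the same rate value into the tool flags used later (Burp's resource pool, nmap's --max-rate, gobuster's --delay), so the number written in the program rules is the only place it is defined.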
Burp - Project
Create a project and set the maximum rate for the resource pool used by automated tasks.

Add the domain to the scope.
Edit the Crawl and Audit tasks and set them to use the Suite scope.

Nmap - TCP Scan
Discover server ports and platform
nmap -F -sV -sC -v domain
Perform the detailed scan with an adjusted probe speed (-T1 to -T3) or a hard packet-rate cap (--max-rate 1):
nmap -p- -sV -sC -v --max-rate 1 domain
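Writing the scan to XML (-oX) makes the result easy to record alongside the scope notes. The parser below is an added example, not part of the original playbook: it reads an nmap XML report and returns the open ports with their service names, products and versions, then singles out the HTTP and HTTPS ports that the Burp and directory-discovery steps will need. The embedded report is a constructed sample (the address 192.0.2.10 and the version strings are placeholders), not output from a real scan.

```python
"""Summarize an nmap XML report (-oX) into open ports, services and versions."""
import xml.etree.ElementTree as ET

# Constructed sample nmap XML, trimmed to the elements the parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -sC -v --max-rate 1 -oX scan.xml domain">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="domain" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else None
        address = addr_el.get("addr") if addr_el is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the platform picture
            svc = port.find("service")
            svc = svc if svc is not None else ET.Element("service")
            name = svc.get("name", "")
            # nmap reports TLS-wrapped HTTP as name="http" tunnel="ssl"; label it https
            if name == "http" and svc.get("tunnel") == "ssl":
                name = "https"
            results.append({
                "host": hostname or address,
                "address": address,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
            })
    return sorted(results, key=lambda r: (r["host"] or "", r["port"]))


def web_targets(results: list) -> list:
    """URLs for the HTTP/HTTPS services found, for the browser and discovery steps."""
    urls = []
    for r in results:
        if r["service"] in ("http", "https"):
            urls.append(f"{r['service']}://{r['host']}:{r['port']}/")
    return urls


if __name__ == "__main__":
    open_ports = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in open_ports:
        print(f"{r['port']:>5}/{r['proto']}  {r['service']:<6} {r['product']} {r['version']}".rstrip())
    print("web targets:", web_targets(open_ports))
```

To use it on a real report, read the file produced by -oX and pass its contents to parse_nmap_xml; the filtered port in the sample shows that only ports whose state is open are kept.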
Browser
robots.txt
Check app/domain/robots.txt.
Web Server
Fingerprint the web server and any web cache in front of it.
Send a nonsense HTTP method and protocol version; the error response often identifies the server.
Path traversal
Host header injection - different domain, IP, multiple host headers
Directory & URI - Discovery
gobuster dir -t 1 --delay 1s --url https://domain:443 -k --wildcard -b 404,401 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
App
Review the HTML source, the page title and the comments.