# Exploring Bugs? A Comprehensive Guide to Recon for Bug Bounty
Hello Everyone,
The prior blog and video on reconnaissance were well-received, so I am excited to present the second part of the Recon Methodology.
For those who prefer visual content, I have also created a YouTube video that showcases the processes involved, so be sure to check it out.
I want to clarify that I am not a seasoned bug bounty hunter; I write these articles to share insights I wish I had when starting my journey. My aim is to make the field of cybersecurity more accessible for newcomers.
Now, let's dive into our main focus: Content Discovery. This is a crucial aspect of identifying bugs.
Content discovery is essential for uncovering hidden endpoints or files. Many people tend to use tools like ffuf or gobuster, simply inputting the website and launching a brute force attack with a default wordlist. While this approach isn't incorrect, it's common enough that the chances of discovering something unique are slim.
In our previous blog, we identified various subdomains and highlighted the noteworthy ones. Now, we will select specific subdomains to target for brute forcing.
Note: Always review the bug bounty program’s guidelines before employing automated scanners to ensure compliance.
There are numerous tools available for directory brute forcing, including:
- dirb
- dirbuster
- ffuf
- gobuster
Currently, FeroxBuster stands out as the fastest option.
For more details, you can check out the GitHub page for FeroxBuster:
GitHub - epi052/feroxbuster: A fast, simple, recursive content discovery tool written in Rust.
This tool features a recursive option that automatically detects subdirectories when a directory is found, which can be quite advantageous.
## Installation

```bash
sudo apt update && sudo apt install -y feroxbuster
```

## Usage

```bash
feroxbuster -u https://target.com
```
There are many additional options available; refer to the documentation or my YouTube video for a demonstration.
Once you have installed the tool and selected the subdomain for directory searches, the next step involves gathering more information about the website, such as the technologies in use. This will help you choose a more appropriate wordlist for brute forcing.
You can utilize Wappalyzer for this purpose.
Find out what websites are built with - Wappalyzer
Instead of relying on a generic wordlist for all websites, you can select a wordlist tailored to the specific technology of the website.
Here are some useful wordlists:
- Seclists
GitHub - danielmiessler/SecLists: A collection of multiple types of lists used during security testing.
This repository contains various wordlists for specific needs. For instance, you can find wordlists for APIs, CGI scripts, common PHP filenames, and much more.
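To make the brute-forcing step concrete, here is a small content-discovery engine written for this post (it is not feroxbuster's code). It shows the two things a wordlist scan has to get right that the paragraphs above only hint at: a "not found" baseline so that sites which answer every unknown path with a 200 (a soft 404) do not turn the whole wordlist into hits, and recursion into discovered directories, which is what feroxbuster's recursive option automates. The `fetch` callback, the `target.example` host, the fake site contents and the wordlist are all assumptions constructed for the example.

```python
"""Minimal recursive content discovery with soft-404 filtering.

Added example for this post; it is not feroxbuster's code. The `fetch`
callback is an assumption: it takes a URL and returns (status_code, body_length)
so the engine can be driven by a real HTTP client or, as below, by a constructed
fake site for offline testing.
"""
import secrets
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, int]]


def not_found_baseline(fetch: Fetch, root: str) -> Tuple[int, int]:
    """Request a path that cannot exist to learn what 'not found' looks like here.

    Many sites answer unknown paths with 200 and a generic page (a soft 404).
    Brute forcing without this baseline reports every word as a hit.
    """
    return fetch(f"{root}/{secrets.token_hex(8)}")


def discover(fetch: Fetch, base: str, words: List[str], depth: int = 2) -> Dict[str, int]:
    """Return {url: status} for paths whose response differs from the baseline.

    A 301/302 on a bare name is treated as 'this is a directory' and is
    recursed into, mirroring feroxbuster's recursive mode, up to `depth` levels.
    """
    found: Dict[str, int] = {}
    queue: List[Tuple[str, int]] = [(base.rstrip("/"), 0)]
    while queue:
        root, level = queue.pop(0)
        # Baseline per directory: soft-404 pages can differ from level to level.
        nf_status, nf_len = not_found_baseline(fetch, root)
        for word in words:
            url = f"{root}/{word}"
            status, length = fetch(url)
            if status == 404 or (status, length) == (nf_status, nf_len):
                continue  # real 404, or indistinguishable from the soft-404 page
            found[url] = status
            if status in (301, 302) and level + 1 < depth:
                queue.append((url, level + 1))
    return found


# Constructed fake site used for the stand-alone demo (no network needed).
FAKE_SITE = {
    "https://target.example/admin": (301, 0),
    "https://target.example/admin/login": (200, 2048),
    "https://target.example/robots.txt": (200, 60),
}
WORDS = ["admin", "login", "robots.txt", "backup"]


def fake_fetch(url: str) -> Tuple[int, int]:
    """Unknown paths get a 200 soft-404 page of fixed size, like many real sites."""
    return FAKE_SITE.get(url, (200, 1234))


if __name__ == "__main__":
    for url, status in discover(fake_fetch, "https://target.example", WORDS).items():
        print(status, url)
```

The exact-length comparison is deliberately simple; real tools compare response similarity, because soft-404 pages that echo the requested path differ by a few bytes per word. The point to take away is that the baseline request, not the wordlist, is what keeps the results meaningful.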
Additionally, here are some other helpful repositories:
## Finding Parameters
There are tools available to help you search for parameters within web applications, which can be beneficial for identifying common vulnerabilities such as open redirects, XSS, and IDORs.
One such tool is Arjun.
GitHub - s0md3v/Arjun: HTTP parameter discovery suite.
## Installing Arjun

You can install Arjun using pip:

```bash
pip3 install arjun
```
The parameters you discover can be input into various tools. For example, for XSS testing, you could use KXSS.
GitHub - Emoe/kxss: An adaptation of tomnomnom's kxss tool with a different output format.
## JS Files
Examining JavaScript files is crucial, as developers may inadvertently leave sensitive information such as credentials or API keys within them. Additionally, this can aid in locating website endpoints.
To find JavaScript files, you can use Katana.
GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.
```bash
# -jc parses endpoints out of JavaScript, -d 2 limits crawl depth.
# Match a literal ".js" (optionally followed by a query string) and
# deduplicate with sort -u; "uniq" before "sort" misses non-adjacent repeats.
katana -u https://target.com -jc -d 2 | grep -E '\.js(\?.*)?$' | sort -u > js.txt
```
After obtaining the JavaScript files, you can analyze them manually or use tools designed for this purpose. For instance, to detect secret API keys in JavaScript files, you can use this tool.
GitHub - m4ll0k/SecretFinder: A Python script for identifying sensitive data (API keys, access tokens, JWTs, etc.) in JavaScript files.
```bash
# Read each URL from js.txt; quote "$url" so query strings and special characters survive.
while read -r url; do python3 SecretFinder.py -i "$url" -o cli >> secrets.txt; done < js.txt
```
To find URLs:
GitHub - nahamsec/JSParser
To identify endpoints:
GitHub - GerbenJavado/LinkFinder: A Python script that finds endpoints in JavaScript files.
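What these tools do under the hood is pattern matching, and knowing the patterns makes it easier to review their output and to extend them for a target's own key formats. The block below was written for this post as a compact illustration of that idea; it is not SecretFinder's or LinkFinder's code. `SAMPLE_JS` is a constructed snippet: the AWS value is the example key from AWS's own documentation and the Google-format value is made up, so neither is a live credential. The rule names, the static-asset filter and the generic assignment pattern are assumptions for the example.

```python
"""Regex triage of a JavaScript file for secrets and endpoints.

Added example for this post; it is not SecretFinder's or LinkFinder's code,
only the same idea in a few lines. SAMPLE_JS is a constructed snippet; the
key values in it are AWS's documented example key and a made-up string in
Google API key format, not real credentials.
"""
import re
from typing import List, Tuple

SAMPLE_JS = r"""
const config = { apiKey: "AIzaSyA-FAKE-EXAMPLE-KEY-0123456789abcd", region: "us-east-1" };
var AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
fetch("/api/v1/users/" + id).then(r => r.json());
axios.post('/api/v1/admin/export', data);
const img = "/static/logo.png";
"""

# Provider-specific formats are matched by shape; the generic rule catches
# assignments such as apiKey: "..." regardless of the value's format.
SECRET_PATTERNS = {
    "aws_access_key_id": r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b",
    "google_api_key": r"\bAIza[0-9A-Za-z_-]{35}\b",
    "generic_assignment": r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{8,})['"]""",
}

# Quoted absolute paths; static assets are filtered so the list holds endpoints, not images.
PATH_PATTERN = re.compile(r"""['"](/[A-Za-z0-9_./-]+)['"]""")
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".js", ".woff", ".woff2", ".ico")


def find_secrets(js: str) -> List[Tuple[str, str]]:
    """Return (rule_name, value) pairs; one value may hit more than one rule."""
    hits: List[Tuple[str, str]] = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in re.finditer(pattern, js):
            hits.append((name, m.group(1) if m.lastindex else m.group(0)))
    return hits


def find_endpoints(js: str) -> List[str]:
    """Return quoted paths in first-seen order, without duplicates or static assets."""
    seen: List[str] = []
    for m in PATH_PATTERN.finditer(js):
        path = m.group(1)
        if path.lower().endswith(STATIC_EXT) or path in seen:
            continue
        seen.append(path)
    return seen


if __name__ == "__main__":
    for rule, value in find_secrets(SAMPLE_JS):
        print(f"[{rule}] {value}")
    for path in find_endpoints(SAMPLE_JS):
        print(f"[endpoint] {path}")
```

The generic rule is where the false positives come from (any string called `token` matches), so in a review pass treat provider-format hits as high confidence and generic hits as leads to verify. Endpoints built by string concatenation, such as `"/api/v1/users/" + id`, show up as their literal prefix, which is still enough to know the route exists.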
## Functionality Mapping
The final aspect of my reconnaissance process sets the stage for the next steps, which will be covered in the upcoming blog.
When you select a website to target, interact with it as a typical user would. Explore all features while keeping Burp Suite running to document your actions. After gaining a basic understanding of the website's functionality and data flow, begin thinking like an attacker. Create a list of the website's functionalities. For example, consider the features available on Tumblr.
That's a wrap for this blog. In the next installment, we will explore how to leverage this information to identify potential vulnerabilities.
Feel free to connect with me on:
- Email: [email protected]
# Thank you for reading until the end
If you found this content helpful, please consider following and liking it.
You can also support my work at buymeacoffee.com.
Om Arora: Hey, I am Om, a cybersecurity enthusiast and an 18-year-old student pursuing a BTech degree.