Hi Friends #bugbountytips #recon #bugbountytip

Here is a good thread by my brother @tabaahi_

Besides this, I am also going to share my old notes on recon, which I shared in the past, but am sharing again.

Below is the thread 🧵🧵🧵🧵
1. Finding all subdomains -> amass + assetfinder + findomain + subfinder + github-subdomains

2. Sort and unique, i.e. merge them into all-subdomains.txt

3. Resolve those subdomains: is the IP/domain live?

4. Check for alive subdomains -> httpx or httprobe -> prefer httpx
5. Got live HTTPS subdomains -> arrange them by status code, like 200, 302, 403, 404, 500

6. Visual recon on these subdomains -> gowitness, eyewitness, aquatone

7. Port scans on these subdomains -> naabu + nmap

8. Content discovery on them -> ffuf, wfuzz, dirsearch, gobuster
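An added example (not from the thread) of what steps 2 and 5 look like when scripted: it merges the raw output of several subdomain tools into one clean, in-scope, deduplicated list, then buckets httpx-style "url [status]" lines by status code. The example.com scope, the function names and every sample line are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Step 2: merge raw subdomain output from
# several tools into one clean, in-scope, deduplicated list. Tool output is
# messy: mixed case, trailing dots, "*." wildcard entries, amass-style
# "name --> related" lines, full URLs, and out-of-scope hosts that merely
# contain the root name. Step 5: bucket httpx-style "url [code]" lines by
# status code. All sample input is constructed.

# normalize_subdomains ROOT: read candidate names on stdin, print clean
# hostnames that are ROOT or end in ".ROOT", one per line, sorted and unique.
normalize_subdomains() {
    root_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep
    tr '[:upper:]' '[:lower:]' \
      | sed -E 's/^[[:space:]]+//; s/[[:space:]].*$//' \
      | sed -E 's#^https?://##; s#/.*$##' \
      | sed -E 's/^\*\.//; s/\.$//' \
      | grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' \
      | grep -E "(^|\.)${root_re}\$" \
      | LC_ALL=C sort -u
}

# status_bucket CODE: from "url [code]" lines (httpx -status-code style),
# print only the URLs that returned CODE.
status_bucket() {
    grep -E "\[$1\]\$" | sed -E 's/ *\[[0-9]+\]$//'
}

# Constructed sample: what a cat of several tools' output might look like.
sample_raw() {
    printf '%s\n' \
        'WWW.Example.com' \
        '*.dev.example.com' \
        'www.example.com.' \
        'api.example.com --> cname' \
        'example.com' \
        'evil-example.com' \
        'https://shop.example.com/login' \
        'example.com.attacker.net' \
        'api.example.com'
}

# Stand-alone demo: prints the five in-scope hosts.
sample_raw | normalize_subdomains example.com
```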
Now, we need to check the following things ->

9. What server is used by the targets?

10. What libraries & languages are used by the targets?
like -> php, asp
11. We need to check cookies and sessions to learn the tech and infrastructure

Based on cookies/sessions -> we can enhance our attacks from experience
Like, some cookie or session tells us about ->

11.1 What WAF is in use?
11.2 What other attacks can we try? [JWT, XSS, SQLi etc.]
12. Check what CMS is in use -> WordPress, Joomla etc.

13. Grab all JS files and enumerate them for juicy information, manually or using tools

Tools -> jsscanner, linkfinder, jsfinder, relative-url-extractor, getjs and lots of one-liner commands
Juicy information like ->

interesting URLs
interesting JS libraries
interesting subdomains
interesting APIs
internal ports or portals and their creds -> port scan on internal domains
default test user creds
DB creds
hardcoded secrets
hidden paths
and lots more
14. By understanding the JS code -> we can get ->

DOM XSS,
postMessage vulns,
logical bugs,
check for outdated frameworks and components [multiple vulnerabilities can be there]

and many more things
Examples to extract JS stuff ->

echo "target.com" | gau | grep -iE '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'

cat targets.txt | subjs
Usually what I do is ->

waybackurls + gau + hakrawler => endpoints.txt
cat targets.txt | subjs > subjs-js.txt

cat endpoints.txt subjs-js.txt | sort -u > all-js.txt

Now enumeration on this file

Yeah, I use more ways for grabbing JS files
15. JS enumeration continues ->

Extract API stuff ->
cat file.js | grep -aoP "(?<=(\"|'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|'|\`))" | sort -u

Deobfuscate JavaScript
If you see -> var test=" or var page=" in a JS file or page source, try appending these as GET parameters and check for bugs there

Monitor JS changes regularly
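As an added example (not from the thread), here are steps 13 to 15 scripted portably: pull quoted relative paths out of a JS file with grep -E instead of the -P lookarounds above, and list string variables (var, and also let/const, a small generalisation of the thread's tip) whose names are worth trying as GET parameters. The JS sample, the function names and the FUZZ query-string format are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Portable versions of the JS-enumeration
# one-liners: extract quoted relative paths (likely API endpoints) from a JS
# file, and find string variables whose names are candidates to append as
# GET parameters. All sample input is constructed.

# extract_js_paths: print unique quoted strings that start with "/", using
# the same character set as the thread's grep -P one-liner, no lookarounds.
extract_js_paths() {
    grep -oE "[\"'\`]/[A-Za-z0-9_?&=/#.-]*[\"'\`]" \
      | sed -E 's/^.//; s/.$//' \
      | LC_ALL=C sort -u
}

# find_string_vars: names of var/let/const declarations initialised with a
# string literal, e.g. var page="home" -> page. let/const is a small
# generalisation of the thread's "var test=" tip.
find_string_vars() {
    grep -oE "(var|let|const) +[A-Za-z_][A-Za-z0-9_]* *= *[\"']" \
      | sed -E 's/^(var|let|const) +//; s/ *=.*$//' \
      | LC_ALL=C sort -u
}

# build_query: turn the names into a query string to append to a page URL,
# with FUZZ as the placeholder value to replace with test payloads.
build_query() {
    sed 's/$/=FUZZ/' | paste -sd '&' - | sed 's/^/?/'
}

# Constructed sample JS file.
sample_js() {
    cat <<'JS'
var apiBase = "/api/v2";
var page="home";
const admin = '/internal/admin';
function load(id) { return fetch('/api/v2/users?id=' + id); }
var debug = "false";
// see /docs/internal (unquoted, so not an endpoint candidate)
JS
}

# Stand-alone demo.
sample_js | extract_js_paths
sample_js | find_string_vars | build_query
```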
16. Time to fetch all URLs and enumerate them

Time to get all URLs and parameters from those web files, i.e. the alive hosts, and do enumeration on them for vulns or other things

Fetching URLs -> might lead to -> SSTI, XSS, SQLi, SSRF, Open Redirect, IDOR etc.
17. Time for GitHub recon ->

Now use GitHub for more recon for juicy info, using tools like gwen001's GitHub tools, gitrob, git-hound etc. or manually using GitHub dorks

Be smart with the tools available, like -> Nuclei, httpx, jaeles-signatures
18. Mostly focus on request and response headers during manual hunting

Don't make much noise by flooding useless payloads
Be smart with it

Try blind attack things like -> blind XSS, blind SQLi, blind SSRF etc.

19. Make wordlists with custom tools using the target
20. Time for attacking things ->

20.1 Attacking web servers
=======================>
File inclusion
Command injection
Unrestricted upload
Server-side request forgery
20.2 Attacking data stores
=======================>
SQL injection
XML injection
XPath injection
XML External Entity injection (XXE)
Entity expansion attack
SOAP injection
LDAP injection
20.3 Attacking users
================>
HTML injection
Cross-site scripting
Cross-site request forgery
HTTP parameter injection
Clickjacking
20.4 Other attacks
=======================>

Subdomain takeover
Insecure CORS
SMTP injection
Host header attack
Cache poisoning attack
CRLF injection
HTTP request smuggling
Insecure deserialization
Missing SPF record
Type juggling
PHP remote Xdebug vulnerability
Using components with known vulnerabilities
Race conditions
HTTP verb tampering
Insufficient logging and monitoring

20.5 Attacking authentication
=========================>
Authentication methods
HTTP authentication
2-factor authentication bypass
Insecure captcha
20.6 Attacking access control
=========================>
Horizontal access control
IDOR
Vertical access control
Context-based access control
That's it, my friends.

Next time -> I will share some good resources

Thanks
