Skip to content

Unrealisedd/Methodology

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

Pentesting / Bug Hunting Methodology

My general approach to pentesting and bug bounty hunting. Not meant to be exhaustive -- just how I actually work.

Recon

I usually start with passive recon before touching anything directly.

Subdomain enum is where most of the attack surface shows up. I run amass and assetfinder, cross-reference with crt.sh. For quick checks subfinder works fine too.

Google dorking -- still underrated. site:target.com filetype:pdf, inurl:admin, etc. I've found exposed panels and docs this way more than once.

Shodan/Censys for finding weird stuff exposed to the internet. Always worth a quick search.

Wayback Machine for finding old endpoints, deprecated pages, sometimes even old API docs that reveal internal stuff.

For active recon I go with nmap for port scanning (masscan if the scope is huge). Then enumerate whatever services are open -- ffuf or gobuster for web directories, standard enum for SMTP/SNMP if they're there.

Web App Testing

This is where I spend most of my time on bug bounty.

First things first

  • Fingerprint the stack with wappalyzer/whatweb
  • Spider the app through Burp, map out all the endpoints
  • Check JS files for hardcoded keys, hidden endpoints, API routes
  • Look for backup files (.bak, .old, .zip) and exposed .git dirs
  • Test SSL/TLS config with testssl.sh if it's in scope

Injection

SQLi is always worth testing on any input that hits a database. I'll try manual payloads first, then sqlmap if it looks promising. Also test for command injection, NoSQL injection, XXE, and SSTI depending on the stack.

SSTI is one I look for specifically on any app using templates -- throw in {{7*7}} and see what comes back.

XSS

Test reflected first (fastest to find), then look for stored XSS in any user input that gets rendered elsewhere. DOM XSS takes more effort but can be high impact. For blind XSS I use an external callback server.

Auth and Sessions

  • Brute force protections (or lack thereof)
  • Session cookie flags and entropy
  • JWT issues -- weak secrets, alg confusion, none algorithm
  • MFA bypass attempts
  • Password reset flows

Access Control

This is where a lot of the money is in bug bounty honestly. IDORs are everywhere if you look.

  • Swap user IDs, object references in every request
  • Try accessing admin endpoints as a regular user
  • Horizontal and vertical privesc
  • Check if API endpoints have the same access controls as the UI

File Uploads

If the app accepts file uploads, test everything -- extension bypass, content-type manipulation, polyglot files. Check for LFI/RFI too.

Business Logic

Hardest to automate, highest impact usually. Race conditions, workflow bypasses, price manipulation, coupon stacking -- anything where the app trusts the client too much.

Reporting

I try to write reports that actually help the devs fix the issue:

  • Clear title describing the vuln
  • Steps to reproduce (detailed enough that someone can follow them blind)
  • Impact -- what can an attacker actually do with this
  • Proof of concept (screenshots, requests, scripts)
  • Suggested fix if I have one

Tools I Use

Web testing: Burp Suite (primary), OWASP ZAP sometimes

Recon: amass, subfinder, assetfinder, ffuf, nmap

Exploitation: sqlmap, Metasploit when needed

Wordlists: SecLists mainly, rockyou for password stuff

Mobile: MobSF for static analysis, Frida for hooking

OSINT: theHarvester, recon-ng

I'm always adding to my toolkit -- half the fun is building custom scripts for specific targets.

About

My methodology for pentesting/hacking

Resources

Stars

5 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors