My general approach to pentesting and bug bounty hunting. Not meant to be exhaustive -- just how I actually work.
I usually start with passive recon before touching anything directly.
Subdomain enum is where most of the attack surface shows up. I run amass and assetfinder, cross-reference with crt.sh. For quick checks subfinder works fine too.
Google dorking -- still underrated. site:target.com filetype:pdf, inurl:admin, etc. I've found exposed panels and docs this way more than once.
Shodan/Censys for finding weird stuff exposed to the internet. Always worth a quick search.
Wayback Machine for finding old endpoints, deprecated pages, sometimes even old API docs that reveal internal stuff.
For active recon I go with nmap for port scanning (masscan if the scope is huge). Then enumerate whatever services are open -- ffuf or gobuster for web directories, standard enum for SMTP/SNMP if they're there.
This is where I spend most of my time on bug bounty.
- Fingerprint the stack with wappalyzer/whatweb
- Spider the app through Burp, map out all the endpoints
- Check JS files for hardcoded keys, hidden endpoints, API routes
- Look for backup files (.bak, .old, .zip) and exposed .git dirs
- Test SSL/TLS config with testssl.sh if it's in scope
SQLi is always worth testing on any input that hits a database. I'll try manual payloads first, then sqlmap if it looks promising. Also test for command injection, NoSQL injection, XXE, and SSTI depending on the stack.
SSTI is one I look for specifically on any app using templates -- throw in {{7*7}} and see what comes back.
Test reflected first (fastest to find), then look for stored XSS in any user input that gets rendered elsewhere. DOM XSS takes more effort but can be high impact. For blind XSS I use an external callback server.
- Brute force protections (or lack thereof)
- Session cookie flags and entropy
- JWT issues -- weak secrets, alg confusion, none algorithm
- MFA bypass attempts
- Password reset flows
This is where a lot of the money is in bug bounty honestly. IDORs are everywhere if you look.
- Swap user IDs, object references in every request
- Try accessing admin endpoints as a regular user
- Horizontal and vertical privesc
- Check if API endpoints have the same access controls as the UI
If the app accepts file uploads, test everything -- extension bypass, content-type manipulation, polyglot files. Check for LFI/RFI too.
Hardest to automate, highest impact usually. Race conditions, workflow bypasses, price manipulation, coupon stacking -- anything where the app trusts the client too much.
I try to write reports that actually help the devs fix the issue:
- Clear title describing the vuln
- Steps to reproduce (detailed enough that someone can follow them blind)
- Impact -- what can an attacker actually do with this
- Proof of concept (screenshots, requests, scripts)
- Suggested fix if I have one
Web testing: Burp Suite (primary), OWASP ZAP sometimes
Recon: amass, subfinder, assetfinder, ffuf, nmap
Exploitation: sqlmap, Metasploit when needed
Wordlists: SecLists mainly, rockyou for password stuff
Mobile: MobSF for static analysis, Frida for hooking
OSINT: theHarvester, recon-ng
I'm always adding to my toolkit -- half the fun is building custom scripts for specific targets.