AllAboutBugBounty/README.md
2021-02-08 18:35:49 +07:00


All about bug bounty

These are my bug bounty notes, gathered from various sources. You can contribute to this repository too!

List

  • List Bypass
  • List CMS
  • List Framework
  • Miscellaneous

Reconnaissance

  • Small Scope

Only specific URLs are in scope, typically staging/dev/testing hosts or single URLs.

  • Directory Enumeration
  • Technology Fingerprinting
  • Port Scanning
  • Parameter Fuzzing
  • Wayback History
  • Known Vulnerabilities
  • Hardcoded Information in JavaScript
  • Domain Specific GitHub & Google Dorking
  • Broken Link Hijacking
  • Data Breach Analysis
  • Misconfigured Cloud Storage
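The "Hardcoded Information in JavaScript" item above is as useful to the defender as to the hunter: the same patterns a bounty hunter greps for in a front-end bundle can run as a release check over your own assets before they ship. The Python scanner below is an added example, not code from this repository; the sample bundle, the internal hostname suffixes and the detector patterns are constructed for illustration, and the AWS access key id is the placeholder published in AWS documentation, not a live credential.

```python
import re
from typing import List, NamedTuple

# Constructed sample bundle (not from any real site). The AWS access key id is the
# placeholder from AWS documentation; nothing here is a live credential.
SAMPLE_JS = """\
const cfg = {
  apiBase: "https://api.example.internal/v1",
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
  internalHost: "admin-staging.example.internal",
};
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl";
// TODO: move this server-side before launch
const api_key = 'sk_test_0123456789abcdefABCDEF';
const pem = "-----BEGIN RSA PRIVATE KEY-----";
"""

# Detector patterns (an assumed starter set; extend to your own key formats). Where a
# pattern has capture groups the last group is the sensitive value, else the whole match.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic_secret_assignment",
     re.compile(r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{8,})["']""")),
    # Internal-only hostname suffixes are an assumption; adjust to your naming scheme.
    ("internal_hostname", re.compile(r"\b[a-z0-9.-]+\.(?:internal|local|corp)\b")),
]


class Finding(NamedTuple):
    line: int
    kind: str
    redacted: str


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a report entry is recognisable without re-leaking the value."""
    return value[:keep] + "*" * min(max(len(value) - keep, 0), 12)


def scan_js(source: str) -> List[Finding]:
    """Run every detector over every line; one Finding per match, value redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(lineno, kind, redact(value)))
    return findings


def count_by_kind(findings: List[Finding]) -> dict:
    """Summarise findings as {kind: count} for a CI gate or report header."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f.line:>3}  {f.kind:<26} {f.redacted}")
```

Wire `scan_js` into the build so a non-empty result fails the pipeline; the redaction keeps the report itself from becoming a second copy of the leak.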

  • Medium Scope

Usually a wildcard scope, where every subdomain of the target is in scope.

  • Subdomain Enumeration
  • Subdomain Takeover
  • Probing & Technology Fingerprinting
  • Port Scanning
  • Known Vulnerabilities
  • Template Based Scanning (Nuclei/Jaeles)
  • Misconfigured Cloud Storage
  • Broken Link Hijacking
  • Directory Enumeration
  • Hardcoded Information in JavaScript
  • GitHub Reconnaissance
  • Google Dorking
  • Data Breach Analysis
  • Parameter Fuzzing
  • Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
  • IP Range Enumeration (If in Scope)
  • Wayback History
  • Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
  • Heartbleed Scanning
  • General Security Misconfiguration Scanning

  • Large Scope

Everything related to the organization is in scope. This includes subsidiaries, subdomains, and any other asset identifiably owned by the organization.

  • Tracking & tracing every possible signature of the target application (often there is no Google history for a scope target, but you can still crawl it)
  • Subsidiary & Acquisition Enumeration (Depth Max)
  • Reverse Lookup
  • ASN & IP Space Enumeration and Service Identification
  • Subdomain Enumeration
  • Subdomain Takeover
  • Probing & Technology Fingerprinting
  • Port Scanning
  • Known Vulnerabilities
  • Template Based Scanning (Nuclei/Jaeles)
  • Misconfigured Cloud Storage
  • Broken Link Hijacking
  • Directory Enumeration
  • Hardcoded Information in JavaScript
  • GitHub Reconnaissance
  • Google Dorking
  • Data Breach Analysis
  • Parameter Fuzzing
  • Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
  • IP Range Enumeration (If in Scope)
  • Wayback History
  • Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
  • Heartbleed Scanning
  • General Security Misconfiguration Scanning
  • Any other applicable recon vector (network or web)
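"Misconfigured Cloud Storage" appears in all three scope lists above, and in practice it most often means a bucket policy that grants read access to an anonymous principal. The Python check below is an added example, not part of this repository: it parses an S3 bucket policy document (the text found in the `Policy` field that `aws s3api get-bucket-policy` returns), reports Allow statements that expose a read action to `Principal: "*"`, and verifies the bucket's Public Access Block flags. The two policy documents, the account id and the VPC endpoint id are constructed placeholders; the weak policy is shown beside a hardened one.

```python
import json
from typing import Any, Dict, List

# Actions that let an anonymous caller read objects or list keys (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Constructed policy documents, not from any real account; the account id and VPC
# endpoint id are placeholders. WEAK_POLICY is the classic "public website bucket"
# mistake; HARDENED_POLICY names the principal, pins a VPC endpoint and forces TLS.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}"""

HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "VpcOnlyRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}"""


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list for Statement, Action and Principal.AWS; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """Principal "*" and {"AWS": "*"} both mean anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sids of Allow statements granting a read action to an anonymous principal.

    Statements carrying a Condition are still reported, suffixed "(conditional)": a key such
    as aws:SourceVpce may genuinely narrow the grant, but that needs a human to confirm.
    """
    hits: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        hits.append(f"{sid} (conditional)" if stmt.get("Condition") else sid)
    return hits


def audit_policy_json(document: str) -> List[str]:
    """Wrapper for the raw policy text as stored on the bucket."""
    return public_read_statements(json.loads(document))


def public_access_block_ok(config: Dict[str, bool]) -> bool:
    """All four PublicAccessBlockConfiguration flags must be true to block public policies and ACLs."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", audit_policy_json(doc) or "no anonymous read grants")
```

Running the check against both documents reports the weak policy's `PublicReadGetObject` as an unconditional anonymous grant, while the hardened policy only surfaces `VpcOnlyRead (conditional)` for review; the Deny statement is correctly ignored because it cannot widen access.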

Source: Link

Coming Soon!