This repository contains a comprehensive methodology and checklist for bug bounty hunting, covering recon, enumeration, and exploitation techniques. It is designed to assist security researchers and penetration testers in systematically identifying vulnerabilities in web applications, networks, and infrastructure.
- Recon Phase
- Network Recon
- User Management
- Session Management
- Input Handling
- Error Handling
- Application Logic
- Other Checks
## Recon Phase

- Get ASN for IP ranges using:
- Review latest acquisitions
- Get registrant relationships:
- Move to "Medium Scope" for each domain
- Enumerate subdomains:
- Subdomain bruteforce:
- Subdomain permutation:
- Identify live subdomains:
- Subdomain takeover check:
- Cloud asset discovery:
- Screenshot subdomains:
- Identify web server and tech stack:
- Locate common files like `/robots.txt`, `/sitemap.xml`, etc.
- Source code review (HTML/JS comments often leak internal paths, staging hosts, and debug endpoints):
- Burp Suite Engagement Tools
- Directory enumeration:
- Web fuzzing:
- Discover URLs and APIs:
- Test CORS vulnerabilities:
- Check DMARC/SPF policies:
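The CORS item above is the one most often reported without evidence of impact. The following is an added example (not part of this checklist or any tool it lists) showing what the test actually consists of: send a handful of `Origin` values that each target a different allowlist mistake, and only call it a finding when the origin is echoed back together with `Access-Control-Allow-Credentials: true`. The target origin `https://app.example.com` and the three simulated server behaviours are assumptions standing in for a live host.

```python
from urllib.parse import urlparse

# Assumed target origin (hypothetical; substitute the in-scope host).
TARGET_ORIGIN = "https://app.example.com"


def probe_origins(target=TARGET_ORIGIN):
    """Origin values worth sending, each aimed at a different allowlist mistake."""
    host = urlparse(target).hostname
    return [
        "https://evil.com",            # reflects anything?
        "null",                        # sandboxed iframes and file:// pages send Origin: null
        f"https://{host}.evil.com",    # prefix check on the trusted host
        f"https://evil{host}",         # suffix check ("endswith example.com")
        f"http://{host}",              # scheme not checked: a plain-HTTP page can read HTTPS data
        f"https://sub.{host}",         # every subdomain trusted: one XSS on any of them is enough
    ]


def assess_cors(origin_sent, headers):
    """Classify a response to a request that carried `Origin: origin_sent`.

    headers: dict of response headers (any case). Returns one of
    'no-cors', 'wildcard', 'fixed', 'reflected', 'reflected+credentials'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse to send cookies to a '*' policy, so only unauthenticated data is readable.
        return "wildcard"
    if acao == origin_sent:
        return "reflected+credentials" if creds else "reflected"
    return "fixed"


def vulnerable_origins(respond):
    """respond(origin) -> response headers. Returns the probe origins from which a page
    could read the victim's authenticated responses (origin echoed back + credentials allowed)."""
    return sorted(o for o in probe_origins()
                  if assess_cors(o, respond(o)) == "reflected+credentials")


# Three constructed server behaviours standing in for a live target.
def server_reflects_anything(origin):
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def server_suffix_check(origin):
    # Buggy allowlist: "ends with example.com" also matches evilapp.example.com.
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def server_exact_allowlist(origin):
    if origin in {"https://app.example.com", "https://admin.example.com"}:
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


if __name__ == "__main__":
    for name, srv in [("reflect-anything", server_reflects_anything),
                      ("suffix-check", server_suffix_check),
                      ("exact-allowlist", server_exact_allowlist)]:
        print(name, vulnerable_origins(srv))
```

Against a real host, `respond` is just the request you would otherwise make in Burp Repeater, for example `lambda o: requests.get(url, headers={"Origin": o}).headers`. A hit on `https://sub.<host>` is a weaker finding than a hit on `https://evil.com` (it needs a foothold on a subdomain), so report it with that caveat; a `wildcard` verdict is only interesting if the endpoint returns data without cookies.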
## Network Recon

- Port scanning (all ports):
- UDP port scanning:
- SSL/TLS testing (protocol versions, cipher suites, certificate validity and hostname match):
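The DMARC/SPF item in the recon list above is usually reduced to "is there a record". What decides whether the domain is spoofable is the combination: DMARC must enforce (`p=quarantine` or `p=reject`, at `pct=100`), and SPF must not let anyone pass (a `+all` record gives an attacker an aligned SPF pass, which satisfies DMARC even with `p=reject`). The following is an added example, not part of this checklist, that evaluates that logic over constructed TXT records for three hypothetical domains; the records stand in for `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>` output.

```python
# Constructed TXT records for hypothetical domains; they stand in for the output
# of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.
SAMPLE_TXT = {
    "weak.example": {
        "@": ["v=spf1 include:_spf.google.com ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "open.example": {
        "@": ["v=spf1 +all"],
        "_dmarc": ["v=DMARC1; p=reject"],
    },
    "strict.example": {
        "@": ["v=spf1 ip4:203.0.113.0/24 -all"],
        "_dmarc": ["v=DMARC1; p=reject; sp=reject; pct=100"],
    },
}

ENFORCING = ("quarantine", "reject")


def parse_spf(records):
    """Return {'present', 'all', 'issues'} for a domain's TXT records."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "all": None, "issues": ["no SPF record"]}
    issues = []
    if len(spf) > 1:
        issues.append("multiple SPF records: receivers treat this as permerror, i.e. no SPF")
    terms = [t.lower() for t in spf[0].split()[1:]]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        issues.append("'+all': every host on the internet passes SPF for this domain")
    elif all_term == "?all":
        issues.append("'?all': neutral, equivalent to no policy")
    elif all_term == "~all":
        issues.append("'~all' softfail: only useful if DMARC enforces on top of it")
    return {"present": True, "all": all_term, "issues": issues}


def parse_dmarc(records):
    """Return {'present', 'policy', 'pct', 'issues'} for the _dmarc TXT records."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"present": False, "policy": None, "pct": 0,
                "issues": ["no DMARC record: SPF/DKIM results are never enforced on the From: domain"]}
    tags = {}
    for part in dmarc[0].split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    issues = []
    if policy not in ENFORCING:
        issues.append(f"p={policy or '<missing>'}: monitoring only, spoofed mail is delivered")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp") == "none":
        issues.append("sp=none: subdomains are left unenforced")
    return {"present": True, "policy": policy, "pct": pct, "issues": issues}


def assess_spoofability(domain, txt=SAMPLE_TXT):
    """The From: domain is spoofable if DMARC does not enforce, or if SPF passes
    anyone ('+all'): an aligned SPF pass satisfies DMARC even with p=reject."""
    spf = parse_spf(txt[domain]["@"])
    dmarc = parse_dmarc(txt[domain]["_dmarc"])
    enforced = dmarc["policy"] in ENFORCING and dmarc["pct"] == 100
    spf_open = spf["all"] in ("all", "+all")
    return {
        "domain": domain,
        "spoofable": (not enforced) or spf_open,
        "issues": spf["issues"] + dmarc["issues"],
    }


if __name__ == "__main__":
    for domain in SAMPLE_TXT:
        print(assess_spoofability(domain))
```

For a live domain, replace `SAMPLE_TXT` with the records a resolver returns (`dnspython` or the `dig` output); `include:` and `redirect=` targets are not followed here, so an over-permissive record reached through an include is not caught.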
## User Management

- Test for duplicate registrations (e.g., `user+1@mail.com` registering a second account for the same mailbox)
- Check for weak password policies
- Rate-limiting on registration
- Test username enumeration (differing messages, status codes, or response times across login, registration, and password reset)
- Test for brute-force resilience (lockout, rate limiting, and whether they key on the account, the source IP, or both)
- Test multi-step and federated authentication flows (OAuth, SAML) and token handling (JWT)
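The duplicate-registration check above is about the gap between what the application compares (the exact string) and what the mail provider delivers (the mailbox). The following is an added example, not code from this repository, that generates the spellings worth trying at sign-up and, on the hardened side, the canonical form a registration table should be unique on. The provider rules (sub-addressing with `+`, dots ignored on Gmail, `googlemail.com` as an alias) are the common ones, not an exhaustive list, and dropping the `+tag` is an application policy assumed here.

```python
import unicodedata


def registration_variants(email):
    """Spellings of an already-registered address to try at sign-up. Constructed
    heuristics for common providers, not an exhaustive list."""
    local, domain = email.rsplit("@", 1)
    variants = {
        f"{local}+1@{domain}",         # sub-addressing: same mailbox on Gmail, Fastmail, Outlook, ...
        f"{local.upper()}@{domain}",   # local-part case: RFC 5321 allows case sensitivity, providers ignore it
        f"{local}@{domain.upper()}",   # domain part is case-insensitive by definition
        f" {email} ",                  # padding: the uniqueness check may run before trim()
    }
    if domain.lower() in ("gmail.com", "googlemail.com"):
        alias = "googlemail.com" if domain.lower() == "gmail.com" else "gmail.com"
        variants.add(f"{local}@{alias}")
        if len(local) > 1 and "." not in local:
            variants.add(f"{local[0]}.{local[1:]}@{domain}")  # Gmail ignores dots in the local part
    return sorted(variants - {email})


def canonical_email(email):
    """Hardened side: the key a registration table should be unique on. Assumes the
    application wants one account per mailbox, so sub-address tags are dropped."""
    email = unicodedata.normalize("NFKC", email).strip().lower()
    local, domain = email.rsplit("@", 1)
    local = local.split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def is_taken_naive(email, existing):
    """Exact-string uniqueness check: the bug the variants above get past."""
    return email in existing


def is_taken_canonical(email, existing):
    return canonical_email(email) in {canonical_email(e) for e in existing}


def duplicate_findings(registered, existing=None):
    """Variants of `registered` that a naive check would accept as a new account."""
    existing = existing or {registered}
    return [v for v in registration_variants(registered)
            if not is_taken_naive(v, existing) and is_taken_canonical(v, existing)]


if __name__ == "__main__":
    print(duplicate_findings("user@gmail.com"))
```

Each variant that registers successfully is one finding, but the impact differs: a second account on the same mailbox matters when the application ties a benefit (trial, referral bonus, vote, rate limit) to a unique email, and it is a verified-email bypass only if the confirmation link still reaches the attacker's mailbox.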
## Session Management

- Test session fixation (is the session ID rotated on login?)
- Test CSRF tokens (present, bound to the session, validated on every state-changing request)
- Validate cookie attributes (`HttpOnly`, `Secure`, `SameSite`)
- Check that logout invalidates the session server-side, not just in the browser
## Input Handling

- Test for Reflected XSS:
- Test for SQL Injection:
- Test for Server-Side Request Forgery (SSRF):
- Test for Local File Inclusion (LFI) and path traversal
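For the LFI item above, the following is an added example (not part of this checklist) of the bug pattern, the payloads that exercise it, and the guard that stops it. It builds its own throwaway directory (a public `index.html` next to a `secret.txt` outside the served tree), so it runs offline; the function names and layout are assumptions. The three payloads target three distinct mistakes: a raw `../`, a URL-encoded `..%2F` that a filter applied before decoding misses, and an absolute path, which `os.path.join()` silently uses in place of the base directory.

```python
import os
import tempfile
from urllib.parse import unquote


def make_fixture():
    """Constructed layout: <tmp>/public/index.html is meant to be served,
    <tmp>/secret.txt is not. Returns the public directory."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2\n")
    return public


def vulnerable_read(public, user_path):
    """Typical bug: os.path.join() discards `public` entirely when the user-controlled
    segment is absolute, and nothing resolves '..' before the open()."""
    with open(os.path.join(public, unquote(user_path))) as f:
        return f.read()


def safe_read(public, user_path):
    """Decode, resolve symlinks and '..', then require the result to stay under the base."""
    base = os.path.realpath(public)
    relative = unquote(user_path).lstrip("/\\")  # an absolute path becomes relative to base
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} resolves outside {base}")
    with open(target) as f:
        return f.read()


def traversal_payloads(public):
    """Payloads aimed at three distinct mistakes; the absolute path is built from the fixture."""
    secret = os.path.join(os.path.dirname(public), "secret.txt")
    return ["../secret.txt", "..%2Fsecret.txt", secret]


def probe(reader, public):
    """Map each payload to 'leaked' or 'blocked' for the given reader function."""
    results = {}
    for payload in traversal_payloads(public):
        try:
            results[payload] = "leaked" if "hunter2" in reader(public, payload) else "blocked"
        except OSError:  # PermissionError from the guard, or FileNotFoundError
            results[payload] = "blocked"
    return results


if __name__ == "__main__":
    public = make_fixture()
    print("vulnerable:", probe(vulnerable_read, public))
    print("hardened:  ", probe(safe_read, public))
```

The order in `safe_read` is the point: decode first, resolve second, compare last. A check that runs on the undecoded string, or that uses `startswith` on the unresolved path, is what the second and third payloads are for.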
## Error Handling

- Generate and analyze custom error pages (stack traces, framework versions, internal hostnames)
- Test HTTP header injection
- Use fuzzing techniques to generate error codes:
## Application Logic

- Test for multi-step process logic flaws (e.g., gift codes, payments): skip, repeat, or reorder steps and tamper with values between them
- Test for client-side validation bypass (replay the request with the client-side checks removed)
- IDOR checks (access control for sensitive resources): swap object identifiers between two accounts and compare responses
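The IDOR item above is a two-account test: learn an object ID as its owner, then request it with the other account's session. The following is an added example, not code from this repository, that automates exactly that against a small in-process HTTP server included so the example runs offline. The server, its `/invoices/<id>` route, the bearer tokens, and the two accounts are assumptions; the same `idor_check` works against a real target once `fetch` carries that target's session cookie or token.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed data: two accounts, one invoice each. Tokens are stand-ins for session cookies.
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 480},
}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}


class InvoiceHandler(BaseHTTPRequestHandler):
    """GET /invoices/<id>. With enforce_ownership=False the endpoint checks only that the
    caller is logged in (the IDOR); with True it also checks that the caller owns the object."""
    enforce_ownership = False

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        user = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if user is None:
            return self._reply(401, {"error": "unauthenticated"})
        prefix = "/invoices/"
        if not self.path.startswith(prefix) or not self.path[len(prefix):].isdigit():
            return self._reply(404, {"error": "not found"})
        invoice = INVOICES.get(int(self.path[len(prefix):]))
        if invoice is None:
            return self._reply(404, {"error": "not found"})
        if self.enforce_ownership and invoice["owner"] != user:
            return self._reply(403, {"error": "forbidden"})  # authorization, not just authentication
        return self._reply(200, invoice)

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server(enforce_ownership):
    handler = type("Handler", (InvoiceHandler,), {"enforce_ownership": enforce_ownership})
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(base, path, token):
    """Return (status, parsed JSON body or None) for a request made with the given token."""
    req = Request(base + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, None


def idor_check(base, victim_token, attacker_token, victim_ids):
    """The manual test, automated: fetch each object as its owner to record the expected body,
    then request the same URL with the attacker's session. A 200 with the same body is a hit."""
    leaked = []
    for rid in victim_ids:
        path = f"/invoices/{rid}"
        owner_status, owner_body = fetch(base, path, victim_token)
        if owner_status != 200:
            continue  # not actually the victim's object; skip rather than misreport
        attacker_status, attacker_body = fetch(base, path, attacker_token)
        if attacker_status == 200 and attacker_body == owner_body:
            leaked.append(rid)
    return leaked


def run_demo(enforce_ownership):
    """Start the in-process server in one of its two modes and run the check against it."""
    server = start_server(enforce_ownership)
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return idor_check(base, "token-alice", "token-bob", [1001])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", run_demo(False))
    print("hardened endpoint leaks:  ", run_demo(True))
```

Comparing bodies rather than just status codes matters: some applications answer 200 with an empty or generic object for foreign IDs, which is not a finding. Also note that a 403 from the hardened mode confirms the ID exists, so if existence itself is sensitive, the fix should return 404 for both missing and foreign objects.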
## Other Checks

- Bypass CAPTCHA using OCR tools:
- Check for missing security headers like `Strict-Transport-Security`, `Content-Security-Policy`, `X-Frame-Options`, and `X-Content-Type-Options` (`X-XSS-Protection` is deprecated and ignored by current browsers; its absence is not worth reporting on its own)
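The header check above and the cookie-attribute check in the session management list are the same exercise over one response, so the following is one added example (not part of this checklist) that covers both: it parses a constructed raw response of the kind Burp or `curl -i` shows, reports the security headers that are absent, skips `X-Frame-Options` when a `Content-Security-Policy` with `frame-ancestors` already covers it, and lists the missing `Secure`, `HttpOnly` and `SameSite` attributes per `Set-Cookie`, including a violation of the `__Host-` prefix rules. The sample response and cookie names are constructed; `X-XSS-Protection` is deliberately not in the expected set.

```python
# Constructed raw response, the kind of thing Burp or `curl -i` shows; not from any real target.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=7f3c9a1e2b; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/
Set-Cookie: __Host-csrf=9e1d; Path=/; Domain=app.example.com
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
"""

# Header -> why its absence is worth a line in the report. X-XSS-Protection is
# deliberately absent: current browsers ignore it.
EXPECTED_HEADERS = {
    "strict-transport-security": "no HSTS: first visit and any http:// link are downgradable",
    "content-security-policy": "no CSP: nothing limits what an injected script can do",
    "x-frame-options": "no framing restriction: clickjacking",
    "x-content-type-options": "no nosniff: browsers may sniff responses into scripts/styles",
}

SESSION_LIKE = ("session", "sess", "sid", "token", "auth", "jwt")


def parse_response(raw):
    """Return (status_line, [(name_lower, value), ...]); repeated headers are kept in order."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers, body follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def missing_headers(headers, https=True):
    """Expected headers that are absent, with the reason each one matters."""
    present = {name for name, _ in headers}
    csp = next((v for n, v in headers if n == "content-security-policy"), "")
    findings = {}
    for name, why in EXPECTED_HEADERS.items():
        if name in present:
            continue
        if name == "strict-transport-security" and not https:
            continue  # HSTS is only meaningful (and only honoured) on HTTPS responses
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        findings[name] = why
    return findings


def parse_set_cookie(value):
    """'name=value; Path=/; HttpOnly' -> ('name', {'path': '/', 'httponly': True})"""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def cookie_findings(headers):
    """Per cookie, the attributes a report would call out. Session-looking cookies are
    the ones where HttpOnly/Secure matter most; SameSite matters for CSRF."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        missing = [label for label, key in (("Secure", "secure"), ("HttpOnly", "httponly"),
                                            ("SameSite", "samesite")) if key not in attrs]
        if cookie.startswith("__Host-") and (
                "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs):
            missing.append("__Host- prefix requirements (Secure, Path=/, no Domain)")
        if missing:
            findings[cookie] = {"missing": missing,
                                "session_like": any(k in cookie.lower() for k in SESSION_LIKE)}
    return findings


if __name__ == "__main__":
    status, headers = parse_response(SAMPLE_RESPONSE)
    print(status)
    print(missing_headers(headers))
    print(cookie_findings(headers))
```

The `__Host-` case is worth knowing: a browser that sees `__Host-csrf` with a `Domain` attribute drops the cookie entirely, so the symptom is a broken feature rather than a weak one. Feed real responses in through `parse_response` on the raw text, or build the `(name, value)` list from `requests`' `response.raw.headers.items()` so repeated `Set-Cookie` lines are not collapsed.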
Feel free to submit a pull request if you find additional tools, techniques, or methodologies that should be included. We welcome all contributions from the bug bounty community!
This checklist provides a systematic approach to finding and exploiting vulnerabilities in bug bounty programs. It serves as a quick reference to ensure you cover all critical aspects during your testing process.