Recon methodology
Reconnaissance is the foundation of bug bounty hunting: it's where you map out your target's entire attack surface before diving into any actual testing. Most hunters rush straight into vulnerability hunting and miss the majority of the attack surface.
Proper recon helps you discover forgotten subdomains, exposed development environments, leaked credentials in GitHub repositories, hidden API endpoints, and misconfigured services that other researchers overlook. The more thorough your reconnaissance phase, the larger your attack surface becomes, and the higher your chances of finding critical vulnerabilities that others missed.

Network port scanning
After filtering for live hosts, it's time to run a port scan and map out live services. Tools like Nmap and Masscan can help scan network ports at scale. Non-standard ports regularly expose administrative panels, database interfaces, and internal APIs that are not intended to be publicly accessible. Pay particular attention to ports commonly used by development stacks, such as 3000, 8080, 8443, and 9200.
Content discovery
Once you've mapped out the utilized technologies, it's time to perform some content discovery. Each individual host serves files, runs on certain web frameworks, or hosts a custom panel or application. With the help of a (custom) wordlist and a brute-forcing tool like FFuf or Feroxbuster, we can identify unlinked files and folders. These results often point to exposed panels, configuration files, undocumented API endpoints, and sometimes even backup archives.
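The raw output of a brute-forcing run is only useful once catch-all "not found" pages served with HTTP 200 are filtered out and the genuinely interesting hits are surfaced. The following Python is an added example, not code from the page or from the FFuf project: it loads FFuf-style JSON results (the field names used here, including "input", "status", "length", "words", "lines" and "url", are an assumption about that format), clusters responses by their size signature to drop soft-404s, and flags paths that look like backups or exposed VCS metadata. All sample data is constructed. The same triage is what a defender would run against their own hosts to see which unlinked paths are real exposures rather than noise.

```python
import json
from collections import Counter


def _row(word, status, length, words, lines, extra=None):
    """Build one constructed result row shaped like an FFuf JSON entry (assumed format)."""
    row = {"input": {"FUZZ": word}, "status": status, "length": length,
           "words": words, "lines": lines, "url": f"https://app.example.test/{word}"}
    row.update(extra or {})
    return row


# Constructed sample output; app.example.test is a placeholder host, not a real target.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -w wordlist.txt -u https://app.example.test/FUZZ -of json -o out.json",
    "results": [
        _row("admin", 200, 5121, 410, 120),
        _row("backup.zip", 200, 88211, 30, 2),
        _row("config.php.bak", 200, 1337, 95, 40),
        _row("api", 301, 0, 0, 0, {"redirectlocation": "/api/"}),
        _row(".git/HEAD", 200, 23, 2, 1),
        # The application answers every unknown path with the same 200 "not found" page,
        # so these four share an identical size signature.
        _row("foo", 200, 2048, 300, 60),
        _row("bar", 200, 2048, 300, 60),
        _row("baz", 200, 2048, 300, 60),
        _row("qux", 200, 2048, 300, 60),
    ],
})


def load_results(raw_json):
    return json.loads(raw_json)["results"]


def response_signature(result):
    """Status plus size metrics; identical signatures usually mean the same template page."""
    return (result["status"], result["length"], result.get("words"), result.get("lines"))


def filter_soft_404s(results, min_cluster=3):
    """Drop every result whose signature occurs min_cluster or more times.

    A catch-all page returned for unknown paths shows up as a large cluster of
    identical responses, while real discoveries are (mostly) unique.
    """
    counts = Counter(response_signature(r) for r in results)
    return [r for r in results if counts[response_signature(r)] < min_cluster]


# Path shapes worth a manual look: backup/config leftovers and exposed repository metadata.
INTERESTING_SUFFIXES = (".bak", ".old", ".zip", ".tar.gz", ".sql", ".env")
INTERESTING_PREFIXES = (".git/", ".svn/", ".env")


def triage(raw_json, min_cluster=3):
    """Return (results kept after soft-404 filtering, URLs flagged for manual review)."""
    kept = filter_soft_404s(load_results(raw_json), min_cluster)
    flagged = []
    for r in kept:
        word = r["input"]["FUZZ"].lower()
        if word.endswith(INTERESTING_SUFFIXES) or word.startswith(INTERESTING_PREFIXES):
            flagged.append(r["url"])
    return kept, flagged


if __name__ == "__main__":
    kept, flagged = triage(SAMPLE_FFUF_JSON)
    print("kept:", [r["input"]["FUZZ"] for r in kept])
    print("flagged:", flagged)
```

The cluster threshold is deliberately low (three identical responses) because a wordlist of a few thousand entries against a catch-all application produces hundreds of identical hits; raise it if the application legitimately serves many same-sized pages.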
Third-party service mapping
Your target organization uses all sorts of third-party tools and services, such as Atlassian Jira, AWS S3, Jenkins, Freshworks, and similar platforms. These environments are often deployed but receive less security attention than the main assets, which makes security misconfigurations more likely. Tools like Misconfig-Mapper can help identify common security misconfigurations in third-party services at scale.
The recon process
The following steps represent the complete reconnaissance process in the order they are typically performed. Each phase builds on the output of the previous one.
Asset mapping
The first phase involves identifying all IP ranges, ASNs, and root domains owned by your target organization. Query ARIN, RIPE, or APNIC with your target's organization name to search for netblocks, then cross-reference with tools like Amass or bgp.he.net to discover autonomous system numbers (ASNs) and the full scope of infrastructure under the target's control.
Subdomain enumeration
The next phase involves mapping out all subdomains of the root domains discovered in phase one. Combine passive sources, such as Google search results and certificate transparency logs, with active brute-forcing using wordlists. Subdomains frequently point to staging environments, internal tooling, and legacy applications that receive significantly less security attention than the primary domain or assets.
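Certificate transparency logs are one of the passive sources mentioned above, and their output needs normalising before it is useful: entries list several names per certificate, include wildcard entries, and mix case and trailing dots. The Python below is an added example, not code from the page: it parses a crt.sh-style JSON export (the "name_value" field holding newline-separated names is an assumption about that format), lowercases and de-duplicates the names, collapses wildcards to their zone, and keeps only hosts that are genuinely under the in-scope root domains, so a lookalike such as example.test.attacker.invalid is dropped rather than tested by mistake. All sample data is constructed.

```python
import json
import re

# Constructed in-scope roots; a real engagement takes these from the program's scope.
ROOT_DOMAINS = {"example.test", "example-corp.test"}

# Constructed sample shaped like a crt.sh JSON export (assumed format, not real data).
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.test", "name_value": "www.example.test\nexample.test"},
    {"common_name": "*.staging.example.test", "name_value": "*.staging.example.test\nstaging.example.test"},
    {"common_name": "JENKINS.Example.Test", "name_value": "JENKINS.Example.Test"},
    {"common_name": "mail.example-corp.test", "name_value": "mail.example-corp.test."},
    # Out-of-scope lookalike: contains the root as a label but is not under it.
    {"common_name": "example.test.attacker.invalid", "name_value": "example.test.attacker.invalid"},
    {"common_name": "api.example.test", "name_value": "api.example.test\napi.example.test"},
])

# Conservative hostname check: labels of letters, digits and hyphens, alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(host, roots):
    """True only if host equals a root or sits strictly below one (suffix match on a label boundary)."""
    return any(host == root or host.endswith("." + root) for root in roots)


def normalise_name(name):
    """Lowercase, strip whitespace and trailing dot, and reduce '*.zone' to 'zone'."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def extract_subdomains(raw_json, roots):
    """Return the sorted, de-duplicated set of in-scope hostnames found in CT entries."""
    found = set()
    for entry in json.loads(raw_json):
        for raw_name in entry.get("name_value", "").split("\n"):
            name = normalise_name(raw_name)
            if HOSTNAME_RE.match(name) and in_scope(name, roots):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CT_JSON, ROOT_DOMAINS):
        print(host)
```

The scope check matches on a label boundary ("." + root) rather than a plain substring, which is the detail that keeps lookalike domains out of the resolver input in the next phase.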
Live host probing
Filter the raw subdomain list down to hosts that actively resolve. Tools like massdns and dnsx can resolve hosts at scale. This step prevents you from wasting time scanning hosts that no longer respond and gives you a more accurate view of your attack surface.
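Resolving at scale has one well-known trap: a zone with wildcard DNS makes every brute-forced name "resolve", so the live-host list fills with phantom hosts. The Python below is an added example, not code from the page or from the massdns project: it parses massdns-style simple output (the "name. TYPE value" line format is an assumption about that tool's output), follows CNAMEs within the captured data, and uses the addresses returned for deliberately random probe labels to separate hosts that really exist from hosts that only resolve because of a wildcard. All sample records are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed resolver output in an assumed "name. TYPE value" format.
# zx9q3k7v.example.test is a random label we appended to the input to detect wildcards.
SAMPLE_MASSDNS_OUTPUT = """\
www.example.test. A 203.0.113.10
api.example.test. A 203.0.113.11
api.example.test. A 203.0.113.12
staging.example.test. CNAME staging-lb.example.test.
staging-lb.example.test. A 203.0.113.20
old.example.test. A 198.51.100.5
ghost.example.test. A 198.51.100.5
zx9q3k7v.example.test. A 198.51.100.5
dead.example.test. AAAA 2001:db8::1
"""
PROBE_LABELS = {"zx9q3k7v.example.test"}

LINE_RE = re.compile(r"^(\S+?)\.?\s+(A|AAAA|CNAME)\s+(\S+?)\.?$")


def parse_massdns(text):
    """Map each lowercased owner name to its set of (record type, value) pairs."""
    records = defaultdict(set)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            name, rtype, value = match.groups()
            records[name.lower()].add((rtype, value.lower()))
    return records


def resolve_addresses(host, records, depth=0):
    """Collect A/AAAA values for host, following CNAME targets present in the data.

    The depth guard stops CNAME loops from recursing forever.
    """
    addresses = set()
    if depth > 5:
        return addresses
    for rtype, value in records.get(host, ()):
        if rtype in ("A", "AAAA"):
            addresses.add(value)
        elif rtype == "CNAME":
            addresses |= resolve_addresses(value, records, depth + 1)
    return addresses


def live_hosts(records, probe_labels):
    """Return (hosts with real addresses, hosts that only resolve to wildcard addresses, wildcard addresses)."""
    wildcard_ips = set()
    for probe in probe_labels:
        wildcard_ips |= resolve_addresses(probe, records)
    live, suspect = [], []
    for host in sorted(records):
        if host in probe_labels:
            continue
        addresses = resolve_addresses(host, records)
        if not addresses:
            continue  # CNAME to nothing, or no address record: not live
        (suspect if addresses <= wildcard_ips else live).append(host)
    return live, suspect, wildcard_ips


if __name__ == "__main__":
    live, suspect, wildcard_ips = live_hosts(parse_massdns(SAMPLE_MASSDNS_OUTPUT), PROBE_LABELS)
    print("live:", live)
    print("wildcard-only (suspect):", suspect, "wildcard IPs:", sorted(wildcard_ips))
```

Hosts in the suspect list are not necessarily dead; they are simply indistinguishable from the wildcard at the DNS layer, so they need an HTTP-level check (different virtual host content) before they earn a place on the live list.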
Technology fingerprinting
Next, it's time to fingerprint technologies. Each live host (and open port) runs services such as web servers and frameworks, file sharing services, and so on. In bug bounty hunting, we're specifically interested in mapping the technologies used by each live domain, as some are vulnerable to known CVEs or common security misconfigurations. Several tools can help map them based on the HTTP response header(s) and web structure.
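To make the header-and-structure approach concrete, the Python below is an added example, not code from the page or from any fingerprinting tool: a small rule engine that matches response headers and body fragments against signatures and records a technology together with a version when one is exposed. The hosts, headers and body snippets are constructed; the signatures (an X-Jenkins header, a PHP X-Powered-By value, an nginx Server banner, a wp-content path, the Elasticsearch cluster JSON) reflect commonly seen defaults and are not exhaustive. From the defender's side the same pass over one's own hosts shows which version banners are leaking and should be suppressed.

```python
import re

# Constructed sample responses: host -> (headers, body snippet). Not real hosts.
SAMPLE_RESPONSES = {
    "app.example.test": (
        {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3", "Set-Cookie": "PHPSESSID=abc; path=/"},
        '<html><link rel="stylesheet" href="/wp-content/themes/demo/style.css"></html>',
    ),
    "ci.example.test": (
        {"X-Jenkins": "2.401.3", "Server": "Jetty(10.0.15)"},
        "<html><title>Dashboard [Jenkins]</title></html>",
    ),
    "search.example.test": (
        {"Content-Type": "application/json"},
        '{"name":"node-1","cluster_name":"es","version":{"number":"7.10.2"}}',
    ),
    "api.example.test": (
        {"Server": "cloudflare", "X-Powered-By": "Express"},
        '{"error":"not found"}',
    ),
}

# (technology, header name, regex or None). None means "header presence is the signal
# and its value is the version". Group 1 of a regex, when present, captures the version.
HEADER_RULES = [
    ("Jenkins", "X-Jenkins", None),
    ("PHP", "X-Powered-By", r"PHP/?([\d.]+)?"),
    ("Express", "X-Powered-By", r"^Express"),
    ("nginx", "Server", r"nginx/?([\d.]+)?"),
    ("Jetty", "Server", r"Jetty\(([\d.]+)\)"),
    ("Cloudflare", "Server", r"^cloudflare$"),
    ("PHP", "Set-Cookie", r"PHPSESSID="),
]

# (technology, regex over the response body).
BODY_RULES = [
    ("WordPress", r"/wp-content/"),
    ("Elasticsearch", r'"cluster_name"\s*:.*"version"\s*:\s*\{\s*"number"\s*:\s*"([\d.]+)"'),
    ("Jenkins", r"\[Jenkins\]"),
]


def _record(found, tech, version):
    """Add tech, keeping an already-known version over a later match without one."""
    if tech not in found or (found[tech] is None and version):
        found[tech] = version


def _version_from(match):
    return match.group(1) if match.groups() and match.group(1) else None


def fingerprint(headers, body):
    """Return {technology: version-or-None} for one response."""
    found = {}
    lower_headers = {k.lower(): v for k, v in headers.items()}
    for tech, header, pattern in HEADER_RULES:
        value = lower_headers.get(header.lower())
        if value is None:
            continue
        if pattern is None:
            _record(found, tech, value.strip() or None)
            continue
        match = re.search(pattern, value, re.IGNORECASE)
        if match:
            _record(found, tech, _version_from(match))
    for tech, pattern in BODY_RULES:
        match = re.search(pattern, body, re.IGNORECASE | re.DOTALL)
        if match:
            _record(found, tech, _version_from(match))
    return found


def fingerprint_all(responses):
    return {host: fingerprint(headers, body) for host, (headers, body) in responses.items()}


if __name__ == "__main__":
    for host, techs in fingerprint_all(SAMPLE_RESPONSES).items():
        print(host, techs)
```

Header names are compared case-insensitively because HTTP allows any casing, and a technology seen with a version is never downgraded to "unknown version" by a second, weaker signal such as a session cookie name.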
Parameter discovery
Parameters can be vulnerable to all sorts of security vulnerabilities, such as injection attacks. Our next step after content discovery is to enumerate unlinked query and body parameters. With the help of tools like ParamMiner and Arjun, we can quickly find forgotten parameters, which are a frequent source of injection and IDOR vulnerabilities.
