Comprehensive Bug Bounty Hunting Methodology (2024 Edition)
Welcome to your complete bug bounty guide! 🕵️ This is designed for beginners, but even if you’re experienced, there’s always something new to learn or tools to discover. With this checklist, you’ll not only understand the “what” but also the “how” and “why.” Each section is filled with tools, commands, and examples to make your bug bounty journey smooth and productive. For non-premium medium members, you can read it for free using this link:
1. Reconnaissance: The First Step to Success
The recon phase is all about gathering information. The more data you have on your target, the higher your chances of finding vulnerabilities. This stage sets the foundation for everything that follows.
1.1 Subdomain Enumeration
Subdomains often hide forgotten features, admin panels, or unpatched vulnerabilities. Use multiple tools for better coverage.
Passive Subdomain Enumeration
Passive enumeration relies on third-party sources and APIs, such as certificate transparency logs, search engines, and public DNS databases.
- Tools:
- Subfinder Example:
subfinder -d -all -recursive -t 200 -silent -o subfinder-rescursive.txt

- Findomain Example:
findomain --quiet -t | tee findomain.txt

- Amass Example:
amass enum -passive -d -o amass.txt

- Assetfinder Example:
assetfinder -subs-only | tee assetfinder.txt

- Sublist3r Example:
sublist3r -d -t 50 -o sublist3r.txt

Active Subdomain Enumeration
Active enumeration involves brute-forcing subdomains using wordlists and DNS queries.
- Tools:
- Subbrute Example (using a wordlist for brute force):
python3 -w wordlist.txt -o brute_subs.txt
we can also use this within sublist3r
by giving -b
- MassDNS Example:
./Tools/massdns/scripts/ /usr/share/wordlists/2m-subdomains.txt | massdns -r /usr/share/wordlists/resolvers.txt -t A -o S -w

you can sort the results accordingly and save it into a file:

Subdomain Brute-Forcing
Brute-forcing is useful when passive methods miss some hidden subdomains.
- Tools:
- FFUF Example:
ffuf -u -H "Host:" -w /usr/share/wordlists/subdomains.txt -t 100 -fc 403 | tee ffuf_subs_output.txt

use this command to filter out the ffuf
for subs in $(cat ffuf_subs_output.txt | awk '{print $1}'); do
echo "${subs}" >> ffuf-subs-final.txt ;

then remove the ffuf_subs_output.txt
rm ffuf_subs.output.txt
- Combine all results into one file using
cat *.txt | anew all_subdomains.txt
1.2 DNS Resolution and Probing
Once you’ve gathered subdomains, the next step is to check which ones are live by resolving their DNS records. A tool like dnsx
or Shuffledns
can be used to filter out non-existent subdomains.
- Tools:
- Shuffledns Example:
shuffledns -d -list all_subdomains.txt -r resolvers.txt -o live_subs.txt
- dnsx Example:
dnsx -l all_subdomains.txt -r /usr/share/wordlists/resolvers.txt -o live_subs.txt

Collecting IP Addresses
Once the subdomains are resolved, it’s often useful to collect their associated IP addresses for future port scanning and fingerprinting.
- dnsx with IP Output:
dnsx -l live_subs.txt -a -resp-only -o live_with_ips.txt

- Reverse DNS Lookups
You can also find additional subdomains by performing reverse DNS lookups on IP addresses.
- Tools:
- dnsx Example for Reverse DNS:
dnsx -ptr -l live_with_ips.txt -r /usr/share/wordlists/resolvers.txt | massdns -r /usr/share/wordlists/resolvers.txt -q -o S -t PTR > reverse_dns_massdns.txt

1.3 HTTP Probing (Identifying Live Web Services)
Not every resolved subdomain will be hosting a web service. HTTP probing helps you identify which subdomains are serving websites.
- Tools:
- httpx Example:
httpx -l live_subs.txt -title -sc -location -p 80,443,8000,8080,8443 -td -cl -probe -o httpx_output.txt

We can further filter this out to get only those domains that are currently reachable using this command:
cat httpx_output.txt | grep -v "FAILED" | awk '{print $1}' | tee probed_domains.txt

1.4 Screenshotting Web Services
When dealing with a large number of subdomains, taking screenshots of each live web server is a great way to visualize them quickly, identify login portals, or other points of interest.
- Tools:
- Aquatone Example:
cat web_servers.txt | aquatone -out screenshots/
- Gowitness Example:
gowitness scan file -f probed_domains.txt --threads 10 --screenshot-path screenshots/ --write-db

This step saves time during manual analysis by visually comparing different interfaces or login panels.
1.5 Content Discovery (Directory and File Bruteforcing)
After you’ve identified live websites, the next step is to look for hidden directories or files that may expose sensitive data.
- Tools:
- Dirsearch Examples:
dirsearch -w /usr/share/wordlists/custom.txt --full-url --random-agent -x 404,400 -e php,html,js,json,ini -u
dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql,asp,aspx,asp~,py~,rb,rb~,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp~,lock,log,rar,old,sql.gz,,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip -i 200 --full-url --deep-recursive -w /usr/share/wordlists/custom.txt --exclude-subdirs .well-known/,wp-includes/,wp-json/,faq/,Company/,Blog/,Careers/,Contact/,About/,IMAGE/,Images/,Logos/,Videos/,feed/,resources/,banner/,assets/,css/,fonts/,img/,images/,js/,media/,static/,templates/,uploads/,vendor/ --exclude-sizes 0B --skip-on-status 429 --random-agent -u
- Feroxbuster Examples:
cat probed_domains.txt | feroxbuster --stdin -s 200 --no-recursion -k --random-agent --no-state -r -W 0 -w /usr/share/wordlists/custom.txt
- FFuF Example:
ffuf -w /usr/share/wordlists/custom.txt -t 75 -ac -mc 200,405,401,415,302,301 -u
- Gobuster Example:
xargs -a probed_domains.txt -I@ sh -c 'gobuster dir -u "@" --no-error -f -q -k -e --random-agent -w /usr/share/wordlists/custom.txt' | tee -a gobuster.txt

Parameter Discovery
Bruteforcing for parameters can help uncover hidden endpoints vulnerable to injections like SQLi or XSS.
- Tools:
- Arjun Example:
arjun -u "" -m get --stable

- FFUF Example:
ffuf -u -w param_wordlist.txt
1.6 Archived URLs (Wayback Machine)
Sometimes, older versions of the website might expose endpoints or parameters that are not available on the live site. You can use archived data from the Wayback Machine to discover such URLs.
- Tools:
- GAU Example:
gau | anew gau_urls.txt

- Waybackurls Example:
waybackurls | anew wayback_urls.txt
- Katana Example:
katana -passive -pss waybackarchive,commoncrawl,alienvault -f qurl -u | anew katana_urls.txt

Filtering Interesting URLs
To focus on potentially vulnerable URLs, you can use GF
(Grep patterns for fuzzing).
- Tools:
- GF Example:
cat gau_urls.txt | gf xss | anew xss_candidates.txt
cat gau_urls.txt | gf sqli | anew sqli_candidates.txt

1.7 Crawling and Spidering
You can automate crawling of the target website to discover deeper endpoints, hidden forms, or parameters for attacks like XSS or SSRF.
- Tools:
- Katana Example:
katana -list probed_domains.txt -silent -o katana_crawl.txt

- Gospider Example:
gospider -s -d 1 -o gospider_crawl.txt
Crawling is useful to expand the attack surface by identifying all reachable URLs, forms, or parameters for fuzzing.
1.8 ASN and IP Range Enumeration
Identifying the target’s IP range can help expand the attack surface, especially if the target has services running on different IP addresses or subnets.
- Tools:

- Amass ASN Example:
amass intel -asn <ASN_Number> -o asn_targets.txt
1.9 Cloud Asset Enumeration
Cloud providers like AWS, Google Cloud, and Azure often expose assets or storage buckets that can be publicly accessible.
- Tools:
- CloudEnum Example:
cloud_enum -k

1.10 Fingerprinting Web Technologies
Understanding the technologies in use can help you tailor your attacks. For instance, knowing the CMS or the web server can lead you to specific vulnerabilities or exploits.
- Tools:
- WhatWeb Example:

- Wappalyzer (Browser Extension): Simply browse the target site to see technologies in use.
By combining all these techniques, tools, and methods, you can gather an extensive amount of information about your target, increasing the likelihood of finding exploitable vulnerabilities. Make sure to automate as much as possible but never skip manual validation — often the real bugs are hiding in plain sight!
“When you find a subdomain no one has touched in years:”️

2. Mapping the Attack Surface: Identifying Entry Points
Now that you’ve collected subdomains, URLs, and ports, it’s time to map out the target’s attack surface. This includes testing for vulnerable technologies and hidden paths.
2.1 JS File Analysis
JavaScript files can leak sensitive information like API keys, hardcoded secrets, or even useful endpoints.
- Tools:
- LinkFinder Example:
python3 -i -o cli
- SubJS Example:
subjs -i | anew js_endpoints.txt
- Katana Example:
katana -list probed_domains.txt -jc | grep "\.js"

Using automation is a great option, but always remember that the manual approach is essential.
“When you find an exposed admin panel:”

3. Vulnerability Testing: Let the Hacking Begin!
Now comes the fun part — finding actual bugs. In this section, we cover the most common vulnerabilities and how to test for them.
3.1 Cross-Site Scripting (XSS)
XSS occurs when a web application doesn’t sanitize user input, allowing the attacker to inject malicious JavaScript.
- Tools:
- KXSS Example:
cat xss.txt | kxss | grep "\" ' < >" | tee kxss.txt

- Dalfox Example:
dalfox url "" -o dalfox_xss.txt

3.2 SQL Injection (SQLi)
SQLi allows attackers to manipulate queries sent to a database, extracting sensitive information.
- Tools:
,Manual payloads
- SQLMap Example:
sqlmap -u "" --dbs
3.3 Server-Side Request Forgery (SSRF)
In SSRF, the attacker tricks the server into making requests to internal services.
- Tools:
,Burp Suite
- Payload Example:
3.4 IDOR (Insecure Direct Object Reference)
IDOR allows you to access other users’ data by manipulating object identifiers.
- Tools:
Burp Suite
- Testing Method: Change the ID parameter in the URL or body and observe if data from other users is exposed.
3.5 Open Redirect
This occurs when a web application redirects users to an untrusted website without proper validation.
- Tools:
Burp Suite
, manual payloads - Payload Example:
3.6 File Upload Vulnerabilities
Improperly configured file upload functionality can allow attackers to upload malicious files (e.g., web shells).
- Tools:
Burp Suite
, manual payloads - Payload Example: Try uploading
, or.exe
files and check if they are executed on the server.
“When your XSS alert pops:”

4. Advanced Enumeration & Attack Techniques
Some bugs require more advanced techniques to discover. These are a bit more complex but can result in higher rewards.
4.1 DNS Rebinding
This attack tricks a target into visiting a malicious DNS server, allowing the attacker to send requests to internal services.
- Tool:
4.2 SSRF to Internal Port Scanning (continued)
Sometimes SSRF can be used to scan the internal network or services running on the target. You can craft requests to target internal IP ranges, looking for open ports or vulnerable services.
- Tool:
Burp Suite
for manual testing, or automation tools likeffuf
for large-scale probing. - Payload Example:
This can be extended to target specific internal services like databases, admin panels, or APIs.
4.3 Host Header Injection
By manipulating the Host header in an HTTP request, you might be able to bypass access control, generate SSRF-like behavior, or conduct cache poisoning attacks.
- Tool:
Burp Suite
- Payload Example: Change the
header to an external domain or a local IP:
This could potentially lead to a variety of attacks depending on how the server handles the Host header.
4.4 Cache Poisoning
Cache poisoning attacks target web caches by sending crafted requests that pollute the cache with malicious content, leading to XSS or other vulnerabilities.
- Tool:
Burp Suite
or manual payloads - Payload Example: Modify query strings or headers in a way that gets reflected back to users:<script>alert('xss')</script>
If the server stores this response in its cache, other users may see the injected script when visiting the cached page.
5. Post-Exploitation & Reporting
After identifying vulnerabilities, it’s crucial to properly document your findings for a bug bounty report. This helps the target organization understand the severity and reproduce the issue.
5.1 Document Your Findings
- Take clear screenshots of any steps leading to vulnerability exploitation.
- Include detailed descriptions of each step, starting with the tools used, exact URLs tested, and payloads.
- Offer remediation advice: Suggest how the target can fix the vulnerability, whether through code changes, configuration updates, or better security practices.
5.2 Prioritize by Impact
- Highlight which vulnerabilities pose the highest risk (e.g., those leading to unauthorized data access or remote code execution).
- Use vulnerability scoring frameworks like CVSS (Common Vulnerability Scoring System) to assess the severity.
5.3 Submit a Clear Report
- Use platforms like HackerOne, Bugcrowd, or directly contact the target company.
- Keep your reports concise but informative, with clear reproduction steps, including screenshots, tools, and payloads used.
6. Keep Learning and Improving
Bug bounty hunting is a continuous learning process. Regularly update your knowledge with new techniques, tools, and vulnerabilities. Follow bug bounty write-ups, stay active in security communities, and continuously practice on platforms like Hack The Box, TryHackMe, or CTF challenges.
“When you get a high-severity bug:”

This checklist should serve as a solid foundation for your bug bounty journey, covering key areas from reconnaissance to advanced exploitation techniques. Remember, the more you practice and refine your skills, the better you’ll become at finding high-impact bugs.
Happy hunting! 🕵️‍♂️
If you liked the write-up, appreciate it by giving up to 50 claps 👏🏻.
Let’s connect on LinkedIn for more: LinkedIn Profile