Bug Bounty & Web

Bug Bounty Program

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet bug bounty. Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs.

Web Application Penetration Testing

Web application penetration testing, also known as pentesting, simulates attacks against your web applications, to help you identify security flaws and weaknesses so they can be remediated. You can use penetration tests to detect vulnerabilities across web application components and APIs including the backend network, the database, and the source code.

A web application penetration testing process provides a detailed report with security insights. You can use this information to prioritize threats and vulnerabilities and define a remediation strategy.

Web Security Resources

• Ultimate-Roadmap-to-Get-Started-Into-Web-Penetration-Testing

• Infosec Write-ups

• Resources-for-Beginner-Bug-Bounty-Hunters

• OWASP Checklist

• OWASP Learning Path

• PortSwigger Academy CheatSheets

• Kathan's Web Application Pentesting Checklist

• Six2dez Web Checklist

• Awesome Web Security

• How HTTPS Works

• TLS 1.2 Cheatsheet

• https://www.robotstxt.org/

• JWT Attacks on Notion

• Bug Bounty Subreddit

• Web Security Research Subreddit

• PortSwigger Penetration Testing Tools

• Security Idiots

• Aditya Dixit's Blog

• Bug Bounty Hunting

• Brutelogic Blog

• Hacksplaining OWASP Checklist

• Abusing HTTP Hop-by-hop Request Headers

• Awesome Web Hacking

• All About Bug Bounty

• WAF Bypass

• Python Requests Library Documentation

• Bug Bounty Tips

• HTML5 Security

• Pentest Monkey Cheat Sheet

• Pentester Land

• Awesome WAF

• XSS Payload List

• CSRF PoC Generator

• Advance Web Application Penetration Checklist

• Bug Bounty Cheatsheet

• Awesome Oneliner Bug Bounty

• Bug Bounty Cheatsheet

• Complete Bug Bounty Cheat Sheet (PDF)

• Cyberheartmi9's Gist: Bug Bounty Cheatsheet 1

• Cyberheartmi9's Gist: Bug Bounty Cheatsheet 2

• Cyberheartmi9's Gist: Bug Bounty Cheatsheet 3

• Top 10 Web Hacking Techniques of 2017

• Top 10 Web Hacking Techniques of 2018

• Top 10 Web Hacking Techniques of 2019

• Top 10 Web Hacking Techniques of 2020

• Top 10 Web Hacking Techniques of 2021

• Top 10 Web Hacking Techniques of 2022

Web Security Tools

• OWASP Vulnerability Scanning Tools

• Nuclei

• Burp Suite

• Acunetix

• Caido

• OWASP ZAP

• BeEF (The Browser Exploitation Framework)

• Invicti Security

• Nikto

• Arjun

• Cariddi

• Wapiti Scanner

• TerminatorZ

• Subfinder

• Dirhunt

• Gobuster

• Dirsearch

• Sublist3r

• Shuffledns

• Feroxbuster

• Httpx

• Proxify

• AORT

• Katana

• Sqlmap

• Ffuf

• XssHunter

• GoLinkFinder

• CMSmap

• TheTimeMachine

• Waybackurls

• EyeWitness

• GitTools

Reconnaissance

• Web Check GitHub Repository

• Web Check Website

• Netlas Host Information

• IQWhois

• Hardenize

• CentralOps Domain Dossier

• IPVoid

• W3C Validator

• OSINT.sh

• OpenCorporates

• IP Geolocation:

• Google Apps Dig

• Hunter

• MXToolbox

• Google Apps CheckMX

• SSLlabs

• Webhint

• Virustotal

• Shodan

• Archive

• Urlscan

• Sitecheck

• Whois

• Nslookup

• Dnschecker

• Censys

• Developers Google

• Web Analyze GitHub Repository

• Builtwith

• BGP Tools

• Blacklistchecker

• Radar Cloudflare

• UpGuard Web Scan

• ImmuniWeb Web Security

• HostedScan

• Threat Intelligence Platform

• CSP Evaluator with Google

• SecurityTrails

• Certificate Search

• SSL Shopper

• Dnsdumpster

• ViewDNS

• DNSRecords

• Dns Checker

• RapidDNS

• HSTS Preload

• Security Headers

• Mozilla Observatory

• OWASP Risk Rating

• Security Net OWASP Risk Calculator

• Pastebin

• OWASP Threat Classification

• Common Weakness Enumeration (CWE)

Dorks

• OneDorkForAll

• GG-Dorking

• Github-Dork

• Bug Bounty Helper

• Shodan-Dork

Web Scraping Tools and Resources

• Botasaurus

• WebPalm

• Scrapy

• Colly

• Katana

• Beautiful Soup Web Scraper (Real Python)

• Python Web Scraping Guide (Oxylabs)

Recon - Subdomains

Passive sources

# https://github.com/OWASP/Amass  
# https://github.com/OWASP/Amass/blob/master/examples/config.ini  
amass enum -passive -d domain.com  

# https://github.com/projectdiscovery/subfinder  

# https://github.com/projectdiscovery/subfinder#post-installation-instructions  
subfinder -d domain.com -all -silent  

# https://github.com/tomnomnom/assetfinder  
assetfinder example.com  

# https://github.com/tomnomnom/waybackurls  
# https://github.com/tomnomnom/unfurl  
echo domain.com | waybackurls | unfurl -u domains  

# https://github.com/lc/gau
# https://github.com/tomnomnom/unfurl  
gau --subs example.com | unfurl -u domains  
  
## Cert Transparency  
# https://certificate.transparency.dev/  
# https://crt.sh/  
# https://github.com/glebarez/cero  
cero example.com  
# https://github.com/UnaPibaGeek/ctfr  
python3 ctfr.py -d domain.com  

# Active crtsh monitoring  
#https://github.com/g0ldencybersec/gungnir  
gungnir -r domains.txt  

# https://github.com/gwen001/github-subdomains  
github-subdomains -d example.com -t tokens.txt -o output.txt  

# https://github.com/christophetd/censys-subdomain-finder  
python3 censys-subdomain-finder.py example.com  

# https://github.com/SmoZy92/Shodomain  
python shodomain.py <SHODAN-API-KEY> example.com  

# https://github.com/Cgboal/SonarSearch  
crobat -s example.com

Active DNS resolution

# https://github.com/Josue87/gotator
gotator -sub subdomains/subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md

Crawling

# 1st resolve subdomains on valid websites  
# https://github.com/projectdiscovery/httpx  
cat subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -o webs_info.txt  
# Clean output  
cat webs_info.txt | cut -d ' ' -f1 | grep ".domain.com" | sort -u > websites.txt  
# Crawl them  
# https://github.com/jaeles-project/gospider  
gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt  
# Clean output  
# https://github.com/tomnomnom/unfurl  
cat urls.txt | sed '/^.\{2048\}./d' | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains | grep ".domain.com"

DNS records

# https://github.com/projectdiscovery/dnsx  
dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains.txt

Search engines

• Baidu

• Yahoo

• Google

• Bing

• Yandex

• Exalead

• Dogpile

Specialized search engines

• ZoomEye

• FOFA

• Shodan

• ThreatCrowd

Certificate transparency

• Crt.sh

• Certspotter.com

• Google Transaprency report

• Facebook CT Monitoring

• Certstream

• CertDB

• Censys.io

Public datasets

• Scans.io

• Riddler

• SecurityTrails

• Common Crawl

• PassiveTotal / RiskIQ Community API

• DNSDB

• Forward DNS dataset

• WhoisXML API

• PremiumDrops.com

Online DNS tools & DNS aggregators

• VirusTotal

• Dnsdumpster

• Cloudflare

• Netcraft

• FindSubdomains

• viewdns.info

• Site Dossier

Git repositories

• Github

• Gitlab

web

web_