1UC1F3R616/hunter.md

## hunter.md

      
    Raw
  

              hunter.md
            
          
    Finding what websites you can hunt as a BBH

Google Dorks


"responsible disclosure program" | "vulnerability disclosure program" | "vulnerability program rewards" | "bug bounty reward program"
inurl: vulnerability disclosure inurl: responsible disclosure

Recon

Discovering Subdomain and Content


amass enum -brute -active -d domain.com -o amass-output.txt

Finding working http/https servers via httpx


cat amass-output.txt | httpx -silent
For getting more info related to servers: httpx -l amass-output.txt -follow-host-redirects -ip -status-code -title -content-length -web-server -silent
For finding some hidden gems: cat amass-output.txt | dnsgen - | httpx -silent

Discover files and Directories


dirsearch.py: python3 dirsearch.py -u https://www.domain.com/ -e js,html
FUFF: ffuf -ac -v -u https://www.domain.com/FUZZ -w /home/kush/Pentest/SecLists/Discovery/Web-Content/directory-list-1.0.txt
Finding directories from earlier point via wayback: use this

Discovering params


use arjun to find hidden parameters: arjun -u https://www.domain.com/login -c 10

General Approach


Do check 169.254.169.254/latest/meta-data
Try double encoding while checking for xss or uri redirect and other encoding formats. Check this
XSS FilterByPass cheatsheet: here