BUG HUNTING METHODOLOGY
```bash
subfinder -d yoursite.com -all -recursive > subdomains.txt
httpx -l subdomains.txt -ports 80,8080,8000,8888 -threads 200 > subdomains_alive.txt
naabu -list subdomains.txt -c 50 -nmap-cli 'nmap -sV -sC' -o naabu-full.txt
dirsearch -l subdomains_alive.txt -i 200,204,403,443 -x 500,502,429,501,503 -R 5 --random-agent -t 50 -F -w /home/coffinxp/oneforall/onelistforallshort.txt -o directory.txt
cat subdomains_alive.txt | gau > newparams.txt
cat newparams.txt | uro > filterparams.txt
cat filterparams.txt | grep '\.js$' > jsfiles.txt
cat jsfiles.txt | while read -r url; do python3 /home/coffinxp/SecretFinder/SecretFinder.py -i "$url" -o cli >> secret.txt; done
grep aws secret.txt
grep google secret.txt
grep twilio secret.txt
grep Heroku secret.txt
nuclei -list newparams.txt -t /home/coffinxp/Custom-Nuclei-Templates
```
Let's break down what each command does in this bug hunting methodology:
1. **subfinder**:
- It's a subdomain enumeration tool. `-d` specifies the domain to enumerate.
- The `-all` flag requests all discovered subdomains.
- The `-recursive` flag performs recursive subdomain enumeration.
2. **httpx**:
- It's an HTTP enumerator and validator. The `-l` flag loads subdomains from a file.
- `-ports` specifies the ports to scan.
- `-threads` sets the number of threads for concurrency.
3. **naabu**:
- Another network recon tool. `-list` specifies the list of subdomains.
- `-c` sets the concurrency.
- `-nmap-cli` specifies the Nmap command to run on discovered ports. `-sV` does version detection, `-sC` does default script scanning.
4. **dirsearch**:
- A directory brute-forcing tool. The `-l` flag loads alive subdomains from a file.
- `-i` specifies status codes to ignore.
- `-t` sets the number of threads.
- `-F` to force HTTPS.
- `-w` specifies the wordlist to use.
5. **gau**:
- A tool for extracting URLs from HTTP responses.
6. **uro**:
- It filters or manipulates the URLs in some way.
7. **grep '\.js$'**:
- A Unix command-line utility for searching plain-text data for lines matching a regular expression.
- This particular command keeps only the URLs ending with `.js`.
8. **SecretFinder.py**:
- A custom Python script for finding secrets in web pages.
- The loop reads each URL in `jsfiles.txt` and runs the script on it, appending the findings to `secret.txt`.
9. **grep aws**, **grep google**, **grep twilio**, **grep Heroku**:
- These commands select the lines in `secret.txt` that contain specific keywords (`aws`, `google`, `twilio`, `Heroku`).
10. **nuclei**:
- A fast vulnerability scanner that checks for various issues in applications and servers.
- `-list` specifies the list of URLs to scan.
- `-t` specifies the templates to use.
So, this methodology encompasses various steps for reconnaissance, subdomain enumeration, directory brute-forcing, URL extraction, secret finding, and vulnerability scanning. Each step contributes to the discovery of potential vulnerabilities or sensitive information in the target web application.
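As an added example (not part of the original post), here is a Python post-processing step for items 8 and 9 that replaces the four bare `grep` calls with provider-specific key-ID patterns, de-duplicates repeated hits across JS files and redacts each value for the report. The SecretFinder output format, the sample lines and the patterns are assumptions, not the tool's own rule set.

```python
import re
from collections import defaultdict

# Key-ID formats by provider. These are assumed patterns built from publicly documented
# prefixes, not SecretFinder's own rule set; confidence reflects how distinctive each is.
PATTERNS = {
    "aws": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high"),
    "google": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "high"),
    "twilio": (re.compile(r"\bAC[0-9a-f]{32}\b"), "medium"),
    # Heroku API keys are plain UUIDv4, so any UUID matches: low confidence, triage by hand.
    "heroku": (re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b"), "low"),
}

def redact(token):
    """Keep a short prefix/suffix so a hit can be triaged without copying the full value."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]

def classify(lines):
    """Return {provider: sorted [(source_url, redacted_token, confidence)]}, duplicates collapsed."""
    hits = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        first = line.split()[0]
        url = first if first.startswith("http") else "<unknown>"
        for provider, (pattern, confidence) in PATTERNS.items():
            for token in pattern.findall(line):
                hits[provider].add((url, redact(token), confidence))
    return {p: sorted(s) for p, s in hits.items()}

# Constructed sample in the shape of SecretFinder's cli output (format assumed). Values are
# synthetic or vendor documentation examples, not live credentials.
SAMPLE = """\
https://app.example.com/static/main.js -> aws_access_key : AKIAIOSFODNN7EXAMPLE
https://app.example.com/static/main.js -> aws_access_key : AKIAIOSFODNN7EXAMPLE
https://app.example.com/static/maps.js -> google_api : AIzaSyAB1c2D3e4F5g6H7i8J9k0L1m2N3o4P5q6
https://cdn.example.com/chat.js -> twilio_sid : AC0123456789abcdef0123456789abcdef
https://app.example.com/static/main.js -> build_id : 2024-01-01
"""

if __name__ == "__main__":
    for provider, found in classify(SAMPLE.splitlines()).items():
        for url, token, confidence in found:
            print(f"[{confidence}] {provider}: {token} in {url}")
```

Running it on a real `secret.txt` is a matter of passing `open("secret.txt")` instead of `SAMPLE.splitlines()`; the redacted output is what should go into the report, never the raw value.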