Metodología para bug bounties v2 de @jhaddix

Jason Haddix (@jhaddix) es un californiano que durante el 2014 y 2015 fue número 1 de los cazadores de bugs de Bugcrowd y actualmente está liderando la parte de seguridad y confianza de la compañía. Tal bagaje es para tener en cuenta, sobretodo cuando comparte una útil y valiosa metodología para bug bounties. Su primera versión se basa en la charla de la Defcon 23 "How to shot Web: better hacking in 2015" y recientemente y con motivo de la primera Virtual Hacking Conference de Bugcrowd (LevelUp) ha publicado la segunda versión que, de seguro, será una guía a revisar e incluso un referente para muchos pentesters y “bug hunters”:

Las secciones, actualizadas la mayoría hace cuatro meses, son las siguientes:

  • Philosophy
  • Discovery
  • Mapping
  • Authorization and Sessions
  • Tactical fuzzing
  • Privilege, Transport and Logic
  • Web services
  • Mobile vulnerabilities
  • Auxiliary Information

  • Las herramientas incluidas en la presentación del Bug Hunters Methodology V2:

    • Sublist3r (Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT).
    • Brutesubs (An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose).
    • Cloudflare_enum (Cloudflare DNS Enumeration Tool for Pentesters).
    • (Quick and Dirty script to use the Censys API to query subdomains of a target domain).
    • massdns (A high-performance DNS stub resolver).
    • ListSubs.txt (A list with a lot of subs).
    • EyeWitness (EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible).
    • GoBuster (Directory/file & DNS busting tool written in Go).
    • RobotsDisallowed (The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt).
    • Parameth (This tool can be used to brute discover GET and POST parameters).
    Web Content
    • GroundControl (A collection of scripts that run on my web server).
    • Sleepy-Puppy (Sleepy Puppy XSS Payload Management Framework).
    • XSSHunter (The XSS Hunter service - a portable version of
    • TPLMap (Code and Server-Side Template Injection Detection and Exploitation Tool).
    • PsychoPATH (Hunting file uploads & LFI in the dark).
    • Commix (Automated All-in-One OS command injection and exploitation tool)

    • AutoSubTakeover (A tool used to check if a CNAME resolves to the scope adress).
    • HostileSubBruteforcer (This app will bruteforce for exisiting subdomains)
    • Tko-Subs (A tool that can help detect and takeover subdomains with dead DNS records).
    • SandCastle (Python script for AWS S3 bucket enumeration).
    • GitRob (Reconnaissance tool for GitHub organizations).
    • TruffleHog (Searches through git repositories for high entropy strings, digging deep into commit history)
    Plugins BurpSuite

    Metodología para bug bounties v2 de @jhaddix Metodología para bug bounties v2 de @jhaddix Reviewed by Zion3R on 19:15 Rating: 5