
Bug-Bounty-Notes

My go-to reference for everything related to bug bounty work.

Tools

Recon

Amass performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

example usage: amass enum -brute -active -d domain.com -o amass-output.txt

httprobe takes a list of domains and probes for working HTTP and HTTPS servers. It can be combined with Amass output and told to probe additional ports.

example usage: cat amass-output.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 50 | tee online-domains.txt

anew finds the difference between an old and a new list of domains, passing on only the entries that were not seen before.

example usage: cat new-output.txt | anew old-output.txt | httprobe

dnsgen generates permutations of domain names from the provided input. Combinations are created from a wordlist, and custom words are extracted from the input on each execution.

example usage: cat amass-output.txt | dnsgen - | httprobe

Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of the HTTP-based attack surface.

example usage: cat targets.txt | aquatone

This scrapes /robots.txt for every domain I provide, going back as many years as possible.

example usage: waybackpy --url akamhy.github.io --user_agent "my-user-agent" --known_urls

A custom tool to scrape each discovered endpoint and search for input names, ids and JavaScript parameters. It is a combination of InputScanner, LinkFinder and Parameth.

example usage: python parameth.py -u "http://example.com/"

Attacks

XSS

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Web Application Firewalls: A web application firewall is a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.

Here is a good reference that describes WAFs, how to detect them, and how to systematically attack them.

Process for testing XSS and filtering

  • Test for encoding or weird behavior
  • Reverse engineer the developer's thoughts
    • What filter was created, and why?
    • Is it a blacklist or a whitelist of allowed tags?
    • Does it encode things? If so, how does it encode them?
  • Test the XSS flow
    • How are non-malicious tags or incomplete tags handled?
    • What tags can you chain together?
  • File upload for stored XSS
    • Are there any filters on file names?
    • Are there filters on file types?

IDOR

Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.

In a nutshell, testing for IDOR is about changing one integer value (an object id) to another and seeing what happens.

EXAMPLE

{"example":"example","id":"1"}
{"example":"example","id":"2"}
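As an added example (not from these notes), a Python model of the request above served two ways: a lookup that trusts the client-supplied id, beside one that scopes the lookup to the authenticated owner. The record store, user names and handler names are constructed for this example.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    id: int
    owner: str
    body: str

# Constructed sample data: sequential ids, one record per user.
RECORDS = {
    1: Record(1, "alice", "alice's private note"),
    2: Record(2, "bob", "bob's private note"),
}

class NotFound(Exception):
    """Used for both missing and foreign records, so the response does not
    reveal which ids exist to a user who does not own them."""

def get_record_vulnerable(session_user, record_id):
    # Direct object reference: the lookup trusts the client-supplied id and
    # never consults the session, so changing id 1 to 2 returns another user's record.
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound
    return rec.body

def get_record_hardened(session_user, record_id):
    # Authorization is part of the lookup: the record must belong to the
    # authenticated user, and a foreign id fails the same way as a missing one.
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        raise NotFound
    return rec.body

def handle_request(handler, session_user, raw_json):
    """Serve a body like {"example":"example","id":"2"} through the given
    handler. Returns (status, body) as the API would."""
    try:
        record_id = int(json.loads(raw_json)["id"])
    except (ValueError, KeyError, TypeError):
        return 400, "bad request"
    try:
        return 200, handler(session_user, record_id)
    except NotFound:
        return 404, "not found"
```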

Follow up (process so far)

reference: Attacking Drupal (https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/drupal)

recon with subfinder/amass

look into nuclei templates

dalfox for xss

axiom for distributed scans

References

  • Zseano's Methodology
  • Nahamsec Recon
  • Jason Haddix Recon
