
Bug Bounty Methodology: A Systematic Approach to Finding High-Impact Vulnerabilities

Introduction

Bug bounty research is the practice of finding security vulnerabilities in applications and responsibly disclosing them to vendors in exchange for financial rewards and recognition. Beyond the financial aspect, active bug bounty participation is one of the best ways to continuously sharpen offensive security skills and build a public track record of security research.

This article documents the methodology I use for web application bug bounty research, covering reconnaissance automation, vulnerability hunting workflow, report writing that gets paid, and the tooling stack that makes it efficient.

Successful bug bounty research is 70% reconnaissance and 30% exploitation. Know your target better than the developers do.

Reconnaissance Framework

Subdomain Enumeration

# Comprehensive subdomain enumeration
# Step 1: Passive enumeration
subfinder -d target.com -o subfinder-results.txt
amass enum -passive -d target.com -o amass-passive.txt
assetfinder --subs-only target.com > assetfinder.txt

# Step 2: DNS brute force
gobuster dns -d target.com -w /usr/share/wordlists/subdomains-top1million-5000.txt -o gobuster-dns.txt

# Step 3: Merge and resolve
cat subfinder-results.txt amass-passive.txt assetfinder.txt gobuster-dns.txt | sort -u > all-subs.txt
httprobe < all-subs.txt > live-hosts.txt

# Step 4: Screenshot all live hosts
gowitness file -f live-hosts.txt --delay 3
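The merge step above is where scope problems creep in: every tool formats hosts a little differently, and passive sources return names you are not permitted to test. The following is an added example (not part of the original article) that normalizes the raw lines, deduplicates them, and keeps only hosts under the program's in-scope roots while honouring an exclusion list. The sample lines and the names target.com and legacy.target.com are constructed placeholders.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample lines standing in for the merged output of the tools above
# (none of these are real hosts). Tools disagree on case, trailing dots, wildcard
# entries and scheme prefixes, and some prefix hits with a label ("Found: ...").
RAW_RESULTS = """
api.target.com
API.target.com.
*.dev.target.com
https://www.target.com
www.target.com
Found: staging.target.com
cdn.target.com.evil-lookalike.net
mail.target.com
legacy.target.com
targetcom.example.org
"""

# One or more DNS labels of letters, digits and inner hyphens.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")

def normalize(entry: str) -> Optional[str]:
    """Reduce one output line to a bare lowercase hostname, or None if no hostname is present."""
    for token in entry.split():
        h = token.lower()
        h = re.sub(r"^[a-z]+://", "", h)          # drop scheme
        h = h.split("/", 1)[0].split(":", 1)[0]   # drop path and port
        h = h.rstrip(".")                         # drop trailing dot from DNS-style output
        if h.startswith("*."):
            h = h[2:]                             # wildcard record: keep the base name
        if HOST_RE.match(h):
            return h
    return None

def in_scope(host: str, roots: Iterable[str], excluded: Iterable[str] = ()) -> bool:
    """True if host is a root or a subdomain of one, and not excluded.

    The '.' prefix matters: a bare endswith('target.com') would accept
    'nottarget.com', and a substring test would accept 'target.com.evil-lookalike.net'.
    """
    if any(host == ex or host.endswith("." + ex) for ex in excluded):
        return False
    return any(host == root or host.endswith("." + root) for root in roots)

def merge_scope(raw: str, roots: Iterable[str], excluded: Iterable[str] = ()) -> List[str]:
    """Deduplicate, normalize and scope-filter raw tool output; returns a sorted host list."""
    roots, excluded = list(roots), list(excluded)
    hosts = set()
    for line in raw.splitlines():
        h = normalize(line)
        if h and in_scope(h, roots, excluded):
            hosts.add(h)
    return sorted(hosts)

if __name__ == "__main__":
    # Program scope: *.target.com, with legacy.target.com listed as out of scope.
    for host in merge_scope(RAW_RESULTS, roots=["target.com"], excluded=["legacy.target.com"]):
        print(host)
```

Feed it the concatenation of the tool output files and resolve only what it returns; the lookalike domain and the excluded host never reach httprobe.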

JavaScript File Analysis

# Extract JS files and find endpoints/secrets (gau is the getallurls binary)
mkdir -p /tmp/js-files
gau target.com | grep -E '\.js(\?|$)' | sort -u > js-files.txt
while read -r url; do
  # Keep a copy of each file for the secret scan below, then pull out path-like strings
  curl -s "$url" | tee "/tmp/js-files/$(echo "$url" | md5sum | cut -c1-12).js" \
    | python3 -c 'import sys,re; print("\n".join(re.findall(r"[\x27\"/]([a-z0-9_/-]{3,})", sys.stdin.read())))'
done < js-files.txt | sort -u > endpoints.txt

# Secret scanning in the saved JS files
trufflehog filesystem /tmp/js-files/ --only-verified
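The one-line regex above is a quick filter; it also matches fragments such as the "/json" of a MIME type and misses template literals. As an added example that is not from the original article and generalizes that step, the extractor below only accepts quoted strings that are full URLs or root-relative paths, drops static assets, and runs two format-anchored secret patterns over the same source. The JavaScript sample is constructed; the AWS key in it is the documented example key from AWS's own documentation, used as a test vector.

```python
import re
from typing import Dict, List, Set

# Constructed JavaScript standing in for a downloaded bundle (not taken from any real site).
# The AWS key is the documented example key from AWS's own docs, used as a test vector.
SAMPLE_JS = r"""
const API = "/api/v1";
fetch(API + "/users/" + id + "/profile", {headers: {"Content-Type": "application/json"}});
axios.post('/api/v1/orders', body);
const LEGACY = `https://legacy.target.com/admin/export`;
var logo = "/static/img/logo.png";
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
"""

# A quoted string that is a full http(s) URL or a root-relative path.
# Requiring the leading '/' is what keeps MIME types like "application/json" out.
PATH_RE = re.compile(r"""["'`](https?://[^"'`\s]+|/[A-Za-z0-9_./-]{2,})["'`]""")

# Static assets are noise for endpoint discovery.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".woff", ".woff2", ".ico", ".map")

# Conservative, format-anchored secret patterns; verify any hit before reporting it.
SECRET_RES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

def extract_endpoints(js: str) -> List[str]:
    """Return sorted unique URL/path literals, minus static assets."""
    found: Set[str] = set()
    for m in PATH_RE.finditer(js):
        path = m.group(1)
        if not path.lower().endswith(STATIC_EXT):
            found.add(path)
    return sorted(found)

def find_secrets(js: str) -> Dict[str, List[str]]:
    """Return {pattern_name: [matches]} for patterns that hit at least once."""
    hits: Dict[str, List[str]] = {}
    for name, rx in SECRET_RES.items():
        matches = sorted({m.group(0) for m in rx.finditer(js)})
        if matches:
            hits[name] = matches
    return hits

if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_JS):
        print("endpoint:", endpoint)
    for name, values in find_secrets(SAMPLE_JS).items():
        print("possible secret:", name, values)
```

Concatenated paths such as "/users/" + id + "/profile" come out as separate fragments, which is a reminder to read the surrounding code before adding an endpoint to the test list. Treat a secret hit as a lead, not a finding, until the credential is confirmed live, which is what trufflehog's --only-verified flag does.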

High-Value Vulnerability Classes

IDOR (Insecure Direct Object References)

# IDOR hunting checklist:
# 1. Find any request with an ID parameter
# 2. Change ID to another user's ID
# 3. If data belongs to another user = IDOR

# Example: Change user_id in GET /api/profile?user_id=1234
# Try: GET /api/profile?user_id=1235 (neighbor user)
# Try: GET /api/profile?user_id=1 (admin/first user)
# Try encoding: base64, URL encoding, JSON

# Automate with Burp Intruder or ffuf:
ffuf -u "https://target.com/api/profile?user_id=FUZZ" -w user-ids.txt -fc 403,401
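What the checklist is probing for is a handler that authenticates the caller but never checks that the requested object belongs to them. The following is an added example, not code from the original article, showing that vulnerable handler beside its fixed form, plus the log-side signal an ffuf run like the one above leaves behind: one session reading many different user_ids. The profile records, session names and log lines are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict

# Constructed in-memory profile store (placeholder records, not real data).
PROFILES: Dict[int, dict] = {
    1:     {"email": "admin@example.com", "payment_last4": None},
    12345: {"email": "usera@example.com", "payment_last4": "4242"},
    12346: {"email": "userb@example.com", "payment_last4": "1111"},
}
ADMIN_IDS = {1}

class AuthorizationError(Exception):
    """Would map to HTTP 403; many teams return 404 instead so the response does not confirm the ID exists."""

@dataclass
class Request:
    session_user_id: int  # principal the server authenticated from the session cookie or token
    path_user_id: int     # the {user_id} taken from the URL, i.e. chosen by the client

def get_profile_vulnerable(req: Request) -> dict:
    """Authenticated but not authorized: exactly the IDOR the checklist looks for."""
    return PROFILES[req.path_user_id]

def get_profile_fixed(req: Request) -> dict:
    """Object-level authorization: the record must belong to the caller, or the caller is an admin."""
    if req.path_user_id != req.session_user_id and req.session_user_id not in ADMIN_IDS:
        raise AuthorizationError(f"user {req.session_user_id} may not read user {req.path_user_id}")
    return PROFILES[req.path_user_id]

def is_denied(req: Request) -> bool:
    """Helper for the demo: True if the fixed handler refuses the request."""
    try:
        get_profile_fixed(req)
        return False
    except AuthorizationError:
        return True

# Detection side: an ID-fuzzing run leaves one session reading many different user_ids.
# Constructed access-log lines in a simplified "<session> <method> <path> <status>" format.
ACCESS_LOG = """\
sess-A GET /api/v1/users/12345/profile 200
sess-A GET /api/v1/users/12346/profile 200
sess-A GET /api/v1/users/12347/profile 200
sess-A GET /api/v1/users/12348/profile 200
sess-B GET /api/v1/users/12346/profile 200
sess-B GET /api/v1/users/12346/profile 200
"""
LOG_RE = re.compile(r"^(\S+) \S+ /api/v1/users/(\d+)/profile (\d{3})$")

def sessions_reading_many_profiles(log: str, threshold: int = 3) -> Dict[str, int]:
    """Return {session: distinct user_ids read} for sessions at or above `threshold`."""
    ids = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids[m.group(1)].add(int(m.group(2)))
    return {s: len(v) for s, v in ids.items() if len(v) >= threshold}

if __name__ == "__main__":
    a_reads_b = Request(session_user_id=12345, path_user_id=12346)
    print("vulnerable handler returned:", get_profile_vulnerable(a_reads_b))
    print("fixed handler denied:", is_denied(a_reads_b))
    print("sessions to review:", sessions_reading_many_profiles(ACCESS_LOG))
```

The fix is a single comparison between the authenticated principal and the object owner, which is why the remediation section of the report can be short. On the detection side, the same query over 403/404 responses after the fix is deployed shows whether anyone is still probing.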

SSRF (Server-Side Request Forgery)

# SSRF hunting - look for URL parameters
# Parameters: url, link, src, redirect, fetch, img, image, path, file

# Test payloads:
curl -s "https://target.com/api/fetch?url=http://169.254.169.254/latest/meta-data/"
curl -s "https://target.com/api/fetch?url=http://internal-service:8080/admin"

# Use Collaborator/interactsh for blind SSRF:
curl -s "https://target.com/api/fetch?url=https://your.interactsh.server/test"

Report Writing That Gets Paid

A well-written bug bounty report dramatically increases payout speed and amount. Every report must include:

  • Summary (1-2 sentences)
  • Affected endpoint
  • Vulnerability type (CWE)
  • Severity rating (CVSS score)
  • Step-by-step reproduction
  • Proof of Concept (screenshots or video)
  • Impact statement (business risk)
  • Suggested remediation

Example (an abbreviated IDOR report):

## Summary
An IDOR vulnerability in the user profile API allows authenticated users to access and modify other users' private data by manipulating the user_id parameter.

## Affected Endpoint
GET /api/v1/users/{user_id}/profile

## Severity
High (CVSS 3.1: 8.1 - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

## Steps to Reproduce
1. Log in as User A (user_id=12345)
2. Navigate to /api/v1/users/12345/profile - observe your own data
3. Change user_id to 12346 in the request
4. Observe that User B's private profile data is returned without authorization check

## Impact
Any authenticated user can read or modify any other user's private profile data, including email addresses, payment methods, and personal information. This constitutes a data breach under GDPR Article 4.

Essential Bug Bounty Tooling

  • Reconnaissance: Subfinder, Amass, Assetfinder, HTTProbe, GoWitness, Hakrawler
  • Fuzzing: ffuf, Dirsearch, Gobuster
  • Exploitation: Burp Suite Pro, SQLMap, XSStrike, Nuclei
  • SSRF/OOB: Interactsh, Burp Collaborator
  • Secrets: TruffleHog, GitLeaks, SecretFinder
  • Automation: Nuclei templates, custom bash scripts