# Approach

* Recon
* Sub Domain
* Public Exploits
* Asset Discovery
* Google Search
* Censys

  * censys.io
    * Look for SSL certificates
      * `443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_name:bugcrowd.com`
    * Look for Internal certificates
      * `"COMPANY" + internal (get creative)`: might allow you to find a company-internal subdomain or IP address not mentioned anywhere
* Shodan
* Web Archive
* Sensitive info from public resources - GitHub, Gist, Pastebin, Trello, Google Sites, Google Groups, Prezi, Scribd, SlideShare, online IDEs, GitHub wiki, Grafana, ZooKeeper
* Trello - <https://www.freecodecamp.org/news/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724/>
* <https://twitter.com/imhaxormad/status/1118289299152072706>
* OSINT - <https://twitter.com/payloadartist/status/1066641639534297088>
* Javascript Recon / Client Side Recon
* Reverse DNS / Whois
* Virtual Host <https://twitter.com/HusseiN98D/status/1158503813399142401>
* Retrieve HTTP Status - <https://twitter.com/HusseiN98D/status/1159912979695116293>
* Broken link hijacking
* Referer Header Check
* Rate Limiting
* BFAC (Backup File Artifacts Checker) - An automated tool that checks for backup artifacts that may disclose the web application's source code. - <https://github.com/mazen160/bfac>
* Bruteforce GET / POST methods
* Vhost bruteforcing
* vhost - <https://twitter.com/nnwakelam/status/1114122122534641664>
* vhost - <https://twitter.com/rez0__/status/1254588390114287617>

  Use ffuf for vhosting on every new domain to find hidden servers/admin panels: `ffuf -c -u https://target.com -H "Host: FUZZ" -w vhost_wordlist.txt`
* Content discovery - [gau](https://github.com/lc/gau), [ParamSpider](https://github.com/devanshbatham/ParamSpider), [waybackurls](https://github.com/tomnomnom/waybackurls), httpx, Subfinder, [Sublist3r](https://github.com/aboul3la/Sublist3r)
* urlscan.io - Get directory and files from [@urlscanio](https://twitter.com/urlscanio) public scans for fun & profit: `url(){ gron "https://urlscan.io/api/v1/search/?q=domain:$1…" | grep 'url' | gron --ungron; }`, then `source .bash_profile` and run `url http://target.com`. Make sure you have [@TomNomNom](https://twitter.com/TomNomNom)'s gron installed.
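
The Censys item above notes that certificate SANs can reveal internal subdomains or IP addresses. The following is an added example, not part of the original notes, that audits an inventory of your own certificates for that exposure; the suffix and label lists, function names and sample inventory are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; an address from these in a public certificate leaks internal layout.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed markers of internal naming; adjust to your own conventions.
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intra")
INTERNAL_LABELS = {"internal", "intranet", "corp", "vpn", "staging", "dev"}


def classify_san(entry):
    """Return a reason string if a SAN entry exposes internal detail, else None."""
    name = entry.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        return "private-ip" if any(ip in net for net in RFC1918) else None
    # Wildcards still disclose the zone they cover, so strip "*." and inspect the rest.
    host = name[2:] if name.startswith("*.") else name
    if host.endswith(INTERNAL_SUFFIXES):
        return "non-public-suffix"
    if INTERNAL_LABELS & set(host.split(".")):
        return "internal-label"
    return None


def audit_certificates(certs):
    """certs: {certificate id: [SAN entries]} -> sorted list of (id, entry, reason)."""
    findings = []
    for cert_id, sans in certs.items():
        for entry in sans:
            reason = classify_san(entry)
            if reason:
                findings.append((cert_id, entry, reason))
    return sorted(findings)


# Constructed sample inventory (example.com names, RFC 1918 and documentation addresses).
SAMPLE = {
    "cert-a": ["www.example.com", "api.example.com"],
    "cert-b": ["jenkins.internal.example.com", "10.20.0.5"],
    "cert-c": ["*.corp.example.com", "build01.example.local", "192.0.2.10"],
}

if __name__ == "__main__":
    for cert_id, entry, reason in audit_certificates(SAMPLE):
        print(f"{cert_id}: {entry} -> {reason}")
```

Certificates flagged this way are candidates for reissue from a private CA or with the internal names removed, since anything in a publicly trusted certificate ends up in searchable indexes.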
