Approach
Recon
Subdomain
Public Exploits
Asset Discovery
Google Search
Censys
censys.io
Look for SSL/TLS certificates whose Subject Alternative Names mention the target (this is the legacy Censys IPv4-index query syntax; the current Censys search uses different field names for the same data):
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_name:bugcrowd.com
Look for Internal certificates
"COMPANY" + internal (get creative)
=> may turn up an internal subdomain or IP address of the company that is not mentioned anywhere else
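The certificate-search idea above applied directly to a host: a certificate's Subject Alternative Name extension often lists internal or otherwise unpublished hostnames, and that is exactly the field Censys indexes. This is an added example (not from the original page), it assumes openssl is installed, and the in-scope filter and the hypothetical host names in the usage comment are illustrative.

```shell
#!/usr/bin/env bash
# Added example: pull hostnames out of a certificate's Subject Alternative
# Name (SAN) extension, the same data Censys indexes. Requires openssl.

# Print the DNS names in a PEM certificate's SAN extension, one per line.
cert_sans() {  # cert_sans <cert.pem>
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^ *DNS://p' \
    | sort -u
}

# Keep only names that are the scope domain or a subdomain of it.
in_scope() {  # in_scope <domain>   (reads names on stdin)
  grep -E "(^|\.)$(printf '%s' "$1" | sed 's/\./\\./g')\$"
}

# Fetch the leaf certificate a live host presents (SNI = host) and list its SANs.
live_cert_sans() {  # live_cert_sans <host> [port]
  local host=$1 port=${2:-443} tmp
  tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$tmp"
  cert_sans "$tmp"
  rm -f "$tmp"
}

# Usage against a live target (needs network; hypothetical names):
#   live_cert_sans www.example.com | in_scope example.com
```

Run the same functions over certificates saved from Censys, crt.sh or an internal PKI dump; names that pass the scope filter but do not resolve publicly are the "internal" hits the Google query above is also fishing for.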
Shodan
Web Archive
Sensitive info from public resources - GitHub, Gist, Pastebin, Trello, Google Sites, Google Groups, Prezi, Scribd, SlideShare, online IDEs, GitHub wiki, Grafana, ZooKeeper
Trello -
OSINT -
Javascript Recon / Client Side Recon
Reverse DNS / Whois
Virtual Host
Retrieve HTTP Status -
Broken link hijacking
Referer Header Check
Rate Limiting
BFAC (Backup File Artifacts Checker): an automated tool that checks for backup artifacts that may disclose the web application's source code -
Bruteforce GET / POST methods
Vhost bruteforcing
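A minimal vhost brute forcer to go with the heading above, added here as an example (not part of the original page or of any tool it links). It keeps the target IP fixed and varies only the Host header, fingerprints each response as "<status> <body bytes>", and reports anything that differs from the fingerprint of a Host value that cannot exist. The target, domain and wordlist arguments are hypothetical inputs you supply; curl is assumed.

```shell
#!/usr/bin/env bash
# Added example: Host-header (virtual host) brute force against one IP.

# Fingerprint one Host value against a target IP (or hostname) and port.
vhost_probe() {  # vhost_probe <target> <host-header> [port]
  local target=$1 host=$2 port=${3:-80}
  curl -s -o /dev/null -m 10 -w '%{http_code} %{size_download}' \
       -H "Host: $host" "http://$target:$port/"
}

# True when a candidate fingerprint differs from the baseline fingerprint.
vhost_differs() {  # vhost_differs <baseline-fp> <candidate-fp>
  [ "$1" != "$2" ]
}

# Iterate a wordlist of labels, building <label>.<domain> Host headers, and
# print the ones whose response does not match the "no such vhost" baseline.
vhost_brute() {  # vhost_brute <target> <domain> <wordlist> [port]
  local target=$1 domain=$2 wordlist=$3 port=${4:-80} baseline fp label
  # Baseline: a label that cannot be configured anywhere.
  baseline=$(vhost_probe "$target" "nope-$$-$(date +%s).$domain" "$port")
  echo "baseline (random label under $domain): $baseline" >&2
  while IFS= read -r label; do
    [ -n "$label" ] || continue
    fp=$(vhost_probe "$target" "$label.$domain" "$port")
    if vhost_differs "$baseline" "$fp"; then
      echo "$label.$domain $fp"
    fi
  done <"$wordlist"
}

# Usage (needs network; hypothetical target and wordlist):
#   vhost_brute 203.0.113.10 example.com subdomains.txt
```

For HTTPS origins send the candidate name through `--resolve "$host:443:$target"` and request `https://$host/` so SNI and Host agree; and on dynamic pages the byte count drifts, so compare status plus a rounded size or diff the bodies rather than relying on an exact match.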
Content discovery - tools for content discovery: httpx, Subfinder
urlscan.io - Get directories and files from public scans for fun & profit. Add the following to .bash_profile (requires gron; the urlscan.io URL passed to gron was lost from this page):
url(){ gron "" | grep 'url' | gron --ungron; }
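The same urlscan trick done without gron, as an added example rather than the page's own snippet: pull every "url" value out of a search response (page.url, task.url and so on, which is what grepping the gron output for 'url' also catches), strip scheme, query string and fragment, and keep unique host/path pairs. The search endpoint is urlscan's public API; the JSON in the block is constructed sample data so the extractor runs offline.

```shell
#!/usr/bin/env bash
# Added example: reduce a urlscan.io search result to unique host/path pairs.

# Extract every "url" value in a JSON file, drop scheme, query and fragment,
# and print unique host/path pairs (sorted).
urlscan_paths() {  # urlscan_paths <results.json>
  grep -oE '"url": *"[^"]+"' "$1" \
    | sed -E 's/^"url": *"//; s/"$//' \
    | sed -E 's|^https?://||; s|[?#].*$||' \
    | sort -u
}

# Live variant: query the search API for a domain and post-process the result.
urlscan_paths_for() {  # urlscan_paths_for <domain>   (needs network)
  local tmp
  tmp=$(mktemp)
  curl -s "https://urlscan.io/api/v1/search/?q=domain:$1" -o "$tmp"
  urlscan_paths "$tmp"
  rm -f "$tmp"
}

# Constructed sample in the shape of a search response, for an offline run.
sample_urlscan_results() {  # sample_urlscan_results <out.json>
  cat >"$1" <<'EOF'
{"results":[
 {"page":{"url":"https://app.example.test/login?next=/admin"},"task":{"url":"https://app.example.test/login"}},
 {"page":{"url":"https://example.test/api/v1/users#top"},"task":{"url":"http://example.test/api/v1/users"}},
 {"page":{"url":"https://app.example.test/static/app.js"}}
]}
EOF
}

SAMPLE=$(mktemp)
sample_urlscan_results "$SAMPLE"
urlscan_paths "$SAMPLE"
rm -f "$SAMPLE"
```

Feed the output to your content-discovery tooling as seed paths; query strings are dropped on purpose so that parameter values do not explode the list, but keep the raw file if you also want to mine parameter names.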