afyonkarahisarkitapfuari.com

Enhancing Recon Strategies through Google Dorking Techniques


The initial phase of any attack involves reconnaissance, which is essentially the process of gathering intelligence about a target. This phase is critical as it helps you understand the attack surface of an application. To efficiently identify vulnerabilities, it’s essential to explore all potential attack vectors before determining the best strategy.

For example, if a web application isn’t built on PHP, it’s pointless to test for PHP vulnerabilities. Similarly, if an organization does not utilize Amazon Web Services (AWS), then probing its storage buckets is a waste of effort. Gaining a thorough understanding of how a target operates allows you to lay a strong groundwork for identifying vulnerabilities. Proficient recon skills distinguish competent hackers from less effective ones.

Tip: Apart from crafting your own queries, consider utilizing the Google Hacking Database (https://www.exploit-db.com/google-hacking-database/), a valuable resource where hackers and security experts share Google search queries aimed at unearthing security-related information.

Conducting a Manual Exploration of the Target

Before diving deeper, it's beneficial to manually navigate through the application to gain insights about its features. Explore every page and interaction available to users, including functionalities you may not typically engage with.

For instance, if you were assessing Facebook, you might want to create events, play games, or utilize payment features that you haven’t tried before. Create accounts at various privilege levels to discover all application features.

I quickly realized that to achieve success, I needed to steer clear of automated tools designed for harvesting easy targets, as those had already been claimed by more experienced individuals with superior automation setups. Many professionals invest considerable time into optimizing their automation processes, and I cannot dedicate the same level of effort.

Utilizing Google Dorking

Kickstart your bug bounty journey by employing Google Dorks to extract valuable insights about the target domain. Look for potential login pages, sensitive documents, and misconfigured servers. When searching for vulnerabilities, you often need to delve into the specifics of a potential flaw. For instance, if exploring a potential cross-site scripting (XSS) vulnerability, you may need to locate a specific payload you encountered on GitHub. Mastering advanced search-engine techniques will enable you to quickly and accurately find necessary resources.

In fact, advanced Google searches represent a powerful tool that hackers frequently leverage for reconnaissance, a practice known as Google Dorking. While the average user views Google as a mere search engine for finding images, videos, and web pages, hackers utilize it to uncover critical information such as hidden admin portals, exposed password files, and leaked authentication credentials.

Google's search engine incorporates its own query language that facilitates refined searches. Here are some of the most effective operators you can use:

  1. `site:` Searches within a specific site and presents all results from that domain. For instance, specifying a target site as “.org” and searching for URLs that include “/login.aspx” can reveal potential login portals on .org domains, e.g., `site:.org inurl:/login.aspx`.
  2. `inurl:` Searches for URLs containing specific keywords, a powerful method for identifying vulnerable pages on a given site. For example, `inurl:"/geoserver/ows?service=wfs"` can highlight servers with that URL structure, possibly indicating vulnerable GeoServer instances.
  3. `intitle:` Searches for keywords in the titles of pages, which can pinpoint specific files. For example, `intitle:"index of" "pass.txt"` can find files with sensitive data like passwords.
  4. `link:` Searches for external links to specific pages, e.g., `link:"keyword"`.
  5. `filetype:` Searches for pages with a designated file extension, an effective method for finding sensitive files. For instance, `filetype:log site:example.com` can locate log files on a target site.
  6. Wildcard `*` allows for searches that match any character or series of characters. For example, the query `“how to hack * using Google”` can return various relevant strings.
  7. Quotes `“ ”` ensure an exact match for search terms. For example, `“how to hack”` will return only pages containing that exact phrase.
  8. Or `|` allows for searching one term or another, e.g., `“how to hack” site:(reddit.com | stackoverflow.com)`.
  9. Minus `-` excludes certain results from your search, e.g., `“how to hack websites” -php`.
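The operators above compose into a small query language, so the simplest way to see how quoting, exclusion and operator prefixes interact is to build and parse queries programmatically. The following Python is an added example, not code from the original post: it serialises a structured query into the string you would type into Google, parses a dork string (such as one from the Google Hacking Database) back into its operators, and generates a self-audit set for a domain you own. The `Dork` class, the `audit_queries` helper and `example.com` are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import re

@dataclass
class Dork:
    # Structured form of a Google query using the operators described above (hypothetical helper)
    site: str | None = None
    inurl: list[str] = field(default_factory=list)
    intitle: list[str] = field(default_factory=list)
    filetype: str | None = None
    phrases: list[str] = field(default_factory=list)  # exact-match terms (quoted)
    exclude: list[str] = field(default_factory=list)  # terms removed with the - operator

def _quote(term: str) -> str:
    # Quote values containing whitespace or URL punctuation so Google keeps them as one token
    return f'"{term}"' if re.search(r'[\s:/?=]', term) else term

def build(d: Dork) -> str:
    # Serialise a Dork into the query string you would paste into Google
    parts = [f"site:{d.site}"] if d.site else []
    parts += [f"inurl:{_quote(v)}" for v in d.inurl]
    parts += [f"intitle:{_quote(v)}" for v in d.intitle]
    if d.filetype:
        parts.append(f"filetype:{d.filetype}")
    parts += [f'"{p}"' for p in d.phrases]
    parts += [f"-{x}" for x in d.exclude]
    return " ".join(parts)

# One token: optional '-', optional operator prefix, then a quoted string or a bare word
TOKEN = re.compile(r'(-?)(?:(site|inurl|intitle|filetype):)?("([^"]*)"|\S+)')

def parse(query: str) -> Dork:
    # Parse a dork string (e.g. from the Google Hacking Database) back into its operators
    d = Dork()
    for neg, op, raw, quoted in TOKEN.findall(query):
        value = quoted if raw.startswith('"') else raw
        if neg:
            d.exclude.append(value)
        elif op == "site":
            d.site = value
        elif op in ("inurl", "intitle"):
            getattr(d, op).append(value)
        elif op == "filetype":
            d.filetype = value
        else:
            d.phrases.append(value)
    return d

def audit_queries(domain: str) -> list[str]:
    # Dorks to run against a domain you own, to spot exposed listings, VCS directories and config files
    listings = [build(Dork(site=domain, intitle=["index of"], phrases=[w])) for w in ("config", "backup", "log")]
    paths = [build(Dork(site=domain, inurl=[p])) for p in (".git", ".svn", ".htpasswd", "phpinfo.php")]
    files = [build(Dork(site=domain, filetype=ft)) for ft in ("sql", "log", "env")]
    return listings + paths + files
```

Running `audit_queries("example.com")` yields the same `site:` / `intitle:"index of"` / `inurl:` / `filetype:` combinations listed later in this post, which makes it easy to re-run the set periodically against your own domains and compare results over time.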

Tip: There are many advanced search engine strategies that can boost your efficiency. Consider exploring the term "Google search operators" for further insights. These operators can yield more than you might anticipate, such as uncovering all subdomains of a company with a simple search.

You can also search for specific endpoints that may lead to vulnerabilities. For instance, Kibana, a data visualization tool, displays server operational data like logs and debug messages. If compromised, a Kibana instance can provide attackers with extensive insights into a site’s operations. Many Kibana dashboards are found under the path app/kibana, so searching for that path (for example with `inurl:app/kibana`) can reveal whether the target has an accessible dashboard.

Google can also help locate company resources that are hosted externally, such as Amazon S3 buckets.

Look for specific file extensions that might indicate sensitive documents. In addition to .log, commonly searched extensions include .php, .cfm, .asp, .jsp, and .pl, which are often associated with script files.

Finally, you can combine search terms for more precise results. For example, `site:example.com filetype:txt "password"` restricts the search to text files on example.com that contain the word "password".

Here’s a list of useful Google Dorking commands for bug bounty reconnaissance that I compiled with the assistance of ChatGPT. Don’t forget the power of artificial intelligence in our endeavors; simply ask it to generate a list of Google Dorking commands for bug hunting:

site:example.com intitle:"index of"
site:example.com filetype:pdf
site:example.com inurl:admin
site:example.com intitle:"login"
site:example.com intitle:"error"
site:example.com intitle:"index of" "config"
site:example.com intitle:"index of" "backup"
site:example.com intitle:"index of" "database"
site:example.com intitle:"index of" "log"
site:example.com intitle:"index of" "wp-content"
site:example.com inurl:"/etc/passwd"
site:example.com filetype:sql
site:example.com filetype:log
site:example.com filetype:conf
site:example.com filetype:env
site:example.com filetype:swf
site:example.com filetype:xml
site:example.com filetype:json
site:example.com filetype:php
site:example.com filetype:txt
site:example.com filetype:doc
site:example.com filetype:docx
site:example.com filetype:xls
site:example.com filetype:xlsx
site:example.com filetype:csv
site:example.com filetype:zip
site:example.com filetype:pdf password
site:example.com filetype:php inurl:wp-content
site:example.com inurl:wp-config.php
site:example.com inurl:wp-login.php
site:example.com inurl:wp-admin
site:example.com inurl:phpinfo.php
site:example.com inurl:info.php
site:example.com inurl:database.php
site:example.com inurl:backup.sq
site:example.com inurl:backup.zip
site:example.com inurl:phpinfo.php "PHP Version"
site:example.com inurl:server-status
site:example.com inurl:server-info
site:example.com inurl:robots.txt
site:example.com inurl:.git
site:example.com inurl:.svn
site:example.com inurl:.hg
site:example.com inurl:.bzr
site:example.com inurl:.htpasswd

You can discover additional commands in the Google Hacking Database or generate them using ChatGPT. Organize your attacks based on the intelligence you’ve gathered! Prioritize your testing according to the application’s functionalities and its underlying technology. In my next blog, I’ll delve into the reconnaissance aspect further, focusing on how to uncover subdomains, S3 buckets, and other critical information about your target. Thank you for reading!

Tip: If you're engaging with this content, it shows your commitment to technology and the internet. Keep up this dedication and maintain your reading habits.

I am embarking on a journey of #100 Days of Bug Bounty to learn and grow alongside all of you. Here’s the link to #Day1, #Day2, #Day3, and #Day4. If you believe you can achieve success overnight, within a week, or even a month, this may not be the field for you. Bug bounties are highly competitive and it may take at least a year to excel. Continuous learning, sharing, and practice are essential. Cultivate a curiosity to learn about new topics and explore independently. There is a wealth of free educational content available. Reach out to the hacker community for assistance, and good luck!

Tip: I’m considering launching my own blog site. If you’d like to support my efforts, you can buy me a coffee. Thank you!

Preview of #Day6 Bug Bounty Recon Part 2: (Subdomains and S3 Buckets)

Subdomain enumeration is a vital aspect of bug bounty hunting that can help identify potential vulnerabilities in web applications. By uncovering subdomains related to a target domain, bug hunters can broaden their assessment scope and find potential entry points for attackers. In the upcoming blog post, we will discuss the significance of subdomain enumeration in bug bounty hunting, how it works, and the techniques and tools that can be employed for this task. We will also provide examples illustrating how subdomain enumeration can enhance the security of your web applications. Let’s get started!
