├── README.md
├── bugbounty_checklist.md
├── bugbounty_public_program_list.md
└── bugbounty_toolkit.md
/README.md:
--------------------------------------------------------------------------------
# Bug bounty

***

You can find here some resources I use to do bug bounty hunting.

## Inventory of resources
- [bug bounty checklist](https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md)
- [bug bounty toolkit](https://github.com/sehno/Bug-bounty/blob/master/bugbounty_toolkit.md)
- [bug bounty public program list](https://github.com/sehno/Bug-bounty/blob/master/bugbounty_public_program_list.md)

--------------------------------------------------------------------------------
/bugbounty_checklist.md:
--------------------------------------------------------------------------------
# Bug Bounty Checklist for Web App

> This checklist may help you to have a good methodology for bug bounty hunting.
> When you have done an action, don't forget to check it ;)
> Happy hunting!

## Table of Contents

* [Recon on wildcard domain](#recon-on-wildcard-domain)
* [Single domain](#single-domain)
* [Information Gathering](#information-gathering)
* [Configuration Management](#configuration-management)
* [Secure Transmission](#secure-transmission)
* [Authentication](#authentication)
* [Session Management](#session-management)
* [Authorization](#authorization)
* [Data Validation](#data-validation)
* [Denial of Service](#denial-of-service)
* [Business Logic](#business-logic)
* [Cryptography](#cryptography)
* [Risky Functionality - File Uploads](#risky-functionality---file-uploads)
* [Risky Functionality - Card Payment](#risky-functionality---card-payment)
* [HTML 5](#html-5)


## Recon on wildcard domain

- [ ] Run amass
- [ ] Run subfinder
- [ ] Run assetfinder
- [ ] Run dnsgen
- [ ] Run massdns
- [ ] Use httprobe
- [ ] Run aquatone (screenshots of alive hosts)


## Single Domain

### Scanning

- [ ] Nmap scan
- [ ] Burp crawler
- [ ] ffuf (directory and file fuzzing)
- [ ] hakrawler/gau/paramspider
- [ ] Linkfinder
- [ ] URLs found in the Android application

### Manual checking

- [ ] Shodan
- [ ] Censys
- [ ] Google dorks
- [ ] Pastebin
- [ ] Github
- [ ] OSINT

### Information Gathering
- [ ] Manually explore the site
- [ ] Spider/crawl for missed or hidden content
- [ ] Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
- [ ] Check the caches of major search engines for publicly accessible sites
- [ ] Check for differences in content based on User-Agent (e.g. mobile sites, access as a search engine crawler)
- [ ] Perform web application fingerprinting
- [ ] Identify technologies used
- [ ] Identify user roles
- [ ] Identify application entry points
- [ ] Identify client-side code
- [ ] Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
- [ ] Identify co-hosted and related applications
- [ ] Identify all hostnames and ports
- [ ] Identify third-party hosted content
- [ ] Identify debug parameters


### Configuration Management

- [ ] Check for commonly used application and administrative URLs
- [ ] Check for old, backup and unreferenced files
- [ ] Check HTTP methods supported and Cross Site Tracing (XST)
- [ ] Test file extension handling
- [ ] Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
- [ ] Test for policies (e.g. Flash, Silverlight, robots)
- [ ] Test for non-production data in live environment, and vice-versa
- [ ] Check for sensitive data in client-side code (e.g. API keys, credentials)


### Secure Transmission

- [ ] Check SSL/TLS version, algorithms and key length
- [ ] Check for digital certificate validity (duration, signature and CN)
- [ ] Check credentials are only delivered over HTTPS
- [ ] Check that the login form is delivered over HTTPS
- [ ] Check session tokens are only delivered over HTTPS
- [ ] Check if HTTP Strict Transport Security (HSTS) is in use



### Authentication
- [ ] Test for user enumeration
- [ ] Test for authentication bypass
- [ ] Test for brute-force protection
- [ ] Test password quality rules
- [ ] Test remember-me functionality
- [ ] Test for autocomplete on password forms/inputs
- [ ] Test password reset and/or recovery
- [ ] Test password change process
- [ ] Test CAPTCHA
- [ ] Test multi-factor authentication
- [ ] Test for logout functionality presence
- [ ] Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
- [ ] Test for default logins
- [ ] Test for user-accessible authentication history
- [ ] Test for out-of-channel notification of account lockouts and successful password changes
- [ ] Test for consistent authentication across applications with shared authentication schema / SSO



### Session Management
- [ ] Establish how session management is handled in the application (e.g. tokens in cookies, tokens in the URL)
- [ ] Check session tokens for cookie flags (HttpOnly and Secure)
- [ ] Check session cookie scope (path and domain)
- [ ] Check session cookie duration (expires and max-age)
- [ ] Check session termination after a maximum lifetime
- [ ] Check session termination after relative timeout
- [ ] Check session termination after logout
- [ ] Test to see if users can have multiple simultaneous sessions
- [ ] Test session cookies for randomness
- [ ] Confirm that new session tokens are issued on login, role change and logout
- [ ] Test for consistent session management across applications with shared session management
- [ ] Test for session puzzling
- [ ] Test for CSRF and clickjacking



### Authorization
- [ ] Test for path traversal
- [ ] Test for bypassing authorization schema
- [ ] Test for vertical access control problems (a.k.a. privilege escalation)
- [ ] Test for horizontal access control problems (between two users at the same privilege level)
- [ ] Test for missing authorization


### Data Validation
- [ ] Test for Reflected Cross Site Scripting
- [ ] Test for Stored Cross Site Scripting
- [ ] Test for DOM based Cross Site Scripting
- [ ] Test for Cross Site Flashing
- [ ] Test for HTML Injection
- [ ] Test for SQL Injection
- [ ] Test for LDAP Injection
- [ ] Test for ORM Injection
- [ ] Test for XML Injection
- [ ] Test for XXE Injection
- [ ] Test for SSI Injection
- [ ] Test for XPath Injection
- [ ] Test for XQuery Injection
- [ ] Test for IMAP/SMTP Injection
- [ ] Test for Code Injection
- [ ] Test for Expression Language Injection
- [ ] Test for Command Injection
- [ ] Test for Overflow (Stack, Heap and Integer)
- [ ] Test for Format String
- [ ] Test for incubated vulnerabilities
- [ ] Test for HTTP Splitting/Smuggling
- [ ] Test for HTTP Verb Tampering
- [ ] Test for Open Redirection
- [ ] Test for Local File Inclusion
- [ ] Test for Remote File Inclusion
- [ ] Compare client-side and server-side validation rules
- [ ] Test for NoSQL injection
- [ ] Test for HTTP parameter pollution
- [ ] Test for auto-binding
- [ ] Test for Mass Assignment
- [ ] Test for NULL/Invalid Session Cookie

### Denial of Service
- [ ] Test for anti-automation
- [ ] Test for account lockout
- [ ] Test for HTTP protocol DoS
- [ ] Test for SQL wildcard DoS


### Business Logic
- [ ] Test for feature misuse
- [ ] Test for lack of non-repudiation
- [ ] Test for trust relationships
- [ ] Test for integrity of data
- [ ] Test segregation of duties


### Cryptography
- [ ] Check if data which should be encrypted is not
- [ ] Check for wrong algorithm usage depending on context
- [ ] Check for weak algorithm usage
- [ ] Check for proper use of salting
- [ ] Check randomness functions


### Risky Functionality - File Uploads
- [ ] Test that acceptable file types are whitelisted
- [ ] Test that file size limits, upload frequency and total file counts are defined and enforced
- [ ] Test that file contents match the defined file type
- [ ] Test that all file uploads have anti-virus scanning in place
- [ ] Test that unsafe filenames are sanitised
- [ ] Test that uploaded files are not directly accessible within the web root
- [ ] Test that uploaded files are not served on the same hostname/port
- [ ] Test that files and other media are integrated with the authentication and authorisation schemas


### Risky Functionality - Card Payment
- [ ] Test for known vulnerabilities and configuration issues on Web Server and Web Application
- [ ] Test for default or guessable passwords
- [ ] Test for non-production data in live environment, and vice-versa
- [ ] Test for Injection vulnerabilities
- [ ] Test for Buffer Overflows
- [ ] Test for Insecure Cryptographic Storage
- [ ] Test for Insufficient Transport Layer Protection
- [ ] Test for Improper Error Handling
- [ ] Test for all vulnerabilities with a CVSS v2 score > 4.0
- [ ] Test for Authentication and Authorization issues
- [ ] Test for CSRF


### HTML 5
- [ ] Test Web Messaging
- [ ] Test for Web Storage SQL injection
- [ ] Check CORS implementation
- [ ] Check Offline Web Application

Source:
[OWASP](https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet)

--------------------------------------------------------------------------------
/bugbounty_public_program_list.md:
--------------------------------------------------------------------------------
# Bug bounty public program list
> Here you can find a list of different ways to find public bug bounty programs.
> If you have questions or suggestions, don't hesitate to contact me on twitter (https://twitter.com/_sehno_)

***

## Resources
- https://github.com/arkadiyt/bounty-targets-data/tree/master/data
- https://www.vulnerability-lab.com/list-of-bug-bounty-programs.php
- https://firebounty.com/


## Google dorks
- `site:.eu responsible disclosure`
- `inurl:responsible disclosure program`
- `inurl:vulnerability disclosure program`
- `inurl:vulnerability program rewards`
- `inurl:security@ report vulnerability`
- `inurl:bugbounty reward program`
- `inurl:/bug bounty`
- `inurl:/security`
- `inurl:security.txt`
- `inurl:security "reward"`
- `inurl:/responsible disclosure`
- `inurl:/responsible-disclosure/ reward`
- `inurl:/responsible-disclosure/ swag`
- `inurl:/responsible-disclosure/ bounty`
- `inurl:'/responsible disclosure' hoodie`
- `responsible disclosure swag r=h:com`
- `responsible disclosure hall of fame`
- `responsible disclosure europe`
- `responsible disclosure white hat`
- `white hat program`
- `insite:"responsible disclosure" -inurl:nl`
- `intext:responsible disclosure`
- `site:.eu responsible disclosure`
- `site:.nl responsible disclosure`
- `site responsible disclosure`
- `responsible disclosure:sites`
- `responsible disclosure r=h:nl`
- `responsible disclosure r=h:uk`
- `responsible disclosure r=h:eu`
- `responsible disclosure bounty r=h:nl`
- `responsible disclosure bounty r=h:uk`
- `responsible disclosure bounty r=h:eu`
- `responsible disclosure swag r=h:nl`
- `responsible disclosure swag r=h:uk`
- `responsible disclosure swag r=h:eu`
- `responsible disclosure reward r=h:nl`
- `responsible disclosure reward r=h:uk`
- `responsible disclosure reward r=h:eu`
- `"powered by bugcrowd" -site:bugcrowd.com`
- `"powered by hackerone" "submit vulnerability report"`
- `"submit vulnerability report"`
- `site:responsibledisclosure.com`
- `inurl:'vulnerability-disclosure-policy' reward`
- `intext:Vulnerability Disclosure site:nl`
- `intext:Vulnerability Disclosure site:eu`
- `site:*.*.nl intext:security report reward`
- `site:*.*.nl intext:responsible disclosure reward`
- `"security vulnerability" "report"`
- `inurl:"security report"`
- `"responsible disclosure" university`
- `inurl:/responsible-disclosure/ university`
- `buy bitcoins "bug bounty"`
- `inurl:/security ext:txt "contact"`
- `"powered by synack"`
- `intext:responsible disclosure bounty`
- `inurl:private bugbountyprogram`
- `inurl:/.well-known/security ext:txt`
- `inurl:/.well-known/security ext:txt intext:hackerone`
- `inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty`
- `inurl:reporting-security-issues`
- `inurl:security-policy.txt ext:txt`
- `site:*.*.* inurl:bug inurl:bounty`
- `site:help.*.* inurl:bounty`
- `site:support.*.* intext:security report reward`
- `intext:security report monetary inurl:security`
- `intext:security report reward inurl:report`
- `site:security.*.* inurl:bounty`
- `site:*.*.de inurl:bug inurl:bounty`
- `site:*.*.uk intext:security report reward`
- `site:*.*.cn intext:security report reward`
- `"vulnerability reporting policy"`
- `"van de melding met een minimum van een" -site:responsibledisclosure.nl`
- `inurl:responsible-disclosure-policy`
- `"Submission Form powered by Bugcrowd" -bugcrowd.com`
- `"If you believe you've found a security vulnerability"`
- `intext:"BugBounty" and intext:"BTC" and intext:"reward"`
- `intext:bounty inurl:/security`
- `inurl:"bug bounty" and intext:"€" and inurl:/security`
- `inurl:"bug bounty" and intext:"$" and inurl:/security`
- `inurl:"bug bounty" and intext:"INR" and inurl:/security`
- `inurl:/security.txt "mailto*" -github.com -wikipedia.org -portswigger.net -magento`

--------------------------------------------------------------------------------
/bugbounty_toolkit.md:
--------------------------------------------------------------------------------
# Bug bounty toolkit
> Here you can find a list of different tools that you can use in bug bounty or pentesting.
> Some categories and tools will be added as we go.
> If you have questions or suggestions, don't hesitate to contact me on twitter (https://twitter.com/_sehno_)

***

## Recon

### Subdomains recon

- [amass](https://github.com/OWASP/Amass)
- [subfinder](https://github.com/projectdiscovery/subfinder)
- [assetfinder](https://github.com/tomnomnom/assetfinder)
- [dnsgen](https://github.com/ProjectAnte/dnsgen)
- [shuffledns](https://github.com/projectdiscovery/shuffledns)
- [httprobe](https://github.com/tomnomnom/httprobe)
- [aquatone](https://github.com/michenriksen/aquatone)

### Enumeration / Crawling

- [nmap](https://nmap.org/download.html)
- [ffuf](https://github.com/ffuf/ffuf)
- [hakrawler](https://github.com/hakluke/hakrawler)
- [gau](https://github.com/lc/gau)
- [paramspider](https://github.com/devanshbatham/ParamSpider)

### Manual recon
- [shodan](https://www.shodan.io/)
- [censys](https://censys.io/)
- [google dorks](https://www.google.com)
- [pastebin](https://pastebin.com/)
- [github](https://github.com)

## Enumeration / Crawling

- [ffuf](https://github.com/ffuf/ffuf)
- [hakrawler](https://github.com/hakluke/hakrawler)
- [gau](https://github.com/lc/gau)
- [paramspider](https://github.com/devanshbatham/ParamSpider)
- [arjun](https://github.com/s0md3v/Arjun)
- [parameth](https://github.com/maK-/parameth)

## XSS

- [xsshunter](https://xsshunter.com)
- [xsscrapy](https://github.com/DanMcInerney/xsscrapy)
- [dalfox](https://github.com/hahwul/dalfox)

## SQL Injection
- [sqlmap](https://github.com/sqlmapproject/sqlmap)
- [waybacksqliscanner](https://github.com/ghostlulzhacks/waybackSqliScanner)

--------------------------------------------------------------------------------