10 Minute Bug Bounties: OSINT With Google Dorking, Censys, and Shodan
Graham Zemel, published in The Gray Area, Nov 10, 2022
TL;DR: One of the simplest and
surprisingly paid bounties out there.
This post is great for any bug-hunter
who’s just starting out, or developing a
real interest in the industry.
Introduction
OSINT. Open Source Intelligence. This is
a pretty popular term in cybersecurity,
and if you’re gathering any sort of
information on a potential target or
attack vector, that’s an important term to
know. If you’re just starting out, take a
look at this post on the best resources
I’ve found for cybersecurity beginners →
The Road to Professional Red-Team Hacker (medium.com)
I’ll be using Shodan, Censys and a few
other popular methods to search for
subdomains today, similar to my last
article that I wrote about subdomain
enumeration.
4. Google Dorking
Probably the oldest method on this list,
but it still works like a charm if you’re in
a pinch. A few great dorks to try and find
admin login pages include the following:
site:target.com inurl:admin
intitle:login site:website.com
intitle:/admin site:website.com
inurl:admin
intitle:admin
intext:admin
3. Using Open Source Tools
These do what we just did with Google
dorking, but faster and far more
efficiently. These tools automate the
process so we can sit back while their
scripts do the hard work. Here are three
great resources I found on GitHub that
I’ve tested:
GitHub - JehadAlQurashi/…tURL: Hit valid URL (github.com)
GitHub - mIcHyAmRaNe/okadminfinder3: [ Admin panel finder / Admin Login Page Finder ] ¢σ∂є∂ ву … (github.com)
GitHub - the-c0d3r/admin-finder: Blazing fast admin panel finder with asyncio and aiohttp (github.com)
These repositories have been tested and
work as of 11/9/22. As a bonus, I’ve
included my personal automation tool
that I use for subdomain enumeration
bugs and all sorts of other bounties →
GitHub - grahamzemel/W…HeckScanner: A hacking tool for bug bounties. Sharing and modifying is… (github.com)
Written by Graham Zemel, using Nikto, Nuclei, SQLmap, Anew, Gau, and more! SQLmap, a tool for testing sql injection…
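Added example (not from the original post or from any of the tools listed above): admin panel finders request long lists of candidate admin paths, and that leaves a recognizable pattern in web server logs. This Python code flags the pattern in a constructed access log; the function name, keyword list and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2022:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [09/Nov/2022:10:00:01 +0000] "GET /admin.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [09/Nov/2022:10:00:02 +0000] "GET /administrator/ HTTP/1.1" 200 4211 "-" "python-requests/2.28"
203.0.113.7 - - [09/Nov/2022:10:00:02 +0000] "GET /admin/login.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [09/Nov/2022:10:00:03 +0000] "GET /cpanel/ HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [09/Nov/2022:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.20 - - [09/Nov/2022:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Nov/2022:10:01:15 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Nov/2022:10:01:30 +0000] "GET /dashboard HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')
# Assumed keyword list for "admin-like" paths; tune it to your own application.
ADMIN_RE = re.compile(r"admin|login|cpanel|manager|dashboard", re.I)


def find_admin_scanners(log_text, min_paths=5, min_miss_ratio=0.8):
    """Flag clients that probe many distinct admin-like paths and mostly get 404."""
    seen = defaultdict(dict)  # ip -> {path: last status}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        if ADMIN_RE.search(path):
            seen[ip][path] = status
    flagged = {}
    for ip, paths in seen.items():
        misses = sum(1 for s in paths.values() if s == 404)
        if len(paths) >= min_paths and misses / len(paths) >= min_miss_ratio:
            # "found" lists the admin-like paths that did answer: review those first.
            flagged[ip] = {"probed": len(paths),
                           "found": sorted(p for p, s in paths.items() if s != 404)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_admin_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

The "found" list is the useful part for a site owner: it names the admin paths an outside scanner could actually reach.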
2. Using httpx (one of my favorite methods)
Httpx is a great tool that’s a lot like the
ones listed above but requires a bit of
technical know-how and command line
knowledge to get started with. If you’d
rather just have a complete graphical
interface and not worry about command
prompts, skip to the #1 tool that I’ve
found works best for website
information gathering.
GitHub - projectdiscovery/…ttpx: httpx is a fast and multi-purpose HTTP toolkit that allows running… (github.com)
httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library. It…
1. Search engines. No, not the human ones.
Search engines are a phenomenal
resource for bug hunting, and they
usually provide the best data, and best
formatted data so that you’re not wasting
any time sifting through terminal
outputs or that sort of thing.
Shodan
ssl.cert.subject.cn:"website.com" http.title:"admin"
ssl:"website.com" http.title:"admin"
ssl.cert.subject.cn:"website.com" admin
ssl:"website.com" admin
Fofa
Censys
(services.tls.certificates.leaf_data.issuer.common_name: website.com) AND services.http.response.html_title: admin
(services.tls.certificates.leaf_data.issuer.common_name: website.com) AND services.http.response.body: admin
Searching for Subdomain Vulnerabilities using Censys (medium.com)
If you end up finding a good bug that you
can submit to a bug bounty program like
HackerOne, make sure to review this
post for creating the perfect report →
How To Craft A Professional Bug Bounty Report (Extra $$) (medium.com)
Thanks!