A Newbie’s Guide to Bug Bounty Hunting: Navigating the World of Subdomain Enumeration and URL Discovery
I recently began my thrilling journey of bug bounty hunting and I’m excited to share my experiences with you. I selected HackerOne as my platform of choice and utilized the Project Discovery Chaos website (https://chaos.projectdiscovery.io/#/) to select a program and download a zip file of already enumerated subdomains.
Are you familiar with Project Discovery Chaos? If not, it’s a website that harnesses the power of internet-wide asset data to accelerate research on DNS changes and provide valuable insights. In simpler terms, it collects and tracks subdomains of various domains for you. Thanks to Project Discovery Chaos, my first stage of recon went smoothly and allowed me to easily analyze various bug bounty platforms and their programs, rewards, and more. As a newbie in this field, I found it challenging to find the right target, but after much contemplation, I decided to focus on a Japanese comic company with a large number of subdomains — I wasn’t sure which ones were active yet, but Project Discovery came to the rescue again the team can’t seize to amaze me with their tools. Next, I’ll be diving into the tool I used, which is programmed in GO programming language, it’s called httpx and you can clone and use it by following the documentation on Github. I’ll show you why I find it so valuable and how it saves time. After all, isn’t that what tools are for? Stick around for a detailed breakdown of how I put this tool to use.
- I navigated to the directory where I saved the subdomains I wanted to check using the Linux command ‘cd’ on my machine.
- I then used the command ‘cat sub.txt | httpx -sc’ which allows me to read the contents of the file ‘sub.txt’ and pass it as input to the tool ‘httpx’ The ‘cat’ command is used to concatenate and display the contents of a file. The ‘|’ symbol is used for ‘pipe’ which is used to send the output of one command as input to another command, in this case the output of ‘cat sub.txt’ is being passed as input to ‘httpx -sc’ command.
- Confused what the ‘-sc’ means, it’s telling the tool to specify the status code e.g 200 ok, 403 forbidden e.t.c. in it’s output
The results will look like this;
That’s just the tip of what this tool can do let’s explore more
>>>>To specify the content type use the -ct flag
>>https://me.example.com[text/html]
>>>>To specify the content length use the -cl flag
>>https://me.example.com[80054]
The best part of this tool is the ability for it to detect the tech stack of the a particular website using the -td flag
The results should look like this;
https://me.example.com[cloudflare,next.js,hsts]
https://me.example.com[cloudflare,next.js,hsts]
Other tools like httprobe exist but i prefer to use httpx it just fits my use case on several things
After identifying the live domains, I then use another tool called ‘gau’ (short for Get All URLs) to find all the URLs of a given website and its subdomains. I carefully select a subdomain from the large number of live subdomains that I find interesting. To use the ‘gau’ tool, I open my Linux machine and navigate to the directory where I installed the tool from its Github repository. The ‘gau’ tool allows to perform URL enumeration on a website and its subdomains. It helps to discover hidden URLs which might not be discoverable with other tools. It allows to scan for all types of content with the ability to filter them out.
I will be ending this article here to give you some time to digest the information shared. Thank you for following along on my journey as I began my adventure in bug bounty hunting. I look forward to sharing more of my experiences with you in the future.
