A Newbie’s Guide to Bug Bounty Hunting: Navigating the World of Subdomain Enumeration and URL Discovery

I recently began my thrilling journey of bug bounty hunting and I’m excited to share my experiences with you. I selected HackerOne as my platform of choice and utilized the Project Discovery Chaos website (https://chaos.projectdiscovery.io/#/) to select a program and download a zip file of already enumerated subdomains.

project discovery chaos beta

Are you familiar with Project Discovery Chaos? If not, it’s a website that harnesses the power of internet-wide asset data to accelerate research on DNS changes and provide valuable insights. In simpler terms, it collects and tracks subdomains of various domains for you. Thanks to Project Discovery Chaos, my first stage of recon went smoothly and allowed me to easily analyze various bug bounty platforms and their programs, rewards, and more. As a newbie in this field, I found it challenging to find the right target, but after much contemplation, I decided to focus on a Japanese comic company with a large number of subdomains. I wasn’t sure which ones were active yet, but Project Discovery came to the rescue again; the team can’t cease to amaze me with their tools. Next, I’ll be diving into the tool I used, which is written in the Go programming language. It’s called httpx, and you can clone and use it by following the documentation on GitHub. I’ll show you why I find it so valuable and how it saves time. After all, isn’t that what tools are for? Stick around for a detailed breakdown of how I put this tool to use.

The results will look like this, with each live URL followed by its HTTP status code in brackets:

https://me.example.com [403]

https://her.example.com [200]

That’s just the tip of what this tool can do. Let’s explore more.

To show the content type, use the -ct flag:

https://me.example.com [text/html]

To show the content length, use the -cl flag:

https://me.example.com [80054]

The best part of this tool is its ability to detect the tech stack of a particular website using the -td flag.

The results should look like this:

https://me.example.com [cloudflare,next.js,hsts]

Other tools like httprobe exist, but I prefer to use httpx; it just fits my use case in several ways.
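Once httpx has probed a few hundred subdomains with -ct, -cl and -td, the bracketed output gets hard to triage by eye. The following is an added example, not code from the original post or from the httpx project: it parses httpx-style output lines into records, filters the hosts that actually answered, and indexes them by detected technology. The sample lines are constructed, and the parser assumes the status code is the first bracketed field (the other fields are recognised by their shape, so their order does not matter).

```python
"""Parse httpx probe output (as produced with -ct -cl -td) into records."""
import re
from collections import defaultdict

# Constructed sample of httpx output lines (no real hosts). Assumed field
# order: status code first, then content type, content length, tech list.
SAMPLE = """\
https://me.example.com [403] [text/html] [80054] [cloudflare,next.js,hsts]
https://her.example.com [200] [text/html] [12345] [cloudflare,next.js,hsts]
https://api.example.com [200] [application/json] [512] [nginx]
https://old.example.com [404] [text/html] [0] [apache]
"""

FIELD = re.compile(r"\[([^\]]*)\]")


def parse_line(line):
    """Return a dict for one httpx output line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    url, _, tail = line.partition(" ")
    rec = {"url": url, "status": None, "length": None, "ctype": None, "tech": []}
    for field in FIELD.findall(tail):
        if rec["status"] is None and re.fullmatch(r"\d{3}", field):
            rec["status"] = int(field)          # first 3-digit field: HTTP status
        elif field.isdigit():
            rec["length"] = int(field)          # remaining numeric field: -cl
        elif "/" in field:
            rec["ctype"] = field                # MIME type from -ct
        else:
            rec["tech"] = [t.strip() for t in field.split(",") if t.strip()]  # -td
    return rec


def parse_output(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def live(records):
    """Hosts that answered 2xx/3xx; a 403 is alive but access-controlled."""
    return [r for r in records if r["status"] is not None and 200 <= r["status"] < 400]


def by_tech(records):
    """Index URLs by detected technology, e.g. to group hosts behind Cloudflare."""
    idx = defaultdict(list)
    for r in records:
        for t in r["tech"]:
            idx[t].append(r["url"])
    return dict(idx)


if __name__ == "__main__":
    recs = parse_output(SAMPLE)
    print(len(live(recs)), "reachable of", len(recs), "|", sorted(by_tech(recs)))
```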

After identifying the live domains, I then use another tool called ‘gau’ (short for Get All URLs) to find all the URLs of a given website and its subdomains. I carefully select a subdomain that I find interesting from the large number of live subdomains. To use the ‘gau’ tool, I open my Linux machine and navigate to the directory where I installed the tool from its GitHub repository. The ‘gau’ tool lets you perform URL enumeration on a website and its subdomains. It helps to discover hidden URLs that might not be found with other tools, and it can gather all types of content with the ability to filter them.

I will be ending this article here to give you some time to digest the information shared. Thank you for following along on my journey as I began my adventure in bug bounty hunting. I look forward to sharing more of my experiences with you in the future.

Fortune Edema

Information Security Associate (ISO/IEC 27001) | Tech Enthusiast | Self-Taught InfoSec Researcher | Penetration Tester | Bug Bounty Hunter | Computer Science Student