Beginner | 2-4 hours | 7 steps, 12 tools

Bug Bounty Recon Pipeline

A full reconnaissance pipeline for bug bounty targets, from initial subdomain discovery through to vulnerability scanning. Designed to maximize attack surface coverage while minimizing noise, so you find the bugs other hunters miss.

Tags: recon, bug-bounty, subdomain, automation

Step 1: Subdomain Enumeration

Cast the widest net possible to find every subdomain associated with the target. Use multiple tools and data sources because no single tool finds everything. Combine passive sources (certificate transparency, DNS datasets, search engines) with active brute-forcing using targeted wordlists. The more subdomains you find, the larger your attack surface.


Tip: Run Subfinder and Amass in parallel - Subfinder is fast with passive sources while Amass does deeper enumeration including DNS brute-forcing. Merge and deduplicate the results. Configure API keys for Subfinder's data sources (Shodan, Censys, VirusTotal) to get significantly more results.
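The merge-and-deduplicate step above is where scope errors creep in: tools emit mixed case, trailing dots, wildcard entries and look-alike domains that are not part of the program. The following is an added example (not code from the page or from the Subfinder/Amass projects) showing one way to normalize, scope-filter and merge tool output; the two sample outputs and the apex domain are constructed for illustration.

```python
import re

# Constructed sample output from two enumeration tools (illustrative, not real scan data).
SUBFINDER_OUT = """
www.example.com
API.example.com
dev.example.com.
*.staging.example.com
"""
AMASS_OUT = """
api.example.com
mail.example.com
example.com
evil-example.com
example.com.attacker.test
"""

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name):
    """Lowercase, drop a trailing dot and a wildcard prefix; None for anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def in_scope(name, apex):
    """True for the apex itself or a real subdomain of it; 'evil-example.com' does not match 'example.com'."""
    return name == apex or name.endswith("." + apex)


def merge(apex, *tool_outputs):
    """Union of all tool outputs, normalized, scope-filtered and deduplicated."""
    seen = set()
    for output in tool_outputs:
        for line in output.splitlines():
            host = normalize(line)
            if host and in_scope(host, apex):
                seen.add(host)
    return sorted(seen)


if __name__ == "__main__":
    for host in merge("example.com", SUBFINDER_OUT, AMASS_OUT):
        print(host)
```

The scope check matches on a label boundary rather than a substring, so `evil-example.com` and `example.com.attacker.test` are dropped even though both contain the apex; that is the usual mistake in a quick `grep`.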

Step 2: DNS Resolution and Filtering

Resolve all discovered subdomains to filter out dead entries and identify live hosts. Check for DNS misconfigurations like dangling CNAMEs that could lead to subdomain takeover. Map IP addresses to identify shared hosting and CDN usage. This step reduces your list from potentially thousands of subdomains to the ones that are actually reachable.


Tip: dnsx resolves domains in bulk at high speed and can check for multiple record types (A, AAAA, CNAME, MX). Pipe your subdomain list directly into it. Look for CNAME records pointing to unclaimed services - these are subdomain takeover candidates. Group results by IP to spot shared infrastructure.
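To make the two checks in this step concrete, here is an added example (not code from the page or from dnsx) that works over resolver results: it lists hosts with an address record, groups hostnames by IP to expose shared infrastructure, and flags every CNAME as external (target outside the apex) and/or dangling (the chain never produced an address). The record tuples, hostnames and addresses are constructed placeholders, and the simple (host, type, value) shape is an assumption rather than any tool's real output format.

```python
from collections import defaultdict

# Constructed resolver output as (host, record type, value) tuples; hostnames and
# addresses are illustrative placeholders, not real infrastructure.
RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("api.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("cdn.example.com", "CNAME", "edge.cdn-provider.example"),
    ("cdn.example.com", "A", "198.51.100.7"),            # CNAME target resolved
    ("intranet.example.com", "CNAME", "www.example.com"),
    ("intranet.example.com", "A", "203.0.113.10"),
    ("old.example.com", "CNAME", "app-old.hosting-provider.example"),  # no A: target did not resolve
]


def by_host(records):
    """Group raw records into {host: {type: [values]}}."""
    table = defaultdict(lambda: defaultdict(list))
    for host, rtype, value in records:
        table[host][rtype].append(value)
    return table


def live_hosts(records):
    """Hosts with at least one address record are reachable by name."""
    return sorted(h for h, rrs in by_host(records).items() if rrs.get("A") or rrs.get("AAAA"))


def shared_ips(records):
    """IPs serving more than one hostname, a hint of shared hosting or a single front end."""
    hosts_for_ip = defaultdict(set)
    for host, rtype, value in records:
        if rtype in ("A", "AAAA"):
            hosts_for_ip[value].add(host)
    return {ip: sorted(hs) for ip, hs in hosts_for_ip.items() if len(hs) > 1}


def cname_review(records, apex):
    """Every CNAME with two flags: external (target outside the apex) and dangling (no address resolved)."""
    review = []
    for host, rrs in by_host(records).items():
        for target in rrs.get("CNAME", []):
            external = not (target == apex or target.endswith("." + apex))
            dangling = not (rrs.get("A") or rrs.get("AAAA"))
            review.append({"host": host, "target": target, "external": external, "dangling": dangling})
    return sorted(review, key=lambda r: r["host"])


if __name__ == "__main__":
    print("live:", live_hosts(RECORDS))
    print("shared:", shared_ips(RECORDS))
    for r in cname_review(RECORDS, "example.com"):
        print(r)
```

An entry that is both external and dangling is the case the tip describes and needs manual review; an external CNAME that still resolves is simply a third-party dependency worth noting in the asset map.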

Step 3: HTTP Probing and Technology Fingerprinting

Probe all resolved hosts on common HTTP/HTTPS ports to find web services. Identify the technology stack, response codes, page titles, and content length for each live host. This tells you what's running where and helps you prioritize targets. A forgotten staging server running an old framework version is often more interesting than the main production site.


Tip: httpx probes multiple ports by default and extracts page titles, status codes, content length, and technology fingerprints. Use the JSON output for easy parsing and filtering. Sort results by status code and content length to quickly spot interesting outliers like login panels, admin interfaces, and error pages.
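"Spot interesting outliers" can be automated: many hostnames that return the same status, body length and title are usually one catch-all virtual host or CDN default page, while the rare signatures are the login panels and error pages the tip mentions. The following added example (not code from the page or from httpx) parses JSON-lines probe output, counts response signatures and returns the rare ones sorted by status code and content length. The sample lines are constructed, and the field names used (url, status_code, title, content_length, tech) are an assumption about the output shape.

```python
import json
from collections import Counter

# Constructed httpx-style JSON lines. The field names (url, status_code, title,
# content_length, tech) are assumed here; the hosts and values are illustrative.
HTTPX_JSONL = """\
{"url":"https://www.example.com","status_code":200,"title":"Example Home","content_length":5120,"tech":["nginx"]}
{"url":"https://api.example.com","status_code":200,"title":"Example Home","content_length":5120,"tech":["nginx"]}
{"url":"https://cdn.example.com","status_code":200,"title":"Example Home","content_length":5120,"tech":["nginx"]}
{"url":"https://intranet.example.com","status_code":401,"title":"Login Required","content_length":312,"tech":["Apache"]}
{"url":"https://old.example.com:8080","status_code":500,"title":"Internal Server Error","content_length":1842,"tech":["Apache","PHP"]}
{"url":"https://mail.example.com","status_code":302,"title":"","content_length":0,"tech":[]}
"""


def parse(jsonl):
    """One dict per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def signature(rec):
    """Status, body length and title together identify 'the same page served under many names'."""
    return (rec["status_code"], rec["content_length"], rec["title"])


def signature_counts(records):
    return Counter(signature(r) for r in records)


def outliers(records, max_shared=1):
    """Responses whose signature is shared by at most max_shared hosts, sorted by status then length.
    Widely shared signatures can be reviewed once; the rare ones are where to look first."""
    counts = signature_counts(records)
    rare = [r for r in records if counts[signature(r)] <= max_shared]
    return sorted(rare, key=lambda r: (r["status_code"], r["content_length"]))


if __name__ == "__main__":
    recs = parse(HTTPX_JSONL)
    for sig, n in signature_counts(recs).most_common():
        print(n, sig)
    for r in outliers(recs):
        print(r["status_code"], r["content_length"], r["url"], ",".join(r["tech"]))
```

Raising `max_shared` lets you widen the net on large programs where two or three hosts legitimately share a small admin application.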

Step 4: URL Collection and Crawling

Gather as many URLs as possible from each live target. Pull historical URLs from the Wayback Machine and other archives, crawl the live application to discover current endpoints, and extract URLs from JavaScript files. Old URLs often reveal endpoints that still exist but are no longer linked from the UI - these are frequently less hardened.


Tip: gau (Get All URLs) pulls from Wayback Machine, Common Crawl, and other archives. Katana is a next-gen crawler that handles JavaScript-rendered pages. waybackurls specifically targets Wayback Machine archives. Combine all three outputs and deduplicate. Look for URLs containing parameters, API endpoints, and file paths.

Step 5: Parameter Discovery

For each endpoint you've found, discover hidden parameters that aren't visible in the UI. Many vulnerabilities hide behind parameters that the application accepts but doesn't advertise. Brute-force parameter names against each endpoint and mine archived URLs for parameter patterns used elsewhere on the target.


Tip: ParamSpider mines web archives for parameters associated with your target domain. Arjun brute-forces parameters by analyzing response differences. ffuf can fuzz parameters using wordlists at high speed. Focus on endpoints that accept user input - these are where injection vulnerabilities live.
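Steps 4 and 5 share one piece of glue: the merged URL list has to be deduplicated by endpoint (not by exact string), static assets dropped, and the parameter names already in use on the target collected into a wordlist for the discovery tools. The following added example (not code from the page or from gau, Katana, waybackurls or ParamSpider) does all three over a constructed URL list; the hosts, paths and parameter names are illustrative.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed URL list standing in for merged gau/katana/waybackurls output (not real target data).
RAW_URLS = """
https://www.example.com/search?q=test&page=2
http://www.example.com/search?page=1&q=other
https://www.example.com/search?q=test&page=2
https://www.example.com/account/profile?id=1001
https://www.example.com/account/profile?id=1002&debug=1
https://www.example.com/static/app.js
https://www.example.com/api/v1/users?id=7&format=json
https://www.example.com/images/logo.png
https://www.example.com/export?file=report.pdf
"""

# Extensions that are almost never worth fuzzing; extend to taste.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".ico")


def endpoint_key(url):
    """Collapse a URL to (host, path, parameter-name set). Scheme, parameter values and
    parameter order are dropped so the same endpoint hit with different values is one entry."""
    parts = urlsplit(url)
    names = frozenset(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return (parts.hostname, parts.path, names)


def dedupe_endpoints(text):
    """{endpoint_key: first URL seen for it}, skipping blanks and static assets."""
    endpoints = {}
    for line in text.splitlines():
        url = line.strip()
        if not url or urlsplit(url).path.lower().endswith(STATIC_EXT):
            continue
        endpoints.setdefault(endpoint_key(url), url)
    return endpoints


def parameter_endpoints(endpoints):
    """(path, sorted parameter names) for every endpoint that takes input."""
    return sorted((path, sorted(names)) for (_, path, names) in endpoints if names)


def param_wordlist(endpoints):
    """Parameter names ranked by how many distinct endpoints use them: a target-specific
    wordlist for the parameter discovery step."""
    counts = Counter(name for (_, _, names) in endpoints for name in names)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    eps = dedupe_endpoints(RAW_URLS)
    print(len(eps), "unique endpoints")
    for path, names in parameter_endpoints(eps):
        print(path, names)
    print(param_wordlist(eps))
```

Keying on the parameter-name set rather than the full query string is what keeps three archived `/search` hits as one endpoint while still keeping `/account/profile?id` and `/account/profile?id&debug` apart, since the second variant is exactly the kind of unadvertised parameter step 5 is after.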

Step 6: Automated Vulnerability Scanning

Run template-based vulnerability scanners against your collected URLs and endpoints. This catches known CVEs, common misconfigurations, exposed sensitive files, default credentials, and well-known vulnerability patterns. While this won't find complex logic bugs, it efficiently covers thousands of known issues across your entire attack surface.


Tip: Nuclei with the full template library is the most effective automated scanner for bug bounty. Run it against your full URL list. DalFox specializes in reflected XSS detection and handles parameter analysis well. Use Nuclei's severity filtering to focus on critical and high findings first. Custom templates for your target's specific stack increase hit rate dramatically.
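Severity filtering and deduplication are the first thing to do with scanner output before anything reaches a report. The following added example (not code from the page or from Nuclei) reads JSON-lines findings, collapses repeats of the same template on the same URL, keeps only findings at or above a chosen severity, orders them worst first, and tags each one as unverified so nothing is reported before a human reproduces it. The template ids, hosts and findings are constructed, and the field names read (template-id, info.severity, host, matched-at) are an assumption about the output shape.

```python
import json
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed nuclei-style JSON lines. Template ids, hosts and findings are made up for
# illustration; the field names (template-id, info.severity, host, matched-at) are assumed.
NUCLEI_JSONL = """\
{"template-id":"sample-exposed-config","info":{"name":"Exposed config file","severity":"high"},"host":"https://old.example.com:8080","matched-at":"https://old.example.com:8080/config.bak"}
{"template-id":"sample-exposed-config","info":{"name":"Exposed config file","severity":"high"},"host":"https://old.example.com:8080","matched-at":"https://old.example.com:8080/config.bak"}
{"template-id":"sample-tech-detect","info":{"name":"Technology detection","severity":"info"},"host":"https://www.example.com","matched-at":"https://www.example.com"}
{"template-id":"sample-missing-header","info":{"name":"Missing security header","severity":"low"},"host":"https://www.example.com","matched-at":"https://www.example.com"}
{"template-id":"sample-default-login","info":{"name":"Default credentials accepted","severity":"critical"},"host":"https://intranet.example.com","matched-at":"https://intranet.example.com/login"}
"""


def parse_findings(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def severity_of(finding):
    return finding.get("info", {}).get("severity", "info").lower()


def triage(findings, min_severity="medium"):
    """Deduplicate on (template, matched-at), keep findings at or above min_severity,
    order worst first, and tag each as unverified until a human reproduces it."""
    threshold = SEVERITY_RANK[min_severity]
    unique = {}
    for f in findings:
        unique.setdefault((f["template-id"], f["matched-at"]), f)
    kept = [dict(f, verified=False) for f in unique.values()
            if SEVERITY_RANK.get(severity_of(f), 0) >= threshold]
    return sorted(kept, key=lambda f: (-SEVERITY_RANK.get(severity_of(f), 0), f["host"]))


def severity_summary(findings):
    """Counts per severity after deduplication, for a quick picture of the scan."""
    return Counter(severity_of(f) for f in triage(findings, "info"))


if __name__ == "__main__":
    fs = parse_findings(NUCLEI_JSONL)
    print(severity_summary(fs))
    for f in triage(fs):
        print(severity_of(f), f["template-id"], f["matched-at"], "verified:", f["verified"])
```

The `verified` flag is deliberately set to False on every record; flipping it is a manual act, which matches the advice in the final step to confirm each automated finding before reporting.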

Step 7: Organize Findings and Report

Triage your results, eliminate false positives, and prepare your bug reports. Each report should include a clear title, step-by-step reproduction instructions, proof of concept, impact assessment, and suggested remediation. Quality reports get paid faster and build reputation on the platform. Screenshot everything and include curl commands for easy reproduction.

Tip: Verify every automated finding manually before reporting. Duplicate findings are the fastest way to tank your reputation on a bug bounty platform. Check the program's disclosed reports to avoid known duplicates. Write your report assuming the reader has no context about your recon pipeline.
