
STEP 0. Mindset and Scope Definition
Before touching tools, every engagement begins with understanding scope and constraints.
Objectives
- Identify in-scope assets
- Understand program rules and safe harbor
- Define realistic goals per session
Key Actions
- Read the program brief line by line
- Note out-of-scope assets and techniques
- Identify asset types: web apps, APIs, mobile, infrastructure
Output
- Personal scope document
- Asset list with priorities
STEP 1. OSINT and Reconnaissance
OSINT focuses on discovering assets, relationships, and exposure without interacting directly with target systems.
1.1 Domain and Asset Discovery
Purpose
- Identify root domains, subdomains, and related infrastructure
Common Tools
- Subfinder
- Assetfinder
- crt.sh
Typical Usage
- Passive enumeration first
- Correlate results across tools
- Deduplicate aggressively
Practice Ideas
- Enumerate all subdomains for a known bug bounty program
- Compare passive vs active results
Output
- Cleaned list of domains and subdomains
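As an added example that is not part of the original guide: a small Python script that correlates constructed sample output from several passive sources, normalises the names (case, trailing dots, crt.sh wildcard entries), deduplicates them and keeps only hosts that match the Step 0 scope document. The tool output, the example.com hosts and the scope patterns are all constructed.

```python
"""Merge, normalise and scope-filter subdomain lists from several passive
sources. All tool output and scope entries below are constructed samples."""
import re
from typing import Iterable, Optional

# Constructed sample output, shaped like what different tools return:
# crt.sh emits wildcard entries, others vary case or add trailing dots.
SUBFINDER = ["api.example.com", "dev.example.com", "www.example.com"]
ASSETFINDER = ["API.example.com", "mail.example.com.", "  staging.example.com"]
CRTSH = ["*.example.com", "legacy.example.com", "vpn.example.net", "api.example.com"]

# Hypothetical scope document from Step 0.
IN_SCOPE = ["*.example.com"]           # wildcard: apex and any host beneath it
OUT_OF_SCOPE = ["legacy.example.com"]  # explicitly excluded asset

_HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+$")

def normalise(name: str) -> Optional[str]:
    """Lower-case, strip whitespace, trailing dots and '*.' prefixes;
    return None for anything that is not a plausible hostname."""
    host = name.strip().lower().rstrip(".")
    while host.startswith("*."):
        host = host[2:]
    return host if _HOST_RE.match(host) else None

def matches(host: str, pattern: str) -> bool:
    """A scope pattern is an exact host or '*.domain' (the domain itself
    or any label beneath it)."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def in_scope(host: str) -> bool:
    """Explicit out-of-scope entries override in-scope wildcards."""
    if any(matches(host, p) for p in OUT_OF_SCOPE):
        return False
    return any(matches(host, p) for p in IN_SCOPE)

def merge(*sources: Iterable[str]) -> list[str]:
    """Correlate every source, deduplicate, keep only in-scope hosts."""
    seen = set()
    for source in sources:
        for raw in source:
            host = normalise(raw)
            if host and in_scope(host):
                seen.add(host)
    return sorted(seen)
```

Running `merge(SUBFINDER, ASSETFINDER, CRTSH)` on the sample data yields six hosts: the duplicate api entry collapses, legacy.example.com is dropped as out of scope, and vpn.example.net is dropped because it never matched the scope.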
1.2 Organization and People OSINT
Purpose
- Identify exposed credentials, internal tooling, and technology hints
Common Tools
- GitHub search
- GitLeaks
- Google dorking
Typical Usage
- Search for API keys, internal URLs, configuration files
- Identify technologies used internally
Output
- Notes on technologies, credentials, and internal naming patterns
STEP 2. Information Gathering
Information gathering involves direct interaction with in-scope assets to understand the attack surface.
2.1 Technology Fingerprinting
Purpose
- Identify frameworks, servers, languages, and defenses
Common Tools
- Nmap
- Wappalyzer
- WhatWeb
- HTTPX
Typical Usage
- Light scans first
- Focus on versions and unusual configurations
Output
- Technology profile per asset
2.2 Content and Endpoint Discovery
Purpose
- Discover hidden paths, APIs, and functionality
Common Tools
- FFUF
- Gobuster
- Dirsearch
- Wayback URLs
Typical Usage
- Start with low-noise wordlists
- Separate API and web content discovery
Practice Ideas
- Find deprecated endpoints using historical URLs
Output
- List of discovered endpoints and parameters
STEP 3. Vulnerability Scanning
Automated scanning helps surface low-hanging issues and guide manual testing.
3.1 Automated Web Scanning
Purpose
- Identify common misconfigurations and known vulnerabilities
Common Tools
- Nuclei
- Nikto
- ZAP (passive)
Typical Usage
- Use curated templates
- Avoid aggressive scans initially
Output
- Preliminary vulnerability list
3.2 Parameter and Input Analysis
Purpose
- Identify user-controlled inputs for manual testing
Common Tools
- Burp Suite
- Caido
- ParamSpider
- Arjun
Typical Usage
- Map parameters to endpoints
- Identify reflected and stored inputs
STEP 4. Transition to Manual Testing
At this stage, automated results are triaged and prioritized for deeper analysis.
Next Steps
- Rank findings by impact and confidence
- Select promising targets for manual exploitation
- Begin vulnerability-specific workflows
STEP 5. Documentation and Reporting
Documentation happens continuously, not at the end.
Best Practices
- Keep structured notes per asset
- Capture proof early
- Reproduce findings cleanly
Artifacts
- Frequent Screenshots
- Request and response pairs
- Reproduction steps