When conducting a bug bounty assessment on web applications, having a structured approach can significantly improve your findings. Below is a comprehensive checklist categorized by different security aspects to help streamline your testing process.
| # | Check | Notes |
|---|---|---|
| | Reconnaissance | |
| 1 | Subdomains | Enumerate subdomains with amass and subfinder, and pull certificate-transparency entries from crt.sh. |
| 2 | Directory & File Bruteforce | Use ffuf, dirsearch, or gobuster with a wordlist matched to the stack to discover hidden directories and files. |
| 3 | Find APIs | Extract API endpoints from JavaScript with LinkFinder and JSParser, and from proxied traffic in Burp Suite. |
| 4 | Technology Stack Identification | Fingerprint the underlying technologies with whatweb and Wappalyzer. |
| 5 | Sensitive Files Discovery | Check for exposed files such as .git/, .env, robots.txt, and backup.zip. |
| | Authentication & Session Management | |
| 6 | Default Credentials | Test common username/password pairs such as admin:admin. |
| 7 | Rate Limit Bypass | Check whether the limiter keys on a client-supplied header such as X-Forwarded-For; if it does, rotating the header value resets the counter. |
| 8 | JWT Attacks | Check for acceptance of alg=none, weak HMAC secrets, and kid header injection (path traversal or SQL in the key lookup). |
| 9 | Weak Set-Cookie Flags | Verify that session cookies carry HttpOnly, Secure, and an explicit SameSite attribute. |
| | Injection Attacks | |
| 10 | SQL Injection (SQLi) | Test with payloads like ' OR '1'='1 and confirm or automate with sqlmap. |
| 11 | Cross-Site Scripting (XSS) | Inject <script>alert(1)</script>, then check where the input is reflected (HTML body, attribute, or JavaScript context) and adapt the payload to that context. |
| 12 | Server-Side Template Injection (SSTI) | Submit {{7*7}} and look for 49 in the response; use tplmap to identify the template engine. |
| 13 | OS Command Injection | Try separators such as ; whoami, \| id, and $(id); use Burp Collaborator to catch blind injection through out-of-band callbacks. |
| | IDOR & Privilege Escalation | |
| 14 | Modify User Identifiers | While authenticated as one user, change user_id=123 to user_id=124 to check for insecure direct object references (IDOR). |
| 15 | Test Different Encodings | Identifiers may be UUIDs, Base64-encoded values, or plain integers; decode and re-encode them rather than assuming they are unguessable. |
| 16 | Privilege Escalation | Add or manipulate parameters like role=admin and isAdmin=true in form fields and JSON bodies (mass assignment). |
| | File Upload | |
| 17 | Malicious File Uploads | Attempt to upload files with dangerous extensions such as .php, .jsp, and .svg (SVG can carry script). |
| 18 | Bypass Extension Filters | Use alternate extensions (.php5, .phtml), double extensions (shell.php.jpg), or case variations (.PhP) to evade blocklists. |
| 19 | Local File Inclusion (LFI) | If an include parameter exists, traverse to the uploaded file (for example ?page=../uploads/shell.jpg), or read source with php://filter/convert.base64-encode/resource=index.php. |
| | Server-Side Request Forgery (SSRF) | |
| 20 | Internal Services Access | Try http://localhost:80 and http://127.0.0.1 on common internal ports. |
| 21 | AWS Metadata Extraction | Query http://169.254.169.254/latest/meta-data/ (with IMDSv2 a session token must first be obtained via PUT, so a plain GET may be refused). |
| 22 | Filter Bypass Techniques | Use payloads like //evil.com and http://allowed-host@127.0.0.1 (the part before @ is userinfo, so the real host is 127.0.0.1) to bypass hostname filtering. |
| | Cross-Site Request Forgery (CSRF) | |
| 23 | Token Verification | Identify state-changing endpoints that lack a CSRF token, or that still accept the request when the token is removed or swapped. |
| 24 | Malicious HTML Forms | Build an auto-submitting HTML form on an attacker-controlled page so the request is sent with the victim's cookies. |
| 25 | SameSite Cookie Testing | Check the session cookie's SameSite value: None is sent on any cross-site request, and Lax still accompanies top-level GET navigations, so some CSRF vectors may remain. |
| | API & Logic Bugs | |
| 26 | Brute Force Tokens | Attempt multiple OTPs and reset or authentication tokens to see whether they are rate limited and long enough to resist guessing. |
| 27 | Replay Attacks | Resend captured session tokens or API calls after logout, after a password change, or after a one-time token has been used, to check for missing invalidation. |
| 28 | GraphQL Testing | Use InQL or GraphQLMap to enumerate the schema via introspection and test each query and mutation for authorization gaps. |
| | Open Redirects | |
| 29 | Basic Redirect Test | Try http://target.com/redirect?url=evil.com. |
| 30 | Bypass Techniques | Use payloads like //evil.com, /\/evil.com, and URL-encoded variants such as /%2f%2fevil.com. |
| | Security Misconfigurations | |
| 31 | Missing Security Headers | Check for absent Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options (or an equivalent CSP frame-ancestors directive). |
| 32 | Exposed Debug Pages | Look for pages like /phpinfo.php and /debug. |
| 33 | Cloud Storage Misconfigurations | Inspect AWS S3 and GCP buckets referenced by the application for public listing or write access. |
| | Essential Tools | |
| 34 | Reconnaissance | amass, httpx, subfinder |
| 35 | Exploitation | Burp Suite, sqlmap, ffuf |
| 36 | Fuzzing | wfuzz, ffuf, dirb |
| 37 | API Testing | Postman, GraphQLMap |
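Item 8 in the checklist (JWT attacks) is easiest to understand with the alg=none case written out. The following is an added example, not code from the original article or from any real library: it issues an HS256 token, forges an unsigned copy with an elevated role, and shows a verifier that trusts the header's alg being fooled while a verifier that pins the algorithm rejects it. The signing key, claims, and function names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side HMAC key, constructed for this demo only.
SECRET = b"demo-signing-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(payload: dict, secret: bytes) -> str:
    """What the server does at login: HS256-sign the header and payload."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker side: keep the claims, edit them, set alg=none, leave the signature empty."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(payload) + "."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Lets the token's own header choose the algorithm, so alg=none means 'unsigned is fine'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Pins the algorithm server-side: the header is parsed but never allowed to pick the check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Runs the forgery against both verifiers and reports who each one thinks the caller is."""
    legit = issue_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none(legit, {"role": "admin"})
    return {
        "legit_vulnerable": verify_vulnerable(legit, SECRET),
        "forged_vulnerable": verify_vulnerable(forged, SECRET),
        "legit_hardened": verify_hardened(legit, SECRET),
        "forged_hardened": verify_hardened(forged, SECRET),
    }


if __name__ == "__main__":
    for name, claims in demo().items():
        print(f"{name:18s} -> {claims}")
```

The kid injection from the same checklist item follows the same pattern of trusting a header field: if the server uses kid to build a file path or SQL query for the key lookup, the attacker controls which key (or which empty file) the signature is checked against. The fix in both cases is the same: decide the algorithm and key source on the server and treat the header as untrusted input.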
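To see exactly why the ' OR '1'='1 payload from item 10 works, here is an added example (not from the original article) that runs the attack against an in-memory SQLite database. The table, rows, and login functions are constructed for the demo; the only thing taken from the page is the payload itself.

```python
import sqlite3
from typing import Optional

# The checklist payload: closes the string literal and appends an always-true condition.
PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "Adm1nPass!"), ("alice", "hunter2")],
    )
    return conn


def vulnerable_sql(username: str, password: str) -> str:
    """The query exactly as the vulnerable handler sends it to the database."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """String-builds the query, so quotes in the input become SQL syntax.
    With the payload as password the WHERE clause becomes
    username = 'x' AND password = '' OR '1'='1', which matches every row."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bound parameters: values travel separately from the SQL text and can never alter its shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_sql("admin", PAYLOAD))
    print("vulnerable     :", login_vulnerable(db, "admin", PAYLOAD))
    print("parameterized  :", login_parameterized(db, "admin", PAYLOAD))
```

Note that SQLite's Python driver refuses stacked statements in execute(), so a ; DROP TABLE style payload would error here; the always-true condition is the one that transfers to any backend, and it is the reason a login form returning the first row of the table is a full authentication bypass.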
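Items 14 and 16 (IDOR and role/isAdmin manipulation) are two faces of the same server-side mistake: taking identity or privilege from the request instead of from the session. This added example (not from the original article) shows a vulnerable handler beside a hardened one for each. The order store, profile store, and handler signatures are constructed for the demo.

```python
import copy
from typing import Dict, Optional

# Constructed sample data: two users, each owning one order.
ORDERS: Dict[int, dict] = {
    101: {"owner_id": 123, "item": "keyboard"},
    102: {"owner_id": 124, "item": "laptop"},
}
PROFILES: Dict[int, dict] = {
    123: {"name": "alice", "role": "user"},
    124: {"name": "bob", "role": "user"},
}
UPDATABLE_FIELDS = {"name"}  # the only profile fields a user may set about themselves


def get_order_vulnerable(params: Dict[str, str]) -> Optional[dict]:
    """IDOR: identity comes from the query string (user_id=123), so the caller
    chooses whose data is returned simply by rewriting both identifiers."""
    order = ORDERS.get(int(params["order_id"]))
    if order and order["owner_id"] == int(params["user_id"]):
        return order
    return None


def get_order_hardened(session_user_id: int, params: Dict[str, str]) -> Optional[dict]:
    """Identity comes from the server-side session; ownership is enforced against it,
    and any user_id in the request is simply ignored."""
    order = ORDERS.get(int(params["order_id"]))
    if order and order["owner_id"] == session_user_id:
        return order
    return None


def update_profile_vulnerable(profiles: Dict[int, dict], session_user_id: int, body: dict) -> dict:
    """Mass assignment: every JSON field is written through, so role=admin in the body is honoured."""
    profiles[session_user_id].update(body)
    return profiles[session_user_id]


def update_profile_hardened(profiles: Dict[int, dict], session_user_id: int, body: dict) -> dict:
    """Allowlist the writable fields; privilege-bearing attributes never come from the client."""
    allowed = {key: val for key, val in body.items() if key in UPDATABLE_FIELDS}
    profiles[session_user_id].update(allowed)
    return profiles[session_user_id]


def fresh_profiles() -> Dict[int, dict]:
    """Copy of the sample store so each call starts from the same state."""
    return copy.deepcopy(PROFILES)


if __name__ == "__main__":
    # alice (123) rewrites both identifiers and reads bob's order
    print(get_order_vulnerable({"order_id": "102", "user_id": "124"}))
    print(get_order_hardened(123, {"order_id": "102", "user_id": "124"}))
    print(update_profile_vulnerable(fresh_profiles(), 123, {"name": "alice", "role": "admin"}))
    print(update_profile_hardened(fresh_profiles(), 123, {"name": "alice", "role": "admin"}))
```

When testing, the tell-tale sign is a request that carries its own identity (user_id, email, role) alongside a session cookie: every such parameter is a candidate for items 14 through 16.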
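The SSRF bypasses in item 22 and the open-redirect bypasses in item 30 both exploit the gap between how a filter reads a string and how a real URL parser (or a browser) reads it. This added example (not from the original article) covers both: a naive substring SSRF filter that the userinfo trick defeats, a hardened check that parses first and blocks loopback and link-local targets including the metadata address from item 21, and a redirect validator that rejects //, /\ and percent-encoded forms. The allowlisted host trusted.example and all function names are constructed for the demo; DNS resolution is deliberately left out so it runs offline.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist: the one host the application legitimately fetches from.
ALLOWED_HOSTS = {"trusted.example"}

# Ranges an outbound fetch must never reach: loopback, RFC 1918, link-local
# (which contains the 169.254.169.254 cloud metadata endpoint) and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_ssrf_filter(url: str) -> bool:
    """Broken check seen in the wild: 'the string mentions our host, so it must be ours'."""
    return any(host in url for host in ALLOWED_HOSTS)


def is_blocked_address(host: str) -> bool:
    """True for 'localhost' or an IP literal inside an internal range. A real fetcher
    must also resolve hostnames and re-check the resolved address (and pin it for the
    connection, to defeat DNS rebinding); that step is omitted here to stay offline."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def ssrf_allowed(url: str) -> bool:
    """Hardened: parse first, then decide on the host the client would actually connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # //evil.com, file://, gopher:// all stop here
    host = parts.hostname                 # userinfo (anything before @) is discarded by the parser
    if not host or is_blocked_address(host):
        return False
    return host.lower() in ALLOWED_HOSTS


def is_safe_redirect(target: str) -> bool:
    """Only path-absolute, same-origin targets pass: anything a browser would read as an
    authority (a scheme, //, /\\) is rejected, both as given and after percent-decoding,
    because a server may decode the value before emitting the Location header."""
    for candidate in (target, unquote(target)):
        if candidate.startswith(("//", "/\\", "\\")):
            return False
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc or not candidate.startswith("/"):
            return False
    return True


if __name__ == "__main__":
    for url in ("http://trusted.example/report", "http://trusted.example@127.0.0.1",
                "http://169.254.169.254/latest/meta-data/", "http://localhost:80", "//evil.com"):
        print(f"{url:45s} naive={naive_ssrf_filter(url)!s:5s} hardened={ssrf_allowed(url)}")
    for target in ("/account", "//evil.com", "/\\/evil.com", "/%2f%2fevil.com", "http://evil.com"):
        print(f"{target:20s} safe_redirect={is_safe_redirect(target)}")
```

The userinfo payload is the instructive one: http://trusted.example@127.0.0.1 contains the allowlisted string, so the naive filter passes it, while urlsplit reports the hostname as 127.0.0.1. Any check that runs on the raw string instead of on the parsed host is a candidate for item 22.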
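Items 9 and 31 (cookie flags and security headers) are checks you end up running against every response, so they are worth scripting. This added example (not from the original article) parses a constructed set of response headers and reports missing CSP, HSTS and framing protection plus each cookie's missing flags; the sample headers, cookie names, and the finding strings are all invented for the demo.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample response headers, standing in for what a proxy would show (not real traffic).
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a lowercase attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str) -> List[str]:
    """Report the flags a session cookie should carry (item 9)."""
    name, attrs = parse_set_cookie(value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: no SameSite attribute (browser default applies)")
    elif samesite == "none":
        # Browsers only honour SameSite=None together with Secure; either way the
        # cookie is sent on cross-site requests, which is the CSRF surface of item 25.
        findings.append(f"{name}: SameSite=None, sent on cross-site requests")
    return findings


def audit_response(headers: List[Header]) -> List[str]:
    """Missing CSP, HSTS and framing protection (item 31), then every Set-Cookie."""
    by_name: Dict[str, List[str]] = {}
    for key, val in headers:
        by_name.setdefault(key.lower(), []).append(val)
    findings: List[str] = []
    if "content-security-policy" not in by_name:
        findings.append("missing Content-Security-Policy")
    if "strict-transport-security" not in by_name:
        findings.append("missing Strict-Transport-Security")
    csp = " ".join(by_name.get("content-security-policy", [])).lower()
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp:
        # CSP frame-ancestors supersedes X-Frame-Options, so either one satisfies the check.
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    for cookie in by_name.get("set-cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```

A missing HttpOnly on a non-session cookie such as theme is low impact; the report flags it anyway so the triage decision (which cookies actually carry authentication) is made by the tester rather than silently by the script.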
Conclusion
Bug bounty hunting requires a methodical approach and a diverse toolset. By following this checklist, you can systematically assess a target’s security posture and uncover vulnerabilities more efficiently. Always ensure responsible disclosure and follow the program’s rules while testing.
Happy hunting!

