The Bug Hunter’s Recon Methodology
By: Tushar Verma
Slide 2
Whoami
Application Security Engineer
Synack Red Team Member
Bug Bounty Hunter
Infosec Trainer & Speaker
Slide 3
Agenda
• Scope Review for any program
• Before Recon
• After Recon
• Scope-based Recon
• Basic Methodology
• Tools and Automation frameworks
Slide 4
Scope review for any program
• Assets
• No. of reports resolved
• Payout
• Time to triage and Time to Bounty
Slide 5
Before Recon
• Company name
• Available scope
• Overview about the company business
• Information from program page related to security purposes
Slide 6
After Recon
• Service info
• Backend technology used
• Interesting Endpoints
• Juicy links which may be vulnerable
• More and more
Slide 7
Scope-based Recon
• Small Scope Target: a single URL such as a domain or subdomain (e.g. evil.com, info.evil.com)
• Medium Scope Target: a list of subdomains (e.g. *.evil.com)
• Large Scope Target: all websites related to the company are in scope
Slide 8
Basic Methodology
Target : *.evil.com
Slide 9
Tools and Automation Framework
• ReconFTW
• Project Bheem
• Osmedeus
Slide 10
Get in touch at
• Twitter: @e11i0t_4lders0n
• LinkedIn: /in/tushars25
• Instagram: @e11i0t_4lders0n__
• Email: [email protected]