⚠️ Note: This information is only meant for educational and ethical vulnerability research purposes. Author not responsible for any actions! You are advised to ethically report any vulnerability found to it's respective BBP/VDP Program.

1️⃣ Unique Phrase Recon leading to targeted subdomains

"You are accessing a" site:nasa.gov
"Employee Login" site:nasa.gov
"Employee" "Forgot password" site:nasa.gov
inurl:servlet/sm.web.Fetch site:nasa.gov
None

Sort by latest for newly indexed results.

None

2️⃣ Parameter Hunt via FOFA Dorking

domain="example.com" && body="new URLSearchParams"
domain="example.com" && body="params.get"
None
None

Quick Reference for beginners

None
https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams/get

3️⃣ API Documentation Hunting

site:nasa.gov "Swagger UI"
site:nasa.gov "JSON REST API"
site:nasa.gov "DELETE /" "/users" "PATCH /"
None

Some endpoints won't be documented, but it leads to PII leak.

Example directly visiting endpoint like /users , /allusers , /all_users

Sometimes you need not fuzz, it can be a guesswork as well 🤘

4️⃣ Github Source Code Recon

org:example "@app.route"
org:example "@app.get("
org:example "@app.post("
org:example "router.get("
org:example "router.post("
None

Find old API version

org:example "/api/" "/v1/"
org:example "/api/" "/v2/"

Admin Endpoints

org:example "/api/" "/admin/"
None

Websockets

org:example "new WebSocket("

Issues Hunt (Goldmine 😈)

None

Pull Requests

None

This is not directly related to this target, but in general tips & tricks.

First learn secure coding in various programming languages, then make a dictionary of patterns/ keyword that you can mass hunt everywhere.

None
None
Github Pull Request analysis for XSS prevention

Always ask 3 things

  1. What was the vulnerability reported ?
  2. How the developer patched the vulnerability ?
  3. Okay, now can we bypass it?

Hunting Niche: Bypassing already fixed vulnerabilities (fixed insecurely)

How it is possible to bypass ?

Even if the developer uses the strongest library / framework, they need to implement it the right way to prevent all edge case scenarios. Half knowledge is dangerous :)

That's the end for today! Want more deep recon techniques ? Check below 😎

Finding Hidden Assets — Deep Recon

Favicon Recon for Bug Hunters

cybersecuritywriteups.com

UrlScan Dorks for endpoints hiding behind ASN and Subnet

Hidden endpoint discovery techniques via Urlscan.io

medium.com

Shodan Recon Tips

Shodan Recon Tips Helpful shodan commands for pentesters and bug hunters Initialize Shodan with your API Key shodan…

meetcyber.net

Make sure you are enjoying the stuff to auto-unlock new potential 🤘

None
GIF by ARZZiO from GIPHY