# SKILL: Recon and Methodology — Expert Bug Bounty Playbook

> **AI LOAD INSTRUCTION**: Systematic recon and bug-finding methodology from top bug hunters. Covers subdomain enumeration, endpoint discovery, tech fingerprinting, and the hunter's mental model for finding bugs that others miss. Key insight: most high-severity bugs are found through systematic coverage, not just clever payloads.

---

## 1. RECON HIERARCHY

```
Target Selection
└── Scope Definition (in-scope assets)
    └── Asset Discovery (subdomains, IPs, domains)
        └── Tech Fingerprinting (what's running)
            └── Endpoint Discovery (attack surface)
                └── Vulnerability Testing (per vulnerability type)
```

---

## 2. SUBDOMAIN ENUMERATION (CRITICAL FIRST STEP)

### Passive (no DNS queries to target)

```bash
# Subfinder (aggregates multiple sources):
subfinder -d target.com -o subdomains.txt

# Amass passive:
amass enum -passive -d target.com

# crt.sh (certificate transparency):
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

# SecurityTrails API, Shodan:
# Web: https://securitytrails.com/list/apex_domain/target.com
```

### Active (DNS brute force + resolution)

```bash
# Massdns + wordlist:
massdns -r /path/to/resolvers.txt -t A -o S -w output.txt \
  <(cat wordlist.txt | sed 's/$/.target.com/')

# ffuf for subdomain brute:
ffuf -w subdomains-wordlist.txt -u https://FUZZ.target.com \
  -mc 200,301,302,403 -H "Host: FUZZ.target.com"

# DNSx for bulk resolution:
cat subdomains.txt | dnsx -a -resp -o resolved.txt

# Recommended wordlist: SecLists/Discovery/DNS/
```

### Virtual Host Discovery

```bash
# ffuf vhost mode:
ffuf -w wordlist.txt -u https://target.com \
  -H "Host: FUZZ.target.com" -mc 200,301,403

# gobuster vhost:
gobuster vhost -u https://target.com -w wordlist.txt
```

---

## 3. SERVICE AND PORT DISCOVERY

```bash
# Fast port scan (common ports):
nmap -T4 -F target.com -oN ports.txt

# Comprehensive scan on resolved subdomains:
cat resolved_ips.txt | nmap -iL - --open -p 80,443,8080,8443,8888,3000,5000 -oG scan.txt

# httpx for HTTP probing:
cat subdomains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# masscan for speed on large IP ranges:
masscan -p 80,443,8080,8443 10.0.0.0/8 --rate=1000
```

---

## 4. WEB TECHNOLOGY FINGERPRINTING

```bash
# Wappalyzer (browser extension) or:
whatweb https://target.com

# httpx with tech detection:
httpx -u https://target.com -tech-detect

# Check headers manually:
curl -sI https://target.com | grep -i "server\|x-powered-by\|x-generator\|cf-ray"

# Fingerprint from:
# - Server header: nginx/1.18, Apache/2.4, IIS/10.0
# - X-Powered-By: PHP/7.4, ASP.NET
# - Cookies: PHPSESSID (PHP), JSESSIONID (Java), _rails_session (Rails)
# - HTML comments: <!-- Drupal 9 -->
# - Meta generator: <meta name="generator" content="WordPress 6.2">
# - JS framework files: /static/js/angular.min.js
```

---

## 5. ENDPOINT DISCOVERY

### Directory Brute Force

```bash
# ffuf (fastest):
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -mc 200,301,302,403 -t 50 -o dirs.txt

# Gobuster:
gobuster dir -u https://target.com -w wordlist.txt -x php,html,js,json

# feroxbuster (recursive by default; -r follows redirects):
feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt -r
```

### Parameter Discovery

```bash
# Arjun (hidden parameter finder):
arjun -u https://target.com/api/endpoint

# x8:
x8 -u https://target.com/api/endpoint -w params-wordlist.txt
```

### JavaScript Source Mining

```bash
# Extract endpoints from JS files:
gau target.com | grep '\.js$' | httpx -mc 200 | xargs -I{} curl -s {} | \
  grep -oE '"/[a-zA-Z0-9/_-]+"' | sort -u

# LinkFinder:
python3 linkfinder.py -i https://target.com -d -o output.html

# GetAllURLs (gau):
gau target.com | sort -u > all_urls.txt

# Wayback URLs:
waybackurls target.com | sort -u > wayback_urls.txt
```

### API Endpoint Discovery

```bash
# Common API paths:
ffuf -u https://target.com/FUZZ -w /SecLists/Discovery/Web-Content/api/api-endpoints.txt

# Swagger/OpenAPI paths to test:
#   /swagger.json /api-docs /openapi.json /v2/api-docs /.well-known/ /docs/

# GraphQL paths to test:
#   /graphql /gql /v1/graphql /api/graphql
```

---

## 6. SOURCE CODE RECON

### GitHub / GitLab Exposure

```bash
# trufflehog (secret scanner in git history):
trufflehog git https://github.com/target-org/target-repo

# gitleaks:
gitleaks detect --source /path/to/cloned/repo

# Manual GitHub search:
# site:github.com "target.com" "api_key" OR "secret" OR "password"
# site:github.com "target.com" ".env" OR "config.php" OR "db_password"

# GitHub dorks:
# "target.com" extension:env
# "target.com" filename:*.config password
# org:target-org secret OR password OR apikey
```

### Exposed Environment Files

```
# Check common paths:
https://target.com/.env
https://target.com/.git/config
https://target.com/config.json
https://target.com/config.yaml
https://target.com/credentials.json
https://target.com/secrets.json
https://target.com/wp-config.php
https://target.com/backup.sql
https://target.com/backup.zip
```

---

## 7. ZSEANO'S TESTING METHODOLOGY

### Core Philosophy

1. **Go deep on one program** rather than spread across many — learn the application thoroughly
2. **Build a profile of the company** — tech stack, developers, processes
3. **Look where others don't** — check error pages, admin paths, old versions, mobile API
4. **Follow the filter** — if input is filtered somewhere, that functionality exists and may be bypassed

### Testing Sequence (One Page / Feature)

```
For each input point:
1. Non-malicious HTML tags (<h2>, <img>) → are they reflected?
2. Incomplete tags → what happens? (<iframe src=//evil.com )
3. Encoding tests → %0d, %0a, %09, <%00
4. Observe the OUTPUT too (not just response) — where does your input appear?
5. Test same input in ALL similarly-structured pages (shared code → shared vuln)
6. Check if the same parameter exists in mobile/API endpoint (less protected)
```

### Parameter Insights

```
- Each parameter tells a story: "what does this do server-side?"
- Filename → OS interaction → Path Traversal / CMDi
- URL/location → HTTP fetch → SSRF
- Template/HTML parameter → render function → SSTI
- XML field → parser → XXE
- SQL filter → query → SQLi
- User-content → storage → Stored XSS
```

---

## 8. BUG BOUNTY PROGRAM TRIAGE (WHERE TO SPEND TIME)

### High-Value Target Selection

```
✓ Programs with large scope (*.target.com)
✓ Programs that pay for P2/P3 (not just RCE)
✓ Programs with recent tech changes (migrations = new bugs)
✓ Programs with active development (new features = new attack surface)
× Avoid: frozen/old codebases with well-known CVEs (already claimed)
× Avoid: strict programs with narrow scope (less surface)
```

### High-Value Feature Focus (by bug probability)

```
Priority 1: Authentication, password reset, 2FA → account takeover
Priority 2: File upload, profile edit, API endpoints → stored XSS, IDOR
Priority 3: Admin panels, user management → BFLA, privilege escalation
Priority 4: Payment flows, subscription → business logic
Priority 5: Import/export, template rendering → XXE, SSTI
```

---

## 9. NUCLEI TEMPLATES (AUTOMATED SCANNING)

```bash
# Run all on target:
nuclei -u https://target.com -t /nuclei-templates/ -o nuclei-results.txt

# Specific categories:
nuclei -u https://target.com -t cves/ -severity critical,high
nuclei -u https://target.com -t exposures/
nuclei -u https://target.com -t misconfiguration/

# On subdomain list:
cat subdomains.txt | nuclei -t exposures/ -t misconfiguration/ -o exposed.txt
```

---

## 10. COMMON MISCONFIGURATIONS (QUICK WINS)

```
□ CORS: Access-Control-Allow-Origin: * with credentials → CSRF + data theft
□ S3 bucket public: curl https://target.s3.amazonaws.com/
□ Directory listing: response contains "Index of /"
□ .git exposed: curl https://target.com/.git/config
□ .env exposed: curl https://target.com/.env
□ Debug mode: stack traces in production (source code exposure)
□ Default credentials: admin:admin, admin:password on admin panels
□ phpinfo.php: curl https://target.com/phpinfo.php
□ Backup files: config.bak, database.sql.gz, app.zip
□ GraphQL introspection enabled: POST /graphql {"query":"{__schema{types{name}}}"}
□ Admin panels: /admin /manager /console /phpmyadmin /wp-admin
```

---

## 11. QUICK REFERENCE TOOLS

| Category | Tool |
|---|---|
| Subdomain enum | subfinder, amass, massdns |
| Port scan | nmap, masscan |
| HTTP probe | httpx |
| Dir brute | ffuf, feroxbuster, gobuster |
| JS mining | LinkFinder, gau, waybackurls |
| Secret scan | trufflehog, gitleaks |
| Parameter fuzz | arjun, x8 |
| Vuln scan | nuclei |
| Proxy/intercept | Burp Suite Pro |
| JWT attacks | jwt_tool |
| SQLi | sqlmap |
| XSS | dalfox, XSStrike |
| SSRF | SSRFmap, Gopherus |

---

## 12. JAVA MIDDLEWARE FINGERPRINT MATRIX

| Middleware | Detection Path | Key Indicators |
|---|---|---|
| Apache Tomcat | `/manager/html`, `/manager/status` | Default creds: `tomcat:tomcat`, `admin:admin` |
| JBoss / WildFly | `/jmx-console/`, `/web-console/` | JMX MBean access, WAR deployment |
| WebLogic | `/console/`, `/wls-wsat/` | T3 protocol on 7001/7002, IIOP |
| Spring Boot Actuator | `/actuator/`, `/actuator/env`, `/actuator/heapdump` | JSON endpoint listing, heap dump contains secrets |
| Spring Boot (alt paths) | `/actuator/jolokia`, `/actuator/gateway/routes` | Jolokia JMX bridge, Gateway route injection |
| Jenkins | `/script`, `/manage` | Groovy console, API token in cookie |
| GlassFish | `/common/`, `/theme/` | Admin on 4848, default empty password |
| Jetty | `/jolokia/` | JMX access |
| Resin | `/resin-admin/` | Admin panel |

### Spring Boot Actuator Exploitation Priority

```
/actuator/env → Leak environment variables (DB creds, API keys)
/actuator/heapdump → Download JVM heap → search for passwords in memory
/actuator/jolokia → JMX → possible RCE via MBean manipulation
/actuator/gateway/routes → Spring Cloud Gateway → SpEL injection (CVE-2022-22947)
/actuator/configprops → All configuration properties
/actuator/mappings → All URL mappings (hidden endpoints)
/actuator/beans → All Spring beans
/actuator/shutdown → POST to shutdown application (DoS)
```

---

## 13. INFORMATION LEAK DETECTION CHECKLIST

### Version Control & Backup Leaks

```
/.git/HEAD → Git repository exposed
/.svn/entries → SVN metadata
/.svn/wc.db → SVN SQLite database
/.hg/requires → Mercurial
/.bzr/README → Bazaar
/.DS_Store → macOS directory listing
```

### Backup File Patterns

```
/backup.zip /backup.tar.gz /backup.sql
/wwwroot.rar /www.zip /web.zip
/db.sql /database.sql /dump.sql
/config.php.bak /config.php~ /config.php.swp
/.config.php.swp /wp-config.php.bak
/.env /.env.bak /.env.production
```

### API Documentation & Debug

```
/swagger-ui.html → Swagger/OpenAPI
/swagger-ui/ → Swagger UI
/api-docs → API documentation
/graphql → GraphQL playground
/graphiql → GraphQL IDE
/debug/ → Debug endpoints
/phpinfo.php → PHP configuration
/server-status → Apache status
/server-info → Apache info
/nginx_status → Nginx status
```

### Cloud & Infrastructure

```
/.aws/credentials → AWS credentials
/.docker/config.json → Docker registry auth
/robots.txt → Disallowed paths (hint list)
/sitemap.xml → Full URL listing
/crossdomain.xml → Flash cross-domain policy
/.well-known/ → Various well-known URIs
```

---

URIs","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"recon-and-methodology","author":"@skillopedia","source":{"stars":853,"repo_name":"hack-skills","origin_url":"https://github.com/yaklang/hack-skills/blob/HEAD/skills/recon-and-methodology/SKILL.md","repo_owner":"yaklang","body_sha256":"54c352b9ee0ca913feb5146525c38709226745b23f321634c8a9c85d8e5fda61","cluster_key":"2278a7911693494f8df8c40e9c06ad8429f3a00943edd0d165b2773ab8ebd71a","clean_bundle":{"format":"clean-skill-bundle-v1","source":"yaklang/hack-skills/skills/recon-and-methodology/SKILL.md","bundle_sha256":"d01ac4c20b3ee3799cf9f34e887bae080e0332168dc0fd8c613822624c2c596c","attachment_count":0,"text_attachments":0,"binary_attachments":0},"cluster_size":1,"skill_md_path":"skills/recon-and-methodology/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"testing-qa","category_label":"Testing"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"testing-qa","import_tag":"clean-skills-v1","description":"Reconnaissance and methodology playbook. Use when mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new target."}},"renderedAt":1782981308220}
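The Spring Boot Actuator priority list and the section 13 information-leak checklist above say what to request, but a 200 status alone is weak evidence: many applications answer 200, or a soft-404 HTML page, for every path. The Python script below is an added example, not part of the original playbook. It probes a subset of those paths and only reports a hit when the body carries the artefact's own fingerprint (`ref:` or a 40-hex SHA for `/.git/HEAD`, the SQLite magic for `/.svn/wc.db`, `propertySources` in `/actuator/env`, the `Bud1` magic in `/.DS_Store`, and so on). It deliberately omits `/actuator/shutdown` (destructive) and `/actuator/heapdump` (a large download to confirm by hand once `/actuator` itself is verified) and caps every read at 256 KiB. The target URL, the `leak-check/0.1` User-Agent string and the responses in `CONSTRUCTED_RESPONSES` used by `demo()` are assumptions made for the example.

```python
"""Signature-validated probing of the leak and actuator paths listed above.
Added example: a 200 alone is not a finding. Every Check pairs a path with a
content fingerprint, so soft-404 pages served with 200 for any URL are ignored."""
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

MAX_BYTES = 256 * 1024  # never pull a heapdump-sized body during a scan


@dataclass(frozen=True)
class Check:
    path: str
    finding: str
    severity: str
    match: Callable[[bytes], bool]  # fingerprint the body must satisfy


def _json_has_key(key: str) -> Callable[[bytes], bool]:
    """Body must parse as a JSON object containing `key` (actuator endpoints)."""
    def _m(body: bytes) -> bool:
        try:
            doc = json.loads(body)
        except ValueError:
            return False
        return isinstance(doc, dict) and key in doc
    return _m


_DOTENV_LINE = re.compile(rb"^[A-Z][A-Z0-9_]*=", re.M)
_GIT_SHA = re.compile(rb"^[0-9a-f]{40}\s*$")  # detached HEAD

# /actuator/shutdown (destructive) and /actuator/heapdump (huge) are left out on
# purpose; confirm those by hand once /actuator itself is verified.
CHECKS: list[Check] = [
    Check("/.git/HEAD", "Git repository exposed", "high",
          lambda b: b.startswith(b"ref: ") or _GIT_SHA.match(b) is not None),
    Check("/.svn/wc.db", "SVN working-copy database", "high",
          lambda b: b.startswith(b"SQLite format 3\x00")),
    Check("/.env", "Environment file", "high",
          lambda b: len(_DOTENV_LINE.findall(b)) >= 2 and b"<html" not in b.lower()),
    Check("/actuator", "Spring Boot Actuator index", "medium", _json_has_key("_links")),
    Check("/actuator/env", "Spring Boot environment (credentials)", "high",
          _json_has_key("propertySources")),
    Check("/actuator/mappings", "Spring Boot URL mappings", "medium", _json_has_key("contexts")),
    Check("/phpinfo.php", "PHP configuration", "medium", lambda b: b"phpinfo()" in b),
    Check("/server-status", "Apache mod_status", "medium", lambda b: b"Apache Server Status" in b),
    Check("/.DS_Store", "macOS .DS_Store listing", "low", lambda b: b[:8] == b"\x00\x00\x00\x01Bud1"),
]


def classify(path: str, status: int, body: bytes) -> Optional[Check]:
    """Return the Check that (status, body) confirms for `path`, else None."""
    if status != 200:
        return None
    for check in CHECKS:
        if check.path == path and check.match(body):
            return check
    return None


def fetch(base_url: str, path: str, timeout: float = 8.0) -> tuple[int, bytes]:
    """GET base_url+path; body capped at MAX_BYTES. The User-Agent value is assumed."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"User-Agent": "leak-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(MAX_BYTES)
    except urllib.error.HTTPError as exc:
        return exc.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def scan(base_url: str, fetch_fn: Callable[[str, str], tuple[int, bytes]] = fetch) -> list[Check]:
    """Probe each CHECKS path once and return only fingerprint-confirmed hits."""
    return [c for c in CHECKS if classify(c.path, *fetch_fn(base_url, c.path)) is not None]


# Constructed responses standing in for a target that soft-404s with 200 + HTML.
CONSTRUCTED_RESPONSES: dict[str, tuple[int, bytes]] = {
    "/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "/.env": (200, b"DB_HOST=db.internal\nDB_PASSWORD=hunter2\nAPP_KEY=base64:abc=\n"),
    "/actuator/env": (200, b'{"activeProfiles":[],"propertySources":[{"name":"systemEnvironment"}]}'),
}
_SOFT_404 = (200, b"<html><body><h1>Welcome</h1></body></html>")


def constructed_fetch(base_url: str, path: str) -> tuple[int, bytes]:
    return CONSTRUCTED_RESPONSES.get(path, _SOFT_404)


def demo() -> list[str]:
    """Scan the constructed target; only the three real artefacts are reported."""
    return [c.path for c in scan("https://target.example", constructed_fetch)]


if __name__ == "__main__":
    import sys
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else scan("https://target.example", constructed_fetch)
    for hit in hits:
        print(f"[{hit.severity}] {hit.path}: {hit.finding}")
```

Run it as `python3 leak_check.py https://target.example` against a host in scope; with no argument it scans the constructed responses, where the soft-404 page is returned for every unknown path and correctly produces no hit for `/phpinfo.php`, `/server-status` or `/.svn/wc.db`. Extending it to the rest of the checklist is a matter of adding a `Check` with a real fingerprint; resist adding paths you can only recognise by status code, since those are exactly the ones that fill reports with noise.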
