Bug Bounty Checklist for Web App

---

Recon on wildcard domain

• Run amass
• Run subfinder
• Run assetfinder
• Run dnsgen
• Run massdns
• Use httprobe
• Run aquatone (screenshot for alive host)

Single Domain

Scanning

• Nmap scan
• Burp crawler
• ffuf (directory and file fuzzing)
• hakrawler/gau/paramspider
• Linkfinder
• Url with Android application

Manual checking

• Shodan
• Censys
• Google dorks
• Pastebin
• Github
• OSINT

Information Gathering

• Manually explore the site
• Spider/crawl for missed or hidden content
• Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
• Check the caches of major search engines for publicly accessible sites
• Check for differences in content based on User Agent (e.g., Mobile sites, access as a Search engine Crawler)
• Perform Web Application Fingerprinting
• Identify technologies used
• Identify user roles
• Identify application entry points
• Identify client-side code
• Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
• Identify co-hosted and related applications
• Identify all hostnames and ports
• Identify third-party hosted content
• Identify Debug parameters

Configuration Management

• Check for commonly used application and administrative URLs
• Check for old, backup and unreferenced files
• Check HTTP methods supported and Cross Site Tracing (XST)
• Test file extensions handling
• Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
• Test for policies (e.g. Flash, Silverlight, robots)
• Test for non-production data in live environment, and vice-versa
• Check for sensitive data in client-side code (e.g. API keys, credentials)

Secure Transmission

• Check SSL Version, Algorithms, Key length
• Check for Digital Certificate Validity (Duration, Signature and CN)
• Check credentials only delivered over HTTPS
• Check that the login form is delivered over HTTPS
• Check session tokens only delivered over HTTPS
• Check if HTTP Strict Transport Security (HSTS) in use

Authentication

• Test for user enumeration
• Test for authentication bypass
• Test for bruteforce protection
• Test password quality rules
• Test remember me functionality
• Test for autocomplete on password forms/input
• Test password reset and/or recovery
• Test password change process
• Test CAPTCHA
• Test multi factor authentication
• Test for logout functionality presence
• Test for cache management on HTTP (e.g Pragma, Expires, Max-age)
• Test for default logins
• Test for user-accessible authentication history
• Test for out-of channel notification of account lockouts and successful password changes
• Test for consistent authentication across applications with shared authentication schema / SSO

Session Management

• Establish how session management is handled in the application (e.g., tokens in cookies, token in URL)
• Check session tokens for cookie flags (httpOnly and secure)
• Check session cookie scope (path and domain)
• Check session cookie duration (expires and max-age)
• Check session termination after a maximum lifetime
• Check session termination after relative timeout
• Check session termination after logout
• Test to see if users can have multiple simultaneous sessions
• Test session cookies for randomness
• Check for token reuse
• Check for weak tokens (e.g., predictable tokens, tokens in URL)

Error Handling

• Test error messages for sensitive information disclosure
• Test application handling for invalid input
• Test error logging mechanisms (e.g., log files, logs in plaintext)
• Test exception handling and error responses
• Test responses to unexpected behavior or edge cases

Authorization

• Test for user role permissions and privilege escalation
• Test unauthorized access to functionality
• Test unauthorized access to API endpoints
• Test unauthorized access to objects and resources
• Test for access control by user (e.g., user A should not access user B's data)
• Test for global access to sensitive functions (e.g., admin panel)
• Test URL parameter manipulation for authorization checks

Data Validation

• Test for proper input validation (e.g., length, type, format)
• Test for proper output encoding (e.g., HTML, JavaScript, URL encoding)
• Test server-side validation
• Test client-side validation
• Test field whitelists and blacklists
• Test input filters (e.g., allowed characters)
• Test for correct data types (e.g., integer vs string)
• Test data length constraints
• Test for data sanitization (e.g., HTML, SQL, XSS sanitization)
• Test data integrity and consistency

Input Validation

• Test for SQL Injection (SQLi)
• Test for Cross-Site Scripting (XSS)
• Test for Remote Code Execution (RCE)
• Test for Local File Inclusion (LFI)
• Test for Remote File Inclusion (RFI)
• Test for Server-Side Request Forgery (SSRF)
• Test for Content Security Policy (CSP) issues
• Test for XML External Entity (XXE) vulnerabilities
• Test for Open Redirect vulnerabilities
• Test for Denial of Service (DoS) vulnerabilities