How I Do Web Application Hacking, Bug Hunting and Perform VAPT | My Detailed VAPT Methodology

Subh Dhungana
7 min readMay 17, 2023

Web application security testing, also known as VAPT (Vulnerability Assessment and Penetration Testing), plays a crucial role in ensuring the security of online systems. As a web application security enthusiast, I follow a systematic approach that combines various techniques and tools to identify vulnerabilities and potential exploits. In this article, I will share my methodology and techniques for web application hacking and performing VAPT.

Introduction

Welcome to the exciting world of web application hacking and vulnerability assessment and penetration testing (VAPT)! In this article, we will delve into the methodology and approach I adopt when targeting web applications for security testing, drawing insights from real-life experiences and bug bounty notes. Join me on this thrilling journey as we explore the strategies and techniques that can help uncover critical vulnerabilities and strengthen the security posture of web applications.

Steps

1. Reconnaissance

During the reconnaissance phase, the tester gathers information about the target web application. This includes identifying technologies used, discovering subdomains, and assessing the attack surface. For example, tools like Nmap can be used to scan for open ports and determine the operating system of the server hosting the application. Sublist3r can help in discovering subdomains associated with the target application. Google Dorks are specialized search queries used to find vulnerable websites or exposed information.

2. Scanning and Enumeration:

In this phase, the tester scans the target application for open ports, services, and potential vulnerabilities. Tools like Nessus can perform vulnerability scans, Nikto can identify common web server misconfigurations and vulnerabilities, and Burp Suite can intercept and analyze HTTP requests and responses for vulnerabilities. For example, Nessus can scan the target application and provide a report highlighting any discovered vulnerabilities, such as outdated software versions or misconfigurations.

3. Vulnerability Discovery:

After gathering information in the previous phases, the tester aims to discover specific vulnerabilities within the web application. This can be done through manual testing, automated vulnerability scanners, and fuzzing. For example, manual testing involves manually injecting SQL queries or malicious inputs into web forms to test for SQL injection or XSS vulnerabilities. Automated vulnerability scanners like Acunetix or OWASP ZAP can scan the web application for common vulnerabilities based on predefined rules. Fuzzing involves sending a large volume of unexpected inputs to the application to trigger unforeseen behavior or vulnerabilities.

4. Exploitation:

Once vulnerabilities are discovered, the tester proceeds to exploit them to gain unauthorized access, escalate privileges, or execute arbitrary code. This step demonstrates the potential impact of the vulnerabilities and the associated risks. The Metasploit Framework is a commonly used tool for this phase. For example, if a SQL injection vulnerability is discovered, the tester can use Metasploit to execute commands on the underlying database and extract sensitive information.

5. Post-Exploitation and Lateral Movement:

After gaining access to the target system, the tester explores further by performing post-exploitation activities and lateral movement. This involves escalating privileges, pivoting through the network, and gathering additional information. For example, the tester may attempt to gain administrative access or move laterally to other systems within the network to identify potential vulnerabilities or sensitive data.

6. Reporting and Remediation:

Finally, the tester compiles a comprehensive report detailing the vulnerabilities discovered, their potential impact, and actionable recommendations for remediation. The report provides guidance to developers and system administrators to address the identified issues effectively. It should include clear and concise explanations of the vulnerabilities and steps to mitigate them. Additionally, it may prioritize the vulnerabilities based on their severity to help stakeholders allocate resources for remediation effectively.

Initial Recon

The first step in any security testing engagement is conducting initial reconnaissance to gather information about the target. This phase involves finding relevant wordlists and exploring public bug bounty programs and dorks. Here are some resources I commonly use:

Wordlists

Public Bug Bounty Programs List & Dorks

I rely on popular bug bounty platforms like HackerOne, Bug Crowd, Cobalt, Synack, ImmuneFi, HackenProof, Huntr (OSS Bounty), as well as specific programs from companies like Facebook and Google. Additionally, I leverage bug bounty dorks to identify potential targets. Here are some examples:

  • Bug Bounty Popular Public Programs: Vulnerability Lab List of Bug Bounty Programs
  • Bug Bounty Dorks:
  • inurl:/bug bounty
  • inurl:/security
  • inurl:security.txt
  • inurl:security "reward"
  • inurl:/responsible disclosure
  • inurl:/responsible-disclosure/ reward
  • inurl:/responsible-disclosure/ swag
  • inurl:/responsible-disclosure/ bounty
  • inurl:'/responsible disclosure' hoodie
  • responsible disclosure swag r=h:com

Github Recon

Github can be a treasure trove for finding sensitive information and credentials. By utilizing Github dorks, I can discover valuable endpoints and subdomains. Here are some Github dork examples:

  • "company name or domain" client_id
  • "company name or domain" client_secret
  • "company name or domain" gh_token
  • "company name or domain" token
  • "company name or domain" github_token

I also search for sensitive words like passwords, API keys, access keys, and database credentials. Combining these sensitive words with well-known languages, such as JSON, Bash, Shell, or Java, can often yield fruitful results.

Bug Bounty Manual Simple Methodology

Once the initial recon is complete, I follow a simple bug bounty methodology to ensure comprehensive testing of web applications. This methodology focuses on manual testing and covers various areas of interest. Here are the steps I typically follow:

  1. Understand the functionality and purpose of the web application.
  2. Manually check all endpoints and test them based on your knowledge. Avoid relying solely on automation.
  3. Create a checklist of key areas to test, such as forgot password functionality, 2FA flow, CSRF on important requests, XSS (input and reflection), file upload functionality, and more.
  4. Look for business logic bugs, such as promoting a user to admin. Test scenarios where you can update a user from a normal account to an admin account and verify

Leveraging Burp Suite for Scope Control:

  • One essential aspect of bug bounty hunting is properly defining the scope of the target. Burp Suite’s Scope Control Regex feature enables hunters to define specific target domains and subdomains effectively. For example, using the regex .*.google.com$ or ..google..$, you can target all subdomains of google.com or any Google-related domain respectively.

Exploring Endpoints and Subdomains with Burp Suite:

  • Sometimes, certain endpoints and subdomains do not show a response in the browser, leading to frustration. In such cases, it is crucial to utilize the Burp Suite’s various tools. The Burp Repeater tab allows hunters to manually check requests and responses. Additionally, the Burp Intruder tab facilitates payload-based testing. The Burp History and Scan tabs also offer valuable insights into the target application.

Bypassing Validation Checks:

  • When encountering validation checks on parameters, it is worth attempting to bypass them by adding additional similar parameters. This technique involves observing any changes in the website’s response, which may indicate a bypass of the validation checks. For example, adding the parameter callback=";alertXSS_POC_BY_SAAJAN_BHUJEL;// to test for potential XSS vulnerabilities.

Bypassing Security Filters:

  • To uncover vulnerabilities like XSS, HTML injection, or SQL injection, it is essential to experiment with different bypass techniques. For instance, using encoded HTML tags such as &lt;h1&gt; instead of <h1> can bypass HTML injection filters. Exploring various methods and payloads can increase the chances of identifying security weaknesses.

Staying Updated and Targeting New Features:

  • To gain an edge in bug bounty hunting, it is crucial to stay informed about the latest developments from prominent companies such as Yahoo, PayPal, Airbnb, Facebook, etc. Following their Twitter pages, blogs, and news can provide insights into new features they are launching. Focusing on testing these new features increases the likelihood of finding bugs and vulnerabilities.

Leveraging Burp Suite and Other Tools:

  • Using Burp Suite in conjunction with the target is crucial for effective bug bounty hunting. Adding targets to scopes, enabling the proxy for recording target endpoints in Burp history, and utilizing tools like Burp Repeater, Extender, and Intruder tabs can significantly enhance the testing process. Crawl the target systematically, utilizing the power of Burp Suite’s features.

Harnessing External Sources for Subdomains and Endpoints:

  • Leverage various external sources to gather subdomains for further endpoint discovery. Tools like crt.sh, threatcrowd.org, hackertarget.com, and certspotter.com can provide valuable information. Combining these sources with web archiving services can reveal hidden and rare subdomains and endpoints.

Extensive Reconnaissance with Basic Checklist:

  • Performing thorough reconnaissance is essential for bug bounty hunting success. Following a basic checklist involving tools like ffuf, assetfinder, subfinder, amass, and waybackurls can aid in discovering subdomains, URLs, and potential vulnerabilities. Utilizing tools like httprobe, aquatone, and gau provides additional insights for testing.

Web application hacking and vulnerability assessment and penetration testing (VAPT) require a systematic and comprehensive approach to identify and address potential security vulnerabilities. By following a well-defined methodology, including initial reconnaissance, scanning and enumeration, vulnerability discovery, exploitation, post-exploitation, and reporting and remediation, security testers can effectively evaluate web applications for weaknesses. The initial reconnaissance phase involves gathering information about the target web application, such as identifying technologies used, discovering subdomains, and assessing the attack surface. Tools like Nmap, Sublist3r, and Google Dorks can assist in this process. Scanning and enumeration help identify open ports, services, and vulnerabilities within the target application. Tools like Nessus, Nikto, and Burp Suite are commonly used for vulnerability scanning, identifying misconfigurations, and analyzing HTTP requests and responses. Vulnerability discovery involves manual testing, automated vulnerability scanners, and fuzzing techniques. Testers inject malicious inputs, perform manual tests, and utilize tools like Acunetix and OWASP ZAP for automated vulnerability scanning. Fuzzing involves sending unexpected inputs to the application to uncover unforeseen vulnerabilities. Once vulnerabilities are discovered, the tester proceeds to exploit them using tools like the Metasploit Framework. This step demonstrates the potential impact of the vulnerabilities and associated risks. Post-exploitation and lateral movement involve further exploration of the target system, including privilege escalation, network pivoting, and gathering additional information.

Finally, a comprehensive report is compiled, highlighting the vulnerabilities discovered, their potential impact, and recommended actions for remediation. The report guides developers and system administrators in addressing the identified issues effectively. Throughout the process, tools like Burp Suite play a crucial role, aiding in scope control, endpoint exploration, and bypassing validation checks and security filters. Staying updated with the latest developments and targeting new features of web applications enhances the chances of finding vulnerabilities.

Additionally, harnessing external sources for subdomains and endpoints, conducting extensive reconnaissance using a basic checklist, and leveraging tools like ffuf, assetfinder, subfinder, amass, and waybackurls contribute to a thorough assessment of web applications. By following this methodology and utilizing the appropriate tools and techniques, web application security testers can uncover critical vulnerabilities and contribute to improving the overall security posture of online systems.

Thank You
Shubham Dhungana,
Security Analyst, Penetration Tester, Bug Bounty Hunter
VAPT, Red Team | Offensive Security

--

--

Subh Dhungana

Security Analyst, Penetration Tester, Bug Bounty Hunter | Offensive, Red Team, VAPT