Linux Commands Cheat sheet for Web Application Hacking

Subh Dhungana
Aug 7, 2022

The commands in this cheat sheet are useful for finding bugs in web applications. Bug bounty hunters in particular use them to find vulnerabilities in web applications.

Many cyber security enthusiasts, especially those in the bug bounty and penetration testing domain, get confused in the beginning phase about how to get started.

These are the commands that I used most often while penetration testing and while doing bug bounties.

So let's get started.

Tools Used:

i) Subfinder

ii) Assetfinder

iii) Amass

iv) Httpx

v) Aquatone

vi) Gau

vii) Waybackurls

viii) GF

ix) ffuf

Commands Used:

> subfinder -d target.com | tee subf.txt (subdomain enumeration 1)

> assetfinder -subs-only target.com | tee ast.txt (subdomain enumeration 2)

> amass enum -passive -d target.com | tee amass.txt (subdomain enumeration 3)

> cat subf.txt ast.txt amass.txt | sort -u | tee subdomains.txt (merging and de-duplicating subdomains)

> cat subdomains.txt | httpx | tee liveSubdomains.txt (filtering live subdomains)

> cat liveSubdomains.txt | aquatone (taking screenshots of subdomains)

> cat liveSubdomains.txt | gau | tee gau.txt (fetching URLs 1)

> cat liveSubdomains.txt | waybackurls | tee wayback.txt (fetching URLs 2)

> cat gau.txt wayback.txt | sort -u | fff | tee urls.txt (sorting)

> cat urls.txt | gf xss | tee xss.txt (potentially XSS-vulnerable endpoints)

> cat urls.txt | gf ssrf | tee ssrf.txt (potentially SSRF-vulnerable endpoints)

> cat urls.txt | gf upload-fields | tee upload-fields.txt (endpoints with upload fields)

> cat urls.txt | gf sqli | tee sqli.txt (potentially SQLi-vulnerable endpoints)

> cat urls.txt | gf rce | tee rce.txt (potentially RCE-vulnerable endpoints)

> ffuf -u https://target.com/FUZZ -w /root/Desktop/wordlistlocationfile.txt (fuzzing)
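An added example, not part of the original post: a scope filter for the merge step above, so that only hostnames under the authorized root domain reach httpx and the later steps. Passive sources often return look-alike or unrelated names, and a plain `sort -u` keeps them. The function name `in_scope`, the exclusion file and the sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# in_scope ROOT [EXCLUDE_FILE]
# Reads hostnames on stdin and prints, sorted and unique, only those that are
# ROOT itself or a true subdomain of ROOT, minus exact names in EXCLUDE_FILE.
in_scope() {
  scope_root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  scope_excl=${2:-/dev/null}          # optional list of out-of-scope hosts
  tr 'A-Z' 'a-z' | tr -d ' \t\r' |                 # normalise case, strip CR/space
    sed -e 's/^\*\.//' -e 's/\.$//' |              # drop "*." prefix and trailing dot
    awk -v root="$scope_root" '
      # Match on a label boundary: "nottarget.com" and
      # "target.com.evil.example" must not pass for root "target.com".
      $0 == root { print; next }
      length($0) > length(root) + 1 &&
        substr($0, length($0) - length(root)) == ("." root) { print }
    ' |
    # Plain hostnames only: rejects URLs, ports, and names starting with "-"
    # (which a later tool could read as a command-line option).
    grep -E '^[a-z0-9_][a-z0-9_-]*(\.[a-z0-9_-]+)+$' |
    LC_ALL=C sort -u |
    { grep -vxFf "$scope_excl" || true; }
}

# Demo on constructed input (no network access, no real targets).
demo() {
  demo_excl=$(mktemp)
  printf '%s\n' 'blog.target.com' > "$demo_excl"   # constructed exclusion list
  in_scope target.com "$demo_excl" <<'EOF'
API.target.com
*.dev.target.com
api.target.com.
nottarget.com
target.com.evil.example
https://shop.target.com
blog.target.com
target.com
-oops.target.com
EOF
  rm -f "$demo_excl"
}

demo
```

In the pipeline above this would replace the bare `sort -u` in the merge step, for example `cat subf.txt ast.txt amass.txt | in_scope target.com out-of-scope.txt | tee subdomains.txt`, where `out-of-scope.txt` is a hypothetical file listing hosts the program excludes.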

Bonus Dorks

i) inurl /bug bounty, inurl:security "reward" --> for finding bug bounty programs

ii) ssl:"target.com" --> Shodan dorks

iii) ["target.com" password], [*.target.com], ["target.com" key], ["target.com" credentials] --> GitHub dorks for sensitive disclosure

iv) seclists --> payload

v) Project Discovery --> for finding bug bounty targets

Thanks.

Shubham Dhungana

Cyber Security Researcher
