By name: bb-methodology description: Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
Bug Bounty Methodology: Workflow + Mindset
Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.
PART 1: MINDSET (How to Think)
Core Principle
Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.
Daily Discipline: Define, Select, Execute
Before touching any tool:
- Define: "Today I target [feature/domain] to achieve [CIA impact]"
- Select: Choose 1-2 vuln classes (IDOR, Race Condition, etc.)
- Execute: Focus ONLY on selected techniques. No wandering.
5 Ultimate Goals (Pick One Per Session)
- Confidentiality -- steal data the attacker shouldn't see
- Integrity -- modify data the attacker shouldn't change
- Availability -- disrupt service (app-level DoS only)
- Account Takeover -- control another user's account
- RCE -- execute commands on the server
4 Thinking Domains
1. Critical Thinking (deep analysis)
Question trust boundaries:
- Frontend control disabled? Send request directly via proxy
user_role=usercookie? Change toadminprice=1000in POST? Change to1<script>blocked? Try<img onerror=...>
Reverse-engineer developer psychology:
- Feature A has auth checks -> Similar feature B (newly added) probably doesn't
- Complex flows (coupon + points + refund) -> Edge cases have bugs
/api/v2/userexists -> Does/api/v1/userstill work with weaker auth?
What-If experiments:
- Skip checkout -> hit
/checkout/successdirectly - Skip 2FA -> navigate to
/dashboard - Send coupon request 10x simultaneously -> Race condition?
- Replace
guid=f8a2...withid=100on sibling endpoint -> IDOR?
2. Multi-Perspective (multiple angles)
| Perspective | What to check |
|---|---|
| Horizontal (same role) | User A's token + User B's ID -> IDOR |
| Vertical (different role) | Regular user -> /admin/deleteUser |
| Data flow (proxy view) | Hidden params in JSON: debug=false, discount_rate |
| Time/State | Race conditions, post-delete session reuse |
| Client environment | Mobile UA -> legacy API with weaker auth |
| Business impact | "What's the $ damage if this breaks?" |
3. Tactical Thinking (pattern detection)
- Naming anomaly:
userIdeverywhere but suddenlyuser_id-> different dev, weaker security - Error diff: Same 403 but different JSON structure -> different backend systems
- 200 but wrong body length/content:
200 OKwith tiny response or "just a moment" text → WAF soft block, not a real response. Runbypass_403.shto confirm and get baseline diff. - Environment diff: Prod vs Dev/Staging -> debug headers, CSP disabled
- Version diff: JS file before/after update -> new endpoints, removed params
- Supply chain: Check framework/library versions for known CVEs
- Third-party integration: Stripe/Auth0/Intercom -> webhook signature missing?
4. Strategic Thinking (big picture)
- Asymmetry: Defender must patch ALL holes. You only need ONE.
- Intuition engineering: Log why something "feels wrong." Verify later. Update mental DB.
- Unknown management: Can't understand something? Add to "investigate later" list. Just-in-Time Learning.
5. AI-Assisted Thinking (model as a second analyst)
Use AI to expand hypotheses, not to declare verdicts. The model is a fast adversarial planner; the browser, proxy, and live requests are the proof layer.
- Decompose the feature: ask for actors, assets, entry points, state transitions, and trust boundaries.
- Generate sibling paths: versioned endpoints, mobile routes, legacy APIs, alternate roles, and admin-only variants.
- Build a role matrix: anonymous, user A, user B, stale session, fresh session, admin, service account.
- Ask for dev shortcuts: "Where would a tired developer skip a check or reuse a helper?"
- Ask for chains: "If this bug is real, what bug B and C sit next to it?"
- Turn ideas into requests: every AI suggestion must become a single reproducible HTTP experiment.
- Kill weak signals fast: if AI cannot point to a concrete request, response diff, or cross-account delta, the idea stays as a hypothesis.
High-signal prompts:
- "Given this endpoint and feature, list the 10 most likely trust-boundary mistakes."
- "What sibling endpoints, methods, or roles should I test next?"
- "Which bug class would a rushed implementation likely miss here?"
- "What does the smallest proof request look like?"
- "What would make this become a real report instead of a scanner hit?"
Amateur vs Pro: 7-Phase Comparison
| Phase | Amateur | Pro |
|---|---|---|
| Recon | Main domain only | Shadow IT, dev environments, all assets |
| Discovery | Look for errors | Look for design contradictions, business logic flaws |
| Exploit | Give up when blocked | Build filter-bypass payloads |
| Escalation | Report the phenomenon only | Chain to real harm (session steal, ATO) |
| Feasibility | Include unrealistic conditions | Minimize attack prerequisites |
| Reporting | State facts only | Quantify business risk |
| Retest | Check if old PoC fails | Analyze fix method, find incomplete patches |
Two Approach Routes
- Route A (Feature-based): "This feature is complex" -> deep-dive its input handling -> find vuln
- Route B (Vuln-based): "I want IDOR" -> find endpoints with sequential IDs -> test access control
Anti-Patterns (Stop Doing These)
- Program hopping: Stick with one target minimum 2 weeks / 30 hours
- Tool-only hunting: Automation finds duplicates. Manual testing finds unique bugs.
- Rabbit hole: Max 45 min per parameter. Set a timer. If stuck, sleep on it.
- No goal: "Just looking around" = wasted time. Always Define first.
PART 2: WORKFLOW (What to Do)
The 5-Phase Non-Linear Flow
+-------------------------------------------------+
| |
| +----------+ +----------+ +----------+ |
| | 1. RECON |---+| 2. MAP |---+| 3. FIND | |
| +----------+ +-----+----+ +-----+-----+ |
| ^ | | |
| | v v |
| | +----------+ +----------+ |
| +----------| 4. PROVE |---+| 5. REPORT| |
| +----------+ +----------+ |
| |
| Non-linear: stuck at any phase -> go back |
| New API found at phase 3 -> return to phase 2 |
| WAF blocks at phase 4 -> origin IP from phase 1 |
+-------------------------------------------------+
THIS IS NOT LINEAR. Move freely between phases. When stuck, return to a previous phase.
Phase 0: SESSION START (Every Time)
Before touching any tool, answer these:
- Define: "Today I target [feature/domain] to achieve [C/I/A/ATO/RCE]"
- Select: Choose 1-2 vuln classes (IDOR, XSS, SSRF, etc.)
- Execute: Focus ONLY on selected techniques
- Identity: Anonymous or authenticated? If the bugs you're hunting need a
session (IDOR, BOLA, privilege escalation, auth bypass, mass-assignment),
load auth once at session start — see
docs/auth-sessions.md. Then every downstream tool (httpx, katana, ffuf, nuclei, dalfox, PoC verifiers) sends those headers automatically and audit log entries are stamped with a stablesession_idhash.
Route selection -- Wide or Deep?
| Signal | Wide (recon sweep) | Deep (focused testing) |
|---|---|---|
| New program, first day | X | |
Wildcard scope *.target.com |
X | |
| Main webapp, been here >3 days | X | |
| Scope update (new domain added) | X | |
| Found interesting subdomain | X | |
| Hunting IDOR / BOLA / auth bugs | X (auth-aware) |
Phase 1: RECON
Goal: Maximize attack surface. Find what others missed.
Wide approach (initial sweep):
Subdomain enum -> DNS resolution -> HTTP probing -> Port scan -> Tech detect
Deep approach (targeted):
Google Dorks -> JS file download -> Hidden param discovery -> API mapping
| What you find | Next action |
|---|---|
| Live subdomains with tech stack | Phase 2 (Mapping) |
| Known software (WordPress, Jira) | Check CVEs + defaults immediately |
| Cloud resources (S3, Firebase) | Test permissions (read/write/list) |
| 403 or 200 + block page on endpoint | tools/bypass_403.sh <url> auto-detects soft blocks (200+block-body). Verdict: bypassed/needs_review/blocked. If all blocked after 5 min, skip |
| Nothing after 5 min on a host | Skip, try next host (5-minute rule) |
Command: /recon target.com
Phase 2: MAPPING & ANALYSIS
Goal: Understand the app like its developer does.
Checklist:
- Map all endpoints (Burp/Caido sitemap + JS analysis)
- Identify auth model (cookie, JWT, OAuth, SAML?)
- Find business-critical flows (payment, registration, password reset, data export)
- Download and analyze JS files for hidden routes, secrets, logic
- Identify roles and permissions (user, admin, API keys)
- Note "weird" behaviors (anomalies in naming, errors, timing)
| What you find | Next action |
|---|---|
| JS files with interesting code | Taint analysis (Sink -> Source) |
| OAuth/SAML authentication | OAuth/SAML checklist |
| API with ID parameters | Phase 3, target IDOR |
| Complex business logic (payment, coupon) | Phase 3, target BizLogic |
| postMessage listeners | DOM analysis, postMessage-tracker |
Phase 3: VULNERABILITY DISCOVERY
Goal: Find the bug. Use Error-based first, then Blind-based.
Decision flow based on what you're testing:
What input are you testing?
+-- ID parameter (user_id, order_id)
| -> IDOR checklist
+-- Search/filter/sort field
| -> SQLi, NoSQLi probing
+-- URL input / webhook / PDF gen
| -> SSRF checklist
+-- Text field reflected in page
| -> XSS (DOM or reflected)
+-- File upload
| -> SVG XSS, web shell, path traversal
+-- Price/quantity/coupon
| -> Business logic, race conditions
+-- Login / 2FA / password reset
| -> Auth bypass
+-- Profile update API
| -> Mass Assignment
+-- Template / wiki editor
| -> SSTI
+-- Nothing obvious
-> Fuzz with ffuf, try Error-based probing
Error vs Blind decision:
- Try Error-based first (send
',",{{7*7}},${7*7}) -- watch for 500 errors, stack traces - No error? Time-based (
SLEEP(10),; sleep 10;) -- watch response time - No time diff? OOB (
curl attacker.com, interactsh) -- watch for DNS callback - Still nothing? Boolean (
AND 1=1vsAND 1=0) -- watch content-length diff
| What you find | Next action |
|---|---|
| Low-impact behavior (redirect, self-XSS, cookie injection) | Chain it -- find a connector gadget |
| Confirmed vuln (XSS, IDOR, SQLi) | Phase 4 (Prove and Escalate) |
| Blocked by WAF/CSP/403 or soft-block 200 | /bypass-403 <url> → check verdict (not just status) → tools/waf_encoder.py "<payload>" → if upload: tools/multipart_mutator.py → 5 min, kill |
| Known software vuln (CVE) | 1-day speed workflow |
| Nothing after 20 min on this endpoint | Rotate (20-minute rule) |
Phase 4: PROVE & ESCALATE
Goal: Prove maximum business impact. Turn Low into Critical.
Escalation decision:
What did you find?
+-- XSS
| +-- Can steal cookie/token? -> Session hijack -> ATO
| +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
| +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
| +-- Can read PII? -> Automate scraping, show scale
| +-- Can change password/email? -> Direct ATO
| +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
| +-- DNS only? -> DON'T REPORT. Try cloud metadata
| +-- Can reach 169.254.169.254? -> Extract keys -> RCE
| +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
| +-- Error-based? -> Extract data (passwords, tokens)
| +-- Can INTO OUTFILE? -> Web shell -> RCE
| +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
| +-- OAuth flow? -> Token theft -> ATO
| +-- javascript: scheme? -> XSS
+-- Blocked by defense
| -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
-> Find connector gadget for chain
After proving impact, check:
- Can attack work with 0-1 clicks? (minimize prerequisites)
- Does it affect all users or specific role?
- What's the business $ impact?
Phase 5: VALIDATE & REPORT
Goal: Get paid. Make triager's job easy.
Pre-report gate:
Run /validate (7-Question Gate)
+-- All 7 pass? -> Write report
+-- Any fail? -> KILL the finding. Don't waste time.
+-- Borderline? -> Run /triage for quick go/no-go
Report:
Run /report
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do)
+-- Exact HTTP requests in Steps to Reproduce
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact
After submission:
- While waiting for triage: try to escalate further (A->B signal method)
- If fix deployed: re-test for bypass (incomplete patch = new bug)
- Record finding with
/rememberfor hunt memory
PART 3: NAVIGATION & TIMING
Non-Linear Navigation Quick Reference
| I'm stuck because... | Go to... |
|---|---|
| Can't find any subdomains | Phase 1: Try different recon sources, Google Dorks |
| Found subdomain but don't know what to test | Phase 2: Map the app, download JS, understand auth |
| Testing but nothing works | Phase 3: Switch vuln class (20-min rotation rule) |
| Found a bug but impact is low | Phase 4: Escalation paths or gadget chaining |
| WAF/CSP/403 blocking my payload | /bypass-403 → fingerprint WAF → waf_encoder.py variants → kill if 5 min spent (403 even after /bypass-403 + WAF fingerprint + waf_encoder.py variants) |
| Been stuck for 45 min on one param | STOP. Rabbit hole. Move to next endpoint. |
| New API endpoint discovered during testing | Return to Phase 2: map it before attacking |
| Found one bug | A->B signal: same dev made more mistakes. Hunt 20 min for siblings. |
20-Minute Rotation Clock
Every 20 minutes ask yourself: "Am I making progress?"
- Yes -> Continue
- No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
- Been on same target 2+ weeks with no findings? -> Consider switching program
Tool Routing by Phase
| Phase | Tools | Why this order |
|---|---|---|
| Recon: Subdomains | subfinder -> amass -> puredns -> httpx |
Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack |
| Recon: URLs | gau + waymore -> katana -> uro |
Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate |
| Recon: JS | jsluice + mantra + trufflehog --only-verified |
Extract URLs/secrets -> find API keys -> verify keys actually work |
| Recon: Ports | naabu (wide) -> rustscan (deep) |
Fast top-1000 sweep -> full 65535 on interesting targets |
| Recon: Scan | nuclei -tags cve -> nuclei -tags takeover |
Known CVEs first -> then takeover (act immediately) |
| Mapping: Params | arjun + paramspider + ParamMiner |
Brute-force hidden params + mine archives + cache headers |
| Mapping: JS code | Download -> jsluice -> VS Code/Cursor grep |
Extract -> static analysis -> AI-assisted taint analysis |
| Mapping: Dorks | Manual Google Dorks | Custom per-target queries find what automation misses |
| Discovery: Fuzz | ffuf -ac + cewl custom wordlist |
Auto-calibrate filtering + target-specific words beat generic lists |
| Discovery: XSS | kxss -> dalfox |
Filter (which params reflect?) -> scan (only reflective params) |
| Discovery: SQLi | ghauri |
Modern blind SQLi on ID-like parameters |
| Discovery: SSRF | interactsh-client |
Self-hosted OOB listener for blind SSRF/XXE/RCE |
| Discovery: WAF | wafw00f -> whatwaf |
Identify WAF vendor -> test bypass techniques |
| Exploit: 403 | byp4xx or nomore403 |
20+ bypass techniques automated |
| Exploit: Takeover | subzy |
Checks CNAME against 70+ vulnerable services |
| Exploit: Cloud | s3scanner + aws CLI |
Scan bucket permissions -> extract metadata credentials |
| Exploit: Secrets | trufflehog --only-verified |
Only verified working keys (no false positives) |
Session End Checklist
- Save all Burp/Caido project files
- Record any "weird but not yet exploitable" behaviors (future gadgets)
- Update notes with failed attempts (don't re-test with same techniques)
- Log findings with
/remember