️♂️ The Complete Beginner’s Guide to Bug Bounty Reconnaissance: Live Hunting on PayPal
quality 7/10 · good
0 net
🕵️♂️ The Complete Beginner's Guide to Bug Bounty Reconnaissance: Live Hunting on PayPal | by Krishna Kumar - Freedium
Milestone: 20GB Reached
We’ve reached 20GB of stored data — thank you for helping us grow!
Patreon
Ko-fi
Liberapay
Close
< Go to the original
🕵️♂️ The Complete Beginner's Guide to Bug Bounty Reconnaissance: Live Hunting on PayPal
Based on "Live bug bounty hunting on Hackerone | Live Recon | part 2" by The Cyberboy
Krishna Kumar
Follow
~10 min read
·
April 1, 2026 (Updated: April 1, 2026)
·
Free: No
TL;DR: Bug bounty reconnaissance is the systematic process of discovering attack surfaces before hunting for vulnerabilities. This guide walks through the complete workflow — from checking program scope on HackerOne, to using tools like subfinder, assetfinder, and ffuf for subdomain discovery, to verifying live domains with httpx, and finally using Google dorking and web archives to find hidden gems. The key is methodical enumeration: more surfaces you find, more chances you have to discover bugs.
🚀 Introduction: Why Reconnaissance Matters
Picture yourself as a treasure hunter standing before a massive castle. You can't just walk through the front door — it's locked tight and heavily guarded.
But what if the castle has dozens of side entrances, forgotten windows, or crumbling walls? Your job is to map every single opening before anyone else finds them.
This is exactly what reconnaissance (or "recon" for short) means in bug bounty hunting. It's the art of discovering as many web addresses, endpoints, and attack surfaces as possible for your target company.
The Cyberboy demonstrates this beautifully in his live hunt on PayPal's bug bounty program. By the end of this article, you'll understand every tool and technique he uses, and you'll be ready to apply them to your own targets.
📋 Step 1: Know Your Scope (HackerOne)
Before you point a single tool at a target, you need to understand what's in scope . In bug bounty programs, companies specify exactly which domains, apps, and assets they're willing to accept vulnerability reports for.
The Cyberboy opens HackerOne and navigates to PayPal's bug bounty program. The scope section reveals critical information about what's fair game for hunting.
For PayPal specifically, the scope includes assets marked as "Critical" severity, which means finding vulnerabilities here could earn significant bounties. Understanding scope prevents you from wasting time on assets that won't qualify for rewards.
🔍 Step 2: Technology Reconnaissance with Censys
Once you know your target domains, it's time to understand what technologies they use. This is like figuring out what materials a castle is built from — knowing it's made of stone versus wood changes your approach entirely.
The Cyberboy uses Censys , a powerful internet search engine that aggregates data about publicly accessible hosts. When you search for "paypal.com", Censys returns a wealth of information including IP addresses, subdomains, running services, and software versions.
You can see things like:
Which servers are running Apache versus nginx
What operating systems are in use (Ubuntu, OpenBSD)
Open ports and services (HTTP, SSH, SMTP)
Associated subdomains discovered through various sources
This information helps you tailor your hunting approach. If you see PHP is in use, you know to look for PHP-specific vulnerabilities. If nginx appears frequently, that's your area of focus.
🌐 Step 3: Subdomain Discovery
The Foundation of Recon
This is where the real fun begins. Subdomains are like all the different doors and windows around your castle — each one represents a potential entry point.
Certificate Transparency Logs (crt.sh)
The Cyberboy first visits crt.sh, a website that logs SSL/TLS certificates. Whenever a company creates a new subdomain with HTTPS, it often generates a certificate that's publicly recorded.
Searching for "paydiant.com" reveals numerous subdomains that might not appear anywhere else. This is completely passive reconnaissance — you're not touching the target's servers at all.
VirusTotal Passive DNS
Next comes VirusTotal, which maintains a massive database of passive DNS records. The Cyberboy finds over 6,700 subdomains for paydiant.com through this single source!
VirusTotal also categorizes domains by business type and provides popularity rankings, helping you understand which subdomains might be most valuable to investigate.
ProjectDiscovery Chaos
ProjectDiscovery offers a free Chaos dataset that aggregates subdomain data from numerous sources. The Cyberboy navigates to projectdiscovery.io/chaos and finds that PayPal has 16,246 subdomains documented.
Even better, you can download this data as a zip file directly. This gives you a massive head start on your enumeration efforts without running a single scanner.
Automated Subdomain Enumeration: Subfinder
Now it's time to use command-line tools that automate the entire process. Subfinder is one of the most popular subdomain discovery tools, and it queries dozens of passive sources simultaneously.
The Cyberboy runs: sudo subfinder -d paydiant.com -all > domain1.txt
The results are impressive: 4,445 subdomains discovered in just over 2 minutes. The "-all" flag tells subfinder to use every available data source, maximizing your results.
Assetfinder: Another Powerful Option
Assetfinder is a complementary tool created by Tom Hudson. While subfinder queries external APIs, assetfinder uses a different methodology that often finds subdomains others miss.
The Cyberboy runs: sudo assetfinder -subs-only paydiant.com > domain2.txt
This yields 488 subdomains — a smaller number, but these might be unique finds not discovered by subfinder.
⚡ Step 4: Brute Force Enumeration with FFUF
What if you could guess subdomains that haven't been documented anywhere? That's exactly what brute forcing does. You use wordlists containing common subdomain names and systematically try each one.
FFUF (Fuzz Faster U Fool) is a powerful web fuzzer that excels at this task. The Cyberboy demonstrates: ffuf -u https://FUZZ.paydiant.com -w n0kovo_subdomains/n0kovo_subdomains_medium.txt -o domain3.txt
The "FUZZ" keyword tells ffuf where to substitute words from the wordlist. This particular wordlist contains 500,000 potential subdomain names. While the Cyberboy skips ahead due to time constraints, this technique can discover hidden subdomains that passive enumeration completely misses.
⚠️ Important : Brute forcing generates significant traffic to your target. Always check the bug bounty program's rules about active scanning before proceeding!
📊 Step 5: Combining and Deduplicating Results
After running multiple tools, you'll have several files containing subdomains. Some subdomains will appear in multiple files, and you need to combine them intelligently.
The Cyberboy uses a simple but effective approach: sort -u domain1.txt domain2.txt > domain.txt
The sort command combines the files, and the "-u" flag removes duplicates. This yields 4,545 unique subdomains from the two tools.
✅ Step 6: Finding Live Domains with HTTPX
Having a list of 4,545 subdomains is great, but many of these might point to abandoned servers, deprecated infrastructure, or domains that no longer resolve to anything.
HTTPX solves this problem by testing each subdomain to see if it responds to HTTP/HTTPS requests. Only the "live" domains are worth investigating further.
The Cyberboy runs: cat domain.txt | sudo httpx > live_domains.txt
The results reveal 1,700 domains that actually respond to web requests — still a massive surface area to investigate, but much more manageable than the full list.
HTTPX also categorizes responses, showing which domains return errors, which are vulnerable, and which are protected by web application firewalls.
🔓 Step 7: Subdomain Takeover Detection with Nuclei
One of the most valuable bug categories in bug bounty hunting is subdomain takeover . This vulnerability occurs when a company's subdomain points to a service they've discontinued or forgotten about.
Imagine if PayPal had a subdomain like "old-service.paypal.com" that once pointed to a third-party service. If that third-party service shut down but PayPal forgot to remove the DNS record, an attacker could register that service and hijack the subdomain.
Nuclei is a vulnerability scanner with templates specifically designed to detect subdomain takeovers. The Cyberboy runs: nuclei -l live_domains.txt -t nuclei-templates/detect-all-takeovers.yaml
The templates check for known vulnerable configurations across dozens of services like AWS, GitHub Pages, Heroku, and many others. While the scan didn't find takeovers in this session (which is actually good news for PayPal!), this technique regularly uncovers critical vulnerabilities.
🕸️ Step 8: URL Discovery with Katana
Subdomains give you entry points, but URLs give you the actual pages and endpoints within those subdomains. Finding all URLs is like mapping every room in every building on your castle grounds.
Katana is a web crawler that systematically visits websites and extracts every link, parameter, and endpoint it encounters. The Cyberboy demonstrates: katana -u http://code.paydiant.com -o urls.txt
The crawler discovers numerous URLs including search parameters, file paths, and API endpoints. These URLs often contain the actual vulnerability research goldmine.
After crawling, The Cyberboy uses grep to filter results: cat urls.txt | grep search
This reveals search-related URLs that might be vulnerable to injection attacks or information disclosure.
🛠️ Step 9: Automating Everything with OneForAll
For those who want an all-in-one solution, OneForAll attempts to automate the entire subdomain enumeration pipeline. It combines passive enumeration, brute forcing, and verification into a single command.
The Cyberboy runs: python3 oneforall.py --targets ./live_domains.txt run
While the tool generates warnings about certain domains and requests fail, OneForAll still produces consolidated results that would take hours to compile manually.
🔎 Step 10: Google Dorking
Searching Like a Hunter
Sometimes the most valuable information isn't on the target's servers — it's about the target on other sites. Google dorking uses special search operators to find exposed files, documentation, and vulnerabilities.
Rather than memorizing complex search syntax, The Cyberboy uses the "Search Engine For Bug Bounty Hunters" tool at nitiyadoo.github.io. This website provides pre-built dorks for common vulnerability searches.
What Can You Find with Dorking?
Exposed credentials : Searches like "site:paydiant.com password" or "site:paydiant.com api_key"
Configuration files : Looking for ".env" files or "config" directories
Database backups : Finding ".sql" files or "backup" directories
Directory listings : Discovering exposed folders with "index of"
phpinfo files : Server configuration leaks
The Cyberboy tries numerous dorks against paydiant.com:
site:paydiant.com credentials
site:paydiant.com token
site:paydiant.com admin
site:paydiant.com database
site:paydiant.com upload
site:paydiant.com backup
While these specific searches don't return results for PayPal (which makes sense — they're well-protected!), these techniques regularly uncover vulnerabilities on other targets.
⏮️ Step 11: Web Archive
Time Travel for Hackers
The Internet Archive's Wayback Machine (web.archive.org) is like a time machine for websites. It has captured billions of web pages over decades, and sometimes it reveals forgotten pages that still exist but aren't linked anywhere.
The Cyberboy navigates to web.archive.org and explores historical captures of paydiant.com. He finds pages from 2013 that reveal old functionality, forgotten endpoints, and potentially vulnerable features that might still exist somewhere in the system.
By browsing old pages and clicking through links, The Cyberboy discovers URLs like: paydiant.com/component/search/?Itemid=247&catid=126&id=181&format=opensearch
These archived URLs can lead to active endpoints that might still be vulnerable.
💻 Step 12: GitHub Searching
Developers sometimes accidentally commit sensitive information to public GitHub repositories. Searching GitHub for your target's domain can reveal:
Exposed API keys
Hardcoded credentials
Private configuration files
Internal documentation
Source code leaks
The Cyberboy uses the bug bounty search engine to query GitHub for "paydiant.com", finding zero results. This is actually good news for PayPal's security — either their developers are careful, or their repositories are properly private.
However, this technique frequently works for smaller organizations or specific project repositories.
📈 The Complete Recon Workflow
Putting it all together, here's the complete reconnaissance workflow The Cyberboy demonstrates:
Check program scope on HackerOne to understand what's in bounds
Gather technology data with Censys to understand the target's infrastructure
Discover subdomains using passive sources (crt.sh, VirusTotal, Chaos)
Run automated tools like subfinder and assetfinder
Brute force with ffuf for guesses that passive tools miss
Combine and deduplicate results with sort -u
Verify live domains with httpx
Check for takeovers using nuclei templates
Crawl for URLs with katana
Google dork for exposed files and credentials
Explore archives using the Wayback Machine
Search GitHub for leaked information
🎯 Key Takeaways
Reconnaissance is foundational : The more surfaces you discover, the more opportunities you'll find. Great hackers spend more time on recon than actual exploitation.
Multiple tools = better results : Each subdomain enumeration tool has different sources and methods. Combining them gives you the most complete picture.
Not everything will be vulnerable : The Cyberboy didn't find critical bugs in this session, and that's completely normal. Bug hunting is a numbers game.
Tools are just the start : Automated tools find surfaces, but human analysis finds vulnerabilities. Use tools to build your list, then investigate each entry manually.
Stay within scope : Only target assets listed in the bug bounty program's scope. Hunting out-of-scope targets can have legal consequences.
Passive recon is always safe : Tools like crt.sh, VirusTotal, and Censys only use public data. You can't get in trouble for looking at what's already public.
🛠️ Tools Referenced in This Guide
HackerOne : Bug bounty platform where programs list their scope
Censys : Internet scanning database for technology discovery
crt.sh : Certificate transparency log search
VirusTotal : Security data aggregator with Passive DNS
ProjectDiscovery Chaos : Free subdomain dataset
Subfinder : Automated subdomain enumeration tool
Assetfinder : Alternative subdomain discovery tool
FFUF : Web fuzzer for brute force enumeration
HTTPX : HTTP client for verifying live domains
Nuclei : Vulnerability scanner with takeover detection
Katana : Web crawler for URL discovery
OneForAll : All-in-one subdomain enumeration
Wayback Machine : Historical website archive
📚 References
PayPal Bug Bounty Program on HackerOne
Censys Internet Scanner
Certificate Transparency Search
VirusTotal
ProjectDiscovery Chaos
Subfinder on GitHub
Assetfinder on GitHub
FFUF on GitHub
HTTPX on GitHub
Nuclei on GitHub
Katana on GitHub
Internet Archive Wayback Machine
Bug Bounty Search Engine Tool
Remember: Every expert was once a beginner. The Cyberboy's video shows that methodical, patient reconnaissance is the foundation of successful bug hunting.
Start practicing these techniques on legitimate bug bounty targets, and you'll be surprised how much you discover. Happy hunting! 🎯
#bug-bounty #cybersecurity #technology #programming #tech
Reporting a Problem
Sometimes we have problems displaying some Medium posts.
If you have a problem that some images aren't loading - try using VPN. Probably you have problem with
access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).