After Finding Subdomains - Bug Hunting Guide

by x32x01
🛡️ What To Do After Finding Subdomains - Complete Bug Hunting Workflow 🐞
Beginners often ask:
👉 “I found subdomains… what should I do next?” 🤔

⚠️ Important truth: Subdomain enumeration is just the first step.
The real bug hunting begins after this stage.

Here’s a step-by-step workflow followed by professional bug bounty hunters 👇

1️⃣ Directory Bruteforcing 📂​

Scan all subdomains for directories using tools like:
  • ffuf
  • dirsearch
  • feroxbuster
🎯 Look for:
  • Admin panels
  • APIs
  • Backup folders
  • Old or dev directories
Code:
ffuf -u https://sub.target.com/FUZZ -w common_dirs.txt

2️⃣ GitHub Dorking 🧑‍💻​

Search for leaked code or secrets on GitHub:
Code:
org:target "api_key"
org:target "token"
org:target "password"
🎯 You may find:
  • API keys
  • Hidden endpoints
  • Hardcoded credentials

3️⃣ Google Dorking 🔍​

Use Google to uncover hidden attack surfaces:
Code:
site:sub.target.com inurl:?
site:sub.target.com ext:php
site:sub.target.com "error"
🎯 Finds:
  • Parameters
  • Debug pages
  • Forgotten URLs

4️⃣ Parameter FUZZing 🔑​

Many endpoints hide critical parameters. Use:
  • ffuf
  • ParamSpider
  • Arjun
🎯 Hidden parameters often lead to:
  • IDOR
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)

5️⃣ Virtual Host FUZZing 🌐​

Some applications run on hidden virtual hosts:
Code:
ffuf -H "Host: FUZZ.target.com" -u https://target.com
🎯 May expose:
  • Admin portals
  • Internal services

6️⃣ Wayback & Historical URLs 🕰️​

Extract old URLs using:
  • gau
  • waybackurls
🎯 Old endpoints = higher chance of vulnerabilities

7️⃣ JavaScript File Hunting 📜​

Collect JS files from crawling, Wayback, or manual browsing.
🎯 JS files often contain:
  • API endpoints
  • Tokens & secrets
  • Business logic flaws

8️⃣ Subdomain Crawling 🕷️​

Deeply crawl subdomains with:
  • GoSpider
  • Hakrawler
🎯 Finds:
  • Hidden routes
  • Internal APIs
  • Parameters

9️⃣ Send Crawl Data to Burp Suite 🔁​

Import all results into Burp Suite:
  • Analyze requests
  • Identify parameters
  • Understand app flow

🔟 Send Wayback & GAU URLs to Burp​

Replay old endpoints:
  • Many still work
  • Some lack proper security checks

1️⃣1️⃣ Send All JS URLs to Burp​

Manually review JS requests:
  • Find undocumented APIs
  • Modify parameters

1️⃣2️⃣ Parameter Testing in Burp Repeater 🎯​

Test parameters for:
  • SQL Injection
  • XSS
  • Command Injection
  • IDOR
  • SSTI

1️⃣3️⃣ Param Miner (Burp Extension) ⛏️

Use Param Miner to discover:
  • Hidden parameters
  • Backend-only endpoints
  • HTTP headers

1️⃣4️⃣ Technology-Specific FUZZing 🧪​

If you find: .php, .asp, .aspx, then:
  • Fuzz directories
  • Use Param Miner in High Intensity mode
Example: something.asp?FUZZ=1

1️⃣5️⃣ 401 / 403 Bypass Testing 🚪​

Test restricted pages using:
  • Path traversal: ..;, %2e%2e/
  • Header manipulation
🎯 High impact bugs often live here

1️⃣6️⃣ Intruder Scan When Stuck ⚔️​

If parameters are found but no bug yet:
  • Send request to Intruder
  • Select parameter → right-click → Scan insertion point

1️⃣7️⃣ Active Scanning with Extensions 🚀​

Use Burp extensions like:
  • Active Scan++
  • Scanner++
  • Autorize
🎯 Helps find:
  • Logic bugs
  • Missing authorization
  • Injection issues

1️⃣8️⃣ Found Directory but No Bug? 🔄​

Don’t give up:
  • Google dork that directory
  • GitHub dork again
  • Search parameters related to it

1️⃣9️⃣ JavaScript Secrets Review 🔐​

Manually analyze JS files for:
  • API keys
  • Tokens & AWS keys
  • Internal endpoints
🎯 JS analysis alone can lead to critical bugs

🔥 Final Tip​

Bug hunting isn’t about tools - it’s about patience, curiosity, and deep analysis.
📌 Subdomains don’t give bugs - your mindset does. 🧠
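
The `..;` and `%2e%2e/` patterns in step 15 work when the layer enforcing 401/403 and the server behind it disagree about which path a request names. As an added example (not part of the original post), this Python sketch shows the defensive fix: canonicalize the path before the access check. The `/admin` rule, the function names and the sample paths are assumptions made for illustration.

```python
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin",)  # assumed access rule, for illustration only


def canonical_path(raw_path: str, max_decodes: int = 3) -> str:
    """Reduce a request path to the form a lenient backend would serve."""
    path = raw_path
    for _ in range(max_decodes):  # %252e%252e -> %2e%2e -> ..
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:
        raise ValueError("too many encoding layers")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # "..;" becomes ".." once ;params are dropped
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def naive_decide(raw_path: str, authenticated: bool) -> int:
    """Weak form: the rule is matched against the raw, uncanonicalized path."""
    return 403 if is_protected(raw_path) and not authenticated else 200


def decide(raw_path: str, authenticated: bool) -> int:
    """Hardened form: canonicalize first, then apply the same rule."""
    try:
        canon = canonical_path(raw_path)
    except ValueError:
        return 400
    return 403 if is_protected(canon) and not authenticated else 200


# Constructed sample paths using the two patterns named in step 15.
SAMPLES = ["/admin/users", "/public/..;/admin/users", "/public/%2e%2e/admin/users"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:30} naive={naive_decide(p, False)} hardened={decide(p, False)}")
```

The backend should also be handed the canonical path rather than the raw one, so that both layers act on the same string.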
 