After Finding Subdomains - Bug Hunting Guide

What To Do After Finding Subdomains - Complete Bug Hunting Workflow
Many beginners often ask:
“I found subdomains… what should I do next?”

Important truth: Subdomain enumeration is just the first step.
The real bug hunting begins after this stage.

Here’s a step-by-step workflow followed by professional bug bounty hunters

Directory Bruteforcing ​

Scan all subdomains for directories using tools like:

• ffuf
• dirsearch
• feroxbuster

Look for:

• Admin panels
• APIs
• Backup folders
• Old or dev directories

ffuf -u https://sub.target.com/FUZZ -w common_dirs.txt

GitHub Dorking ​

Search for leaked code or secrets on GitHub:

org:target "api_key"
org:target "token"
org:target "password"

You may find:

• API keys
• Hidden endpoints
• Hardcoded credentials

Google Dorking ​

Use Google to uncover hidden attack surfaces:

site:sub.target.com inurl:?
site:sub.target.com ext:php
site:sub.target.com "error"

Finds:

• Parameters
• Debug pages
• Forgotten URLs

Parameter FUZZing ​

Many endpoints hide critical parameters. Use:

• ffuf
• ParamSpider
• Arjun

Hidden parameters often lead to:

• IDOR
• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)

Virtual Host FUZZing ​

Some applications run on hidden virtual hosts:

ffuf -H "Host: FUZZ.target.com" -u https://target.com

May expose:

• Admin portals
• Internal services

Wayback & Historical URLs ​

Extract old URLs using:

• gau
• waybackurls

Old endpoints = higher chance of vulnerabilities

JavaScript File Hunting ​

Collect JS files from crawling, Wayback, or manual browsing.
JS files often contain:

• API endpoints
• Tokens & secrets
• Business logic flaws

Subdomain Crawling ​

Deeply crawl subdomains with:

• GoSpider
• Hakrawler

Finds:

• Hidden routes
• Internal APIs
• Parameters

Send Crawl Data to Burp Suite ​

Import all results into Burp Suite:

• Analyze requests
• Identify parameters
• Understand app flow

Send Wayback & GAU URLs to Burp​

Replay old endpoints:

• Many still work
• Some lack proper security checks

Send All JS URLs to Burp​

Manually review JS requests:

• Find undocumented APIs
• Modify parameters

Parameter Testing in Burp Repeater ​

Test parameters for:

• SQL Injection
• XSS
• Command Injection
• IDOR
• SSTI

Parameter Miner (Burp Extension) ​

Use Param Miner to discover:

• Hidden parameters
• Backend-only endpoints
• HTTP headers

Technology-Specific FUZZing ​

If you find: .php, .asp, .aspx, then:

• Fuzz directories
• Use Param Miner in High Intensity mode

Example: something.asp?FUZZ=1

401 / 403 Bypass Testing ​

Test restricted pages using:

• Path traversal: ..;, %2e%2e/
• Header manipulation

High impact bugs often live here

Intruder Scan When Stuck ​

If parameters are found but no bug yet:

• Send request to Intruder
• Select parameter → right-click → Scan insertion point

Active Scanning with Extensions ​

Use Burp extensions like:

• Active Scan++
• Scanner++
• Autorize

Helps find:

• Logic bugs
• Missing authorization
• Injection issues

Found Directory but No Bug? ​

Don’t give up:

• Google dork that directory
• GitHub dork again
• Search parameters related to it

JavaScript Secrets Review ​

Manually analyze JS files for:

• API keys
• Tokens & AWS keys
• Internal endpoints

JS analysis alone can lead to critical bugs

Final Tip​

Bug hunting isn’t about tools - it’s about patience, curiosity, and deep analysis.
Subdomains don’t give bugs - your mindset does.