  • Small Scope

Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs.

  •  Directory Enumeration
  •  Technology Fingerprinting
  •  Port Scanning
  •  Parameter Fuzzing
  •  Wayback History
  •  Known Vulnerabilities
  •  Hardcoded Information in JavaScript
  •  Domain Specific GitHub & Google Dorking
  •  Broken Link Hijacking
  •  Data Breach Analysis
  •  Misconfigured Cloud Storage
  • Medium Scope

Usually the scope is a wildcard scope, where all subdomains are part of the scope.

  •  Subdomain Enumeration
  •  Subdomain Takeover
  •  Probing & Technology Fingerprinting
  •  Port Scanning
  •  Known Vulnerabilities
  •  Template Based Scanning (Nuclei/Jaeles)
  •  Misconfigured Cloud Storage
  •  Broken Link Hijacking
  •  Directory Enumeration
  •  Hardcoded Information in JavaScript
  •  GitHub Reconnaissance
  •  Google Dorking
  •  Data Breach Analysis
  •  Parameter Fuzzing
  •  Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
  •  IP Range Enumeration (If in Scope)
  •  Wayback History
  •  Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
  •  Heartbleed Scanning
  •  General Security Misconfiguration Scanning
  • Large Scope

Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by the organization.

  •  Tracking & Tracing every possible signature of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.)
  •  Subsidiary & Acquisition Enumeration (Depth – Max)
  •  Reverse Lookup
  •  ASN & IP Space Enumeration and Service Identification
  •  Subdomain Enumeration
  •  Subdomain Takeover
  •  Probing & Technology Fingerprinting
  •  Port Scanning
  •  Known Vulnerabilities
  •  Template Based Scanning (Nuclei/Jaeles)
  •  Misconfigured Cloud Storage
  •  Broken Link Hijacking
  •  Directory Enumeration
  •  Hardcoded Information in JavaScript
  •  GitHub Reconnaissance
  •  Google Dorking
  •  Data Breach Analysis
  •  Parameter Fuzzing
  •  Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
  •  IP Range Enumeration (If in Scope)
  •  Wayback History
  •  Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
  •  Heartbleed Scanning
  •  General Security Misconfiguration Scanning
  •  And any possible Recon Vector (Network/Web) can be applied.

Source: Link
