// Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
Bug Bounty Methodology: Workflow + Mindset
Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.
PART 1: MINDSET (How to Think)
Core Principle
Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.
Daily Discipline: Define, Select, Execute
Before touching any tool:
Define: "Today I target [feature/domain] to achieve [CIA impact]"
Identity: Anonymous or authenticated? If the bugs you're hunting need a
session (IDOR, BOLA, privilege escalation, auth bypass, mass-assignment),
load auth once at session start — see docs/auth-sessions.md. Then
every downstream tool (httpx, katana, ffuf, nuclei, dalfox, PoC verifiers)
sends those headers automatically and audit log entries are stamped with
a stable session_id hash.
Route selection -- Wide or Deep?
Signal
Wide (recon sweep)
Deep (focused testing)
New program, first day
X
Wildcard scope *.target.com
X
Main webapp, been here >3 days
X
Scope update (new domain added)
X
Found interesting subdomain
X
Hunting IDOR / BOLA / auth bugs
X (auth-aware)
Phase 1: RECON
Goal: Maximize attack surface. Find what others missed.
Wide approach (initial sweep):
Subdomain enum -> DNS resolution -> HTTP probing -> Port scan -> Tech detect
Deep approach (targeted):
Google Dorks -> JS file download -> Hidden param discovery -> API mapping
What you find
Next action
Live subdomains with tech stack
Phase 2 (Mapping)
Known software (WordPress, Jira)
Check CVEs + defaults immediately
Cloud resources (S3, Firebase)
Test permissions (read/write/list)
Nothing after 5 min on a host
Skip, try next host (5-minute rule)
Command: /recon target.com
Phase 2: MAPPING & ANALYSIS
Goal: Understand the app like its developer does.
Checklist:
Map all endpoints (Burp/Caido sitemap + JS analysis)
Identify auth model (cookie, JWT, OAuth, SAML?)
Find business-critical flows (payment, registration, password reset, data export)
Download and analyze JS files for hidden routes, secrets, logic
Identify roles and permissions (user, admin, API keys)
Note "weird" behaviors (anomalies in naming, errors, timing)
What you find
Next action
JS files with interesting code
Taint analysis (Sink -> Source)
OAuth/SAML authentication
OAuth/SAML checklist
API with ID parameters
Phase 3, target IDOR
Complex business logic (payment, coupon)
Phase 3, target BizLogic
postMessage listeners
DOM analysis, postMessage-tracker
Phase 3: VULNERABILITY DISCOVERY
Goal: Find the bug. Use Error-based first, then Blind-based.
Decision flow based on what you're testing:
What input are you testing?
+-- ID parameter (user_id, order_id)
| -> IDOR checklist
+-- Search/filter/sort field
| -> SQLi, NoSQLi probing
+-- URL input / webhook / PDF gen
| -> SSRF checklist
+-- Text field reflected in page
| -> XSS (DOM or reflected)
+-- File upload
| -> SVG XSS, web shell, path traversal
+-- Price/quantity/coupon
| -> Business logic, race conditions
+-- Login / 2FA / password reset
| -> Auth bypass
+-- Profile update API
| -> Mass Assignment
+-- Template / wiki editor
| -> SSTI
+-- Nothing obvious
-> Fuzz with ffuf, try Error-based probing
Error vs Blind decision:
Try Error-based first (send ', ", {{7*7}}, ${7*7}) -- watch for 500 errors, stack traces
No error? Time-based (SLEEP(10), ; sleep 10;) -- watch response time
No time diff? OOB (curl attacker.com, interactsh) -- watch for DNS callback
Still nothing? Boolean (AND 1=1 vs AND 1=0) -- watch content-length diff
Goal: Prove maximum business impact. Turn Low into Critical.
Escalation decision:
What did you find?
+-- XSS
| +-- Can steal cookie/token? -> Session hijack -> ATO
| +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
| +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
| +-- Can read PII? -> Automate scraping, show scale
| +-- Can change password/email? -> Direct ATO
| +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
| +-- DNS only? -> DON'T REPORT. Try cloud metadata
| +-- Can reach 169.254.169.254? -> Extract keys -> RCE
| +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
| +-- Error-based? -> Extract data (passwords, tokens)
| +-- Can INTO OUTFILE? -> Web shell -> RCE
| +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
| +-- OAuth flow? -> Token theft -> ATO
| +-- javascript: scheme? -> XSS
+-- Blocked by defense
| -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
-> Find connector gadget for chain
After proving impact, check:
Can attack work with 0-1 clicks? (minimize prerequisites)
Does it affect all users or specific role?
What's the business $ impact?
Phase 5: VALIDATE & REPORT
Goal: Get paid. Make triager's job easy.
Pre-report gate:
Run /validate (7-Question Gate)
+-- All 7 pass? -> Write report
+-- Any fail? -> KILL the finding. Don't waste time.
+-- Borderline? -> Run /triage for quick go/no-go
Report:
Run /report
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do)
+-- Exact HTTP requests in Steps to Reproduce
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact
After submission:
While waiting for triage: try to escalate further (A->B signal method)
If fix deployed: re-test for bypass (incomplete patch = new bug)
Record finding with /remember for hunt memory
PART 3: NAVIGATION & TIMING
Non-Linear Navigation Quick Reference
I'm stuck because...
Go to...
Can't find any subdomains
Phase 1: Try different recon sources, Google Dorks
Found subdomain but don't know what to test
Phase 2: Map the app, download JS, understand auth
Testing but nothing works
Phase 3: Switch vuln class (20-min rotation rule)
Found a bug but impact is low
Phase 4: Escalation paths or gadget chaining
WAF/CSP/403 blocking my payload
Bypass techniques, then return to current phase
Been stuck for 45 min on one param
STOP. Rabbit hole. Move to next endpoint.
New API endpoint discovered during testing
Return to Phase 2: map it before attacking
Found one bug
A->B signal: same dev made more mistakes. Hunt 20 min for siblings.
20-Minute Rotation Clock
Every 20 minutes ask yourself: "Am I making progress?"
Yes -> Continue
No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
Been on same target 2+ weeks with no findings? -> Consider switching program
Tool Routing by Phase
Phase
Tools
Why this order
Recon: Subdomains
subfinder -> amass -> puredns -> httpx
Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack
Recon: URLs
gau + waymore -> katana -> uro
Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate
Recon: JS
jsluice + mantra + trufflehog --only-verified
Extract URLs/secrets -> find API keys -> verify keys actually work
Recon: Ports
naabu (wide) -> rustscan (deep)
Fast top-1000 sweep -> full 65535 on interesting targets
Recon: Scan
nuclei -tags cve -> nuclei -tags takeover
Known CVEs first -> then takeover (act immediately)
