$50-$500 worth Information Disclosure Bug Automation

Uncover Hidden/Secret methods to find Sensitive Information Disclosures

Friend Link | Free Link

Hi geeks, it4chis3c (Twitter) came-up with another bounty earning write-up in the Bug Bounty Hunting Series:

It4chis3c

Bug Bounty Hunting Series

View list

28 stories

Credit: DALL-E

Why Information Disclosure Matters

Information disclosure vulnerabilities expose sensitive data such as hidden directories, server versions, backup files, or misconfigured permissions. These leaks are goldmines for attackers (and bug hunters!) because they often lead to more critical vulnerabilities like SSRF, RCE, or authentication bypasses.

In this guide, you’ll learn how to weaponize tools like DirBuster, FFUF, Gobuster, Nmap, and Nikto with advanced real-world tactics. We’ll also share secret tips used by top hunters to bypass defenses and maximize results.

Advanced Wordlist Tactics

A. Hybrid Attacks

Combine directory and file wordlists for maximum coverage:

# Merge wordlists  
cat directory-list.txt file-list.txt > combined.txt  

# FFUF with parallel scanning  
ffuf -w combined.txt -u https://target.com/FUZZ -t 100

B. Mutation Rules

Use rules to modify words (e.g., admin → Admin, ADMIN, admin123):

# FFUF with rule-based mutations  
ffuf -w wordlist.txt -u https://target.com/FUZZ -e .php -maf rules/dynamic-script.rule

Rules Example:

append:123  
prepend:test  
uppercase

C. Target-Specific Customization

• For PHP Sites: Prioritize .php, .inc, .phtml.
• For Java Apps: Fuzz .jsp, .do, .action.
• For APIs: Test /v1, /v2, /graphql, /swagger-ui.

Directory Enumeration

FFUF & Gobuster (General Web Apps)

Wordlist: directory-list-2.3-medium.txt (SecLists)

Why: Balanced coverage of common directories (e.g., /admin, /backup) without excessive bloat.

Download:

git clone https://github.com/danielmiessler/SecLists.git  

• Path: SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
• Advanced Tip: Combine with dynamic rules for depth:

# FFUF: Append extensions while fuzzing  
ffuf -w directory-list-2.3-medium.txt -u https://target.com/FUZZ -e .php,.bak,.old  

# Gobuster: Specify extensions  
gobuster dir -u https://target.com -w directory-list-2.3-medium.txt -x php,bak,old  

API/Modern Web Apps

Wordlist: api-wordlist.txt (Custom)

Why: Targets routes like /v1/users, /graphql, or /swagger.json.

Build Your Own:

1. Extract endpoints from JS files using LinkFinder.
2. Scrape GitHub for the target’s API docs (search site:github.com "target.com/api").
3. Merge with raft-medium-words.txt (SecLists).

• Sample Command:

ffuf -w api-wordlist.txt -u https://target.com/FUZZ -mc 200 -H "Content-Type: application/json"  

File Enumeration

Common Files (Backups, Configs, Logs)

Wordlist: raft-large-files.txt (SecLists)

• Why: Covers backup.zip, .env, config.php, and more.
• Path: SecLists/Discovery/Web-Content/raft-large-files.tx

Pro Tip: For FUZZING FILENAMES WITH TIMESTAMPS (e.g., backup_20231001.tar):

# Generate date-based wordlists  
for i in {2020..2023}; do echo "backup_${i}"; done > dates.txt  
ffuf -w dates.txt -u https://target.com/FUZZ.tar  

Sensitive File Extensions

Wordlist: Custom list for high-value extensions:

.env  
.git  
.svn  
.htaccess  
.bak  
.swp  
.tar.gz  

Usage:

# FFUF  
ffuf -w extensions.txt -u https://target.com/indexFUZZ  

# Gobuster  
gobuster dir -u https://target.com -w extensions.txt -s 200,301 -x env,git,bak  

Cloud-Specific Enumeration

AWS S3/GCP Buckets

Wordlist: bucket-names.txt (Custom)

• Why: Cloud buckets often use names like prod-target-assets or target-backup.
• Build Strategy:
• Use the target’s name/abbreviations (e.g., target-prod, tgts3).
• Merge with cloud-buckets.txt from SecLists.

Command:

ffuf -w bucket-names.txt -u https://FUZZ.s3.amazonaws.com -mc 200 -fs 0  

Kubernetes/Internal Paths

Wordlist: kubernetes.txt (Custom)

• Include Paths:

/k8s/  
/kubernetes/  
/api/v1/namespaces  
/metrics  
/healthz  

• Download: Use Discovery/Web-Content/raft-large-directories.txt (SecLists) as a base.

Server Headers & Misconfigurations

Tool 1: Nmap

Why Use It?
Nmap identifies server versions, open ports, and HTTP misconfigurations.

Basic Command:

nmap -sV --script=http-headers,http-title -p 80,443 target.com  

• -sV: Service version detection
• --script: Run specific NSE scripts

Advanced Tactics:

1. Check Dangerous HTTP Methods:

nmap -p 80,443 --script http-methods --script-args http-methods.url-path='/admin' target.com  

• Look for PUT, DELETE, or TRACE methods enabled.

2. Find Directory Listings:

nmap --script http-enum -p 80 target.com  

Secret Trick: Use http-shellshock script to test for Shellshock vulns in CGI endpoints.

Tool 2: Nikto

Why Use It?
Nikto automates checks for 6,000+ vulnerabilities, including outdated servers and insecure headers.

Basic Command:

nikto -h https://target.com  

Advanced Flags:

1. Evade Detection:

nikto -h target.com -Tuning 1 -evasion 8  

• -Tuning 1: Scan only “interesting” files
• -evasion 8: URL-encode requests

1. Check Specific Issues:

nikto -h target.com -Plugins "apache_expect_xss"  

Pro Tip: Parse Nikto’s output for:

• X-Powered-By headers (e.g., PHP 5.2.4 → exploit!)
• Server: Apache/2.4.7 (Ubuntu) → Check for CVEs.

Secret Tips from Real-World Hunts

1. The .git/.svn Heist:
   Found a .git directory? Use git-dumper to download the entire repo and check for API keys/hardcoded secrets.
2. Backup File Extensions:
   Always test www.zip, backup.tar, or index.php~ (common editor backups).
3. Header Hacking:

• Use curl -I https://target.com to quickly check headers.
• Hunt for X-Debug-Token (exposes debug pages) or X-AspNet-Version.

4. Proxy Everything:
Route traffic through Burp Suite to manually inspect interesting responses.

Automation & Reporting

1. Bash Scripting:
   Automate scans and save outputs for reports:

#!/bin/bash 
ffuf -w wordlist.txt -u https://target.com/FUZZ -o ffuf.json 
nmap -sV -p 80,443 target.com -oN nmap.txt 
nikto -h target.com -output nikto.html

2. Critical Findings for Reports:

• Exposed admin panels (e.g., /admin with default creds)
• Server versions linked to CVEs
• Directory listings leaking credentials

$100 worth Open Redirect Automation

$50-$100 P5 & P4 Bug Automation with Nuclei

$50–$200 Low Hanging Bugs/Fruit Automation | Bug Automation Part 1

$200 Easy Bounty: Improper Rate Limiting Exploit

Ever Found a Valid Bug/Leaks in JavaScript Files in Bug Bounties?

Choosing Your First Program in Bug Bounties: A Beginner’s Guide

I look forward to sharing what I’ve learned while exploring the ever-evolving world of cybersecurity and bug bounties. Let’s hunt some bugs!

Thank you for reading the blog!!! Do Follow and Comment on what specific type of write-up you want the next??

You can also follow me on Twitter & LinkedIn for more such tips & tricks.

Follow & subscribe for daily write-up updates via mail on Medium

Buy Me A Coffee