
$50-$500 worth Information Disclosure Bug Automation

It4chis3c
5 min read · Feb 21, 2025

Uncover Hidden/Secret methods to find Sensitive Information Disclosures


Hi geeks, it4chis3c (Twitter) is back with another bounty-earning write-up in the Bug Bounty Hunting Series.

Why Information Disclosure Matters

Information disclosure vulnerabilities expose sensitive data such as hidden directories, server versions, backup files, or misconfigured permissions. These leaks are goldmines for attackers (and bug hunters!) because they often lead to more critical vulnerabilities like SSRF, RCE, or authentication bypasses.

In this guide, you’ll learn how to weaponize tools like DirBuster, FFUF, Gobuster, Nmap, and Nikto with advanced real-world tactics. We’ll also share secret tips used by top hunters to bypass defenses and maximize results.

Advanced Wordlist Tactics

A. Hybrid Attacks

Combine directory and file wordlists for maximum coverage:

# FFUF with parallel scanning  
ffuf -w combined.txt -u https://target.com/FUZZ -t 100

B. Mutation Rules

Use rules to modify words (e.g., admin → Admin, ADMIN, admin123):

Rules Example:

C. Target-Specific Customization

  • For PHP Sites: Prioritize .php, .inc, .phtml.
  • For Java Apps: Fuzz .jsp, .do, .action.
  • For APIs: Test /v1, /v2, /graphql, /swagger-ui.

Directory Enumeration

FFUF & Gobuster (General Web Apps)

Wordlist: directory-list-2.3-medium.txt (SecLists)

Why: Balanced coverage of common directories (e.g., /admin, /backup) without excessive bloat.

Download:

  • Path: SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
  • Advanced Tip: Combine with dynamic rules for depth:

API/Modern Web Apps

Wordlist: api-wordlist.txt (Custom)

Why: Targets routes like /v1/users, /graphql, or /swagger.json.

Build Your Own:

  1. Extract endpoints from JS files using LinkFinder.
  2. Scrape GitHub for the target’s API docs (search site:github.com "target.com/api").
  3. Merge with raft-medium-words.txt (SecLists).
  • Sample Command:

File Enumeration

Common Files (Backups, Configs, Logs)

Wordlist: raft-large-files.txt (SecLists)

  • Why: Covers backup.zip, .env, config.php, and more.
  • Path: SecLists/Discovery/Web-Content/raft-large-files.txt

Pro Tip: For fuzzing filenames with timestamps (e.g., backup_20231001.tar):

Sensitive File Extensions

Wordlist: Custom list for high-value extensions:

Usage:

Cloud-Specific Enumeration

AWS S3/GCP Buckets

Wordlist: bucket-names.txt (Custom)

  • Why: Cloud buckets often use names like prod-target-assets or target-backup.
  • Build Strategy:
    • Use the target’s name/abbreviations (e.g., target-prod, tgts3).
    • Merge with cloud-buckets.txt from SecLists.

Command:

Kubernetes/Internal Paths

Wordlist: kubernetes.txt (Custom)

  • Include Paths:
  • Download: Use Discovery/Web-Content/raft-large-directories.txt (SecLists) as a base.

Server Headers & Misconfigurations

Tool 1: Nmap

Why Use It?
Nmap identifies server versions, open ports, and HTTP misconfigurations.

Basic Command:

  • -sV: Service version detection
  • --script: Run specific NSE scripts

Advanced Tactics:

  1. Check Dangerous HTTP Methods:
    • Look for PUT, DELETE, or TRACE methods enabled.
  2. Find Directory Listings:

Secret Trick: Use the http-shellshock NSE script to test CGI endpoints for Shellshock.

Tool 2: Nikto

Why Use It?
Nikto automates checks for 6,000+ vulnerabilities, including outdated servers and insecure headers.

Basic Command:

Advanced Flags:

  1. Evade Detection:
    • -Tuning 1: Scan only “interesting” files
    • -evasion 8: URL-encode requests
  2. Check Specific Issues:

Pro Tip: Parse Nikto’s output for:

  • X-Powered-By headers (e.g., PHP 5.2.4 → exploit!)
  • Server: Apache/2.4.7 (Ubuntu) → Check for CVEs.

Secret Tips from Real-World Hunts

  1. The .git/.svn Heist:
    Found a .git directory? Use git-dumper to download the entire repo and check for API keys/hardcoded secrets.
  2. Backup File Extensions:
    Always test www.zip, backup.tar, or index.php~ (common editor backups).
  3. Header Hacking:
    • Use curl -I https://target.com to quickly check headers.
    • Hunt for X-Debug-Token (exposes debug pages) or X-AspNet-Version.
  4. Proxy Everything:
    Route traffic through Burp Suite to manually inspect interesting responses.
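The indicators called out above (version-bearing Server and X-Powered-By headers, X-AspNet-Version, X-Debug-Token, PUT/DELETE/TRACE in the Allow header, and an “Index of /” directory listing) can be checked in one pass over a saved response, such as the output of curl -I, so a finding in a report comes paired with its fix. This checker is an added example, not the author's code; the two sample responses are constructed, and the remediation hints reference the standard Apache (ServerTokens, TraceEnable, Options -Indexes), PHP (expose_php) and ASP.NET (enableVersionHeader) settings.

```python
import re

# Constructed sample responses (not captured from any real host): a hardened server and a leaky one.
HARDENED = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nAllow: GET, HEAD, OPTIONS\r\n"
    "Content-Type: text/html\r\n\r\n<html><body>Welcome</body></html>"
)
LEAKY = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.2.4\r\n"
    "X-AspNet-Version: 4.0.30319\r\nX-Debug-Token: 1a2b3c\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /backup</title></head></html>"
)
# Headers that leak technology or debug details, mapped to a remediation hint.
LEAKY_HEADERS = {
    "x-powered-by": "remove it (expose_php=Off for PHP, or strip it at the proxy)",
    "x-aspnet-version": "set enableVersionHeader=false in web.config",
    "x-debug-token": "disable the debug toolbar/profiler outside development",
}
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE"}
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_response(raw: str) -> tuple[dict[str, str], str]:
    """Split a raw HTTP response into lower-cased headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def audit(raw: str) -> list[str]:
    """Return one finding per information-disclosure indicator in the response."""
    headers, body = parse_response(raw)
    findings: list[str] = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):  # 'nginx' passes, 'Apache/2.4.7 (Ubuntu)' does not
        findings.append(f"Server discloses version {server!r}; use ServerTokens Prod or equivalent")
    for name, fix in LEAKY_HEADERS.items():
        if name in headers:
            findings.append(f"{name} present ({headers[name]!r}); {fix}")
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    for method in sorted(allowed & DANGEROUS_METHODS):
        findings.append(f"{method} enabled; restrict methods (TraceEnable off / LimitExcept)")
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("directory listing enabled; set Options -Indexes")
    return findings
```

Feed it a raw response saved from curl -i (headers plus body) rather than curl -I alone if you also want the directory-listing check to fire.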

Automation & Reporting

  1. Bash Scripting:
    Automate scans and save outputs for reports:
  2. Critical Findings for Reports:
    • Exposed admin panels (e.g., /admin with default creds)
    • Server versions linked to CVEs
    • Directory listings leaking credentials

I look forward to sharing what I’ve learned while exploring the ever-evolving world of cybersecurity and bug bounties. Let’s hunt some bugs!

Thank you for reading! Follow and comment on what type of write-up you want next.

You can also follow me on Twitter & LinkedIn for more such tips & tricks.
