Uncover Hidden/Secret methods to find Sensitive Information Disclosures
Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:

Why Information Disclosure Matters
Information disclosure vulnerabilities leak data the application never meant to serve: hidden directories, server and framework versions, backup and configuration files, source-control metadata, or directory listings left open by misconfigured permissions. On their own these leaks are usually low severity, but they are goldmines for attackers (and bug hunters) because they often supply the missing piece for a more critical finding such as SSRF, RCE, or an authentication bypass.
In this guide, you'll learn how to get the most out of DirBuster, FFUF, Gobuster, Nmap, and Nikto with real-world tactics. We'll also share the tips experienced hunters use to cut noise, work around soft-404 pages and rate limits, and maximize results.
Advanced Wordlist Tactics
A. Hybrid Attacks
Combine directory and file wordlists for maximum coverage, deduplicating so the same request is never sent twice:
# Merge and deduplicate wordlists
cat directory-list.txt file-list.txt | sort -u > combined.txt
# FFUF with 100 concurrent threads (-t); lower it if the target starts rate limiting
ffuf -w combined.txt -u https://target.com/FUZZ -t 100
B. Mutation Rules
Use rules to derive variants of each word (e.g., admin → Admin, ADMIN, admin123). FFUF has no rule engine of its own, so generate the mutated list first and feed it in as an ordinary wordlist. hashcat's --stdout mode applies a rule file to a wordlist without cracking anything:
# Expand wordlist.txt through a rule file, then fuzz with the result
hashcat --stdout -r dynamic-script.rule wordlist.txt | sort -u > mutated.txt
ffuf -w mutated.txt -u https://target.com/FUZZ -e .php
Rules Example (hashcat rule syntax, one rule per line):
$1$2$3
^t^s^e^t
u
c
The first rule appends 123, the second prepends test (^ inserts one character at the front each time, so the characters are listed in reverse), u uppercases the whole word and c capitalizes it.
C. Target-Specific Customization
- For PHP sites: prioritize .php, .inc, .phtml.
- For Java apps: fuzz .jsp, .do, .action.
- For APIs: test /v1, /v2, /graphql, /swagger-ui.
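The three tactics above (merge, mutate, add target-specific extensions) are one pipeline in practice. The script below is an added example, not code from the original post: it builds a single deduplicated wordlist ready for ffuf or gobuster. The prefix/suffix choices, the sample wordlist file names and the target URL in the usage comment are assumptions; swap in whatever your recon suggests.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): build one deduplicated, mutated,
# extension-expanded wordlist from the hybrid/mutation/target-specific tactics.
# Wordlist paths, prefix/suffix choices and the target URL are assumptions.

# capitalize WORD -> Word (portable: no bash 4 ${w^} needed)
capitalize() {
  printf '%s%s\n' "$(printf '%s' "$1" | cut -c1 | tr 'a-z' 'A-Z')" "${1#?}"
}

# mutate_words: read one base word per line on stdin, emit the word plus case,
# suffix and prefix variants (admin -> Admin, ADMIN, admin123, test_admin, ...)
mutate_words() {
  while IFS= read -r w; do
    [ -n "$w" ] || continue
    printf '%s\n' "$w"
    capitalize "$w"
    printf '%s\n' "$w" | tr 'a-z' 'A-Z'
    for s in 1 123 2023 _old _bak; do printf '%s%s\n' "$w" "$s"; done
    for p in test_ dev_ old_; do printf '%s%s\n' "$p" "$w"; done
  done
}

# add_extensions EXTS: read words on stdin, emit each bare and with every
# comma-separated extension in EXTS (.php,.inc for PHP, .jsp,.do for Java, ...)
add_extensions() {
  local exts
  exts=$(printf '%s' "$1" | tr ',' ' ')
  while IFS= read -r w; do
    printf '%s\n' "$w"
    for e in $exts; do printf '%s%s\n' "$w" "$e"; done
  done
}

# build_wordlist DIRLIST FILELIST EXTS OUT: merge both lists, drop comments and
# CRLF, mutate, add extensions, dedupe into OUT; prints the final line count
build_wordlist() {
  cat "$1" "$2" | tr -d '\r' | grep -v '^#' | mutate_words | add_extensions "$3" | sort -u > "$4"
  grep -c '' "$4"
}

# Usage (then feed OUT to ffuf/gobuster; target.com is a placeholder):
#   build_wordlist directory-list.txt file-list.txt ".php,.inc,.phtml" combined.txt
#   ffuf -w combined.txt -u https://target.com/FUZZ -t 100 -ac
```

Three base words with two extensions already produce 99 candidates, which is why the sort -u matters: every duplicate is a wasted request against a rate limit you would rather spend on new paths.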
Directory Enumeration
FFUF & Gobuster (General Web Apps)
Wordlist: directory-list-2.3-medium.txt (SecLists)
Why: Balanced coverage of common directories (e.g., /admin, /backup) without excessive bloat.
Download:
git clone https://github.com/danielmiessler/SecLists.git
- Path: SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
- Advanced Tip: Append extensions while fuzzing so each word is also tried as a file, and auto-calibrate the filters so a custom "not found" page does not flood the output:
# FFUF: try each word bare and with each extension; -ac learns what the target's not-found page looks like and filters it
ffuf -w directory-list-2.3-medium.txt -u https://target.com/FUZZ -e .php,.bak,.old -ac
# Gobuster: specify extensions (without the leading dot)
gobuster dir -u https://target.com -w directory-list-2.3-medium.txt -x php,bak,old
API/Modern Web Apps
Wordlist: api-wordlist.txt (Custom)
Why: Targets routes like /v1/users, /graphql, or /swagger.json.
Build Your Own:
- Extract endpoints from JS files using LinkFinder.
- Scrape GitHub for the target's API docs (search site:github.com "target.com/api").
- Merge with raft-medium-words.txt (SecLists).
- Sample Command:
ffuf -w api-wordlist.txt -u https://target.com/FUZZ -mc all -fc 404 -H "Accept: application/json"
Do not match on 200 only: an API route that exists but needs a token answers 401 or 403, and one that only accepts POST answers 405, so every status except the target's not-found response is a hit worth recording.
File Enumeration
Common Files (Backups, Configs, Logs)
Wordlist: raft-large-files.txt (SecLists)
- Why: Covers backup.zip, .env, config.php, and more.
- Path: SecLists/Discovery/Web-Content/raft-large-files.txt
Pro Tip: For fuzzing filenames with timestamps (e.g., backup_20231001.tar), generate full dates rather than bare years; a list of years never matches a YYYYMMDD name:
# Generate one filename per day of 2023 (GNU date), then let ffuf try several archive extensions
for i in $(seq 0 364); do date -d "2023-01-01 +${i} days" +backup_%Y%m%d; done > dates.txt
ffuf -w dates.txt -u https://target.com/FUZZ -e .tar,.tar.gz,.zip,.sql
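The GNU date loop covers one year and one naming style. As an added example (not from the original post), the script below generalizes it: it walks an arbitrary date range in plain shell arithmetic, so it runs unchanged on macOS and BusyBox where date -d does not exist, and emits several naming styles per day. The stems (backup, db, site), the patterns and the target URL are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enumerate every day in a range and turn
# it into backup filenames in several naming styles, without depending on GNU date
# so it behaves the same on Linux, macOS and BusyBox. Stems and patterns are assumptions.

# days_in_month YEAR MONTH -> number of days, with the Gregorian leap-year rule
days_in_month() {
  case "$2" in
    1|3|5|7|8|10|12) echo 31 ;;
    4|6|9|11) echo 30 ;;
    2)
      if [ $(( $1 % 4 )) -eq 0 ] && { [ $(( $1 % 100 )) -ne 0 ] || [ $(( $1 % 400 )) -eq 0 ]; }; then
        echo 29
      else
        echo 28
      fi ;;
  esac
}

# gen_dates START END -> one YYYYMMDD per line from START to END inclusive (both YYYYMMDD)
gen_dates() {
  local y m d end cur
  y=${1%????}; m=${1#????}; m=${m%??}; d=${1#??????}
  m=${m#0}; d=${d#0}                # strip leading zeros so 08/09 are not read as octal
  end=$2
  while :; do
    cur=$(printf '%04d%02d%02d' "$y" "$m" "$d")
    [ "$cur" -le "$end" ] || break
    echo "$cur"
    d=$((d + 1))
    if [ "$d" -gt "$(days_in_month "$y" "$m")" ]; then
      d=1; m=$((m + 1))
      [ "$m" -le 12 ] || { m=1; y=$((y + 1)); }
    fi
  done
}

# backup_names START END -> candidate filenames for each day, in the styles admins actually use
backup_names() {
  gen_dates "$1" "$2" | while IFS= read -r ymd; do
    y=${ymd%????}; md=${ymd#????}; mo=${md%??}; dd=${md#??}
    for stem in backup db site; do
      printf '%s_%s\n' "$stem" "$ymd"                  # backup_20231001
      printf '%s-%s-%s-%s\n' "$stem" "$y" "$mo" "$dd"  # backup-2023-10-01
      printf '%s%s\n' "$stem" "$ymd"                   # backup20231001
    done
  done
}

# Usage: generate a year of names, then let ffuf try the archive extensions
#   backup_names 20230101 20231231 > dates.txt
#   ffuf -w dates.txt -u https://target.com/FUZZ -e .tar,.tar.gz,.zip,.sql -ac
```

A year of dates with three stems and three patterns is about 3,300 names before extensions, so run it with -ac and keep the extension list short; if the target names its backups after a known deploy cadence (weekly, month-end), narrow the range instead of brute-forcing every day.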
Sensitive File Extensions
Wordlist: Custom list for high-value names. Keep two lists, because half of the usual suspects are not extensions at all but files or directories that live at the web root:
Standalone names (request them directly):
.env
.git/HEAD
.svn/entries
.htaccess
Real extensions (append them to filenames you already know exist):
.bak
.old
.swp
.tar.gz
Usage:
# FFUF: standalone names at the root; a .git/HEAD that answers "ref: refs/heads/..." confirms an exposed repo
ffuf -w sensitive-files.txt -u https://target.com/FUZZ -mc all -fc 404
# FFUF: backup copies of a known file (note that vim swap files are dot-prefixed: .index.php.swp)
ffuf -w extensions.txt -u https://target.com/index.phpFUZZ
# Gobuster: appends each extension to every word of a names list; the default -b 404 blacklist already hides not-found responses
gobuster dir -u https://target.com -w raft-large-words.txt -x bak,old,swp
Cloud-Specific Enumeration
AWS S3/GCP Buckets
Wordlist: bucket-names.txt (Custom)
- Why: Cloud buckets often use names like prod-target-assets or target-backup.
- Build Strategy:
- Use the target's name/abbreviations (e.g., target-prod, tgts3).
- Merge with cloud-buckets.txt from SecLists.
Command:
ffuf -w bucket-names.txt -u https://FUZZ.s3.amazonaws.com -mc 200,403 -fs 0
Match 403 as well as 200: S3 answers 404 NoSuchBucket for a name nobody owns, 403 AccessDenied for a bucket that exists but is private, and 200 with an XML ListBucketResult when listing is public. Matching only 200 throws away every existing-but-locked bucket, and an existing bucket with the target's name is still worth noting (it confirms ownership and may be misconfigured later). Names containing dots do not work in the virtual-hosted form; test those as https://s3.amazonaws.com/FUZZ. For GCP use https://storage.googleapis.com/FUZZ, which returns the same 404/403/200 split.
Kubernetes/Internal Paths
Wordlist: kubernetes.txt (Custom)
- Include Paths:
/k8s/
/kubernetes/
/api/v1/namespaces
/metrics
/healthz
- Download: Use Discovery/Web-Content/raft-large-directories.txt (SecLists) as a base.
An unauthenticated /metrics endpoint is itself a disclosure: Prometheus-style output routinely leaks internal hostnames, pod names, build versions and request paths, all of which feed the next round of enumeration.
Server Headers & Misconfigurations
Tool 1: Nmap
Why Use It?
Nmap identifies server versions, open ports, and HTTP misconfigurations.
Basic Command:
nmap -sV --script=http-headers,http-title -p 80,443 target.com
-sV: Service version detection
--script: Run specific NSE scripts
Advanced Tactics:
1. Check Dangerous HTTP Methods:
nmap -p 80,443 --script http-methods --script-args http-methods.url-path='/admin' target.com
Look for PUT, DELETE, or TRACE among the reported methods. The script reads the Allow header of an OPTIONS response, and servers get that wrong in both directions, so confirm with a real request before reporting.
2. Find Directory Listings and Known Paths:
nmap --script http-enum -p 80 target.com
Secret Trick: Use the http-shellshock script to test CGI endpoints for Shellshock; it needs the CGI path you discovered passed in via --script-args http-shellshock.uri=<path>.
Tool 2: Nikto
Why Use It?
Nikto automates checks for 6,000+ potentially dangerous files and programs, plus outdated server versions and insecure headers.
Basic Command:
nikto -h https://target.com
Advanced Flags:
- Focus the Scan:
nikto -h target.com -Tuning 1
-Tuning 1: Run only the "interesting file / seen in logs" checks, which is the part of Nikto that finds disclosures
- Evasion:
nikto -h target.com -evasion 1
-evasion 1: Random URI encoding (Nikto's evasion options are numbered after LibWhisker's; 8 is the Windows directory separator, not URL encoding). These tricks target signature-based IDS and rarely get past a modern WAF, so budget your requests rather than relying on them.
- Check Specific Issues:
nikto -h target.com -Plugins "apache_expect_xss"
Pro Tip: Parse Nikto's output for:
X-Powered-By headers (e.g., PHP/5.2.4 is end-of-life: look up its CVEs and try to confirm one rather than reporting the banner alone)
Server: Apache/2.4.7 (Ubuntu) → check for CVEs, but remember that distribution packages backport fixes, so a version string on its own does not prove a CVE applies.
Secret Tips from Real-World Hunts
1. The .git/.svn Heist:
Found a .git directory? Request .git/HEAD first (it should contain a line like ref: refs/heads/main), then use git-dumper to download the entire repo and check the full history, not just the working tree, for API keys and hardcoded secrets.
2. Backup File Extensions:
Always test www.zip, backup.tar, or index.php~ (common editor backups).
3. Header Hacking:
- Use curl -I https://target.com to quickly check headers.
- Hunt for X-Debug-Token (Symfony's profiler; the accompanying X-Debug-Token-Link points straight at the debug page) or X-AspNet-Version.
4. Proxy Everything:
Route traffic through Burp Suite to manually inspect interesting responses.
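The header checks above (the Nikto "parse the output for X-Powered-By and Server" tip, the X-Debug-Token / X-AspNet-Version hunt, and the dangerous-method check from the Nmap section) reduce to a few string tests on a raw response. The script below is an added example, not the author's tooling: it audits a header block from stdin and prints one graded finding per line. The sample response is constructed, and the header list, severity labels and the target.example URL are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag disclosure headers and dangerous
# methods in a raw HTTP response, the same checks you would otherwise eyeball in
# curl -I or Nikto output. Header list, severity labels and the sample are assumptions.

# header_value NAME: value of header NAME from the headers on stdin (case-insensitive), empty if absent
header_value() {
  grep -i "^$1:" | head -n1 | cut -d: -f2- | sed 's/^ *//'
}

# audit_headers: read raw response headers on stdin, print one finding per line
audit_headers() {
  local hdrs v h m
  hdrs=$(tr -d '\r')                               # normalise CRLF line endings
  for h in Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version X-Generator \
           X-Debug-Token X-Debug-Token-Link; do
    v=$(printf '%s\n' "$hdrs" | header_value "$h")
    [ -n "$v" ] || continue
    case "$h" in
      X-Debug-Token*) echo "HIGH debug profiler exposed: $h: $v" ;;   # Symfony profiler
      *)
        if printf '%s' "$v" | grep -Eq '[0-9]+\.[0-9]+'; then
          echo "INFO version disclosed: $h: $v"    # e.g. Apache/2.4.7, PHP/5.2.4
        else
          echo "LOW technology disclosed: $h: $v"  # product named, version hidden
        fi ;;
    esac
  done
  # Allow comes back on an OPTIONS request; treat it as a lead, not proof
  v=$(printf '%s\n' "$hdrs" | header_value Allow)
  for m in PUT DELETE TRACE; do
    printf '%s' "$v" | grep -Eqw "$m" && echo "MEDIUM method advertised: $m (verify with a real request)"
  done
  return 0
}

# Constructed sample response (not captured from a real host)
sample_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.2.4
X-Debug-Token: 1a2b3c
X-Debug-Token-Link: https://target.example/_profiler/1a2b3c
Allow: GET,HEAD,POST,PUT,DELETE,OPTIONS
Content-Type: text/html

EOF
}

# Usage against a live target (target.com is a placeholder):
#   curl -s -D - -o /dev/null https://target.com/ | audit_headers
#   curl -s -D - -o /dev/null -X OPTIONS https://target.com/admin | audit_headers
```

Grading matters for the report: a bare product name is a note, a version string is a lead to chase, and a live profiler token is a finding on its own, since the linked page typically exposes request data, configuration and sometimes credentials.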
Automation & Reporting
1. Bash Scripting:
Automate scans and save outputs for reports:
#!/bin/bash
set -euo pipefail
target=target.com
ffuf -w wordlist.txt -u "https://${target}/FUZZ" -ac -o ffuf.json -of json
nmap -sV -p 80,443 "$target" -oN nmap.txt
nikto -h "$target" -Format htm -output nikto.html
2. Critical Findings for Reports:
- Exposed admin panels (e.g., /admin with default creds)
- Server versions linked to CVEs (report the CVE only when you have confirmed it applies, otherwise report the banner as informational)
- Directory listings leaking credentials
I look forward to sharing what I’ve learned while exploring the ever-evolving world of cybersecurity and bug bounties. Let’s hunt some bugs!
Thank you for reading the blog! Do follow and comment on what type of write-up you want next.
