Cheat Sheet
# Nmap web scripts for service discovery & vuln detection
nmap -p 80,443,8080 --script "http-*" target.com
# Curl the web server and get headers + response
curl -I http://target.com
# Curl full response (quick check for login pages, CMS, etc.)
curl -s http://target.com | head
# Detect tech stack with WhatWeb
whatweb http://target.com
# Wappalyzer-style scan with Wafw00f
wafw00f http://target.com
# Dirbusting (common dirs/files)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50
# Alt: ffuf for directory/file fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50
# Find virtual hosts
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
# Nikto web vuln scanner (quick and noisy)
nikto -h http://target.com
# Check for HTTP methods enabled
curl -X OPTIONS http://target.com -i
nmap --script http-methods -p 80 target.com
# Check for robots.txt or interesting metadata
curl http://target.com/robots.txt
curl http://target.com/.git/config
curl http://target.com/.env
# Crawl & spider (useful before auth bypass or LFI checks)
feroxbuster -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Check for default creds/login portals
nmap --script http-default-accounts -p 80 target.com
Every web hack starts the same way: finding doors. Enumeration is the map-making phase — scouring a target’s digital sprawl for the forgotten panels, dusty endpoints, and legacy APIs that shouldn’t still exist but do. If bug bounty hunting is modern-day street fighting, enumeration is your blade. Sharp, patient, and lethal only in skilled hands.
The Philosophy of Enumeration
Rookies dive straight into injection payloads. Veterans spend days on enumeration. Why? Because if you can’t see the attack surface, you don’t even know where to strike. Enumeration isn’t about tools; it’s about discipline. You pull apart the web layer until the company’s blueprint is in your hands.
Think of it like this:
Wide Recon: Map every subdomain, every port, every exposed host.
Deep Recon: Dig into each host until you know its tech stack, hidden directories, forgotten APIs.
Focused Recon: Decide which of those paths actually matter for exploitation.
The trick isn’t finding endpoints. The trick is filtering the noise.
Subdomain Enumeration
The first step in any modern bounty program is subdomains. Companies scale horizontally, spinning up staging sites, forgotten test servers, old marketing campaigns — and they rarely clean them up. That’s where the low-hanging fruit lives.
# Passive enumeration
subfinder -d target.com -all -o subs.txt
amass enum -passive -d target.com -o amass.txt
# Resolve live hosts
cat subs.txt amass.txt | sort -u | httpx -status-code -title -tech-detect -o hosts.txt
Signs of gold:
“staging.” or “dev.” prefixes.
Legacy SaaS providers still linked.
Odd country-specific subdomains with their own codebase.
Pro tip: Always cross-check with asset inventories from JS files. Developers love hardcoding API endpoints that lead to fresh subdomains.
Directory and File Enumeration
Once you’ve got a host, the next move is brute-forcing its web tree. Directory busting reveals hidden panels, admin logins, backup files, and scripts that never should have been left accessible.
# Gobuster
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x php,asp,aspx,js,html
# ffuf — faster, flexible
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -fc 404
Keep an eye out for:
/admin,/backup,/old— cliché, but real..git/,.env,.bakfiles.API docs (
/swagger,/graphql).
These aren’t just directories. They’re attack narratives waiting to happen.
Parameter Enumeration
Most web vulns hide in parameters. Hidden GET or POST parameters can be fuzzed to reveal debugging flags, legacy functionality, or outright injections.
# Harvest params
waybackurls target.com | grep "=" | tee params.txt
# Fuzz them
ffuf -w params.txt:FUZZ -u https://target.com/page?FUZZ=test -fc 404
Once found, you cluster them by function:
IDs → check for IDORs.
Filters → test for SQLi.
Names/values → check for XSS.
JavaScript Enumeration
JS files are treasure maps. They leak endpoints, API keys, version numbers. Parse them ruthlessly.
# Extract endpoints from JS
curl https://target.com/app.js | grep -Eo 'https?://[^\"\\']+'
Don’t just scrape — read. A single api/v1/private/ reference in JS can be a direct hit.
Burp Suite and Manual Enumeration
Automation takes you far, but Burp takes you deeper. Proxy traffic, crawl manually, and watch how the app actually functions. Intruder and Repeater aren’t just payload tools — they’re microscopes for finding weird parameters, hidden headers, and subtle state changes.
Checklist in Burp:
Inspect every request/response header.
Look for verbose error messages.
Watch how cookies evolve between requests.
The Recon Trap: Too Much Data
Here’s the danger: enumeration never ends. You can drown in subdomains, endpoints, and wordlists until you forget the goal. The art is knowing when to stop and strike.
Veterans run automated recon daily, storing results, but only chase anomalies. The key is triage: ignore 99% of noise, focus on the 1% that doesn’t fit. That’s where the bugs live.
Bug Bounty Context
In bug bounty, recon is the battlefield. You’re not the only hunter out there. Thousands of others are running the same tools. What sets you apart isn’t finding admin.php; it’s noticing that admin-qa.php behaves differently.
Your advantage is persistence:
Run recon longer than others.
Chain recon data creatively (link JS leaks with passive subdomain results).
Revisit old recon after scope changes. Yesterday’s 404 can be today’s goldmine.
The Mindset Shift
Web enumeration is less about “finding everything” and more about learning the company through its code. You start to see patterns: naming conventions, dev workflows, forgotten staging pipelines. That’s where vulnerabilities hide.
The mindset: you’re not scanning websites. You’re mapping human laziness, oversight, and the entropy of corporate sprawl.
Summary
Enumeration is where the hunt begins. Subdomains, directories, parameters, JS leaks — these are the raw materials. From there, payloads take shape. Without enumeration, you’re just throwing injections into the void. With it, you’re a surgeon.
Command Recap
# Subdomains
subfinder -d target.com -all -o subs.txt
amass enum -passive -d target.com -o amass.txt
httpx -l subs.txt -status-code -title -tech-detect -o hosts.txt
# Directories
gobuster dir -u https://target.com -w directory-list.txt -x php,asp,js,html
ffuf -u https://target.com/FUZZ -w common.txt -fc 404
# Parameters
waybackurls target.com | grep "=" | tee params.txt
ffuf -w params.txt:FUZZ -u https://target.com/page?FUZZ=test -fc 404
# JavaScript parsing
curl https://target.com/app.js | grep -Eo 'https?://[^\"\\']+'
Final Thoughts
In bug bounty, web enumeration isn’t a step — it’s the foundation. Every bounty story, every payout, every critical vuln starts with the same question: what doors exist here that others don’t see? The hunter who maps the terrain best wins the war.