Comprehensive URL Enumeration for Bug Bounty — The potential of GAU.
URL Enumeration — Subset of Content Discovery: finding existing endpoints.
Originally, this article was going to be on GAU, but upon research I have found a more efficient replacement: GauPlus, which boasts of being 8.9x faster. When working with large scopes, lowering the time spent on automated tools is crucial to effective recon.
If you haven’t heard of Gau or GauPlus (I may use these interchangeably, despite referring to GauPlus), it is a tool that Gets All URLs. It does this passively (never interacting with the target) by querying existing third-party databases such as Common Crawl, the Wayback Machine and AlienVault’s OTX.
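Because these archives are public, the same lookup shows a site owner what has already leaked into them. The following is an added example, not code from the original article: it triages a URL list (one URL per line, the shape gau/GauPlus print) for credential-like query parameters that may need rotating. The function names `sample_urls` and `flag_sensitive`, the domain `example.com` and the parameter-name list are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit archived URLs of your own domain for secrets in query strings.
# The input below is constructed sample data, not real archive output.
sample_urls() {
cat <<'EOF'
https://app.example.com/reset?token=abc123&user=7
https://app.example.com/reset?user=9&token=zzz999
http://app.example.com/search?q=shoes
https://cdn.example.com/static/app.js
https://app.example.com/export?api_key=K1&format=csv
https://other.test/login?password=x
EOF
}

# Reads URLs on stdin; prints "host path param" once per unique in-scope
# endpoint that carries a credential-like parameter. Values are never printed.
flag_sensitive() {
  local scope="$1"
  awk -v scope="$scope" '
    BEGIN { pat = "^(token|api_?key|password|passwd|secret|session|auth)$" }
    {
      url = $0
      sub(/^[a-zA-Z]+:\/\//, "", url)          # drop scheme
      sub(/#.*$/, "", url)                     # drop fragment
      q = ""
      if ((i = index(url, "?")) > 0) { q = substr(url, i + 1); url = substr(url, 1, i - 1) }
      host = url; path = "/"
      if ((j = index(url, "/")) > 0) { host = substr(url, 1, j - 1); path = substr(url, j) }
      sub(/^.*@/, "", host); sub(/:[0-9]+$/, "", host); host = tolower(host)
      # In scope means the exact domain or a true subdomain (dot-delimited suffix).
      if (host != scope && substr(host, length(host) - length(scope)) != "." scope) next
      n = split(q, kv, "&")
      for (k = 1; k <= n; k++) {
        name = kv[k]; sub(/=.*$/, "", name)
        if (tolower(name) ~ pat) print host, path, name
      }
    }' | LC_ALL=C sort -u
}

sample_urls | flag_sensitive example.com
```

Any endpoint it reports has had a secret-bearing URL stored by a third party, so the value should be treated as disclosed regardless of whether the page still exists.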
Now for why you clicked on this article, the one-liner:
Disclaimer: although this will work, you shouldn’t use it. It was made for novelty and there are a lot of flaws with using it, but there’s still a lot we can learn from it, which I will demonstrate below with less clickbait-y one-liners you…