Bug Bounty Recon: Vertical Correlation (and the secret to succeeding).
Vertical Correlation — The process of finding subdomains from a root domain.
Considering becoming a member on medium? Use this link at no extra cost to yourself, and support me :) (https://medium.com/@nynan/membership)
Example: If our target is domain.com, how do we find subdomains, such as vulnerable.domain.com, secret-dev-org.domain.com, or xadjo1m4ksl325s.superHidden.domain.com ?
NOTE: This is the second step in bug bounty hunting, which follows from the first, Horizontal Correlation:
The first step of effective bug bounty hunting is in-depth reconnaissance; the second step of reconnaissance is Vertical Correlation. The more assets you know about, the more you can attack. By expanding the attack surface, you are more likely to find vulnerabilities.
There are 5 strong methods to find subdomains. and there is one secret tip which will give you the edge over other bug hunters! The methods we will explore are:
- good old fashion Brute Force
