Muhammad Mater
6 min readMay 1, 2023

Hello Researchers

Today, I would like to discuss a technique that helped me uncover a bug in the Hilton Hotel Bug Bounty program (I will elaborate on the specific scenario later).

When we browse any bug bounty program, we need to read a lot of stuff to check it out before hacking.

Stuff like Policy, Scope , Out-of-scope assets and vulnerabilities

What is these stuff ?


A policy in a bug bounty program refers to the rules and guidelines that govern how the program is conducted, what systems and applications are in scope, what types of vulnerabilities are eligible for rewards, and how rewards will be paid out. The policy is typically established by the bug bounty program or the target organization and is designed to provide clear guidance to bug bounty hunters on how to conduct their testing and report any vulnerabilities they discover.


The scope of a bug bounty program refers to the specific systems, applications, and services (Assets) that are eligible for testing and rewards. The scope is typically defined by the bug bounty program or the target organization and can include specific IP addresses, domains, or other identifiers.

The scope assets of a bug bounty program can vary widely depending on the goals and priorities of the target organization. Some bug bounty programs may have a narrow scope that focuses on specific applications or systems, while others may have a broader scope that includes multiple domains and services.

It is important for bug bounty hunters to carefully review the scope assets of the bug bounty program before starting testing, as testing outside of the defined scope can result in disqualification from the program and may even have legal consequences.


the scope assets of a bug bounty program should include any systems, applications, or services that are considered critical to the security of the target organization.

This may include

web applications, mobile applications, APIs, CIDR, IOT Hardware, Executable

My Bug Was in the CIDR Asset

What is The CIDR?

CIDR stands for Classless Inter-Domain Routing. It is a method used for allocating IP addresses and routing Internet Protocol (IP) packets. CIDR replaced the earlier classful network addressing architecture, which used fixed-length subnet masks to divide IP addresses into network and host portions. CIDR allows for variable-length subnet masks, which enables more efficient use of IP addresses.

CIDR notation is used to represent IP addresses and their associated subnet masks. It is expressed as a combination of an IP address and a prefix length. For example, represents the IP address with a subnet mask of The prefix length specifies the number of bits used for the network portion of the IP address.

CIDR notation is commonly used by network administrators to describe network topology and routing information. It is also used by Internet service providers (ISPs) to allocate IP addresses to their customers.

CIDR Range in Bug Bounty

For example, a bug bounty program may specify that only the IP addresses within a certain CIDR range are in scope for testing. This allows the bug bounty hunter to focus their testing efforts on a specific subset of the target network, rather than attempting to test the entire network.

When conducting testing within a specified CIDR range, the bug bounty hunter needs to respect the rules and limitations set forth by the bug bounty program. Testing outside of the specified scope can result in disqualification from the program and potential legal consequences.

It is also worth noting that some bug bounty programs may not use CIDR notation to specify their target scope, instead relying on other methods such as domain names or specific IP addresses. It is important to carefully review the rules and guidelines of each bug bounty program to ensure that testing is conducted within the specified scope.

Example :

This is the CIDR:

You Can get ips from CIDR RANGE by This Tool mapcidr

You got IPS for the targets.

How To Discover More CIDR Ranges

The first method by ASN

ASN stands for “Autonomous System Number”. It is a unique identifier that is assigned to a network operator (such as an internet service provider or a large organization) that has control over a portion of the internet’s routing infrastructure.

An ASN is used to identify a particular network and its connectivity on the internet. The ASN is used to exchange routing information with other networks, which helps to ensure that data is transmitted efficiently and reliably across the internet.

ASNs are assigned by a global internet registry called the Internet Assigned Numbers Authority (IANA), which is responsible for managing the distribution of IP addresses and ASNs. Once assigned, an ASN is typically used by a network operator to advertise its IP address space and to manage the routing of traffic to and from its network.

In the context of bug bounty programs, ASN information can be useful for identifying the network infrastructure of a target organization and for identifying other networks that may be connected to the target. This information can be used to inform testing strategies and to help identify potential attack vectors.

ASN information can be obtained using a variety of online tools, including WHOIS lookups, BGP routing tables, and ASN lookup services. It is important to note that ASN information should be used in conjunction with other information and should not be relied upon as the sole source of information for bug bounty testing.

This website is useful to search for ASN numbers:

by the target name

I will choose this AS763

whois -h -- '-i origin AS763' | grep -Eo "([0-9.]+){4}/[0-9]+"

There is a tool from Project Discovery called Asnmap.

, ASNMap converts:

  • Organization names to CIDR ranges
  • ASN numbers to CIDR ranges
  • IP addresses to CIDR ranges
  • Domain names to CIDR range

You can Scan all ips

  • Active scanning — Traditional nmap approach. For a large list of hosts, I also recommend Masscan. Active scanning is more time-consuming and can potentially trigger publicly facing IDS. However, you get the most accurate representation of open services.
  • Passive scanning — Relies on data that were gathered from another source. These sources include for instance Shodan or Censys. The downside is that the results might be several days old and some services can be already closed. On the other side, you are not directly connecting to the target network. This “stealth” mode is usually preferred when doing APT simulations. You need to find a balance between freshness and aggressiveness.

Discover subdomains By CIDR

amass intel -cidr



Muhammad Mater

Just a Boy Loves Infosec (REDTEAM, CTI, OSINT, Bug Bounty) And Security Analyst