Recon with VirusTotal That Actually Pays Bounty

Hello, hope everyone is doing great. Today I'm gonna share a secret method that helps me get more than $5000 in bounties. Let's start.

VirusTotal analyzes suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically shares them with the security community.

VirusTotal is a gold mine for bug bounty hunters. It can reveal sensitive endpoints, live password reset tokens, active JWT tokens, invoice links, private docs, etc.

How can we do this?

-> https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=SUB_DOMAIN

Here you can see I've got some live, fresh email verification links, which lead to ATO, and users' invoice links, which contain users' PII information.

This bug was accepted by a private company which I can't disclose. Every day I do VirusTotal dorking and see if there is anything new.

You can automate this using various scripts available on the internet.

-> https://github.com/orwagodfather/virustotalx

This tool is very nice, by -> https://x.com/GodfatherOrwa

But I suggest doing this manually.
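The same domain report can be used from the defender's side. The following is an added example, not code from the original post or from virustotalx: it triages URLs already submitted to VirusTotal for your own domain, flags those carrying token-like parameters or JWT-shaped values, and redacts the secrets so the affected links can be revoked. The `detected_urls`/`undetected_urls` field layout, the parameter-name list, and the `example.com` sample report are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter-name fragments that commonly carry secrets (assumed list; tune per app).
SENSITIVE = re.compile(r"(^|[_-])(token|code|key|jwt|auth|sig|signature|session)($|[_-])", re.I)
# Three dot-separated base64url segments starting with "eyJ" look like a JWT.
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")

def iter_urls(report):
    """Yield (url, scan_date) from a v2 domain report dict (assumed field layout)."""
    for item in report.get("detected_urls", []):
        yield item["url"], item.get("scan_date")
    for item in report.get("undetected_urls", []):
        # Assumed list form: [url, sha256, positives, total, scan_date]
        yield item[0], (item[4] if len(item) > 4 else None)

def redact(value):
    """Keep only a short prefix so the finding can be matched without re-leaking it."""
    return value[:4] + "..." if len(value) > 4 else "***"

def triage(report):
    """Return one finding per URL whose query string or path carries a secret."""
    findings = []
    for url, seen in iter_urls(report):
        parts = urlsplit(url)
        hits = [(k, redact(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                if SENSITIVE.search(k) or JWT_RE.search(v)]
        if JWT_RE.search(parts.path):
            hits.append(("<path>", "JWT-like segment"))
        if hits:
            findings.append({"host": parts.netloc, "path": JWT_RE.sub("<jwt>", parts.path),
                             "params": hits, "scan_date": seen})
    return findings

# Constructed sample report for example.com; not real VirusTotal output.
SAMPLE = {
    "detected_urls": [
        {"url": "https://app.example.com/verify?email_token=CONSTRUCTED123456", "scan_date": "2026-01-20 10:00:00"},
    ],
    "undetected_urls": [
        ["https://app.example.com/invoice/view?id=42&access_key=CONSTRUCTEDKEY", "0" * 64, 0, 90, "2026-01-21 09:30:00"],
        ["https://app.example.com/cb?state=eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.c2ln", "0" * 64, 0, 90, "2026-01-22 08:00:00"],
        ["https://www.example.com/pricing?keyword=plans", "0" * 64, 0, 90, "2026-01-22 08:05:00"],
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Each finding points at a link that should be treated as exposed: expire the token, shorten its lifetime, and move secrets out of URLs where mail scanners and browser extensions can submit them.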

Saif Abdullah Khan Mahi

Networking & Offensive Security Specialist

Saif is a founding member of the Knight Squad community with a background in network engineering, hands-on web security testing, CTFs, and security research. He focuses on responsible vulnerability discovery and practical, real-world bug hunting workflows. Since 2023, he has been involved with the Yogosha Strike Force and has responsibly reported security findings to major organizations including Apple and Microsoft. He also contributes to the community by creating CTF challenges for competitions such as KnightCTF and BDSec CTF.