Bug Bounty Recon Series #1: Discover and Map Hidden Endpoints and Parameters

January 9, 2025

Bug Bounty Recon Series by YesWeHack

Endpoint and parameter discovery are critical first steps in the Bug Bounty reconnaissance process. The real value lies in uncovering hidden endpoints, undocumented parameters and overlooked paths that expand the target’s attack surface.

This guide will teach you practical techniques like parameter fuzzing, forced browsing, and path/parameter discovery, as well as how to use targeted wordlists, parse files and analyse JavaScript in order to find entry points for more rewarding vulnerability hunts.

Initiating reconnaissance: building your baseline

The first step in uncovering hidden endpoints and parameters is to establish a baseline understanding of your target’s exposed surface. Start by configuring Burp Suite for a manual crawl: enable the proxy to capture all traffic, and ensure JavaScript and CSS files are not blocked. Once this manual pass gives you a feel for the application’s structure, complement your findings with an automated Burp crawl.

Scrape the robots.txt and sitemap.xml files for overlooked paths and use Google dorks. Also check out a related article we published recently, Parameter Discovery: A quick guide, to further enhance your parameter discovery process.

You’ll already start to have a clear, comprehensive view of your target.

Why JavaScript files are key for asset discovery

Modern web applications use JavaScript to manage user interactions, fetch data and shape site functionality. As a result, JavaScript files often hold critical insights that are neither visible in HTML nor easily guessable. For example, you may find references to specific API endpoints that a regular user would be unable to access through conventional means. Additionally, parameters that control feature flags or access testing endpoints might appear as variable names, function arguments or URL fragments inside these scripts.

Examining JavaScript source code helps you find undocumented APIs or parameters and understand how endpoints work. This context can enable more strategic testing – revealing which parameters are worth fuzzing, which routes are likely to handle sensitive data, and where misconfigurations might exist.

Top tools for JavaScript analysis

The following tools are invaluable for analysing JavaScript:

Using LinkFinder to find hidden endpoints and parameters

LinkFinder is a Python-based tool that crawls JavaScript files and extracts URLs, paths and parameters that could otherwise remain unnoticed. Running LinkFinder is straightforward:

linkfinder cli example

This command scans the specified JavaScript file and outputs a list of discovered endpoints directly in your terminal. You can then integrate these findings into your fuzzing tools, add them to your wordlists or explore them manually in Burp Suite.

JavaScript bookmarklets: handy, quick recon tools

For fast, on-the-fly endpoint discovery, JavaScript bookmarklets provide a lightweight, browser-native solution. A bookmarklet is simply a snippet of JavaScript code saved as a browser bookmark. When clicked on any webpage, it immediately runs within the browser and extracts valuable information – such as hidden endpoints – without requiring external tools or switching contexts.

This approach is particularly useful when you’re already exploring a target application and want to quickly expand your understanding of its attack surface. Instead of pausing to set up additional scripts or tools, you can instantly run a bookmarklet to uncover new paths or parameters as you navigate.

Here’s a great bookmarklet for extracting endpoints from JavaScript created by Renniepak:

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0–9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

javascript bookmarklet result

How to use this bookmarklet:

  • Add a new bookmark in your browser’s toolbar
  • Replace the bookmark’s URL with the JavaScript code snippet
  • Visit the target page and click the bookmarklet. The script will run in your browser, revealing previously undiscovered endpoints right on the page.

By incorporating bookmarklets into your reconnaissance toolkit, you can seamlessly integrate endpoint discovery into your browsing experience.

Burp Suite extensions for JavaScript analysis

While standalone tools and bookmarklets are powerful, integrating JavaScript analysis directly into your primary testing environment can streamline your workflow. By adding dedicated Burp Suite extensions, you can automatically detect hidden endpoints and parameters as you proxy requests through Burp, keeping all your reconnaissance data in one place.

For example, JSLinkFinder is a popular Burp extension that parses JavaScript files intercepted by Burp. It identifies and reports parameters and endpoints directly in your Burp dashboard.

linkfinder burpsuite extension result

The GAP burp extension, meanwhile, specialises in parsing JavaScript for interesting endpoints and values. GAP can highlight unusual behaviour or sensitive variables within the code.

Finally, JSpector offers a comprehensive approach to JavaScript analysis, revealing endpoints, parameters and potential vulnerabilities.

What Is fuzzing in Bug Bounty recon?

Fuzzing involves systematically sending varied, often unexpected inputs – such as paths, parameters or HTTP headers – to an application’s endpoints. Unlike conventional scanners that stick to known routes and values, fuzzing deliberately explores the unknown. By experimenting with large sets of inputs, you can trigger edge cases, uncover functionality never intended for public use, and reveal subtle weaknesses in the application’s logic.

One form of fuzzing, forced browsing, discovers hidden directories, backup files and development endpoints that developers never intended to expose. While forced browsing targets the structure of an application’s environment, fuzzing can apply the same testing principles to parameters, headers and more complex areas of the application.

In the context of Bug Bounty reconnaissance, fuzzing isn’t simply guesswork. It involves leveraging well-crafted wordlists, selecting the right tools (such as ffuf or dirb), and using structured approaches offered by platforms such as Burp Intruder. This informed methodology ensures efficiency and precision, broadening your search for hidden directories, parameters and routes that could lead straight to overlooked vulnerabilities.

Other types of fuzzing:

  • Path fuzzing: probing unlisted directories, files or endpoints to reveal backups, test areas or deprecated components.
  • Parameter fuzzing: By testing for undocumented or unexpected parameters in application requests, researchers can uncover weaknesses in how applications handle input. Parameter fuzzing serves two key purposes: discovering new parameters that the application processes, such as hidden or undocumented GET and POST parameters, and exploring the potential values of these parameters to identify vulnerabilities like injection attacks, logic bypasses or insecure data handling. This dual approach makes parameter fuzzing a versatile and powerful technique in bug bounty reconnaissance.
  • Header fuzzing: Tweaking HTTP headers to discover server misconfigurations, debugging information or services running behind the scenes. This provides intelligence that can shape your subsequent attack strategies.

Why Is fuzzing crucial for asset discovery?

Fuzzing significantly expands the scope of your reconnaissance. Instead of limiting yourself to known pages or documented endpoints discovered previously, you cast a wider net over the target’s infrastructure, looking for anything that responds in an unexpected way. This broader perspective increases your chances of uncovering meaningful, hitherto undiscovered bugs. More specifically, fuzzing enables you to:

  • Discover hidden or secret endpoints: Many web applications and APIs contain paths not linked in the user interface – like old admin panels, forgotten test endpoints or development scripts. Fuzzing systematically tests for these, catching assets that would be invisible through traditional navigation.
  • Identify misconfigurations or access control issues: Sometimes, unexpected responses like HTTP status codes (eg, a 200 OK on a directory that should be restricted) signal a configuration slip-up. Fuzzing makes spotting these anomalies straightforward.
  • Automate the exploration of application behaviour: Checking each path or parameter by hand is impossible. Fuzzing tools let you run through extensive wordlists and payload sets automatically. This accelerates your workflow, ensuring you don’t miss critical targets that might yield valuable information.
  • Gain a deeper understanding of how the target application functions: By watching how the app reacts to unfamiliar input, you gain insights into its underlying logic, error-handling routines and fallback mechanisms. These findings can guide more targeted attacks later, making your overall testing strategy smarter and more efficient.

With fuzzing, you’re doing more than just ‘poking around’ in a scattergun fashion. You’re methodically mapping the application’s structure to expand and understand its potential attack surface. Done properly, this process significantly increases your chances of discovering impactful vulnerabilities that could earn you juicy bounties.

How to perform fuzzing effectively

Establish your baseline: Start with endpoints you’ve already discovered through manual crawling, JavaScript analysis and forced browsing. Make a list of these URLs and note any parameters or query strings that might be worth exploring. Having a well-defined baseline ensures you focus on meaningful targets rather than blindly testing the entire application.

Forced browsing: Even well-protected applications sometimes rely on predictable naming conventions, leftover backup files or default directories that developers assume won’t be found. Taking advantage of these assumptions, forced browsing involves systematically guessing file paths, directories and extensions to access hidden or restricted resources. Rather than relying solely on automated tools with arbitrary wordlists, you can apply informed intuition – trying out common paths like /admin, testing for backup files by appending .bak, or looking for file dumps like db_dump.sql in known directories.

Uncovering hidden files and backups: After you’ve identified core files – like settings.php – consider probing for backup versions. For example, try appending common backup extensions or variations:

  • settings.php.bak
  • settings.bak
  • settings.php.old
  • settings.old
  • settings_old.php
  • settings.php~
  • etc...

Sometimes these leftover files contain sensitive data, such as database credentials, API keys or configuration details. Combine this approach with your previous discovery methods: if JavaScript hinted at a config directory, test variations like config_old/ or config_bak/ while following the same logic.

Exploring common administrative or juicy directories: Administrative panels or promising directories are frequently stored under predictable paths. Test common directory names such as:

  • /admin
  • /control
  • /manage
  • /backend
  • /logs
  • /backup
  • etc...

If you know the target uses a particular technology (eg, WordPress), also try platform-specific directories like /wp-admin/. Discovering these panels can reveal areas with weaker authentication checks or outdated management tools. Once found, you can inspect these endpoints for logic flaws, insecure defaults or old testing interfaces that developers never removed.

Wordlists: your irreplaceable tools for effective recon

Wordlists guide your fuzzing by providing inputs to test against endpoints and parameters. Using the right wordlist will be a game-changer for your recon. Use reputable collections of wordlists for paths, parameters and more such as SecLists. Useful wordlists include:

  • common.txt: General-purpose wordlist for common endpoints.
  • Language-specific wordlists: Tailored to the programming language of your target
  • Framework-specific wordlists: Tailored to specific technologies such as ColdFusion

You can also refine these lists using data gathered in earlier steps – for instance, from JavaScript files, by adding parameter names or endpoint fragments found in the code, or from forced browsing, including any interesting directories or filenames that turned up as partial matches or hinted at backup files.

By customising your wordlists, you align your fuzzing efforts with the target’s unique environment rather than relying solely on generic guesses. You can also generate your own wordlists using tools like CeWL, which extracts keywords from a target’s website.

Fuzzing with command-line tools

Command-line (CLI) tools like ffuf are widely used for fuzzing because they are fast, flexible and easy to configure. For example, you can perform:

  • Directory discovery: Use custom wordlists to brute-force paths and uncover hidden files or folders.
  • Parameter discovery: Identify undocumented GET or POST parameters by using specific parameter-based wordlists.
ffuf cli example

Before you hit ‘Run’, adjust your tool settings to maximise efficiency and relevance:

  • Filtering and match conditions: Limit output to specific status codes or response sizes to highlight unusual findings.
  • Concurrency and rate limits: Set a comfortable number of parallel requests (eg, -t 10 in ffuf) to balance speed and stability.
  • Custom payloads: Use refined wordlists that incorporate insights from previous discovery methods, ensuring that fuzzing inputs are both broad and targeted.

Another useful CLI tool is dirb, which includes built-in wordlists and can quickly identify resources by simply inputting the target URL.

Fuzzing with Burp Intruder

Burp Intruder is super-handy for parameter fuzzing, as you can send multiple payloads to known parameters and analyse how the server responds. You can also script custom fuzzing routines using Python tools or automation frameworks if you need more specialised testing.

In the Intruder section, you can set up custom fuzzing attacks by marking parameters, loading payloads and starting the attack. You can generate your own payloads, such as numeric ranges, character lists or even custom wordlists, directly in Burp.

Practical use case: Intruder is particularly helpful for automating tests for vulnerabilities like IDOR (Insecure Direct Object References).

burpsuite intruder numbers payload

Analysing, iterating and integrating findings

Once you have gathered your results, sort through them to identify promising leads. Incorporate newly discovered endpoints or parameters back into your testing pipeline, for example by:

  • Refining wordlists: Add unique filenames, directories or parameters that emerged.
  • Adjusting payloads: If certain responses hint at SQL injection, XSS or authentication bypass, tailor your next fuzzing round with more specialised payloads.
  • Combining techniques: Feed new findings into other approaches, like forced browsing of different directories or running advanced parameter fuzzing on newly revealed endpoints.

Bonus: exploring header fuzzing techniques

HTTP headers can also expose interesting information about the application, such as:

  • Actively running services
  • Software versions
  • Programming languages

Header fuzzing is essential for gathering intelligence and can sometimes lead to direct exploitation of the application’s HTTP handling. For more details, check out our article on HTTP Header Exploitation.

Conclusion: now you can level up your Bug Bounty recon

If you’ve followed the steps above, you’ve added some serious firepower to your bug bounty reconnaissance toolkit! From forced browsing of hidden directories to parameter fuzzing and refining your wordlists, you’re no longer limited to what’s obvious on the surface.

As you experiment with these methods – tweaking your approach, automating repetitive tasks and blending different techniques – you’ll keep pushing deeper into the target’s environment. With practice, your recon work becomes sharper, more efficient and far more likely to uncover serious and previously undiscovered vulnerabilities.

Ready to put these techniques into practice? Take a look at YesWeHack Public Bug Bounty Programs and start uncovering hidden vulnerabilities today! Happy hunting! đŸ€˜