6.1 KiB
Bug Hunting Methodology
Summary
-
- Shodan
- Wayback Machine
- The Harvester
- Github OSINT
Passive recon
-
Using Shodan to detect similar app
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse) nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
-
Using The Wayback Machine to detect forgotten endpoints
look for JS files, old links curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"
-
Using The Harvester
python theHarvester.py -b all -d domain.com
-
Look for private information in GitHub repos with GitRob
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
-
Perform Google Dorks search
Active recon
Network discovery
-
Subdomains enumeration
- Enumerate already found subdomains: projectdiscovery/subfinder:
subfinder -d hackerone.com
- Permutate subdomains: infosec-au/altdns
- Bruteforce subdomains: Josue87/gotator
- Subdomain takeovers: EdOverflow/can-i-take-over-xyz
- Enumerate already found subdomains: projectdiscovery/subfinder:
-
Network discovery
- Scan IP ranges with
nmap
, robertdavidgraham/masscan and projectdiscovery/naabu - Discover services, version and banners
- Scan IP ranges with
-
Review latest acquisitions
-
ASN enumeration
- projectdiscovery/asnmap:
asnmap -a AS45596 -silent
- projectdiscovery/asnmap:
-
DNS Zone Transfer
host -t ns domain.local domain.local name server master.domain.local. host master.domain.local master.domain.local has address 192.168.1.1 dig axfr domain.local @192.168.1.1
Web discovery
-
Locate
robots.txt
,security.txt
,sitemap.xml
files -
Retrieve comments in source code
-
Discover URL: tomnomnom/waybackurls
-
Search for
hidden
parameters: PortSwigger/param-miner -
List all the subdirectories and files with
gobuster
orffuf
# gobuster -w wordlist -u URL -t threads ./gobuster -u http://example.com/ -w words.txt -t 10
-
Find backup files with mazen160/bfac
bfac --url http://example.com/test.php --level 4 bfac --list testing_list.txt
-
Map technologies: Web service enumeration using projectdiscovery/httpx or Wappalyzer
- Gather favicon hash, JARM fingerprint, ASN, status code, services and technologies (Github Pages, Cloudflare, Ruby, Nginx,...)
-
Take screenshots for every websites using sensepost/gowitness
-
Automated vulnerability scanners
- projectdiscovery/nuclei:
nuclei -u https://example.com
- Burp Suite's web vulnerability scanner
- sullo/nikto:
./nikto.pl -h http://www.example.com
- projectdiscovery/nuclei:
-
Manual Testing: Explore the website with a proxy:
Looking for Web vulnerabilities
-
Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
-
Test for Business Logic weaknesses
- High or negative numerical values
- Try all the features and click all the buttons
-
The Web Application Hacker's Handbook Checklist copied from http://mdsec.net/wahh/tasks.html
-
Subscribe to the site and pay for the additional functionality to test
-
Inspect Payment functionality - @gwendallecoguic
if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free
From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. " e.g :
Test card numbers and tokens
NUMBER BRAND TOKEN 4242424242424242 Visa tok_visa 4000056655665556 Visa (debit) tok_visa_debit 5555555555554444 Mastercard tok_mastercard International test card numbers and tokens
NUMBER TOKEN COUNTRY BRAND 4000000400000008 tok_at Austria (AT) Visa 4000000560000004 tok_be Belgium (BE) Visa 4000002080000001 tok_dk Denmark (DK) Visa 4000002460000001 tok_fi Finland (FI) Visa 4000002500000003 tok_fr France (FR) Visa