check-lists

Check-lists*

*Note: Check-lists and cheat-sheets :)

Index

• General checklists
• Toolset
• Testing layers
• Recon
• Penetration Testing cycle
• Bug Bounty Hunting
  • Top vulnerabilities to always look for
  • Multiple targets
  • Single target

General checklists

• SMB-Checklist
• Win32 Offensive Cheatsheet
• Regexp Security Cheatsheet
• Cheat-Sheet - Active-Directory
• Security Testing of Thick Client Application
• OWASP Cheat Sheet Series
• OSSTMM
• MindMaps

Toolset

• EasyG and all the connected tools
• Burp Suite and all the extensions
• Kali Linux + install.sh since it has everything you need

Testing layers

See The Bug Hunter's Methodology v4.0 - Recon Edition by @jhaddix #NahamCon2020!

• Integrations
• Application Libraries (usually JavaScript)
• Application: Custom Code or COTS
• Application Framework
• Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
• Open Ports and Services (Default creds on services, service level exploits)

Recon

• Identify technologies
  • Look for response headers, use curl -I www.domain.com
  • Use WappaLyzer, WhatWeb, BuilWith
    • Check for CVEs
  • Portscanning: use nmap, also for possible hidden web ports
    • SMB: nmap -vvv -p 139,445 --script=smb*
  • Check errors / cause an error - Search for possible disclosures in the responses - Try to cause an error with a wrong / non-existent HTTP method
  • Search for .js files, they may reveal infos about libraries and / or plugin used
• Check available HTTP methods
  • Use OPTIONS and HEAD
  • Pay attention if dangerous methods are enabled, like PUT, DELETE, CONNECT and TRACE
  • HTTP verb tampering
• Test for SSL
  • Check ciphers
    • testssl.sh
    • nmap -sV --script ssl-enum-ciphers -p 443
    • SSL Server Test (Powered by Qualys SSL Labs)
  • Check if HTST is set
    • Strict-Transport-Security
    • sslstrip
• Metafiles Leakage
  • Look for infos in robots.txt, .svn, .DS_STORE, README.md, .env
• Enumerate inputs and functionalities
  • Be sure to have noted every possible input, especially the riskier ones
• Look at the source code
  • Search for interesting content, like comments
• Directory Research
  • Check for possible backup files .old, log files, and other files like .php or .asp, even for source disclosure
  • Search for possible hidden / supposed-to-be protected paths
  • Use various lists
    • SecLists, FuzzDB, PayloadAllTheThings
    • Custom: cewl
• Dorking
  • Google, GitHub, Shodan

Penetration Testing cycle

1. Defining the Scope
   • Check if the target is valid
   • Setup the environment
2. Information gathering
   • Passive Information Gathering (OSINT)
   • Active Information Gathering
3. Service enumeration
4. Cicle
   • Penetration
   • Initial Foothold
   • Privilege Escalation
   • Lateral Movement
   • Maintaining access (Trojans)
5. House keeping
   • Cleaning up rootkits
   • Covering tracks
   • See: Post Exploitation - The Penetration Testing Execution Standard
6. Results
   • Reporting / Analysis
   • Lessons Learned / Remediation

Bug Bounty Hunting

Top vulnerabilities to always look for

• XSS
• CSRF
• Authorization issues
• IDOR

Multiple targets

• Run EasyG assetenum
• Select the interesting targets
  • Pass the subdomains to Burp Suite
  • Open them in Firefox
• Check for mobile/desktop applications
  • If there are any other non-web application, use Apkleak and Source2Url (even if OoS)
• If every asset is in scope
  • bgp.he.net
  • Crunchbase
  • OCCRP Aleph
  • duckduckgo/tracker-radar/entities
• If IPs are in scope: cat ip.txt | dnsx -ptr -resp-only

Single target

• Recon
  • Explore the app, test every functionality (eventually, search for documentation)
  • Crawl with Burp Suite
  • Collect endpoints with BurpJSLinkFinder
  • Content Discovery, use tools, Google Dorking and GitHub Dorking
  • Check the Testing layers
  • See the technologies, search for CVEs
• Look for PII Disclosure
  • If you find documents redacted
    • Try to copy and paste the obscured text
    • Try to convert the PDF, for example with pdftotext
• Parameters
  • Look for reflections
  • Use ParamSpider
    • rXSS
  • Redirection
    • Check for Open Redirects
• Authentication
  • See Authentication vulnerabilities
  • Account Section
    • Profile
      • Stored or Blind XSS
    • App Custom Fields
    • Integrations
      • SSRF, XSS
  • HTTP Request Smuggling in login panels
  • CSRF for every auth user action
  • Password Reset Broken Logic / Poisoning
• Upload Functions
• Email functions, check if you can send emails from the target
  • Spoofing
  • HTML Injection
  • XSS
• Feedback functions
  • Look for Blind XSS
• Broken Access Control, IDOR & co
  • IDOR Checklist
• Content Types
  • Look for multipart-forms
  • Look for content type XML
  • Look for content type json
• APIs
  • Methods
  • API Security Checklist
• Errors
  • Change POST to GET
• OWASP Cheat Sheet Series, check also
  • OWASP Testing Guide
  • OWASP Web Application Penetration Checklist
• Look at the index of this repo and see if you've missed anything interesting