Skip to content

Bug Hunting Methodology

Passive Recon

  • Using Shodan to detect similar app
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
python3 favUp.py --favicon-file favicon.ico -sc
python3 favUp.py --favicon-url https://domain.behind.cloudflare/assets/favicon.ico -sc
python3 favUp.py --web domain.behind.cloudflare -s
urlhunter --keywords keywords.txt --date 2020-11-20
look for JS files, old links
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"
python theHarvester.py -b all -d domain.com
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
  • Perform Google Dorks search
site: *.example.com -www
intext:"dhcpd.conf" "index of"
intitle:"SSL Network Extender Login" -checkpoint.com

Active Recon

Network Discovery

host -t ns domain.local
domain.local name server master.domain.local.

host master.domain.local        
master.domain.local has address 192.168.1.1

dig axfr domain.local @192.168.1.1

Web Discovery

gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/'
ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/FUZZ'
bfac --url http://example.com/test.php --level 4
bfac --list testing_list.txt
echo www.hackerone.com | cdncheck -resp
www.hackerone.com [waf] [cloudflare]
katana -u https://tesla.com
echo https://google.com | hakrawler

Looking for Web Vulnerabilities

  • Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
  • Test for Business Logic weaknesses
    • High or negative numerical values
    • Try all the features and click all the buttons
  • The Web Application Hacker's Handbook Checklist copied from http://mdsec.net/wahh/tasks.html

  • Subscribe to the site and pay for the additional functionality to test

  • Inspect Payment functionality - @gwendallecoguic

    if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free

From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. " e.g :

Test card numbers and tokens

NUMBER BRAND TOKEN
4242424242424242 Visa tok_visa
4000056655665556 Visa (debit) tok_visa_debit
5555555555554444 Mastercard tok_mastercard

International test card numbers and tokens

NUMBER TOKEN COUNTRY BRAND
4000000400000008 tok_at Austria (AT) Visa
4000000560000004 tok_be Belgium (BE) Visa
4000002080000001 tok_dk Denmark (DK) Visa
4000002460000001 tok_fi Finland (FI) Visa
4000002500000003 tok_fr France (FR) Visa

References