# Bug Hunting Methodology

## Passive Recon
- Use Shodan to find similar applications; it can be integrated with nmap through the shodan-hq NSE script (https://github.com/glennzw/shodan-hq-nse)
    ```bash
    nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
    ```
- Search for websites sharing the same favicon (useful to find the origin server behind a CDN): pielco11/fav-up
    ```bash
    python3 favUp.py --favicon-file favicon.ico -sc
    python3 favUp.py --favicon-url https://domain.behind.cloudflare/assets/favicon.ico -sc
    python3 favUp.py --web domain.behind.cloudflare -s
    ```
- Search inside shortened URLs: shorteners.grayhatwarfare.com, utkusen/urlhunter
- Search inside public buckets: buckets.grayhatwarfare.com
- Use the Wayback Machine to find forgotten endpoints; look for JS files and old links
    ```bash
    curl -sX GET "http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix"
    ```
- Harvest emails, subdomains and hosts with laramies/theHarvester
- Look for private information in GitHub repositories with michenriksen/GitRob
    ```bash
    gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
    ```
- Perform Google Dorks searches (no space after the operator, otherwise Google ignores it)
    ```
    site:*.example.com -www
    intext:"dhcpd.conf" "index of"
    intitle:"SSL Network Extender Login" -checkpoint.com
    ```
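The CDX query above returns one archived URL per line; the script below is an added example (not code from the Wayback Machine or from any tool named on this page) that triages such output offline: it de-duplicates http/https variants, lists JavaScript files and files with telling extensions, and collects the query-parameter names each path once accepted. `SAMPLE_CDX` and the `INTERESTING_EXT` list are constructed for the example.

```python
"""Triage Wayback Machine CDX output for forgotten endpoints.

Added example for this page, not code from the Wayback Machine or from any
tool the page names. It reads the plain-text output of the CDX query above
(fl=original prints one archived URL per line) and pulls out what a bug
hunter looks for first: JavaScript files, files with telling extensions
(backups, source, maps) and the query-parameter names each path once
accepted. The sample lines in SAMPLE_CDX are constructed for the example.
Usage: curl -s "<the CDX query>" | python3 cdx_triage.py
"""
import posixpath
import sys
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of CDX "fl=original" output; not real archive data.
SAMPLE_CDX = """\
http://example.com/
http://example.com/robots.txt
https://example.com/robots.txt
https://example.com/assets/app.min.js?v=3
https://example.com/assets/vendor/jquery-1.8.3.js
http://example.com/old-admin/login.php
http://example.com/api/v1/users?id=42&debug=1
http://example.com/api/v1/users?id=43
https://example.com:443/backup/site.zip
http://example.com/search?q=test&page=2
"""

# Extensions worth a manual look (assumed list, extend to taste).
INTERESTING_EXT = {".js", ".map", ".zip", ".tar", ".gz", ".bak", ".old",
                   ".sql", ".php", ".env", ".config", ".xml", ".json"}


def parse_cdx(text):
    """Return unique (path, query) pairs, ignoring scheme and port differences.

    collapse=urlkey already merges most duplicates server side, but http/https
    variants of the same URL still come through as separate lines.
    """
    seen = set()
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        path = parts.path or "/"
        key = (parts.hostname, path, parts.query)
        if key in seen:
            continue
        seen.add(key)
        entries.append((path, parts.query))
    return entries


def js_files(entries):
    """Sorted list of JavaScript paths; read these for endpoints and secrets."""
    return sorted({path for path, _ in entries if path.lower().endswith(".js")})


def interesting_files(entries):
    """Paths whose extension suggests backups, source or configuration."""
    return sorted({path for path, _ in entries
                   if posixpath.splitext(path)[1].lower() in INTERESTING_EXT})


def parameters(entries):
    """Map each path to the set of query-parameter names ever seen on it."""
    params = {}
    for path, query in entries:
        if query:
            names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
            params.setdefault(path, set()).update(names)
    return params


def main():
    text = SAMPLE_CDX if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_cdx(text)
    print(f"{len(entries)} unique URLs")
    print("JS files:", *js_files(entries), sep="\n  ")
    print("Interesting files:", *interesting_files(entries), sep="\n  ")
    for path, names in sorted(parameters(entries).items()):
        print(f"{path}: {' '.join(sorted(names))}")


if __name__ == "__main__":
    main()
```

The parameter map is the useful part: an `id` plus a `debug` parameter on an API path that no longer appears in the live site is exactly the kind of forgotten input worth retrying against the current deployment.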
## Active Recon

### Network Discovery
- Subdomain enumeration
    - Enumerate already-known subdomains with projectdiscovery/subfinder and OWASP/Amass
        ```bash
        subfinder -d hackerone.com
        amass enum -passive -dir /tmp/amass_output/ -d example.com -o dir/example.com
        ```
    - Permute subdomains: infosec-au/altdns
    - Bruteforce subdomains: Josue87/gotator
    - Resolve subdomains to IP addresses with blechschmidt/massdns; use a good list of resolvers such as trickest/resolvers
    - Check for subdomain takeovers: EdOverflow/can-i-take-over-xyz
- Network discovery
    - Scan IP ranges with nmap, robertdavidgraham/masscan and projectdiscovery/naabu
    - Discover services, versions and banners
- Review latest acquisitions
- ASN enumeration
    - projectdiscovery/asnmap:
        ```bash
        asnmap -a AS45596 -silent
        ```
    - asnlookup.com
- DNS zone transfer
    ```bash
    host -t ns domain.local
    domain.local name server master.domain.local.
    host master.domain.local
    master.domain.local has address 192.168.1.1
    dig axfr domain.local @192.168.1.1
    ```
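The permutation step above (altdns, gotator) sits between passive enumeration and massdns resolution. The script below is an added example written for this page, not code from altdns, gotator or any other tool listed here: given subdomains that passive sources already returned and a short word list, it generates the neighbouring names (staging-api, api-dev, dev.api, api2 ...) that a wordlist bruteforce would miss. `KNOWN`, `WORDS` and the apex `example.com` are constructed.

```python
"""Generate subdomain permutations from known subdomains (altdns-style).

Added example for this page; it is not altdns, gotator or any tool named
above. Passive enumeration turns up names like dev-api.example.com; this
generates the neighbours a brute-forcer would otherwise miss (staging-api,
api-dev, dev.api, api.v2, api2 ...) so they can be resolved with massdns.
KNOWN and WORDS are constructed for the example.
"""

KNOWN = ["api.example.com", "dev-api.example.com", "mail.example.com"]
WORDS = ["dev", "staging", "test", "internal", "v2"]


def labels_of(fqdn, apex):
    """'dev-api.example.com' with apex 'example.com' -> ['dev-api']."""
    suffix = "." + apex
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not under {apex}")
    return fqdn[: -len(suffix)].split(".")


def permutations(known, words, apex):
    """Return sorted candidate names under `apex` that are not already known."""
    known = {k.lower() for k in known}
    out = set()
    for fqdn in known:
        labels = labels_of(fqdn, apex)
        first, rest = labels[0], labels[1:]
        for w in words:
            # a new label in front of or behind the known labels
            out.add(".".join([w, *labels, apex]))
            out.add(".".join([*labels, w, apex]))
            # hyphenated variants of the leftmost label
            out.add(".".join([f"{w}-{first}", *rest, apex]))
            out.add(".".join([f"{first}-{w}", *rest, apex]))
        # numeric suffixes: api1, api2, api3
        for n in range(1, 4):
            out.add(".".join([f"{first}{n}", *rest, apex]))
        # swap each hyphen-separated part of the leftmost label for a word
        parts = first.split("-")
        if len(parts) > 1:
            for i, part in enumerate(parts):
                for w in words:
                    if w != part:
                        swapped = "-".join(parts[:i] + [w] + parts[i + 1:])
                        out.add(".".join([swapped, *rest, apex]))
    return sorted(out - known)


if __name__ == "__main__":
    # Print one candidate per line, ready for: massdns -r resolvers.txt -t A -o S -w out.txt
    for candidate in permutations(KNOWN, WORDS, "example.com"):
        print(candidate)
```

Keep the word list short and target-specific; the candidate count grows with (known names x words), and every candidate costs a DNS query against the resolvers you listed. Drop wildcard-matching apexes first, otherwise every permutation "resolves".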
### Web Discovery
- Locate robots.txt, security.txt and sitemap.xml files
- Retrieve comments in source code
- Discover URLs: tomnomnom/waybackurls, lc/gau
- Search for hidden parameters: PortSwigger/param-miner, s0md3v/Arjun and Sh1Yo/x8
- List all the subdirectories and files with OJ/gobuster, ffuf/ffuf and bitquark/shortscan
    ```bash
    gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/'
    ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u 'https://example.com/FUZZ'
    ```
- Find backup files with mazen160/bfac
- Map technologies: web service enumeration using projectdiscovery/httpx or projectdiscovery/wappalyzergo
    - Favicon hash
    - JARM fingerprint
    - ASN
    - Status code
    - Services
    - Technologies (GitHub Pages, Cloudflare, Ruby, Nginx, ...)
- Look for a WAF or CDN in front of the target with projectdiscovery/cdncheck and identify the real IP behind Cloudflare with christophetd/CloudFlair
- Crawl through website pages and files: hakluke/hakrawler and projectdiscovery/katana
- Take a screenshot of every website using sensepost/gowitness
- Automated vulnerability scanners
    - projectdiscovery/nuclei:
        ```bash
        nuclei -u https://example.com
        ```
    - Burp Suite's web vulnerability scanner
    - sullo/nikto:
        ```bash
        ./nikto.pl -h http://www.example.com
        ```
- Manual testing: explore the website through an intercepting proxy
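The favicon hash used in the passive recon step (fav-up) and in the technology-mapping list above is the value Shodan exposes as `http.favicon.hash`: MurmurHash3 (x86, 32-bit, seed 0) over the base64 encoding of the icon bytes, including the line breaks that Python's `base64.encodebytes` inserts every 76 characters, which is what fav-up does through the `mmh3` package. The block below is an added example for this page, not code from fav-up, Shodan or httpx; the hash is written out in pure Python so it runs offline, and the sample icon bytes are constructed (they are not a real favicon).

```python
"""Compute the Shodan favicon hash (http.favicon.hash) with no third-party packages.

Added example for this page, not code from fav-up, Shodan or httpx.
Shodan hashes MurmurHash3_x86_32 (seed 0) over base64.encodebytes(icon),
i.e. over the base64 text *with* its 76-column newlines; dropping the
newlines gives a different, useless value. The MurmurHash3 routine below
matches mmh3.hash() for the same input. SAMPLE_ICON is constructed.
"""
import base64

MASK = 0xFFFFFFFF

# Constructed stand-in for favicon bytes; use the real icon's bytes in practice.
SAMPLE_ICON = bytes([0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x10, 0x10]) * 48


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, returned as a signed 32-bit int like mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK
    nblocks = len(data) // 4
    for i in range(0, nblocks * 4, 4):
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK
    tail = data[nblocks * 4:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK
        h1 ^= k1
    h1 ^= len(data)
    # finalisation mix (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(icon: bytes) -> int:
    """Shodan-compatible favicon hash: murmur3 over base64.encodebytes() output."""
    return murmur3_32(base64.encodebytes(icon))


def shodan_query(icon: bytes) -> str:
    """The search filter to paste into Shodan (or `shodan search`)."""
    return f"http.favicon.hash:{favicon_hash(icon)}"


if __name__ == "__main__":
    import sys
    icon = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ICON
    print(shodan_query(icon))
```

Run it as `python3 favhash.py favicon.ico` on an icon fetched from the CDN-fronted site; a Shodan search for the printed filter lists every host serving the same icon, which often includes the origin IP that the CDN was supposed to hide. The same hash is the `favicon.mmh3` field that httpx reports.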
## Looking for Web Vulnerabilities
- Explore the website and look for the vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ...
- Test for business logic weaknesses
    - High or negative numerical values
    - Try all the features and click all the buttons
- The Web Application Hacker's Handbook checklist, copied from http://mdsec.net/wahh/tasks.html
- Subscribe to the site and pay for the additional functionality to test
- Inspect payment functionality - @gwendallecoguic
    If the web app you are testing uses an external payment gateway, check its documentation for the test card numbers and purchase something: if the web app did not disable test mode, the purchase will be free.
    From https://stripe.com/docs/testing#cards: "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S." e.g.:
    Test card numbers and tokens

    | NUMBER           | BRAND        | TOKEN          |
    |------------------|--------------|----------------|
    | 4242424242424242 | Visa         | tok_visa       |
    | 4000056655665556 | Visa (debit) | tok_visa_debit |
    | 5555555555554444 | Mastercard   | tok_mastercard |

    International test card numbers and tokens

    | NUMBER           | TOKEN  | COUNTRY      | BRAND |
    |------------------|--------|--------------|-------|
    | 4000000400000008 | tok_at | Austria (AT) | Visa  |
    | 4000000560000004 | tok_be | Belgium (BE) | Visa  |
    | 4000002080000001 | tok_dk | Denmark (DK) | Visa  |
    | 4000002460000001 | tok_fi | Finland (FI) | Visa  |
    | 4000002500000003 | tok_fr | France (FR)  | Visa  |
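The business-logic item above ("high or negative numerical values") is easiest to see against a checkout total. The block below is an added example for this page, not code from any application it describes: `vulnerable_total` trusts the quantity and unit price the client sends, so a negative quantity turns into a credit and a huge one into an absurd order; `hardened_total` looks prices up server side, rejects non-integer and out-of-range quantities, and ignores any client-supplied price. `CATALOG`, `MAX_QTY` and the carts are constructed.

```python
"""Business-logic check for high or negative numeric values in a checkout.

Added example for this page, not taken from any application it describes.
`vulnerable_total` trusts the quantity and unit price sent by the client;
`hardened_total` resolves prices from the server-side catalog and bounds
the quantity. CATALOG, MAX_QTY and the carts are constructed.
"""
from decimal import Decimal

# Server-side price list (constructed).
CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("250.00")}
MAX_QTY = 100  # assumed per-line business limit


def vulnerable_total(cart):
    """Trusts client-supplied 'price' and 'qty'; this is the weakness."""
    return sum(Decimal(str(item["price"])) * item["qty"] for item in cart)


def validate_cart(cart):
    """Return None if the cart is acceptable, otherwise the reason it is not."""
    if not cart:
        return "empty cart"
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            return f"unknown sku {sku!r}"
        qty = item.get("qty")
        # bool is an int subclass; reject it explicitly along with floats/strings
        if isinstance(qty, bool) or not isinstance(qty, int):
            return f"quantity must be an integer, got {qty!r}"
        if not 1 <= qty <= MAX_QTY:
            return f"quantity {qty} out of range 1..{MAX_QTY}"
    return None


def hardened_total(cart):
    """Server-side total: client 'price' is ignored and 'qty' is bounded."""
    problem = validate_cart(cart)
    if problem:
        raise ValueError(problem)
    return sum((CATALOG[item["sku"]] * item["qty"] for item in cart), Decimal("0"))


if __name__ == "__main__":
    # Negative quantity: the vulnerable total becomes a refund of 149.80.
    tampered = [
        {"sku": "sku-2", "qty": 1, "price": "250.00"},
        {"sku": "sku-1", "qty": -20, "price": "19.99"},
    ]
    print("vulnerable total:", vulnerable_total(tampered))
    print("hardened verdict:", validate_cart(tampered))
    for cart in (
        [{"sku": "sku-2", "qty": 1, "price": "0.01"}],        # price tampering
        [{"sku": "sku-2", "qty": 2**31, "price": "250.00"}],  # absurdly high quantity
        [{"sku": "sku-2", "qty": True, "price": "250.00"}],   # bool slips past naive int checks
    ):
        verdict = validate_cart(cart)
        print(cart[0], "->", verdict or f"ok, total {hardened_total(cart)}")
```

When testing, send each of these carts through the real checkout and compare the server's total with what the client displayed; a total that goes negative, wraps, or follows the client's price rather than the catalog is the finding.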