Bug Bounty Training

 Bug Bounty Training

Ethical Hacking Tuition Center

By Satish Tiwary

Recond and Wild card Domain:



[ ] Run amass

 [ ] Run subfinder 

[ ] Run assetfinder 

[ ] Run dnsgen

 [ ] Run massdns

 [ ] Use httprobe 

[ ] Run aquatone (screenshot for alive host)


Single Domain

Scanning

 [ ] Nmap scan 

[ ] Burp crawler

 [ ] ffuf (directory and file fuzzing) 

[ ] hakrawler/gau/paramspider

 [ ] Linkfinder 

[ ] Url with Android application

Manual checking 

[ ] Shodan 

[ ] Censys 

[ ] Google dorks

 [ ] Pastebin 

[ ] Github [ ] OSINT 


Information Gathering

[ ] Manually explore the site
 [ ] Spider/crawl for missed or hidden content 
[ ] Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store 
[ ] Check the caches of major search engines for publicly accessible sites
 [ ] Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler) 
[ ] Perform Web Application Fingerprinting 
[ ] Identify technologies used
 [ ] Identify user roles 
[ ] Identify application entry points 
[ ] Identify client-side code 
[ ] Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
 [ ] Identify co-hosted and related applications 
[ ] Identify all hostnames and ports
 [ ] Identify third-party hosted content
[ ] Identify Debug parameters 


Configuration Management:

[ ] Check for commonly used application and administrative URLs
 [ ] Check for old, backup and unreferenced files
 [ ] Check HTTP methods supported and Cross Site Tracing (XST)
 [ ] Test file extensions handling 
[ ] Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS) 
[ ] Test for policies (e.g. Flash, Silverlight, robots) 
[ ] Test for non-production data in live environment, and vice-versa
 [ ] Check for sensitive data in client-side code (e.g. API keys, credentials)



Secure Tramsmission:


[ ] Check SSL Version, Algorithms, Key length

 [ ] Check for Digital Certificate Validity (Duration, Signature and CN)

 [ ] Check credentials only delivered over HTTPS

 [ ] Check that the login form is delivered over HTTPS 

[ ] Check session tokens only delivered over HTTPS 

[ ] Check if HTTP Strict Transport Security (HSTS) in use


Authentication:


[ ] Test for user enumeration 

[ ] Test for authentication bypass 

[ ] Test for bruteforce protection

 [ ] Test password quality rules 

[ ] Test remember me functionality 

[ ] Test for autocomplete on password forms/input 

[ ] Test password reset and/or recovery 

[ ] Test password change process

 [ ] Test CAPTCHA [ ] Test multi factor authentication 

[ ] Test for logout functionality presence 

[ ] Test for cache management on HTTP (eg Pragma, Expires, Max-age)

 [ ] Test for default logins

[ ] Test for user-accessible authentication history
 [ ] Test for out-of channel notification of account lockouts and successful password changes
 [ ] Test for consistent authentication across applications with shared authentication schema / SSO


Session Management:


[ ] Establish how session management is handled in the application (eg, tokens in cookies, token in URL)

 [ ] Check session tokens for cookie flags (httpOnly and secure) 

[ ] Check session cookie scope (path and domain)

 [ ] Check session cookie duration (expires and max-age)

 [ ] Check session termination after a maximum lifetime

 [ ] Check session termination after relative timeout 

[ ] Check session termination after logout 

[ ] Test to see if users can have multiple simultaneous sessions

 [ ] Test session cookies for randomness

 [ ] Confirm that new session tokens are issued on login, role change and logout 

[ ] Test for consistent session management across applications with shared session management 

[ ] Test for session puzzling

 [ ] Test for CSRF and clickjacking 


Authorization:


[ ] Test for path traversal

 [ ] Test for bypassing authorization schema

 [ ] Test for vertical Access control problems (a.k.a. Privilege Escalation) 

[ ] Test for horizontal Access control problems (between two users at the same privilege level)

 [ ] Test for missing authorization 



Data Validation


[ ] Test for Reflected Cross Site Scripting 

[ ] Test for Stored Cross Site Scripting 

[ ] Test for DOM based Cross Site Scripting 

[ ] Test for Cross Site Flashing 

[ ] Test for HTML Injection 

[ ] Test for SQL Injection

[ ] Test for LDAP Injection 
[ ] Test for ORM Injection 
[ ] Test for XML Injection 
[ ] Test for XXE Injection 
[ ] Test for SSI Injection
 [ ] Test for XPath Injection
 [ ] Test for XQuery Injection
 [ ] Test for IMAP/SMTP Injection
 [ ] Test for Code Injection 
[ ] Test for Expression Language Injection
 [ ] Test for Command Injection 
[ ] Test for Overflow (Stack, Heap and Integer)
 [ ] Test for Format String 
[ ] Test for incubated vulnerabilities 
[ ] Test for HTTP Splitting/Smuggling 
[ ] Test for HTTP Verb Tampering 
[ ] Test for Open Redirection
 [ ] Test for Local File Inclusion
 [ ] Test for Remote File Inclusion 
[ ] Compare client-side and server-side validation rules
 [ ] Test for NoSQL injection
 [ ] Test for HTTP parameter pollution
 [ ] Test for auto-binding 
[ ] Test for Mass Assignment 
[ ] Test for NULL/Invalid Session Cookie


DOS

[ ] Test for anti-automation 

[ ] Test for account lockout 

[ ] Test for HTTP protocol DoS

 [ ] Test for SQL wildcard DoS


Business Logic

[ ] Test for feature misuse

[ ] Test for lack of non-repudiation 
[ ] Test for trust relationships
 [ ] Test for integrity of data 
[ ] Test segregation of duties


Cryptography

[ ] Check if data which should be encrypted is not 

[ ] Check for wrong algorithms usage depending on context

 [ ] Check for weak algorithms usage 

[ ] Check for proper use of salting 

[ ] Check for randomness functions


Risk Management

[ ] Test that acceptable file types are whitelisted 
[ ] Test that file size limits, upload frequency and total file counts are defined and are enforced 
[ ] Test that file contents match the defined file type
 [ ] Test that all file uploads have Anti-Virus scanning in-place. 
[ ] Test that unsafe filenames are sanitised
 [ ] Test that uploaded files are not directly accessible within the web root 
[ ] Test that uploaded files are not served on the same hostname/port
 [ ] Test that files and other media are integrated with the authentication and authorisation schemas
[ ] Test for known vulnerabilities and configuration issues on Web Server and Web Application
 [ ] Test for default or guessable password
 [ ] Test for non-production data in live environment, and vice-versa 
[ ] Test for Injection vulnerabilities
 [ ] Test for Buffer Overflows 
[ ] Test for Insecure Cryptographic Storage 
[ ] Test for Insufficient Transport Layer Protection
 [ ] Test for Improper Error Handling 
[ ] Test for all vulnerabilities with a CVSS v2 score > 4.0 
[ ] Test for Authentication and Authorization issues
 [ ] Test for CSRF

0 coment�rios:

Post a Comment

Subscribe to: Posts (Atom)

100 Web Vulnerabilities you should know as a Web application Penetration Tester

100 Web Vulnerabilities you should know as a Web application Penetration Tester If you are working as web application penetration testing en...