Bug Bounty Methodology

Methodology

Recon

Passive

whois <domain>

Get owner info

nslookup <domain>

Get IP addresses

whois -r <IP> && whois -h whois.cymru.com <IP>

Get more owner information

subfinder -d <domain> && assetfinder --subs-only <domain>

Get sub-domains

EyeWitness.py --web -f <urls-file>

Screenshot every page

Active

httpx -ip -sc -td -l <subs-file>

Check the status code and get the IP and detected tech of every site

gobuster dir -u <url> -w <path/to/wordlist> && gobuster dns -d <domain> -w <path/to/wordlist>

Get more subdomains and directories

nmap -sC -sV <IPs>

Get open ports and service versions

nuclei -l <urls-file>

Get vulnerability information

sqlmap -u <url>

wpscan --url <url>

If running WordPress

Manual

Walk the site with Burp

Take note of interesting pages and fill up the Burp history for future reference.

Check every 401/403 page against the Wayback Machine

The site may have been crawled at a time when these pages were exposed, so an archived copy may still show the forbidden content.

Make two accounts and see how one can affect the other

Look for unique user identifiers, e.g. an id in the URL, and use the first account to try to access or modify the other user's data.
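The two-account check above is a test for insecure direct object references: a request that is authenticated but never authorised. The following is an added example (not code from the original page) showing the pattern being hunted for and its fix, with two constructed accounts and two constructed order records; the `Session`, `ORDERS` and handler names are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """A logged-in user, as a server would reconstruct it from a session cookie."""
    user_id: int


# Constructed sample data: account 1 owns order 1001, account 2 owns order 1002.
ORDERS = {
    1001: {"owner_id": 1, "items": ["book"]},
    1002: {"owner_id": 2, "items": ["laptop"]},
}


class NotFound(Exception):
    """Stands in for an HTTP 404 from the handler."""


def get_order_vulnerable(session, order_id):
    """Authenticates (a session is required) but never authorises.
    Any logged-in user can read any order just by changing the id in the URL,
    which is exactly what the two-account test detects."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(session, order_id):
    """Object-level authorisation: the record must exist AND belong to the caller.
    Both failures return the same error so that a tester cannot tell
    'missing' from 'not yours' and enumerate valid ids from the difference."""
    order = ORDERS.get(order_id)
    if order is None or order["owner_id"] != session.user_id:
        raise NotFound(order_id)
    return order


def two_account_check(handler):
    """Replay the methodology step: account 1 requests account 2's record.
    Returns True when cross-account access succeeds (an IDOR finding)."""
    try:
        handler(Session(user_id=1), 1002)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks other user's order:", two_account_check(get_order_vulnerable))
    print("fixed handler leaks other user's order:", two_account_check(get_order_fixed))
```

The same probe works for any endpoint that takes an object id: create the object as user B, then request it as user A and compare the response with a request for an id that does not exist at all.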

Check Wappalyzer on each page

Build a list of every technology the site uses.
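Two of the manual steps above, the Wayback check of 401/403 pages and the technology inventory, start from the output of the active recon. The following added example (not code from the original page) parses a constructed sample in the shape of `httpx -sc -ip -td` output, pulls out the forbidden responses, builds the matching Wayback Machine CDX API lookup for each, and groups hosts by detected technology. The hosts, addresses and tech names in the sample are made up; the exact httpx line layout is assumed to be `URL [status] [ip] [tech]`.

```python
import re
from urllib.parse import urlencode

# Constructed sample in the shape of `httpx -sc -ip -td` output
# (URL, status code, IP, detected tech). Hosts and addresses are made up.
SAMPLE_HTTPX_OUTPUT = """\
https://www.example.com [200] [203.0.113.10] [nginx]
https://admin.example.com [403] [203.0.113.11] [nginx]
https://api.example.com [401] [203.0.113.12] [Express]
https://old.example.com [404] [203.0.113.13] [Apache]
https://staging.example.com [403] [203.0.113.14] [Apache,PHP]
"""

LINE_RE = re.compile(
    r"^(?P<url>\S+)\s+\[(?P<status>\d{3})\]\s+\[(?P<ip>[^\]]*)\]\s+\[(?P<tech>[^\]]*)\]"
)


def parse_httpx(output):
    """Turn httpx-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "url": m["url"],
            "status": int(m["status"]),
            "ip": m["ip"],
            "tech": [t.strip() for t in m["tech"].split(",") if t.strip()],
        })
    return entries


def forbidden_urls(entries):
    """The 401/403 responses worth checking against the Wayback Machine."""
    return [e["url"] for e in entries if e["status"] in (401, 403)]


def wayback_cdx_query(url):
    """Build a Wayback Machine CDX API query listing archived captures of `url`
    that were stored with a 200 status; `limit` keeps the answer small."""
    params = {
        "url": url,
        "output": "json",
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
        "limit": "20",
    }
    return "https://web.archive.org/cdx/search/cdx?" + urlencode(params)


def tech_inventory(entries):
    """Map each detected technology to the hosts running it,
    i.e. the tech list the Wappalyzer step asks for."""
    inventory = {}
    for e in entries:
        for tech in e["tech"]:
            inventory.setdefault(tech, []).append(e["url"])
    return inventory


if __name__ == "__main__":
    entries = parse_httpx(SAMPLE_HTTPX_OUTPUT)
    for url in forbidden_urls(entries):
        print(url, "->", wayback_cdx_query(url))
    for tech, hosts in tech_inventory(entries).items():
        print(tech, hosts)
```

Feeding real httpx output in through stdin instead of the constructed string is a one-line change; the CDX query URLs it prints are what you would open (or fetch) to see whether a now-forbidden page was ever captured with a 200.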

AWS Buckets

If they are using AWS, check their S3 buckets.

Try to find the company's GitHub/GitLab page

Getting access to any code is a win.

See if you can find any employees on LinkedIn, and then find their GitHub/GitLab pages

Finding the developers' git pages can tell you a lot about the code they write.

Attack

Reflected Cross Site Scripting
Stored Cross Site Scripting
DOM based Cross Site Scripting
Cross Site Flashing
HTML Injection
SQL Injection
LDAP Injection
ORM Injection
XML Injection
XXE Injection
SSI Injection
XPath Injection
XQuery Injection
IMAP/SMTP Injection
Code Injection
Expression Language Injection
Command Injection
Overflow (Stack, Heap and Integer)
Format String
Incubated vulnerabilities
HTTP Splitting/Smuggling
HTTP Verb Tampering
Open Redirection
Local File Inclusion
Remote File Inclusion
Compare client-side and server-side validation rules
NoSQL injection
HTTP parameter pollution
Auto-binding
Mass Assignment
NULL/Invalid Session Cookie
