Penetration-Testing/BBHF.txt at main · web-cipher-007/Penetration-Testing · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
Bug Bounty Hunting Flow


1. Reconnaissance

   Gather as much information as possible about the target.

   Tools and Techniques:

   - Subdomain Enumeration:

     Use tools like subfinder, amass, assetfinder, and shuffledns.

     Example command:

       subfinder -d target.com -o subdomains.txt

   - DNS Enumeration:

     Use tools like dnsx to resolve subdomains.

     Example command:

       dnsx -l subdomains.txt -resp -o resolved.txt

   - Port Scanning:

     Use tools like nmap, masscan, and naabu.

     Example command:

       nmap -sV -Pn -T4 -iL resolved.txt

   - Web Asset Discovery:

     Use tools like gau, waybackurls, and katana.

     Example commands:

       gau target.com | tee urls.txt

       katana -u target.com -o endpoints.txt

   - Technology Fingerprinting:

     Use tools like whatweb and Wappalyzer.


2. Asset Analysis

   Focus on identifying unique characteristics of the target's endpoints or domains.


   Analyze:

   - Endpoints: Look for API endpoints, subdomains, and web pages.

   - Headers: Inspect security headers like CSP and HSTS using commands like curl -I <url>.

   - Source Code: Analyze for hardcoded keys, tokens, or sensitive information.


3. Vulnerability Hunting

   Systematically search for vulnerabilities based on the target's functionality.


   Common Vulnerabilities:

   - Injection Flaws:

     SQL Injection: Use tools like sqlmap to test for vulnerabilities.

     Command Injection: Look for unsanitized user input.

   - Authentication Issues:

     - Default Credentials: Check if common default passwords are in use.

     - Password Policy Weaknesses: Test for short, weak, or guessable passwords.

     - Session Fixation: Ensure session tokens are renewed after login.

   - Cross-Site Scripting (XSS):

     - Reflected XSS: Inject payloads in URL parameters or forms.

     - Stored XSS: Identify locations where input is stored and reflected to other users.

     - DOM-Based XSS: Test for unsafe client-side JavaScript code execution.

   - File Upload Vulnerabilities:

     - MIME Type Validation: Check if file uploads are restricted by MIME type only.

     - File Path Traversal: Exploit directory traversal in file uploads (e.g., ../../shell.php).

   - Insecure Direct Object References (IDOR):

     Test if changing parameters like user_id=123 exposes other users' data.

   - Directory Traversal:

     Test for access to unauthorized directories using payloads like ../../etc/passwd.

   - Information Disclosure:

     - Sensitive Files: Identify exposed files like .env, .git, or backup files.

     - Verbose Error Messages: Inspect responses for stack traces or sensitive information.

   - Weak Security Configurations:

     - Missing HTTPS: Check if sensitive data is transmitted over plain HTTP.

     - Misconfigured Security Headers: Analyze CSP, HSTS, X-Frame-Options, etc.

   - Weak Rate Limiting:

     Test for endpoints vulnerable to brute force or abuse.


   Tools:

   - Burp Suite: For intercepting requests and testing payloads.

   - Ffuf or Dirb: For directory and file brute-forcing.

   - Nuclei: For automating scans with vulnerability templates.


4. Advanced Vulnerability Testing

   Explore deeper vulnerabilities using specialized techniques.


   Techniques:

   - CORS Misconfigurations:

     Check for headers like Access-Control-Allow-Origin: *.

   - XXE Injection:

     Exploit XML parsers to access sensitive files like /etc/passwd.

   - Subdomain Takeover:

     Detect unclaimed subdomains using tools like subjack or tko-subs.

   - SSRF (Server-Side Request Forgery):

     Test for callbacks using Burp Collaborator or Interactsh.

   - WAF Bypass:

     Experiment with encodings, payload modifications, or malformed requests.

   - HTTP Request Smuggling:

     Identify vulnerabilities in backend server communication by crafting malformed HTTP headers.

   - OAuth Misconfigurations:

     Exploit issues in OAuth flows, such as redirect URI validation.

   - JSON Web Token (JWT) Attacks:

     Test for weak signing algorithms, lack of signature validation, or token manipulation.

   - Race Conditions:

     Exploit simultaneous requests to access or modify resources improperly.

   - GraphQL Exploitation:

     Use introspection queries to map schemas and test for injection or data leakage vulnerabilities.

   - Cache Poisoning:

     Manipulate cache behavior to deliver malicious content to users.

   - Deserialization Attacks:

     Identify and exploit insecure deserialization of untrusted data in applications.

   - Email Spoofing:

     Test for improper SPF, DKIM, and DMARC configurations to send spoofed emails.

   - LDAP Injection:

     Manipulate LDAP queries to bypass authentication or retrieve sensitive information.

   - DOM-Based XSS:

     Analyze client-side scripts for unsafe handling of input, leading to XSS.


5. Post-Exploitation

   If a vulnerability is found, assess its full impact.


   Validate:

   - Data Exposure: Check for sensitive files or database entries.

   - Privilege Escalation: Test for unauthorized access to higher privileges.

   - System Control: Verify command execution or lateral movement.


6. Reporting

   Prepare a clear and detailed report for submission.


   Components of a Good Report:

   - Title: Concise summary of the issue (e.g., Reflected XSS on Login Page).

   - Description: Explain the vulnerability, its impact, and affected components.

   - Steps to Reproduce: Include clear instructions and payloads.

   - Impact Assessment: Quantify the risk (e.g., data leakage, account takeover).

   - Recommendations: Suggest fixes or mitigations.

   - Proof of Concept (PoC): Provide screenshots, logs, or video demos.


7. Staying Updated

   Keep up with the latest techniques and tools.


   Tips:

   - Read bug bounty reports on platforms like HackerOne, Bugcrowd, or Medium.

   - Follow researchers and attend conferences for new insights.

   - Practice on labs like PortSwigger Academy, HackTheBox, or TryHackMe.


8. Automation

   Automate repetitive tasks to save time and increase efficiency.


   Tools:

   - LazyRecon: Automates subdomain and vulnerability discovery.

   - BugBountyAutomation: Chains tools like subfinder, httpx, and nuclei.


9. Ethics and Rules

   Always follow ethical guidelines and program rules of engagement.

   - Test only within scope.

   - Avoid causing harm to systems or users.


Happy Bug Hunting!