My Notes from Reading Web Hacking 101

Web Hacking 101 was written by Peter Yaworski. These are my notes from Ch. 19, "Getting Started".

HIS SUMMARY:

  1. Enumerate all subdomains (if they are in scope) using KnockPy:

     knockpy example.com -w domain/sorted_knock_dnsrecon_fierce_recon-ng.txt

     OR

     knockpy example.com -c -w SecLists/Discovery/DNS/subdomains-top1mil-110000.txt

     • Alternatively, use Jason Haddix's enumall script, which requires Recon-ng. Note that, if you're running Kali Linux, Recon-ng is probably already installed. Recon-ng can also call altdns, but installing altdns is optional.

     enumall.py example.com -a -w SecLists/Discovery/DNS/sorted_knock_dnsrecon_fierce_recon-ng.txt

     • Also check whois or IPV4info.com.
  2. Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
  3. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
  4. Explore and understand available functionality, noting areas that correspond to vulnerability types
  5. Begin testing functionality, mapping vulnerability types to the functionality provided
  6. Automate EyeWitness and Nmap scans from the KnockPy and enumall scans

     sudo nmap -sS -A -PN --script=http-title -iL example.com.targets -oA example.com.nmap

     • Note that the example.com.targets file is a sorted, uniq-ed list of hostnames from the subdomain enumeration scans described above.
  7. Review mobile application vulnerabilities
  8. Test the API layer, if available, including otherwise inaccessible functionality
  9. Look for private information in GitHub repos with GitRob
  10. Subscribe to the site and pay for the additional functionality to test
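An added example, not from the book or these notes, of the merge step behind the example.com.targets file above (the same merge feeds the "Digging deeper" nmap step below): it combines the KnockPy and enumall host lists, normalizes them, and keeps only hostnames inside the in-scope domain. The input format (a hostname first on each line, optionally followed by an IP) and the sample files are constructed assumptions, not either tool's exact output.

```shell
#!/bin/sh
# make_targets DOMAIN FILE...  ->  one in-scope hostname per line on stdout,
# lowercased, trailing dots stripped, wildcards and look-alike domains dropped,
# sorted and deduplicated (the "sorted, uniq-ed list" the nmap step expects).
make_targets() {
    domain=$1
    shift
    # -F splits on commas/whitespace so "host,ip" and "host ip" lines both work
    cat "$@" | awk -F '[,[:space:]]+' -v d="$domain" '
        {
            host = tolower($1)
            sub(/\.$/, "", host)                       # strip trailing dot from FQDNs
            if (host == "" || host ~ /^[#*]/) next     # skip blanks, comments, wildcard entries
            # keep the apex itself or anything ending in ".<domain>"; this drops
            # out-of-scope look-alikes such as notexample.com
            if (host == d || substr(host, length(host) - length(d)) == "." d) print host
        }' | LC_ALL=C sort -u
}

# Constructed sample output from the two enumeration tools (TEST-NET-3 addresses).
WORK=$(mktemp -d)
KNOCK="$WORK/knockpy.csv"
ENUMALL="$WORK/enumall.txt"
cat > "$KNOCK" <<'EOF'
WWW.example.com,203.0.113.10
api.example.com,203.0.113.11
example.com.,203.0.113.10
*.example.com,203.0.113.12
EOF
cat > "$ENUMALL" <<'EOF'
api.example.com
mail.example.com
notexample.com
staging.example.com.
EOF

# Usage: write the merged list, then hand it to the nmap/EyeWitness commands above.
make_targets example.com "$KNOCK" "$ENUMALL" > "$WORK/example.com.targets"
cat "$WORK/example.com.targets"
```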

MY SUMMARY:

Enumerate sub domains

Crawl the main site

  • Burp Suite
  • ZAP Proxy

Manually explore the main site to figure out the site's stack

  1. Wappalyzer plug-in
  2. Burp Suite
  3. If it has a front-end JS library which interacts with a back-end API:
     • Find out if it has known vulnerabilities
     • Do API calls return sensitive data which is not rendered?
  4. Check proxy to see:
     • Where files are being served from
     • JS files hosted elsewhere?
     • Calls to 3rd party services?
  5. Look for JSON files
  6. Attempt passing unauthorized file IDs

Map functionality to vulnerability types

  1. Set up accounts. OAuth?
  2. 2FA?
  3. Multiple users per account? Complex permissions model?
  4. Inter-user messaging allowed?
  5. Sensitive documents stored or allowed to be uploaded?
  6. Profile pictures allowed?
  7. HTML allowed, or WYSIWYG editor?
  8. Bulk importer accepting XML/XXE document?

Application testing

  1. Create content, users, teams, etc.
  2. Inject payloads everywhere
     • E.g., <img src="x" onerror=alert(1)>
  3. Inject exploit code into a vulnerable JS framework
  4. How is my content rendered?
  5. Are special characters encoded?
  6. Are attributes stripped? (What does this one mean? URL params?)
  7. Does XSS image payload execute?
  8. Test each area
  9. Analyze HTTP requests and responses
  10. Enumerate or access URLs to sensitive files as anonymous user?
  11. If WYSIWYG, add HTML to POST requests
  12. CSRF tokens present in HTTP requests that change data? Tokens validated? (CSRF)
  13. Can I manipulate ID parameters? (Application Logic)
  14. Can I repeat requests across two separate user accounts? (Application Logic)
  15. Any XML upload fields (XXE)?
  16. Notice any URL patterns containing record IDs? (Application Logic, HPP)
  17. Any URLs with redirect-related parameters? (Open Redirect)
  18. Any requests which echo URL parameters in the response? (CRLF, XSS, Open Redirect)
  19. Server information disclosed? Find unpatched vulnerabilities
  20. Did ZAP discover anything interesting like .htpasswd or config files?
  21. Did Burp discover anything interesting?

Digging deeper

  1. Combine sub-domain lists from KnockPy and enumall scans as input to EyeWitness for screenshots
  2. Accessible web panels?
  3. Continuous integration servers?
  4. Administrative consoles?
  5. Take the KnockPy list of IPs and pass it to nmap:

     nmap -sSV -oA OUTPUTFILE -T4 -iL IPS.csv

     • Open ports?
     • Vulnerable services?

Mobile applications

  1. Proxy your phone traffic through Burp while using the mobile app (if no SSL pinning)
  2. Explore API endpoints
  3. Mobile Security Framework
  4. JD-GUI

APIs (mobile or not)

  1. Review developer documentation looking for abnormalities
  2. Does API sanitize input?

Look for Public Leaks

  1. GitRob
  2. Passwords?
  3. Config files?
  4. Keys?
  5. Google search:

     site:example.com .bash_history

Paywalls

  • Explore paid functionality, which most other hackers likely avoid.