-
Notifications
You must be signed in to change notification settings - Fork 81
/
Copy pathBugBountySigns.txt
113 lines (91 loc) · 2.9 KB
/
BugBountySigns.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
*************
* QUESTIONS *
*************
# Ask yourself these questions for the application
1. What stack/languages are used?
2. What server is running the application?
3. Is there a WAF?
4. What additional libraries are used? Are there known exploits for these libraries? Custom JS Llbraries?
5. Is there Authentication? - Yes, OAuth through Google/Facebook
6. What Objects are used?
7. How is session established?
8. Are there useful comments?
9. How does it handle special characters?
10. Can you trigger any error messages?
11. What common features are present?
12. How is a user identified?
13. Are there multiple user roles?
14. Is there an API?
15. Is there an Content Management System?
16. Is there a Content Security Policy?
17. Is CORS implemented?
18. Is Captcha used?
19. Are WebSockets used?
20. Is the source code publicly available?
# Ask yourself these questions about the server hosting the application
1. What ports are open?
2. What services are running on those ports?
3. Is it hosted in the cloud?
4. Is it hosting multiple apps using VHosting?
5. What is the OS?
6. Can you get the kernel version?
# Ask yourself these questions for EVERY page
1. What part of CRUD?
2. What HTTP request methods can be used? (GET/POST/PUT/DELETE/etc.)
3. What parameters can be used?
# Find Chaining Bugs
1. Open Redirect?
- If yes:
~ Can you redirect to different paths?
~ Can you redirect to different subdomains?
~ Can you redirect to different domains?
2. Reflected user controlled data?
- If yes:
~ HTMLi?
~ XSS?
~ SSTI?
3. CSRF?
- CSRF Tokens do not appear to be invalidated when sent or when the user logs out
If yes:
~ What can we do with this endpoint?
~ Is this endpoint an open redirect?
4. Change HTTP Verb?
If yes:
~ Does the endpoint work the same way when the verb is changed?
~ Are any parameters rejected?
************************
* VULN TESTING DETAILS *
************************
Account Takeover - Burp (manual)
Code Injection - Burp (scans/manual)
HTML Injection - Custom Script (TBD) / Burp (scans/manual)
IDOR - Burp (manual)
Information Disclosure - Custom Script (Github_brute-dork) / Manual Search
Prototype Pollution - Custom Script (Drifting_Embers) / Developer Tools (manual)
RCE - Nuclei (known CVE) / Burp (manual)
SSRF - Burp (manual)
XSS - Custom Script (TBD) / Burp (scans/manual)
SSTI - Custom Script (TBD) / Burp (scans)
CSRF - Burp (manual)
OAuth - Burp (manual)
De-serialization - Burp (manual/scans) / Source Code Analysis
HTTP Request Smuggling - Burp (scans)
WebSockets - Burp (manual)
HTTP Host Header - Burp (manual)
************
* TEMPLATE *
************
REPORT:
TITLE:
PROGRAM:
APP FUNCTION:
ENDPOINT:
CRUD / EXPLOITED FUNCTION:
SUMMARY:
TECHNICAL SKILL REQUIRED:
TAKEAWAYS:
1.
2.
3.
VULN DISCO AUTOMATION:
-----------------------------------------------------------------------