1. Side Notes
    1. The trend is your friend
    2. Spending months on the same program with the intention of diving as deep as possible
    3. When there is a filter there is usually a bypass
  2. Before Hacking
    1. Testing publicly disclosed bugs gives an insight into the types of issues to look out for
    2. Try to bypass the fixes for old disclosed bugs
    3. Search
      1. https://www.google.com/?q=domain.com+vulnerability
      2. https://www.hackerone.com/hacktivity
      3. https://www.openbugbounty.org/
    4. Build a treasure map of the target endpoints from notes
  3. Recon
    1. Subdomains
      1. amass
        1. amass enum -brute -active -d domain.com -o amass-output.txt
      2. httprobe
        1. cat amass-output.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 50 | tee online-domains.txt
      3. anew
        1. cat new-output.txt | anew old-output.txt | httprobe
      4. dnsgen
        1. cat amass-output.txt | dnsgen - | httprobe
      5. aquatone
        1. cat domains-endpoints.txt | aquatone
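Added example, not part of the original checklist or of any of the tools it names: the two pure-data steps of the subdomain pipeline above (dnsgen-style permutation of known hosts, and the `anew` step that keeps only hosts a previous run lacked), reimplemented in Python so they run offline. Probing the candidates stays with httprobe/aquatone. The root `domain.com`, the hosts and the two-word list are constructed sample data.

```python
"""Added example: offline reimplementation of the dnsgen and anew steps.

  permute_hosts()  builds dnsgen-style candidates from hosts amass found
  new_entries()    keeps only lines absent from a previous run (anew)

Hostnames, root and wordlist below are constructed sample data.
"""
import re
from typing import Iterable, List, Sequence

ROOT = "domain.com"                                             # assumption
KNOWN_HOSTS = ["api.domain.com", "dev-api.domain.com", "mail01.domain.com"]
WORDS = ["dev", "staging"]                                       # dnsgen ships a far bigger list


def labels_below_root(host: str, root: str) -> List[str]:
    """'dev-api.domain.com' -> ['dev-api']; 'a.b.domain.com' -> ['a', 'b']."""
    suffix = "." + root
    if not host.endswith(suffix):
        raise ValueError(f"{host} is not under {root}")
    return host[: -len(suffix)].split(".")


def permute_hosts(hosts: Iterable[str], words: Sequence[str], root: str = ROOT) -> List[str]:
    """Candidates the way dnsgen builds them: a word as a new leading/trailing
    label, a word dash-joined to the leftmost label, dash-joined labels split
    into dots, and trailing numbers bumped. Deduplicated, never repeats an input."""
    hosts = list(hosts)
    seen = set(hosts)
    out: List[str] = []

    def emit(labels: List[str]) -> None:
        candidate = ".".join(labels) + "." + root
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for host in hosts:
        labels = labels_below_root(host, root)
        first, rest = labels[0], labels[1:]
        for word in words:
            emit([word] + labels)                # dev.api.domain.com
            emit(labels + [word])                # api.dev.domain.com
            emit([f"{word}-{first}"] + rest)     # dev-api.domain.com
            emit([f"{first}-{word}"] + rest)     # api-dev.domain.com
        if "-" in first:
            emit(first.split("-") + rest)        # dev-api -> dev.api
        m = re.search(r"(\d+)$", first)
        if m:                                    # mail01 -> mail02, mail03
            width, n = len(m.group(1)), int(m.group(1))
            for k in range(1, 3):
                emit([first[: m.start()] + str(n + k).zfill(width)] + rest)
    return out


def new_entries(previous: Iterable[str], current: Iterable[str]) -> List[str]:
    """anew semantics: lines in `current` absent from `previous`, deduplicated,
    in first-seen order. Feed only these to httprobe instead of the whole list."""
    seen = set(previous)
    fresh: List[str] = []
    for line in current:
        line = line.strip()
        if line and line not in seen:
            seen.add(line)
            fresh.append(line)
    return fresh


if __name__ == "__main__":
    candidates = permute_hosts(KNOWN_HOSTS, WORDS)
    print(f"{len(candidates)} candidates, e.g. {candidates[:3]}")
    print("new since last run:", new_entries(KNOWN_HOSTS, KNOWN_HOSTS + candidates[:2]))
```

Pipe the output of `permute_hosts` into httprobe exactly as the dnsgen line above does; the point of `new_entries` is that a repeated run only probes what changed, which is what makes the "Repeat" section cheap.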
    2. Content Discovery
      1. wordlists
        1. https://github.com/danielmiessler/SecLists
      2. ffuf
        1. ffuf -ac -v -u https://domain/FUZZ -w wordlist.txt
      3. wayback machine & waybackurls
        1. /index
        2. /robots.txt
        3. .js files
      4. LinkFinder
        1. scrape URLs from javascript files
      5. Parameters
        1. parameth
      6. AnyChanges
        1. looks for new links (via <a href>)
  4. Test Features
    1. Registration
      1. Dorks
        1. site:example.com inurl:join inurl:&
        2. site:example.com inurl:signup inurl:&
        3. site:example.com inurl:register inurl:&
      2. What's required to sign up, and where is it reflected?
        1. Uploading a photo
          1. determine file type
          2. change extension
        2. name & description
          1. allowed characters
          2. only XSS prevention?
          3. test the mobile app
      3. Can I register with my social media account?
        1. via Oauth?
        2. allowed accounts ?
        3. trusted info?
      4. What characters are allowed? Are < > “ ' allowed in my name?
        1. XSS
          1. unicode, %00, %0d
          2. test the mobile app
      5. Can I sign up using @target.com or is it blacklisted?
      6. What happens if I revisit the register page after signing up?
        1. redirect parameter?
        2. re-sign up as an authenticated user
      7. Used parameters
      8. Hunting in .js files
        1. https://www.youtube.com/watch?v=0jM8dDVifaI
    2. Login
      1. Is there a redirect parameter used?
        1. returnUrl, goto, return_url, returnUri, cancelUrl, back, returnTo
      2. What happens if I try to log in with myemail%00@email.com?
        1. If it works, try signing up with my%00email@email.com and go for an account takeover
      3. Can I login with my social media account?
        1. via Oauth?
        2. allowed accounts ?
        3. same for all countries?
      4. Does the mobile login flow differ from desktop?
      5. Reset Password
        1. used parameters?
          1. IDOR
          2. Host header injection
          3. Rate Limiting
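Added example, not from the original checklist: reference checks for the two user-controlled URLs this list asks about, the login redirect parameter (returnUrl, goto, back, ...) and, further down under "Updating account information", the profile link that must not accept javascript:alert(0). Each is shown as the naive filter commonly met in the wild beside a stricter version. The trusted host names and the payloads are constructed.

```python
"""Added example: redirect-parameter and profile-link URL checks, weak vs strict.
TRUSTED_HOSTS and all payloads are constructed sample data."""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"domain.com", "www.domain.com"}        # assumption: the target's own hosts

_LEADING_JUNK = "".join(chr(c) for c in range(0x21))    # C0 controls and space


def normalize(url: str) -> str:
    """Cleanup browsers do before parsing, which naive filters forget: drop
    tab/CR/LF anywhere, strip leading control chars, treat '\\' as '/'."""
    for ch in ("\t", "\r", "\n"):
        url = url.replace(ch, "")
    return url.lstrip(_LEADING_JUNK).replace("\\", "/")


def naive_redirect_ok(url: str) -> bool:
    """'Relative paths only' check. Lets //evil.com and /\\evil.com through,
    both of which a browser resolves to evil.com."""
    return url.startswith("/") and not url.lower().startswith("http")


def safe_redirect_ok(url: str) -> bool:
    """Allow a same-site path, or an absolute URL whose parsed host is trusted."""
    url = normalize(url)
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # relative: exactly one leading slash, never protocol-relative '//'
        return url.startswith("/") and not url.startswith("//")
    # parts.hostname is lowercased and excludes userinfo and port, so
    # https://domain.com@evil.com and https://domain.com.evil.com both fail here
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS


def naive_profile_link_ok(url: str) -> bool:
    """Blocklist of one scheme; bypassed by a leading space or a tab inside the scheme."""
    return not url.lower().startswith("javascript:")


def safe_profile_link_ok(url: str) -> bool:
    """Allowlist: only http(s) with a host survives; data:, javascript:, etc. are dropped."""
    parts = urlsplit(normalize(url))
    return parts.scheme in ("http", "https") and bool(parts.hostname)


if __name__ == "__main__":
    for p in ["//evil.com", "/\\evil.com", "https://domain.com@evil.com/", "/account"]:
        print(f"{p!r:32} naive={naive_redirect_ok(p)} safe={safe_redirect_ok(p)}")
    for p in [" javascript:alert(0)", "java\tscript:alert(0)", "https://example.org/me"]:
        print(f"{p!r:32} naive={naive_profile_link_ok(p)} safe={safe_profile_link_ok(p)}")
```

The payloads in the `__main__` block are the ones worth trying first against any redirect or link field: protocol-relative, backslash, userinfo and subdomain-suffix tricks for redirects, and whitespace/tab-in-scheme variants of `javascript:` for links.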
    3. Updating account information
      1. Is there any CSRF protection?
        1. try sending a blank CSRF token, or a different token of the same length
      2. Any second confirmation for changing your email/password?
        1. If no, chain this with XSS for account takeover
      3. How do they handle basic < > “ ' characters and where are they reflected?
      4. If I can input my own URL on my profile, what filtering is in place to prevent something such as javascript:alert(0)?
      5. Is it a different process on the mobile app?
      6. How do they handle photo/video uploads (if available)?
      7. What information is actually available on my public profile that I can control?
        1. what I can control, how, and where it’s reflected
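Added example, not from the original checklist: two CSRF token validators, the shape that the blank-token / same-length-token test above is probing for beside one that binds the token to the session and compares it properly. The session store is a constructed in-memory stand-in and no web framework is assumed.

```python
"""Added example: weak vs strict CSRF token validation.
SESSION_STORE is a constructed stand-in for server-side session state."""
import hmac
import secrets
from typing import Dict, Optional

SESSION_STORE: Dict[str, str] = {}          # session_id -> csrf token (constructed)


def issue_token(session_id: str) -> str:
    """Mint a per-session token when the form is rendered and remember it server-side."""
    token = secrets.token_hex(16)           # 32 hex chars
    SESSION_STORE[session_id] = token
    return token


def weak_check(session_id: str, submitted: Optional[str]) -> bool:
    """What an implementation that fails the test above tends to look like."""
    expected = SESSION_STORE.get(session_id)
    if not submitted:
        return True                         # bug: validation skipped when the field is blank/absent
    # bug: only the length is compared, so any 32-char string passes
    return expected is not None and len(submitted) == len(expected)


def strict_check(session_id: str, submitted: Optional[str]) -> bool:
    """Reject when either side is missing; otherwise constant-time compare against
    the token stored for *this* session, so a token minted for another user fails."""
    expected = SESSION_STORE.get(session_id)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    sid = "sess-A"
    tok = issue_token(sid)
    for probe in ["", "a" * 32, tok]:
        print(f"{probe[:8]!r:12} weak={weak_check(sid, probe)} strict={strict_check(sid, probe)}")
```

When the blank or same-length probe is accepted on an email or password change request, that is the "no second confirmation" case two items up: a single cross-site request rewrites the account's login credentials.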
    4. The main feature
      1. Go for the feature the business is built around and see how it works
      2. Map features starting from the top
        1. note all requests & the parameters reused across features
      3. See if there are features only available in the mobile apps and NOT on desktop
        1. test country tlds
      4. What features are actually available to me
        1. Do multiple features all use the same data source?
      5. Can I pay for any upgraded features?
        1. If yes, test with a paid vs free account
      6. What are the oldest features?
        1. Dork for old code files: old code = bugs
      7. What new features do they plan on releasing?
        1. Stay up to date with what the company is working on
        2. https://www.jonbottarini.com/2019/06/17/using-burp-suite-match-and-replace-settings-to-escalate-your-user-privileges-and-find-hidden-features/
      8. Do features offer a privacy setting / account level permissions?
        1. Levels
          1. admin, moderator, user, guest
          2. test the various levels of permissions
        2. Setting
          1. private & public
    5. Payment
      1. What features are available if I upgrade my account?
        1. access without paying?
        2. upgrade from non-paying to paying unlocks more features
      2. Try to chain XSS to leak payment information for higher impact
      3. What payment options are available for different countries?
        1. switch location; maybe sandbox/test card details weren’t blocked
        2. bypass verification mechanisms
      4. Test numbers
        1. http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html
        2. https://www.paypalobjects.com/en_GB/vhelp/paypalmanager_help/credit_card_numbers.htm
    6. Developer tools
      1. Do they host it themselves or is it hosted on AWS?
      2. What tools are available for developers?
      3. Can I actually see the response on any tools?
      4. Can I create my own application and do the permissions work correctly?
      5. After creating an application, how does the login flow actually work?
        1. when I “disconnect” the application from my profile, is the token invalidated?
      6. Check wiki/help/API docs
      7. Is the filtering the same as updating my account information or is it using a different codebase?
      8. Can I create a separate account on the developer site or does it share the same session from the main domain?
  5. Expanding our attack surface
    1. Dorking
      1. Google
        1. use “-keyword” to remove certain endpoints
        2. 💡Note: check the results with a mobile user-agent
        3. Functions
          1. login, register, upload, contact, feedback, join, signup, profile, user, comment, api, developer, affiliate, careers, mobile, upgrade, passwordreset
        4. https://exposingtheinvisible.org/guides/google-dorking/
        5. ext
          1. php, aspx, jsp, txt, xml, bak
      2. GitHub
        1. “domain.com” api_secret, api_key, apiKey, apiSecret, password, admin_password
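Added example, not from the original checklist: a small scanner for the GitHub search terms listed above (api_secret, api_key, apiKey, apiSecret, password, admin_password), run over constructed sample file contents rather than a live search. Obvious placeholders and `${ENV}` references are skipped and values are redacted, so a hit can go into the notes without copying the secret itself.

```python
"""Added example: grep-style credential scanner for the keyword list above.
SAMPLE is a constructed config file, not real leaked content."""
import re
from typing import Dict, List

KEYWORDS = ["api_secret", "api_key", "apiKey", "apiSecret", "password", "admin_password"]

# key = "value" / key: 'value' / key=value ; value ends at a quote, whitespace, ',' or ';'
PATTERN = re.compile(
    r"(?P<name>" + "|".join(re.escape(k) for k in KEYWORDS) + r")"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s,;]+)",
    re.IGNORECASE,
)
PLACEHOLDERS = {"changeme", "xxx", "todo", "example", "<redacted>", "null", "none"}


def redact(value: str) -> str:
    """Keep a 4-char prefix so two reports of the same key can be matched up."""
    return value[:4] + "..." if len(value) > 8 else "***"


def is_placeholder(value: str) -> bool:
    """Skip ${ENV_VAR} references and the usual dummy values."""
    return value.startswith("${") or value.lower() in PLACEHOLDERS


def scan(text: str) -> List[Dict[str, object]]:
    """One finding per credential-looking assignment, value redacted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PATTERN.finditer(line):
            value = m.group("value")
            if is_placeholder(value):
                continue
            findings.append({"line": lineno, "name": m.group("name").lower(), "value": redact(value)})
    return findings


# constructed sample: a settings file someone pushed to a public repo
SAMPLE = """\
# settings.py for domain.com, constructed for this example
API_KEY = "sk_live_constructed_0123456789abcdef"
db_password = 'changeme'
apiSecret: 7f3d2c1b9a8e
admin_password=${ADMIN_PASSWORD}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['name']} = {f['value']}")
```

Run it over a cloned repository's files (including git history, which is where rotated keys usually survive) and confirm any hit is still valid before reporting; a redacted prefix is enough to identify the key in the report.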
    2. Notes
      1. Certain Subdomains
        1. “dev”, “prod”, “qa”
        2. Is it a third party
      2. Scan /robots.txt
      3. Use Burp Intruder “Grep - Match” feature
      4. Create a custom wordlist
      5. Interesting endpoints
        1. /admin, /server-status
      6. Writing down
        1. vulnerable parameters
        2. define the position on /endpoint
        3. The more you look, the more you learn
        4. test GET and POST
  6. Repeat
    1. Scanning for subdomains, files, directories & leaks
      1. https://github.com/nahamsec/lazyrecon
      2. CertSpotter
    2. Changes on a website
      1. check for any new functionality & features
    3. Stay up to date with new programs & program updates
      1. https://twitter.com/disclosedh1
  7. Resources
    1. Find other sites hosted
      1. https://www.yougetsignal.com/tools/web-sites-on-web-server/
    2. Payloads & Bypass
      1. https://github.com/swisskyrepo/PayloadsAllTheThings
    3. Subdomains
      1. https://certspotter.com/api/v0/certs?domain=domain.com
    4. URL Encoding
      1. http://www.degraeve.com/reference/urlencoding.php
    5. .APK scan
      1. https://apkscan.nviso.be/
    6. Search keyword
      1. https://publicwww.com/
    7. XSS bypass
      1. https://d3adend.org/xss/ghettoBypass
      2. https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-C
    8. Writeups
      1. https://medium.com/bugbountywriteup
      2. https://pentester.land/
    9. Open Redirect
      1. https://github.com/cujanovic/Open-Redirect-Payloads/blob/master/Open-Redirect-payloads.txt
    10. Sandbox
      1. https://www.jsfiddle.net/
      2. https://www.jsbin.com/