1. Pre-manual Test & Automation
    1. Open Ports and services
      1. Default creds on services
      2. Service level exploits
      3. TOOLS
        1. Naabu (simple)
        2. RustScan (fast)
    2. Web Hosting software
      1. default creds & web exploits
      2. web server misconfigurations
      3. TOOLS
        1. Nuclei
        2. Jaeles
        3. TweetDeck
    3. Application
      1. Libraries
      2. Framework
      3. Custom code or COTS
      4. TOOLS
        1. Wappalyzer & whatruns
        2. webanalyze CL tool
    4. Content Discovery
      1. Technology Wordlists
        1. IIS / MFS
          1. httparchive_aspx_asp_cfm_svc_ashx_asmx_...
        2. PHP & CGI
          1. httparchive_php_...
          2. httparchive_cgi_pl_...
        3. General API
          1. httparchive_apiroutes_..
          2. swagger-wordlist.txt
          3. SecLists/../.../../api-endpoints.txt
        4. Java
          1. httparchive_jsp_jspa_do_action_...
        5. Generic
          1. httparchive_directories_1m_...
          2. OneListForAll
          3. Raft
          4. jhaddix/content_discovery_all.txt
        6. Historical
          1. waymore tool
      2. Custom wordlists
        1. Scavenger tool
      3. Source code
        1. Source2URL tool
      4. TOOLS
        1. FeroxBuster
        2. Ffuf
        3. Wfuzz
        4. dirsearch
        5. gobuster
  2. Application Analysis
    1. THE BIG 6 QUESTIONS
      1. How the app passes data.
      2. Where the app talks about users (e.g. cookie / API as part of a parameter / UID / email / UUID / username).
      3. If the site has user levels / multi-tenancy (e.g. Admin / Account Admin / Account User / Account Viewer / unauth funcs).
      4. If site has a unique threat model (e.g. primary stream key should be private in twitch).
      5. If there has been security research & vulns.
      6. How the app handles vulnerabilities (e.g. XSS / SQLi).
  3. Spidering
    1. TOOLS
      1. Burp & Zap
      2. CL
        1. GoSpider
        2. Hakrawler
  4. JS Parsing
    1. TOOLS
      1. GAP Burp extension
      2. CL
        1. xnLinkFinder
      3. JS Beautifier (online)
  5. Parameter Analysis
    1. TOOLS
      1. Run the gf tool with a pattern file
      2. Burp Bounty Pro
  6. Heat Mapping