Bug Boundy Methodology, Tools & Resources

-
Start by defining a clear objective, such as exploiting a remote code execution (RCE) vulnerability or bypassing authentication on your target. Then, consider how you can achieve this goal using various attack vectors like XSS, SSRF, or others - these are simply tools to help you reach your objective.
Use the target as how a normal user would, while browsing keep these questions in mind:

1)How does the app pass data?
2)How/where does the app talk about users?
3)Does the app have multi-tenancy or user levels?
4)Does the app have a unique threat model?
5)Has there been past security research & vulnerabilities?
6)How does the app handle XSS, CSRF, and code injection?

Bug Boundy playlist in my channel:

crt.sh

crt.sh is used in bug bounty to discover subdomains of a target by searching for SSL/TLS certificates issued for the domain, which often reveal assets not listed publicly.


OSINT:  spiderfoot

This package contains an open-source intelligence (OSINT) automation tool.
SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target, or defensively to identify what information.

spiderfoot -l 127.0.0.1:5001
This launches the web server interface accessible at http://127.0.0.1:5001

In the web interface:

  • Click on "New Scan".
  • Enter the target (e.g., domain, IP, email, etc.).
  • Configure the modules to enable specific types of information gathering (e.g., WHOIS lookups, subdomain discovery, or data breaches).
  • Adjust scan options (e.g., depth, threading, API keys for external services).

Seclist (Password List)

SecLists is a comprehensive collection of penetration testing resources, including wordlists for usernames, passwords, URLs, APIs, fuzzing, and more, essential for security assessments.

Nuclei templates 

Nuclei is a fast, customizable, and open-source vulnerability scanner that uses YAML-based templates for detecting security issues. 

haveibeenpwned

Brute force the login endpoints with common passwords found in haveibeenpwned’s Pwned Passwords API

bbr

An open-source tool to aid in command line-driven generation of bug bounty reports based on user-provided templates. Useful for piping reporting from one application to another (such as an automatic submission tool).

APKLeaks

Scanning APK files for URIs, endpoints & secrets.
APKLeaks helps find sensitive data like API keys, passwords, private certificates, and other secrets embedded in Android APK files. 
how to install

python3  apkleaks.py  -f   ~/Downloads/<app-to-test-android.apk >

KeyHacks: validate API keys

KeyHacks shows methods to validate different API keys found on a Bug Bounty Program or a pentest.

nuclei token-spray

update or install nuclei

Test an API key against many API service endpoints

# Running token-spray templates against a single token to test
nuclei -t token-spray/ -var token=random-token-to-test -esc

# Running token-spray templates against a file containing multiple new line delimited tokens
nuclei -t token-spray/ -var token=file_with_tokens.txt

If not working, Enable debugging to understand why no results are being returned:

nuclei -t /opt/token-spray/ -var token=tocken   -esc -debug -vv


apktool

A tool for reverse engineering 3rd party closed binary Android apps.
root@kali:~# apktool   d   <app_file.apk>


MobSF/Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.

Quick setup with docker:


sudo docker pull opensecurity/mobile-security-framework-mobsf:latest
sudo docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest      

# Default username and password: mobsf/mobsf

#Dynamic Analysis 
sudo docker run -it --rm \
    -p 8000:8000 \
    -p 1337:1337 \
    -e MOBSF_ANALYZER_IDENTIFIER=127.0.0.1:6555 \
    opensecurity/mobile-security-framework-mobsf:latest

Before running the command setup Genymotion here




KiteRunner Api scanning

Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications.  

#vedio#
#list all wordlist
kr wordlist list
# Run
kr scan <url> -A <name form wordlist>
kr scan  http://example.com  -A raft-small-words

kr scan http://localhost -A apiroutes-240528 

#save only the hashes and remove duplicates
cat output.txt | grep -oE '[a-zA-Z0-9]{20,}' > hashes.txt


sort hashes.txt | uniq > temp.txt && mv temp.txt hashes.txt

GAU (GetAllUrls)

GAU (GetAllUrls) focuses primarily on historical URLs and subdomains in web applications. It comes pre-installed in Kali Linux.

waymore

 Waymore is to find even more links from the Wayback Machine than other existing tools like gau.

Acunetix crack

Acunetix is an end-to-end web security scanner that offers a 360 view of an organization’s security.

Caido

Caido is a web application security tool like Burp Suite or OWASP ZAP.


Retire.js

Retire.js extension is a popular tool for scanning JavaScript libraries for known vulnerabilities.

Scavenger

Plugin in Burp, a custom wordlist generator.



Burpsuite-Professional crack

Burp Suite Professional is a comprehensive, commercial tool widely used by security professionals, ethical hackers, and bug bounty hunters to test the security of web applications. It is developed by PortSwigger

chmod +x install.sh
./install.sh

change font

Kage

Kage is a Graphical User Interface for Metasploit Meterpreter and Session Handler.

# Download source code
git clone https://github.com/WayzDev/Kage.git

# Install dependencies and run kage
cd Kage
yarn # or npm install
yarn run dev # or npm run dev

# to build project
yarn run build

nip.io (Test SSRF)
nip.io maps 
<anything>[.-]<IPAddress>.nip.io in "dot""dash" or "hexadecimal" notation to the corresponding <IP Address>:
  • dot notation: magic.127.0.0.1.nip.io
  • dash notation: magic-127-0-0-1.nip.io
  • hexadecimal notation: magic-7f000001.nip.io




Comments

Post a Comment

Popular posts from this blog

Install & set up mitmweb or mitmproxy in Linux

-
Image
Step 1: Go to the mitmproxy page and download the binaries. Step 2: Install the downloaded tar file with the command " tar -xzf <filename>.tar.gz " Step 3: In the FoxyProxy add the proxy 127.0.0.1:8080  and turn it on. Step 4 : In the terminal run command " ./mitmweb " Step 5: Go to the page  http://mitm.it/   and download the mitmproxy's Certificate. Step 6: If you downloaded the certificate for Firefox, then go to " settings -> Privacy & Security -> Click View Certificates -> Click  Import ", then import the certificate.  Step 7: Now you are ready to capture the web traffic. Step 8 : In terminal run " ./mitmweb"
Read more

Day 20: Search in Rotated Sorted Array: Binary Search - leetcode - Python3

-
Image
  There is an integer array   nums   sorted in ascending order (with   distinct   values). Prior to being passed to your function,  nums  is  possibly rotated  at an unknown pivot index  k  ( 1 <= k < nums.length ) such that the resulting array is  [nums[k], nums[k+1], ..., nums[n-1], nums[0], nums[1], ..., nums[k-1]]  ( 0-indexed ). For example,  [0,1,2,4,5,6,7]  might be rotated at pivot index  3  and become  [4,5,6,7,0,1,2] . Given the array  nums   after  the possible rotation and an integer  target , return  the index of  target  if it is in  nums , or  -1  if it is not in  nums . You must write an algorithm with  O(log n)  runtime complexity. Example 1: Input: nums = [4,5,6,7,0,1,2], target = 0 Output: 4 Example 2: Input: nums = [4,5,6,7,0,1,2], target = 3 Output: -1 Example 3: Input: nums = [1], target = 0 Output: -...
Read more