A collection of Burp Suite Intruder payloads, fuzz lists and a pentesting methodology. To pull down all third-party repos, run install.sh from inside the IntruderPayloads directory.

Author: [email protected] https://crowdshield.com

PENTEST METHODOLOGY v2.0

BASIC PASSIVE AND ACTIVE CHECKS:

  • Burpsuite Spider with intelligent form submission
  • Manual crawl of website through Burpsuite proxy and submitting INJECTX payloads for tracking
  • Burpsuite passive scan
  • Burpsuite engagement tools > Search > <form|<input|url=|path=|load=|INJECTX|Found|<!--
  • Burpsuite engagement tools > Find comments
  • Burpsuite engagement tools > Find scripts
  • Burpsuite engagement tools > Find references
  • Burpsuite engagement tools > Analyze target
  • Burpsuite engagement tools > Discover content
  • Burpsuite Intruder > file/directory brute force
  • Burpsuite Intruder > HTTP methods, user agents, etc.
  • Enumerate all software technologies, HTTP methods, and potential attack vectors
  • Understand the function of the site, what types of data is stored or valuable and what sorts of functions to attack, etc.
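The INJECTX tracking step and the engagement-tools Search step above, as an added Python example (not code from the IntruderPayloads repo): every parameter is replaced with a unique marker, each reflection is classified by the HTML context it lands in, and the response is grepped for the same search strings the Burp step uses. The response body, the hostname target.example and the parameter names are constructed for the example.

```python
"""Track where injected parameter values land, and grep responses for the
methodology's Burp "Search" strings. Added example; not code from the
IntruderPayloads repo. The HTTP response below is constructed."""
import re
from urllib.parse import urlencode

# The search terms from the "engagement tools > Search" step above, with
# the HTML comment opener written out in full.
SEARCH_STRINGS = ["<form", "<input", "url=", "path=", "load=", "INJECTX", "Found", "<!--"]


def tag_params(params):
    """Replace every parameter value with a unique INJECTX marker so each
    reflection can be traced back to the parameter that produced it."""
    return {name: f"INJECTX{idx:02d}_{name}" for idx, name in enumerate(params)}


def tracked_url(base, params):
    """Build the request URL to send through the proxy, plus the marker map."""
    markers = tag_params(params)
    return f"{base}?{urlencode(markers)}", markers


def reflection_contexts(body, marker):
    """Classify each occurrence of marker by the HTML context it lands in.
    The context decides which payload class to try next: attribute breakout,
    script string breakout, comment close, or plain tag injection."""
    contexts = []
    for match in re.finditer(re.escape(marker), body):
        before = body[:match.start()]
        lower = before.lower()
        if before.rfind("<!--") > before.rfind("-->"):
            contexts.append("comment")
        elif lower.rfind("<script") > lower.rfind("</script"):
            contexts.append("script")
        elif before.rfind("<") > before.rfind(">"):
            contexts.append("attribute")
        else:
            contexts.append("text")
    return contexts


def search_hits(body):
    """Count case-insensitive hits for each passive search string."""
    return {s: len(re.findall(re.escape(s), body, re.IGNORECASE)) for s in SEARCH_STRINGS}


def scan_response(body, markers):
    """Map each marker that reflected to the list of contexts it appeared in."""
    found = {}
    for marker in markers.values():
        contexts = reflection_contexts(body, marker)
        if contexts:
            found[marker] = contexts
    return found


# Constructed response to a request tagged with tag_params({"q": ..., "user": ...})
SAMPLE_RESPONSE = """<html><body>
<!-- debug: path=/var/www/app/include -->
<form action="/search" method="GET"><input name="q" value="INJECTX00_q"></form>
<script>var user = "INJECTX01_user";</script>
<p>Results for INJECTX00_q</p>
<a href="/load?url=http://example.com">Found 3 results</a>
</body></html>
"""

if __name__ == "__main__":
    url, markers = tracked_url("https://target.example/search", {"q": "", "user": ""})
    print(url)
    for marker, contexts in scan_response(SAMPLE_RESPONSE, markers).items():
        print(marker, "->", ", ".join(contexts))
    print({k: v for k, v in search_hits(SAMPLE_RESPONSE).items() if v})
```

Against the sample, q reflects twice (once inside an input attribute, once as page text) and user lands inside a script string, which is the distinction the manual crawl is meant to surface before choosing payloads; the search-hit counts show which of the Burp search terms would have fired on the same response.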

ENUMERATION:

  • OPERATING SYSTEM
  • WEB SERVER
  • DATABASE SERVERS
  • PROGRAMMING LANGUAGES
  • PLUGINS/VERSIONS
  • OPEN PORTS
  • USERNAMES
  • SERVICES
  • WEB SPIDERING
  • GOOGLE HACKING

VECTORS:

  • INPUT FORMS
  • GET/POST PARAMS
  • URI/REST STRUCTURE
  • COOKIES
  • HEADERS

SEARCH STRINGS:

Just some helpful regex terms to search for passively using Burp Suite or any other web proxy…

QUICK ATTACK STRINGS:

Not a complete list by any means, but when you’re manually testing and walking through sites and need a quick copy/paste, this can come in handy…

OWASP TESTING CHECKLIST:

  • Spiders, Robots and Crawlers IG-001
  • Search Engine Discovery/Reconnaissance IG-002
  • Identify application entry points IG-003
  • Testing for Web Application Fingerprint IG-004
  • Application Discovery IG-005
  • Analysis of Error Codes IG-006
  • SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) – SSL Weakness CM-001
  • DB Listener Testing – DB Listener weak CM-002
  • Infrastructure Configuration Management Testing – Infrastructure Configuration management weakness CM-003
  • Application Configuration Management Testing – Application Configuration management weakness CM-004
  • Testing for File Extensions Handling – File extensions handling CM-005
  • Old, backup and unreferenced files – Old, backup and unreferenced files CM-006
  • Infrastructure and Application Admin Interfaces – Access to Admin interfaces CM-007
  • Testing for HTTP Methods and XST – HTTP Methods enabled, XST permitted, HTTP Verb CM-008
  • Credentials transport over an encrypted channel – Credentials transport over an encrypted channel AT-001
  • Testing for user enumeration – User enumeration AT-002
  • Testing for Guessable (Dictionary) User Account – Guessable user account AT-003
  • Brute Force Testing – Credentials Brute forcing AT-004
  • Testing for bypassing authentication schema – Bypassing authentication schema AT-005
  • Testing for vulnerable remember password and pwd reset – Vulnerable remember password, weak pwd reset AT-006
  • Testing for Logout and Browser Cache Management – Logout function not properly implemented, browser cache weakness AT-007
  • Testing for CAPTCHA – Weak Captcha implementation AT-008
  • Testing Multiple Factors Authentication – Weak Multiple Factors Authentication AT-009
  • Testing for Race Conditions – Race Conditions vulnerability AT-010
  • Testing for Session Management Schema – Bypassing Session Management Schema, Weak Session Token SM-001
  • Testing for Cookies attributes – Cookies set without the ‘HttpOnly’ or ‘Secure’ flags, or with no validity period SM-002
  • Testing for Session Fixation – Session Fixation SM-003
  • Testing for Exposed Session Variables – Exposed sensitive session variables SM-004
  • Testing for CSRF – CSRF SM-005
  • Testing for Path Traversal – Path Traversal AZ-001
  • Testing for bypassing authorization schema – Bypassing authorization schema AZ-002
  • Testing for Privilege Escalation – Privilege Escalation AZ-003
  • Testing for Business Logic – Bypassable business logic BL-001
  • Testing for Reflected Cross Site Scripting – Reflected XSS DV-001
  • Testing for Stored Cross Site Scripting – Stored XSS DV-002
  • Testing for DOM based Cross Site Scripting – DOM XSS DV-003
  • Testing for Cross Site Flashing – Cross Site Flashing DV-004
  • SQL Injection – SQL Injection DV-005
  • LDAP Injection – LDAP Injection DV-006
  • ORM Injection – ORM Injection DV-007
  • XML Injection – XML Injection DV-008
  • SSI Injection – SSI Injection DV-009
  • XPath Injection – XPath Injection DV-010
  • IMAP/SMTP Injection – IMAP/SMTP Injection DV-011
  • Code Injection – Code Injection DV-012
  • OS Commanding – OS Commanding DV-013
  • Buffer overflow – Buffer overflow DV-014
  • Incubated vulnerability – Incubated vulnerability DV-015
  • Testing for HTTP Splitting/Smuggling – HTTP Splitting, Smuggling DV-016
  • Testing for SQL Wildcard Attacks – SQL Wildcard vulnerability DS-001
  • Locking Customer Accounts – Locking Customer Accounts DS-002
  • Testing for DoS Buffer Overflows – Buffer Overflows DS-003
  • User Specified Object Allocation – User Specified Object Allocation DS-004
  • User Input as a Loop Counter – User Input as a Loop Counter DS-005
  • Writing User Provided Data to Disk – Writing User Provided Data to Disk DS-006
  • Failure to Release Resources – Failure to Release Resources DS-007
  • Storing too Much Data in Session – Storing too Much Data in Session DS-008
  • WS Information Gathering – N.A. WS-001
  • Testing WSDL – WSDL Weakness WS-002
  • XML Structural Testing – Weak XML Structure WS-003
  • XML content-level Testing – XML content-level WS-004
  • HTTP GET parameters/REST Testing – WS HTTP GET parameters/REST WS-005
  • Naughty SOAP attachments – WS Naughty SOAP attachments WS-006
  • Replay Testing – WS Replay Testing WS-007
  • AJAX Vulnerabilities – N.A. AJ-001
  • AJAX Testing – AJAX weakness AJ-002

LOW SEVERITY:

A list of low severity findings that are likely out of scope for most bug bounty programs but still helpful to reference for normal web penetration tests.

  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Vulnerability reports based only on the reported version numbers of web servers, services, or frameworks.
  • Known vulnerable libraries.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Security best practices without accompanying proof-of-concept exploitation.
  • Issues only present in old browsers/old plugins/end-of-life browsers, e.g.
      • IE < 9
      • Chrome < 40
      • Firefox < 35
      • Safari < 7
      • Opera < 13
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on non-sensitive forms or forms available to anonymous users (e.g. the contact form).
  • Logout cross-site request forgery (logout CSRF).
  • Missing CSRF protection on non-sensitive functionality.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality; autocomplete enabled on password fields.
  • Lack of Secure/HttpOnly flags on cookies (in particular on non-sensitive cookies).
  • Insecure cookies: cookie valid after logout, cookie valid after password reset, cookie expiration.
  • Forgot-password autologin and autologin token reuse.
  • Lack of a security speedbump when leaving the site.
  • Weak CAPTCHA / CAPTCHA bypass.
  • Username / email enumeration via login page, forgot-password or password-reset error messages, or via registration.
  • Login or forgot-password page brute force and account lockout not enforced.
  • Lack of password security policy (brute-forceable / weak passwords).
  • Issues related to rate limiting.
  • Denial of service and resource exhaustion attacks, including HTML form abuse.
  • OPTIONS / TRACE HTTP method enabled.
  • Missing HTTP security headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
      • Strict-Transport-Security (not enabled for HTTPS, or weak max-age of one day, 86,400 seconds, or less)
      • X-Frame-Options
      • X-XSS-Protection
      • X-Content-Type-Options (anti-MIME-sniffing header; content sniffing not disabled)
      • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
      • Content-Security-Policy-Report-Only
  • SSL/TLS issues, e.g.
      • SSL attacks such as BEAST, BREACH, renegotiation attack
      • Forward secrecy not enabled
      • Weak / insecure cipher suites
      • Vulnerabilities related to configuration or version
  • HTTP enabled; HTTPS mixed content scripts.
  • api*.netflix.com listens on port 80
  • Session ID or login sent over HTTP.
  • Cross-domain.xml allows all domains.
  • Cross-domain access policy scoped to *.netflix.com
  • HTML5 allowed domains / cross-origin policy.
  • Lack of SPF records (email spoofing).
  • Incorrect charset.
  • Same Site Scripting.
  • Attacks on third-party ad services.
  • Physical testing.
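Several of the items above (banner disclosure, missing Secure/HttpOnly flags, weak or missing HSTS, missing X-Frame-Options / X-Content-Type-Options / CSP, a report-only CSP with nothing enforced, OPTIONS or TRACE advertised) can be read off a single captured response. The checker below is an added Python example, not code from the IntruderPayloads repo; both responses are constructed, and the one-day HSTS threshold is an assumption taken from the "weak HSTS age" item.

```python
"""Flag the header and cookie items from the low-severity list above in a
single raw HTTP response. Added example; not part of the IntruderPayloads
repo. Both responses below are constructed; the one-day HSTS threshold is
assumed from the list's "weak HSTS age" entry."""
import re

CSP_HEADERS = {"content-security-policy", "x-content-security-policy", "x-webkit-csp"}
HSTS_WEAK_MAX_AGE = 86400  # one day, in seconds (assumed threshold)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...], body).
    Headers are kept as a list because Set-Cookie may repeat."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *lines = head.split("\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers, name):
    """All values for a (case-insensitive) header name, in order."""
    return [value for n, value in headers if n == name.lower()]


def low_severity_findings(raw):
    """Return (code, detail) pairs for each low-severity item present."""
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []

    # Banner disclosure: a version number in Server or X-Powered-By
    for name in ("server", "x-powered-by"):
        for value in header_values(headers, name):
            if re.search(r"\d+\.\d+", value):
                findings.append(("banner-disclosure", f"{name}: {value}"))

    # Cookie flags: every Set-Cookie should carry Secure and HttpOnly
    for cookie in header_values(headers, "set-cookie"):
        name_value, *attrs = [part.strip() for part in cookie.split(";")]
        attr_names = {a.split("=")[0].lower() for a in attrs}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attr_names]
        if missing:
            cookie_name = name_value.split("=", 1)[0]
            findings.append(("cookie-missing-flags", f"{cookie_name} lacks {', '.join(missing)}"))

    # HSTS: absent, or max-age at or below one day
    hsts = header_values(headers, "strict-transport-security")
    if not hsts:
        findings.append(("missing-header", "strict-transport-security"))
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age <= HSTS_WEAK_MAX_AGE:
            findings.append(("weak-hsts-max-age", str(max_age)))

    for name in ("x-frame-options", "x-content-type-options"):
        if name not in present:
            findings.append(("missing-header", name))

    # CSP: any of the three header names counts; report-only alone enforces nothing
    if not present & CSP_HEADERS:
        findings.append(("missing-header", "content-security-policy"))
        report_only = header_values(headers, "content-security-policy-report-only")
        if report_only:
            findings.append(("csp-report-only-without-enforced-policy", report_only[0]))

    # Methods advertised in Allow (as returned to an OPTIONS probe)
    for allow in header_values(headers, "allow"):
        methods = {item.strip().upper() for item in allow.split(",")}
        for method in ("OPTIONS", "TRACE"):
            if method in methods:
                findings.append(("method-enabled", method))
    return findings


# Constructed responses: one that trips most of the checks, one that passes them
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.4.29 (Ubuntu)",
    "X-Powered-By: PHP/7.2.24",
    "Set-Cookie: PHPSESSID=3f2a9c1d; Path=/",
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly",
    "Strict-Transport-Security: max-age=3600",
    "Content-Security-Policy-Report-Only: default-src 'self'",
    "Allow: GET, POST, OPTIONS, TRACE",
    "Content-Type: text/html",
    "",
    "<html><body>hello</body></html>",
])
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Set-Cookie: sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Frame-Options: DENY",
    "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'",
    "Allow: GET, POST",
    "Content-Type: text/html",
    "",
    "<html></html>",
])

if __name__ == "__main__":
    for code, detail in low_severity_findings(WEAK_RESPONSE):
        print(f"{code}: {detail}")
    print("hardened:", low_severity_findings(HARDENED_RESPONSE))
```

Paste a response copied from the proxy history into the raw string to triage it; the output is a list of the low-severity items to note in the report rather than findings to chase, which is the point of keeping this list separate from the exploitable issues.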
