Metodología para bug bounties v2 de @jhaddix

Jason Haddix (@jhaddix) es un californiano que durante el 2014 y 2015 fue número 1 de los cazadores de bugs de Bugcrowd y actualmente está liderando la parte de seguridad y confianza de la compañía. Tal bagaje es para tener en cuenta, sobretodo cuando comparte una útil y valiosa metodología para bug bounties.

Su primera versión se basa en la charla de la Defcon 23 "How to shot Web: better hacking in 2015" y recientemente y con motivo de la primera Virtual Hacking Conference de Bugcrowd (LevelUp) ha publicado la segunda versión que, de seguro, será una guía a revisar e incluso un referente para muchos pentesters y “bug hunters”:

https://docs.google.com/presentation/d/1p8QiqbGndcEx1gm4_d3ne2fqeTqCTurTC77Lxe82zLY/edit#slide=id.p

Las secciones, actualizadas la mayoría hace cuatro meses, son las siguientes:

• Philosophy 
• Discovery 
• Mapping 
• Authorization and Sessions 
• Tactical fuzzing
• XSS
• SQLi
• File Inclusion
• CSRF
• Privilege, Transport and Logic 
• Web services 
• Mobile vulnerabilities 
• Auxiliary Information

Las herramientas incluidas en la presentación del Bug Hunters Methodology V2 (recopiladas en https://github.com/DaniLabs):

Discovery

• Sublist3r (Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT). 
• Brutesubs (An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose). 
• Cloudflare_enum (Cloudflare DNS Enumeration Tool for Pentesters). 
• Censys.py (Quick and Dirty script to use the Censys API to query subdomains of a target domain). 
• massdns (A high-performance DNS stub resolver). 
• ListSubs.txt (A list with a lot of subs). 
• EyeWitness (EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible). 
• GoBuster (Directory/file & DNS busting tool written in Go). 
• RobotsDisallowed (The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt). 
• Parameth (This tool can be used to brute discover GET and POST parameters).

Web Content

• GroundControl (A collection of scripts that run on my web server). 
• Sleepy-Puppy (Sleepy Puppy XSS Payload Management Framework). 
• XSSHunter (The XSS Hunter service - a portable version of XSSHunter.com). 
• TPLMap (Code and Server-Side Template Injection Detection and Exploitation Tool). 
• PsychoPATH (Hunting file uploads & LFI in the dark). 
• Commix (Automated All-in-One OS command injection and exploitation tool)

Miscellaneous

• AutoSubTakeover (A tool used to check if a CNAME resolves to the scope adress). 
• HostileSubBruteforcer (This app will bruteforce for exisiting subdomains) 
• Tko-Subs (A tool that can help detect and takeover subdomains with dead DNS records). 
• SandCastle (Python script for AWS S3 bucket enumeration). 
• GitRob (Reconnaissance tool for GitHub organizations). 
• TruffleHog (Searches through git repositories for high entropy strings, digging deep into commit history)

Plugins BurpSuite

• VulnersCom: https://github.com/vulnersCom/burp-vulners-scanner 
• BackSlash-powered-scanner: https://github.com/PortSwigger/backslash-powered-scanner 
• Header Checks: https://github.com/eonlight/BurpExtenderHeaderChecks 
• pyschPATH: https://github.com/ewilded/psychopath 
• HUNT Burp Suite Extension: https://github.com/bugcrowd/HUNT

Fuentes:

• GitHub Jhaddix https://github.com/jhaddix/tbhm 
• Bug Bounty Forum https://bugbountyforum.com/tools/ 
• "The Bug Hunter Methodology V2 by @jhaddix" https://docs.google.com/presentation/d/1p8QiqbGndcEx1gm4_d3ne2fqeTqCTurTC77Lxe82zLY