How I Hack Web Applications (Part 1)


The documentation I use in web penetration testing

Rafin Rahman Chy

4 min read


I have never talked about my web hacking experience, so I decided to write a series on it. Here I will share how I approach web applications from a security perspective. In this first part of the series, I will discuss some guides and standards that catalogue the weaknesses and the steps used to exploit them. So this article is the theoretical starting point of my hacking style.


The Bugs That I Look for

As you guys know, a wide variety of security issues can be found in web applications. Each bug has different variants and techniques, and they fall under specific groups, so a security tester needs a comprehensive list of them. I use several sources to track the vulnerabilities I test for during security assessments; many of the same bugs overlap across these guides. If the resources below are too overwhelming, you can make your own curated checklist from them.

OWASP (https://owasp.org/www-project-web-security-testing-guide/v42/)

MITRE (https://cwe.mitre.org/)

WASC (http://projects.webappsec.org/w/page/13246978/Threat%20Classification)

Bugcrowd’s VRT (https://bugcrowd.com/vulnerability-rating-taxonomy)

HackerOne’s Weakness Types (https://docs.hackerone.com/en/articles/8475337-types-of-weaknesses)

Cobalt’s Vulnerability Wiki (https://www.cobalt.io/vulnerability-wiki)

HackTricks (https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology)

PayloadsAllTheThings (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/)

Tushar Verma’s WAPT Checklist (https://alike-lantern-72d.notion.site/Web-Application-Penetration-Testing-Checklist-4792d95add7d4ffd85dd50a5f50659c6)

AllAboutBugBounty (https://github.com/daffainfo/AllAboutBugBounty)

The Pentest Frameworks I Follow

Penetration testing frameworks are industry standards that help security professionals perform security tests in a structured way. There are several of them.

PTES (http://www.pentest-standard.org/index.php/Main_Page)

ISSAF (https://untrustednetwork.net/files/issaf0.2.1.pdf)

OSSTMM (https://www.isecom.org/OSSTMM.3.pdf)

NIST SP 800-115 (https://csrc.nist.gov/pubs/sp/800/115/final)

Methodologies I Use

A methodology is any guide, checklist, or note that shows how flaws are found and exploited using various tools and techniques. There is no fixed size or format for a methodology, since different people have different ones. Many people keep their methodology secret, while others document it or post it publicly. If you search with keywords like “Bug Bounty Methodology” and “Web Penetration Testing Checklist”, you will find many.

https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md

https://www.redteamsecure.com/services/penetration-testing/web-application-penetration-testing/methodology/

https://docs.google.com/spreadsheets/u/0/d/1TxNrvaIMRS_dmupcwjwJmXtaFk_lPGE1LzgxPu_7KqA/htmlview

https://pentestbook.six2dez.com/

https://owasp.org/www-project-web-security-testing-guide/latest/

https://github.com/OWASP/CheatSheetSeries

http://www.pentest-standard.org/index.php/Main_Page

https://www.amanhardikar.com/mindmaps/webapptest.html

https://www.sans.org/top25-software-errors/

http://projects.webappsec.org/w/page/13246978/Threat%20Classification

https://thehackerish.com/my-bug-bounty-methodology-and-how-i-approach-a-target/

https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html

https://medium.com/@cc1h2e1/bug-bounty-check-list-by-c1-2beb7ae3c116

https://www.excis3.be/bugbounty-checklist/21/

https://gowthams.gitbook.io/bughunter-handbook/

https://gbhackers.com/web-application-penetration-testing-checklist-a-detailed-cheat-sheet/

https://github.com/irsdl/top10webseclist

https://raviramesh.info/mindset.html

https://danielv.com.br/cheatsheets/

https://alike-lantern-72d.notion.site/Web-Application-Penetration-Testing-Checklist-4792d95add7d4ffd85dd50a5f50659c6

https://www.mindmeister.com/1470766611/web-app-pentest

https://www.mindmeister.com/1475822242/bug-hunting

https://www.mindmeister.com/49183531/web-application-security

https://www.mindmeister.com/1349784699/web-application-security

https://github.com/1ndianl33t/Bug-Bounty-Roadmaps

https://github.com/heilla/SecurityTesting

https://workbook.securityboat.in/

https://theaveragenz.com/cracking-the-oswe-certification/

https://blog.p6.is/Web-Security-CheatSheet/

https://mobile.twitter.com/Virdoex_hunter/status/1289185424825491456

https://mobile.twitter.com/KathanP19/status/1481124091268857856

https://chennylmf.medium.com/web-application-penetration-testing-checklist-5fca45f6960d

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/

https://naglinagli.github.io/BugBounty/

https://gowsundar.gitbook.io/book-of-bugbounty-tips/

https://medium.com/@mahendrapurbia19/bug-hunting-methodology-for-beginners-20b56f5e7d19

https://www.hackerone.com/top-ten-vulnerabilities

https://hacklido.com/blog/183-web-app-pentesting-checklist

https://github.com/dsopas/assessment-mindset

https://github.com/iamthefrogy/Web-Application-Pentest-Checklist

https://github.com/riramar/Web-Attack-Cheat-Sheet

https://github.com/attacker-codeninja/AllThingsBugHunting

https://github.com/KathanP19/HowToHunt

https://kathan19.gitbook.io/howtohunt/

https://0xn3va.gitbook.io/cheat-sheets/

https://github.com/daffainfo/AllAboutBugBounty

https://github.com/EdOverflow/bugbounty-cheatsheet

https://danielmiessler.com/projects/webappsec_testing_resources/

https://www.notion.so/Bug-Bounty-notes-1ae08b47f3e84aa8adbe4158bd695316

https://www.xmind.net/m/2QyGbx/

https://cheatsheetseries.owasp.org/

https://www.xmind.net/m/2FwJ7D/

https://www.xmind.net/embed/9UTn/

https://book.hacktricks.xyz/

https://github.com/IamLucif3r/Bug-Hunting

https://mobile.twitter.com/fasthm00/status/1268528699382562823

https://erev0s.com/tools/web-application-assessment-check-list/

https://github.com/imran-parray/Mind-Maps

https://github.com/R-s0n/Bug_Bounty_Notes

https://www.getastra.com/blog/security-audit/web-application-security-testing/

https://www.guru99.com/complete-web-application-testing-checklist.html

https://hackercombat.com/web-application-penetration-testing-checklist/

https://github.com/Voorivex/pentest-guide

https://github.com/The-XSS-Rat/SecurityTesting/blob/master/Checklists/webAppSec.md

https://www.bugcrowd.com/blog/advice-from-a-researcher-how-to-approach-a-target/

https://allabouthack.com/bug-bounty-methodology-how-to-approach-a-target/amp/

https://infosecwriteups.com/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65?gi=597d8b569121

https://infosecsanyam.medium.com/bug-bounty-methodology-ttp-tactics-techniques-and-procedures-v-2-0-2ccd9d7eb2e2

https://aaryanapex.medium.com/bug-bounty-methodology-web-vulnerabilities-checklist-86175dd29987

https://aaryanapex.medium.com/bug-bounty-methodology-bug-hunting-checklist-part-1-3274ad868209

https://aaryanapex.medium.com/bug-bounty-methodology-bug-hunting-checklist-part-2-4e546533245

https://blog.usejournal.com/bug-hunting-methodology-part-1-91295b2d2066

https://github.com/jhaddix/tbhm

https://www.shellinthecity.com/bug-bounty-hunter-methodology/

https://www.notion.so/Web-Application-Penetration-Testing-Checklist-4792d95add7d4ffd85dd50a5f50659c6

http://apps.testinsane.com/mindmaps/uploads/html/INSANE%20Web%20Security%20Testing%20MindMap.html

https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/web-app-hacking/

https://mr-msa.notion.site/mr-msa/Write-ups-Tips-0b10fa38dc64499192dcf8df8ec56da9

https://infosecwriteups.com/bug-hunting-methodology-for-beginners-20b56f5e7d19

https://dev.to/therceman/how-to-start-bug-bounty-hunting-short-intro-1k0e

https://systemweakness.com/how-to-hack-any-website-c08daec978f6

I know the list is too big! Just pick a few that you find unique and are comfortable with. Choose them wisely, since not all of them are appropriate for every engagement. A traditional pen-test has an unlimited scope and the target is still fresh. Then comes bug bounty/responsible disclosure, which is bound to a certain range of scopes and requires more comprehensive testing: surface-level issues have typically already been addressed during the initial security test of the production environment. That’s why crowdsourced pen-testing is challenging and requires creativity, analytical thinking, and research capacity to discover complex vulnerabilities. In a traditional pen-test, you are allowed to run vulnerability scanners to identify and report security issues; bug bounty requires manual inspection and cross-checking of whatever these tools report. In bug bounty, don’t rely blindly on someone else’s methodology, or you may end up with duplicates and burnout, because other people follow it too. Develop your own methodology by studying others, and keep changing it with new discoveries and experiences from your submissions.
