Methodology

For a huge list of things to test check out the OWASP Web Security Testing Guide (WSTG)

The process outlined here does not cover nearly half of what is covered in the WSTG; however, this is a good process to start with. The steps do not need to be performed in the order outlined here; however, I think this is a pretty good flow for me.

Checklist

• Port scan.

• Nmap scripts scan.

  • This may reveal the OS and HTTP server being used.

• Identify the technologies being used.

  • whatweb, webtech, webanalyze, builtwith

  • Any known vulnerabilities in the application stack?

  • Any specialized tools that can be ran against that technology?

    • wpscan, cmsmap, joomscan

• Directory brute forcing

  • gobuster, dirbuster, ffuf

  • Always brute force new directories

  • The quality of your brute force is only as good as the list you use

• Check common file extensions:

  • php, html, asp, aspx, bak, tmp, txt

• Page brute forcing

  • after identifying the extension(s) used, brute force for specific pages in the discovered directories

• Vulnerability scanners

  • nuclei, nikto, Nessus, OpenVAS

• Spider

• Common files

  • robots.txt

  • security.txt

  • sitemap.xml

  • crossdomain.xml

  • clientaccesspolicy.xml

• SSL Certificate

  • Looking for domains, IPs, emails, names

• Identify if there is a web application firewall

  • whatwaf, wafw00f

• Find hidden parameters

  • paramspider

• Brute force parameters

  • Parameters can be in the URL, cookies, body of a post request

  • SQLi

  • Directory Traversal

  • File Inclusion

• Locate entry points that accept user input

  • This is where things can get really complicated as there are a lot of ways user input can be vulnerable.

• Check for PUT and MOVE capability

• Check for WebDav

  • cadaver

• Check for backup files

  • bfac

• Download all JS files

  • subjs, linkfinder

• Look for secrets in the JS files

  • secretfinder

• Analyze JS files for:

  • Relative URLs

  • Endpoints

  • Hard coded credentials

  • Other potential vulnerabilities

  • jshole, JSParser, JSFScan, JSScanner

• Google dorking

• GitHub dorking

  • githound, git-search

    Resources and Other Checklists

    https://six2dez.gitbook.io/pentest-book/others/web-checklist

    https://book.hacktricks.xyz/pentesting/pentesting-web

    https://web.archive.org/web/20200412083010/https://cyberzombie.in/bug-bounty-methodology-techniques-tools-procedures/