Skip to content

Commit

Permalink
Update owasp-whhb.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@xapax
xapax authored Jan 3, 2019
1 parent 9cc8757 commit c1e5ee2
Showing 1 changed file with 11 additions and 9 deletions.
20 changes: 11 additions & 9 deletions owasp-whhb.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ site:target.com filetype:7z OR filetype:bin OR filetype:bzip2 OR
filetype:egg OR filetype:gzip OR filetype:rar OR filetype:zip OR
filetype:iso OR filetype:dat OR filetype:db OR filetype:sql OR
filetype:indd OR filetype:psd OR filetype:asc OR filetype:csv OR
filetype:docx OR filetype:doc OR filetype:epub
Google limit the number of letters in a query so we need to divide it up in several chunks
Expand Down Expand Up @@ -60,7 +59,7 @@ id: 1.3
* [ ] Review comments and other client side code to find hidden content
* [ ] Sample files, known files
- dirb https://www.address.blab -f -l -R -z 10 -o address.blab.txt
* [ ] Use snallygaster to find sensitive files, https://github.com/hannob/snallygaster
* [ ] Run it targeting the IP address directly

## Discover DNS

Expand All @@ -70,12 +69,6 @@ id: 1.3
* [ ] python sublist3r.py -d example.com
* [ ] Zone-transfer test (fierce -dns target.com)

## Discover Default Content

id: 1.4

* [ ] Run Nikto to discover default content
* [ ] Run it targeting the IP address directly

## Enumerate Identifier-Specified Functions

Expand Down Expand Up @@ -117,7 +110,6 @@ POST, GET, WS?

* [ ] Identify the Technologies Used
* [ ] Client side (cookies, scripts, java applets, flash)
* [ ] Code review of every piece of JS received.
* [ ] Server side (server, scripting lang, platform, backend components)
* [ ] Map the Attack Surface
* [ ] Acertain likely internal structure
Expand All @@ -137,6 +129,15 @@ POST, GET, WS?



# Static analysis of JavaScript


* [ ] Increase attack surface by looking for URL:s and domains
* [ ] Sensitive information (Passwords, API keys, Storage etc)
* [ ] Potentially dangerous areas in code(eval, dangerouslySetInnerHTML etc)
* [ ] Components with known vulnerabilities (Outdated frameworks etc)


## Test Transmission of Data Via the Client

* [ ] Locate hidden fields, cookies and URL parameters
Expand Down Expand Up @@ -425,6 +426,7 @@ id: 11.0

----------------------------------------------------------------------------


# Miscellaneous Checks

id: 12.0
Expand Down

0 comments on commit c1e5ee2

Please sign in to comment.