Skip to content

Instantly share code, notes, and snippets.

@0xklaue

0xklaue/bug-bounty-checklist.json

Last active November 18, 2023 16:53
Show Gist options
  • Save 0xklaue/8af488579e4754e5431a8b4016ac463a to your computer and use it in GitHub Desktop.
Save 0xklaue/8af488579e4754e5431a8b4016ac463a to your computer and use it in GitHub Desktop.
Download ZIP
Bug bounty checklist for Swiftness (https://github.com/ehrishirajsharma/SwiftnessX)
Raw
bug-bounty-checklist.json
{
"targets": [],
"libraries": [
{
"folders": [
{
"id": "c43bd29e-8ebb-4a72-8cd4-be26d4b96087",
"title": "Reconnaissance",
"checklist": [
{
"id": "8526c4f2-1fe2-4e88-a09a-265be01770fe",
"title": "Subdomain Discovery",
"content": "<p>Find out subdomains using the following tools:</p><p><br /></p><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span><strong>assetfinder</strong></p><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span><strong>Amass</strong></p><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span>Massdns</p><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span><strong>Aquatone's discover module</strong></p><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span>Project discovery's Chaos</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>Subbrute</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>Altdns</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>Subfinder</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>Shuffledns</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>dnsrecon</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>Knockpy</p>"
},
{
"id": "0fc544a4-2cd1-4133-8b83-638b16206295",
"title": "IP and Port Scanning",
"content": "<p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span>From the list of subdomains obtained, use the same to gather IP and ports on which potential <strong>/admin </strong>functionality is present. Use the following tools:</p><ol><li>NMAP</li><li>Masscan</li></ol><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• </span>Once the services on miscellaneous ports are identified, check exploitation of the same using exploits from Exploit-DB, Searchsploit, etc.</p><p><span class=\"ql-bg-#ffffff\" style=\"color:rgb(66, 66, 66);\">• In some cases, you can find out some known misconfigurations such as default credentials</span></p>"
},
{
"id": "b3a739d0-daed-4e05-8e49-3aaf80490f0d",
"title": "Find out working HTTP / HTTPS&nbsp;",
"content": "<p>Use the following tools:</p><p><br></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Tomnomnom's <strong>httprobe</strong></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Project discovery's <strong>httpx</strong></p>"
},
{
"id": "9c9ce7c0-8e11-486c-9c09-23a3c7520863",
"title": "Take screenshots",
"content": "<p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>aquatone (Golang version)</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>eyewitness</p><p><span style=\"font-family:open-sans;color:rgb(66, 66, 66);\">• </span>gowitness</p>"
},
{
"id": "fe9e5b6e-d54e-4348-a971-123893fc7c78",
"title": "Directories / Files Enumeration",
"content": "<p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Finding directories from <strong>robots.txt</strong></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Finding directories from <strong>sitemap.xml</strong></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Using wordlists and tools such as <strong>dirsearch, ffuf, gobuster</strong></p><p class=\"ql-indent-1\"><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Raft's wordlist</p><p class=\"ql-indent-1\"><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Directory 2.3 Medium</p><p class=\"ql-indent-1\"><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Jason Haddix's wordlist</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Custom wordlist</p>"
},
{
"id": "d28d53aa-99ad-4371-aec3-a18216eba9fc",
"title": "Web server enumeration",
"content": "<p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Use tools such as Nikto to perform basic web server enumeration</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Test for default credentials on certain areas such as default login pages</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Test for virtual hosting misconfigurations</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Test for web server software bugs</p>"
},
{
"id": "7c72800f-a1be-48e1-aee1-68d838a22e8c",
"title": "WAF Enumeration",
"content": "<p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Usage of tools such as <strong>wafwoof</strong></p>"
},
{
"id": "3de5522c-0440-4656-8198-ff502cad499d",
"title": "Finding parameters",
"content": "<p>To find parameters on working HTTP / HTTPS endpoints found, use the following tools:</p><p><br></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>paramspider</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Burp or OWASP ZAP crawler</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>param-miner</p>"
},
{
"id": "a62d93fc-5a77-424f-9cfa-f0cec7ba42dd",
"title": "CMS Identification",
"content": "<p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Fingerprint CMS running using browser extensions such as <strong>Wappalyzer</strong></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>Tools such as <strong>WPScan, Joomscan, Joomlavs, Droopescan </strong>help in finding out vulnerabilities for a specific version of CMS such as WordPress, Joomla, Drupal.</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>For other CMS, such as Kentico, or CMS based on Java / .NET, look for common exploits available on Exploit-DB</p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• </span>To develop your own exploit, review the changes done in CMS on GitHub and drill down the exact endpoint for exploitation</p>"
}
]
},
{
"id": "81bdfa4b-1c3b-4b68-9c17-e4f4feeb2754",
"title": "Testing client - side controls",
"checklist": [
{
"id": "43f87a92-8185-4e04-8c67-9663e0c87304",
"title": "Testing client - side controls",
"content": "<p>To perform testing of client - side controls, the following actions can be taken for the same:</p><p><br></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Testing of data transmission via the client</span></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Testing of client side controls over user input</span></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Testing of thick-client components</span></p>"
}
]
},
{
"id": "937924f4-c3d7-439a-8fbf-fe32e853aa07",
"title": "Testing access controls",
"checklist": [
{
"id": "f8accc67-4f5d-4bb7-a02b-741994ea16ba",
"title": "Testing access controls",
"content": "<p>To test access controls for application in scope:</p><p><br></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Understanding access controls requirements</span></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Testing with multiple accounts to check access control of user A over user B</span></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Testing with limited access to review if functions that can only be accessed using authenticated controls are being accessed or not.</span></p><p><span style=\"font-family: open-sans; color: rgb(66, 66, 66);\">• Testing for insecure access control</span></p>"
}
]
},
{
"id": "34c0b64e-00cb-472f-ab8a-8bde6085a8fe",
"title": "Testing authentication mechanisms",
"checklist": [
{
"id": "7178f101-8be3-4307-a4dc-4221dbe1d29f",
"title": "Understanding the mechanism",
"content": ""
},
{
"id": "995ddf5d-1e5a-40cf-a83d-8e39d6b07e3d",
"title": "Test password quality",
"content": ""
},
{
"id": "9a75239d-cd17-44ca-b6bd-e67c3e666df6",
"title": "Test for username enumeration",
"content": "<ol><li>Forgot password</li><li class=\"ql-indent-1\">Message output</li><li class=\"ql-indent-1\">Timing request</li><li>Signup page</li><li>Change username</li></ol>"
},
{
"id": "452b7f48-ce92-4cde-9502-8c15e1cb6724",
"title": "Testing resilience to password guessing",
"content": ""
},
{
"id": "87e3a80e-c9b5-428a-ac6a-3eef57744114",
"title": "Testing account recovery function",
"content": ""
},
{
"id": "e578b01b-ec34-4f6f-a05b-657a4b985d2f",
"title": "Test remember me function",
"content": ""
},
{
"id": "555bb1fe-574c-48c2-b526-b6abf2242ba1",
"title": "Test impersonation functions",
"content": ""
},
{
"id": "162d1c00-a04a-41fd-a4c3-f76dca252c65",
"title": "Test username uniqueness",
"content": "<p>&nbsp;Test company internal domains</p>"
},
{
"id": "c10c8110-0e57-404b-8ee5-f714d1ffd901",
"title": "Check predictability of auto-generated credentials",
"content": ""
},
{
"id": "12ff2720-ec59-487b-9cdd-fbd436a38078",
"title": "Test unsafe transmission of credentials",
"content": ""
},
{
"id": "cf32d2bb-b12e-4a77-a11e-c40ea86a0061",
"title": "Test logic flaws",
"content": "<ol><li>Identify key attack surface</li><li>Test multistage process</li><li>Test handling of incomplete input</li><li>Test trust boundaries</li><li>Test transaction logic</li></ol>"
},
{
"id": "c049c55f-0b6a-466c-9acb-fa467858278a",
"title": "Exploit any other known vulnerability to bypass authentication",
"content": ""
}
]
},
{
"id": "a18eaa1f-e12c-49be-82d7-73910aa6123c",
"title": "Testing session management mechanism",
"checklist": [
{
"id": "0963f54c-7714-41da-8387-30dbcd1b9839",
"title": "Understand the mechanism",
"content": ""
},
{
"id": "58cbd93f-f7ff-4e8d-9d52-55655734701e",
"title": "Test token for certain meaning",
"content": ""
},
{
"id": "2d1be1f8-dc27-4eac-887d-b8f4df4010ed",
"title": "Test tokens for predictability",
"content": ""
},
{
"id": "e72d87e1-8dc4-46b7-8c38-c577e49c0de7",
"title": "Test insecure transmission of tokens",
"content": ""
},
{
"id": "d3fb3d2a-03c7-487b-b517-b91cabfec00c",
"title": "Test disclosure of tokens in logs",
"content": ""
},
{
"id": "3ad473e5-4dcb-4503-9e14-2fb0e27e803e",
"title": "Test of tokens to session",
"content": ""
},
{
"id": "c21dc6ba-b8cf-416e-920e-8c0595d1f4c1",
"title": "Test session termination",
"content": ""
},
{
"id": "0711d99d-6cab-4474-a69c-fcaf07e538f9",
"title": "Test session fixation",
"content": ""
},
{
"id": "2196b6c2-d7c3-423b-8907-b9e0bd71bbdc",
"title": "Test CSRF",
"content": ""
},
{
"id": "0a4c416f-c433-4327-8363-ed9cac6895a5",
"title": "Test cookie scope",
"content": ""
}
]
},
{
"id": "3c476a32-f847-4b0b-9e04-685df3d1242d",
"title": "Testing input validation",
"checklist": [
{
"id": "31d971c3-bbc1-4e04-86d8-973c65bfa1f2",
"title": "Test for SQL Injection",
"content": "<p><br /></p>"
},
{
"id": "27f71351-cd51-4dc8-bf68-553088855bcb",
"title": "Test for HTML injection",
"content": ""
},
{
"id": "8a70459d-3086-4e76-bde8-73c857d6e038",
"title": "Test for CSS injection",
"content": ""
},
{
"id": "074d785b-9860-460f-92ee-f7e5a65cf923",
"title": "Test for reflected XSS",
"content": ""
},
{
"id": "c3dcb3a4-e1de-4606-acba-06aad60948d1",
"title": "Test for stored XSS",
"content": ""
},
{
"id": "a1d6f615-6c3a-4423-abbd-534d8bc958b9",
"title": "Test for DOM XSS",
"content": ""
},
{
"id": "02d59599-4cb6-4009-bbad-36e808c9b7dc",
"title": "Test for other DOM based issues",
"content": ""
},
{
"id": "afecf711-1604-4c7c-8cfb-cdc32deca95d",
"title": "Test for path traversal",
"content": ""
},
{
"id": "566ac240-c053-4cb2-ad52-b233465485ed",
"title": "Test for script injection",
"content": ""
},
{
"id": "3477e702-5464-437d-ad56-bbc93c52251b",
"title": "Test for file inclusion",
"content": ""
},
{
"id": "b67b40db-7bda-4eb9-b24a-e4e76f747106",
"title": "Test for file upload",
"content": ""
},
{
"id": "b0108c28-2b7c-4020-8f45-1d5950d1bb5d",
"title": "Test for command injection",
"content": ""
},
{
"id": "cf59ae57-af86-405c-a186-26f2f450429b",
"title": "Test for server side request forgery",
"content": ""
},
{
"id": "b30da113-9de0-47bf-a1ee-6fa0f287cd00",
"title": "Test for XML external entity injection",
"content": "<p>Tools to use:</p><p><br></p><ol><li>XXEInjector</li><li>oxml_xxe</li><li>xxe.sh</li><li>xxer</li></ol>"
},
{
"id": "78cb5a2c-b52a-40a5-874e-e2c1a0dad602",
"title": "Test for open redirect",
"content": "<p>Parameters to keep an eye on:</p><p><br></p><ol><li>go</li><li>return</li><li>url</li><li>redirect</li><li>redirect_url</li><li>redirect_uri</li><li>next</li><li>redir</li></ol>"
},
{
"id": "88316bdf-ccd1-4c43-9722-41f04fb9f926",
"title": "Test for CRLF injection",
"content": ""
},
{
"id": "19d1c199-2e64-4700-a20d-dc743349be73",
"title": "Test for HTTP header injection",
"content": ""
},
{
"id": "8229929c-f3b6-4f0d-9fbf-d22b14785b25",
"title": "Test for HTTP response splitting",
"content": ""
},
{
"id": "1abead28-e654-4b12-804a-089f4fd53138",
"title": "Test for web cache poisoning",
"content": ""
},
{
"id": "44bbc76d-c60f-46b0-a6f2-1aa8f42124dc",
"title": "Test for HTTP requests smuggling",
"content": ""
}
]
},
{
"id": "72e5858f-1b2d-4d17-b05b-117a0585d777",
"title": "New Folder",
"checklist": []
}
],
"id": "1f46ca17-9043-4665-9168-d0bbeaef3c1d",
"title": "Bug Bounty Checklist"
}
],
"templates": [],
"payloads": []
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment