bmt 0.1.1 → 0.4.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,452 @@
1
+ {
2
+ "metadata": {
3
+ "title": "iOS",
4
+ "release_date": "2022-01-10T00:00:00+00:00",
5
+ "description": "Bugcrowd iOS testing methodology",
6
+ "vrt_version": "10.0.1"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "architecture_design_and_threat_modelling",
12
+ "title": "Architecture, design and threat modelling",
13
+ "description": "",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "all_app_components_are_identified_and_known_to_be_needed",
18
+ "title": "All app components are identified and known to be needed",
19
+ "description": "",
20
+ "caption": ""
21
+ },
22
+ {
23
+ "key": "security_controls_client_side",
24
+ "title": "Security controls are never enforced only on the client side, but on the respective remote endpoints.",
25
+ "description": "",
26
+ "caption": ""
27
+ },
28
+ {
29
+ "key": "high_level_architecture_for_mobile_app",
30
+ "title": "A high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture.",
31
+ "description": "",
32
+ "caption": ""
33
+ },
34
+ {
35
+ "key": "sensitive_identified_data",
36
+ "title": "Data considered sensitive in the context of the mobile app is clearly identified.",
37
+ "description": "",
38
+ "caption": ""
39
+ },
40
+ {
41
+ "key": "business_and_security_functions",
42
+ "title": "All app components are defined in terms of the business functions and/or security functions they provide.",
43
+ "description": "",
44
+ "caption": ""
45
+ },
46
+ {
47
+ "key": "threat_model_for_mobile_app",
48
+ "title": "A threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures.",
49
+ "description": "",
50
+ "caption": ""
51
+ },
52
+ {
53
+ "key": "security_controls",
54
+ "title": "All security controls have a centralized implementation.",
55
+ "description": "",
56
+ "caption": ""
57
+ },
58
+ {
59
+ "key": "cryptographic_key_policy",
60
+ "title": "There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.",
61
+ "description": "",
62
+ "caption": ""
63
+ },
64
+ {
65
+ "key": "enforce_mobile_app_updates",
66
+ "title": "A mechanism for enforcing updates of the mobile app exists.",
67
+ "description": "",
68
+ "caption": ""
69
+ },
70
+ {
71
+ "key": "address_security",
72
+ "title": "Security is addressed within all parts of the software development lifecycle.",
73
+ "description": "",
74
+ "caption": ""
75
+ }
76
+ ]
77
+ },
78
+ {
79
+ "key": "data_storage_and_privacy",
80
+ "title": "Data Storage and Privacy",
81
+ "description": "",
82
+ "type": "checklist",
83
+ "items": [
84
+ {
85
+ "key": "system_creentials_storage_facilities",
86
+ "title": "System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.",
87
+ "description": "",
88
+ "caption": ""
89
+ },
90
+ {
91
+ "key": "sensitive_data_storage",
92
+ "title": "No sensitive data should be stored outside of the app container or system credential storage facilities.",
93
+ "description": "",
94
+ "caption": ""
95
+ },
96
+ {
97
+ "key": "sensitive_data_in_logs",
98
+ "title": "No sensitive data is written to application logs.",
99
+ "description": "",
100
+ "caption": ""
101
+ },
102
+ {
103
+ "key": "sensitive_data_sharing_with_third_party",
104
+ "title": "No sensitive data is shared with third parties unless it is a necessary part of the architecture.",
105
+ "description": "",
106
+ "caption": ""
107
+ },
108
+ {
109
+ "key": "keyboard_cache_disabling",
110
+ "title": "The keyboard cache is disabled on text inputs that process sensitive data.",
111
+ "description": "",
112
+ "caption": ""
113
+ },
114
+ {
115
+ "key": "sensitive_data_ipc_mechanism",
116
+ "title": "No sensitive data is exposed via IPC mechanisms.",
117
+ "description": "",
118
+ "caption": ""
119
+ },
120
+ {
121
+ "key": "sensitive_data_exposure_via_ui",
122
+ "title": "No sensitive data, such as passwords or pins, is exposed through the user interface.",
123
+ "description": "",
124
+ "caption": ""
125
+ },
126
+ {
127
+ "key": "sensitive_data_exposure_via_backup",
128
+ "title": "No sensitive data is included in backups generated by the mobile operating system.",
129
+ "description": "",
130
+ "caption": ""
131
+ },
132
+ {
133
+ "key": "sensitive_data_removal_on_backgrounded",
134
+ "title": "The app removes sensitive data from views when backgrounded.",
135
+ "description": "",
136
+ "caption": ""
137
+ },
138
+ {
139
+ "key": "sensitive_data_holding_in_memory",
140
+ "title": "The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.",
141
+ "description": "",
142
+ "caption": ""
143
+ },
144
+ {
145
+ "key": "minimum_device_access_security_policy",
146
+ "title": "The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.",
147
+ "description": "",
148
+ "caption": ""
149
+ },
150
+ {
151
+ "key": "personal_identifiable_information_identification",
152
+ "title": "The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.",
153
+ "description": "",
154
+ "caption": ""
155
+ }
156
+ ]
157
+ },
158
+ {
159
+ "key": "cryptography",
160
+ "title": "Cryptography",
161
+ "description": "",
162
+ "type": "checklist",
163
+ "items": [
164
+ {
165
+ "key": "symmetric_cryptography_with_hardcoded_keys",
166
+ "title": "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.",
167
+ "description": "",
168
+ "caption": ""
169
+ },
170
+ {
171
+ "key": "proven_cryptographic_primitives",
172
+ "title": "The app uses proven implementations of cryptographic primitives.",
173
+ "description": "",
174
+ "caption": ""
175
+ },
176
+ {
177
+ "key": "cryptographic_primitive_for_particular_use_case",
178
+ "title": "The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.",
179
+ "description": "",
180
+ "caption": ""
181
+ },
182
+ {
183
+ "key": "depricated_cryptography_protocols",
184
+ "title": "The app does not use cryptographic protocols or algorithms that are widely considered depreciated for security purposes.",
185
+ "description": "",
186
+ "caption": ""
187
+ },
188
+ {
189
+ "key": "reuse_same_cryptographic_key",
190
+ "title": "The app doesnt re-use the same cryptographic key for multiple purposes.",
191
+ "description": "",
192
+ "caption": ""
193
+ },
194
+ {
195
+ "key": "secure_random_number_generator",
196
+ "title": "All random values are generated using a sufficiently secure random number generator.",
197
+ "description": "",
198
+ "caption": ""
199
+ }
200
+ ]
201
+ },
202
+ {
203
+ "key": "authentication_and_session_management",
204
+ "title": "Authentication and Session Management",
205
+ "description": "",
206
+ "type": "checklist",
207
+ "items": [
208
+ {
209
+ "key": "remote_service_authentication",
210
+ "title": "If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.",
211
+ "description": "",
212
+ "caption": ""
213
+ },
214
+ {
215
+ "key": "stateful_session_management_authentication",
216
+ "title": "If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the users credentials.",
217
+ "description": "",
218
+ "caption": ""
219
+ },
220
+ {
221
+ "key": "stateless_token_based_management_authentication",
222
+ "title": "If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.",
223
+ "description": "",
224
+ "caption": ""
225
+ },
226
+ {
227
+ "key": "remote_endpoint_terminate",
228
+ "title": "The remote endpoint terminates the existing session when the user logs out.",
229
+ "description": "",
230
+ "caption": ""
231
+ },
232
+ {
233
+ "key": "password_policy_exists",
234
+ "title": "A password policy exists and is enforced at the remote endpoint.",
235
+ "description": "",
236
+ "caption": ""
237
+ },
238
+ {
239
+ "key": "remote_endpoint_implementation_mechanism",
240
+ "title": "The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.",
241
+ "description": "",
242
+ "caption": ""
243
+ },
244
+ {
245
+ "key": "session_invalidated_at_remote_endpoint",
246
+ "title": "Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.",
247
+ "description": "",
248
+ "caption": ""
249
+ },
250
+ {
251
+ "key": "biometric_authentication",
252
+ "title": "Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns true or false). Instead, it is based on unlocking the keychain/keystore.",
253
+ "description": "",
254
+ "caption": ""
255
+ },
256
+ {
257
+ "key": "second_factor_authentication",
258
+ "title": "A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.",
259
+ "description": "",
260
+ "caption": ""
261
+ },
262
+ {
263
+ "key": "sensitive_transaction_setup_authentication",
264
+ "title": "Sensitive transactions require step-up authentication.",
265
+ "description": "",
266
+ "caption": ""
267
+ },
268
+ {
269
+ "key": "inform_user_login_activities",
270
+ "title": "The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.",
271
+ "description": "",
272
+ "caption": ""
273
+ }
274
+ ]
275
+ },
276
+ {
277
+ "key": "network_communication",
278
+ "title": "Network Communication",
279
+ "description": "",
280
+ "type": "checklist",
281
+ "items": [
282
+ {
283
+ "key": "data_encryption_on_network",
284
+ "title": "Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.",
285
+ "description": "",
286
+ "caption": ""
287
+ },
288
+ {
289
+ "key": "tls_settings_best_practices",
290
+ "title": "The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.",
291
+ "description": "",
292
+ "caption": ""
293
+ },
294
+ {
295
+ "key": "remote_endpoint_certificate",
296
+ "title": "The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.",
297
+ "description": "",
298
+ "caption": ""
299
+ },
300
+ {
301
+ "key": "app_certification",
302
+ "title": "The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.",
303
+ "description": "",
304
+ "caption": ""
305
+ },
306
+ {
307
+ "key": "insecure_communication_channel",
308
+ "title": "The app doesnt rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.",
309
+ "description": "",
310
+ "caption": ""
311
+ },
312
+ {
313
+ "key": "app_dependency_on_connectivity_and_library",
314
+ "title": "The app only depends on up-to-date connectivity and security libraries.",
315
+ "description": "",
316
+ "caption": ""
317
+ }
318
+ ]
319
+ },
320
+ {
321
+ "key": "platform_interaction",
322
+ "title": "Platform Interaction",
323
+ "description": "",
324
+ "type": "checklist",
325
+ "items": [
326
+ {
327
+ "key": "minimum_set_of_permission",
328
+ "title": "The app only requests the minimum set of permissions necessary.",
329
+ "description": "",
330
+ "caption": ""
331
+ },
332
+ {
333
+ "key": "external_source_input_validation",
334
+ "title": "The app only requests the minimum set of permissions necessary.",
335
+ "description": "",
336
+ "caption": ""
337
+ },
338
+ {
339
+ "key": "sensitive_functionality_via_url_schemes",
340
+ "title": "The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.",
341
+ "description": "",
342
+ "caption": ""
343
+ },
344
+ {
345
+ "key": "export_sensitive_functionality_through_ipc",
346
+ "title": "The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.",
347
+ "description": "",
348
+ "caption": ""
349
+ },
350
+ {
351
+ "key": "javascript_disabled",
352
+ "title": "JavaScript is disabled in WebViews unless explicitly required.",
353
+ "description": "",
354
+ "caption": ""
355
+ },
356
+ {
357
+ "key": "webview_minimum_set_of_protocol_handlers",
358
+ "title": "WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.",
359
+ "description": "",
360
+ "caption": ""
361
+ },
362
+ {
363
+ "key": "webview_within_app_javascript_render",
364
+ "title": "If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.",
365
+ "description": "",
366
+ "caption": ""
367
+ },
368
+ {
369
+ "key": "object_deserialization",
370
+ "title": "Object deserialization, if any, is implemented using safe serialization APIs.",
371
+ "description": "",
372
+ "caption": ""
373
+ }
374
+ ]
375
+ },
376
+ {
377
+ "key": "code_quality_and_build_settings",
378
+ "title": "Code Quality and Build Settings",
379
+ "description": "",
380
+ "type": "checklist",
381
+ "items": [
382
+ {
383
+ "key": "valid_certificate_sign",
384
+ "title": "The app is signed and provisioned with a valid certificate, of which the private key is properly protected.",
385
+ "description": "",
386
+ "caption": ""
387
+ },
388
+ {
389
+ "key": "built_in_release_mode",
390
+ "title": "The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).",
391
+ "description": "",
392
+ "caption": ""
393
+ },
394
+ {
395
+ "key": "debugging_symbol",
396
+ "title": "Debugging symbols have been removed from native binaries.",
397
+ "description": "",
398
+ "caption": ""
399
+ },
400
+ {
401
+ "key": "debugging_and_verbose_errors",
402
+ "title": "Debugging code has been removed, and the app does not log verbose errors or debugging messages.",
403
+ "description": "",
404
+ "caption": ""
405
+ },
406
+ {
407
+ "key": "third_party_vulnerability_check",
408
+ "title": "All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.",
409
+ "description": "",
410
+ "caption": ""
411
+ },
412
+ {
413
+ "key": "exception_handling",
414
+ "title": "The app catches and handles possible exceptions.",
415
+ "description": "",
416
+ "caption": ""
417
+ },
418
+ {
419
+ "key": "security_controls_error_handling",
420
+ "title": "Error handling logic in security controls denies access by default",
421
+ "description": "",
422
+ "caption": ""
423
+ },
424
+ {
425
+ "key": "memory_allocation",
426
+ "title": "In unmanaged code, memory is allocated, freed and used securely.",
427
+ "description": "",
428
+ "caption": ""
429
+ },
430
+ {
431
+ "key": "free_security_features_offered_by_toolchain",
432
+ "title": "Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.",
433
+ "description": "",
434
+ "caption": ""
435
+ }
436
+ ]
437
+ },
438
+ {
439
+ "key": "upload_logs",
440
+ "title": "Upload logs",
441
+ "description": "This should include all associated traffic associated to the in-scope targets.",
442
+ "type": "large_upload"
443
+ },
444
+ {
445
+ "key": "executive_summary",
446
+ "title": "Executive summary",
447
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
448
+ "type": "executive_summary"
449
+ }
450
+ ]
451
+ }
452
+ }
@@ -0,0 +1,207 @@
1
+ {
2
+ "metadata": {
3
+ "title": "Network",
4
+ "release_date": "2022-01-10T00:00:00+00:00",
5
+ "description": "Bugcrowd network testing methodology",
6
+ "vrt_version": "10.0.1"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "information",
12
+ "title": "Information Gathering / Recon",
13
+ "description": "",
14
+ "type": "checklist",
15
+ "caption": "Please include any valuable pieces of information found; and the source of said information",
16
+ "items": [
17
+ {
18
+ "key": "credentials_leaked",
19
+ "title": "Credentials or keys leaked on Github, Pastebin, etc.",
20
+ "caption": "",
21
+ "description": ""
22
+ },
23
+ {
24
+ "key": "leaked_as_part_of_past_breaches",
25
+ "title": "Usernames, emails, passwords, and other information leaked as part of past breaches.",
26
+ "caption": "",
27
+ "description": ""
28
+ },
29
+ {
30
+ "key": "internal_subdomain",
31
+ "title": "Internal subdomains, known software, etc.",
32
+ "caption": "",
33
+ "description": ""
34
+ },
35
+ {
36
+ "key": "zone_transfer_in_scope_ip",
37
+ "title": "Check for the ability to perform a zone transfer on the in-scope IP addresses",
38
+ "caption": "",
39
+ "description": ""
40
+ }
41
+ ]
42
+ },
43
+ {
44
+ "key": "scanning",
45
+ "title": "Scanning",
46
+ "description": "",
47
+ "type": "checklist",
48
+ "caption": "Please include your full nmap scan output + banner information in a single file. Similarly, include all other tooling outputs.",
49
+ "items": [
50
+ {
51
+ "key": "scan_in_scope_targets",
52
+ "title": "Fully scan the range of in-scope targets (all 65,535 TCP and UDP ports).",
53
+ "caption": "",
54
+ "description": ""
55
+ },
56
+ {
57
+ "key": "ensure_host_scan",
58
+ "title": "Ensure that hosts are still scanned, even if they are not responsive to a ping sweep.",
59
+ "caption": "",
60
+ "description": ""
61
+ },
62
+ {
63
+ "key": "in_scope_services_and_version_numbers",
64
+ "title": "Enumerate and document all in-scope services and version numbers.",
65
+ "caption": "",
66
+ "description": ""
67
+ },
68
+ {
69
+ "key": "document_services_that_communicate_insecurely",
70
+ "title": "Document services that communicate insecurely (e.g. telnet, http).",
71
+ "caption": "",
72
+ "description": ""
73
+ },
74
+ {
75
+ "key": "subdomain_takeovers",
76
+ "title": "Document any services with misconfigured DNS records allowing for subdomain takeovers.",
77
+ "caption": "",
78
+ "description": ""
79
+ },
80
+ {
81
+ "key": "leverage_available_services",
82
+ "title": "Review results and leverage any available services to obtain more information around the targets or users. Examples are RPC, SMB, SMTP, SNMP, etc.",
83
+ "caption": "",
84
+ "description": ""
85
+ }
86
+ ]
87
+ },
88
+ {
89
+ "key": "exploitation",
90
+ "title": "Exploitation",
91
+ "description": "",
92
+ "type": "checklist",
93
+ "caption": "Include any screenshots as proof of successful exploitation. For unsuccessful attacks, please document the commands/tools executed.",
94
+ "items": [
95
+ {
96
+ "key": "lack_of_auth",
97
+ "title": "Check for lack of auth or default creds to any available services. e.g. auth portals, anonymous FTP, SSH, RDP, mail relays, etc.",
98
+ "caption": "",
99
+ "description": ""
100
+ },
101
+ {
102
+ "key": "service_bypass",
103
+ "title": "Check for any auth bypasses on any available services.",
104
+ "caption": "",
105
+ "description": ""
106
+ },
107
+ {
108
+ "key": "cross_reference_software_version",
109
+ "title": "Cross reference software version numbers against known vulnerable versions or exploits (exploit db, CVEs, etc. often facilitated by the use of nessus/nikto/openvas/etc).",
110
+ "caption": "",
111
+ "description": ""
112
+ },
113
+ {
114
+ "key": "attempt_to_exploit_known_vulnerabilities",
115
+ "title": "Configure and attempt to exploit any known vulnerabilities (existing scripts with custom shellcode, metasploit modules, etc).",
116
+ "caption": "",
117
+ "description": ""
118
+ },
119
+ {
120
+ "key": "presence_of_sensitive_information_publicly",
121
+ "title": "Check for the presence of sensitive information that is publicly available on any service (e.g. documents available via anonymous FTP).",
122
+ "caption": "",
123
+ "description": ""
124
+ },
125
+ {
126
+ "key": "server_side_vulnerability_auth_bypass",
127
+ "title": "Test any available webservers for server-side vulnerabilities including Auth bypasses",
128
+ "caption": "",
129
+ "description": ""
130
+ },
131
+ {
132
+ "key": "server_side_vulnerability_default_credentials",
133
+ "title": "Test any available webservers for server-side vulnerabilities including Default credentials",
134
+ "caption": "",
135
+ "description": ""
136
+ },
137
+ {
138
+ "key": "server_side_vulnerability_known_exploits",
139
+ "title": "Test any available webservers for server-side vulnerabilities including Known exploits based on running vulnerable software",
140
+ "caption": "",
141
+ "description": ""
142
+ },
143
+ {
144
+ "key": "server_side_vulnerability_sql_injection",
145
+ "title": "Test any available webservers for server-side vulnerabilities including SQL Injection (SQLi)",
146
+ "caption": "",
147
+ "description": ""
148
+ },
149
+ {
150
+ "key": "server_side_rce",
151
+ "title": "Test any available webservers for server-side vulnerabilities including Remote Code Execution (RCE)",
152
+ "caption": "",
153
+ "description": ""
154
+ },
155
+ {
156
+ "key": "server_side_xxe",
157
+ "title": "Test any available webservers for server-side vulnerabilities including XML Entity Injection (XXE)",
158
+ "caption": "",
159
+ "description": ""
160
+ },
161
+ {
162
+ "key": "server_side_ssrf",
163
+ "title": "Test any available webservers for server-side vulnerabilities including Server Side Request Forgery (SSRF)",
164
+ "caption": "",
165
+ "description": ""
166
+ },
167
+ {
168
+ "key": "server_side_lfi_afi",
169
+ "title": "Test any available webservers for server-side vulnerabilities including Local/Arbitrary File Inclusion (LFI/AFI)",
170
+ "caption": "",
171
+ "description": ""
172
+ },
173
+ {
174
+ "key": "server_side_hidden_directory_pages",
175
+ "title": "Test any available webservers for server-side vulnerabilities including Hidden directories or pages with sensitive information",
176
+ "caption": "",
177
+ "description": ""
178
+ },
179
+ {
180
+ "key": "basic_web_app_scanner",
181
+ "title": "Run a basic web application scanner over the app, and report any valid issues. (nikto, burp, zap, et al)",
182
+ "caption": "",
183
+ "description": ""
184
+ },
185
+ {
186
+ "key": "attempt_bruteforcing",
187
+ "title": "Attempt moderate, informed/educated brute-forcing on available services - based on information gathered earlier in the assessment.",
188
+ "caption": "",
189
+ "description": ""
190
+ }
191
+ ]
192
+ },
193
+ {
194
+ "key": "upload_logs",
195
+ "title": "Upload logs",
196
+ "description": "This should include all associated traffic associated to the in-scope targets.",
197
+ "type": "large_upload"
198
+ },
199
+ {
200
+ "key": "executive_summary",
201
+ "title": "Executive summary",
202
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
203
+ "type": "executive_summary"
204
+ }
205
+ ]
206
+ }
207
+ }