bmt 0.7.0 → 0.8.0

data/lib/data/0.1/methodologies/api_testing.json

@@ -1,7 +1,7 @@
 {
   "metadata": {
     "title": "API Testing",
-    "release_date": "2023-03-31T00:00:00+00:00",
+    "release_date": "2025-04-29T00:00:00+00:00",
     "description": "Bugcrowd api methodology testing",
     "vrt_version": "10.0.1"
   },
@@ -20,9 +20,9 @@
             "caption": ""
           },
           {
-            "key": "check_wsdl_files",
-            "title": "Check for .wsdl files",
-            "description": "Check for web service description language (.wsdl) files for SOAP APIs.",
+            "key": "check_api_schema_files",
+            "title": "Check for .wsdl, .wadl, and swagger files",
+            "description": "Check for web service description language (.wsdl/.wadl) and swagger files for SOAP/REST APIs.",
             "tools": "Burp Proxy, FFUF, WFuzz, Gobuster",
             "caption": ""
           },
@@ -30,14 +30,21 @@
             "key": "check_graphql_introspection",
             "title": "Check for GraphQL Introspection",
             "description": "Check for enabled Introspection using GraphQL query.",
-            "tools": "Burp Proxy + GraphQL Raider (BAPP)",
+            "tools": "Burp Proxy + GraphQL Raider (BAPP), InQL (BurpSuite extension)",
+            "caption": ""
+          },
+          {
+            "key": "check_graphql_field_suggestions",
+            "title": "Check for GraphQL Field Suggestions",
+            "description": "Check for GraphQL Field Suggestions if Introspection Disabled.",
+            "tools": "Clairvoyance",
             "caption": ""
           },
           {
             "key": "search_leaked_api_keys",
             "title": "Search for leaked API Keys",
             "description": "Black box only - Search for leaked online API keys on Github, Gitlab etc.",
-            "tools": "TruffleHog",
+            "tools": "TruffleHog, Gitleaks",
             "caption": ""
           },
           {
@@ -52,7 +59,7 @@
             "key": "webserver_metafiles",
             "title": "Review Webserver Metafiles for Information Leakage",
             "caption": "OTG-INFO-003, WAHHM - Recon and Analysis",
-            "description": "Analyze robots.txt and identify <META> Tags from website.",
+            "description": "Analyze robots.txt, .env, .git, metrics and identify <META> Tags from website.",
             "tools": "Browser, curl, wget"
           },
           {
@@ -238,6 +245,13 @@
             "caption": "OTG-AUTHN-010, WAHHM - Test Handling of Access",
             "description": "Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO)",
             "tools": "Browser"
+          },
+          {
+            "key": "jwt_misconfigurations",
+            "title": "Testing for misconfigured JWT (Json Web Token)",
+            "caption": "OWASP API Security Top 10 - 2023",
+            "description": "Identify JWT flaws like allowing the None algorithm, algorithm confusion, weak secret keys, missing signature validation, etc.",
+            "tools": "jwt_tool"
           }
         ]
       },
@@ -279,14 +293,6 @@
             "tools": "Burp Proxy, curl, swagger-ui, mitmproxy, Hackverter",
             "vrt_category": "broken_access_control"
           },
-          {
-            "key": "directory_traversal_and_file_include",
-            "title": "Testing Directory traversal/file include",
-            "caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
-            "description": "dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion.",
-            "tools": "Burp Proxy, ZAP, Wfuzz",
-            "vrt_category": "server_side_injection"
-          },
           {
             "key": "privilege_escalation",
             "title": "Testing for Privilege Escalation",
@@ -438,7 +444,7 @@
             "key": "nosql_injection",
             "title": "Testing for NoSQL injection",
             "caption": "",
-            "description": "dentify NoSQL databases, Pass special characters (' \" \\ ; { } ), Attack with reserved variable name, operator.",
+            "description": "Identify NoSQL databases, Pass special characters (' \" \\ ; { } ), and attack with reserved variable names and operators.",
             "tools": "NoSQLMap"
           },
           {
@@ -511,6 +517,30 @@
             "description": "Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server.\n%3Bcat%20/etc/passwd\ntest.pdf+|+Dir C:\\ ",
             "tools": "Burp Proxy, ZAP, Commix",
             "vrt_category": "server_side_injection"
+          },
+          {
+            "key": "ssrf",
+            "title": "Testing for Server-Side Request Forgery",
+            "caption": "OWASP API Security Top 10 - 2023",
+            "description": "Test whether the API allows sending arbitrary or internal requests to unauthorized systems.\nUse crafted URLs to target internal IP ranges, cloud metadata endpoint (e.g., http://169.254.169.254/)",
+            "tools": "Burp Collaborator, SSRFmap",
+            "vrt_category": "server_security_misconfiguration"
+          },
+          {
+            "key": "graphql_misconfigurations",
+            "title": "Testing for GraphQL Misconfigurations",
+            "caption": "WSTG - v4.2",
+            "description": "Test GraphQL endpoint for batched abuse and alias overloading, and recursion depth limits, etc.",
+            "tools": "GraphQL Raider, BurpSuite",
+            "vrt_category": "server_security_misconfiguration"
+          },
+          {
+            "key": "directory_traversal_and_file_include",
+            "title": "Testing Directory traversal/file include",
+            "caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
+            "description": "dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion.",
+            "tools": "Burp Proxy, ZAP, Wfuzz",
+            "vrt_category": "server_side_injection"
           }
         ]
       },
@@ -572,7 +602,7 @@
             "key": "data_validation",
             "title": "Test Business Logic Data Validation",
             "caption": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
-            "description": "Looking for data entry points or hand off points between systems or software.\nOnce found try to insert logically invalid data into the application/system.",
+            "description": "Identify data entry points or hand off points between systems or software.\nOnce identified, insert logically invalid data into the application/system.",
             "tools": "Burp Proxy, ZAP",
             "vrt_category": "broken_access_control"
           },
@@ -580,7 +610,7 @@
             "key": "forge_requests",
             "title": "Test Ability to Forge Requests",
             "caption": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
-            "description": "Looking for guessable, predictable or hidden functionality of fields.\nOnce found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.",
+            "description": "Identify guessable, predictable or hidden functionality of fields.\nOnce found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.",
             "tools": "Burp Proxy, ZAP",
             "vrt_category": "server_side_injection"
           },
@@ -588,7 +618,7 @@
             "key": "integrity_check",
             "title": "Test Integrity Checks",
             "caption": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
-            "description": "Looking for parts of the application/system (components i.e. For example, input fields, databases or logs) that move, store or handle data/information.\nFor each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.\nAttempt to insert, update or edit delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that .should not be allowed per the business logic workflow.",
+            "description": "Identify parts of the application/system (components, for example, input fields, databases or logs) that move, store or handle data/information.\nFor each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.\nAttempt to insert, update or delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that should not be allowed per the business logic workflow.",
             "tools": "Burp Proxy, ZAP",
             "vrt_category": "broken_access_control"
           },
@@ -596,7 +626,7 @@
             "key": "process_timing",
             "title": "Test for Process Timing",
             "caption": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
-            "description": "Looking for application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.\nDevelop and execute the mis-use cases ensuring that attackers cannot gain an advantage based on any timing.",
+            "description": "Identify application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.\nDevelop and execute the mis-use cases ensuring that attackers cannot gain an advantage based on any timing.",
             "tools": "Burp Proxy, ZAP",
             "vrt_category": "server_side_injection"
           },
@@ -604,7 +634,7 @@
             "key": "usage_limits",
             "title": "Test Number of Times a Function Can be Used Limits",
             "caption": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
-            "description": "Looking for functions or features in the application or system that should not be executed more than a single time or specified number of times during the business logic workflow.\nFor each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times.",
+            "description": "Identify functions or features in the application or system that should not be executed more than a single time or specified number of times during the business logic workflow.\nFor each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times.",
             "tools": "Burp Proxy, ZAP",
             "vrt_category": "broken_access_control"
           },
@@ -612,7 +642,7 @@
             "key": "workflow_circumvention",
             "title": "Testing for the Circumvention of Work Flows",
             "caption": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
-            "description": "Looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.\nFor each method develop a misuse case and try to circumvent or perform an action that is 'not acceptable' per the business logic workflow.",
+            "description": "Identify methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.\nFor each method develop a misuse case and try to circumvent or perform an action that is 'not acceptable' per the business logic workflow.",
             "tools": "Burp Proxy, ZAP",
             "vrt_category": "broken_access_control"
           },
@@ -655,5 +685,3 @@
     ]
   }
 }
-
-

data/lib/data/0.1/methodologies/hardware_testing.json

@@ -0,0 +1,216 @@
+{
+  "metadata": {
+    "title": "Hardware",
+    "release_date": "2025-08-29T00:00:00+00:00",
+    "description": "Bugcrowd Hardware Testing Methodology",
+    "vrt_version": "1.17"
+  },
+  "content": {
+    "steps": [
+       {
+        "key": "passive_recon",
+        "title": "Passive Recon",
+        "description": "Information gathering before turning off or opening the device",
+        "type": "checklist",
+        "items": [
+          { 
+            "key": "open_source_intelligence",
+            "title": "Open Source Intelligence",
+            "caption": "",
+            "description": "Gathering information using search engines to find publicly available information about the device",
+            "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechina.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components",
+            "vrt_category": "sensitive_data_exposure"
+          },
+          {
+            "key": "network_scanning",
+            "title": "Network Scanning",
+            "caption": "",
+            "description": "Scan the network for devices to find the one being tested, identify wireless protocols in use",
+            "tools": "NMAP, Wireshark, tcpdump"
+          },
+          {
+            "key": "rf_scanning",
+            "title": "Radio Frequency Scanning",
+            "caption": "",
+            "description": "Identify any radio communications, frequencies, modulation the device might be using, identify wireless protocols in use",
+            "tools": "HackRF, LimeSDR, BladeRF, Universal Radio Hacker (URH), other various rf sniffers",
+            "type": "checklist",
+            "items": [
+                {
+                  "key": "bluetooth_ble",
+                  "title": "Bluetooth and BLE",
+                  "caption": "",
+                  "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sensitive information being transmitted in plaintext",
+                  "tools": "Flipper, Ubertooth, Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), btmon (linux), Bluetooth Virtual Sniffer (Windows)"
+                },
+                {
+                  "key": "zigbee_lora",
+                  "title": "ZigBee and LoRa",
+                  "caption": "",
+                  "description": "For ZigBee and LoRa devices, try to sniff the communication, capture the encryption key exchange (during active recon see if it's hardcoded on the device), check if the communication can be decrypted, and determine if replay attacks are possible. For LoRa, also check for LoRaWAN-specific vulnerabilities, such as weak join procedures, unencrypted payloads, and improper key management.",
+                  "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software, Semtech LoRaWAN sniffer, TTN Packet Forwarder, SDR tools supporting LoRa (HackRF, LimeSDR, BladeRF), Universal Radio Hacker (URH)"
+                },
+                {
+                  "key": "near_field_communication",
+                  "title": "NFC Testing",
+                  "caption": "",
+                  "description": "For card readers like access control locks and credit cards, can also be used in mobile testing. Try to read the information on the card, is it encrypted, can it be decrypted, can you forge a request, does the reader allow you to write to it so it will accept forged messages",
+                  "tools": "Flipper (base model is limited, additional hardware can be installed), Proxmark"
+                }
+              ] 
+          }
+        ]
+        },
+        {
+          "key": "active_recon",
+          "title": "Active Recon - Opening up the Device Under Test",
+          "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG). Use tools like screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, multimeter, XRAY, probes, oscilloscope, magnifying glass, and logic analyzer.",
+          "type": "checklist",
+          "items": [
+            {
+              "key": "visual_component_identification",
+              "title": "Visual Component Identification",
+              "caption": "",
+              "description": "Using a magnifying glass identify the various components on the PCB in the device, determine what they do and how they connect together, look up datasheets for important components online and read through them",
+              "tools": "magnifying glass, Search Engines"
+            },
+            {
+              "key": "measure_voltage_resistance_continuity",
+              "title": "Measuring Voltage, Resistance, and Continuity",
+              "caption": "",
+              "description": "Using a multimeter identify GND, Vcc, N/C, Pull-Up resistors to help map out the board, verify the different pins identified in the datasheets, and enumerate debug ports",
+              "tools": "multimeter"
+            },
+            {
+              "key": "id_debug_ports",
+              "title": "ID Debug Ports",
+              "caption": "",
+              "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
+              "tools": "multimeter, logic analyzer, oscilloscope, soldering iron"
+            }
+          ]
+        },
+        {
+          "key": "firmware",
+          "title": "Accessing and Analysing Firmware",
+          "description": "Using info gathered during active and passive recon access and reverse engineer the firmware for the device.",
+          "type": "checklist",
+          "items": [
+            {
+              "key": "dump_download_firmware",
+              "title": "Dump or Download Firmware for Analysis",
+              "caption": "",
+              "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
+              "tools": "desoldering station, JTAGulator, Minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
+            },
+            {
+              "key":"firmware_analysis",
+              "title":"Firmware Analysis",
+              "caption": "",
+              "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
+              "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
+            }
+          ]
+        },
+        {
+          "key":"testing_device",
+          "title":"Testing the Device",
+          "description":"Using all of the information gathered start testing the device for security vulnerabilities.",
+          "type":"checklist",
+          "items": [
+            { 
+              "key":"replay_attacks",
+              "title":"Replay Attacks",
+              "caption": "",
+              "description":"Using the sniffed traffic, determine if replay attacks are possible. Check if the device accepts modified requests and if you can make changes to the configuration. Verify if the device uses unencrypted communication.",
+              "tools":"Wireshark, HackRF, python"
+            },
+            { 
+              "key":"shared_resources",
+              "title":"Improper Isolation of Shared Resources",
+              "caption": "",
+              "description":"A SOC may use pin multiplexing allowing an untrusted agent to access assets/info intended to trusted agents only",
+              "CWE": ["CWE-1189"]
+            },
+            { 
+              "key":"bac_on_chip_debugger",
+              "title":"Broken Access Control for On-Chip Debugger",
+              "caption": "",
+              "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.",
+              "CWE": ["CWE-1191", "CWE-1244"],
+              "tools":"JTAGulator, SOIC-8 clip"
+            },
+            { 
+              "key":"improper_lock_bit_protection",
+              "title":"Improper Lock Bit Protection",
+              "caption": "",
+              "description":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
+              "CWE": ["CWE-1231", "CWE-1233"]
+            },
+            { 
+              "key":"cryptographic_implementation",
+              "title":"Cryptographic Implementation",
+              "caption": "",
+              "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.",
+              "CWE": ["CWE-1240"]
+            },
+            {
+              "key": "fault_injection_and_side_channel_attacks",
+              "title": "Fault Injection and Side Channel Attacks",
+              "caption": "",
+              "description": "Test for fault injection and side channel attacks that can bypass security measures to dump firmware, access sensitive information, perform code execution, skip authentication, or escalate privileges.",
+              "CWE": ["CWE-1256", "CWE-1300"],    
+              "tools": "chipwhisperer, oscilloscope, pcb workstation with nano probes"
+            },
+            {
+             "key":"memory_overlap",
+             "title":"Improper Handling of Memory Overlap",
+             "caption": "",
+             "description":"Assess if isolated memory regions and access control policies allow software with low privileges to make changes to overlapping memory also used by software running with higher privileges.",
+             "CWE": ["CWE-1260"]
+            },
+            {
+              "key":"clearing_memory_during_state_transition",
+              "title":"Sensitive Information Uncleared Before State Transition",
+              "caption": "",
+              "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
+              "CWE": ["CWE-1272"]
+            },
+            {
+              "key":"volatile_memory_boot_code",
+              "title":"Improper Access Control for Volatile Memory for Boot Code",
+              "caption": "",
+              "description":"Assess if the secure boot process can be bypassed to execute untrusted malicious boot code",
+              "CWE": ["CWE-1274"]
+            },
+            {
+              "key":"firmware_not_updating",
+              "title":"Firmware Not Getting Updates",
+              "caption": "",
+              "description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.",
+              "CWE": ["CWE-1277"]
+            },
+            {
+              "key":"root_shell",
+              "title":"Root Shell Access",
+              "caption": "",
+              "description":"Try to gain root shell access on the device using an enabled communication protocol, i.e. telnet or ssh, or using an open debug port to interrupt the boot process.",
+              "tools":"SOIC-8 clip, Burp, Caido, GNU Screen"
+            }
+          ]
+        },    
+        {
+          "key": "upload_logs",
+          "title": "Upload logs",
+          "description": "This should include all associated traffic associated to the in-scope targets.",
+          "type": "large_upload"
+        },
+        {
+          "key": "executive_summary",
+          "title": "Executive summary",
+          "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
+          "type": "executive_summary"
+        }
+      ]
+    }
+  }

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: bmt
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Federico Tagliabue
 - Andy White
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-08-20 00:00:00.000000000 Z
+date: 2025-09-10 00:00:00.000000000 Z
 dependencies: []
-description:
+description: 
 email:
 - federico.tagliabue@bugcrowd.com
 - arcwhite@arcwhite.org
@@ -30,6 +30,7 @@ files:
 - lib/data/0.1/methodologies/ai_llm.json
 - lib/data/0.1/methodologies/api_testing.json
 - lib/data/0.1/methodologies/binaries.json
+- lib/data/0.1/methodologies/hardware_testing.json
 - lib/data/0.1/methodologies/internal_network.json
 - lib/data/0.1/methodologies/mobile_android.json
 - lib/data/0.1/methodologies/mobile_ios.json
@@ -46,7 +47,7 @@ metadata:
   source_code_uri: https://github.com/bugcrowd/bmt-ruby
   bug_tracker_uri: https://github.com/bugcrowd/bmt-ruby/issues
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -61,8 +62,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.0.3.1
+signing_key: 
 specification_version: 4
 summary: Ruby wrapper for Bugcrowd's Methodology Taxonomy
 test_files: []