Recon workflow

  1. IP space discovery
  2. TLDs, Acquisitions, & Relations
  3. Subdomain Enum
  4. Fingerprinting
  5. Dorking
  6. Content Discovery
  7. Parameter Discovery

ASN Discovery

ASN discovery of the target:
https://bgp.he.net
ASN using whois (Team Cymru):
whois -h whois.cymru.com $(dig +short example.com)
NOTE: Be careful: the ASN you get back may belong to a hosting provider (e.g. a DigitalOcean VPS) rather than to the target. Don't work on those.
Using Nmap with an ASN to discover IPs belonging to the targeted ASN:
nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>
Gathering company intel using amass:
amass intel -org <Organisation name (not domain)>
ARIN for ASN:
IPINFO for ASN:
https://ipinfo.io
Subdomains from ASNs using amass:
amass intel -asn <ASN_number>

Discovering Brands

Looking for acquisitions or related orgs to target:
  • Wikipedia
  • Crunchbase
  • Owler
  • Acquiredby
  • LinkedIn
  • Reverse whois using the amass intel module:
    amass intel -d domain.com -whois
  • BuiltWith
  • Google dork:
    intext:"copyright © org_name"
  • Shodan dork using HTTP favicon hashes:
    http.favicon.hash:<hash>
    The favicon hash can be computed with favfreak.
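To check what value your own hosts' favicons will match on in the http.favicon.hash filter above, here is an added example (not favfreak's code and not the author's) that computes the Shodan-style favicon hash offline in pure Python, with no mmh3 dependency: MurmurHash3 (x86_32) over the MIME base64 text of the favicon bytes. The sample favicon bytes in the main block are constructed.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 in pure Python, returned as a signed 32-bit int
    (the same convention as mmh3.hash(), which favfreak and Shodan use)."""
    c1, c2, mask = 0xcc9e2d51, 0x1b873593, 0xffffffff
    h1 = seed & mask
    n = len(data)
    body = n & ~3                      # bytes covered by complete 4-byte blocks
    for i in range(0, body, 4):
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xe6546b64) & mask
    tail = data[body:]                 # 0-3 leftover bytes
    if tail:
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= n                            # finalisation mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85ebca6b) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xc2b2ae35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1

def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: the favicon bytes are MIME base64 encoded
    (76-char lines plus a trailing newline, i.e. codecs.encode(b, "base64"))
    and that text, not the raw bytes, is what gets hashed."""
    return murmur3_32(base64.encodebytes(favicon))

def shodan_favicon_query(favicon: bytes) -> str:
    """Build the http.favicon.hash filter value for a given favicon."""
    return f"http.favicon.hash:{favicon_hash(favicon)}"

if __name__ == "__main__":
    # Constructed stand-in for a real favicon.ico; hash your own file's bytes instead.
    sample_favicon = bytes(range(64))
    print(shodan_favicon_query(sample_favicon))
```

Hash the bytes of your own favicon.ico and search the resulting value to see every host Shodan indexes that serves the same icon, including forgotten or shadow-IT instances.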

Author

Mr._fr3qu3n533