{"id":25911525,"url":"https://github.com/copyleftdev/pen-testing-brown-bag","last_synced_at":"2026-03-08T00:30:56.257Z","repository":{"id":49713403,"uuid":"197048122","full_name":"copyleftdev/Pen-Testing-Brown-Bag","owner":"copyleftdev","description":null,"archived":false,"fork":false,"pushed_at":"2021-06-10T15:51:24.000Z","size":1312,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-12-02T13:44:13.274Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/copyleftdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-07-15T18:03:07.000Z","updated_at":"2023-03-05T01:54:45.000Z","dependencies_parsed_at":"2022-09-14T08:00:28.926Z","dependency_job_id":null,"html_url":"https://github.com/copyleftdev/Pen-Testing-Brown-Bag","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/copyleftdev/Pen-Testing-Brown-Bag","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/copyleftdev%2FPen-Testing-Brown-Bag","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/copyleftdev%2FPen-Testing-Brown-Bag/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/copyleftdev%2FPen-Testing-Brown-Bag/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/copyleftdev%2FPen-Testing-Brown-Bag/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/copyleftdev","download_url":"https://codeload.github.com/copyleftdev/Pen-
Testing-Brown-Bag/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/copyleftdev%2FPen-Testing-Brown-Bag/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30238830,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-07T23:52:25.683Z","status":"ssl_error","status_checked_at":"2026-03-07T23:52:25.373Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-03T09:17:46.804Z","updated_at":"2026-03-08T00:30:56.232Z","avatar_url":"https://github.com/copyleftdev.png","language":"Dockerfile","readme":"# Pen Testing 101\n\n\n## Workflow\n\n#### Pre-Login\n\n##### Server scans\n- [ ] [nmap](https://nmap.org/)\n    - `sudo nmap -v -Pn -sV --reason --version-all --top-ports 1000 $URL`\n    - `sudo nmap -v -Pn -p xx,xx,xx http-apache-negotiation,http-apache-server-status,http-aspnet-debug,http-auth,http-auth-finder,http-config-backup,http-cors,http-cross-domain-policy,http-default-accounts,http-enum,http-errors,http-generator,http-iis-short-name-brute,http-iis-webdav-vuln,http-internal-ip-disclosure,http-jsonp-detection,http-mcmp,http-method-tamper,http-methods,http-ntlm-info,http-open-proxy,http-open-redirect,http-passwd,http-php-version,http-phpself-xss,http-trace,http-traceroute,http-vuln-cve2012-1823,http-vuln-cve2015-1635,http-vuln-cve2017-5638 $URL`\n- [ ] 
[nikto](https://github.com/sullo/nikto)\n\t- `nikto -h $URL [-ssl] -maxtime 15m -Display 1234`\n    - `nikto -config $CONFIGFILE`\n- [ ] [whatweb](https://tools.kali.org/web-applications/whatweb)\n\t- `whatweb $URL --aggression=3 --cookie 'name=value' --verbose`\n- [ ] [gobuster](https://github.com/OJ/gobuster)\n\t- `gobuster -u $URL -w /usr/share/seclists/Discovery/Web-Content/big.txt -s '200,204,301,302,307,403,500' -e`\n- [ ] [photon](https://github.com/s0md3v/Photon/wiki)\n\t- `python photon.py -u $URL --verbose --threads X --level X --cookies 'COOKIE=asd123'`\n- [ ] [dirsearch](https://github.com/maurosoria/dirsearch)\n\t- `python3 dirsearch -u $URL --recursive --threads=X --exclude-status=CODES --cookie=COOKIE --extensions=EXTENSIONS`\n- [ ] [dirhunt](http://docs.nekmo.org/dirhunt/usage.html)\n\t- `Tweak as needed: dirhunt $URL -e $EXT,$EXT -i html,300-500 --threads X`\n- [ ] Look for admin pages with [cangibrina](https://github.com/fnk0c/cangibrina)\n\t- `python cangibrina.py -u $URL -v --nmap`\n- [ ] [snallygaster](https://github.com/hannob/snallygaster)\n\t- `snallygaster -d $URL`\n- TODO: wfuzz\n\n##### SSL/TLS checks\n- [ ] Lacking TLS altogether\n- [ ] sslscan $PRODURL\n- [ ] sslscan $DEVURL\n- [ ] Old TLS versions supported\n- [ ] DES/old ciphers\n- [ ] Expired/mismatched certificate\n- [ ] Lack of PFS support\n\n##### Pre-auth headers\n- [ ] Check 404 page for proper headers, esp. 
CSP\n- [ ] X-XSS-Protection\n- [ ] Strict-Transport-Security\n- [ ] X-Content-Type-Options\n- [ ] X-Frame-Options\n- [ ] Content-Security-Policy\n\t- [CSP Evaluator](https://csp-evaluator.withgoogle.com/)\n- [ ] Cache-Control\n- [ ] CORS headers\n    - [ ] Add evil.com Origin header\n    - [Comprehending CORS Findings](https://www.trustedsec.com/2018/04/cors-findings/)\n- [ ] System information disclosed\n\n##### Pre-auth cookies\n- [ ] Secure\n- [ ] HttpOnly\n- [ ] Note session cookies for possible session fixation post-auth\n- [ ] Check for liberal cookie domain scope ([WAHH](http://mdsec.net/wahh) p.244, 246)\n\n##### Pre-auth Misc\n- [ ] Find non-existent page/404 to check for custom error page\n- [ ] [Wappalyzer](https://www.wappalyzer.com)\n\n#### Login\n- [ ] Autocomplete=\"off\"\n- [ ] Burp compare login failures with good vs. bad usernames\n- [ ] Username/password harvesting\n\t- If accounts are locked out, a message stating the lockout has occurred is a way to enumerate usernames ([WAHH](http://mdsec.net/wahh) p.197)\n- [ ] Displayed passwords\n\t- Assumes passwords not hashed\n- [ ] Parameters are passed in URL string\n- [ ] Reflected username in username field\n- [ ] Password in server response\n- [ ] Secret question displayed\n- [ ] Secret question returned in server response\n- [ ] Secret question bypass\n- [ ] Weak/short secret questions\n- [ ] Check for non-hashed secret questions\n- [ ] Test 2FA bypass ([WAHH](http://mdsec.net/wahh) p.186)\n- [ ] Look at \"remember me\" functionality\n\t- [ ] Predictable tokens to bypass 2FA\n    - [ ] Replay other user's tokens to bypass 2FA\n    - [ ] Check if \"remember me\" replaces username/password and thus removes authentication\n    - [ ] Check for weak obfuscation/encoding/encryption of token/cookie\n    - [ ] Remember multiple users and compare tokens\n    - [ ] Determine if entire token is used or only parts\n    \t- Modify token to find parts that are used, e.g. 
Burp Intruder char frobber ([WAHH](http://mdsec.net/wahh) p.212)\n- [ ] Login multiple times and verify session token changes each time\n- [ ] Check for SSO\n\t- [ ] Use EsPReSSO and/or SAML Raider extensions\n- [ ] Check for credentials submitted in JSON\n\t- [ ] Check for NoSQL backed with `username=admin\u0026password[$gt]=\u0026submit=login`\n- [ ] Check for bad password lockout\n- [ ] Check for bad secret question lockout\n- [ ] Compare good password response on locked out account with bad password response\n- [ ] Fuzz login parameters ([WAHH](http://mdsec.net/wahh) p.168)\n    - [Arjun parameter fuzzer](https://github.com/s0md3v/Arjun)  \n- [ ] Check that the same secret question is used for each authentication attempt to prevent attackers from \"picking\" a secret question to answer ([WAHH](http://mdsec.net/wahh) p.195)\n- [ ] Check that app is storing which secret question being asked on the server and not on the client ([WAHH](http://mdsec.net/wahh) p.195)\n\n#### Post-Login\n\n##### Pre-navigation\n- [ ] login with low-priv user\n\t- [ ] add to Autorize\n- [ ] switch to high priv user\n- [ ] nikto with cookies/credentials\n\t- [ ] set cookies in $HOME/nikto.conf\n    - [ ] `SET-COOKIES=\"cookiename\"=cookievalue`\n- [ ] dirbuster with cookies/credentials\n    - [ ] `gobuster -u $URL -w /usr/share/seclists/Discovery/Web-Content/big.txt -s '200,204,301,302,307,401,403,500' -e -c 'COOKIES=cookies'`\n- [ ] Check for 200 vs. 302 response on login\n    - [ ] Check `about:cache` for cached data\n- [ ] [Wappalyzer](https://www.wappalyzer.com) again\n\n##### Post-auth headers\n- [ ] Check 404 page for headers, esp. 
CSP\n- [ ] X-XSS-Protection\n- [ ] Strict-Transport-Security\n- [ ] X-Content-Type-Options\n- [ ] X-Frame-Options\n- [ ] Content-Security-Policy\n\t- [CSP Evaluator](https://csp-evaluator.withgoogle.com/)\n- [ ] Cache-Control\n- [ ] CORS headers\n\t- [ ] Add evil.com Origin header\n\t- [Comprehending CORS Findings](https://www.trustedsec.com/2018/04/cors-findings/)\n- [ ] System information disclosed\n\n##### Post-auth cookies\n- [ ] Session fixation in session cookies ([WAHH](http://mdsec.net/wahh) p.244)\n- [ ] Check if pre- and post-auth cookies are the same\n- [ ] See if bogus but validly formed token is accepted\n- [ ] Secure parameter\n- [ ] HttpOnly parameter\n- [ ] SameSite parameter\n\n##### Post-auth Misc\n- [ ] Check for last login notification\n- [ ] Check for logout button\n- [ ] Verify logout actually ends session by resending old tokens ([WAHH](http://mdsec.net/wahh) p.242)\n\t- [ ] Verify cookie is not simply being unset on the client side\n\n#### Navigation\n- [ ] Browse all pages and use all functionality as admin user\n- [ ] Burp Spider the site\n\t- [ ] *Exclude logout link, password reset link, any other necessary pages from scope to prevent logout issues*\n\t- [ ] *Exclude any delete item links*\n- [ ] Add any cookies/credentials used for the site to Burp Scanner\n- [ ] Run Burp Discover Content\n\n##### Process site mapping results\n- [ ] Run Burp -\u003e site root -\u003e engagement tools -\u003e analyze site\n- [ ] Determine the site navigation type: application pages or functional paths\n\t- [ ] If functional paths, create path map ([WAHH](http://mdsec.net/wahh) p.95)\n    - [ ] Create functional diagram of application logic. Look for good ways to map this, e.g. 
OneNote, draw.io, etc.\n- [ ] Find hidden debug parameter names with Intruder Cluster Bomb ([WAHH](http://mdsec.net/wahh) p.97)\n\t- [ ] debug, test, source, hide\n    - [ ] true, yes, on, 1\n- [ ] Identify REST-style URLs\n- [ ] Identify query string parameters\n    - [Arjun parameter fuzzer](https://github.com/s0md3v/Arjun)\n- [ ] Identify non-standard query string parameter formats ([WAHH](http://mdsec.net/wahh) p.99)\n- [ ] Run Param Miner extension\n- [ ] Run Web Cache Deception Scanner extension\n- [ ] Recursively gobuster newly-found directories\n\n##### Burp Scan site\n- [ ] Create macro for ensuring logged-in session\n- [ ] Add all user credentials to Burp scan config\n- [ ] Use Intruder -\u003e scan defined insertion points for targeted scanning\n\n#### Post-navigation\n\n##### Change password functionality\n- [ ] CSRF token\n- [ ] Password change delay\n- [ ] Password reuse allowed\n- [ ] Password complexity issues\n- [ ] Verify that password change requires current password\n\t- [ ] Check for CSRF if password is not required\n- [ ] Check for password in server response\n- [ ] Check if existing password is verified before new password, enabling password guessing attacks\n- [ ] Check for brute force possibility\n- [ ] Try all combinations of good/bad/mismatched passwords\n- [ ] Check if a username is provided (should never be), and if other usernames can be used/brute-forced ([WAHH](http://mdsec.net/wahh) p.199)\n- [ ] Check for multistage password change functionality ([WAHH](http://mdsec.net/wahh) p.262)\n\t- [ ] See if token/creds are checked at first stage, but not at later stage of process\n\n##### Forgot password functionality\n- [ ] Check for brute force possibility\n- [ ] Username harvesting possibility\n- [ ] Determine if user can set challenge\n- [ ] Examine password reset email token, if applicable\n\n##### File upload issues\n- [ ] Identify file uploads\n- [ ] Test for zip file upload issues with [zip 
shotgun](https://github.com/jpiechowka/zip-shotgun)\n- [ ] Use Upload Scanner extension\n\t- [ ] Upload file of 100KB+\n\t- [ ] Send to Upload Scanner extension\n\t- [ ] Add file to FlexiInjector if not a normal multipart upload\n\t- [ ] Tweak file extensions based on site stack\n\t- [ ] Enable logging\n\t- [ ] Enable reDownloader\n\t\t- [ ] If sleep RCE found, tweak timeout settings\n\n##### Post-navigation Misc\n- [ ] Compare site maps with low-priv user ([WAHH](http://mdsec.net/wahh) p.268)\n- [ ] Check that password change functionality exists\n- [ ] Check for comments\n- [ ] Run Paramalyzer extension\n- [ ] Identify impersonation functionality ([WAHH](http://mdsec.net/wahh) p.179)\n\t- [ ] Check if admins can be impersonated\n- [ ] Check for account registration\n- [ ] Check for account creation, e.g. as admin\n\t- [ ] Check for predictable usernames ([WAHH](http://mdsec.net/wahh) p.182)\n\t- [ ] Check for predictable initial passwords ([WAHH](http://mdsec.net/wahh) p.183)\n- [ ] Spoof UA with browser extension and Burp ([WAHH](http://mdsec.net/wahh) p.100)\n- [ ] Unsafe configuration\n- [ ] Create malformed requests to generate 4xx and 5xx errors\n- [ ] Unauthenticated help pages\n- [ ] Forced browsing/authentication bypass checks\n\t- [ ] Save all links from Burp scope to file\n\t- [ ] Loop through file, use curl through Burp: curl -sk -x http://127.0.0.1:8080 $url\n\t- [ ] Review results, make sure 302/auth is required\n- [ ] Cross-site tracing (XST)\n\t- [ ] Send OPTIONS request\n- [ ] Sensitive info in GET parameters\n- [ ] Verify that client-side controls are replicated server side ([WAHH](http://mdsec.net/wahh) p.117)\n- [ ] Check for disabled elements and submit them as parameters\n- [ ] Check for missing SRI attributes\n- [ ] Look for hidden params with Param Miner extension\n\n##### Injection issues\n- [ ] SQL injection\n\t- [ ] Export Burp site map and run [SleuthQL](https://github.com/RhinoSecurityLabs/SleuthQL)\n- [ ] OS command injection\n\t- [ ] 
Use Command Injection Attacker/SHELLING extension\n- [ ] XPath Injection\n- [ ] Server-side request forgery\n- [ ] LDAP injection\n- [ ] XML injection (see [MMWPT](https://www.packtpub.com/networking-and-servers/mastering-modern-web-penetration-testing) p.179)\n\t- [ ] look for `application/json` Content-Type header and change to `application/xml`\n- [ ] Blind XML external entity processing\n\t- look for `application/json` Content-Type header and change to `application/xml`\n    - [Playing with Content-Type – XXE on JSON Endpoints](https://blog.netspi.com/playing-content-type-xxe-json-endpoints/)\n- [ ] Server-side template injection\n\t- [tplmap](https://github.com/epinna/tplmap)\n- [ ] Client-side template injection\n\t- [angularjs-csti-scanner](https://github.com/tijme/angularjs-csti-scanner)\n    - AngularJS injection, etc.\n    - `x{{1==1}}x`\n    - `{ { constructor.constructor(“alert(1)”)() } }`\n\n##### Session issues\n- [ ] Determine the session token ([WAHH](http://mdsec.net/wahh) p.208)\n\t- [ ] Remove possible tokens on session-dependent page until actual session is found.\n- [ ] Test if token is encoded\n\t- [ ] Determine if entire token is used or only parts\n    - [ ] Modify token to find parts that are used, e.g. 
Burp Intruder char frobber ([WAHH](http://mdsec.net/wahh) p.212)\n- [ ] Session ID exposed in URL\n- [ ] Session ID not invalidated after logout/timeout\n\t- [ ] Replay authenticated action after logout\n- [ ] Predictable session tokens\n\t- [ ] Test randomness with Burp\n- [ ] Expired session displays internal pages\n- [ ] Concurrent sessions\n- [ ] Check if session token in each browser is the same or different.\n- [ ] Improper session time out configuration\n- [ ] Check if any session tokens/other data is encrypted ([WAHH](http://mdsec.net/wahh) p.232)\n\t- [ ] Bitflipping attacks, ECB\n- [ ] Test sessions with Autorize extension\n\n##### XSS\n- [ ] Persistent XSS\n- [ ] Reflected XSS\n\t- `\"'\u003c\u003e();[]{}AbC`\n    -  `\"\u003e\u003cimg src=x onerror=alert(1);\u003e`\n    -  [Polyglot XSS payloads](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)\n    \t- `jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\u003c/stYle/\u003c/titLe/\u003c/teXtarEa/\u003c/scRipt/--!\u003e\\x3csVg/\u003csVg/oNloAd=alert()//\u003e\\x3e`\n    -  [XSS-Payloads.com](http://www.xss-payloads.com/)\n    - [XSStrike](https://github.com/s0md3v/XSStrike)\n- [ ] DOM-based XSS\n- [ ] Minimal input filtering and/or output encoding\n\t- `\u003ccode\u003e \u003cpre\u003e \u003cplaintext\u003e`\n- [ ] Messages reflect manipulated input\n\n##### CSRF\n- [ ] Predictable CSRF token\n\t- [ ] Use Burp to check token randomness\n- [ ] Transaction replay\n- [ ] CSRF token passed in URL query string\n- [ ] Test tokens between different users\n- [ ] Test tokens between sessions\n- [ ] Check for POST/GET method interchange\n- [ ] Verify CSRF token is checked server-side ([MMWPT](https://www.packtpub.com/networking-and-servers/mastering-modern-web-penetration-testing) p.93):\n\t- [ ] If currently logged in as user A then use the CSRF token of any other user B and check if the request of A is allowed via B's token. 
Then use this logic to bypass the CSRF protection.\n\t- [ ] Don't delete the anti-CSRF token parameter but put a blank inside its value and see if it works.\n\t- [ ] Put a random string with a similar length to that of the anti-CSRF token. Check to see if that works.\n\t- [ ] Check if the CSRF token is common to all users. If so, then use the token to construct an exploit.\n\n##### Server-side Request Forgery (SSRF)\n- [ ] Look for places to load/render URLs\n\t- [ ] Profile pics, links, etc.\n\t- [ ] Use links like http://localhost/favicon.ico to test for SSRF (THP p.89)\n- [ ] Try to port scan localhost and local network\n- [ ] Make use of private IP disclosure to map internal network\n\n##### File upload/access issues\n- [ ] LFI/RFI\n\t- [ ] Try PsychoPATH extension\n- [ ] Unrestricted file upload\n- [ ] File upload destination directory not restricted\n- [ ] Arbitrary file access through directory traversal\n- [ ] Arbitrary file access through parameter manipulation\n\n##### Sensitive/system information disclosure\n\n##### ASP.NET issues\n- [ ] Debugging enabled\n- [ ] Unencrypted ViewState\n- [ ] ViewState without MAC enabled (Burp checks for this, [WAHH](http://mdsec.net/wahh) p.127)\n\n#### Misc. 
issues\n\n##### API testing methodology\n- [ ] List API endpoints\n    - [ ] Get comprehensive list of endpoints\n    - [ ] Use [JSParser](https://github.com/nahamsec/JSParser) on .js files to find endpoints\n- [ ] Test all HTTP methods\n    - [ ] Iterate through all permutations of endpoint + HTTP methods\n- [ ] Scope-based testing\n    - [ ] Look for issues related to improper scope permissions checking\n- [ ] Role-based testing\n    - [ ] Look for issues related to improper role-based permissions checking\n- [ ] IDOR testing\n\n### Burp Extensions\n#### Burp Store\n* .NET Beautifier\n* ActiveScan++\n* Additional Scanner Checks\n* Autorize\n* Backslash Powered Scanner\n* CMS Scanner\n* Collaborator Everywhere\n* Command Injection Attacker (SHELLING)\n* CSP Auditor (Check for issue changing HTTP method)\n* CSRF Scanner (Check for issue changing HTTP method)\n* Decoder Improved\n* Error Message Checks\n* EsPReSSO\n* Flow\n* Freddy, Deserialization Bug Finder\n* Hackvertor\n* Headers Analyzer\n* Heartbleed\n* HTML5 Auditor\n* Identity Crisis\n* J2EEScan\n* Java Deserialization Scanner\n* Java Serial Killer\n* JSON Beautifier\n* JSON Web Tokens\n* Param Miner\n* Paramalyzer\n* ParrotNG\n* PsychoPATH\n* Python Scripter\n* Reflected Parameters\n* Response Clusterer\n* Retire.js\n* SAML Raider\n* Scan Check Builder\n* Scan manual insertion point\n* Session Auth\n* Site Map Fetcher\n* Software Vulnerability Scanner\n* SSL Scanner\n* Upload Scanner\n\n#### Downloaded\n* [Wildcard](https://github.com/hvqzao/burp-wildcard)\n* [Cookie Decrypter](https://github.com/bellma101/cookie-decrypter)\n* [SRI Check](https://github.com/bellma101/sri-check)\n* [tplmap](https://github.com/epinna/tplmap/blob/master/burp_extension/README.md)\n\n#### Awesome List\n* [Awesome Security List](https://github.com/sbilly/awesome-security)\n* [Movies for Hackers](https://github.com/k4m4/movies-for-hackers)\n* [Password 
List](https://github.com/danielmiessler/SecLists/tree/master/Passwords)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcopyleftdev%2Fpen-testing-brown-bag","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcopyleftdev%2Fpen-testing-brown-bag","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcopyleftdev%2Fpen-testing-brown-bag/lists"}