Initial push...

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/Course Overview.txt

@@ -0,0 +1,9 @@
+Overview:
+    -- The Principles of a Web Application Penetration Test
+    -- Pre-engagement
+    -- Footprinting
+    -- Attacking User Controls
+    -- Attacking Application Inputs
+    -- Common Attack Methods
+    -- Discovering Logic Flaws
+    -- Reporting

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-1 - The Principles of a Web Application Penetration Test.txt

@@ -0,0 +1,95 @@
+Overview:
+    -- Methodology of Attack
+    -- Structure of Web Applications
+    -- Cookies and Sessions
+    -- Lab Details
+
+
+::  Methodology of Attack  ::
+[  Poke at the Pillars  ]
+   -- Authentication
+   -- Authorization
+   -- Confidentiality
+   -- Integrity
+   -- Availability
+
+(  Map Content  )
+    -- Visible
+    -- Hidden [robots.txt, forced browse]
+    -- Analyze
+
+
+(  User Controls  )
+    -- Authentication
+    -- Access Controls
+    -- Session
+
+(  Attack Inputs  )
+    -- Form Input
+    -- Header
+    -- URL
+    -- Cookies
+    -- Hidden fields
+    -- XSS / Injection
+
+(  Site Logic  )
+    -- Positive security model
+    -- Fail securely
+    -- Principles of least privilege
+    -- Security by obscurity
+    -- Client trust
+    -- Information leakage
+
+
+
+
+::  Structure of Web Applications  ::
+
+(  HTTP Request Headers  )
+       verb       URI        Version
+Ex:    GET   /order/12345    HTTP/1.1
+
+       User-Agent                           Cookies              Referrer
+Ex:    Mozilla/5.0 (Windows NT 6.1; WOW64)  id=klkjuhyjhuty67uy  https://www.google.com
+
+
+(  HTTP Response Headers  )
+
+[  Status Code  ]
+    -- 100 - informational
+    -- 200 - Success
+    -- 300 - Redirection
+    -- 400 - Something wrong (user)
+    -- 500 - Something wrong (server)
+
+      Status Code       Server
+Ex:   HTTP/1.1 200 OK   Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.9.1f
+
+
+(  Structure of URL  )
+<protocol>//<domain name>/:<port if any>?<parameters>a=123Z&b=me
+
+? = parameters
+& = separate parameters
++ or %20 = spaces
+
+(  Symbol Encoding  )
+See  module-1-image-1  image
+
+[  Other  ]
+    -- Unicode
+    -- Hex Encoding
+    -- Base64 Encoding
+
+
+::  Cookies and Sessions  ::
+Cookies store session keys
+Flags:
+    httponly
+    secure
+
+Session data is server side.
+
+
+::  Lab Details  ::
+See  module-1-image-2  image

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-2 - Pre-engagement.txt

@@ -0,0 +1,44 @@
+Overview:
+    -- Black Box / Grey Box / White Box
+    -- Rules of Engagement
+    -- Scoping
+
+
+
+::  Black Box / Grey Box / White Box  ::
+
+"Box" Testing
+
+[  Black Box  ]:  no information or access. Purely blind except for what is publicly accessible.
+                  (crafting inputs and observing responses)
+
+[  White Box  ]:  aka, Crystal box testing, has complete information about, and access to the system being tested.
+                  (user accounts, admin access, documentation, source code, test suits and frameworks, test cases, algorithm descriptions, etc.)
+
+[  Grey Box  ]:   some info is available but not complete
+                  (source code but no user accounts or admin access. Api calls anyone??)
+
+
+
+
+::  Scoping  ::
+(  All about permission  )
+
+Reason for test??
+Applications and IP in scope??
+Applications and IP NOT in scope??
+Live or test environment??
+3rd parties evolved??
+Techniques allowed??
+
+
+
+
+::  Rules of Engagement  ::
+Contact info is important
+Start / end Time
+Whitelist / blacklist
+Blocked
+Test type?
+Test Credentials
+Access to data??

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-3 - Footprinting.txt

@@ -0,0 +1,63 @@
+Overview:
+    -- Spider Application
+    -- Discover Server Information
+    -- Discover Hidden Content
+    -- Automated Scans
+    -- Analyze Results
+
+
+
+::  Spider Application  ::
+
+[  OWASP Zed Attack Proxy (ZAP)  ]
+
+Add site to context
+1. r-click root of context and "Attack" > "Spider" it.
+2. You can force scan additional hidden pages by r-click and "Attack" > "Forced Browse" the directory and children
+
+
+
+
+::  Discover Server Information  ::
+-- Tool(s) --
+    HTTP Print
+    Wappalyzer (FF plugin)  [Helps get technology stack info.]
+
+Can use browser response header info too.
+Information leakage can help too. IE, plugins that display version info, etc
+
+See  module-3-image-1  image for app types
+
+
+
+
+::  Discover Hidden Content  ::
+
+--  Tool(s)  --
+    Foca  (Google foo)
+
+Robots.text
+Forced Browsing:       Common files and folders that are popular for private information  (BURP: Content Discovery)
+Public Information     "Google Hacking"
+Comments               Comments sitting in code  (BURP Suit has a find comments in page feature)
+
+
+
+
+::  Automated Scans  ::
+
+--  Tool(s)  --
+See  module-3-image-2  image
+CMSmap:    attack and review WordPress, Joomla, and Drupal.
+WPScan:    Wordpress
+Joomscan:  Joomla
+SQLmap:    injection tool
+
+SSLlabs:   https://www.ssllabs.com/ssltest/
+SSLscan:   Kali linux tool
+
+
+
+
+::  Analyze Results  ::
+Getting all the data together and reviewing...

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-4 - Attacking User Controls.txt

@@ -0,0 +1,47 @@
+Overview:
+    -- Authentication
+    -- Session
+    -- Access Controls
+
+
+::  Authentication  ::
+
+POST over HTTPS:  Ensure can't get to HTTP side
+
+Pretty much covers standard policies such as Lockout policies, password lengths and strength,
+whether over https with post (the best correct way) and whether any other (the worst wrong way)
+
+Password reset links should be tokenized and live for 5, 10, to 20 minutes. If still alive past 24 hours it's a finding.
+Obviously limit previous password usage to some degree (60 rounds before reuse)
+
+Security question /answer:  Is it limited or infinite in nature?
+
+What is your favorite NBA team?  == about 30 total. Will it let me try all
+thirty or lock out and request I call help line?
+
+
+
+::  Session  ::
+Is the session token meaningful or completely random?? NEVER base64 shit into it!!!
+Determine if content encode.
+
+Try generating multiple tokens. See if any repetition.
+Create multiple accounts.
+Compare tokens against access levels guest/admin
+
+
+--  Predictability and Randomization  --
+See  module-4-image-1  image
+
+
+Protect in transit
+No URL
+Expire
+
+
+
+
+::  Access Controls  ::
+Insecure direct object reference
+NEVER security through obscurity!!
+Unprotected API calls

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-5 - Attacking Application Inputs.txt

@@ -0,0 +1,35 @@
+Overview:
+    -- Proxies
+    -- Vehicles of Data Transfer
+    -- Input Validation
+
+
+::  Proxies  ::
+--  Tool(s)  --
+    ZAP  "Lets us view data between the app n server"
+
+
+::  Vehicles of Data Transfer  ::
+GET/POST parameters & response
+Headers
+Coolies
+
+Forms:
+    -- Text
+    -- Hidden fields  [In BURP:  Proxy > Options > Response Modification (Section) > Unhide Hidden Form Fields]
+
+Buttons
+
+Submits
+
+Scripting languages  (JS)
+
+
+
+
+::  Input Validation  ::
+All input is evil. ~sMichael Howard  XD lololololol
+
+TNO: Trust No One
+
+Length, data types, empty or not, etc...

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-6 - Common Attack Methods.txt

@@ -0,0 +1,53 @@
+Overview:
+    -- Fuzzing
+    -- XSS - Cross-site Scripting
+    -- Injection
+    -- Insecure Direct Object Reference
+    -- Request Forgery
+
+
+
+::  Fuzzing  ::
+--  Tool(s)  --
+    Burp
+    ZAP
+
+
+Unexpected Data
+Abnormal Behavior
+
+Upper bounds
+Letter
+Negative number
+XSS -> <script>alert(1)</script>
+
+
+
+
+::  XSS - Cross-site Scripting   ::
+
+Reflected XSS:  Getting data returned from a submission onto a page somewhere like a rely structure
+Stored XSS:     Set data into db to be returned later
+DOM XSS:        Stays client side and based on JS processing
+
+
+
+
+::  Injection  ::
+--  Tool(s)  --
+    -- OWASP:  Security Shepherd
+
+Parameterize! Nuf said
+
+
+
+
+::  Insecure Direct Object Reference  ::
+Basically, can I get to the data directly and bypass page logic??
+
+
+
+
+::  Request Forgery  ::
+CSRF:  Basically, trying to run command from another "site/location" while user is authenticated in the system.
+Instead of being requested from your site and the user directly it can be masked from another site if not checked against

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-7 - Discovering Logic Flaws.txt

@@ -0,0 +1,54 @@
+Overview:
+    -- Circumvention of Workflow
+    -- Beating Limits
+    -- Process Timing
+    -- Spilling the Secrets
+    -- Parameter Manipulation
+
+
+
+::  Circumvention of Workflow  ::
+Breaking logic/algorithms
+Ex 1:
+See  module-7-image-1  image
+
+Ex 2:
+See  module-7-image-2  image
+
+Ex 3:
+See  module-7-image-3  image
+
+Ex 4:
+See  module-7-image-4  image
+
+
+
+
+::  Beating Limits  ::
+min/max checks?
+Less than 0?
+
+
+
+
+::  Process Timing  ::
+Time of day?
+Time to process?
+Time limits?
+
+Success vs error processing?
+
+
+
+
+::  Spilling the Secrets  ::
+Correlation checks
+Does one process decrypt data that another process could use to decrypt other data?
+
+
+
+
+::  Parameter Manipulation  ::
+Site map changes:  See  module-7-image-5  image
+Click and observe
+Understand what COULD be done?

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-8 - Reporting.txt

@@ -0,0 +1,39 @@
+Overview:
+    -- Layout
+    -- Scoring
+
+
+
+::  Layout  ::
+What does it mean in terms of time, cost, threat, etc?
+How does it work?
+How do you remediate it?
+
+Explain according to user. IE, who is reading it technical or non-technical?
+
+Summery:
+    High
+    Medium
+    Low
+
+Scope of work:
+    Targets
+    Limits
+    Schedule
+    Summary of findings
+
+Findings:
+    Description of issue
+    Location
+    Severity rating
+    Screenshot
+    Remediation advice
+
+
+
+
+::  Scoring  ::
+Vulnerability Severities Metric:
+    (FIRST CVSS) --> Forum of Incident Response and Security Teams Common Vulnerability Scoring System.
+    https://www.first.org/cvss/
+    ** "For web application pentesting, I usually don't go beyond the base scoring system."