Web App Red Team Checklist

• Get ASN for IP ranges (amass, asnlookup, metabigor, bgp)

• Review latest acquisitions

• Get relationships by registrants (viewdns)

• BuiltWith

• Breach Data, leaked credentials

• Pillaging Git - (TruffleHog, GitGot, Wraith, GitLeaks)

• FOIA Dorks (https://search.foia.gov)

• CloudScraper -> VSFP s3 locations

• Censys.io

• Metadata analysis of documents found

• DNS Recon (securitytrails Recon-NG)

• Employee data (LinkedIn, job postings, current employees)

• Look for a public Github/documentation

• dig, Nmap DNS NSE Scripts, DNSRecon, dig, Nmap DNS NSE Scripts, DNSRecon, Farsight Security's DNSDB

• https://sitereport.netcraft.com/

• https://www.exploit-db.com/google-hacking-database

• https://github.com/smicallef/spiderfoot

• https://github.com/blacklanternsecurity/bbot

• crt.sh -> httprobe -> EyeWitness Automated domain screenshotting

• jsendpoints Extract page DOM links

• certSniff Certificate transparency log keyword sniffer

• CloudBrute Cloud infrastructure brute force

• spoofcheck SPF/DMARC record checker

• AWSBucketDump S3 bucket enumeration

• Dismap Asset discovery/identification

• Gitrob GitHub sensitive information scanner

• Enumerate subdomains (amass or subfinder with all available API keys)

• Subdomain bruteforce (puredns with wordlist)

• Permute subdomains (gotator or ripgen with wordlist)

• Identify alive subdomains (httpx)

• Subdomain takeovers (nuclei-takeovers)

• Check for cloud assets (cloudenum)

• Shodan search

• Transfer zone

• Subdomains recursive search

• Take screenshots (gowitness, webscreenshot, aquatone)

• Subdomain Takeover (sublist3r, DNSReaper)

• Identify web server, technologies and database (httpx)

• Try to locate /robots.txt , /crossdomain.xml /clientaccesspolicy.xml /sitemap.xml and /.well-known/

• Review comments on source code (Burp Engagement Tools)

• Directory enumeration

• Web fuzzing (ffuf and wordlist)

• Find leaked ids, emails (pwndb)

• Identify WAF (wafw00f)

• Google dorking

• GitHub dorking/Github tools (githound, gitdorks_go)

• Get urls (gau , waybackurls, gospider)

• Check potential vulnerable urls (gf-patterns)

• Automatic XSS finder (dalfox)

• Locate admin and login panel

• Broken link hijacking (blc)

• Get all JS files (subjs, xnLinkFinder)

• JS hardcoded APIs and secrets (nuclei-tokens)

• JS analysis (subjs, JSA, xnLinkFinder, getjswords, retire.js burp extension)

• Run automated scanner (nuclei)

• Test CORS (CORScanner, corsy)

• Test AJAX by clicking on every button and analyzing in Burp

• If request esus XML data, look for XXE

Find Postman collections of API and lookup swagger. You can import swagger into Postman