
CHECKLISTS For Mapping

Sr No. REQUESTS
1 Identify where GETs are used and where POSTs are used.
2 Identify all parameters used in a POST request (these are in the body of the request).
3 Within the POST request, pay special attention to any hidden parameters. When a POST is sent, all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren't seen unless a proxy is used or the HTML source code is viewed. In addition, the next page shown, its data, and the level of access can all be different depending on the value of the hidden parameter(s).
4 Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).
5 Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string, separated by a &, ~, :, or any other special character or encoding.
6 A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute the attacks. The tester needs to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure each one of them is identified.
7 Also pay attention to any additional or custom type headers not typically seen (such as debug=False).

RESPONSES
1 Identify where new cookies are set (Set-Cookie header), modified, or added to.
2 Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
3 Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then the tester might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.
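
The request and response items above can be recorded mechanically from traffic saved out of a proxy. The script below is an added example, not part of the original checklist: it inventories query-string and body parameters, unusual request headers, cookies set, status codes worth reviewing, the Server header, and hidden form fields. The function names, the COMMON header baseline, and the sample traffic (host app.example) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed baseline of ordinary browser request headers; anything else is reported.
COMMON = {"host", "user-agent", "accept", "accept-language", "accept-encoding", "cookie",
          "content-type", "content-length", "referer", "origin", "connection"}

class HiddenFields(HTMLParser):  # collects <input type="hidden"> name/value pairs
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.found.append((a.get("name"), a.get("value")))

def split_message(raw):  # -> (start line, [(header, value)], body)
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.split("\n")
    headers = [tuple(s.strip() for s in h.split(":", 1)) for h in rest if ":" in h]
    return first, headers, body

def map_request(raw, sep="&"):  # sep: query-string separator the application uses
    first, headers, body = split_message(raw)
    method, target = first.split(" ")[:2]
    url = urlsplit(target)
    ctype = {k.lower(): v for k, v in headers}.get("content-type", "")
    form = ctype.startswith("application/x-www-form-urlencoded")
    return {"method": method, "path": url.path,
            "query": parse_qsl(url.query, keep_blank_values=True, separator=sep),
            "body": parse_qsl(body.strip(), keep_blank_values=True) if form else [],
            "unusual_headers": [k for k, _ in headers if k.lower() not in COMMON]}

def map_response(raw):
    first, headers, body = split_message(raw)
    status = int(first.split(" ")[1])
    parser = HiddenFields()
    parser.feed(body)
    return {"status": status, "review_status": status >= 300,  # 3xx, 4xx, 5xx
            "cookies_set": [v.split("=", 1)[0] for k, v in headers if k.lower() == "set-cookie"],
            "server": next((v for k, v in headers if k.lower() == "server"), None),
            "hidden_fields": parser.found}

# Constructed sample traffic (not captured from a real site).
REQ = ("POST /account/update?lang=en&view=full HTTP/1.1\nHost: app.example\ndebug: False\n"
       "Content-Type: application/x-www-form-urlencoded\n\nemail=a%40example.org&role=user")
RESP = ("HTTP/1.1 302 Found\nServer: BIG-IP\nSet-Cookie: session=abc123; HttpOnly\n"
        "Location: /account\n\n<form><input type=\"hidden\" name=\"level\" value=\"1\"></form>")
if __name__ == "__main__": print(map_request(REQ), map_response(RESP), sep="\n")
```

Pass sep="~" (or another single separator) to map_request when the application does not use & between query-string pairs.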
