Here’s a clear, step-by-step breakdown of commands, tools, and objectives for each section in your Web Security Testing Guide (WSTG). Each test includes easy-to-follow commands, explanations, and examples where applicable.
🛡️ Information Gathering
WSTG-INFO-01: Conduct Search Engine Discovery Reconnaissance for Information Leakage
Objective: Find sensitive design/configuration information on public-facing search engines.
Commands:
site:example.com filetype:pdf
site:example.com inurl:admin
site:example.com intitle:index.of
Tool: Google Dorks
Explanation: These commands search for exposed PDFs, admin panels, or directory listings.
WSTG-INFO-02: Fingerprint Web Server
Objective: Identify the web server type/version.
Commands:
curl -I http://example.com
whatweb example.com
nmap -p80 --script=http-server-header example.com
Tools: curl, WhatWeb, nmap
Explanation: curl -I prints the response headers (Server, X-Powered-By), WhatWeb fingerprints the server and frameworks from headers and page content, and the nmap http-server-header script reads the Server banner. Treat banners as hints only; they are easy to change or strip, so confirm the version through behaviour (error pages, default files, header ordering) before relying on it.
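Reading the headers by hand is fine for one host. The shell function below is an added example, not part of the original guide: it takes the raw output of curl -I, reports the Server and X-Powered-By banners, lists the hardening headers that are absent, and flags Set-Cookie lines that lack HttpOnly or Secure. The sample headers are constructed for the demo, not captured from a real host.

```bash
#!/usr/bin/env bash
# Constructed sample of a `curl -I` response; not captured from any real host.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abc123; path=/'

# Print the value of one header (case-insensitive) from raw headers on stdin.
header_value() {
  tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Summarise what the headers reveal: server/platform banners, hardening
# headers that are absent, and cookie attributes that are absent.
fingerprint_headers() {
  headers="$1"
  server=$(printf '%s\n' "$headers" | header_value Server)
  powered=$(printf '%s\n' "$headers" | header_value X-Powered-By)
  printf 'server=%s\n' "${server:-<none>}"
  printf 'x-powered-by=%s\n' "${powered:-<none>}"

  for h in Strict-Transport-Security Content-Security-Policy \
           X-Content-Type-Options X-Frame-Options; do
    printf '%s\n' "$headers" | grep -qi "^$h:" || printf 'missing=%s\n' "$h"
  done

  # Every Set-Cookie line should carry HttpOnly and Secure.
  printf '%s\n' "$headers" | tr -d '\r' | grep -i '^Set-Cookie:' \
    | while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/=.*//')
        for flag in HttpOnly Secure; do
          printf '%s' "$line" | grep -qi "; *$flag" \
            || printf 'cookie=%s missing=%s\n' "$name" "$flag"
        done
      done
  return 0
}

# Demo against the constructed sample. Against a live host use:
#   fingerprint_headers "$(curl -sI https://example.com)"
fingerprint_headers "$SAMPLE_HEADERS"
```

The output is one fact per line (server=, x-powered-by=, missing=, cookie=), which makes it easy to grep across many hosts or diff between test runs.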
WSTG-INFO-03: Review Webserver Metafiles for Information Leakage
Objective: Look for hidden paths, metadata files.
Commands:
curl http://example.com/robots.txt
curl http://example.com/sitemap.xml
Tools: curl, dirb, gobuster
Explanation: robots.txt Disallow entries and sitemap.xml URLs often list paths the owner did not want indexed (admin panels, old releases, staging areas). Feed them into dirb or gobuster as a prioritised wordlist; robots.txt is advice to crawlers, not an access control, so a listed path is a lead, not a finding until it is reachable.
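As an added example (not from the original guide), the functions below turn a robots.txt body into a list of absolute URLs to probe and pull out any Sitemap entries. The robots.txt content is constructed for the demo; example.com is a placeholder.

```bash
#!/usr/bin/env bash
# Constructed robots.txt; not fetched from any real host.
SAMPLE_ROBOTS='User-agent: *
Disallow: /admin/
Disallow: /backup
Disallow: /old-site/
Disallow: /admin/
Allow: /public/
Sitemap: https://example.com/sitemap.xml
# Disallow: /commented-out'

# Print each distinct Disallow path as an absolute URL under $1.
# Comments (# ...) are stripped; a bare "/" (block everything) is ignored.
robots_targets() {
  base="$1"
  printf '%s\n' "$2" | tr -d '\r' | sed 's/#.*//' \
    | awk -F: 'tolower($1) == "disallow" {
        p = $2; gsub(/^[ \t]+|[ \t]+$/, "", p)
        if (p != "" && p != "/") print p }' \
    | sort -u \
    | while IFS= read -r path; do printf '%s%s\n' "$base" "$path"; done
}

# Print every Sitemap URL (second field of "Sitemap: <url>").
robots_sitemaps() {
  printf '%s\n' "$1" | tr -d '\r' | sed 's/#.*//' \
    | awk 'tolower($1) == "sitemap:" { print $2 }'
}

# Demo against the constructed sample. For a live host:
#   robots_targets https://example.com "$(curl -s https://example.com/robots.txt)" \
#     | httpx -mc 200,301,302,403
robots_targets https://example.com "$SAMPLE_ROBOTS"
robots_sitemaps "$SAMPLE_ROBOTS"
```

Piping the result into httpx (or a gobuster run seeded with the paths) turns the crawler hints into a checked list of what actually responds; a 403 is still worth noting, since it confirms the path exists.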
WSTG-INFO-04: Enumerate Applications on Webserver
Objective: Identify applications running on the server.
Commands:
nmap -p80,443 --script=http-enum example.com
Tools: nmap
Explanation: The http-enum script requests a list of well-known application, admin and status paths on each web port and reports the ones that respond, which is a fast way to spot a second application (CMS, monitoring console, old install) sharing the server.
WSTG-INFO-05: Review Web Page Content for Information Leakage
Objective: Analyze page comments, metadata, and JavaScript.
Commands:
wget --mirror --no-parent http://example.com
Tools: wget, browser Inspect Element
Explanation: Review the mirrored source for HTML comments, hard-coded credentials or internal hostnames, meta tags that name the generator, and JavaScript that reveals API routes or feature flags.
WSTG-INFO-06: Identify Application Entry Points
Objective: Map potential entry points.
Commands: Use Burp Suite or OWASP ZAP.
Tools: Burp Suite, ZAP
Explanation: Browse the application through the proxy and analyze every request and response for the inputs the server acts on: query and body parameters, headers, cookies, and hidden form fields.
🛠️ Configuration and Deployment Management Testing
WSTG-CONF-01: Test Network Infrastructure Configuration
Objective: Validate secure configurations.
Commands:
nmap -sV -p- example.com
Tools: nmap
Explanation: Scans all 65535 TCP ports and fingerprints the listening services, so unexpected management interfaces (databases, admin consoles, alternate web ports) stand out.
WSTG-CONF-02: Test Application Platform Configuration
Objective: Ensure default files and debug code are removed.
Commands:
dirb http://example.com
gobuster dir -u http://example.com -w /path/to/wordlist.txt
Tools: dirb, gobuster
Explanation: Brute-forces common default files and debug endpoints (sample pages, phpinfo, status pages, backup directories) that ship with the platform and should have been removed before deployment.
WSTG-CONF-03: Test File Extensions Handling for Sensitive Information
Objective: Look for exposed sensitive files.
Commands:
curl -I http://example.com/config.php
Tools: curl, ffuf
Explanation: Request the file directly and with backup or editor extensions (config.php.bak, config.php~, config.old, .swp); ffuf automates the extension list. A 200 whose body contains source code or credentials means the server is serving a file it should have either denied or executed.
🔑 Identity Management Testing
WSTG-IDNT-01: Test Role Definitions
Objective: Assess role-based access controls.
Commands: Use Burp Suite for manual testing.
Tools: Burp Suite
Explanation: Capture a request made by a privileged role and replay it with a lower-privileged session's cookies or token; a successful response means the role check is missing or bypassable.
WSTG-IDNT-04: Testing for Account Enumeration and Guessable User Account
Objective: Detect account enumeration vulnerabilities.
Commands:
hydra -L user_list.txt -P pass_list.txt example.com http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid" -V
Tools: hydra, Burp Suite Intruder
Explanation: hydra needs a service module (here http-post-form) and a failure string; adjust the path, parameter names and F= string to the login form under test. Enumeration itself is detected by comparing responses for a known-valid and an invalid username: different error text, status code, response length or response time tells an attacker which usernames exist before any password guessing starts.
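An added example, not part of the original guide, of the differential check that actually detects enumeration: two raw login responses (constructed here, one for a known account and one for a non-existent one) are compared on status line and body, and each difference is reported. The response texts are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Constructed login responses; not captured from a real application.
# A leaky app answers differently depending on whether the username exists.
RESP_KNOWN_USER='HTTP/1.1 200 OK
Content-Type: text/html

<p class="error">Incorrect password.</p>'
RESP_UNKNOWN_USER='HTTP/1.1 200 OK
Content-Type: text/html

<p class="error">No account with that username.</p>'
# A hardened app returns the same message and status in both cases.
RESP_GENERIC='HTTP/1.1 200 OK
Content-Type: text/html

<p class="error">Invalid username or password.</p>'

# Body = everything after the first blank line of a raw HTTP response.
response_body() {
  printf '%s\n' "$1" | tr -d '\r' | sed '1,/^$/d'
}

# Compare two raw responses (known vs. unknown username) and print each
# attribute that differs. Any output is an enumeration signal: the
# application is telling the client whether the username exists.
# Headers such as Date are ignored; only status line and body are compared.
enum_signals() {
  status_a=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
  status_b=$(printf '%s\n' "$2" | head -n 1 | tr -d '\r')
  body_a=$(response_body "$1")
  body_b=$(response_body "$2")
  [ "$status_a" = "$status_b" ] || printf 'status: "%s" vs "%s"\n' "$status_a" "$status_b"
  [ "${#body_a}" -eq "${#body_b}" ] || printf 'body length: %s vs %s\n' "${#body_a}" "${#body_b}"
  [ "$body_a" = "$body_b" ] || printf 'body text differs\n'
  return 0
}

# Number of differing attributes (0 means this pair leaks nothing).
enum_signal_count() {
  enum_signals "$1" "$2" | grep -c .
  return 0
}

# Demo against the constructed pairs.
echo "leaky app:";     enum_signals "$RESP_KNOWN_USER" "$RESP_UNKNOWN_USER"
echo "hardened app:";  enum_signals "$RESP_GENERIC" "$RESP_GENERIC"
```

On a live target capture each response with curl -si -d 'username=...&password=wrong' against the login URL (one username that is known to exist, such as the tester's own account, and one that cannot), and add curl -w '%{time_total}' to catch the timing variant, where a password hash is only computed for existing users.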
🔐 Authentication Testing
WSTG-ATHN-02: Testing for Default Credentials
Objective: Test if default passwords exist.
Commands:
hydra -l admin -P passwords.txt example.com http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid" -V
Tools: hydra
Explanation: -l (lowercase) takes a single username and -L a file of usernames; the service module and form parameters must match the target. Try the vendor's documented default accounts first (admin/admin, admin/password and the product-specific defaults), then a short list of common passwords, and watch for lockout so the test does not deny service to real users.
WSTG-ATHN-03: Testing for Weak Lock Out Mechanism
Objective: Test account lockout after failed attempts.
Tools: Burp Suite Intruder
Explanation: Send repeated failed logins for one account, count how many are accepted before the account locks (or whether it ever locks), and check whether the correct password still works afterwards. Record the unlock time, and note whether the lockout can be triggered by an attacker to lock legitimate users out.
🧾 Session Management Testing
WSTG-SESS-01: Testing for Session Management Schema
Objective: Check session token randomness and security.
Tools: Burp Suite, OWASP ZAP
Explanation: Collect a large sample of session tokens (Burp Sequencer) and analyze them for predictability, length and visible structure; also verify that the session cookie carries the Secure, HttpOnly and SameSite attributes and that a fresh token is issued after login.
WSTG-SESS-05: Testing for Cross Site Request Forgery (CSRF)
Objective: Check if CSRF protection is enabled.
Tools: Burp Suite
Explanation: Remove or alter the CSRF token in an intercepted state-changing request and replay it; if the action still succeeds, the protection is missing or not validated. Also check whether the session cookie has SameSite set, since that is the browser-side defence.
🧠 Business Logic Testing
WSTG-BUSL-01: Test Business Logic Data Validation
Objective: Identify bypassable validation points.
Tools: Burp Suite, Postman
Explanation: Modify payloads manually (negative quantities, out-of-range prices, skipped workflow steps, reused one-time codes) and observe whether the application enforces its rules server-side rather than only in the client.
📦 API Testing
WSTG-APIT-01: API Reconnaissance
Objective: Identify API endpoints and parameters.
Commands:
gau example.com | httpx -mc 200
Tools: gau, httpx
Explanation: gau collects historical URLs from sources such as the Wayback Machine and Common Crawl; httpx then requests each and keeps the ones that still return 200, which surfaces API routes and parameters that the current UI no longer links to.
WSTG-APIT-99: Testing GraphQL
Objective: Identify GraphQL vulnerabilities.
Commands:
curl -X POST http://example.com/graphql -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name}}}"}'
Tools: GraphQLmap
Explanation: Probe for introspection. If the response contains __schema, the server exposes its full type system and every query and mutation can be mapped; if introspection is disabled, the response carries only an errors array. The Content-Type header is required, since most GraphQL servers reject a JSON body sent as form data.
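As an added example (not from the original guide or GraphQLmap), the functions below take the JSON returned by the introspection query above, decide whether introspection is enabled, and extract the application's own type names. Both responses are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed responses to the {__schema{types{name}}} query; not from a real server.
RESP_ENABLED='{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"__Schema"},{"name":"String"},{"name":"Mutation"},{"name":"__Type"}]}}}'
RESP_DISABLED='{"errors":[{"message":"GraphQL introspection is disabled"}]}'

# Exit 0 when the body carries a schema, 1 when the server refused.
introspection_enabled() {
  printf '%s' "$1" | grep -q '"__schema"'
}

# Print the application's own type names, one per line. Built-in __ types
# and the default scalars are dropped, so what remains is the map of
# objects worth querying. Tolerates both compact and pretty-printed JSON.
introspection_types() {
  printf '%s' "$1" | grep -oE '"name" *: *"[^"]*"' | sed -E 's/"name" *: *"//; s/"$//' \
    | grep -v '^__' | grep -vE '^(String|Int|Float|Boolean|ID)$' | sort -u
  return 0
}

# Demo. Live use:
#   introspection_types "$(curl -s -X POST https://example.com/graphql \
#     -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name}}}"}')"
if introspection_enabled "$RESP_ENABLED"; then
  introspection_types "$RESP_ENABLED"
fi
introspection_enabled "$RESP_DISABLED" || echo "introspection disabled"
```

Once the type list is known, the next step is a fuller introspection query that also returns each type's fields and arguments; that is what GraphQLmap automates.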
🚀 Common Tools for All Tests
Recon: nmap, WhatWeb, dirb, gobuster
Scanning: Nikto, OWASP ZAP, Burp Suite
Exploitation: SQLMap, Metasploit
API Testing: Postman, GraphQLmap
Validation: httpx, ffuf
Custom Script 1
Here's a one-of-a-kind Bash script tailored for bug hunters. It automates reconnaissance, scanning, and enumeration tasks from the WSTG list, validates tools, and provides a menu-driven interface to let you choose the specific test you want to run.
🐚 BugHunterPro.sh – The Ultimate Bug Hunting Toolkit
🚀 Key Features:
Interactive Menu: Choose specific WSTG tasks easily.
Target Input Validation: Ensures user provides a valid target.
Tool Auto-Installer: Checks and installs missing tools.
Automation Ready: Executes tailored commands for each task.
Easy Setup: Supports one-time setup.
📜 The Script
Copy this script into a file named BugHunterPro.sh:
#!/bin/bash
# 🛠️ BugHunterPro.sh - The Ultimate Bug Hunting Toolkit
# Author: Your Name
# Version: 1.0

# =========================
# 🌟 Color Codes
# =========================
RED="\e[31m"
GREEN="\e[32m"
BLUE="\e[34m"
YELLOW="\e[33m"
NC="\e[0m"

# =========================
# 🛠️ Tool Check & Install
# =========================
# Install commands assume a Debian/Ubuntu host; the Go tools need Go on PATH.
declare -A tools
tools=(
  ["nmap"]="sudo apt install nmap -y"
  ["curl"]="sudo apt install curl -y"
  ["wget"]="sudo apt install wget -y"
  ["whatweb"]="sudo apt install whatweb -y"
  ["dirb"]="sudo apt install dirb -y"
  ["gobuster"]="sudo apt install gobuster -y"
  ["hydra"]="sudo apt install hydra -y"
  ["sqlmap"]="sudo apt install sqlmap -y"
  ["httpx"]="go install github.com/projectdiscovery/httpx/cmd/httpx@latest"
  ["gau"]="go install github.com/lc/gau/v2/cmd/gau@latest"
)

check_tools() {
  echo -e "${YELLOW}🔍 Checking for required tools...${NC}"
  for tool in "${!tools[@]}"; do
    if ! command -v "$tool" &>/dev/null; then
      echo -e "${RED}❌ $tool is missing. Installing...${NC}"
      # Unquoted on purpose: each entry is a complete command line.
      ${tools[$tool]} || echo -e "${RED}❌ Could not install $tool; install it manually.${NC}"
    else
      echo -e "${GREEN}✅ $tool is installed.${NC}"
    fi
  done
}

# =========================
# 📥 Get Target
# =========================
# Asked once at startup. Only a bare hostname or IP is accepted, so the value
# can be dropped into the command lines below without quoting surprises.
get_target() {
  while true; do
    read -r -p "Enter the target (e.g., example.com or IP): " TARGET
    if [[ "$TARGET" =~ ^[A-Za-z0-9.-]+$ ]]; then
      break
    fi
    echo -e "${RED}❌ Target must be a hostname or IP (no scheme, path or spaces). Try again.${NC}"
  done
  echo -e "${GREEN}🎯 Target set to: $TARGET${NC}"
}

# =========================
# 📊 Main Menu
# =========================
main_menu() {
  while true; do
    clear
    echo -e "${BLUE}🛡️ BugHunterPro - Choose a Task 🛡️${NC}"
    echo "Target: $TARGET"
    echo "1. Conduct Search Engine Reconnaissance"
    echo "2. Fingerprint Web Server"
    echo "3. Review Webserver Metafiles"
    echo "4. Enumerate Applications on Webserver"
    echo "5. Review Web Page Content for Leakage"
    echo "6. Identify Application Entry Points"
    echo "7. Test for Default Credentials"
    echo "8. Test for SQL Injection"
    echo "9. Test for XSS Vulnerabilities"
    echo "10. Run All Tasks"
    echo "0. Exit"
    read -r -p "Choose an option: " choice
    case $choice in
      1) recon_search ;;
      2) fingerprint_server ;;
      3) review_metafiles ;;
      4) enumerate_apps ;;
      5) review_page_leakage ;;
      6) identify_entry_points ;;
      7) test_default_credentials ;;
      8) test_sql_injection ;;
      9) test_xss ;;
      10) run_all_tasks ;;
      0) exit 0 ;;
      *) echo -e "${RED}❌ Invalid choice. Try again.${NC}" ;;
    esac
    read -r -p "Press Enter to return to the menu..." _
  done
}

# =========================
# 🚀 Task Functions
# =========================
recon_search() {
  echo -e "${BLUE}🔍 Conducting Search Engine Recon...${NC}"
  # Google serves a bot-detection page to curl, so the dorks are printed as
  # ready-made queries and URLs to run from a browser or a search API.
  for dork in "filetype:pdf" "inurl:admin" "intitle:index.of"; do
    query="site:$TARGET $dork"
    echo "$query"
    echo "  https://www.google.com/search?q=$(printf '%s' "$query" | sed 's/ /+/g; s/:/%3A/g')"
  done
  echo -e "${GREEN}✅ Done.${NC}"
}

fingerprint_server() {
  echo -e "${BLUE}🔍 Fingerprinting Web Server...${NC}"
  curl -sI "http://$TARGET" | head -n 20
  whatweb "$TARGET"
  nmap -p80,443 --script=http-server-header "$TARGET"
  echo -e "${GREEN}✅ Done.${NC}"
}

review_metafiles() {
  echo -e "${BLUE}🔍 Reviewing Webserver Metafiles...${NC}"
  for f in robots.txt sitemap.xml; do
    echo "--- $f ---"
    # -f makes curl fail quietly on 4xx/5xx instead of printing an error page.
    curl -sf "http://$TARGET/$f" || echo "(no $f or non-200 response)"
  done
  echo -e "${GREEN}✅ Done.${NC}"
}

enumerate_apps() {
  echo -e "${BLUE}🔍 Enumerating Applications on Webserver...${NC}"
  nmap -p80,443 --script=http-enum "$TARGET"
  echo -e "${GREEN}✅ Done.${NC}"
}

review_page_leakage() {
  echo -e "${BLUE}🔍 Reviewing Web Page Content for Leakage...${NC}"
  outdir="mirror_$TARGET"
  wget -q --mirror --no-parent -P "$outdir" "http://$TARGET"
  echo "HTML comments found in the mirror (review manually):"
  grep -rhoE '<!--.*-->' "$outdir" 2>/dev/null | sort -u | head -n 50
  echo "Email addresses found in the mirror:"
  grep -rhoE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$outdir" 2>/dev/null | sort -u
  echo -e "${GREEN}✅ Done.${NC}"
}

identify_entry_points() {
  echo -e "${BLUE}🔍 Identifying Application Entry Points...${NC}"
  # Historical URLs that still answer are a cheap first map of parameters;
  # the full picture still needs Burp Suite or ZAP in front of the browser.
  gau "$TARGET" | httpx -silent -mc 200 | head -n 100
  echo "Continue with Burp Suite or ZAP for manual request/response analysis."
  echo -e "${GREEN}✅ Done.${NC}"
}

test_default_credentials() {
  echo -e "${BLUE}🔍 Testing for Default Credentials...${NC}"
  # hydra needs a service module; for a login form that is http-post-form
  # plus the path, the parameter names and a string that appears on failure.
  # Set LOGIN_PATH and FAIL_STRING in the environment to fit the target.
  LOGIN_PATH="${LOGIN_PATH:-/login}"
  FAIL_STRING="${FAIL_STRING:-Invalid}"
  if [[ ! -f passwords.txt ]]; then
    echo -e "${RED}❌ passwords.txt not found in the current directory.${NC}"
    return 1
  fi
  hydra -l admin -P passwords.txt "$TARGET" http-post-form \
    "$LOGIN_PATH:username=^USER^&password=^PASS^:F=$FAIL_STRING" -V
  echo -e "${GREEN}✅ Done.${NC}"
}

test_sql_injection() {
  echo -e "${BLUE}🔍 Testing for SQL Injection...${NC}"
  # sqlmap needs a real URL with at least one parameter; ask for it instead
  # of guessing a page name that may not exist.
  read -r -p "Enter a URL with a parameter to test (e.g., http://$TARGET/page.php?id=1): " SQLI_URL
  if [[ -z "$SQLI_URL" ]]; then
    echo -e "${RED}❌ No URL given.${NC}"
    return 1
  fi
  sqlmap -u "$SQLI_URL" --batch
  echo -e "${GREEN}✅ Done.${NC}"
}

test_xss() {
  echo -e "${BLUE}🔍 Testing for XSS Vulnerabilities...${NC}"
  read -r -p "Enter the reflected parameter name [search]: " PARAM
  PARAM="${PARAM:-search}"
  PAYLOAD='<script>alert("XSS")</script>'
  # -G with --data-urlencode builds a correctly encoded query string. A
  # verbatim reflection is only a lead; confirm it in a browser or Burp.
  if curl -sG --data-urlencode "$PARAM=$PAYLOAD" "http://$TARGET/" | grep -qF "$PAYLOAD"; then
    echo -e "${YELLOW}⚠️ Payload reflected unencoded in the response; verify manually.${NC}"
  else
    echo "Payload not reflected verbatim (encoded, filtered, or parameter unused)."
  fi
  echo -e "${GREEN}✅ Done.${NC}"
}

run_all_tasks() {
  recon_search
  fingerprint_server
  review_metafiles
  enumerate_apps
  review_page_leakage
  identify_entry_points
  test_default_credentials
  test_sql_injection
  test_xss
}

# =========================
# 🏁 Main Script Execution
# =========================
if [[ $EUID -ne 0 ]]; then
  echo -e "${RED}❌ This script must be run as root (needed by the tool installer).${NC}"
  exit 1
fi
check_tools
get_target
main_menu
🛠️ Setup Instructions
Save the file:
nano BugHunterPro.sh
Make it executable:
chmod +x BugHunterPro.sh
Run the script:
sudo ./BugHunterPro.sh
🚀 Features Overview
Target Validation: Ensures proper input.
Tool Validation: Installs missing tools.
Automation: Executes commands from WSTG efficiently.
Expandable: Easily add new tasks or tools.