Methodology

Mapped to PTES (Penetration Testing Execution Standard) + OWASP WSTG 4.2 + OWASP API Security Top 10 (2023).

Phase 1 — Passive reconnaissance

Goal: build an accurate picture of the attack surface without touching production.

• Subdomain enumeration: subfinder, amass enum -passive, crt.sh, DNSDumpster
• WHOIS, ASN, netblocks
• Historical DNS (SecurityTrails-equivalent via amass)
• GitHub dorking (org:corezoid searches for secrets, API keys, internal URLs)
• Public leak check (HaveIBeenPwned-style, GitHub public gists)

Output: recon/subdomains.md, recon/raw/*.json

Phase 2 — Active reconnaissance

• HTTP probing with httpx -tech-detect -title -status-code -tls-grab
• Port scanning with nmap -Pn -sV --top-ports 1000 on primary targets, -p- on edge hosts
• TLS inspection: nmap --script ssl-enum-ciphers,ssl-cert, cert parsing
• Content discovery: ffuf with raft-medium-words.txt (rate-limited, SMART mode)
• Robots.txt, sitemap.xml, security.txt harvest
• Favicon hash match (Shodan-equivalent tech fingerprinting)

Output: recon/ports.md, recon/tech-stack.md

Phase 3 — Authenticated web application testing

Using provided HAR files as authenticated session baselines:

• Authentication & session: cookie flags, JWT parsing, session fixation, logout CSRF
• Authorization: IDOR (increment/decrement tenant IDs, user IDs), vertical privilege escalation (user → admin)
• Input handling: reflected/stored XSS (DOM, JS templates), template injection, HTML injection
• Injection: SQLi (time-based, boolean-based via sqlmap --batch --risk=1 --level=2), NoSQLi, command injection
• Business logic: race conditions on state transitions, parameter tampering, workflow skipping
• File handling: upload path traversal, MIME sniffing, SSRF via URL params
• Client-side: CSP review, subresource integrity, post-message origin checks

Per-target checklist lives in notes/web-checklist-<host>.md

Phase 4 — API testing

Aligned with OWASP API Security Top 10 (2023):

1. BOLA — replay authenticated requests, swap object IDs
2. Broken auth — JWT alg:none, weak secrets, token reuse after logout
3. BOPLA — mass assignment on create/update endpoints
4. Unrestricted resource consumption — rate limit tests (respect RoE: probe, don't exhaust)
5. BFLA — function-level auth bypass (change GET /user/123 to DELETE /user/123 as unprivileged user)
6. Unrestricted access to sensitive business flows — scripted abuse of legitimate endpoints
7. SSRF — URL parameters, webhook targets, import-from-URL features
8. Security misconfig — CORS wildcards, verbose errors, exposed debug endpoints
9. Improper inventory mgmt — v1/v2/v3 endpoint coexistence, staging endpoints in prod
10. Unsafe API consumption — how does Corezoid consume third-party APIs (SSRF-enabling config?)

Output: findings/CRZ-NNN-*.md per issue

Phase 5 — Automated vulnerability templated scanning

• nuclei -severity medium,high,critical -exclude-tags dos,brute-force,intrusive -rate-limit 50
• Target list from Phase 2 live hosts
• Manual verification of every non-info finding before filing

Output: tools-out/nuclei-*.json, filed findings

Phase 6 — Source code audit

For each repo in scope:

1. git clone into repos-src/ (outside the tracked tree, but under the engagement dir)
2. trufflehog git file://<path> --only-verified + full scan
3. gitleaks detect --source <path> --no-git --verbose
4. semgrep --config auto --config p/owasp-top-ten --config p/security-audit <path>
5. Manual review of:
   • Authentication & session code
   • Authorization checks (especially in API handlers)
   • Crypto usage (key generation, signing, TLS config)
   • Deserialization entry points
   • SQL query construction
   • File upload / path handling
   • Environment variable / secret loading
   • CI/CD workflows (.github/workflows/*.yml) — secret exposure in logs, injectable branch names
   • Dependency manifests — known-vulnerable versions

Output: repos/<repo>.md per repo

Phase 7 — IaC & deployment review

• Helm charts: privileged pods, hostNetwork, missing resource limits, default credentials in values.yaml, ingress exposure
• Terraform: public S3 buckets, open security groups (0.0.0.0/0), unencrypted storage, secrets in state files, IAM wildcards
• Ansible: plaintext passwords in playbooks, become without sudoers scoping, insecure shell: usage

Output: repos/helm.md, repos/terraform.md, repos/corezoid_ansible_roles.md

Phase 8 — Edge infrastructure

• VPN fingerprint (OpenVPN/WireGuard/IPsec/SSL-VPN), known CVE match
• Jira version → known CVE search (CVE-2022-26134 OGNL, CVE-2023-22515 etc.)
• Exposed monitoring (Grafana, Prometheus, Kibana) on subdomains
• SSH fingerprint on edge hosts (if exposed)

Phase 9 — Reporting

Three documents:

1. report/technical-report.md — every finding with reproduction steps, evidence, CVSS, remediation
2. report/executive-summary.md — top risks, business impact, 1-page TL;DR
3. report/action-plan.md — prioritized remediation backlog with effort estimates

What makes a "good finding"

A filed finding must include:

• CRZ-NNN ID (sequential)
• Title (actionable, specific)
• Severity (Critical/High/Medium/Low/Info + CVSS vector)
• Affected asset(s)
• Description (what + why it matters)
• Reproduction (exact requests/commands, minimized)
• Evidence (links to evidence/CRZ-NNN-* files)
• Impact (what an attacker can do)
• Remediation (concrete fix)
• References (CWE, OWASP, CVE)

Template: findings/_TEMPLATE.md