[G1-Sync] Manual knowledge update

2026-05-09 22:47:42 +09:00
parent 93ec7e9056
commit 21ac3ed255
56 changed files with 22043 additions and 43 deletions
@@ -0,0 +1,486 @@
+---
+id: security-pen-testing
+title: Pen Testing — Manual / Tool / Bug Bounty
+category: Coding
+status: draft
+source_trust_level: B
+verification_status: conceptual
+created_at: 2026-05-09
+updated_at: 2026-05-09
+tags: [security, pen-testing, bug-bounty, vibe-coding]
+tech_stack: { language: "Various", applicable_to: ["Security"] }
+applied_in: []
+aliases: [pen testing, penetration testing, bug bounty, OWASP, Burp Suite, recon]
+---
+
+# Pen Testing
+
+> 의도적 attack — 보안 약점 발견. **Internal team / external firm / bug bounty**. OWASP methodology + Burp Suite + 자동 + manual.
+
+## 📖 핵심 개념
+- Recon: 정보 수집.
+- Scanning: vulnerability 자동 검색.
+- Exploitation: 실제 attack.
+- Reporting: severity + remediation.
+
+## 💻 코드 패턴
+
+### OWASP Testing Guide
+```
+1. Information gathering
+2. Configuration / deployment
+3. Identity management
+4. Authentication
+5. Authorization
+6. Session management
+7. Input validation
+8. Error handling
+9. Cryptography
+10. Business logic
+11. Client-side
+12. API testing
+```
+
+→ Systematic checklist.
+
+### Burp Suite (가장 인기)
+```
+Free / Pro version.
+
+Features:
+- Proxy (HTTPS intercept)
+- Scanner (auto vulnerabilities)
+- Repeater (manual replay)
+- Intruder (fuzz / brute)
+- Decoder
+- Comparer
+- Extensions (마켓플레이스)
+```
+
+```
+Workflow:
+1. Configure browser → Burp proxy
+2. Browse app — Burp 가 capture
+3. Send request to Repeater — 수정 + replay
+4. Active scan — 자동 vulnerability
+```
+
+### OWASP ZAP (free alternative)
+```bash
+# Quick scan
+docker run -t owasp/zap2docker-stable zap-baseline.py -t https://example.com
+
+# Full scan
+docker run -v $(pwd):/zap/wrk owasp/zap2docker-stable \
+  zap-full-scan.py -t https://example.com -r report.html
+```
+
+→ [[DevSec_DAST_SAST]].
+
+### Recon tools
+```bash
+# Subdomain enum
+subfinder -d example.com
+amass enum -d example.com
+
+# Port scan
+nmap -sV -sC example.com
+
+# Web tech
+whatweb https://example.com
+wappalyzer (browser ext)
+
+# Wayback
+gau example.com
+waybackurls example.com
+```
+
+### Hidden endpoints (fuzz)
+```bash
+ffuf -w wordlist.txt -u https://example.com/FUZZ
+
+# 또는 dirsearch / gobuster
+dirsearch -u https://example.com -e php,html,js
+
+# JSON API
+ffuf -w wordlist.txt -u https://api.example.com/v1/FUZZ -mc 200,201
+```
+
+### Authentication test
+```
+- Default credentials (admin/admin)
+- Weak password policy
+- Brute force (lockout?)
+- Account enumeration (다른 응답 — exists / not)
+- Password reset (token guessable?)
+- 2FA bypass
+- Session fixation
+- JWT 문제 (alg=none, secret weak)
+```
+
+```bash
+# Brute force test
+hydra -L users.txt -P passwords.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
+
+# JWT
+jwt-cracker -t $JWT
+```
+
+### Authorization (IDOR / privilege escalation)
+```
+- /api/users/123 — User 1 가 User 2 의 data 봄?
+- Admin endpoint — regular user 가 호출?
+- Forced browsing
+- 다른 HTTP verb (DELETE 가 차단 X?)
+```
+
+```bash
+# Burp — response 비교
+# Request 1: User A 의 data
+# Request 2: 같은 endpoint, User B 의 token
+# 같은 응답 = IDOR
+```
+
+### Input validation (SQLi, XSS, etc)
+```bash
+# SQLi
+sqlmap -u "https://example.com/products?id=1" --dbs
+
+# XSS
+# Burp Intruder 가 payload list
+
+# Command injection
+; ls
+&& cat /etc/passwd
+| whoami
+$(id)
+```
+
+### XSS payload
+```html
+<script>alert(1)</script>
+<img src=x onerror=alert(1)>
+javascript:alert(1)
+<svg/onload=alert(1)>
+
+# Bypass filter
+<ScRiPt>...
+<scr<script>ipt>...
+&#60;script&#62;...
+```
+
+### CSRF test
+```
+1. CSRF token check 안 됨? (cross-origin form 가능?)
+2. SameSite cookie ok?
+3. Sensitive action GET 으로 호출?
+```
+
+```html
+<!-- Test form -->
+<form action="https://target.com/api/transfer" method="POST">
+  <input name="to" value="attacker">
+  <input name="amount" value="1000">
+</form>
+<script>document.forms[0].submit();</script>
+```
+
+### Business logic
+```
+자동 tool 가 못 잡음:
+- 결제 음수 금액?
+- Coupon 무한 적용?
+- Rate limit 우회?
+- Time-based race?
+- 다른 user 의 cart 변경?
+- Premium feature 무료?
+```
+
+→ 사람 이해 + creative test.
+
+### API testing
+```bash
+# Schema (OpenAPI / GraphQL introspection)
+curl https://api.example.com/openapi.json
+# 또는 GraphQL
+curl -X POST https://api.example.com/graphql \
+  -H "Content-Type: application/json" \
+  -d '{"query":"{__schema{types{name}}}"}'
+
+# Auth bypass
+- No auth header
+- Empty / null token
+- Expired token
+- Other user's token (steal session)
+```
+
+### Fuzzing
+```bash
+# wfuzz
+wfuzz -c -z file,users.txt -d "user=FUZZ&pass=admin" https://example.com/login
+
+# Boofuzz, AFL — protocol fuzz
+```
+
+→ [[Testing_Fuzzing_Patterns]].
+
+### Race condition
+```bash
+# Race coupon
+# 1. Tab 10 같은 coupon submit
+# 2. Server 가 race 처리?
+
+# Tools: 
+# - Burp Suite Turbo Intruder
+# - Race the Web
+```
+
+```python
+# Turbo Intruder
+def queueRequests(target):
+    engine = RequestEngine(target.endpoint, concurrentConnections=30)
+    for _ in range(30):
+        engine.queue(target.req)
+
+def handleResponse(req, _):
+    table.add(req)
+```
+
+### SSRF
+```
+사용자 가 URL 보냄:
+- http://localhost (internal service)
+- http://169.254.169.254/ (AWS metadata)
+- file:///etc/passwd (file scheme)
+- gopher://... (other protocols)
+
+Defense: allowlist + private IP block.
+```
+
+### Cloud (AWS / GCP) 특유
+```
+S3 bucket misconfigure (public)
+IAM role 권한 과도
+Metadata service (169.254.169.254)
+Lambda env var (secret)
+
+Tools:
+- Pacu (AWS)
+- ScoutSuite
+- Prowler
+```
+
+```bash
+aws s3 ls s3://target-bucket --no-sign-request
+# 401 = OK. 200 = leak.
+```
+
+### Bug bounty
+```
+HackerOne / Bugcrowd:
+- 회사 가 program 등록
+- Researcher 가 발견 → report
+- Severity 별 reward
+
+Pros:
+ Continuous testing
+ Diverse skills
+ Pay per result
+
+Cons:
+- 관리 비용
+- Noise (low quality)
+- 큰 reward (critical)
+```
+
+### Internal vs external
+```
+Internal:
+ 도메인 깊이
+ Persistent
+ Cheap (already employed)
+
+External (firm):
+ Fresh eyes
+ Specialized
+ Compliance (SOC 2, etc)
+- 비싸 ($10K-100K)
+
+Bug bounty:
+ Crowdsourced
+ Pay per result
+- 관리
+
+→ 모든 거 mix.
+```
+
+### Schedule
+```
+- Quarterly internal pen test
+- Annual external firm
+- Continuous bug bounty
+- Pre-launch security review (모든 큰 feature)
+```
+
+### Reporting
+```markdown
+# Vulnerability: SQL Injection in /products
+
+**Severity:** Critical (CVSS 9.8)
+**Affected:** /products?category=...
+**Discovered:** 2026-05-09
+
+## Steps to reproduce
+1. Visit /products?category=electronics' OR '1'='1
+2. All products returned (filter bypass)
+3. /products?category=' UNION SELECT email FROM users -- 
+4. User emails leak
+
+## Impact
+- Database access
+- User data leak
+- Possible RCE
+
+## Remediation
+1. Use parameterized queries (priority)
+2. Input validation (allowlist)
+3. WAF rules
+4. Audit log
+
+## References
+- OWASP A03:2021 — Injection
+- CWE-89
+```
+
+### CVSS scoring
+```
+Critical: 9.0-10.0
+High: 7.0-8.9
+Medium: 4.0-6.9
+Low: 0.1-3.9
+
+Calculator: cvssjs.org
+```
+
+### Disclosure
+```
+1. Vendor notify (private)
+2. Fix window (90 days typical)
+3. Public disclosure (after fix)
+
+Coordinated disclosure 권장.
+```
+
+### Tools list
+```
+Recon: subfinder, amass, gau, waybackurls
+Enum: ffuf, dirsearch, gobuster
+Proxy: Burp Suite, ZAP, Caido
+Scanner: Nessus, Nmap, Nuclei
+Web: sqlmap, XSStrike, Commix
+Cloud: Pacu, ScoutSuite, Prowler
+Mobile: MobSF, Frida, objection
+Cred: hydra, hashcat, john
+Reverse: Ghidra, IDA, Radare
+```
+
+### Nuclei (modern, template-based)
+```bash
+nuclei -u https://example.com -t cves/ -t vulnerabilities/
+
+# 자체 template
+nuclei -u target -t my-template.yaml
+```
+
+### Compliance pen test
+```
+SOC 2:    Annual external pen test
+PCI DSS:  Quarterly + annually
+ISO 27001: Annual
+HIPAA:    Annual + after major changes
+
+→ 회사 보안 + audit.
+```
+
+### Methodology
+```
+1. Scope agreement (legal contract)
+2. Recon (OSINT, scanning)
+3. Vulnerability identification (manual + auto)
+4. Exploitation (PoC)
+5. Post-exploitation (lateral movement, data access)
+6. Reporting
+7. Remediation verification
+```
+
+### Internal pen test team
+```
+Dedicated team:
+- 1-3 person (큰 organization)
+- Continuous
+- 깊은 도메인 지식
+
+Or rotation:
+- 매 분기 한 명 / 팀
+- Skills 분산
+- 외부 firm 같이
+```
+
+### "Purple team"
+```
+Red team (attacker) + Blue team (defender) collaboration.
+- Red 가 attack
+- Blue 가 detect / respond
+- 둘이 review — 어떤 detection 가 작동? 어떤 가 missed?
+
+→ Continuous improvement.
+```
+
+### Threat modeling 와 결합
+```
+Threat model 가 가능 attack 명시.
+Pen test 가 검증.
+
+→ [[DevSec_Threat_Modeling]].
+```
+
+### Capture The Flag (CTF)
+```
+실전 / 학습:
+- HackTheBox
+- TryHackMe
+- PortSwigger Academy
+- PwnTillDawn
+- Pwn College
+```
+
+→ Skills 향상.
+
+## 🤔 의사결정 기준
+| 상황 | 추천 |
+|---|---|
+| 매 release | Auto scan (DAST) |
+| Quarterly | Internal pen test |
+| Annual / compliance | External firm |
+| Continuous | Bug bounty |
+| Pre-launch | Security review |
+| Incident 후 | Targeted pen test |
+
+## ❌ 안티패턴
+- **Production pen test 무 권한**: 법적 / 운영.
+- **Auto scan 만**: business logic missed.
+- **Report 후 fix 무**: pen test 의미 없음.
+- **Same scope 반복**: 새 vector 못 찾음.
+- **Public disclosure 즉시**: vendor fix 시간 무.
+- **CVSS 없음**: priority 모름.
+
+## 🤖 LLM 활용 힌트
+- OWASP methodology + Burp / ZAP.
+- Internal + external + bug bounty 다 mix.
+- CVSS score + remediation step.
+- Continuous (매 release / quarterly).
+
+## 🔗 관련 문서
+- [[Security_OWASP_Top_10_Practical]]
+- [[DevSec_DAST_SAST]]
+- [[DevSec_Threat_Modeling]]