| id | title | category | status | source_trust_level | verification_status | created_at | updated_at | tags | tech_stack | applied_in | aliases |
|---|---|---|---|---|---|---|---|---|---|---|---|
| security-pen-testing | Pen Testing — Manual / Tool / Bug Bounty | Coding | draft | B | conceptual | 2026-05-09 | 2026-05-09 | | | | |
# Pen Testing
Intentional attack on your own system to find security weaknesses. Performed by an internal team, an external firm, or a bug bounty program. OWASP methodology + Burp Suite + automated + manual testing.
## 📖 Core concepts
- Recon: information gathering.
- Scanning: automated vulnerability search.
- Exploitation: the actual attack (proof of concept).
- Reporting: severity + remediation.
## 💻 Code patterns
### OWASP Testing Guide
1. Information gathering
2. Configuration / deployment
3. Identity management
4. Authentication
5. Authorization
6. Session management
7. Input validation
8. Error handling
9. Cryptography
10. Business logic
11. Client-side
12. API testing
→ Systematic checklist.
### Burp Suite (most popular)
Free / Pro version.
Features:
- Proxy (HTTPS intercept)
- Scanner (automated vulnerabilities)
- Repeater (manual replay)
- Intruder (fuzz / brute force)
- Decoder
- Comparer
- Extensions (BApp Store marketplace)
Workflow:
1. Configure browser → Burp proxy
2. Browse the app; Burp captures the traffic
3. Send request to Repeater; modify + replay
4. Active scan: automated vulnerability detection
### OWASP ZAP (free alternative)
```bash
# Quick scan
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://example.com
# Full scan
docker run -v $(pwd):/zap/wrk owasp/zap2docker-stable \
  zap-full-scan.py -t https://example.com -r report.html
```
### Recon tools
```bash
# Subdomain enumeration
subfinder -d example.com
amass enum -d example.com
# Port scan
nmap -sV -sC example.com
# Web technology fingerprinting
whatweb https://example.com
# wappalyzer (browser extension)
# Wayback / historical URLs
gau example.com
waybackurls example.com
```
### Hidden endpoints (fuzz)
```bash
ffuf -w wordlist.txt -u https://example.com/FUZZ
# or dirsearch / gobuster
dirsearch -u https://example.com -e php,html,js
# JSON API
ffuf -w wordlist.txt -u https://api.example.com/v1/FUZZ -mc 200,201
```
### Authentication test
- Default credentials (admin/admin)
- Weak password policy
- Brute force (is there a lockout?)
- Account enumeration (different response for exists / does not exist)
- Password reset (is the token guessable?)
- 2FA bypass
- Session fixation
- JWT issues (alg=none, weak secret)
```bash
# Brute force test
hydra -L users.txt -P passwords.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# JWT
jwt-cracker -t $JWT
```
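Server-side check for the two JWT problems listed above (alg=none, weak secret), as an added example that is not from the original note: the verifier pins the accepted algorithm instead of trusting the token header, and refuses short HMAC secrets. Function names, the 32-byte minimum and the HS256-only policy are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Algorithms this (hypothetical) service issues. "none" is never here, so a
# client-supplied header cannot downgrade verification to "no signature".
ALLOWED_ALGS = {"HS256"}
MIN_SECRET_LEN = 32  # bytes; shorter HMAC secrets are cheap to brute-force offline


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def issue_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a token the way the server would (used to build demo inputs)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token verifies, otherwise None.
    The algorithm is pinned server-side: header alg must be in ALLOWED_ALGS,
    so alg=none (empty signature) is rejected before any signature check."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("HMAC secret too short")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        provided_sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):  # constant-time compare
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
```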
### Authorization (IDOR / privilege escalation)
- /api/users/123: can User 1 see User 2's data?
- Admin endpoint: can a regular user call it?
- Forced browsing
- Different HTTP verb (is DELETE left unblocked?)
```text
# Burp: compare responses
# Request 1: User A's data
# Request 2: same endpoint, User B's token
# Same response = IDOR
```
### Input validation (SQLi, XSS, etc)
```text
# SQLi
sqlmap -u "https://example.com/products?id=1" --dbs
# XSS
# Burp Intruder with a payload list
# Command injection
; ls
&& cat /etc/passwd
| whoami
$(id)
```
### XSS payload
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
javascript:alert(1)
<svg/onload=alert(1)>
# Bypass filter
<ScRiPt>...
<scr<script>ipt>...
<script>...
```
### CSRF test
1. Is the CSRF token not validated? (does a cross-origin form succeed?)
2. SameSite cookie attribute set?
3. Sensitive action callable via GET?
```html
<!-- Test form -->
<form action="https://target.com/api/transfer" method="POST">
  <input name="to" value="attacker">
  <input name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>
```
### Business logic
Automated tools cannot catch these:
- Negative payment amount?
- Coupon applied an unlimited number of times?
- Rate limit bypass?
- Time-based race?
- Modifying another user's cart?
- Premium feature for free?
→ Needs human understanding + creative testing.
### API testing
```bash
# Schema (OpenAPI / GraphQL introspection)
curl https://api.example.com/openapi.json
# or GraphQL
curl -X POST https://api.example.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name}}}"}'
```
Auth bypass:
- No auth header
- Empty / null token
- Expired token
- Other user's token (stolen session)
### Fuzzing
```bash
# wfuzz
wfuzz -c -z file,users.txt -d "user=FUZZ&pass=admin" https://example.com/login
# Boofuzz, AFL: protocol fuzzing
```
### Race condition
```text
# Race coupon
# 1. Submit the same coupon from 10 tabs at once
# 2. Does the server handle the race?
# Tools:
# - Burp Suite Turbo Intruder
# - Race the Web
```
Turbo Intruder script (runs inside Burp; `RequestEngine` and `table` are provided by the extension):
```python
def queueRequests(target, wordlists):
    # 30 connections, 30 copies of the captured request, so the coupon
    # submits arrive at the server nearly simultaneously.
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30)
    for _ in range(30):
        engine.queue(target.req)

def handleResponse(req, interesting):
    # Show every response in the results table so outcomes can be compared.
    table.add(req)
```
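What the race test above probes for, seen from the server side, as an added example that is not part of the original note: a check-then-act coupon redemption that every parallel submit "wins", beside one where the check and the write form a single critical section. Class and function names are hypothetical; the Barrier only makes the burst deterministic for the demo.

```python
import threading


class CouponLedger:
    """Single-use coupon redemption. redeem_naive is the check-then-act pattern
    a burst of parallel submits defeats; redeem_atomic holds one lock across the
    check and the write (in a real service: a DB row lock, or an
    UPDATE ... WHERE redeemed_by IS NULL that must affect exactly one row)."""

    def __init__(self):
        self.redeemed_by = {}  # coupon code -> user who got it
        self._lock = threading.Lock()

    def redeem_naive(self, code, user, gate):
        if code in self.redeemed_by:        # 1. check
            return False
        gate.wait()                         # every request passes the check first...
        self.redeemed_by[code] = user       # 2. act: all of them succeed
        return True

    def redeem_atomic(self, code, user, gate):
        with self._lock:                    # check and act are one critical section
            if code in self.redeemed_by:
                won = False
            else:
                self.redeemed_by[code] = user
                won = True
        gate.wait()                         # same burst shape, kept outside the lock
        return won


def burst_redeem(method_name, parallel=10):
    """Fire `parallel` simultaneous redemptions of one coupon; return how many succeeded."""
    ledger = CouponLedger()
    gate = threading.Barrier(parallel)
    results = []
    results_lock = threading.Lock()

    def worker(i):
        ok = getattr(ledger, method_name)("SAVE50", "user%d" % i, gate)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```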
### SSRF
The user supplies a URL that the server fetches:
- http://localhost (internal service)
- http://169.254.169.254/ (AWS metadata)
- file:///etc/passwd (file scheme)
- gopher://... (other protocols)
Defense: allowlist + block private IP ranges.
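The allowlist + private-range block named in the Defense line, as an added example that is not from the original note. `ALLOWED_HOSTS` is a constructed allowlist; `is_public_ip` is meant to run on the resolved address right before connecting, because an allowlisted hostname can still be pointed at an internal address via DNS.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this (hypothetical) service may fetch from. Exact match only.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip):
    """True only for a routable public address. Apply to the *resolved* address
    just before connecting, so a DNS answer of 169.254.169.254 or 127.0.0.1
    is caught even when the hostname itself passed the allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (
        addr.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7
        or addr.is_loopback    # 127.0.0.0/8, ::1
        or addr.is_link_local  # 169.254.0.0/16 (cloud metadata), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def is_allowed_fetch_url(url):
    """Allowlist check on the user-supplied URL before any fetch happens."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    # file://, gopher://, dict:// etc. are refused by scheme first.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Credentials in the URL ("http://images.example.com@evil.test/") are refused;
    # urlsplit().hostname already returns the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased; IPv6 brackets stripped
    if not host:
        return False
    # Exact match: "localhost", IP literals and "images.example.com.evil.test"
    # all fail here. No suffix matching.
    return host in ALLOWED_HOSTS
```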
### Cloud (AWS / GCP) specifics
- S3 bucket misconfiguration (public)
- IAM role with excessive permissions
- Metadata service (169.254.169.254)
- Lambda env vars (secrets)
Tools:
- Pacu (AWS)
- ScoutSuite
- Prowler
```bash
aws s3 ls s3://target-bucket --no-sign-request
# 401 = OK. 200 = leak.
```
### Bug bounty
HackerOne / Bugcrowd:
- Company registers a program
- Researcher finds an issue → report
- Reward scaled by severity
Pros:
+ Continuous testing
+ Diverse skills
+ Pay per result
Cons:
- Management overhead
- Noise (low-quality reports)
- Large rewards (critical findings)
### Internal vs external
Internal:
+ Domain depth
+ Persistent
+ Cheap (already employed)
External (firm):
+ Fresh eyes
+ Specialized
+ Compliance (SOC 2, etc)
- Expensive ($10K-100K)
Bug bounty:
+ Crowdsourced
+ Pay per result
- Management overhead
→ Mix all of them.
### Schedule
- Quarterly internal pen test
- Annual external firm
- Continuous bug bounty
- Pre-launch security review (every major feature)
### Reporting
```markdown
# Vulnerability: SQL Injection in /products
**Severity:** Critical (CVSS 9.8)
**Affected:** /products?category=...
**Discovered:** 2026-05-09
## Steps to reproduce
1. Visit /products?category=electronics' OR '1'='1
2. All products returned (filter bypass)
3. /products?category=' UNION SELECT email FROM users --
4. User emails leak
## Impact
- Database access
- User data leak
- Possible RCE
## Remediation
1. Use parameterized queries (priority)
2. Input validation (allowlist)
3. WAF rules
4. Audit log
## References
- OWASP A03:2021 — Injection
- CWE-89
```
### CVSS scoring
Critical: 9.0-10.0
High: 7.0-8.9
Medium: 4.0-6.9
Low: 0.1-3.9
Calculator: cvssjs.org
### Disclosure
1. Notify the vendor (privately)
2. Fix window (90 days typical)
3. Public disclosure (after the fix)
Coordinated disclosure is recommended.
### Tools list
Recon: subfinder, amass, gau, waybackurls
Enum: ffuf, dirsearch, gobuster
Proxy: Burp Suite, ZAP, Caido
Scanner: Nessus, Nmap, Nuclei
Web: sqlmap, XSStrike, Commix
Cloud: Pacu, ScoutSuite, Prowler
Mobile: MobSF, Frida, objection
Cred: hydra, hashcat, john
Reverse: Ghidra, IDA, Radare
### Nuclei (modern, template-based)
```bash
nuclei -u https://example.com -t cves/ -t vulnerabilities/
# Custom template
nuclei -u target -t my-template.yaml
```
### Compliance pen test
SOC 2: Annual external pen test
PCI DSS: Quarterly + annually
ISO 27001: Annual
HIPAA: Annual + after major changes
→ Company security + audit evidence.
### Methodology
1. Scope agreement (legal contract)
2. Recon (OSINT, scanning)
3. Vulnerability identification (manual + auto)
4. Exploitation (PoC)
5. Post-exploitation (lateral movement, data access)
6. Reporting
7. Remediation verification
### Internal pen test team
Dedicated team:
- 1-3 people (large organization)
- Continuous
- Deep domain knowledge
Or rotation:
- One person / team per quarter
- Skills spread across the team
- Paired with an external firm
### "Purple team"
Red team (attacker) + Blue team (defender) collaboration.
- Red attacks
- Blue detects / responds
- Both review together: which detections fired? Which were missed?
→ Continuous improvement.
### Combine with threat modeling
The threat model enumerates possible attacks.
The pen test verifies them.
→ [[DevSec_Threat_Modeling]].
### Capture The Flag (CTF)
Practice / learning:
- HackTheBox
- TryHackMe
- PortSwigger Academy
- PwnTillDawn
- Pwn College
→ Skill improvement.
## 🤔 Decision criteria
| Situation | Recommendation |
|---|---|
| Every release | Automated scan (DAST) |
| Quarterly | Internal pen test |
| Annual / compliance | External firm |
| Continuous | Bug bounty |
| Pre-launch | Security review |
| After an incident | Targeted pen test |
## ❌ Anti-patterns
- Pen testing production without authorization: legal / operational risk.
- Automated scans only: business logic missed.
- No fix after the report: the pen test is meaningless.
- Repeating the same scope: new vectors never found.
- Immediate public disclosure: no time for the vendor to fix.
- No CVSS: priorities unknown.
## 🤖 LLM usage hints
- OWASP methodology + Burp / ZAP.
- Mix internal + external + bug bounty.
- CVSS score + remediation steps.
- Continuous (every release / quarterly).