2nd/10_Wiki/Topics/Coding/Security_Pen_Testing.md

---
id: security-pen-testing
title: Pen Testing — Manual / Tool / Bug Bounty
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, pen-testing, bug-bounty, vibe-coding]
tech_stack: { language: "Various", applicable_to: ["Security"] }
applied_in: []
aliases: [pen testing, penetration testing, bug bounty, OWASP, Burp Suite, recon]
---

# Pen Testing

> 의도적 attack — 보안 약점 발견. **Internal team / external firm / bug bounty**. OWASP methodology + Burp Suite + 자동 + manual.

## 📖 핵심 개념
- Recon: 정보 수집.
- Scanning: vulnerability 자동 검색.
- Exploitation: 실제 attack.
- Reporting: severity + remediation.

## 💻 코드 패턴

### OWASP Testing Guide
```
1. Information gathering
2. Configuration / deployment
3. Identity management
4. Authentication
5. Authorization
6. Session management
7. Input validation
8. Error handling
9. Cryptography
10. Business logic
11. Client-side
12. API testing
```

→ Systematic checklist.

### Burp Suite (가장 인기)
```
Free / Pro version.

Features:
- Proxy (HTTPS intercept)
- Scanner (auto vulnerabilities)
- Repeater (manual replay)
- Intruder (fuzz / brute)
- Decoder
- Comparer
- Extensions (마켓플레이스)
```

```
Workflow:
1. Configure browser → Burp proxy
2. Browse app — Burp 가 capture
3. Send request to Repeater — 수정 + replay
4. Active scan — 자동 vulnerability
```

### OWASP ZAP (free alternative)
```bash
# Quick scan
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://example.com

# Full scan
docker run -v $(pwd):/zap/wrk owasp/zap2docker-stable \
  zap-full-scan.py -t https://example.com -r report.html
```

→ [[DevSec_DAST_SAST]].

### Recon tools
```bash
# Subdomain enum
subfinder -d example.com
amass enum -d example.com

# Port scan
nmap -sV -sC example.com

# Web tech
whatweb https://example.com
wappalyzer (browser ext)

# Wayback
gau example.com
waybackurls example.com
```

### Hidden endpoints (fuzz)
```bash
ffuf -w wordlist.txt -u https://example.com/FUZZ

# 또는 dirsearch / gobuster
dirsearch -u https://example.com -e php,html,js

# JSON API
ffuf -w wordlist.txt -u https://api.example.com/v1/FUZZ -mc 200,201
```

### Authentication test
```
- Default credentials (admin/admin)
- Weak password policy
- Brute force (lockout?)
- Account enumeration (다른 응답 — exists / not)
- Password reset (token guessable?)
- 2FA bypass
- Session fixation
- JWT 문제 (alg=none, secret weak)
```

```bash
# Brute force test
hydra -L users.txt -P passwords.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# JWT
jwt-cracker -t $JWT
```

### Authorization (IDOR / privilege escalation)
```
- /api/users/123 — User 1 가 User 2 의 data 봄?
- Admin endpoint — regular user 가 호출?
- Forced browsing
- 다른 HTTP verb (DELETE 가 차단 X?)
```

```bash
# Burp — response 비교
# Request 1: User A 의 data
# Request 2: 같은 endpoint, User B 의 token
# 같은 응답 = IDOR
```

### Input validation (SQLi, XSS, etc)
```bash
# SQLi
sqlmap -u "https://example.com/products?id=1" --dbs

# XSS
# Burp Intruder 가 payload list

# Command injection
; ls
&& cat /etc/passwd
| whoami
$(id)
```

### XSS payload
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
javascript:alert(1)
<svg/onload=alert(1)>

# Bypass filter
<ScRiPt>...
<scr<script>ipt>...
&#60;script&#62;...
```

### CSRF test
```
1. CSRF token check 안 됨? (cross-origin form 가능?)
2. SameSite cookie ok?
3. Sensitive action GET 으로 호출?
```

```html
<!-- Test form -->
<form action="https://target.com/api/transfer" method="POST">
  <input name="to" value="attacker">
  <input name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>
```

### Business logic
```
자동 tool 가 못 잡음:
- 결제 음수 금액?
- Coupon 무한 적용?
- Rate limit 우회?
- Time-based race?
- 다른 user 의 cart 변경?
- Premium feature 무료?
```

→ 사람 이해 + creative test.

### API testing
```bash
# Schema (OpenAPI / GraphQL introspection)
curl https://api.example.com/openapi.json
# 또는 GraphQL
curl -X POST https://api.example.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name}}}"}'

# Auth bypass
- No auth header
- Empty / null token
- Expired token
- Other user's token (steal session)
```

### Fuzzing
```bash
# wfuzz
wfuzz -c -z file,users.txt -d "user=FUZZ&pass=admin" https://example.com/login

# Boofuzz, AFL — protocol fuzz
```

→ [[Testing_Fuzzing_Patterns]].

### Race condition
```bash
# Race coupon
# 1. Tab 10 같은 coupon submit
# 2. Server 가 race 처리?

# Tools: 
# - Burp Suite Turbo Intruder
# - Race the Web
```

```python
# Turbo Intruder
def queueRequests(target):
    engine = RequestEngine(target.endpoint, concurrentConnections=30)
    for _ in range(30):
        engine.queue(target.req)

def handleResponse(req, _):
    table.add(req)
```

### SSRF
```
사용자 가 URL 보냄:
- http://localhost (internal service)
- http://169.254.169.254/ (AWS metadata)
- file:///etc/passwd (file scheme)
- gopher://... (other protocols)

Defense: allowlist + private IP block.
```

### Cloud (AWS / GCP) 특유
```
S3 bucket misconfigure (public)
IAM role 권한 과도
Metadata service (169.254.169.254)
Lambda env var (secret)

Tools:
- Pacu (AWS)
- ScoutSuite
- Prowler
```

```bash
aws s3 ls s3://target-bucket --no-sign-request
# 401 = OK. 200 = leak.
```

### Bug bounty
```
HackerOne / Bugcrowd:
- 회사 가 program 등록
- Researcher 가 발견 → report
- Severity 별 reward

Pros:
+ Continuous testing
+ Diverse skills
+ Pay per result

Cons:
- 관리 비용
- Noise (low quality)
- 큰 reward (critical)
```

### Internal vs external
```
Internal:
+ 도메인 깊이
+ Persistent
+ Cheap (already employed)

External (firm):
+ Fresh eyes
+ Specialized
+ Compliance (SOC 2, etc)
- 비싸 ($10K-100K)

Bug bounty:
+ Crowdsourced
+ Pay per result
- 관리

→ 모든 거 mix.
```

### Schedule
```
- Quarterly internal pen test
- Annual external firm
- Continuous bug bounty
- Pre-launch security review (모든 큰 feature)
```

### Reporting
```markdown
# Vulnerability: SQL Injection in /products

**Severity:** Critical (CVSS 9.8)
**Affected:** /products?category=...
**Discovered:** 2026-05-09

## Steps to reproduce
1. Visit /products?category=electronics' OR '1'='1
2. All products returned (filter bypass)
3. /products?category=' UNION SELECT email FROM users -- 
4. User emails leak

## Impact
- Database access
- User data leak
- Possible RCE

## Remediation
1. Use parameterized queries (priority)
2. Input validation (allowlist)
3. WAF rules
4. Audit log

## References
- OWASP A03:2021 — Injection
- CWE-89
```

### CVSS scoring
```
Critical: 9.0-10.0
High: 7.0-8.9
Medium: 4.0-6.9
Low: 0.1-3.9

Calculator: cvssjs.org
```

### Disclosure
```
1. Vendor notify (private)
2. Fix window (90 days typical)
3. Public disclosure (after fix)

Coordinated disclosure 권장.
```

### Tools list
```
Recon: subfinder, amass, gau, waybackurls
Enum: ffuf, dirsearch, gobuster
Proxy: Burp Suite, ZAP, Caido
Scanner: Nessus, Nmap, Nuclei
Web: sqlmap, XSStrike, Commix
Cloud: Pacu, ScoutSuite, Prowler
Mobile: MobSF, Frida, objection
Cred: hydra, hashcat, john
Reverse: Ghidra, IDA, Radare
```

### Nuclei (modern, template-based)
```bash
nuclei -u https://example.com -t cves/ -t vulnerabilities/

# 자체 template
nuclei -u target -t my-template.yaml
```

### Compliance pen test
```
SOC 2:    Annual external pen test
PCI DSS:  Quarterly + annually
ISO 27001: Annual
HIPAA:    Annual + after major changes

→ 회사 보안 + audit.
```

### Methodology
```
1. Scope agreement (legal contract)
2. Recon (OSINT, scanning)
3. Vulnerability identification (manual + auto)
4. Exploitation (PoC)
5. Post-exploitation (lateral movement, data access)
6. Reporting
7. Remediation verification
```

### Internal pen test team
```
Dedicated team:
- 1-3 person (큰 organization)
- Continuous
- 깊은 도메인 지식

Or rotation:
- 매 분기 한 명 / 팀
- Skills 분산
- 외부 firm 같이
```

### "Purple team"
```
Red team (attacker) + Blue team (defender) collaboration.
- Red 가 attack
- Blue 가 detect / respond
- 둘이 review — 어떤 detection 가 작동? 어떤 가 missed?

→ Continuous improvement.
```

### Threat modeling 와 결합
```
Threat model 가 가능 attack 명시.
Pen test 가 검증.

→ [[DevSec_Threat_Modeling]].
```

### Capture The Flag (CTF)
```
실전 / 학습:
- HackTheBox
- TryHackMe
- PortSwigger Academy
- PwnTillDawn
- Pwn College
```

→ Skills 향상.

## 🤔 의사결정 기준
| 상황 | 추천 |
|---|---|
| 매 release | Auto scan (DAST) |
| Quarterly | Internal pen test |
| Annual / compliance | External firm |
| Continuous | Bug bounty |
| Pre-launch | Security review |
| Incident 후 | Targeted pen test |

## ❌ 안티패턴
- **Production pen test 무 권한**: 법적 / 운영.
- **Auto scan 만**: business logic missed.
- **Report 후 fix 무**: pen test 의미 없음.
- **Same scope 반복**: 새 vector 못 찾음.
- **Public disclosure 즉시**: vendor fix 시간 무.
- **CVSS 없음**: priority 모름.

## 🤖 LLM 활용 힌트
- OWASP methodology + Burp / ZAP.
- Internal + external + bug bounty 다 mix.
- CVSS score + remediation step.
- Continuous (매 release / quarterly).

## 🔗 관련 문서
- [[Security_OWASP_Top_10_Practical]]
- [[DevSec_DAST_SAST]]
- [[DevSec_Threat_Modeling]]