Environment Setup

This page lists down the commands for setting up the environment for Web Security Assessment

Create a Amazon Linux instance.

bashrc config

# Assessment Exports
export GOROOT=/usr/local/go  
export GOPATH=$HOME/go  
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

# Update
sudo yum update

# Docker
sudo yum search docker
sudo yum info docker
sudo yum install docker
sudo usermod -a -G docker ec2-user
newgrp docker
sudo systemctl enable docker.service
sudo systemctl start docker.service
sudo systemctl status docker.service

# Docker Compose
# Download latest release from: https://github.com/docker/compose/releases/
mkdir -p ~/.docker/cli-plugins/
curl -SL https://github.com/docker/compose/releases/download/v2.24.4/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
chmod +x ~/.docker/cli-plugins/docker-compose
docker compose version


# Install golang
wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.6.linux-amd64.tar.gz
rm go1.21.6.linux-amd64.tar.gz

Out of Bound Testing

We will use interact.sh for the testing

# Install interactsh server and client
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Generate certificates
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt

# Run interact-sh server
sudo ~/go/bin/interactsh-server -d <domain> -cert domain.crt -privkey domain.key -t <token> -wc -hd ./payloads &

# Accessing the server (CLI)
interactsh-client -s <domain> -t <token>

# Accessing the server (Web)
docker pull projectdiscovery/interactsh-web
docker run -it -p 3000:3000 projectdiscovery/interactsh-web

# Kill the interactsh server
killall interactsh-server

Reference

https://ott3rly.medium.com/mass-blind-server-side-testing-setup-for-bug-bounty-fa03213b1ec9

PreviousChecklist

Last updated 1 year ago