├── Medical
│   └── medical.txt
├── README.md
└── Web
    └── WebRules.txt

/Medical/medical.txt:

# 802.11 Rules
80211 | Ensure that wireless traffic is configured for WPA2 Enterprise
80211 | Ensure that encryption is enabled for all wireless traffic.
Ensure that
# Bluetooth
BLUETOOTH | Use bluesniff to evaluate the BT pairing process for the device.
BLUETOOTH | Capture and analyze the Bluetooth traffic on the device for encryption strength.
BLUETOOTH | Evaluate the Bluetooth protocol and ensure it's at the latest version.
# USB
USB | Fuzz the USB interface for file-writing vulnerabilities upon connection.
USB | Trace the load process that occurs during mounting.
# Custom
CUSTOM | Capture the custom communications protocol using tcpdump and/or Wireshark.
CUSTOM | Determine which portions of the protocol handle connection details as opposed to data.
CUSTOM | Evaluate the data being sent back and forth, and determine if it's sensitive.
CUSTOM | Determine if the data is protected with industry-standard encryption, custom encryption, encoding, etc.
CUSTOM | Determine if the protocol can be fuzzed to produce a crash condition.
# APIs
APIS | Make a full map of all APIs used by the system, including those from mobile applications.
APIS | Test the backend web infrastructure for XSS.
APIS | Test the backend web infrastructure for SQLi.
APIS | Test the backend web infrastructure for R/LFI.
APIS | Test the backend web APIs for common API flaws.
APIS | Ensure that restrictions on data retrieval functions are server-side and not client-side.
# Over the Air Updates
OTA | Capture all traffic during a legitimate update.
OTA | Determine the location of the server-side software.
OTA | Determine whether authentication was required to perform the update.
OTA | Determine whether encryption was used to protect update authentication.
OTA | Determine whether encryption was used to protect the software download.
OTA | Determine whether digital signatures were used to validate the software as legitimate.
OTA | Determine whether the remote software location is writable.
# TCP/IP Rules
TCPIP | Capture a full PCAP using tcpdump or Wireshark and run it through an updated IDS.
TCPIP | Use tshark to identify all hosts communicated with during device operation.
TCPIP | Determine which of these hosts are remote vs. local.
TCPIP | Determine if any third-party communication took place.
TCPIP | Determine whether any third-party communication contained sensitive data.
# Firmware testing
FIRM | Run strings on the firmware and explore occurrences of the following strings: username, password, birth, ssn, etc.
FIRM | Unpack the firmware and use firmwalker to find a wide range of vulnerabilities.
FIRM | Determine whether firmware can be modified and still loaded without complaint.
# Mobile Rules
MOBILE | Proxy the mobile app through an HTTP proxy and evaluate traffic for sensitive data being transmitted.
MOBILE | Evaluate the mobile device filesystem for sensitive data.
MOBILE | Map the infrastructure of the mobile application's backend.
MOBILE | Test the backend web infrastructure for XSS.
MOBILE | Test the backend web infrastructure for SQLi.
MOBILE | Test the backend web infrastructure for R/LFI.
MOBILE | Test the backend web APIs for common API flaws.
MOBILE | Ensure that restrictions on data retrieval functions are server-side and not client-side.
# Cloud Functionality
CLOUD | Check to see whether the manufacturer advertises any Internet or Cloud functionality, e.g., the ability to monitor the system remotely while traveling.
CLOUD | Determine how such functionality is executed, e.g., passing a port into the network, dialing out and meeting online, etc.
CLOUD | Determine what type of functionality is allowed through the remote interface.
CLOUD | Determine what type of encryption is enabled on the remote traffic.
CLOUD | Evaluate the authentication system used to authenticate to the Cloud interface.
CLOUD | Determine what default credentials exist in the system and/or what credentials are widely available online.
# JTAG Interface
JTAG | Determine whether the device has a JTAG interface.
JTAG | Connect to the JTAG interface and attempt to extract the system's firmware.
# Local Update System
LUS | Determine whether authentication was required to perform the update.
LUS | Determine whether it's possible to redirect the software writing location.
LUS | Determine the permissions that the update process runs as.
# Web Interface
WEB | Map the device's web interface in order to determine all pathing.
WEB | Determine the authentication mechanism for gaining access to the web interface.
WEB | Determine what functions can be performed once authenticated to the web interface.
WEB | Test the encryption of the web interface traffic.
WEB | Evaluate the certificate security of the device with a 10-year lifespan consideration.

/README.md:

# Adaptive Testing Methodology (ATM)

The Adaptive Testing Methodology (ATM) project provides context-adjusted security testing methodologies based on factors such as time available to test, platform, technology stack, plugins, modules, and other variables. The goal is to provide the most concise, customized, and accurate testing methodology possible based on available factors.
## How it works

You submit a domain and a time limit, and ATM returns a customized list of testing steps for that tech stack and time constraint.

### Labeling

The ATM project is organized at the top level by security testing type, e.g., Web, Mobile, IoT, ERP, Forensics, Mainframe, etc. Under each testing type there is a series of checks that can be performed as part of a security assessment.

Each check is labeled as part of a folksonomy, meaning that it can have multiple labels assigned to it. As an example, a check for a vulnerable WordPress component might be labeled as WordPress, Web, CMS, etc.

### Methodologies

You know how some people are with wine, or cheese, or sailboats? They have to know the different types and kinds and stuff?

Well, I'm like that with web testing methodologies. I'm always looking for new ones: new techniques to help create the ultimate combination.

Here are some of the methodologies that went into the initial set of rules for ATM.

- OWASP ASVS: A brilliant project that defines checks to be done at three different levels of scrutiny for web apps
- The OWASP Web Testing Guide v4: This is a very comprehensive web testing guide with tons of great content in it
- The Web Application Hacker's Handbook: A phenomenal resource. Recommended for all aspiring web hackers
- The Bug Hunter's Methodology: My buddy Jason's talk and methodology based on his experience and observations as a bug hunter and team leader at BugCrowd

#### Credits

These credits are for methodology contributions, with special focus on the creators of the initial components listed above:

1. OWASP for the ASVS and Web Testing methodologies
2. Dafydd Stuttard and Marcus Pinto for The Web Application Hacker's Handbook
3. Jason Haddix for his Bug Hunter's talk and methodology from 2015

/Web/WebRules.txt:

# Setup

Universal | 1HR | 4HR | 1D | 2D | UL | Updated for OWASP.
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Purchase and install a Burp license if you don't already have one
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Disable the built-in Burp Collaborator functionality
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Install the SwitchySharp Extension in Google Chrome.
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Configure Chrome's SwitchySharp Extension to point to Burp on localhost:8080 for all protocols.
Universal | 4HR | 1D | 2D | UL | Install the Chrome BuiltWith Extension
Universal | 4HR | 1D | 2D | UL | Configure Burp to save state every 30 minutes to a local directory
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Browse to the site through Chrome and enable auto-forwarding in Burp
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Add your target site(s) to Burp's scope
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Configure Burp to only passively scan in-scope content
Universal | 1D | 2D | UL | Configure Burp to use a 100ms delay between scan requests (with randomness)
Universal | 4HR | 1D | 2D | UL | Install the .NET beautifier Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Additional Scanner Checks Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Authz Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Autorize Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Hackvertor Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Identity Crisis Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Retire.js Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the Site Map Fetcher Burp Extension
Universal | 4HR | 1D | 2D | UL | Install the SQLiPy Burp Extension

# Familiarity

Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Log in to the application and browse the site through Burp for 3-5 minutes; navigate as much functionality as possible
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Watch the Burp proxy traffic for every page you visit
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Note the request format (URL structure)
Universal | 4HR | 1D | 2D | UL | Note the request format (POST structure)
Universal | 4HR | 1D | 2D | UL | Note the cookies being given by the server and sent by the client
Universal | 4HR | 1D | 2D | UL | Note the server platform
Universal | 4HR | 1D | 2D | UL | Note the programming language
Universal | 4HR | 1D | 2D | UL | Note any frameworks in use
Universal | 4HR | 1D | 2D | UL | Document all sensitive functionality
Universal | 4HR | 1D | 2D | UL | List abuse case possibilities for each sensitive function
Universal | 4HR | 1D | 2D | UL | Brute force domains (where applicable)
Universal | 1HR | 4HR | 1D | 2D | UL | Google for sites, e.g. site:paypal.com
Universal | 1HR | 4HR | 1D | 2D | UL | Comprehensive nmap scan: nmap -sS -A -PN -p- --script=http-title (if in scope)
Universal | 1HR | 4HR | 1D | 2D | UL | Discover platform using danielmiessler.com/services/checkyourstack

# Discovery

Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Find content using RobotsDisallowed (InterestingDirectories.txt)
Universal | 4HR | 1D | 2D | UL | Find content using RobotsDisallowed (Top10000-RobotsDisallowed.txt)
Universal | 1D | 2D | UL | Find content using RobotsDisallowed (Top100000-RobotsDisallowed.txt)
Universal | 1D | 2D | UL | Perform Shodan search of IP range (assuming it's in scope)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Disable form submissions in Burp's Spider settings
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Spider the site using Burp's built-in spidering functionality
Universal | 1HR | 4HR | 1D | 2D | UL | Run Recon-NG's discovery module [ discovery/info_disclosure/interesting_files ]
Universal | 1HR | 4HR | 1D | 2D | UL | Run Recon-NG's Google Site Web module [ recon/domains-hosts/google_site_web ]

# Automation

Universal | 30M | 1HR | 4HR | 1D | 2D | UL | From the root of the domain in Burp's Target tab, start an Active Scan
Universal | 1HR | 4HR | 1D | 2D | UL | If you have access to another scanner, configure it to the same scope and start it as well
Universal | 4HR | 1D | 2D | UL | If you have access to a third scanner, run it after at least one of the others has finished (be cautious not to cause session drama with manual or other automated testing)
Universal | 1D | 2D | UL | Set Burp's scanner settings to Thorough and Minimize False Negatives

# OSINT

Universal | 1HR | 4HR | 1D | 2D | UL | Search PunkSPIDER for your domain to find any existing vulns. [ Recon-NG's Punkspider module ]
Universal | 1HR | 4HR | 1D | 2D | UL | Check Google's blacklist for your domain using Nmap. [ nmap --script http-google-malware $target ]
Universal | 1HR | 4HR | 1D | 2D | UL | Check the domain for malware using Nmap [ nmap --script http-malware-host $target ]
Universal | 1D | 2D | UL | Harvest GitHub repos from the company using Recon-NG's github-miner module. [ /recon/companies-multi-github_miner.py ]
Universal | 1D | 2D | UL | Run GitHub Dorks against company repos that look interesting [ https://github.com/techgaun/github-dorks ]
Universal | 1D | 2D | UL | Run Gitrob against company repos that look interesting [ https://github.com/michenriksen/gitrob ]
Universal | 1HR | 4HR | 1D | 2D | UL | Run Bluto against the target [ https://github.com/RandomStorm/Bluto ]
Universal | 4HR | 1D | 2D | UL | Run Recon-NG's brute-hosts module on the domain [ recon/domains-hosts/brute_hosts ]
Universal | 4HR | 1D | 2D | UL | Run Recon-NG's [ recon/domains-hosts/brute_hosts ]

# Authentication

Universal | 30M | 1HR | 4HR | 1D | 2D | UL | User enumeration due to response differentiation; check timing differences between failed auth on a real user vs. a non-existent user
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password reset mechanism (cleartext password sent)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password reset mechanism (guessable token)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password reset mechanism (reusable token)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password reset mechanism (reuse of token doesn't generate an alert)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password reset mechanism (token doesn't expire)
Universal | 1HR | 4HR | 1D | 2D | UL | Password reset mechanism (reusable token)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | User enum via message on password reset
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | User enum via message on login
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | User enum via message on registration
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Lack of account lockout
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password not required to perform sensitive account actions (email change)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password not required to perform sensitive account actions (password change)
Universal | 4HR | 1D | 2D | UL | Password not required to perform sensitive account actions (shipping address change)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Password not required to perform sensitive account actions (mailing address change)
Universal | 4HR | 1D | 2D | UL | Email address can be changed for arbitrary users without authorization
Universal | 4HR | 1D | 2D | UL | Shipping address can be changed for arbitrary users without authorization
Universal | 1HR | 4HR | 1D | 2D | UL | Sensitive data can be changed within an account without asking for the user's password

# Session Management

Universal | 1HR | 4HR | 1D | 2D | UL | Cookies not invalidated after logout
Universal | 1HR | 4HR | 1D | 2D | UL | New cookie not given upon login
Universal | 1HR | 4HR | 1D | 2D | UL | Reversible cookies (base64, etc.)
Universal | 1HR | 4HR | 1D | 2D | UL | Multiple sessions allowed
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Multiple sessions allowed without notification
Universal | 4HR | 1D | 2D | UL | Sensitive functions do not contain CSRF defenses
Universal | 4HR | 1D | 2D | UL | Determine if access to sensitive resources is being granted based on the Referer header
Universal | 4HR | 1D | 2D | UL | Use Burp's Identity Crisis to determine if URLs respond differently based on User-Agent strings
Universal | 1HR | 4HR | 1D | 2D | UL | Sensitive pages or actions within one context can be force-browsed or executed by other/lower-privileged users, e.g. viewing a profile, viewing a report, viewing messages, etc.
Universal | 4HR | 1D | 2D | UL | Make a list of all sensitive functions on the site, execute each one thoroughly, and analyze all proxy traffic during each of their workflows
Universal | 4HR | 1D | 2D | UL | Explore all numeric values that appear to be identifiers, e.g., UIDs, GUIDs, etc. Rotate those values both within the URL and in POST parameters and see if you can access other contexts
Universal | 4HR | 1D | 2D | UL | Attempt to fall back to HTTP for sensitive functions

# Input Validation

Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Set Burp's scanner settings to enable URL to Body and Body to URL
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Perform a Burp active scan against the root of the site. If you receive authentication failures, lower your number of threads and/or increase the delay between requests
Universal | 1HR | 4HR | 1D | 2D | UL | Intruder on key fields using SecLists XSS (look for field markers)
Universal | 1HR | 4HR | 1D | 2D | UL | Intruder on key fields using SecLists SQLi (look for field markers)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Intruder on key fields using SecLists Polyglots (look for field markers)
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | For any SQLi discovered, exploit using a standalone sqlmap instance
Universal | 4HR | 1D | 2D | UL | Test the target with XSS polyglots [ https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Polyglots/XSS_Polyglots.txt ]
Universal | 4HR | 1D | 2D | UL | Test the target with SQLi polyglots [ https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Polyglots/SQLi_Polyglots.txt ]
Universal | 4HR | 1D | 2D | UL | Test for RFI manually.
Universal | 4HR | 1D | 2D | UL | Test for LFI manually.

# Logic Testing

Universal | 1HR | 4HR | 1D | 2D | UL | Test CAPTCHAs for replay attacks
Universal | 1HR | 4HR | 1D | 2D | UL | Test CAPTCHAs for cleartext disclosure in source
Universal | 1HR | 4HR | 1D | 2D | UL | Test CAPTCHAs for removal of the CAPTCHA field in the request
Universal | 1HR | 4HR | 1D | 2D | UL | Test 2FA for removal of the 2FA field in the request
Universal | 1HR | 4HR | 1D | 2D | UL | Test 2FA for skip-ahead attacks
Universal | 1HR | 4HR | 1D | 2D | UL | Test e-Commerce sites for skip-ahead attacks (skip payment and move to shipping)
Universal | 1HR | 4HR | 1D | 2D | UL | Test e-Commerce sites for handling of negative numbers
Universal | 4HR | 1D | 2D | UL | Test sensitive functions for addition of repeated parameters that have different values

# Platform Testing

Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Full portscan of the system (assuming scope) [ nmap -sUS -p- -A -oA target $target ]
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Within the proxy traffic, look for any signs of HTTP fallback
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Check the server headers for security-oriented ones [ X-Frame-Options, Strict-Transport-Security, X-XSS-Protection, Content-Security-Policy, X-Content-Security-Policy, etc. ] [ http://cyh.herokuapp.com/cyh ]
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Scan for use of insecure HTTP methods
Nginx | 1HR | 4HR | 1D | 2D | UL | Nginx was detected: check the Nginx version and look for vulnerabilities
Express | 4HR | 1D | 2D | UL | Express was detected: check versions and any associated issues
Node | 4HR | 1D | 2D | UL | Node was detected: check versions and any associated issues
Apache | 4HR | 1D | 2D | UL | Apache was detected: check the Apache version and look for vulnerabilities
Wordpress | 30M | 1HR | 4HR | 1D | 2D | UL | Scan the site with CMSMap
SAP | 4HR | 1D | 2D | UL | Check all sensitive transaction codes.
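The README describes ATM as taking a tech stack and a time limit and returning the subset of checks that fit both, and WebRules.txt shows the rule format that makes this possible: a platform label, the list of time budgets at which the check is scheduled, and the check text, separated by `|`. The following is an added example of that selection step written by the editor; it is not the ATM project's own code. It assumes the `LABEL | <budgets> | description` layout seen above, treats a rule with no budget columns (the medical.txt style) as applying at every budget, and matches platform labels case-insensitively so that "Wordpress" and "WordPress" are the same label. The sample rule text is a constructed excerpt of a few lines from the files above.

```python
"""Select ATM checks for a time budget and a detected technology stack.

Added example (not the ATM project's code). Assumes the WebRules.txt layout:
    LABEL | 30M | 1HR | 4HR | 1D | 2D | UL | description
where the middle columns list every budget at which the check is scheduled.
"""
from collections import OrderedDict
from dataclasses import dataclass

# Time budgets in increasing order, exactly as they appear in WebRules.txt.
BUDGETS = ["30M", "1HR", "4HR", "1D", "2D", "UL"]


@dataclass(frozen=True)
class Rule:
    section: str      # the "# ..." heading the rule sits under
    label: str        # platform label: Universal, Nginx, Wordpress, ...
    budgets: frozenset  # budgets at which this check is scheduled
    description: str  # the check itself


def parse_rules(text: str) -> list:
    """Parse rule lines into Rule objects; '#' lines set the current section."""
    rules, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            section = line.lstrip("#").strip()
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule line: {raw!r}")
        label, description, middle = parts[0], parts[-1], parts[1:-1]
        unknown = [m for m in middle if m not in BUDGETS]
        if unknown:
            raise ValueError(f"unknown budget token(s) {unknown} in {raw!r}")
        # A rule with no budget columns (medical.txt style) applies everywhere.
        budgets = frozenset(middle) if middle else frozenset(BUDGETS)
        rules.append(Rule(section, label, budgets, description))
    return rules


def select_checks(rules, budget: str, stack=()) -> list:
    """Return the checks scheduled at `budget` whose label is Universal or in `stack`."""
    if budget not in BUDGETS:
        raise ValueError(f"unknown budget {budget!r}; expected one of {BUDGETS}")
    wanted = {s.lower() for s in stack} | {"universal"}
    return [r for r in rules if r.label.lower() in wanted and budget in r.budgets]


def group_by_section(checks) -> "OrderedDict[str, list]":
    """Group selected checks under their section headings, preserving file order."""
    grouped = OrderedDict()
    for rule in checks:
        grouped.setdefault(rule.section, []).append(rule.description)
    return grouped


# Constructed excerpt of WebRules.txt, used as sample input.
SAMPLE_RULES = """\
# Setup
Universal | 1HR | 4HR | 1D | 2D | UL | Updated for OWASP.
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Add your target site(s) to Burp's scope
Universal | 1D | 2D | UL | Configure Burp to use a 100ms delay between scan requests (with randomness)

# Platform Testing
Universal | 30M | 1HR | 4HR | 1D | 2D | UL | Scan for use of insecure HTTP methods
Nginx | 1HR | 4HR | 1D | 2D | UL | Nginx was detected: check the Nginx version and look for vulnerabilities
Wordpress | 30M | 1HR | 4HR | 1D | 2D | UL | Scan the site with CMSMap
SAP | 4HR | 1D | 2D | UL | Check all sensitive transaction codes.
"""


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # A one-hour engagement against an Nginx-fronted WordPress site.
    plan = group_by_section(select_checks(rules, "1HR", ["nginx", "WordPress"]))
    for section, items in plan.items():
        print(f"# {section}")
        for item in items:
            print(f"  - {item}")
```

The budget semantics follow the file: a rule scheduled at `1D | 2D | UL` is omitted from a 30-minute or one-hour plan, so shortening the time limit only ever removes checks. Unknown budget tokens are rejected at parse time rather than silently dropped, so a typo in a rule file surfaces before it quietly shortens every plan.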