Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Code review

General

1
# Guidelines
2
https://rules.sonarsource.com/
3
​
4
# Resource
5
https://vladtoie.gitbook.io/secure-coding/
6
​
7
# Tools
8
https://www.sonarqube.org/downloads/
9
https://deepsource.io/signup/
10
https://github.com/pyupio/safety
11
https://github.com/returntocorp/semgrep
12
https://github.com/WhaleShark-Team/cobra
13
https://github.com/mhaskar/Bughound
14
​
15
# Find interesting strings
16
https://github.com/s0md3v/hardcodes
17
https://github.com/micha3lb3n/SourceWolf
18
https://libraries.io/pypi/detect-secrets
19
​
20
# Tips
21
1.Important functions first
22
2.Follow user input
23
3.Hardcoded secrets and credentials
24
4.Use of dangerous functions and outdated dependencies
25
5.Developer comments, hidden debug functionalities, configuration files, and the .git directory
26
6.Hidden paths, deprecated endpoints, and endpoints in development
27
7.Weak cryptography or hashing algorithms
28
8.Missing security checks on user input and regex strength
29
9.Missing cookie flags
30
10.Unexpected behavior, conditionals, unnecessarily complex and verbose functions
Copied!

JavaScript

1
https://jshint.com/
2
https://github.com/jshint/jshint/
Copied!

NodeJS

1
https://github.com/ajinabraham/nodejsscan
Copied!

Electron

1
https://github.com/doyensec/electronegativity
2
https://github.com/doyensec/awesome-electronjs-hacking
Copied!

Python

1
# bandit
2
https://github.com/PyCQA/bandit
3
# pyt
4
https://github.com/python-security/pyt
5
# atheris
6
https://github.com/google/atheris
7
# aura
8
https://github.com/SourceCode-AI/aura
Copied!

.NET

1
# dnSpy
2
https://github.com/0xd4d/dnSpy
3
​
4
# .NET compilation
5
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
6
​
7
# Cheatsheet
8
https://www.c-sharpcorner.com/UploadFile/ajyadav123/net-penetration-testing-cheat-sheet/
Copied!

PHP

1
# phpvuln
2
https://github.com/ecriminal/phpvuln
Copied!

C/C++

1
# flawfinder
2
https://github.com/david-a-wheeler/flawfinder
Copied!

Java

1
# JD-Gui
2
https://github.com/java-decompiler/jd-gui
3
​
4
# Java compilation step-by-step
5
javac -source 1.8 -target 1.8 test.java
6
mkdir META-INF
7
echo "Main-Class: test" > META-INF/MANIFEST.MF
8
jar cmvf META-INF/MANIFEST.MF test.jar test.class
Copied!
Task
Command
Execute Jar
java -jar [jar]
Unzip Jar
unzip -d [output directory] [jar]
Create Jar
jar -cmf META-INF/MANIFEST.MF [output jar] *
Base64 SHA256
sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64
Remove Signing
rm META-INF/.SF META-INF/.RSA META-INF/*.DSA
Delete from Jar
zip -d [jar] [file to remove]
Decompile class
procyon -o . [path to class]
Decompile Jar
procyon -jar [jar] -o [output directory]
Compile class
javac [path to .java file]
Others - Previous
VirtualBox
Next - Others
Pentesting Web checklist
Last modified 7mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
General
JavaScript
NodeJS
Electron
Python
.NET
PHP
C/C++
Java