COMP350_2018 / Jamieson's Talk

Techniques and tools:

Reconnaissance

  • Subdomain enumeration
  • SSL certificate analysis
    • check the CNAME
    • crt.sh
    • useful if you can't guess the tricky subdomain name
  • Favicon analysis
    • find every single favicon on the internet, MD5-hash each favicon, and check which servers serve that favicon (to identify the owner of a server)
  • Cloud providers
    • GitHub, Bitbucket
    • search for passwords and credentials
  • WHOIS records
    • Tool: RiskIQ (https://community.riskiq.com) - reverse WHOIS
  • AWS
    • S3 buckets, used to hold web assets (JS, images, CSS, etc.)
    • can be abused through misconfiguration
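Worked example of the certificate-analysis step above (crt.sh plus "check the CNAME"), written from the asset-inventory side: pull hostnames out of a crt.sh JSON dump for your own domain and flag the ones whose CNAME points at a third party, which are the records to review for stale services. This is added example code, not from the talk; the crt.sh field names are as that site emits them, while the certificate entries, hostnames and CNAME targets are constructed.

```python
import json

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (field names name_value / common_name are crt.sh's; the entries are made up).
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "legacy-portal.example.com", "name_value": "legacy-portal.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nstatic.example.com"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},  # duplicate cert
])

# Constructed CNAME answers, as a resolver would return them (hypothetical targets).
CNAME_SAMPLE = {
    "www.example.com": None,                                # A record only, no CNAME
    "legacy-portal.example.com": "old-app.herokuapp.com.",  # hypothetical PaaS target
    "static.example.com": "d123abc.cloudfront.net.",        # hypothetical CDN target
}


def subdomains_from_crtsh(raw_json, apex):
    """Collect unique hostnames under `apex` from a crt.sh JSON dump.
    name_value lists one SAN per line; wildcard names are skipped because
    they are not resolvable hosts, and the set removes duplicate certs."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                continue
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return names


def external_cnames(hosts, cname_map, apex):
    """Return {host: target} for hosts whose CNAME leaves the organisation's
    own zone; these are the names to check against current service inventory."""
    findings = {}
    for host in sorted(hosts):
        target = cname_map.get(host)
        if target is None:
            continue
        target = target.rstrip(".").lower()
        if not (target == apex or target.endswith("." + apex)):
            findings[host] = target
    return findings


if __name__ == "__main__":
    hosts = subdomains_from_crtsh(CRTSH_SAMPLE, "example.com")
    print(external_cnames(hosts, CNAME_SAMPLE, "example.com"))
```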

Discovery:

  • Get to know your target app:
    • use the app, make multiple accounts, see how the request parameters change
    • interact with the app through a proxy server
    • think about what's happening in the back-end
