Full Syllabus:

General Topics

• Project tracking for Large scope assessments (Red Team and Bounty)
• Mental Health in Offensive Security
• Templating and Reporting
• Testing Env
• Providers
• Tools
  

Recon Topics

Recon Concepts

• Introduction to Recon

Recon Techniques:

• Acquisitions and Domains
• Shodan
• ASN Analysis
• Crunchbase ++
• SSL Recon
• ReconGTP
• Reverse WHOIS
• Reverse DNS
• Reverse IP
• DMARC Analysis
• Add and Analytics Relationships
• Supply chain investigation and SaaS
• Google-fu (trademark & Priv Pol)
• TLDs Scanning
• 0365 Enumeration for Apex Domains
• Subdomain Scraping (all the best sources and why to use them)
• Sources
• Brute force
• Wildcards
• Permutation Scanning
• Linked Discovery
• Wordlists
• Advantageous Subs (WAF bypass - Origins)
• Favicon analysis
• Sub sub domains
• Port Scanning
• Screenshotting
• Esoteric techniques
• Service Bruteforce

Application Analysis Topics

Best resources to follow to stay sharp

• print resources
• trainings
• podcasts and youtube
• labs

Recon Adjacent Vulnerability Analysis

• CVE scanners vs Dynamic Analysis
• Subtakover
• S3 buckets
• Quick Hits (swagger, .git, configs, panel analysis)

Analysis Concepts

• Indented usage (not holistic, contextual)
• Analysis Layers
• Application Layers as related to success.
• Tech profiling
• The Big Questions
• Change monitoring

Vulnerability Automation

• More on CVE and Dynamic Scanners
• Dependencies
• Early running so you can focus on manual.
• Secrets of automation kings

Content Discovery

• Intro to CD (walking, brute/fuzz, historical, JS, spider, mobile, params)
• Importance of walking the app
• Bruteforce Tooling
• Bruteforce Tooling Lists:
• based on tech
• make your own (from-install, dockerhub, trials, from word analysis)
• best base wordlists
• quick configs
• API lists
• Bruteforce Tooling Tips: Recursion
• Bruteforce Tooling Tips: sub as path
• Bruteforce Tooling Tips: 403 bypass
• Historical Content Discovery
• Spidering
• Mobile Content Discovery
• Parameter Content Discovery

JavaScript

• Cheatsheets (BETA)
• Raw Analysis
• Inline JS
• Obfuscated JS
• Lazy Loaded JS
• Minified JS
• Mobile JS Analysis
• Advanced tooling and tips for all the above

The Big Questions

• How does the app pass data?
• How/where does the app talk about users?
• Does the site have multi-tenancy or user levels?
• Does the site have a unique threat model?
• Has there been past security research & vulns?
• How does the app handle common vuln classes?
• Where does the app store data?

Application Heat Mapping

• Common Issue Place: Upload functions
• Common Issue Place: Content type multipart-form
• Common Issue Place: Content type XML / JSON
• Common Issue Place: Account section and integrations
• Common Issue Place: Errors
• Common Issue Place: Paths/URLs passed in parameters
• Common Issues Place: Chatbots

Web Fuzzing & Analyzing Fuzzing Results

• Parameters and Paths (generic fuzzing)
• Reducing Similar URLs
• Dynamic only fuzzing
• Fuzzing resources SSWLR - "Sensitive Secrets Were Leaked Recently”
• Backslash powered Scanner

XSS Tips and Tricks

• Stored and Reflected
• Polyglots
• Blind
• DOM Tools
• Common Parameters
• Automation and Tools

IDOR Tips and Tricks

• IDOR, Access, Authorization, MLAC, Direct browsing Business logic, parameter manipulation
• Numeric IDOR
• Identifying user tokens GUID IDOR
• Common Parameters
• Resources

SSRF Tips and Tricks

• SSRF intro
• Schemas
• Alternate IP encoding
• Common Parameters
• Resources

XXE

• Common areas of exploitation
• Payloads
• Common Parameters
• Resources

File Upload Vulnerabilities Tips and Tricks

• Common bypasses
• Common Parameters
• Resources

SQL Injection Tips and Tricks

• SQLmap tamper
• ghauri
• Resources
• Common Parameters

Bypass of Security Controls

• Sec control types (CDN, Server, Code-level)
• Block Triggers
• Bypass techniques

Dependency Confusion

• How it works
• Where and what to looks for
• Resources

‍