====== Mapping ======
===== Mapping Tips: =====
* Google
* //Smart// Directory Brute Forcing
  * RAFT lists (included in SecLists)
  * SVN Digger (included in SecLists)
  * Git Digger
* Platform Identification:
  * Wappalyzer (Chrome)
  * BuiltWith (Chrome)
  * retire.js (cmd-line or Burp)
  * Check CVEs
* Auxiliary
  * WPScan
  * CMSmap
===== Directory Bruteforce Workflow =====
After brute-forcing, look for other status codes indicating that access is denied or authentication is required, then run the wordlist again under that path to test for misconfigured access control.
Example:
GET http://www.acme.com - 200
GET http://www.acme.com/backlog/ - 404
GET http://www.acme.com/controlpanel/ - 401 hmm.. ok
GET http://www.acme.com/controlpanel/[bruteforce here now]
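The triage step above, as an added example that is not part of the original notes: it parses result lines in the page's own "METHOD url - status" format, keeps the paths that answered 401 or 403, and builds the second-round request list under each of them. The same check lets an application owner verify that access control is enforced consistently below a protected prefix. The sample results and wordlist are constructed for illustration.

```ruby
# Added example (not from the original notes): triage directory brute-force
# results and build the second-round request list described above.
require 'uri'

# Status codes that suggest a protected area worth probing further:
# 401 = authentication required, 403 = access denied.
PROTECTED_CODES = [401, 403].freeze

# Matches the page's result format, e.g. "GET http://www.acme.com/controlpanel/ - 401"
RESULT_LINE = /\A(?<method>[A-Z]+)\s+(?<url>\S+)\s+-\s+(?<status>\d{3})/

# Parse one result line into a hash, or nil if it does not match the format.
def parse_result(line)
  m = RESULT_LINE.match(line)
  return nil unless m
  { method: m[:method], url: m[:url], status: m[:status].to_i }
end

# Return the base URLs (always ending in "/") whose status indicates a
# protected area, such as the /controlpanel/ hit in the notes above.
def protected_prefixes(lines)
  lines.filter_map { |l| parse_result(l) }
       .select { |r| PROTECTED_CODES.include?(r[:status]) }
       .map { |r| r[:url].end_with?('/') ? r[:url] : "#{r[:url]}/" }
       .uniq
end

# Build the second-round targets: each protected prefix joined with each
# wordlist entry. Leading slashes are stripped from entries so that
# URI.join appends below the prefix instead of resetting to the site root.
def second_round_targets(lines, wordlist)
  protected_prefixes(lines).flat_map do |prefix|
    wordlist.map { |word| URI.join(prefix, word.sub(%r{\A/+}, '')).to_s }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample results mirroring the example in the notes.
  sample = <<~RESULTS.lines(chomp: true)
    GET http://www.acme.com - 200
    GET http://www.acme.com/backlog/ - 404
    GET http://www.acme.com/controlpanel/ - 401
    GET http://www.acme.com/api/ - 403
  RESULTS
  words = %w[login admin config.php backup/]   # constructed mini wordlist
  puts second_round_targets(sample, words)
end
```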
===== Mapping/Vuln Discovery using OSINT =====
Find previous/existing problems:
* Xssed.com
* Reddit XSS - /r/xss
* Punkspider
* xss.cx
* xssposed.org
* twitter searching
Issues might already be reported, but use the flaw area and injection type to guide you to further injections or filter bypasses.
===== New Project: Maps =====
New OSINT/Mapping project
* 250+ bounty programs
* Crawl
* DNS info + bruteforce
* Bounty metadata (links, rewards, scope)
* API -> Intrigue
https://github.com/bugcrowdlabs/maps
==== Using the Maps Project: Crawling ====
Using Ruby + Anemone + JSON + grep
$ cat test_target_json.txt | grep redirect
https://test_target/redirect/?url=http://twitter.com
https://test_target/redirect/?url=http://facebook.com/...
https://test_target/redirect/?url=http://pinterest.com/...
===== New Tool: Intrigue =====
OSINT framework, simple to integrate, with features like:
* DNS Subdomain Brute force
* Web Spider
* Nmap Scan
* etc.
Code @ http://github.com/intrigueio/intrigue-core