Web Vulnerabilities Methodology

Last updated 3 months ago
In every web pentest there are several hidden and obvious places that might be vulnerable. This page is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.

Proxies

Nowadays web applications usually sit behind some kind of intermediary proxy (reverse proxy, CDN, WAF, load balancer), and those proxies may be (ab)used to exploit vulnerabilities. These issues need a vulnerable proxy to be in place, but they usually also need some extra weakness in the backend (for example a back-end that frames requests differently from the front-end, or that trusts headers the proxy was supposed to strip).

• Abusing hop-by-hop headers
• Cache Poisoning/Cache Deception
• HTTP Request Smuggling
• H2C Smuggling
• Server Side Inclusion/Edge Side Inclusion
• Uncovering Cloudflare
• XSLT Server Side Injection
• Proxy / WAF Protections Bypass

User input

Most web applications allow users to input some data that will be processed later. Depending on the structure of the data the server expects, some vulnerabilities may or may not apply.

Reflected Values

If the submitted data is somehow reflected in the response, the page might be vulnerable to several issues. Some of the vulnerabilities listed below require special conditions (a particular template engine, a JavaScript context, an unrestricted redirect target), others only require the content to be reflected. You can find polyglots to test them quickly in the Reflecting Techniques cheat sheet:

• Client Side Template Injection
• Command Injection
• CRLF
• Dangling Markup
• File Inclusion/Path Traversal
• Open Redirect
• Prototype Pollution to XSS
• Server Side Inclusion/Edge Side Inclusion
• Server Side Request Forgery
• Server Side Template Injection
• Reverse Tab Nabbing
• XSLT Server Side Injection
• XSS
• XSSI
• XS-Search
• Reflecting Techniques - PoCs and Polygloths CheatSheet

Search functionalities

If the functionality can be used to search some kind of data in the backend, you may be able to (ab)use it to search arbitrary data. The injection to try depends on the query language the backend uses (SQL, NoSQL, LDAP, XPath, a file path), and the matching itself may be exhaustible (ReDoS).

• File Inclusion/Path Traversal
• NoSQL Injection
• LDAP Injection
• ReDoS
• SQL Injection
• XPATH Injection

Forms, WebSockets and PostMsgs

When a form lets users perform state-changing actions, a WebSocket accepts messages, or a page exchanges postMessage data with other windows, vulnerabilities may arise if the origin of the request or message is not verified.

• Cross Site Request Forgery
• Cross-site WebSocket hijacking (CSWSH)
• PostMessage Vulnerabilities

HTTP Headers

Depending on the HTTP headers returned by the web server, or missing from its responses, some vulnerabilities might be present.

• Clickjacking
• Content Security Policy bypass
• Cookies Hacking
• CORS - Misconfigurations & Bypass

Bypasses

Several specific functionalities (second factors, payment flows, captchas, logins, password resets, rate limits, registration) have known workarounds that might let you bypass them.

• 2FA/OTP Bypass
• Bypass Payment Process
• Captcha Bypass
• Login Bypass
• Race Condition
• Rate Limit Bypass
• Reset Forgotten Password Bypass
• Registration Vulnerabilities

Structured objects / Specific functionalities

Some functionalities require the data to be structured in a very specific format (like a serialized object of the backend's language, or XML). This makes it easier to identify whether the application might be vulnerable, as it must be processing that kind of data. Some specific functionalities may also be vulnerable when a specific input format is used (like Email Header Injection).

• Deserialization
• Email Header Injection
• JWT Vulnerabilities
• XML External Entity

Files

Functionalities that allow uploading files might be vulnerable to several issues. Functionalities that generate files including user input might execute unexpected code. Users who open files uploaded by other users, or automatically generated files that include user input, might be compromised.

• File Upload
• Formula Injection
• PDF Injection
• Server Side XSS

External Identity Management

• OAUTH to Account takeover
• SAML Attacks

Other Helpful Vulnerabilities

These vulnerabilities might help to exploit other vulnerabilities.

• Domain/Subdomain takeover
• IDOR
• Parameter Pollution
• Unicode Normalization vulnerability
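For the Proxies section above, the following added example (not code from the original page) shows why HTTP Request Smuggling needs a front-end and a back-end that frame the same request differently: a CL.TE desync, where the front-end honours Content-Length and the back-end honours Transfer-Encoding: chunked. Both parsers, the requests and the host name are constructed for the demo; nothing touches the network.

```python
"""CL.TE desync: the same bytes on one connection, framed two ways.
Added example; all traffic below is constructed, no network I/O."""


def _split_head(buf: bytes):
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    return head, rest


def header_values(head: bytes, name: bytes):
    """All values of a header (case-insensitive), excluding the request line."""
    out = []
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            out.append(value.strip())
    return out


def has_conflicting_framing(buf: bytes) -> bool:
    """A request carrying both Content-Length and Transfer-Encoding is ambiguous;
    a strict proxy should reject it (RFC 7230 section 3.3.3) instead of forwarding it."""
    head, _ = _split_head(buf)
    return bool(header_values(head, b"Content-Length")) and bool(header_values(head, b"Transfer-Encoding"))


def split_by_content_length(buf: bytes):
    """Consume one request the way a front-end that trusts Content-Length does.
    Returns (request, bytes left on the connection)."""
    head, rest = _split_head(buf)
    lengths = header_values(head, b"Content-Length")
    n = int(lengths[0]) if lengths else 0
    return head + b"\r\n\r\n" + rest[:n], rest[n:]


def split_by_chunked(buf: bytes):
    """Consume one request the way a back-end that honours Transfer-Encoding: chunked does.
    Returns (request with de-chunked body, bytes left on the connection)."""
    head, rest = _split_head(buf)
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)  # chunk-size, ignoring chunk extensions
        pos = eol + 2
        if size == 0:
            pos = rest.index(b"\r\n", pos) + 2        # empty line after the last chunk (no trailers here)
            break
        body += rest[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF
    return head + b"\r\n\r\n" + body, rest[pos:]


# Constructed traffic: the attacker's chunked body ends immediately ("0"), but
# Content-Length also covers the start of a second request that follows it.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
_body = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: target.example\r\n",
    b"Content-Length: %d\r\n" % len(_body),
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    _body,
])
VICTIM_REQUEST = b"GET /home HTTP/1.1\r\nHost: target.example\r\n\r\n"


def desync_demo(wire: bytes = ATTACKER_REQUEST + VICTIM_REQUEST):
    """Return what each side believes the *next* request on the connection is."""
    _, frontend_rest = split_by_content_length(wire)
    _, backend_rest = split_by_chunked(wire)
    return {"frontend_next": frontend_rest, "backend_next": backend_rest}


if __name__ == "__main__":
    r = desync_demo()
    print("front-end sees next request:", r["frontend_next"].split(b"\r\n")[0])
    print("back-end sees next request: ", r["backend_next"].split(b"\r\n")[0])
```

The back-end's leftover bytes start with the smuggled GET /admin line, and the victim's own request line is swallowed into the X-Ignore header; `has_conflicting_framing` is the check a hardened proxy applies before forwarding anything.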
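For the Reflected Values section above, an added example (not the page's own tooling) of the first check a tester does by hand before reaching for polyglots: inject a canary, locate each reflection and classify its context, then probe which meta-characters survive in each context. `fake_server` is a constructed stand-in for the target; in practice `render` would issue the HTTP request and return the body.

```python
"""Reflection context and surviving-character probe. Added example; the target
page (`fake_server`) is constructed and the context detection is heuristic."""
import html
import re

CANARY = "zq1w2e"  # unlikely to occur naturally in a page


def reflection_contexts(body: str, canary: str = CANARY):
    """Return the syntactic context of every reflection of `canary` in `body`
    (heuristics on the text preceding the match, not a full HTML/JS parser)."""
    contexts = []
    for m in re.finditer(re.escape(canary), body):
        before = body[: m.start()]
        if re.search(r"<script[^>]*>(?:(?!</script>).)*$", before, re.S | re.I):
            ctx = "js"
        elif re.search(r"<!--(?:(?!-->).)*$", before, re.S):
            ctx = "comment"
        elif re.search(r"<[a-zA-Z][^>]*$", before):          # inside an unclosed tag
            attr = re.search(r"""([a-zA-Z-]+)\s*=\s*["']?[^"'<>]*$""", before)
            if attr and attr.group(1).lower() in ("href", "src", "action", "formaction"):
                ctx = "url-attribute"
            elif attr:
                ctx = "attribute"
            else:
                ctx = "tag"
        else:
            ctx = "html-text"
        contexts.append(ctx)
    return contexts


def surviving_chars(render, probe_chars="<>\"'`/{}()"):
    """`render(value)` returns the response body for that input.
    Returns {context: characters that came back unencoded in that context}."""
    survived = {}
    for ch in probe_chars:
        payload = CANARY + ch + CANARY
        for ctx in reflection_contexts(render(payload), payload):
            survived.setdefault(ctx, set()).add(ch)
    return {ctx: "".join(sorted(chars)) for ctx, chars in survived.items()}


def fake_server(q: str) -> str:
    """Constructed stand-in for a page that reflects a parameter three times:
    escaped in body text, raw inside an href, and in a JS string where only
    the single quote is escaped."""
    js_q = q.replace("'", "\\'")
    return (
        "<html><body>"
        f"<p>Results for {html.escape(q)}</p>"
        f'<a href="/search?q={q}">search again</a>'
        f"<script>var last = '{js_q}';</script>"
        "</body></html>"
    )


if __name__ == "__main__":
    print(reflection_contexts(fake_server(CANARY)))
    for ctx, chars in surviving_chars(fake_server).items():
        print(f"{ctx:14s} survives: {chars}")
```

Reading the result: the escaped body text only leaves harmless characters, the href keeps everything (open redirect and attribute-breakout territory), and the JS string keeps everything except the single quote, so the XSS attempt there has to break out with `</script>` rather than with a quote.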
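For the HTTP Headers section above, an added example (not from the page) that audits a response's headers for the conditions behind the Clickjacking, CSP bypass, Cookies Hacking and CORS entries: missing framing protection, a script policy that still allows inline scripts, cookies without hardening attributes, and an arbitrary origin reflected together with credentials. The two header sets, the host names and the finding tags are constructed for the demo; `request_origin` is the Origin header the tester sent.

```python
"""Security-header audit for one HTTP response. Added example; headers below
are constructed, finding tags are this script's own names."""


def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs


def parse_csp(policy: str):
    """Map each CSP directive name to its (lower-cased) source expressions."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers, request_origin="https://attacker.example"):
    """headers: list of (name, value) pairs as received (Set-Cookie may repeat).
    Returns a sorted list of finding tags."""
    findings = set()
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value.strip()

    csp = parse_csp(single.get("content-security-policy", ""))

    # Clickjacking: framing is unrestricted unless XFO or frame-ancestors says otherwise
    if "x-frame-options" not in single and "frame-ancestors" not in csp:
        findings.add("clickjacking:no-framing-protection")

    # CSP: which directive governs scripts, and does it actually restrict them?
    if not csp:
        findings.add("csp:missing")
    else:
        script = csp.get("script-src", csp.get("default-src"))
        if script is None:
            findings.add("csp:no-script-restriction")
        else:
            has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
            # browsers ignore 'unsafe-inline' once a nonce or hash is present in the same directive
            if "'unsafe-inline'" in script and not has_nonce_or_hash:
                findings.add("csp:unsafe-inline-scripts")
            if "*" in script or "data:" in script or "'unsafe-eval'" in script:
                findings.add("csp:overly-permissive-script-src")

    # Cookies: each missing hardening attribute is its own finding
    for raw in cookies:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.add(f"cookie:{name}:no-secure")
        if "httponly" not in attrs:
            findings.add(f"cookie:{name}:no-httponly")
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.add(f"cookie:{name}:samesite-missing-or-none")

    # CORS: reflecting an arbitrary (or null) origin together with credentials is the dangerous combination
    acao = single.get("access-control-allow-origin")
    with_creds = single.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.add("cors:wildcard-origin")
    if with_creds and acao in (request_origin, "null"):
        findings.add("cors:arbitrary-origin-with-credentials")

    return sorted(findings)


# Constructed responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Access-Control-Allow-Origin", "https://attacker.example"),
    ("Access-Control-Allow-Credentials", "true"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://app.example"),
]

if __name__ == "__main__":
    print("weak:    ", audit_headers(WEAK_RESPONSE))
    print("hardened:", audit_headers(HARDENED_RESPONSE))
```

The audit is deliberately conservative: it flags the combinations that are exploitable on their own (origin reflection plus credentials, inline scripts without a nonce or hash, no framing restriction) rather than every non-ideal value, so each tag maps directly to a checklist entry worth testing further.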