hacktricks/pentesting-web/web-vulnerabilities-methodology.md

159 lines
8.5 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# Web Vulnerabilities Methodology
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
In every pentest web there is **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched vulnerabilities in all the possible places.
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
## Proxies
2021-06-26 12:03:36 +00:00
{% hint style="info" %}
2022-04-19 22:38:50 +00:00
Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
2021-06-26 12:03:36 +00:00
{% endhint %}
2022-04-05 22:24:52 +00:00
* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
* [ ] [**Cache Poisoning/Cache Deception**](cache-deception.md)
* [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
* [ ] [**H2C Smuggling**](h2c-smuggling.md)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
2022-05-01 13:25:53 +00:00
* [ ] [**Uncovering Cloudflare**](../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
2022-04-05 22:24:52 +00:00
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
## **User input**
2021-06-26 12:03:36 +00:00
{% hint style="info" %}
2022-04-05 22:24:52 +00:00
Most of the web applications will **allow users to input some data that will be processed later.**\
2022-04-19 22:38:50 +00:00
Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
2021-06-26 12:03:36 +00:00
{% endhint %}
2022-05-01 13:25:53 +00:00
### **Reflected Values**
2021-06-26 12:03:36 +00:00
If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues.
2022-04-05 22:24:52 +00:00
* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
* [ ] [**Command Injection**](command-injection.md)
* [ ] [**CRLF**](crlf-0d-0a.md)
2022-05-01 16:04:05 +00:00
* [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection.md)
2022-04-05 22:24:52 +00:00
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
* [ ] [**Open Redirect**](open-redirect.md)
* [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)
* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)
* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
* [ ] [**XSS**](xss-cross-site-scripting/)
* [ ] [**XSSI**](xssi-cross-site-script-inclusion.md)
2022-06-27 23:34:20 +00:00
* [ ] [**XS-Search**](xs-search.md)
2021-06-26 12:03:36 +00:00
Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
{% content-ref url="pocs-and-polygloths-cheatsheet/" %}
[pocs-and-polygloths-cheatsheet](pocs-and-polygloths-cheatsheet/)
{% endcontent-ref %}
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **Search functionalities**
2021-06-26 12:03:36 +00:00
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
2021-06-26 12:03:36 +00:00
2022-04-05 22:24:52 +00:00
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
* [ ] [**NoSQL Injection**](nosql-injection.md)
* [ ] [**LDAP Injection**](ldap-injection.md)
2021-06-26 12:03:36 +00:00
* [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md)
2022-04-05 22:24:52 +00:00
* [ ] [**SQL Injection**](sql-injection/)
* [ ] [**XPATH Injection**](xpath-injection.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **Forms, WebSockets and PostMsgs**
2021-06-26 12:03:36 +00:00
When websocket, post message or a form allows user to perform actions vulnerabilities may arise.
2022-04-05 22:24:52 +00:00
* [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)
* [ ] [**Cross-site WebSocket hijacking (CSWSH)**](cross-site-websocket-hijacking-cswsh.md)
* [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **HTTP Headers**
2021-06-26 12:03:36 +00:00
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
2022-04-05 22:24:52 +00:00
* [ ] [**Clickjacking**](clickjacking.md)
2022-04-19 22:38:50 +00:00
* [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/)
2022-04-05 22:24:52 +00:00
* [ ] [**Cookies Hacking**](hacking-with-cookies/)
* [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **Bypasses**
2021-06-26 12:03:36 +00:00
There are several specific functionalities were some workarounds might be useful to bypass them
* [ ] [**2FA/OTP Bypass**](2fa-bypass.md)
2022-04-05 22:24:52 +00:00
* [ ] [**Bypass Payment Process**](bypass-payment-process.md)
* [ ] [**Captcha Bypass**](captcha-bypass.md)
* [ ] [**Login Bypass**](login-bypass/)
* [ ] [**Race Condition**](race-condition.md)
* [ ] [**Rate Limit Bypass**](rate-limit-bypass.md)
* [ ] [**Reset Forgotten Password Bypass**](reset-password.md)
* [ ] [**Registration Vulnerabilities**](registration-vulnerabilities.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **Structured objects / Specific functionalities**
2021-06-26 12:03:36 +00:00
Some functionalities will require the **data to be structured on a very specific format** (like a language serialized object or a XML). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.\
2022-04-05 22:24:52 +00:00
Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
2021-06-26 12:03:36 +00:00
2022-04-05 22:24:52 +00:00
* [ ] [**Deserialization**](deserialization/)
* [ ] [**Email Header Injection**](email-header-injection.md)
* [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)
* [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### Files
2021-06-26 12:03:36 +00:00
Functionalities that allow to upload files might be vulnerable to several issues.\
Functionalities that generates files including user input might execute unexpected code.\
2021-06-26 12:03:36 +00:00
Users that open files uploaded by users or automatically generated including user input might be compromised.
2022-04-05 22:24:52 +00:00
* [ ] [**File Upload**](file-upload/)
2022-07-10 22:26:52 +00:00
* [ ] [**Formula Injection**](formula-doc-latex-injection.md)
2022-04-05 22:24:52 +00:00
* [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
* [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **External Identity Management**
2021-06-26 12:03:36 +00:00
2022-04-05 22:24:52 +00:00
* [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md)
* [ ] [**SAML Attacks**](saml-attacks/)
2021-06-26 12:03:36 +00:00
2022-05-01 13:25:53 +00:00
### **Other Helpful Vulnerabilities**
2021-06-26 12:03:36 +00:00
This vulnerabilities might help to exploit other vulnerabilities.
2022-04-05 22:24:52 +00:00
* [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)
* [ ] [**IDOR**](idor.md)
* [ ] [**Parameter Pollution**](parameter-pollution.md)
* [ ] [**Unicode Normalization vulnerability**](unicode-normalization-vulnerability.md)
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>