hacktricks/pentesting-web/web-vulnerabilities-methodology/README.md

156 lines
8.7 KiB
Markdown
Raw Normal View History

2022-09-12 18:43:22 +00:00
# Web Vulnerabilities Methodology
<details>
2024-01-01 17:15:42 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-09-12 18:43:22 +00:00
2024-01-01 17:15:42 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-12 18:43:22 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-01 17:15:42 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:38:08 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-01 17:15:42 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-09-12 18:43:22 +00:00
</details>
2022-10-03 07:01:29 +00:00
In every Web Pentest, there are **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.
2022-09-12 18:43:22 +00:00
## Proxies
{% hint style="info" %}
Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
{% endhint %}
* [ ] [**Abusing hop-by-hop headers**](../abusing-hop-by-hop-headers.md)
* [ ] [**Cache Poisoning/Cache Deception**](../cache-deception.md)
* [ ] [**HTTP Request Smuggling**](../http-request-smuggling/)
* [ ] [**H2C Smuggling**](../h2c-smuggling.md)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
* [ ] [**Uncovering Cloudflare**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
* [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
* [ ] [**Proxy / WAF Protections Bypass**](../proxy-waf-protections-bypass.md)
2022-09-12 18:43:22 +00:00
## **User input**
{% hint style="info" %}
Most of the web applications will **allow users to input some data that will be processed later.**\
Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
{% endhint %}
### **Reflected Values**
2022-10-03 07:01:29 +00:00
If the introduced data may somehow be reflected in the response, the page might be vulnerable to several issues.
2022-09-12 18:43:22 +00:00
* [ ] [**Client Side Template Injection**](../client-side-template-injection-csti.md)
* [ ] [**Command Injection**](../command-injection.md)
* [ ] [**CRLF**](../crlf-0d-0a.md)
* [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/)
2022-09-12 18:43:22 +00:00
* [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
* [ ] [**Open Redirect**](../open-redirect.md)
* [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
* [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/)
* [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/)
* [ ] [**Reverse Tab Nabbing**](../reverse-tab-nabbing.md)
* [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
2022-09-12 18:43:22 +00:00
* [ ] [**XSS**](../xss-cross-site-scripting/)
* [ ] [**XSSI**](../xssi-cross-site-script-inclusion.md)
* [ ] [**XS-Search**](../xs-search.md)
2022-10-03 07:01:29 +00:00
Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
2022-09-12 18:43:22 +00:00
{% content-ref url="../pocs-and-polygloths-cheatsheet/" %}
[pocs-and-polygloths-cheatsheet](../pocs-and-polygloths-cheatsheet/)
{% endcontent-ref %}
### **Search functionalities**
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
* [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
* [ ] [**NoSQL Injection**](../nosql-injection.md)
* [ ] [**LDAP Injection**](../ldap-injection.md)
* [ ] [**ReDoS**](../regular-expression-denial-of-service-redos.md)
* [ ] [**SQL Injection**](../sql-injection/)
* [ ] [**XPATH Injection**](../xpath-injection.md)
### **Forms, WebSockets and PostMsgs**
2022-10-03 07:01:29 +00:00
When a websocket posts a message or a form allowing users to perform actions vulnerabilities may arise.
2022-09-12 18:43:22 +00:00
* [ ] [**Cross Site Request Forgery**](../csrf-cross-site-request-forgery.md)
* [ ] [**Cross-site WebSocket hijacking (CSWSH)**](../websocket-attacks.md)
2022-10-13 00:56:34 +00:00
* [ ] [**PostMessage Vulnerabilities**](../postmessage-vulnerabilities/)
2022-09-12 18:43:22 +00:00
### **HTTP Headers**
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
* [ ] [**Clickjacking**](../clickjacking.md)
* [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/)
* [ ] [**Cookies Hacking**](../hacking-with-cookies/)
* [ ] [**CORS - Misconfigurations & Bypass**](../cors-bypass.md)
### **Bypasses**
2022-10-03 07:01:29 +00:00
There are several specific functionalities where some workarounds might be useful to bypass them
2022-09-12 18:43:22 +00:00
* [ ] [**2FA/OTP Bypass**](../2fa-bypass.md)
* [ ] [**Bypass Payment Process**](../bypass-payment-process.md)
* [ ] [**Captcha Bypass**](../captcha-bypass.md)
* [ ] [**Login Bypass**](../login-bypass/)
* [ ] [**Race Condition**](../race-condition.md)
* [ ] [**Rate Limit Bypass**](../rate-limit-bypass.md)
* [ ] [**Reset Forgotten Password Bypass**](../reset-password.md)
* [ ] [**Registration Vulnerabilities**](../registration-vulnerabilities.md)
### **Structured objects / Specific functionalities**
2022-10-03 07:01:29 +00:00
Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\
Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
2022-09-12 18:43:22 +00:00
* [ ] [**Deserialization**](../deserialization/)
* [ ] [**Email Header Injection**](../email-injections.md)
* [ ] [**JWT Vulnerabilities**](../hacking-jwt-json-web-tokens.md)
* [ ] [**XML External Entity**](../xxe-xee-xml-external-entity.md)
### Files
2022-10-03 07:01:29 +00:00
Functionalities that allow uploading files might be vulnerable to several issues.\
Functionalities that generate files including user input might execute unexpected code.\
2022-09-12 18:43:22 +00:00
Users that open files uploaded by users or automatically generated including user input might be compromised.
* [ ] [**File Upload**](../file-upload/)
* [ ] [**Formula Injection**](../formula-csv-doc-latex-ghostscript-injection.md)
2022-09-12 18:43:22 +00:00
* [ ] [**PDF Injection**](../xss-cross-site-scripting/pdf-injection.md)
* [ ] [**Server Side XSS**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
### **External Identity Management**
2023-02-16 18:26:56 +00:00
* [ ] [**OAUTH to Account takeover**](../oauth-to-account-takeover.md)
2022-09-12 18:43:22 +00:00
* [ ] [**SAML Attacks**](../saml-attacks/)
### **Other Helpful Vulnerabilities**
2022-10-03 07:01:29 +00:00
These vulnerabilities might help to exploit other vulnerabilities.
2022-09-12 18:43:22 +00:00
* [ ] [**Domain/Subdomain takeover**](../domain-subdomain-takeover.md)
* [ ] [**IDOR**](../idor.md)
* [ ] [**Parameter Pollution**](../parameter-pollution.md)
* [ ] [**Unicode Normalization vulnerability**](../unicode-injection/)
<details>
2024-01-01 17:15:42 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-09-12 18:43:22 +00:00
2024-01-01 17:15:42 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-12 18:43:22 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-01 17:15:42 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:38:08 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-01 17:15:42 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-09-12 18:43:22 +00:00
</details>