mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
122 lines
6.5 KiB
Markdown
# Web Vulnerabilities Methodology
In every web pentest there are **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.
## Proxies
{% hint style="info" %}
Nowadays **web applications** usually **use** some kind of **intermediary proxies**, which may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
{% endhint %}
* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
* [ ] [**Cache Poisoning/Cache Deception**](cache-deception.md)
* [ ] [**HTTP Request Smuggling**](http-request-smuggling.md)
* [ ] [**H2C Smuggling**](h2c-smuggling.md)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)

## **User input**
{% hint style="info" %}
Most web applications will **allow users to input some data that will be processed later.**

Depending on the structure of the data the server is expecting, some vulnerabilities may or may not apply.
{% endhint %}
### **Reflected Values**
If the submitted data is somehow reflected in the response, the page might be vulnerable to several issues.
* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
* [ ] [**Command Injection**](command-injection.md)
* [ ] [**CRLF**](crlf-0d-0a.md)
* [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection.md)
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
* [ ] [**Open Redirect**](open-redirect.md)
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)
* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)
* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
* [ ] [**XSS**](xss-cross-site-scripting/)
* [ ] [**XSSI**](xssi-cross-site-script-inclusion.md)
* [ ] [**XS-Search**](xs-search.md)

Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polyglots to quickly test for these vulnerabilities in:
{% page-ref page="pocs-and-polygloths-cheatsheet.md" %}
### **Search functionalities**
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search for arbitrary data.
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
* [ ] [**NoSQL Injection**](nosql-injection.md)
* [ ] [**LDAP Injection**](ldap-injection.md)
* [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md)
* [ ] [**SQL Injection**](sql-injection/)
* [ ] [**XPath Injection**](xpath-injection.md)

### **Forms, WebSockets and PostMsgs**
When a WebSocket, a post message or a form allows the user to perform actions, vulnerabilities may arise.
* [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)
* [ ] [**Cross-site WebSocket hijacking (CSWSH)**](cross-site-websocket-hijacking-cswsh.md)
* [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities.md)

### **HTTP Headers**
Depending on the HTTP headers returned by the web server, some vulnerabilities might be present.
* [ ] [**Clickjacking**](clickjacking.md)
* [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass.md)
* [ ] [**Cookies Hacking**](hacking-with-cookies.md)
* [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md)

### **Bypasses**
There are several specific functionalities where some workarounds might be useful to bypass them.
* [ ] [**2FA/OTP Bypass**](2fa-bypass.md)
* [ ] [**Bypass Payment Process**](bypass-payment-process.md)
* [ ] [**Captcha Bypass**](captcha-bypass.md)
* [ ] [**Race Condition**](race-condition.md)
* [ ] [**Rate Limit Bypass**](rate-limit-bypass.md)
* [ ] [**Reset Forgotten Password Bypass**](reset-password.md)

### **Structured objects / Specific functionalities**
Some functionalities will require the **data to be structured in a very specific format** (like a language-serialized object or an XML document). Therefore, it is easier to identify whether the application might be vulnerable, as it needs to be processing that kind of data.

Some **specific functionalities** may also be vulnerable if a **specific format of the input is used** (like Email Header Injections).
* [ ] [**Deserialization**](deserialization/)
* [ ] [**Email Header Injection**](email-header-injection.md)
* [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)
* [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)

### Files
Functionalities that allow uploading files might be vulnerable to several issues.

Functionalities that generate files including user input might execute unexpected code.

Users that open files uploaded by other users, or automatically generated files that include user input, might be compromised.
* [ ] [**File Upload**](file-upload/)
* [ ] [**Formula Injection**](formula-injection.md)
* [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
* [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)

### **External Identity Management**
* [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md)
* [ ] [**SAML Attacks**](saml-attacks/)

### **Other Helpful Vulnerabilities**
These vulnerabilities might help to exploit other vulnerabilities.
* [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)
* [ ] [**IDOR**](idor.md)
* [ ] [**Parameter Pollution**](parameter-pollution.md)
* [ ] [**Unicode Normalization vulnerability**](unicode-normalization-vulnerability.md)