hacktricks/pentesting-web/web-vulnerabilities-methodology.md

Web Vulnerabilities Methodology

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Get a hacker's perspective on your web apps, network, and cloud

Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

In every Web Pentest, there are several hidden and obvious places that might be vulnerable. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.

Proxies

{% hint style="info" %} Nowadays web applications usually uses some kind of intermediary proxies, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend. {% endhint %}

• Abusing hop-by-hop headers
• Cache Poisoning/Cache Deception
• HTTP Request Smuggling
• H2C Smuggling
• Server Side Inclusion/Edge Side Inclusion
• Uncovering Cloudflare
• XSLT Server Side Injection
• Proxy / WAF Protections Bypass

User input

{% hint style="info" %} Most of the web applications will allow users to input some data that will be processed later.
Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply. {% endhint %}

Reflected Values

If the introduced data may somehow be reflected in the response, the page might be vulnerable to several issues.

• Client Side Template Injection
• Command Injection
• CRLF
• Dangling Markup
• File Inclusion/Path Traversal
• Open Redirect
• Prototype Pollution to XSS
• Server Side Inclusion/Edge Side Inclusion
• Server Side Request Forgery
• Server Side Template Injection
• Reverse Tab Nabbing
• XSLT Server Side Injection
• XSS
• XSSI
• XS-Search

Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:

{% content-ref url="pocs-and-polygloths-cheatsheet/" %} pocs-and-polygloths-cheatsheet {% endcontent-ref %}

Search functionalities

If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.

• File Inclusion/Path Traversal
• NoSQL Injection
• LDAP Injection
• ReDoS
• SQL Injection
• XPATH Injection

Forms, WebSockets and PostMsgs

When a websocket posts a message or a form allowing users to perform actions vulnerabilities may arise.

• Cross Site Request Forgery
• Cross-site WebSocket hijacking (CSWSH)
• PostMessage Vulnerabilities

HTTP Headers

Depending on the HTTP headers given by the web server some vulnerabilities might be present.

• Clickjacking
• Content Security Policy bypass
• Cookies Hacking
• CORS - Misconfigurations & Bypass

Bypasses

There are several specific functionalities where some workarounds might be useful to bypass them

• 2FA/OTP Bypass
• Bypass Payment Process
• Captcha Bypass
• Login Bypass
• Race Condition
• Rate Limit Bypass
• Reset Forgotten Password Bypass
• Registration Vulnerabilities

Structured objects / Specific functionalities

Some functionalities will require the data to be structured in a very specific format (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.
Some specific functionalities may be also vulnerable if a specific format of the input is used (like Email Header Injections).

• Deserialization
• Email Header Injection
• JWT Vulnerabilities
• XML External Entity

Files

Functionalities that allow uploading files might be vulnerable to several issues.
Functionalities that generate files including user input might execute unexpected code.
Users that open files uploaded by users or automatically generated including user input might be compromised.

• File Upload
• Formula Injection
• PDF Injection
• Server Side XSS

External Identity Management

• OAUTH to Account takeover
• SAML Attacks

Other Helpful Vulnerabilities

These vulnerabilities might help to exploit other vulnerabilities.

• Domain/Subdomain takeover
• IDOR
• Parameter Pollution
• Unicode Normalization vulnerability

Get a hacker's perspective on your web apps, network, and cloud

Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}