6.2 KiB
Web Vulnerabilities Methodology
In every pentest web there is several hidden and obvious places that might be vulnerable. This post is meant to be a checklist to confirma that you have searched vulnerabilities in all the posible places.
Proxies
{% hint style="info" %} Nowadays web applications usually uses some kind of intermediary proxies, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend. {% endhint %}
- Abusing hop-by-hop headers
- Cache Poisoning/Cache Deception
- HTTP Request Smuggling
- H2C Smuggling
- Server Side Inclusion/Edge Side Inclusion
- Uncovering Cloudflare
- XSLT Server Side Injection
User input
{% hint style="info" %}
Most of the web applications will allow users to input some data that will be processed later.
Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
{% endhint %}
Reflected Values
If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues.
- Client Side Template Injection
- Command Injection
- CRLF
- Dangling Markup
- File Inclusion/Path Traversal
- Open Redirect
- Prototype Pollution to XSS
- Server Side Inclusion/Edge Side Inclusion
- Server Side Request Forgery
- Server Side Template Injection
- Reverse Tab Nabbing
- XSLT Server Side Injection
- XSS
- XSSI
- XS-Search
Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
{% content-ref url="pocs-and-polygloths-cheatsheet/" %} pocs-and-polygloths-cheatsheet {% endcontent-ref %}
Search functionalities
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
Forms, WebSockets and PostMsgs
When websocket, post message or a form allows user to perform actions vulnerabilities may arise.
HTTP Headers
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
Bypasses
There are several specific functionalities were some workarounds might be useful to bypass them
- 2FA/OPT Bypass
- Bypass Payment Process
- Captcha Bypass
- Login Bypass
- Race Condition
- Rate Limit Bypass
- Reset Forgotten Password Bypass
- Registration Vulnerabilities
Structured objects / Specific functionalities
Some functionalities will require the data to be structured on a very specific format (like a language serialized object or a XML). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.
Some specific functionalities my be also vulnerable if a specific format of the input is used (like Email Header Injections).
Files
Functionalities that allow to upload files might be vulnerable to several issues.
Functionalities that generates files including user input might execute unexpected code.
Users that open files uploaded by users or automatically generated including user input might be compromised.
External Identity Management
Other Helpful Vulnerabilities
This vulnerabilities might help to exploit other vulnerabilities.