/wap

CS632 - Web App Pentesting

Web application penetration test - LABware

A) Server-side Attacks

0x01 - Information disclosure

  • Error messages
  • Debug page
  • Source code disclosure via backup files
  • Authentication bypass via information disclosure
  • Information disclosure in version control history

0x02 - Directory traversal

  • Reading arbitrary files via file path traversal
  • Bypassing preventions
    • Traversal sequences blocked with absolute path bypass
    • Traversal sequences stripped non-recursively
    • Traversal sequences stripped with superfluous URL-decode
    • Validation of start of the path
    • Validation of file extension with null byte bypass

0x03 - Authentication vulnerabilities

  • Password-based login
    • Username enumeration via different responses
    • Username enumeration via subtly different responses
    • Username enumeration via response timing
    • Broken brute-force protection, IP block
    • Username enumeration via account lock
    • Broken brute-force protection, multiple credentials per request
  • Multi-factor authentication
    • 2FA simple bypass
    • 2FA broken logic
    • 2FA bypass using a brute-force attack
  • Other authentication mechanisms
    • Brute-forcing a stay-logged-in cookie
  • Offline password cracking
  • Password reset broken logic
  • Password reset poisoning via middleware
  • Password brute-force via password change

0x04 - Access control vulnerabilities (Privilege esacalation)

  • Unprotected admin functionality
  • Unprotected admin functionality with unpredictable URL
  • User role controlled by request parameter
  • User role can be modified in the user profile
  • URL-based access control can be circumvented
  • Method-based access control can be circumvented
  • User ID controlled by request parameter
  • User ID controlled by request parameter, with unpredictable user IDs
  • User ID controlled by request parameter with data leakage in redirect
  • User ID controlled by request parameter with password disclosure
  • Insecure direct object references (IDOR)
  • Multi-step process with no access control on one step
  • Referer-based access control

0x05 - SQL injection

  • SQL injection UNION attacks
    • determining the number of columns returned by the query
    • finding a column containing text
    • retrieving data from other tables
    • retrieving multiple values in a single column
  • Examining the database in SQL injection attacks
    • querying the database type and version on Oracle
    • querying the database type and version on MySQL and Microsoft
    • listing the database contents on non-Oracle databases
    • listing the database contents on Oracle
  • Blind SQL injection
    • with conditional responses
    • with conditional errors
    • with time delays
    • with time delays and information retrieval
    • with out-of-band interaction
    • with out-of-band data exfiltration
  • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
  • SQL injection vulnerability allowing login bypass

0x06 - OS command injection

  • Simple case
  • Blind OS command injection
    • with time delays
    • with output redirection
    • with out-of-band interaction
    • with out-of-band data exfiltration

0x07 - File upload vulnerabilities

  • Remote code execution via web shell upload
  • Web shell upload via Content-Type restriction bypass
  • Web shell upload via path traversal
  • Web shell upload via extension blacklist bypass
  • Web shell upload via obfuscated file extension
  • Remote code execution via polyglot web shell upload
  • Web shell upload via race condition

0x08 - Server-side request forgery (SSRF)

  • Basic SSRF against the local server
  • Basic SSRF against another back-end system
  • SSRF with blacklist-based input filter
  • SSRF with whitelist-based input filter
  • SSRF with filter bypass via open redirection vulnerability
  • Blind SSRF vulnerabilities
    • Blind SSRF with out-of-band detection
    • Blind SSRF with Shellshock exploitation

0x09 - XXE (XML external entity) injection

  • Exploiting XXE using external entities to retrieve files
  • Exploiting XXE to perform SSRF attacks
  • Blind XXE vulnerabilities
    • Blind XXE with out-of-band interaction
    • Blind XXE with out-of-band interaction via XML parameter entities
    • Exploiting blind XXE to exfiltrate data using a malicious external DTD
    • Exploiting blind XXE to retrieve data via error messages
  • Exploiting XXE to retrieve data by repurposing a local DTD
  • Exploiting XInclude to retrieve files
  • Exploiting XXE via image file upload

0x0A - Business logic vulnerabilities

  • Excessive trust in client-side controls
  • High-level logic vulnerability
  • Low-level logic flaw
  • Inconsistent handling of exceptional input
  • Inconsistent security controls
  • Weak isolation on dual-use endpoint
  • Insufficient workflow validation
  • Authentication bypass via flawed state machine
  • Flawed enforcement of business rules
  • Infinite money logic flaw
  • Authentication bypass via encryption oracle

B) Client-side Attacks

0x0B - Cross-site scripting (XSS)

  • Reflected XSS
    • Reflected XSS into HTML context with nothing encoded
  • Stored XSS
    • Stored XSS into HTML context with nothing encoded
  • DOM-based XSS
    • DOM XSS in document.write sink using source location.search
    • DOM XSS in document.write sink using source location.search inside a select element
    • DOM XSS in innerHTML sink using source location.search
    • DOM XSS in jQuery anchor href attribute sink using location.search source
    • DOM XSS in jQuery selector sink using a hashchange event
    • DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
    • Reflected DOM XSS
    • Stored DOM XSS
  • Exploiting cross-site scripting vulnerabilities
    • Exploiting cross-site scripting to steal cookies
    • Exploiting cross-site scripting to capture passwords
    • Exploiting XSS to perform CSRF
  • Reflected XSS into HTML context with most tags and attributes blocked
  • Reflected XSS into HTML context with all tags blocked except custom ones
  • Reflected XSS with event handlers and href attributes blocked
  • Reflected XSS with some SVG markup allowed
  • Reflected XSS into attribute with angle brackets HTML-encoded
  • Stored XSS into anchor href attribute with double quotes HTML-encoded
  • Reflected XSS in a canonical link tag
  • Reflected XSS into a JavaScript string with single quote and backslash escaped
  • Reflected XSS into a JavaScript string with angle brackets HTML encoded
  • Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
  • Reflected XSS in a JavaScript URL with some characters blocked
  • Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
  • Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
  • Cross-site scripting contexts
    • Reflected XSS with AngularJS sandbox escape without strings
    • Reflected XSS with AngularJS sandbox escape and CSP
  • Content security policy (CSP)
    • Reflected XSS protected by CSP, with dangling markup attack
  • Dangling markup injection
    • Reflected XSS protected by very strict CSP, with dangling markup attack
    • Reflected XSS protected by CSP, with CSP bypass

0x0C - Cross-site request forgery (CSRF)

  • CSRF vulnerability with no defenses
  • CSRF where token validation depends on the request method
  • CSRF where token validation depends on token being present
  • CSRF where the token is not tied to user session
  • CSRF where token is tied to non-session cookie
  • CSRF where token is duplicated in cookie
  • CSRF where Referer validation depends on header being present
  • CSRF with broken Referer validation

0x0D - Cross-origin resource sharing (CORS)

  • CORS vulnerability with basic origin reflection
  • CORS vulnerability with the trusted null origin
  • CORS vulnerability with trusted insecure protocols
  • CORS vulnerability with internal network pivot attack

0x0E - Clickjacking (UI redressing)

  • Basic clickjacking with CSRF token protection
  • Clickjacking with form input data prefilled from a URL parameter
  • Clickjacking with a frame buster script
  • Exploiting clickjacking vulnerability to trigger DOM-based XSS
  • Multistep clickjacking

0x0F - DOM-based vulnerabilities

  • DOM XSS using web messages
  • DOM XSS using web messages and a JavaScript URL
  • DOM XSS using web messages and JSON.parse
  • DOM-based open redirection
  • DOM-based cookie manipulation
  • Exploiting DOM clobbering to enable XSS
  • Clobbering DOM attributes to bypass HTML filters

0x10 - WebSockets vulnerabilities

  • Manipulating WebSocket messages to exploit vulnerabilities
  • Manipulating the WebSocket handshake to exploit vulnerabilities
  • Cross-site WebSocket hijacking

C) Advanced Attacks

0x11 - Insecure deserialization

  • Modifying serialized objects
  • Modifying serialized data types
  • Using application functionality to exploit insecure deserialization
  • Arbitrary object injection in PHP
  • Exploiting Java deserialization with Apache Commons
  • Exploiting PHP deserialization with a pre-built gadget chain
  • Exploiting Ruby deserialization using a documented gadget chain
  • Developing a custom gadget chain for Java deserialization
  • Developing a custom gadget chain for PHP deserialization
  • Using PHAR deserialization to deploy a custom gadget ch

0x12 - Server-side template injection

  • Basic server-side template injection
  • Basic server-side template injection (code context)
  • Server-side template injection using documentation
  • Server-side template injection in an unknown language with a documented exploit
  • Server-side template injection with information disclosure via user-supplied objects
  • Server-side template injection in a sandboxed environment
  • Server-side template injection with a custom exploit

0x13 - Web cache poisoning

  • Web cache poisoning with an unkeyed header
  • Web cache poisoning with an unkeyed cookie
  • Web cache poisoning with multiple headers
  • Targeted web cache poisoning using an unknown header
  • Web cache poisoning to exploit a DOM vulnerability via a cache with strict cache-ability criteria
  • Combining web cache poisoning vulnerabilities
  • Web cache poisoning via an unkeyed query string
  • Web cache poisoning via an unkeyed query parameter
  • Parameter cloaking
  • Web cache poisoning via a fat GET request
  • URL normalization
  • Cache key injection
  • Internal cache poisoning

0x14 - HTTP Host header attacks

  • Basic password reset poisoning
  • Password reset poisoning via dangling markup
  • Web cache poisoning via ambiguous requests
  • Host header authentication bypass
  • Routing-based SSRF
  • SSRF via flawed request parsing

0x15 - HTTP request smuggling

  • HTTP request smuggling, basic CL.TE vulnerability
  • HTTP request smuggling, basic TE.CL vulnerability
  • HTTP request smuggling, obfuscating the TE header
  • HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
  • HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
  • Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
  • Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
  • Exploiting HTTP request smuggling to reveal front-end request rewriting
  • Exploiting HTTP request smuggling to capture other users' requests
  • Exploiting HTTP request smuggling to deliver reflected XSS
  • Exploiting HTTP request smuggling to perform web cache poisoning
  • Exploiting HTTP request smuggling to perform web cache deception
  • Response queue poisoning via H2.TE request smuggling
  • Bypassing access controls via HTTP/2 request tunneling
  • Web cache poisoning via HTTP/2 request tunneling
  • H2.CL request smuggling
  • HTTP/2 request smuggling via CRLF injection
  • HTTP/2 request splitting via CRLF injection

0x16 - OAuth 2.0 authentication vulnerabilities

  • Authentication bypass via OAuth implicit flow
  • Forced OAuth profile linking
  • OAuth account hijacking via redirect_uri
  • Stealing OAuth access tokens via an open redirect
  • Stealing OAuth access tokens via a proxy page
  • SSRF via OpenID dynamic client registration

Reference

  • Augmenting your manual testing with Burp Scanner
  • Obfuscating attacks using encodings