URL: https://portswigger.net/web-security/all-materials/detailed
-
Client-side prototype pollution
- JavaScript prototypes and inheritance
- What is prototype pollution?
- Finding client-side prototype pollution vulnerabilities
- Prototype pollution via browser APIs
- Preventing prototype pollution
- JavaScript prototypes and inheritance
- What is an object in JavaScript?
- What is a prototype in JavaScript?
- How does object inheritance work in JavaScript?
- The prototype chain
- Accessing an object's prototype using proto
- Modifying prototypes
- What is prototype pollution?
- How do prototype pollution vulnerabilities arise?
- Prototype pollution sources
- Prototype pollution via the URL
- Prototype pollution via JSON input
- Prototype pollution sinks
- Prototype pollution gadgets
- Example of a prototype pollution gadget
- Finding prototype pollution vulnerabilities
- Finding prototype pollution sources manually
- Finding prototype pollution sources using DOM Invader
- Finding prototype pollution gadgets manually
- Finding prototype pollution gadgets using DOM Invader
- Prototype pollution via the constructor
- Prototype pollution in external libraries
- Prototype pollution via browser APIs
- Prototype pollution via fetch()
- Prototype pollution via Object.defineProperty()
- How to prevent prototype pollution vulnerabilities
- Sanitize property keys
- Prevent changes to global prototypes
- Prevent an object from inheriting properties
- Use safer alternatives where possible
-
JWT attacks
- What are JWTs?
- JWT format
- JWT signature
- JWT vs JWS vs JWE
- What are JWT attacks?
- What is the impact of JWT attacks?
- How do vulnerabilities to JWT attacks arise?
- How to work with JWTs in Burp Suite
- Exploiting flawed JWT signature verification
- Accepting arbitrary signatures
- Accepting tokens with no signature
- Brute-forcing secret keys
- Brute-forcing secret keys using hashcat
- JWT header parameter injections
- Injecting self-signed JWTs via the jwk parameter
- Injecting self-signed JWTs via the jku parameter
- Injecting self-signed JWTs via the kid parameter
- Other interesting JWT header parameters
- JWT algorithm confusion
- How to prevent JWT attacks
- Additional best practice for JWT handling
- Working with JWTs in Burp Suite
- Viewing the contents of JWTs
- Editing the contents of JWTs
- Adding new signing keys
- Signing JWTs
- Algorithm confusion attacks
- Symmetric vs asymmetric algorithms
- How do algorithm confusion vulnerabilities arise?
- Performing an algorithm confusion attack
- Step 1 - Obtain the server's public key
- Step 2 - Convert the public key to a suitable format
- Step 3 - Modify your JWT
- Step 4 - Sign the JWT using the public key
- Deriving public keys from existing tokens
- What are JWTs?
-
File upload vulnerabilities
- What are file upload vulnerabilities?
- What is the impact of file upload vulnerabilities?
- How do file upload vulnerabilities arise?
- How do web servers handle requests for static files?
- Exploiting unrestricted file uploads to deploy a web shell
- Exploiting flawed validation of file uploads
- Flawed file type validation
- Preventing file execution in user-accessible directories
- Insufficient blacklisting of dangerous file types
- Overriding the server configuration
- Obfuscating file extensions
- Flawed validation of the file's contents
- Exploiting file upload race conditions
- Race conditions in URL-based file uploads
- Exploiting file upload vulnerabilities without remote code execution
- Uploading malicious client-side scripts
- Exploiting vulnerabilities in the parsing of uploaded files
- Uploading files using PUT
- How to prevent file upload vulnerabilities
-
OAuth 2.0 authentication vulnerabilities
- What is OAuth?
- How does OAuth 2.0 work?
- OAuth authentication
- How do OAuth authentication vulnerabilities arise?
- Identifying OAuth authentication
- Recon
- Exploiting OAuth authentication vulnerabilities
- Vulnerabilities in the OAuth client application
- Improper implementation of the implicit grant type
- Flawed CSRF protection
- Leaking authorization codes and access tokens
- Flawed scope validation
- Unverified user registration
- Extending OAuth with OpenID Connect
- Preventing OAuth authentication vulnerabilities
- How to prevent OAuth authentication vulnerabilities
- For OAuth service providers
- For OAuth client applications
- OAuth grant types
- What is an OAuth grant type?
- OAuth scopes
- Authorization code grant type
- Implicit grant type
- OpenID Connect
- What is OpenID Connect?
- How does OpenID Connect work?
- OpenID Connect roles
- OpenID Connect claims and scopes
- ID token
- Identifying OpenID Connect
- OpenID Connect vulnerabilities
- Unprotected dynamic client registration
- Allowing authorization requests by reference
-
HTTP Host header attacks
- What is the HTTP Host header?
- What is the purpose of the HTTP Host header?
- Virtual hosting
- Routing traffic via an intermediary
- How does the HTTP Host header solve this problem?
- What is an HTTP Host header attack?
- How do HTTP Host header vulnerabilities arise?
- Exploiting HTTP Host header vulnerabilities
- How to prevent HTTP Host header attacks
- How to identify and exploit HTTP Host header vulnerabilities
- How to test for vulnerabilities using the HTTP Host header
- Supply an arbitrary Host header
- Check for flawed validation
- Send ambiguous requests
- Inject host override headers
- How to exploit the HTTP Host header
- Password reset poisoning
- Web cache poisoning via the Host header
- Exploiting classic server-side vulnerabilities
- Accessing restricted functionality
- Accessing internal websites with virtual host brute-forcing
- Routing-based SSRF
- Connection state attacks
- SSRF via a malformed request line
- Password reset poisoning
- How does a password reset work?
- How to construct a password reset poisoning attack
- How to test for vulnerabilities using the HTTP Host header
-
SQL injection
- What is SQL injection (SQLi)?
- What is the impact of a successful SQL injection attack?
- SQL injection examples
- Retrieving hidden data
- Subverting application logic
- Retrieving data from other database tables
- Examining the database
- Blind SQL injection vulnerabilities
- How to detect SQL injection vulnerabilities
- SQL injection in different parts of the query
- SQL injection in different contexts
- Second-order SQL injection
- Database-specific factors
- How to prevent SQL injection
- SQL injection UNION attacks
- Determining the number of columns required in an SQL injection UNION attack
- Finding columns with a useful data type in an SQL injection UNION attack
- Using an SQL injection UNION attack to retrieve interesting data
- Retrieving multiple values within a single column
- Examining the database in SQL injection attacks
- Querying the database type and version
- Listing the contents of the database
- Equivalent to information schema on Oracle
- Blind SQL injection
- What is blind SQL injection?
- Exploiting blind SQL injection by triggering conditional responses
- Inducing conditional responses by triggering SQL errors
- Exploiting blind SQL injection by triggering time delays
- Exploiting blind SQL injection using out-of-band (OAST) techniques
- How to prevent blind SQL injection attacks?
- SQL injection cheat sheet
- String concatenation
- Substring
- Comments
- Database version
- Database contents
- Conditional errors
- Batched (or stacked) queries
- Time delays
- Conditional time delays
- DNS lookup
- DNS lookup with data exfiltration
-
Cross-site scripting
- What is cross-site scripting (XSS)?
- How does XSS work?
- XSS proof of concept
- What are the types of XSS attacks?
- Reflected cross-site scripting
- Stored cross-site scripting
- DOM-based cross-site scripting
- What can XSS be used for?
- Impact of XSS vulnerabilities
- How to find and test for XSS vulnerabilities
- Content security policy
- Dangling markup injection
- How to prevent XSS attacks
- Common questions about cross-site scripting
- Reflected XSS
- What is reflected cross-site scripting?
- Impact of reflected XSS attacks
- Reflected XSS in different contexts
- How to find and test for reflected XSS vulnerabilities
- Common questions about reflected cross-site scripting
- Cross-site scripting (XSS) cheat sheet
- Event handlers
- Event handlers that do not require user interaction
- Event handlers that do require user interaction
- Consuming tags
- File upload attacks
- Restricted characters
- Frameworks
- Protocols
- Other useful attributes
- Special tags
- Encoding
- Obfuscation
- Client-side template injection
- VueJS reflected
- AngularJS sandbox escapes reflected
- DOM based AngularJS sandbox escapes
- AngularJS CSP bypasses
- Scriptless attacks
- Dangling markup
- Polyglots
- WAF bypass global objects
- Content types
- Response content types
- Impossible labs
- Prototype pollution
- Classic vectors (XSS crypt)
- Event handlers
- Stored XSS
- What is stored cross-site scripting?
- Impact of stored XSS attacks
- Stored XSS in different contexts
- How to find and test for stored XSS vulnerabilities
- DOM-based XSS
- What is DOM-based cross-site scripting?
- How to test for DOM-based cross-site scripting
- Testing HTML sinks
- Testing JavaScript execution sinks
- Testing for DOM XSS using DOM Invader
- Exploiting DOM XSS with different sources and sinks
- Sources and sinks in third-party dependencies
- DOM XSS in jQuery
- DOM XSS in AngularJS
- DOM XSS combined with reflected and stored data
- Which sinks can lead to DOM-XSS vulnerabilities?
- How to prevent DOM-XSS vulnerabilities
- Exploiting cross-site scripting vulnerabilities
- Exploiting cross-site scripting to steal cookies
- Exploiting cross-site scripting to capture passwords
- Exploiting cross-site scripting to perform CSRF
- Cross-site scripting contexts
- XSS between HTML tags
- XSS in HTML tag attributes
- XSS into JavaScript
- Terminating the existing script
- Breaking out of a JavaScript string
- Making use of HTML-encoding
- XSS in JavaScript template literals
- XSS via client-side template injection
- Client-side template injection
- What is client-side template injection?
- What is the AngularJS sandbox?
- How does the AngularJS sandbox work?
- How does an AngularJS sandbox escape work?
- How does an AngularJS CSP bypass work?
- How to prevent client-side template injection vulnerabilities
- Content security policy
- What is CSP (content security policy)?
- Mitigating XSS attacks using CSP
- Mitigating dangling markup attacks using CSP
- Bypassing CSP with policy injection
- Protecting against clickjacking using CSP
- Dangling markup injection
- What is dangling markup injection?
- How to prevent dangling markup attacks
- How to prevent XSS
- Encode data on output
- Validate input on arrival
- Whitelisting vs blacklisting
- Allowing "safe" HTML
- How to prevent XSS using a template engine
- How to prevent XSS in PHP
- How to prevent XSS client-side in JavaScript
- How to prevent XSS in jQuery
- Mitigating XSS using content security policy (CSP)
-
Cross-site request forgery (CSRF)
- What is CSRF?
- What is the impact of a CSRF attack?
- How does CSRF work?
- How to construct a CSRF attack
- How to deliver a CSRF exploit
- Preventing CSRF attacks
- Common CSRF vulnerabilities
- Validation of CSRF token depends on request method
- Validation of CSRF token depends on token being present
- CSRF token is not tied to the user session
- CSRF token is tied to a non-session cookie
- CSRF token is simply duplicated in a cookie
- Referer-based defenses against CSRF
- Validation of Referer depends on header being present
- Validation of Referer can be circumvented
- Defending against CSRF with SameSite cookies
- XSS vs CSRF
- What is the difference between XSS and CSRF?
- Can CSRF tokens prevent XSS attacks?
- CSRF tokens
- What are CSRF tokens?
- How should CSRF tokens be generated?
- How should CSRF tokens be transmitted?
- How should CSRF tokens be validated?
-
XML external entity (XXE) injection
- What is XML external entity injection?
- How do XXE vulnerabilities arise?
- What are the types of XXE attacks?
- Exploiting XXE to retrieve files
- Exploiting XXE to perform SSRF attacks
- Blind XXE vulnerabilities
- Finding hidden attack surface for XXE injection
- XInclude attacks
- XXE attacks via file upload
- XXE attacks via modified content type
- How to find and test for XXE vulnerabilities
- How to prevent XXE vulnerabilities
- XML entities
- What is XML?
- What are XML entities?
- What is document type definition?
- What are XML custom entities?
- What are XML external entities?
- Finding and exploiting blind XXE vulnerabilities
- What is blind XXE?
- Detecting blind XXE using out-of-band (OAST) techniques
- Exploiting blind XXE to exfiltrate data out-of-band
- Exploiting blind XXE to retrieve data via error messages
- Exploiting blind XXE by repurposing a local DTD
- Locating an existing DTD file to repurpose
-
Clickjacking (UI redressing)
- What is clickjacking?
- How to construct a basic clickjacking attack
- Clickbandit
- Clickjacking with prefilled form input
- Frame busting scripts
- Combining clickjacking with a DOM XSS attack
- Multistep clickjacking
- How to prevent clickjacking attacks
- X-Frame-Options
- Content Security Policy (CSP)
-
Cross-origin resource sharing (CORS)
- What is CORS (cross-origin resource sharing)?
- Same-origin policy
- Relaxation of the same-origin policy
- Vulnerabilities arising from CORS configuration issues
- Server-generated ACAO header from client-specified Origin header
- Errors parsing Origin headers
- Whitelisted null origin value
- Exploiting XSS via CORS trust relationships
- Breaking TLS with poorly configured CORS
- Intranets and CORS without credentials
- How to prevent CORS-based attacks
- Proper configuration of cross-origin requests
- Only allow trusted sites
- Avoid whitelisting null
- Avoid wildcards in internal networks
- CORS is not a substitute for server-side security policies
- Same-origin policy (SOP)
- What is the same-origin policy?
- Why is the same-origin policy necessary?
- How is the same-origin policy implemented?
- CORS and the Access-Control-Allow-Origin response header
- What is the Access-Control-Allow-Origin response header?
- Implementing simple cross-origin resource sharing
- Handling cross-origin resource requests with credentials
- Relaxation of CORS specifications with wildcards
- Pre-flight checks
- Does CORS protect against CSRF?
-
Server-side request forgery (SSRF)
- What is SSRF?
- What is the impact of SSRF attacks?
- Common SSRF attacks
- SSRF attacks against the server itself
- SSRF attacks against other back-end systems
- Circumventing common SSRF defenses
- SSRF with blacklist-based input filters
- SSRF with whitelist-based input filters
- Bypassing SSRF filters via open redirection
- Blind SSRF vulnerabilities
- Finding hidden attack surface for SSRF vulnerabilities
- Partial URLs in requests
- URLs within data formats
- SSRF via the Referer header
- Blind SSRF vulnerabilities
- What is blind SSRF?
- What is the impact of blind SSRF vulnerabilities?
- How to find and exploit blind SSRF vulnerabilities
-
HTTP request smuggling
- What is HTTP request smuggling?
- What happens in an HTTP request smuggling attack?
- How do HTTP request smuggling vulnerabilities arise?
- How to perform an HTTP request smuggling attack
- CL.TE vulnerabilities
- TE.CL vulnerabilities
- TE.TE behavior: obfuscating the TE header
- How to identify HTTP request smuggling vulnerabilities
- How to exploit HTTP request smuggling vulnerabilities
- Advanced HTTP request smuggling
- Browser-powered request smuggling
- How to prevent HTTP request smuggling vulnerabilities
- Finding HTTP request smuggling vulnerabilities
- Finding HTTP request smuggling vulnerabilities using timing techniques
- Finding CL.TE vulnerabilities using timing techniques
- Finding TE.CL vulnerabilities using timing techniques
- Confirming HTTP request smuggling vulnerabilities using differential responses
- Confirming CL.TE vulnerabilities using differential responses
- Confirming TE.CL vulnerabilities using differential responses
- Finding HTTP request smuggling vulnerabilities using timing techniques
- Exploiting HTTP request smuggling vulnerabilities
- Using HTTP request smuggling to bypass front-end security controls
- Revealing front-end request rewriting
- Bypassing client authentication
- Capturing other users' requests
- Using HTTP request smuggling to exploit reflected XSS
- Using HTTP request smuggling to turn an on-site redirect into an open redirect
- Turning root-relative redirects into open redirects
- Using HTTP request smuggling to perform web cache poisoning
- Using HTTP request smuggling to perform web cache deception
- Advanced request smuggling
- HTTP/2 request smuggling
- HTTP/2 message length
- HTTP/2 downgrading
- H2.CL vulnerabilities
- H2.TE vulnerabilities
- Response queue poisoning
- Request smuggling via CRLF injection
- HTTP/2 request splitting
- Accounting for front-end rewriting
- HTTP request tunnelling
- Response queue poisoning
- What is the impact of response queue poisoning?
- How to construct a response queue poisoning attack
- Understanding the aftermath of request smuggling
- Smuggling a complete request
- Desynchronizing the response queue
- Stealing other users' responses
- HTTP request tunnelling
- Request tunnelling with HTTP/2
- Leaking internal headers via HTTP/2 request tunnelling
- Blind request tunnelling
- Non-blind request tunnelling using HEAD
- Web cache poisoning via HTTP/2 request tunnelling
- HTTP/2 downgrading
- What risks are associated with HTTP/2 downgrading?
- HTTP/2-exclusive vectors
- Injecting via header names
- Injecting via pseudo-headers
- Supplying an ambiguous host
- Supplying an ambiguous path
- Injecting a full request line
- Injecting a URL prefix
- Injecting newlines into pseudo-headers
- HTTP/2 request smuggling
- Browser-powered request smuggling
- CL.0 request smuggling
- Client-side desync
- Pause-based desync
- CL.0 request smuggling
- Testing for CL.0 vulnerabilities
- Eliciting CL.0 behavior
- Exploiting CL.0 vulnerabilities
- H2.0 vulnerabilities
- How to prevent CL.0 vulnerabilities
- Client-side desync
- What is a client-side desync?
- Testing for client-side desync vulnerabilities
- Probing for client-side desync vectors
- Confirming the desync vector in Burp
- Building a proof of concept in a browser
- Handling redirects
- Exploiting client-side desync vulnerabilities
- Client-side variations of classic attacks
- Client-side cache poisoning
- Poisoning the cache with a redirect
- Triggering the resource import
- Delivering a payload
- Pivoting attacks against internal infrastructure
- How to prevent client-side desync vulnerabilities
- Pause-based desync
- Server-side pause-based desync
- Testing for pause-based CL.0 vulnerabilities
- Client-side pause-based desync
- How to prevent pause-based desync vulnerabilities
- Server-side pause-based desync
-
OS command injection
- What is OS command injection?
- Executing arbitrary commands
- Useful commands
- Blind OS command injection vulnerabilities
- Detecting blind OS command injection using time delays
- Exploiting blind OS command injection by redirecting output
- Exploiting blind OS command injection using out-of-band (OAST) techniques
- Ways of injecting OS commands
- How to prevent OS command injection attacks
-
Server-side template injection
- What is server-side template injection?
- What is the impact of server-side template injection?
- How do server-side template injection vulnerabilities arise?
- Constructing a server-side template injection attack
- Detect
- Identify
- Exploit
- How to prevent server-side template injection vulnerabilities
- Exploiting server-side template injection vulnerabilities
- Read
- Learn the basic template syntax
- Read about the security implications
- Look for known exploits
- Explore
- Developer-supplied objects
- Create a custom attack
- Constructing a custom exploit using an object chain
- Constructing a custom exploit using developer-supplied objects
- Read
-
Insecure deserialization
- What is serialization?
- Serialization vs deserialization
- What is insecure deserialization?
- How do insecure deserialization vulnerabilities arise?
- What is the impact of insecure deserialization?
- How to exploit insecure deserialization vulnerabilities
- How to prevent insecure deserialization vulnerabilities
- Exploiting insecure deserialization vulnerabilities
- How to identify insecure deserialization
- PHP serialization format
- Java serialization format
- Manipulating serialized objects
- Modifying object attributes
- Modifying data types
- Using application functionality
- Magic methods
- Injecting arbitrary objects
- Gadget chains
- Working with pre-built gadget chains
- Working with documented gadget chains
- Creating your own exploit
- PHAR deserialization
- Exploiting deserialization using memory corruption
- How to identify insecure deserialization
- What is serialization?
-
Directory traversal
- What is directory traversal?
- Reading arbitrary files via directory traversal
- Common obstacles to exploiting file path traversal vulnerabilities
- How to prevent a directory traversal attack
-
Access control vulnerabilities and privilege escalation
- What is access control?
- Vertical access controls
- Horizontal access controls
- Context-dependent access controls
- Examples of broken access controls
- Vertical privilege escalation
- Horizontal privilege escalation
- Horizontal to vertical privilege escalation
- Insecure direct object references
- Access control vulnerabilities in multi-step processes
- Referer-based access control
- Location-based access control
- How to prevent access control vulnerabilities
- Access control security models
- What are access control security models?
- Programmatic access control
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Insecure direct object references (IDOR)
- What are insecure direct object references (IDOR)?
- IDOR examples
- IDOR vulnerability with direct reference to database objects
- IDOR vulnerability with direct reference to static files
- What is access control?
-
Authentication vulnerabilities
- What is authentication?
- What is the difference between authentication and authorization?
- How do authentication vulnerabilities arise?
- What is the impact of vulnerable authentication?
- Vulnerabilities in authentication mechanisms
- Vulnerabilities in third-party authentication mechanisms
- Preventing attacks on your own authentication mechanisms
- Vulnerabilities in password-based login
- Brute-force attacks
- Brute-forcing usernames
- Brute-forcing passwords
- Username enumeration
- Flawed brute-force protection
- Account locking
- User rate limiting
- HTTP basic authentication
- Brute-force attacks
- Vulnerabilities in multi-factor authentication
- Two-factor authentication tokens
- Bypassing two-factor authentication
- Flawed two-factor verification logic
- Brute-forcing 2FA verification codes
- Vulnerabilities in other authentication mechanisms
- Keeping users logged in
- Resetting user passwords
- Sending passwords by email
- Resetting passwords using a URL
- Changing user passwords
- Authentication lab usernames
- Authentication lab passwords
- How to secure your authentication mechanisms
- Take care with user credentials
- Don't count on users for security
- Prevent username enumeration
- Implement robust brute-force protection
- Triple-check your verification logic
- Don't forget supplementary functionality
- Implement proper multi-factor authentication
- What is authentication?
-
Business logic vulnerabilities
- What are business logic vulnerabilities?
- How do business logic vulnerabilities arise?
- What is the impact of business logic vulnerabilities?
- What are some examples of business logic vulnerabilities?
- How to prevent business logic vulnerabilities
- Examples of business logic vulnerabilities
- Excessive trust in client-side controls
- Failing to handle unconventional input
- Making flawed assumptions about user behavior
- Trusted users won't always remain trustworthy
- Users won't always supply mandatory input
- Users won't always follow the intended sequence
- Domain-specific flaws
- Providing an encryption oracle
-
Testing for WebSockets security vulnerabilities
- WebSockets
- Manipulating WebSocket traffic
- Intercepting and modifying WebSocket messages
- Replaying and generating new WebSocket messages
- Manipulating WebSocket connections
- WebSockets security vulnerabilities
- Manipulating WebSocket messages to exploit vulnerabilities
- Manipulating the WebSocket handshake to exploit vulnerabilities
- Using cross-site WebSockets to exploit vulnerabilities
- How to secure a WebSocket connection
- What are WebSockets?
- What is the difference between HTTP and WebSockets?
- How are WebSocket connections established?
- What do WebSocket messages look like?
- Cross-site WebSocket hijacking
- What is cross-site WebSocket hijacking?
- What is the impact of cross-site WebSocket hijacking?
- Performing a cross-site WebSocket hijacking attack
-
DOM-based vulnerabilities
- What is the DOM?
- Taint-flow vulnerabilities
- What is taint flow?
- Common sources
- Which sinks can lead to DOM-based vulnerabilities?
- How to prevent DOM-based taint-flow vulnerabilities
- DOM clobbering
- Controlling the web message source
- What is the impact of DOM-based web message vulnerabilities?
- How to construct an attack using web messages as the source
- Origin verification
- Which sinks can lead to DOM-based web message vulnerabilities?
- DOM-based open redirection
- What is DOM-based open redirection?
- What is the impact of DOM-based open redirection?
- Which sinks can lead to DOM-based open-redirection vulnerabilities?
- How to prevent DOM-based open-redirection vulnerabilities
- DOM-based cookie manipulation
- What is DOM-based cookie manipulation?
- What is the impact of a DOM-based cookie-manipulation attack?
- Which sinks can lead to DOM-based cookie-manipulation vulnerabilities?
- How to prevent DOM-based cookie-manipulation vulnerabilities
- DOM-based JavaScript injection
- What is DOM-based JavaScript injection?
- What is the impact of a DOM-based JavaScript-injection attack?
- Which sinks can lead to DOM-based JavaScript-injection vulnerabilities?
- How to prevent DOM-based JavaScript-injection vulnerabilities
- DOM-based document-domain manipulation
- What is DOM-based document-domain manipulation?
- Which sinks can lead to DOM-based document-domain manipulation vulnerabilities?
- How to prevent DOM-based document-domain manipulation vulnerabilities
- DOM-based WebSocket-URL poisoning
- What is DOM-based WebSocket-URL poisoning?
- What is the impact of WebSocket-URL poisoning?
- Which sinks can lead to WebSocket-URL poisoning vulnerabilities?
- How to prevent DOM-based WebSocket-URL poisoning vulnerabilities
- DOM-based link manipulation
- What is DOM-based link manipulation?
- What is the impact of a DOM-based link-manipulation attack?
- Which sinks can lead to DOM-based link-manipulation vulnerabilities?
- How to prevent DOM-based link-manipulation vulnerabilities
- Web message manipulation
- What is DOM-based web message manipulation?
- Which sinks can lead to DOM-based web-message manipulation vulnerabilities?
- How to prevent DOM-based web message manipulation
- DOM-based Ajax request-header manipulation
- What is DOM-based Ajax request-header manipulation?
- What is the impact of DOM-based Ajax request-header manipulation?
- Which sinks can lead to DOM-based Ajax request-header manipulation vulnerabilities?
- How to prevent DOM-based Ajax request-header manipulation
- DOM-based local file-path manipulation
- What is DOM-based local file-path manipulation?
- What is the impact of DOM-based local file-path manipulation?
- Which sinks can lead to DOM-based local file-path manipulation vulnerabilities?
- How to prevent DOM-based local file-path manipulation vulnerabilities
- DOM-based client-side SQL injection
- What is DOM-based client-side SQL injection?
- What is the impact of DOM-based client-side SQL injection?
- Which sinks can lead to DOM-based client-side SQL-injection vulnerabilities?
- How to prevent DOM-based client-side SQL-injection vulnerabilities
- DOM-based HTML5-storage manipulation
- What is DOM-based HTML5-storage manipulation?
- Which sinks can lead to DOM-based HTML5-storage manipulation vulnerabilities?
- How to prevent DOM-based HTML5-storage manipulation vulnerabilities
- DOM-based client-side XPath injection
- What is DOM-based XPath injection?
- What is the impact of DOM-based XPath injection?
- Which sinks can lead to XPath-injection vulnerabilities?
- How to prevent DOM-based XPath-injection vulnerabilities
- DOM-based client-side JSON injection
- What is DOM-based JSON injection?
- What is the impact of a DOM-based JSON-injection attack?
- Which sinks can lead to DOM-based JSON-injection vulnerabilities?
- How to prevent client-side JSON-injection vulnerabilities?
- DOM-data manipulation
- What is DOM-data manipulation?
- What is the impact of DOM-data manipulation?
- Which sinks can lead to DOM-data manipulation vulnerabilities?
- How to prevent DOM-data manipulation vulnerabilities
- DOM-based denial of service
- What is DOM-based denial of service?
- Which sinks can lead to DOM-based denial-of-service vulnerabilities?
- How to prevent DOM-based denial-of-service vulnerabilities
- DOM clobbering
- What is DOM clobbering?
- How to exploit DOM-clobbering vulnerabilities
- How to prevent DOM-clobbering attacks
-
Web cache poisoning
- What is web cache poisoning?
- Web cache poisoning research
- How does a web cache work?
- What is the impact of a web cache poisoning attack?
- Constructing a web cache poisoning attack
- Identify and evaluate unkeyed inputs
- Param Miner
- Elicit a harmful response from the back-end server
- Get the response cached
- Exploiting web cache poisoning vulnerabilities
- How to prevent web cache poisoning vulnerabilities
- Exploiting cache design flaws
- Using web cache poisoning to deliver an XSS attack
- Using web cache poisoning to exploit unsafe handling of resource imports
- Using web cache poisoning to exploit cookie-handling vulnerabilities
- Using multiple headers to exploit web cache poisoning vulnerabilities
- Exploiting responses that expose too much information
- Cache-control directives
- Vary header
- Using web cache poisoning to exploit DOM-based vulnerabilities
- Chaining web cache poisoning vulnerabilities
- Exploiting cache implementation flaws
- Cache key flaws
- Cache probing methodology
- Identify a suitable cache oracle
- Probe key handling
- Identify an exploitable gadget
- Exploiting cache key flaws
- Unkeyed port
- Unkeyed query string
- Unkeyed query parameters
- Cache parameter cloaking
- Normalized cache keys
- Cache key injection
- Poisoning internal caches
- How to identify internal caches
- Testing internal caches safely
- What is web cache poisoning?
-
Information disclosure vulnerabilities
- What is information disclosure?
- How do information disclosure vulnerabilities arise?
- What is the impact of information disclosure vulnerabilities?
- How to assess the severity of information disclosure vulnerabilities
- Exploiting information disclosure
- How to prevent information disclosure vulnerabilities
- How to find and exploit information disclosure vulnerabilities
- How to test for information disclosure vulnerabilities
- Fuzzing
- Using Burp Scanner
- Using Burp's engagement tools
- Engineering informative responses
- Common sources of information disclosure
- Files for web crawlers
- Directory listings
- Developer comments
- Error messages
- Debugging data
- User account pages
- Source code disclosure via backup files
- Information disclosure due to insecure configuration
- Version control history
- How to test for information disclosure vulnerabilities
-
Reference
- Augmenting your manual testing with Burp Scanner
- Scanning a specific request
- Scanning custom insertion points
- Scanning non-standard data structures
- Obfuscating attacks using encodings
- Context-specific decoding
- Decoding discrepancies
- Obfuscation via URL encoding
- Obfuscation via double URL encoding
- Obfuscation via HTML encoding
- Leading zeros
- Obfuscation via XML encoding
- Obfuscation via unicode escaping
- Obfuscation via hex escaping
- Obfuscation via octal escaping
- Obfuscation via multiple encodings
- Obfuscation via the SQL CHAR() function
- Augmenting your manual testing with Burp Scanner