Web App Pentest

Kom i gang. Det er Gratis
eller tilmeld med din email adresse
Web App Pentest af Mind Map: Web App Pentest

1. Insecure Deserialization

1.1. Blogs

1.1.1. Blog 1

1.1.2. Blog 2

1.1.3. Blog 3

1.1.4. Blog 4

1.2. Tools

1.2.1. Python pickle

1.2.2. gadgetinspector

1.2.3. ysoserial

1.3. Burp Extensions

1.3.1. Java-Deserialization-Scanner

1.3.2. JavaSerialKiller

1.3.3. burp-ysoserial

1.3.4. SuperSerial

1.3.5. SuperSerial-Active

2. Clickjacking

2.1. Tools and burp extensions

2.1.1. Clickbandit

3. Command Injection

3.1. Payloads

3.1.1. Set 1

3.1.2. Set 2

3.2. Tools

3.2.1. commix

3.2.2. Practice labs

3.3. Burp Extensions

3.3.1. Command Injection Attacker

4. Cross-site scripting (XSS)

4.1. Types

4.1.1. Stored-XSS

4.1.2. Refelected-XSS

4.1.3. DOM-XSS

4.1.4. Blind-XSS

4.1.4.1. XSS Hunter (The Best tool for Blind XSS)

4.1.4.2. ezXSS (Has 2FA, email reports, share reports feature)

4.1.4.3. bXSS (Has slack/SMS notification feature)

4.1.4.4. Knoxss (has email feature & plugin)

4.1.4.5. Burp Collaborator

4.2. Payloads

4.2.1. WAF Bypass

4.2.1.1. Kona WAF (Akamai) Bypass

4.2.1.1.1. \');confirm(1);//

4.2.1.2. ModSecurity WAF Bypass

4.2.1.2.1. <img src=x onerror=prompt(document.cookie) onerror=prompt(document.domain) onerror=prompt(document.domain)>

4.2.1.3. Incapsula WAF Bypasses

4.2.1.3.1. <iframe/onload='this["src"]="javas cript:al"+"ert""';> <img/src=q onerror='new Function`al\ert\`1\"'>

4.2.1.4. Wordfence XSS Bypasses

4.2.1.4.1. <meter onmouseover="alert(1)"

4.2.1.4.2. '">><div><meter onmouseover="alert(1)"</div>"

4.2.1.4.3. >><marquee loop=1 width=0 onfinish=alert(1)>

4.2.2. XSS via file upload

4.2.2.1. XSS in file name

4.2.2.1.1. "><img src=v onerror=prompt(xss);>.jpeg

4.2.2.2. Metadata (exit tool)

4.2.2.2.1. exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’ brute.jpeg

4.2.2.3. SVG content XSS

4.2.2.3.1. <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

4.2.2.4. Gif extension XSS

4.2.2.4.1. GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

4.2.2.5. Html extension

4.2.2.5.1. <!DOCTYPE html> <html> <head> <title>XSS</title> </head> <body> <script type="text/javascript">alert(document.cookie)</script> <script>prompt(1);</script> </body> </html>

4.2.3. Set 1

5. SQL Injection

5.1. Types

5.1.1. Union-based SQLi

5.1.2. Error-based SQLi

5.1.3. Blind SQLi

5.1.3.1. Boolean-based (content-based) Blind SQLi

5.1.3.2. Time-based Blind SQLi

5.1.4. Second-order SQL injection

5.1.4.1. end the query with "#" or "--"

5.1.5. Login SQLi

5.1.5.1. Login bypass payloads

5.1.5.1.1. SQL Query 1) SELECT * FROM users WHERE name='tom' and password='tom' 2) SELECT * FROM users WHERE name='tom' and password='' or '1'='1' 3) SELECT * FROM users WHERE name='tom' and password='' or 1='1' 4) SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -' 5) SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1' 6) SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1' 7) SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'

5.2. Tools& extensions

5.2.1. Online tools

5.2.1.1. sql-injection-scanner-online

5.2.2. Offline tools

5.2.2.1. SQLmap

5.2.2.1.1. Basic usage: sqlmap.py -u xyz.com/vuln.php?id=1*

5.2.2.1.2. Adv usage: sqlmap.py -u xyz.com/vuln.php?id=1* --level 3 --risk 3

5.2.2.2. NoSQLMap

5.3. References

5.3.1. sqlwiki

5.3.2. pentest-tools

6. Web cache poisoning

7. HTTP request smuggling

7.1. Blogs

7.1.1. Blog 1

7.1.2. Blog 2

7.1.3. Blog 3

7.1.4. Blog 4

7.2. Concept

7.2.1. TE:CE

7.2.2. CE:TE

7.2.3. TE:TE

7.3. Tools

7.3.1. smuggler.py

7.4. Burp extensions

7.4.1. http-request-smuggler

8. CRLF Injection (%0d%0a)

8.1. Payloads

9. Unristricted file upload

9.1. Tools

9.1.1. fuxploider

9.1.2. Burp extensions

9.1.2.1. Upload Scanner

9.2. Blogs

9.2.1. Blog 1

9.2.2. Blog 2

9.3. Payloads

9.3.1. Set 1

9.3.2. Set 2

9.3.3. Set 3

10. Template Injection

10.1. Tools

10.1.1. tplmap

10.2. Types

10.2.1. Twig

10.2.1.1. Payload: {{7*'7'}}

10.2.2. Jinja

10.2.2.1. Payload: {{7*'7'}}

10.2.3. Ruby

10.2.3.1. Payload: <%= 7 * 7 %>

10.3. Payloads & References

10.3.1. Set 1

10.3.2. Blog 1

11. Reporting Tool

11.1. Serpico

11.2. dradisframework

11.3. bountyplz

11.4. template-generator

12. Response manipulation

12.1. References

12.1.1. Ref 1

13. Git Recon

13.1. Tools

13.1.1. gitGraber

13.1.2. Gitrob

13.1.3. truffleHog

13.1.4. github-search

14. Race Condition

14.1. Blog 1

14.2. Blog 2

14.3. Blog 3

14.4. Blog 4

15. Google dorks

15.1. References

15.1.1. GHDB

15.1.2. Bugbounty dorks

15.1.3. Blog 1

15.1.4. Blog 2

15.1.5. google_Dorks_list

16. Web Cache Deception Attack

17. Email spoofing vulnerabilities

17.1. Mxtoolbox

17.2. Mail spoofer

18. Subdomain enumeration & takeover

18.1. Blogs

18.1.1. POC

18.1.1.1. Subdomain Take-over poc's github -https://hackerone.com/reports/363778 aws - https://hackerone.com/reports/186766 zendesk https://hackerone.com/reports/759454 Azure - https://hackerone.com/reports/665398 Uptime Robot - https://hackerone.com/reports/781614 fly.io - https://hackerone.com/reports/576857 icn.bg - https://hackerone.com/hacker_dashboard/overview Azure Traffic Manager - https://hackerone.com/reports/570651 tilda.cc - https://hackerone.com/reports/720992 Netlify - https://hackerone.com/reports/197489 Mashery service - https://hackerone.com/reports/275714 fastly - https://hackerone.com/reports/154425 Heroku - https://hackerone.com/reports/365853 UnbouncePages - https://hackerone.com/reports/209004 Tumblr - https://hackerone.com/reports/221631 Shopify -https://hackerone.com/reports/416474 ghost.io https://hackerone.com/reports/368119 CloudFront(CF Origin) - https://hackerone.com/reports/145224 legacy - https://hackerone.com/reports/389783 WordPress - https://hackerone.com/reports/274336 Desk - https://hackerone.com/reports/201796

18.1.2. Edoverflow

18.1.3. patrik

18.2. Tools

18.2.1. Online tools

18.2.1.1. Cyberint

18.2.1.2. Hackking

18.2.1.3. Sub enumeration

18.2.1.4. Virustotal

18.2.2. Offline tools

18.2.2.1. Amass

18.2.2.1.1. Basic-usage: [amass enum -d example.com]

18.2.2.2. Aquatone

18.2.2.2.1. Basic-usage: [cat targets.txt | aquatone {or} type targets.txt | aquatone]

18.2.2.3. Massdns

18.2.2.3.1. Basic-usage: [./bin/massdns {options} {domainlist}]

18.2.2.4. Findomain

18.2.2.4.1. Basic-usage: [findomain -t example.com]

18.2.2.5. Assestfinder

18.2.3. Automation

18.2.3.1. Link 1

18.2.3.2. Link 2

19. SAML/SSO

19.1. Blogs

19.1.1. https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/ https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/ https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/ https://github.com/kelbyludwig/saml-attack-surface http://secretsofappsecurity.blogspot.com/2017/01/saml-security-xml-external-entity-attack.html https://seanmelia.wordpress.com/2016/01/09/xxe-via-saml/ https://hackerone.com/reports/136169

19.2. Burp Extensions

19.2.1. SAMLRaider

20. Directory enumeration

20.1. Wordlist

20.1.1. jhaddix

20.1.2. SecLists

20.2. Tools

20.2.1. Meg

20.2.2. ffuf

20.2.2.1. Basic-usgae: [ffuf -w /path/to/wordlist -u https://target/FUZZ]

20.2.2.1.1. Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output. ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v Fuzz Host-header, match HTTP 200 responses. ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200 Fuzz POST JSON data. Match all responses not containing text "error". ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \ -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error" Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored. ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c

20.2.3. Dirsearch

20.2.3.1. Basic-usage: [python3 dirsearch.py -u <URL> -e <EXTENSION>]

20.2.3.1.1. Options: -h, --help show this help message and exit Mandatory: -u URL, --url=URL URL target -L URLLIST, --url-list=URLLIST URL list target -e EXTENSIONS, --extensions=EXTENSIONS Extension list separated by comma (Example: php,asp) -E, --extensions-list Use predefined list of common extensions Dictionary Settings: -w WORDLIST, --wordlist=WORDLIST -l, --lowercase -f, --force-extensions Force extensions for every wordlist entry (like in DirBuster) General Settings: -s DELAY, --delay=DELAY Delay between requests (float number) -r, --recursive Bruteforce recursively -R RECURSIVE_LEVEL_MAX, --recursive-level-max=RECURSIVE_LEVEL_MAX Max recursion level (subdirs) (Default: 1 [only rootdir + 1 dir]) --suppress-empty, --suppress-empty --scan-subdir=SCANSUBDIRS, --scan-subdirs=SCANSUBDIRS Scan subdirectories of the given -u|--url (separated by comma) --exclude-subdir=EXCLUDESUBDIRS, --exclude-subdirs=EXCLUDESUBDIRS Exclude the following subdirectories during recursive scan (separated by comma) -t THREADSCOUNT, --threads=THREADSCOUNT Number of Threads -x EXCLUDESTATUSCODES, --exclude-status=EXCLUDESTATUSCODES Exclude status code, separated by comma (example: 301, 500) --exclude-texts=EXCLUDETEXTS Exclude responses by texts, separated by comma (example: "Not found", "Error") --exclude-regexps=EXCLUDEREGEXPS Exclude responses by regexps, separated by comma (example: "Not foun[a-z]{1}", "^Error$") -c COOKIE, --cookie=COOKIE --ua=USERAGENT, --user-agent=USERAGENT -F, --follow-redirects -H HEADERS, --header=HEADERS Headers to add (example: --header "Referer: example.com" --header "User-Agent: IE" --random-agents, --random-user-agents Connection Settings: --timeout=TIMEOUT Connection timeout --ip=IP Resolve name to IP address --proxy=HTTPPROXY, --http-proxy=HTTPPROXY Http Proxy (example: localhost:8080 --http-method=HTTPMETHOD Method to use, default: GET, possible also: HEAD;POST --max-retries=MAXRETRIES -b, --request-by-hostname By default dirsearch will request by IP for speed. This forces requests by hostname Reports: --simple-report=SIMPLEOUTPUTFILE Only found paths --plain-text-report=PLAINTEXTOUTPUTFILE Found paths with status codes --json-report=JSONOUTPUTFILE

20.2.4. wfuzz

21. SSRF

21.1. Online tools

21.1.1. ssrftest

21.1.2. postb.in

21.2. Github tools

21.2.1. httprebind

21.2.2. ssrftest

21.2.3. Ground control

21.2.4. SSRF map

21.3. Blogs & Payloads

21.3.1. https://github.com/jdonsec/AllThingsSSRF https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978 https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0

22. CSRF

22.1. CSRF Bypass

22.1.1. Replacing value of same length

22.1.2. Removing the CSRF token from requests entirely

22.1.3. Decoding CSRF tokens

22.1.4. Extracting token via HTML injection

22.1.5. Using only the static parts of the token

22.1.6. Changing request method

22.1.7. Try to remove the referer header

22.2. Burp extension

22.2.1. EasyCSRF

22.3. JSON-Based CSRF

22.3.1. Blog 1

23. File Inclusion

23.1. RFI

23.2. LFI

23.3. GitHub References & Tools

23.3.1. LFISuite

23.3.2. liffy

23.3.3. fimap

23.4. Payloads

23.4.1. Set 1

23.4.2. Set 2

23.4.3. Set 3

23.4.4. Burp Intruder list

24. IDOR

24.1. Burp Extensions

24.1.1. Authz

24.1.2. AuthMatrix

24.1.3. Authorize

24.2. Blogs

24.2.1. Blog 1

24.2.2. Blog 2

24.2.3. Blog 3

25. XXE

25.1. Online tools

25.1.1. XXE.SH

25.2. Types

25.2.1. Inbound-Xml Inj

25.2.2. OOB-Xml Inj

25.2.3. Error based Xml Inj

25.3. Github tools

25.3.1. oxml_xxe

25.3.2. XXEinjector

25.4. Blogs

25.4.1. https://0xatul.me/posts/2020/02/external-xml-entity-via-file-upload-svg/ https://mahmoudsec.blogspot.com/2019/08/exploiting-out-of-band-xxe-using.html https://github.com/setuid0-sec/Swiss_E-Voting_Publications/blob/master/xxe_setuid0.pdf https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/ https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/ https://www.corben.io/XSS-to-XXE-in-Prince/ https://medium.com/@zain.sabahat/an-interesting-xxe-in-sap-8b35fec6ef33

26. Some Git repo's, Burp extensions...etc

26.1. Git repos

26.1.1. AWS offensive/defensive

26.1.2. Key hacks

26.1.3. Github Monitoring

26.1.4. Pentest-tools

26.2. Shodan monitoring

26.3. Burp extensions

26.3.1. HUNT

26.4. Blogs

26.4.1. pentester.land

27. Redirect

27.1. Online tools

27.1.1. Hackking

27.2. Blogs

27.2.1. Blog 1

28. VPS

28.1. Automated-Scanner

28.2. lazyrecon

28.3. Osmedeus

28.4. Sn1per

29. Practice Labs

29.1. Owasp broken web app

29.2. portswigger labs

29.3. SQl injection

29.4. XSS Labs

30. Browser Extensions

30.1. Tracy

30.2. Knoxss

30.3. Wappalyzer

30.4. d3coder

30.5. FoxyProxy

30.6. EditThisCookie

30.7. HTTP Headers

30.8. Postman Interceptor