2021-06-26 12:03:36 +00:00
# Web Vulnerabilities Methodology
In every pentest web there is **several hidden and obvious places that might be vulnerable** . This post is meant to be a checklist to confirma that you have searched vulnerabilities in all the posible places.
## Proxies
{% hint style="info" %}
2021-10-18 11:21:18 +00:00
Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies** , those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
2021-06-26 12:03:36 +00:00
{% endhint %}
2022-04-05 22:24:52 +00:00
* [ ] [**Abusing hop-by-hop headers** ](abusing-hop-by-hop-headers.md )
* [ ] [**Cache Poisoning/Cache Deception** ](cache-deception.md )
* [ ] [**HTTP Request Smuggling** ](http-request-smuggling/ )
* [ ] [**H2C Smuggling** ](h2c-smuggling.md )
* [ ] [**Server Side Inclusion/Edge Side Inclusion** ](server-side-inclusion-edge-side-inclusion-injection.md )
* [ ] [**Uncovering Cloudflare** ](../pentesting/pentesting-web/uncovering-cloudflare.md )
* [ ] [**XSLT Server Side Injection** ](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md )
2021-06-26 12:03:36 +00:00
## **User input**
{% hint style="info" %}
2022-04-05 22:24:52 +00:00
Most of the web applications will **allow users to input some data that will be processed later.** \
Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
2021-06-26 12:03:36 +00:00
{% endhint %}
### **Reflected Values**
If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues.
2022-04-05 22:24:52 +00:00
* [ ] [**Client Side Template Injection** ](client-side-template-injection-csti.md )
* [ ] [**Command Injection** ](command-injection.md )
* [ ] [**CRLF** ](crlf-0d-0a.md )
* [ ] [**Dangling Markup** ](dangling-markup-html-scriptless-injection.md )
* [ ] [**File Inclusion/Path Traversal** ](file-inclusion/ )
* [ ] [**Open Redirect** ](open-redirect.md )
* [ ] [**Prototype Pollution to XSS** ](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss )
* [ ] [**Server Side Inclusion/Edge Side Inclusion** ](server-side-inclusion-edge-side-inclusion-injection.md )
* [ ] [**Server Side Request Forgery** ](ssrf-server-side-request-forgery/ )
* [ ] [**Server Side Template Injection** ](ssti-server-side-template-injection/ )
* [ ] [**Reverse Tab Nabbing** ](reverse-tab-nabbing.md )
* [ ] [**XSLT Server Side Injection** ](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md )
* [ ] [**XSS** ](xss-cross-site-scripting/ )
* [ ] [**XSSI** ](xssi-cross-site-script-inclusion.md )
* [ ] [**XS-Search** ](xs-search.md )
2021-06-26 12:03:36 +00:00
Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
2021-10-18 11:21:18 +00:00
{% content-ref url="pocs-and-polygloths-cheatsheet/" %}
[pocs-and-polygloths-cheatsheet ](pocs-and-polygloths-cheatsheet/ )
{% endcontent-ref %}
2021-06-26 12:03:36 +00:00
### **Search functionalities**
2021-10-18 11:21:18 +00:00
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
2021-06-26 12:03:36 +00:00
2022-04-05 22:24:52 +00:00
* [ ] [**File Inclusion/Path Traversal** ](file-inclusion/ )
* [ ] [**NoSQL Injection** ](nosql-injection.md )
* [ ] [**LDAP Injection** ](ldap-injection.md )
2021-06-26 12:03:36 +00:00
* [ ] [**ReDoS** ](regular-expression-denial-of-service-redos.md )
2022-04-05 22:24:52 +00:00
* [ ] [**SQL Injection** ](sql-injection/ )
* [ ] [**XAPTH Injection** ](xpath-injection.md )
2021-06-26 12:03:36 +00:00
### **Forms, WebSockets and PostMsgs**
When websocket, post message or a form allows user to perform actions vulnerabilities may arise.
2022-04-05 22:24:52 +00:00
* [ ] [**Cross Site Request Forgery** ](csrf-cross-site-request-forgery.md )
* [ ] [**Cross-site WebSocket hijacking (CSWSH)** ](cross-site-websocket-hijacking-cswsh.md )
* [ ] [**PostMessage Vulnerabilities** ](postmessage-vulnerabilities.md )
2021-06-26 12:03:36 +00:00
### **HTTP Headers**
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
2022-04-05 22:24:52 +00:00
* [ ] [**Clickjacking** ](clickjacking.md )
* [ ] [**Content Security Policy bypass** ](content-security-policy-csp-bypass.md )
* [ ] [**Cookies Hacking** ](hacking-with-cookies/ )
* [ ] [**CORS - Misconfigurations & Bypass** ](cors-bypass.md )
2021-06-26 12:03:36 +00:00
### **Bypasses**
There are several specific functionalities were some workarounds might be useful to bypass them
2022-04-05 22:24:52 +00:00
* [ ] [**2FA/OPT Bypass** ](2fa-bypass.md )
* [ ] [**Bypass Payment Process** ](bypass-payment-process.md )
* [ ] [**Captcha Bypass** ](captcha-bypass.md )
* [ ] [**Login Bypass** ](login-bypass/ )
* [ ] [**Race Condition** ](race-condition.md )
* [ ] [**Rate Limit Bypass** ](rate-limit-bypass.md )
* [ ] [**Reset Forgotten Password Bypass** ](reset-password.md )
* [ ] [**Registration Vulnerabilities** ](registration-vulnerabilities.md )
2021-06-26 12:03:36 +00:00
### **Structured objects / Specific functionalities**
2021-10-18 11:21:18 +00:00
Some functionalities will require the **data to be structured on a very specific format** (like a language serialized object or a XML). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.\
2022-04-05 22:24:52 +00:00
Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
2021-06-26 12:03:36 +00:00
2022-04-05 22:24:52 +00:00
* [ ] [**Deserialization** ](deserialization/ )
* [ ] [**Email Header Injection** ](email-header-injection.md )
* [ ] [**JWT Vulnerabilities** ](hacking-jwt-json-web-tokens.md )
* [ ] [**XML External Entity** ](xxe-xee-xml-external-entity.md )
2021-06-26 12:03:36 +00:00
### Files
2021-10-18 11:21:18 +00:00
Functionalities that allow to upload files might be vulnerable to several issues.\
Functionalities that generates files including user input might execute unexpected code.\
2021-06-26 12:03:36 +00:00
Users that open files uploaded by users or automatically generated including user input might be compromised.
2022-04-05 22:24:52 +00:00
* [ ] [**File Upload** ](file-upload/ )
* [ ] [**Formula Injection** ](formula-injection.md )
* [ ] [**PDF Injection** ](xss-cross-site-scripting/pdf-injection.md )
* [ ] [**Server Side XSS** ](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md )
2021-06-26 12:03:36 +00:00
### **External Identity Management**
2022-04-05 22:24:52 +00:00
* [ ] [**OAUTH to Account takeover** ](oauth-to-account-takeover.md )
* [ ] [**SAML Attacks** ](saml-attacks/ )
2021-06-26 12:03:36 +00:00
### **Other Helpful Vulnerabilities**
This vulnerabilities might help to exploit other vulnerabilities.
2022-04-05 22:24:52 +00:00
* [ ] [**Domain/Subdomain takeover** ](domain-subdomain-takeover.md )
* [ ] [**IDOR** ](idor.md )
* [ ] [**Parameter Pollution** ](parameter-pollution.md )
* [ ] [**Unicode Normalization vulnerability** ](unicode-normalization-vulnerability.md )
