Web

OWASP Web Security Testing Guide

Enumeration

ChopChop, WhatWeb, BlindElephant, FeroxBuster, List of interesting URLs, Another sweet set of lists

  • robots.txt

  • .htaccess

  • API endpoints called by javascript/etc

Domains

DNS Dumpster, DNS History, Domains sharing IP

Sneaky techniky

  • Does the server support HTTP PUT?

  • Do all API endpoints actually verify authentication?

    • Missing auth parameters?

    • Provided but invalid parameters?

  • Does the application use any binary libraries?

  • What happens if you remove the Host header?

  • What other domains are hosted at the same IP?

Probing payloads

JWT

Tool

Try setting alg: none or alg: nonE etc. Maybe that's enough.

Public key mixup

Tell me more, Tool

If a JWT uses RS256, the backend can be tricked into validating it with HS256 instead. The HS256 JWT is then signed using the RSA public key as the HMAC secret, and that public key can perhaps be deduced from a few samples of RS256 JWTs.

Path Traversal

Java applications

Tell me more

HTTP Response Splitting

Tell me more, Tool, Tool

Unvalidated user input leaks into the early parts of an HTTP response. The attacker can inject CRLF, allowing them to control the rest of the response, including additional headers and content.

HTTP Request Smuggling

Sweet Infographic

A proxy in front of the server merges multiple incoming requests into a single connection to the backend server.

A malicious HTTP request has both a short Content-Length header (which is proper) and an additional Transfer-Encoding: Chunked header (which is ignored by the proxy). It is immediately followed by an authenticated request from a legitimate user.

The proxy concatenates the requests and passes them on to the backend server, still via HTTP. The server parses the malicious request as Transfer-Encoding: Chunked and ignores the Content-Length. As a result, the malicious request is parsed short, and the tail end of its data is interpreted by the server as the start of the next request.

The second request handled by the server is therefore malformed: the attacker controls its request line and headers, yet it also carries the headers of the legitimate user's request. Oops.
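An added example, not from the original page: a small Python check that a front-end proxy or WAF rule could run on the raw header block to reject the Content-Length / Transfer-Encoding disagreement described above (plus the repeated-Content-Length and hidden-header variants) before anything is forwarded. The sample requests are constructed; only the header names and the RFC 7230 reference are real.

```python
# Added example, not from the original page. Checks the header block of a
# raw HTTP/1.1 request for the framing ambiguities that request smuggling
# relies on (RFC 7230 section 3.3.3). A front-end that rejects such requests
# instead of forwarding them leaves the backend nothing to disagree about.

KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def parse_headers(raw: bytes):
    """Return (name, value) pairs exactly as sent, without normalisation."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.decode("latin-1"), value.decode("latin-1")))
    return pairs


def framing_problems(raw: bytes):
    """List the reasons this request's body length is ambiguous (empty = ok)."""
    hdrs = parse_headers(raw)
    framing = ("content-length", "transfer-encoding")
    cl = [v.strip() for n, v in hdrs if n.strip().lower() == framing[0]]
    te = [v.strip() for n, v in hdrs if n.strip().lower() == framing[1]]
    problems = []
    # A space before the colon hides a header from strict parsers only.
    if any(n != n.rstrip() for n, _ in hdrs if n.strip().lower() in framing):
        problems.append("whitespace between header name and colon")
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:  # RFC 7230 tolerates identical duplicates; be strict anyway
        problems.append("repeated Content-Length header")
    for v in cl:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length {v!r}")
    for v in te:
        codings = [c.strip().lower() for c in v.split(",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            problems.append(f"unrecognised transfer-coding in {v!r}")
        if codings[-1] != "chunked":
            problems.append("chunked is not the final transfer-coding")
    return problems


# Constructed sample requests: the CL.TE shape from the text, and a clean one.
SMUGGLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nhi"
```

`framing_problems(SMUGGLE)` returns the CL/TE conflict while `framing_problems(CLEAN)` returns an empty list; a proxy should answer 400 on anything non-empty rather than pick a winner.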

40x bypassing

CORS misconfiguration

Tool

WAF

Identification

wafalyzer, wafw00f

Bypassing

A Methodology, Some tips, Unicode shenanigans (because of course)

Mess with the HTTP request

Pass two different Content-Length headers. Maybe the WAF uses one and the target server uses the other?

Set Content-Type: */* if certain filetypes (XXE?) are blocked.

Try a POST instead of a GET. If the filtering is applied to the requested path but the naughty string is in the parameters...

Find the unprotected server

Tell me more, DNS history, SSL history, Subdomains, CloudFail (for cloudflare-protected sites), Lilly (requires a shodan API key)

Maybe dev.target.com points to the actual server behind the WAF? Maybe target.com used to point straight to the server, and the server is still the same?

Bypass blocklists

URL-encode some part of your naughty string. Maybe the filter is applied before decoding?

Try multiple layers of encoding, strange as it may sound.

NoSQL injection

Tool

Exposed SCM data

ayfabtu supports svn, mercurial and git. DVCS Ripper (svn, mercurial, git, BZR). GitTools, gitjacker, git-dumper.

CSP

Evasion techniques

LFI

fimap, liffy, Kadimus, Kadabra

Try to use it to get the source of the vulnerable script. That will show you any filtering etc.

PHP has all kinds of funky pseudo-file protocols, and these are valid wherever file paths are. fimap and liffy support some of these tricks.

SSRF

What to do with a blind SSRF

SSTI

Tell me more, Tool

Server Side Template Injection

SQLi

SQLite

Use a NULL byte to terminate the query and get rid of stuff you can't comment out. Neat.

XSS

Event handlers by tag, Mutation points within an <a> tag
