Simple Web Pentest Checklist


- Fuzz the Application 
- Use testssl.sh to look for SSL issues and Vulnerabilities 
- Run Nikto & Nuclei, Dirsearch.py, BlackWidow on the target
- Check if the application is using AngularJS
	- Look for the version and its vulnerabilities 
- Check for Content Security Policy 
- Check for Cross Origin Resource Sharing 
	- Change the domain in the Origin header and see whether it is reflected in the response or not
		- Origin: somerandomdomain.com 
	- Add Multiple Origin Headers and see the response 
	- Add Port, Special chars, null strings to it and observe the changes 
- Look for Host Header Injection Attacks
	- Add extra host header 
	- Add an X-Forwarded-For: somerandomdomain.com header and see whether it is being reflected or not
- Look for cached responses (filter for the keyword "Cache" in Burp HTTP history); Web Cache Poisoning might be possible
- Check whether the HttpOnly and Secure flags are set on the cookies, and whether HSTS is enabled
- Check if .git exists and see if you can use https://github.com/arthaud/git-dumper
- Brute force credentials using Burp or ffuf (add the keyword "FUZZ" wherever you want to fuzz). You can add one or more fuzz parameters
	- ffuf -request req.txt -request-proto http wordlist.txt 
	- ffuf -request req.txt -request-proto http -mode clusterbomb -w user.txt:FUZZUSER -w pass.txt:FUZZPASS  
- If MFA is enabled, try to bypass it
	- by removing the otp parameter
	- by removing the function 
	- Check OTP timeout 
	- check duplicate OTP access
	- brute forcing otp 
	- OTP Attempts 
	- Check if one MFA code can be used to another account 
- If there is any payment involved --> test for race conditions
- Log in as Admin and as a low-privilege user and check for BAC & IDOR using ZAP/Burp
- In Burp, filter by input parameter status
	- Try to send all special characters as input and observe the response
	- If a page saves input, try XSS
	- SQL injection is possible on all parameters & headers, even Cookie and Referer
- If any passwords or credit cards are displayed as asterisks ("*")
	- Look at the responses in developer tools
	- Look at Client data - Json files for plain text data
- Check for JWT tokens 
	- Decode the JWT and change the `alg` to `none`
	- Change the content in the JWT token and see if it's being validated properly or not
	- Use Burp JSON Web Tokens Extension 
	- use https://github.com/aress31/jwtcat to see if they are using a weak key
- Check Session Vulnerabilities 
	- Take the session ID of the user and log out --> return using the same session ID
- Check the Password Reset link --> request the email and go to the link --> see if any external URLs are used inside the web page --> check the Referer sent to that domain --> see if the password reset token is available in the Referer header.
- Check Parameter Pollution --> add the same parameter twice with a different variable/ID
- `AutoComplete=off` --> Credit card processing/password --> check whether the browser cached the card info or not after updating the info on the website. It should not store the card info
	- Inspect the form and see if AutoComplete=off is added in the form or not. 
- Go to Developer Tools --> Application --> storage --> Session Storage --> try updating the values and observe the difference. 
- Look for any available docs on the website and extract metadata using exiftool -a file.doc 
- Check if the application parses or uses urls 
	- Try to update the url in the parameter
	- Try http://127.0.0.1 to test for SSRF
- Try a buffer overflow on the parameter
	- check if it gives any useful error messages 
- On Password update or payment pages - check if CSRF is possible 
- Check for SSTI using TPLMAP
	- python tplmap.py -u 'http://www.target.com/page?name=John'
- Look for obfuscated JS - decode it using de4js | JavaScript Deobfuscator and Unpacker
- Check Google Dorks
	- site:hackingdream.net AND intitle:"index of"
	- site:hackingdream.net AND ("mysql error with query" OR "mysqli_query" OR "mysqli_query" OR "pdo_mysql")
	- site:hackingdream.net AND ("[MICROSOFT]["ODBC SQL" OR "[SQL SERVER]")
	- site:hackingdream.net AND ("PostgreSQL server: FATAL" OR "not a valid PostgreSQL result")
	- site:hackingdream.net AND ("ORA-00933" OR "ORA-00921" OR "ORA-00936" OR "ORA-12541" OR "[ODBC SQL]")
	- site:hackingdream.net AND (ext:"backup" OR ext:"bak" OR ext:"old")
	- site:hackingdream.net AND intitle:"500"
	- site:hackingdream.net AND (inurl:"api" OR inurl:"key" OR inurl:"apikey")
	- site:hackingdream.net AND -inurl:"https"
	- More dorks here: https://www.boxpiper.com/posts/google-dork-list-error-messages
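The CORS, cookie-flag, HSTS and CSP items above all come down to reading the response headers. The following is an added example, not part of the checklist, that audits a captured response for those points; the sample response and the Origin value are constructed for illustration.

```python
# Added example (not part of the original checklist): audit a captured HTTP
# response for the CORS, cookie-flag, HSTS and CSP items in the list above.
# SAMPLE_RESPONSE is constructed for illustration.
from email.parser import Parser  # stdlib header parser; keeps repeated headers

SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
Access-Control-Allow-Origin: https://somerandomdomain.com
Access-Control-Allow-Credentials: true
"""


def parse_headers(raw: str):
    """Return (name, value) pairs from a raw response, names lower-cased."""
    _status, _, rest = raw.partition("\n")
    msg = Parser().parsestr(rest, headersonly=True)
    return [(k.lower(), v) for k, v in msg.items()]


def audit_response(raw: str, sent_origin: str):
    """Findings for a response captured after sending 'Origin: <sent_origin>'."""
    headers = parse_headers(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []
    # CORS: our chosen Origin echoed back together with credentials means any
    # site can read authenticated responses from this endpoint.
    acao = values("access-control-allow-origin")
    creds = [v.strip().lower() for v in values("access-control-allow-credentials")]
    if sent_origin in acao and "true" in creds:
        findings.append("CORS: supplied Origin reflected with credentials allowed")
    elif "*" in acao:
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    # Cookie flags: every Set-Cookie should carry both Secure and HttpOnly.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
    if not values("strict-transport-security"):
        findings.append("HSTS: Strict-Transport-Security header absent")
    if not values("content-security-policy"):
        findings.append("CSP: Content-Security-Policy header absent")
    return findings
```

Point it at a response saved from Burp after sending a request with a chosen Origin header; an empty list means all four checks passed.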
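For the JWT items in the list, this added example (not the author's code) shows what a verifier must do for the alg-none and edited-payload checks to fail: take the algorithm from its own policy, never from the token, and verify the HMAC before trusting the payload. DEMO_KEY and all tokens are constructed.

```python
# Added example (not the checklist author's code): a minimal HS256 JWT verifier
# that pins the algorithm, so the alg-none and payload-edit checks in the list
# above are rejected. DEMO_KEY and every token below are constructed.
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_hs256(token: str, key: bytes):
    """Return the payload if token is a valid HS256 JWT under key, else None.
    The algorithm comes from the verifier's policy, never from the token."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    return json.loads(b64url_decode(body_b64))


def demo() -> dict:
    """Run the verifier against a valid token and the two manipulations the
    checklist describes; True means the token was accepted."""
    good = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    header_b64, body_b64, sig_b64 = good.split(".")
    none_token = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + body_b64 + "."
    edited_body = b64url_encode(b'{"sub":"alice","role":"admin"}')
    tampered = f"{header_b64}.{edited_body}.{sig_b64}"
    return {
        "valid": verify_hs256(good, DEMO_KEY) is not None,
        "alg_none": verify_hs256(none_token, DEMO_KEY) is not None,
        "tampered": verify_hs256(tampered, DEMO_KEY) is not None,
    }
```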
