Web Pentesting Checklist

Search…

A raw checklist compiled from day-to-day test cases, Hackerone reports and unusual observations.

1. CVE 
2017-10271 Oracle Weblogic RCE [https://hackerone.com/reports/810755]
2017-3506 Oracle Weblogic RCE [https://hackerone.com/reports/810778]
2. Session Fixation
same character length + arbitrary/repetitive sequence
expired cookie value
expired cookie value from another user role
3. XSS
Check in account login/signin ReturnUrl parameter. The payload may be reflected in another page after login[https://hackerone.com/reports/438240]
All functions
All parameters
POST to GET with URL Encoding
Double URL Encoding
UTF-16 Encoding
XSS in caption of image. It is executed when the image is rendered.
4. DOM XSS
Redirect parameter [eg. https://a.net/?redirect=javascript:prompt(document.domain)%2f%2f]
5. CORS
OPTIONS Enabled?    [Only required when we send extra headers]
Set Origin Header to null
To send cookies -> withCredentials=true
6. SAML
Message Expiration
Message Replay
Signature missing
Signature validated
Self-Signed Signature
XML Signature Wrapping
XML External Entity
Dupe Key Confusion
7. Unrestricted File Upload
Bypassing Client side protection
.txtD.exe [replace D(44) with 00 in Hex]
Null Byte Injection 
Double Extensions [.txt.exe]
ZIP containing EICAR file
Use of semicolon after the forbidden extension and before the permitted extension example: file.asp;.jpg (Only in IIS 6 or prior - not sure, if it exists for more?)
Check if signature for file upload (so that it is not tampered) is being checked with its file name and not the content inside it.
8. Formula Injection
9. SSL/TLS
Test reneg upto 10-15 times only using openssl
10. Hidden HTML Elements
disabled="disabled"
ng-disabled="data.isViewOnly"
11. Anti-CSRF 
Try to re-use one user Anti-CSRF Token on another user account
Try to use the already used token
Try to check whether token is getting validated or not
Try to check that the token validation is based on partial length check or full length check 
12. json CSRF
Change Content-Type from application/json to text/plain
Flash CSRF using "spider" (compatibility: firefox 60.0, chrome(all) )
13. CSRF
_method=post in GET parameter to switch put request to post
Checking for any unique token in body of the request
Checking for any unique token in request headers
Checking Content-Type of the request header –> If the request of the body is application/json, we’ll check whether other content types are accepted or not like application/x-www-form-urlencoded and what not.
Checking for any referer checks [missing referrer header if allowed by application - ]
14. Dangerous Request Methods
TRACE
15. Session not invalidated
check if the session is invalidated by sending in-session request
Check using 2 concurrent browsers that if password has been reset for one account, then the same account logged in another browser should automatically logout. [Session Not Invalidated After Password Reset]
16. Time-of-check Time-of-use (TOCTOU) Race Condition
Race condition allows multiple execution of same request[2nd request results in failure but race condition allows it.]
Race condition allows to execute multiple requests for which checks when failed are being raced down eg. use bonus points more than once. [Burp Intruder]
Claim multiple tokens through intruder and block another user from acessing a token if there is a limited pool [https://hackerone.com/reports/488985]
17. Miscellaneous
/wp-content/uploads/file-manager/log.txt
Host header injection password reset email redirection [Host: attacker.com?.mavenlink.com]
Error Page Content Spoofing[.../This URL IS Down, Click on attacker.com]
Removal of Host Header - Internal IP disclosed
Password reset error message response gives profile data eg.security answers
Insufficiently protected credentials/unsecure caching mechanism may expose users credit card details[Payment application relays sensitive information back to client on error input]
User Agent SQL Injection/Cookie values [https://securityonline.info/sql-injection-user-agent-injection-attack/?cn-reloaded=1]
Open URL redirect with different protocol, ftp:// [https://hackerone.com/reports/459286]
URL Redirect warning doesn't show protocol and ports. [ftp://hackerone.com:3313 -> hackerone.com]
On-Site request forgery(OSRF)[https://portswigger.net/blog/on-site-request-forgery]
Padding Oracle Exploit for ASP.NET/Java [Custom error message required][https://www.acunetix.com/blog/news/check-application-vulnerable-asp-net-padding-oracle-vulnerability/]
Files with sensitive information available via HTTP
Check for graphql endpoint in application. [https://hackerone.com/reports/310946]
Error message displayed contains the absolute file path in the stack trace. It is recommended not to return sensitive data in the stack trace.
Delay in update of common settings between different subdomains (check for 5 minutes?)
Same site scripting [https://hackerone.com/reports/772039][https://www.acunetix.com/vulnerabilities/web/same-site-scripting/]
Check for any API endpoint containing user info. It can help in password reset as the user info can contain password reset hash. [https://hackerone.com/reports/842625]
Not a valid email [[email protected]] [https://hackerone.com/reports/823915]
18. Cache Poisoning
Web Cache poisoning - http://example.com/home.php/nonexistent.css [https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf] [https://hackerone.com/reports/492841]
[https://hackerone.com/reports/394016]
19. Violation of secure design principles
20. Improper Access Control - Generic
Login page protected by cloudflare, can be bypassed by directly requesting to oauth/login endpoint [https://hackerone.com/reports/507012]
Domain being used in application is on sale [https://hackerone.com/reports/471265]
Account takeover by bruteforcing verification codes on an endpoint [https://hackerone.com/reports/407971]
Account takeover through bruteforce of unlock codes to unlock self-locked account. [https://hackerone.com/reports/410221]
API request signature can be reused with other parameters/data than the original in certain cases like request timestamp. [https://hackerone.com/reports/425314]
New Hire information/Internal presentation/Meetings link[https://hackerone.com/reports/489284]
Making in-application requests without confirming email address [https://hackerone.com/reports/633371]
21. Improper Authentication
An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into central.uber.com, the state parameter for login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the state parameter to have a poisoned central.uber.com path which would redirect to a custom domain after login and allow them to steal an account OAuth access token.[https://hackerone.com/reports/206591]
If a user has an access token to an app, see if that can still be used after the user is removed. [https://hackerone.com/reports/700831]
22. Privilege Escalation
Subdomain Takeover [https://hackerone.com/reports/197489] [https://www.hackerone.com/blog/Guide-Subdomain-Takeovers]
Crawl through github to find any links not pointing to application domains.
23. OTP Bypass
Changing the reply of OTP validation from server - "false" to "true" and the client(js) sends another subsequent request to server which is performed without remembering that the OTP was denied previously.
24. Graphql Injection
​https://hackerone.com/reports/435066​
username = undefined [https://hackerone.com/reports/473742]
OR and AND - "order_number":". OR [email protected] AND NOT 1005 AND NOT 1035" [https://hackerone.com/reports/1017576]
25. IDOR (Insecure Direct Object Reference)
Password reset functionality sends id as a parameter in request. To further bypass 2FA, check for success message as a respone. Change 'false' to 'true'.[https://steemit.com/cryptocurrency/@mabdullah22/how-i-hacked-a-crypto-exchange-bug-bounty-writeup]
Intercept request to send file over your email and modify ID parameter. Download all files not even assigned to you [https://hackerone.com/reports/429000]
26. XXE
Blind XXE through URL Redirect [eg. abc.com?q=attacker_host/mal.xml]
Basic OOB
OOB using Parameter Entities eg. %
27. Password change does not require current password
Send a blank value in the parameter both from the UI and burp
Completely remove the parameter and its value
28. No Account Lockout Policy
Try to login using the different browser, ip to bypass account lockout.
29. Open URL Redirect
Append URL after / in "abc.com/" to see if it gets reflected in location header.
Disclose of sensitive token[medium vuln.]
​https://www.omise.co////bing.com/?www.omise.co/?category=interview&page=2 [%2f%2f%2fbing.com%2f%3fwww.omise.co]
Click interaction (For eg. load the page in french and switch language to land onto external website. https://secure.login.gov/fr?host=portswigger.net) [https://hackerone.com/reports/299835]
Bypass regex using '=%09http:///zeit.co%40google.com'
Bypass '=//facebook.com'[https://hackerone.com/reports/283460]
30. Information Disclosure
Checking if a private image, exchanged between 2 users(victim+attacker), loads, the attacker can predict if a particular visited the website.[https://hackerone.com/reports/329957]
OSINT search in pastebin for website/keyword
Debug URL eg. xyz.com/debug
[?] Set Cookie: 0=1 and a list of all supported cookies will be set in the response [https://hackerone.com/reports/310105]
Email address masked in browser but leaked in HTTPS response [https://hackerone.com/reports/269230]
AMASS tool from OWASP
31. Open ID Connect (OIDC)
32. Oauth [2.0]
Reflected XSS in Error Page
Invalidating oauth2 bearer token hardcoded in the application makes a service unavailable. [https://hackerone.com/reports/210779]
"callback_url" can include path instead of complete URI. Use path which consists of open URL redirect within the application and the oauth token will land on attacker site [https://hackerone.com/reports/110293]
The request that responds with a JWT. Try changing the email value in the final request of Oauth process to get the JWT bound to that email id entered. [https://hackerone.com/reports/729960]
33. SSRF
Using an IPv6 vector ([::]) Reports - https://hackerone.com/reports/386292 https://hackerone.com/reports/381129. Some Slack features like "Integrations / Phabricator" and "Integration / Slash Commands" allow users to submit URL that will be accessed by the backend servers. A blacklist tries to forbid access to internal resources (loopback, 10.0.0.0/8, 192.168.0.0/24, ...). This blacklist can be bypassed using "[::]" as the hostname. Only services binding all the interfaces and supporting IPv6 can be reached using that vector. :: is the IPv6 "unspecified" address, equivalent to 0.0.0.0 - the [] is notation to separate the address from the port specifier.
User can change svg-files that browser send to server, and can insert own xlink:href object and : 1.Link to local image files, to fingerprint versions of libraries installed on server 2."Billion laughs" attack, possible DoS attack to converter server 3.Try to change protocol to ftp and connect to ftp-servers 4.Try to exploit vulnerabilities like "Imagetragic", or XXE
34. XSSI (Cross Site Script Inclusion)
Private javascript snippets with sensitive data mapped to specific ids [https://hackerone.com/reports/348443]
[https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9]
35. HTTP Request Smuggling attack
CL.TE
TE.CL
TE.TE
36. XPath Injection (Normal/Blind)
Check in language parameter (eg. lang=en)
Currency Parameters (eg. p=aed, p=inr)
37. XSPA (Cross-Site Port Attack)
Confirm if the IP addresses are internal and not the ones obtained from webhooks of external hosts
38. Server-Side Template Injection
39. Directory Traversal
URL Encode the file name whose access has been forbidden.
40. Verb Tunneling [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-odata/bdbabfa6-8c4a-4741-85a9-8d93ffd66c41]
X-HTTP-Method: PUT
X-HTTP-Method-Override:
X-Method-Override:
41. Apache multiviews attack
GET /index HTTP/1.1
42. Business Logic flaw
Ticket Booking, Book More tickets than UI, Change Price to lesser than UI, Use previous as a combination together[https://hackerone.com/reports/422331]
43. Application Misconfiguration
if submitting 0 for a resource is not allowed, try with a few decimal places eg. 0.001, 0.000001 [https://hackerone.com/reports/125587]
Application framework default files left misconfigured can leak sensitive data or allow the user to perform unauthorized actions [https://hackerone.com/reports/723118]
44. DoS (Denial of Service)
Stacking up heavy resources on a page such that the page takes long enough to load which results in reverse proxy (eg. cloudflare) to disconnect the HTTP session [https://hackerone.com/reports/125587]
45. RCE (Remote Code Execution)
jexboss tool [https://hackerone.com/reports/502758]
HTML to PDF converter in signing of legal documents online[https://ysamm.com/?p=280]
46. reCaptcha
Disable javascript to check if reCaptcha can be bypassed
TOCTOU race condition
Posting reviews/voting
47. JWT (JSON Web Tokens)
set Signature : "None", remove signature but keep the ".". Format - "H.P."
{“alg”: “HS256”,“typ”: “JWT”}.{“uid”: “1234567890”,“sessionid”: “ALPHANUMERIC ID”}.SIGNATURE > {}.{“uid”: “1234567890”}
JWT secret key to sign for RS256 algo. is present in javascript
Key Confusion Attack [RS to HS]
JWK [CVE-2018-0114 Attack]
48. Cryptographic Issues
CAA rule applied? [dns.google.com RR type - 257]
49. CSS Escape sequences
Image URL's in profile/About me are replaced by internal image proxy URL's. Replace text with hexadecimal as parser doesn't support CSS escape sequences [https://hackerone.com/reports/745953]
50. Cross-Site Information leak
Placing URL's in script tags to fingerprint logged-in/logged-out or specific users [https://hackerone.com/reports/723175]
51. SSO
SSO redirect to http:// URL which can result in credential theft[https://hackerone.com/reports/703759]
52. Github
Search for sensitive keys eg. Cloud API keys
53. Cross site web socket hijacking (CSWSH)
54. SMTP injection
Add header "Content-Transfer-Encoding" with value base64 to bypass certain restrictions. [https://hackerone.com/reports/347439]
55. Spring Boot Actuator
/heapdump or /env [https://hackerone.com/reports/862589]
56. Cloudflare bypass
http-equiv > http-%00equiv [https://hackerone.com/reports/978680]
57. 2020 Top portswigger research
Path traversal via Server side template injection. If images are being embed in emails, try sending a local file path. [https://medium.com/@maxime.escourbiac/write-up-of-path-traversal-on-gravitee-io-8835941be69f]