Web Pentesting Checklist
A raw checklist compiled from day-to-day test cases, Hackerone reports and unusual observations.
Note: The vulnerabilities marked as [Experimental] have not been exploited in all of the checks mentioned, but those checks may carry a potential risk in the future.
1. CVE
2017-10271 Oracle Weblogic RCE [https://hackerone.com/reports/810755]
2017-3506 Oracle Weblogic RCE [https://hackerone.com/reports/810778]
2. Session Fixation
same character length + arbitrary/repetitive sequence
expired cookie value
expired cookie value from another user role
3. XSS
Check the ReturnUrl parameter on the account login/sign-in page. The payload may be reflected on another page after login [https://hackerone.com/reports/438240]
All functions
All parameters
POST to GET with URL Encoding
Double URL Encoding
UTF-16 Encoding
XSS in caption of image. It is executed when the image is rendered.
4. DOM XSS
Redirect parameter [eg. https://a.net/?redirect=javascript:prompt(document.domain)%2f%2f]
5. CORS
OPTIONS Enabled? [Only required when we send extra headers]
Set Origin Header to null
To send cookies -> withCredentials=true
6. SAML
Message Expiration
Message Replay
Signature missing
Signature validated
Self-Signed Signature
XML Signature Wrapping
XML External Entity
Dupe Key Confusion
7. Unrestricted File Upload
Bypassing Client side protection
.txtD.exe [replace D(44) with 00 in Hex]
Null Byte Injection
Double Extensions [.txt.exe]
ZIP containing EICAR file
Use of a semicolon after the forbidden extension and before the permitted extension, for example file.asp;.jpg (only in IIS 6 or earlier; not sure whether it exists in later versions?)
Check whether the file upload signature (meant to prevent tampering) is computed over the file name rather than the file content.
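The upload checks above, shown from the server side as an added example (not code from the original checklist): a typical weak extension filter beside a hardened handler that rejects null bytes and semicolons, consults only the last extension, verifies the content's magic bytes against that extension, and stores the file under a random server-side name. The magic-byte table and the names weak_check/hardened_check are constructed for this example.

```python
import re
import secrets
from typing import Optional, Tuple

# Allowed extensions and the magic bytes a file of that type must start with (constructed table).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Typical weak filter: passes if an allowed extension appears anywhere in the name.
    It accepts shell.jpg.php, file.asp;.jpg and photo.jpg\\x00.php alike."""
    return re.search(r"\.(png|jpe?g|gif)", filename, re.IGNORECASE) is not None


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Returns (accepted, reason, server_side_name).

    The client-supplied base name is never used for storage; only its last
    extension is consulted, and the content must carry that type's magic bytes."""
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename", None
    if any(c in filename for c in ";/\\"):
        return False, "separator or semicolon in filename", None
    if "." not in filename:
        return False, "no extension", None
    ext = filename.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed", None
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type", None
    # Random server-side name: the original name and any earlier extensions are discarded.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"
```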
8. Formula Injection
9. SSL/TLS
Test renegotiation using openssl, but only up to 10-15 times.
10. Hidden HTML Elements
disabled="disabled"
ng-disabled="data.isViewOnly"
11. Anti-CSRF
Try to re-use one user Anti-CSRF Token on another user account
Try to use the already used token
Try to check whether token is getting validated or not
Try to check that the token validation is based on partial length check or full length check
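A server-side token store that passes the four anti-CSRF checks above (session binding, single use, actual validation, full-length comparison), added here as an example and not taken from the checklist or any project. The class name CsrfTokens and its methods are constructed for this example.

```python
import hmac
import secrets


class CsrfTokens:
    """Anti-CSRF tokens bound to one session and valid for a single use."""

    def __init__(self) -> None:
        self._issued = {}  # session_id -> set of outstanding tokens

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id: str, presented: str) -> bool:
        """False for another session's token, a reused token, an empty value
        or a prefix of a valid token; True exactly once per issued token."""
        outstanding = self._issued.get(session_id, set())
        match = None
        for token in outstanding:
            # Constant-time comparison over the full length: a truncated token
            # never matches, and length differences are not signalled by timing.
            if hmac.compare_digest(token.encode(), presented.encode()):
                match = token
        if match is None:
            return False
        outstanding.discard(match)  # single use
        return True
```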
12. json CSRF
Change Content-Type from application/json to text/plain
Flash CSRF using "spider" (compatibility: firefox 60.0, chrome(all) )
13. CSRF
_method=post in a GET parameter to switch a PUT request to POST
Checking for any unique token in body of the request
Checking for any unique token in request headers
Checking the Content-Type request header -> If the request body is application/json, we'll check whether other content types are accepted or not, like application/x-www-form-urlencoded and so on.
Checking for any Referer checks [e.g. whether a request with a missing Referer header is accepted by the application]
14. Dangerous Request Methods
TRACE
15. Session not invalidated
Check whether the session is invalidated by sending an in-session request.
Check, using 2 concurrent browsers, that if the password has been reset for an account in one browser, the same account logged in in the other browser is automatically logged out. [Session Not Invalidated After Password Reset]
16. Time-of-check Time-of-use (TOCTOU) Race Condition
Race condition allows multiple executions of the same request [the 2nd request should fail, but the race condition lets it through.]
Race condition allows executing multiple requests whose checks should have failed, e.g. using bonus points more than once. [Burp Intruder]
Claim multiple tokens through Intruder and block another user from accessing a token if there is a limited pool [https://hackerone.com/reports/488985]
17. Miscellaneous
/wp-content/uploads/file-manager/log.txt
Host header injection password reset email redirection [Host: attacker.com?.mavenlink.com]
Error Page Content Spoofing[.../This URL IS Down, Click on attacker.com]
Removal of Host Header - Internal IP disclosed
Password reset error message response gives profile data eg.security answers
Insufficiently protected credentials/unsecure caching mechanism may expose users credit card details[Payment application relays sensitive information back to client on error input]
User Agent SQL Injection/Cookie values [https://securityonline.info/sql-injection-user-agent-injection-attack/?cn-reloaded=1]
Open URL redirect with different protocol, ftp:// [https://hackerone.com/reports/459286]
URL Redirect warning doesn't show protocol and ports. [ftp://hackerone.com:3313 -> hackerone.com]
On-Site request forgery(OSRF)[https://portswigger.net/blog/on-site-request-forgery]
Padding Oracle Exploit for ASP.NET/Java [Custom error message required][https://www.acunetix.com/blog/news/check-application-vulnerable-asp-net-padding-oracle-vulnerability/]
Files with sensitive information available via HTTP
Check for graphql endpoint in application. [https://hackerone.com/reports/310946]
Error message displayed contains the absolute file path in the stack trace. It is recommended not to return sensitive data in the stack trace.
Delay in update of common settings between different subdomains (check for 5 minutes?)
Check for any API endpoint containing user info. It can help in password reset as the user info can contain password reset hash. [https://hackerone.com/reports/842625]
Not a valid email [anyemail$1@anything.com] [https://hackerone.com/reports/823915]
18. Cache Poisoning
19. Violation of secure design principles
20. Improper Access Control - Generic
Login page protected by cloudflare, can be bypassed by directly requesting to oauth/login endpoint [https://hackerone.com/reports/507012]
Domain being used in application is on sale [https://hackerone.com/reports/471265]
Account takeover by bruteforcing verification codes on an endpoint [https://hackerone.com/reports/407971]
Account takeover through bruteforce of unlock codes to unlock self-locked account. [https://hackerone.com/reports/410221]
API request signature can be reused with other parameters/data than the original in certain cases like request timestamp. [https://hackerone.com/reports/425314]
New Hire information/Internal presentation/Meetings link[https://hackerone.com/reports/489284]
Making in-application requests without confirming email address [https://hackerone.com/reports/633371]
21. Improper Authentication
An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into central.uber.com, the state parameter for login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the state parameter to have a poisoned central.uber.com path which would redirect to a custom domain after login and allow them to steal an account OAuth access token.[https://hackerone.com/reports/206591]
If a user has an access token to an app, see if that can still be used after the user is removed. [https://hackerone.com/reports/700831]
22. Privilege Escalation
Subdomain Takeover [https://hackerone.com/reports/197489] [https://www.hackerone.com/blog/Guide-Subdomain-Takeovers]
Crawl through github to find any links not pointing to application domains.
23. OTP Bypass
Change the server's reply to OTP validation from "false" to "true"; the client (JS) then sends a subsequent request to the server, which is performed without remembering that the OTP was denied previously.
24. Graphql Injection
username = undefined [https://hackerone.com/reports/473742]
OR and AND - "order_number":". OR francisbeaudoin@wearehackerone.com AND NOT 1005 AND NOT 1035" [https://hackerone.com/reports/1017576]
25. IDOR (Insecure Direct Object Reference)
Password reset functionality sends the id as a parameter in the request. To further bypass 2FA, check for a success message in the response and change 'false' to 'true'. [https://steemit.com/cryptocurrency/@mabdullah22/how-i-hacked-a-crypto-exchange-bug-bounty-writeup]
Intercept request to send file over your email and modify ID parameter. Download all files not even assigned to you [https://hackerone.com/reports/429000]
26. XXE
Blind XXE through URL Redirect [eg. abc.com?q=attacker_host/mal.xml]
Basic OOB
OOB using Parameter Entities eg. %
27. Password change does not require current password
Send a blank value in the parameter both from the UI and burp
Completely remove the parameter and its value
28. No Account Lockout Policy
Try to log in using a different browser or IP to bypass account lockout.
29. Open URL Redirect
Append URL after / in "abc.com/" to see if it gets reflected in location header.
Disclosure of sensitive token [medium vuln.]
https://www.omise.co////bing.com/?www.omise.co/?category=interview&page=2 [%2f%2f%2fbing.com%2f%3fwww.omise.co]
Click interaction (For eg. load the page in french and switch language to land onto external website. https://secure.login.gov/fr?host=portswigger.net) [https://hackerone.com/reports/299835]
Bypass regex using '=%09http:///zeit.co%40google.com'
Bypass '=//facebook.com'[https://hackerone.com/reports/283460]
30. Information Disclosure
By checking whether a private image exchanged between 2 users (victim + attacker) loads, the attacker can infer whether a particular user visited the website. [https://hackerone.com/reports/329957]
OSINT search in pastebin for website/keyword
Debug URL eg. xyz.com/debug
[?] Set Cookie: 0=1 and a list of all supported cookies will be set in the response [https://hackerone.com/reports/310105]
Email address masked in browser but leaked in HTTPS response [https://hackerone.com/reports/269230]
AMASS tool from OWASP
31. Open ID Connect (OIDC)
32. Oauth [2.0]
Reflected XSS in Error Page
Invalidating oauth2 bearer token hardcoded in the application makes a service unavailable. [https://hackerone.com/reports/210779]
"callback_url" can include path instead of complete URI. Use path which consists of open URL redirect within the application and the oauth token will land on attacker site [https://hackerone.com/reports/110293]
The request that responds with a JWT: try changing the email value in the final request of the OAuth process to get a JWT bound to the email entered. [https://hackerone.com/reports/729960]
33. SSRF
Using an IPv6 vector ([::]). Reports: https://hackerone.com/reports/386292, https://hackerone.com/reports/381129. Some Slack features like "Integrations / Phabricator" and "Integration / Slash Commands" allow users to submit a URL that will be accessed by the backend servers. A blacklist tries to forbid access to internal resources (loopback, 10.0.0.0/8, 192.168.0.0/24, ...). This blacklist can be bypassed using "[::]" as the hostname. Only services binding all the interfaces and supporting IPv6 can be reached using that vector. :: is the IPv6 "unspecified" address, equivalent to 0.0.0.0; the [] is notation to separate the address from the port specifier.
Users can change SVG files that the browser sends to the server, and can insert their own xlink:href object and:
1. Link to local image files, to fingerprint versions of libraries installed on the server
2. "Billion laughs" attack, a possible DoS attack on the converter server
3. Try to change the protocol to ftp and connect to ftp servers
4. Try to exploit vulnerabilities like "Imagetragic", or XXE
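The blacklist bypass above comes from matching the literal hostname. The following is an added example (not from the checklist or from Slack) of the allow-list approach a backend can use instead: parse the URL, resolve the host to every address it maps to, and refuse anything that is unspecified, loopback, private, link-local, multicast or reserved, unwrapping IPv4-mapped IPv6 addresses first so "[::]", "0.0.0.0" and "[::ffff:127.0.0.1]" are all caught. The function is_safe_url and its injectable resolve parameter are constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse


def _resolve(host: str) -> List[str]:
    """Default resolver: every address the host resolves to (tests inject a fake one)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _blocked(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def is_safe_url(url: str, resolve: Callable[[str], List[str]] = _resolve) -> Tuple[bool, str]:
    """Allow-list check for an outbound fetch of a user-supplied URL."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    host = p.hostname  # brackets are already stripped: "[::]" -> "::"
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address, no lookup needed
    except ValueError:
        # Hostnames (including decimal/octal forms the OS resolver accepts) are
        # resolved, and every returned address must pass, not just the first.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "host has no addresses"
    for ip in addrs:
        if _blocked(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"
```

The address that passed this check should also be the one actually connected to; re-resolving at connect time reopens the gap to DNS rebinding.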
34. XSSI (Cross Site Script Inclusion)
Private javascript snippets with sensitive data mapped to specific ids [https://hackerone.com/reports/348443]
35. HTTP Request Smuggling attack
CL.TE
TE.CL
TE.TE
36. XPath Injection (Normal/Blind)
Check in language parameter (eg. lang=en)
Currency Parameters (eg. p=aed, p=inr)
37. XSPA (Cross-Site Port Attack)
Confirm if the IP addresses are internal and not the ones obtained from webhooks of external hosts
38. Server-Side Template Injection
39. Directory Traversal
URL Encode the file name whose access has been forbidden.
X-HTTP-Method: PUT
X-HTTP-Method-Override:
X-Method-Override:
41. Apache multiviews attack
GET /index HTTP/1.1
42. Business Logic flaw
Ticket Booking, Book More tickets than UI, Change Price to lesser than UI, Use previous as a combination together[https://hackerone.com/reports/422331]
43. Application Misconfiguration
if submitting 0 for a resource is not allowed, try with a few decimal places eg. 0.001, 0.000001 [https://hackerone.com/reports/125587]
Application framework default files left misconfigured can leak sensitive data or allow the user to perform unauthorized actions [https://hackerone.com/reports/723118]
44. DoS (Denial of Service)
Stacking up heavy resources on a page such that the page takes long enough to load which results in reverse proxy (eg. cloudflare) to disconnect the HTTP session [https://hackerone.com/reports/125587]
45. RCE (Remote Code Execution)
jexboss tool [https://hackerone.com/reports/502758]
HTML to PDF converter in signing of legal documents online[https://ysamm.com/?p=280]
46. reCaptcha
Disable javascript to check if reCaptcha can be bypassed
TOCTOU race condition
Posting reviews/voting
47. JWT (JSON Web Tokens)
set Signature : "None", remove signature but keep the ".". Format - "H.P."
{"alg": "HS256","typ": "JWT"}.{"uid": "1234567890","sessionid": "ALPHANUMERIC ID"}.SIGNATURE > {}.{"uid": "1234567890"}
JWT secret key to sign for RS256 algo. is present in javascript
Key Confusion Attack [RS to HS]
JWK [CVE-2018-0114 Attack]
48. Cryptographic Issues
CAA rule applied? [dns.google.com RR type - 257]
49. CSS Escape sequences
Image URLs in profile/About me are replaced by internal image proxy URLs. Replace text with hexadecimal, as the parser doesn't support CSS escape sequences [https://hackerone.com/reports/745953]
50. Cross-Site Information leak
Placing URLs in script tags to fingerprint logged-in/logged-out or specific users [https://hackerone.com/reports/723175]
51. SSO
SSO redirect to http:// URL which can result in credential theft[https://hackerone.com/reports/703759]
52. Github
Search for sensitive keys eg. Cloud API keys
53. Cross site web socket hijacking (CSWSH)
54. SMTP injection
Add header "Content-Transfer-Encoding" with value base64 to bypass certain restrictions. [https://hackerone.com/reports/347439]
55. Spring Boot Actuator
/heapdump or /env [https://hackerone.com/reports/862589]
56. Cloudflare bypass
http-equiv > http-%00equiv [https://hackerone.com/reports/978680]
57. 2020 Top portswigger research
Path traversal via server-side template injection. If images are being embedded in emails, try sending a local file path. [https://medium.com/@maxime.escourbiac/write-up-of-path-traversal-on-gravitee-io-8835941be69f]
58. Apache APISIX [Experimental]
CVE-2022-24112
Enumerate routes in APISIX. We can browse the UI of the web application to discover some of the paths to routes, e.g. https://<domain>/apisix/company/ListAll. We could enumerate them this way: /apisix/company/FUZZ
[To-Do] Discovering POST/PUT body parameters for the discovered routes.
59. .NET
.Net has weird functionality that allows URL path components after a mapped legitimate URL to be passed along to the application. This information is exposed in Request.PathInfo. This can be used to bypass 403 restrictions. [Source]
For the URL http://www.contoso.com/virdir/page.html/tail, the PathInfo value is /tail.