Web Pentesting Checklist
A raw checklist compiled from day-to-day test cases, Hackerone reports and unusual observations.
CVE-2017-10271 Oracle WebLogic RCE
CVE-2017-3506 Oracle WebLogic RCE
same character length + arbitrary/repetitive sequence
expired cookie value
expired cookie value from another user role
Check the account login/sign-in ReturnUrl parameter; the payload may be reflected in another page after login.
All functions
All parameters
POST to GET with URL Encoding
Double URL Encoding
UTF-16 Encoding
XSS in caption of image. It is executed when the image is rendered.
OPTIONS Enabled? [Only required when we send extra headers]
Set Origin Header to null
To send cookies -> withCredentials=true
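As an added example (not part of the original checklist), a small classifier for one CORS probe: given the Origin value that was sent and the response headers that came back, it flags a reflected arbitrary origin, an accepted "null" origin, and either one combined with credentials. TRUSTED_ORIGINS and the sample responses are assumptions constructed for the demo.

```python
# Added example (not from the checklist): classify one CORS probe, i.e. the
# Origin value that was sent and the response headers that came back, for the
# misconfigurations the checklist looks for: an arbitrary origin reflected,
# the "null" origin accepted, and either combined with
# Access-Control-Allow-Credentials: true. TRUSTED_ORIGINS is an assumed allow-list.
TRUSTED_ORIGINS = {"https://app.example.com"}


def classify_cors(sent_origin: str, resp_headers: dict) -> list:
    """Return the findings for one probe; an empty list means nothing to flag."""
    headers = {k.lower(): v for k, v in resp_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings = []
    if acao is None:
        return findings            # browser blocks cross-origin reads: nothing to flag
    if acao == "*":
        findings.append("wildcard ACAO")
        if creds:                  # browsers refuse this combination, but note the intent
            findings.append("wildcard ACAO with credentials (rejected by browsers)")
        return findings
    if acao == "null" and sent_origin == "null":
        findings.append("null origin allowed")
    elif acao == sent_origin and sent_origin not in TRUSTED_ORIGINS:
        findings.append("arbitrary origin reflected")
    if findings and creds:
        findings.append("credentialed: authenticated responses readable cross-origin")
    return findings


# Constructed responses for the Origin values the checklist suggests sending.
SAMPLE_PROBES = [
    ("https://attacker.example", {"Access-Control-Allow-Origin": "https://attacker.example",
                                  "Access-Control-Allow-Credentials": "true"}),
    ("null", {"Access-Control-Allow-Origin": "null"}),
    ("https://app.example.com", {"Access-Control-Allow-Origin": "https://app.example.com",
                                 "Access-Control-Allow-Credentials": "true"}),
]

if __name__ == "__main__":
    for origin, hdrs in SAMPLE_PROBES:
        print(origin, "->", classify_cors(origin, hdrs) or ["ok"])
```

The preflight (OPTIONS) response needs the same treatment when custom headers are sent; the classifier above looks only at the headers it is handed, so feed it either response.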
Message Expiration
Message Replay
Signature missing
Signature validated
Self-Signed Signature
XML Signature Wrapping
XML External Entity
Dupe Key Confusion
Bypassing Client side protection
.txtD.exe [replace the D (0x44) with 0x00 in hex to inject a null byte]
Null Byte Injection
Double Extensions [.txt.exe]
ZIP containing EICAR file
Semicolon after the forbidden extension and before the permitted extension, e.g. file.asp;.jpg (only IIS 6 or earlier; not sure whether later versions are affected)
Check whether the upload signature (meant to prevent tampering) is computed over the file name only rather than the file content.
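As an added example (not part of the original checklist), a server-side filename check that closes the bypasses listed above: null bytes, double extensions, the IIS semicolon trick, client-supplied directory parts and URL-encoded names. ALLOWED_EXT and the sample names are assumptions for the demo.

```python
# Added example (not from the checklist): a server-side filename check covering
# the bypasses listed above: null bytes (.txt\x00.exe), double extensions
# (.txt.exe), the IIS 6 semicolon trick (file.asp;.jpg), client-supplied paths
# and URL-encoded names. Anything outside a strict allow-list is rejected.
# ALLOWED_EXT is an assumed allow-list for the demo.
import os
import re
from typing import Optional

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_upload_name(raw: str) -> Optional[str]:
    """Return a sanitized 'base.ext' name, or None if the upload must be rejected."""
    # Null bytes and other control characters: reject rather than truncate, so no
    # downstream C component ever sees a shorter name than the one validated here.
    if any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return None
    # Drop any directory part the client sent (absolute paths, ../ traversal).
    name = os.path.basename(raw.replace("\\", "/"))
    # Characters that IIS, NTFS streams or a URL decoder may treat as end-of-name.
    if any(sep in name for sep in (";", ":", "%")):
        return None
    parts = name.split(".")
    if len(parts) != 2:          # exactly one extension: no "a.txt.exe", no bare "file"
        return None
    base, ext = parts
    ext = ext.lower()
    if ext not in ALLOWED_EXT or not SAFE_BASE.match(base):
        return None
    return f"{base}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, one per bypass in the checklist.
    for sample in ("report.txt", "shell.txt\x00.exe", "shell.txt.exe",
                   "file.asp;.jpg", "../../etc/passwd.txt", "shell.php"):
        print(repr(sample), "->", safe_upload_name(sample))
```

The name check is only half of the test: whatever signature or type check the server applies must be computed over the file content (magic bytes), not the name alone.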
Test TLS renegotiation only up to 10-15 times, using openssl
disabled="disabled"
ng-disabled="data.isViewOnly"
Try to re-use one user Anti-CSRF Token on another user account
Try to use the already used token
Try to check whether token is getting validated or not
Try to check that the token validation is based on partial length check or full length check
Change Content-Type from application/json to text/plain
Flash CSRF using "spider" (compatibility: firefox 60.0, chrome(all) )
_method=POST as a GET parameter to switch a PUT request to POST
Checking for any unique token in body of the request
Checking for any unique token in request headers
Checking the Content-Type request header -> if the request body is application/json, check whether other content types such as application/x-www-form-urlencoded are accepted too.
Checking for any Referer checks [is a missing Referer header accepted by the application?]
TRACE
Check if the session is invalidated by sending an in-session request
Check with 2 concurrent browsers: after the password is reset for an account in one browser, the same account's session in the other browser should be logged out automatically. [Session Not Invalidated After Password Reset]
Race condition allows multiple executions of the same request [the 2nd request would normally fail, but the race allows it]
Race condition allows executing multiple requests whose checks are raced past before they fail, e.g. using bonus points more than once. [Burp Intruder]
/wp-content/uploads/file-manager/log.txt
Host header injection: password reset email redirection [Host: attacker.com?.mavenlink.com]
Error Page Content Spoofing [.../This URL IS Down, Click on attacker.com]
Removal of Host Header - Internal IP disclosed
Password reset error message response gives profile data, e.g. security answers
Insufficiently protected credentials / insecure caching mechanism may expose users' credit card details [payment application relays sensitive information back to the client on error input]
URL Redirect warning doesn't show protocol and ports. [ftp://hackerone.com:3313 -> hackerone.com]
Files with sensitive information available via HTTP
Error message displayed contains the absolute file path in the stack trace. It is recommended not to return sensitive data in the stack trace.
Delay in update of common settings between different subdomains (check for 5 minutes?)
Crawl through GitHub to find any links not pointing to application domains.
Change the server's OTP validation reply from "false" to "true"; the client (JS) then sends a subsequent request which the server performs without remembering that the OTP was denied previously.
Blind XXE through URL Redirect [eg. abc.com?q=attacker_host/mal.xml]
Basic OOB
OOB using Parameter Entities eg. %
Send a blank value in the parameter both from the UI and Burp
Completely remove the parameter and its value
Try to log in using a different browser or IP to bypass account lockout.
Append URL after / in "abc.com/" to see if it gets reflected in location header.
Disclosure of sensitive token [medium vuln.]
Bypass regex using '=%09http:///zeit.co%40google.com'
OSINT search in pastebin for website/keyword
Debug URL eg. xyz.com/debug
Amass tool from OWASP
Reflected XSS in Error Page
Users can modify the SVG files the browser sends to the server and insert their own xlink:href objects to: 1. link to local image files to fingerprint versions of libraries installed on the server; 2. mount a "billion laughs" DoS against the converter server; 3. change the protocol to ftp and connect to FTP servers; 4. try vulnerabilities such as "ImageTragick" or XXE.
CL.TE
TE.CL
TE.TE
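As an added example (not part of the original checklist), a header inspection that flags the request shapes behind CL.TE, TE.CL and TE.TE so an edge proxy or a log review can reject or spot them. The sample requests are constructed, not captured traffic.

```python
# Added example (not from the checklist): inspect the header block of a raw
# HTTP/1.1 request for the shapes behind CL.TE, TE.CL and TE.TE: Content-Length
# and Transfer-Encoding sent together, conflicting Content-Length values, or a
# Transfer-Encoding name/value obfuscated so that front-end and back-end parse
# it differently. A front-end should reject or normalize such requests
# (RFC 7230 section 3.3.3). The sample requests are constructed, not captured.


def smuggling_findings(raw: bytes) -> list:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    cl, te, findings = [], [], []
    for line in head.split("\r\n")[1:]:              # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        lname = name.strip().lower()
        if lname == "content-length":
            cl.append(value.strip())
        elif lname == "transfer-encoding":
            te.append(value)                         # raw value: whitespace tricks matter
            if name != name.strip():                 # "Transfer-Encoding : chunked"
                findings.append(f"whitespace around TE header name: {name!r}")
    if cl and te:
        findings.append("CL and TE both present (CL.TE / TE.CL ambiguity)")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    for v in te:
        # Only "chunked" after a single optional space is taken as unambiguous;
        # " xchunked", "\tchunked", " chunked, identity", " cHunked" are all flagged.
        if v not in (" chunked", "chunked"):
            findings.append(f"obfuscated Transfer-Encoding value: {v!r} (TE.TE)")
    return findings


# Constructed samples.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n"
         b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    for label, req in (("CL.TE", CL_TE), ("TE.TE", TE_TE), ("clean", CLEAN)):
        print(label, "->", smuggling_findings(req) or ["no finding"])
```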
Check in language parameter (eg. lang=en)
Currency Parameters (eg. p=aed, p=inr)
Confirm if the IP addresses are internal and not the ones obtained from webhooks of external hosts
URL Encode the file name whose access has been forbidden.
X-HTTP-Method: PUT
X-HTTP-Method-Override:
X-Method-Override:
GET /index HTTP/1.1
Disable javascript to check if reCaptcha can be bypassed
TOCTOU race condition
Posting reviews/voting
Set the signature algorithm to "None", remove the signature but keep the trailing "." (format: "H.P.")
{"alg": "HS256","typ": "JWT"}.{"uid": "1234567890","sessionid": "ALPHANUMERIC ID"}.SIGNATURE > {}.{"uid": "1234567890"}
JWT secret key used to sign with the RS256 algorithm is present in JavaScript
Key Confusion Attack [RS to HS]
JWK [CVE-2018-0114 Attack]
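As an added example (not part of the original checklist), a minimal HS256 verifier that rejects the token shapes listed above: the "alg: none" / empty-signature form "H.P.", a stripped "{}" header, and a header claiming a different algorithm than the one the server pins (the RS-to-HS confusion). The secret and tokens are constructed for the demo; a real service should use a maintained JWT library with the algorithm pinned, but the checks are the same.

```python
# Added example (not from the checklist): an HS256 verifier that refuses the
# attacks listed above: alg "none" / empty signature ("header.payload."),
# a stripped header ("{}.payload"), and algorithm confusion (a header that says
# RS256 or anything other than the algorithm the server pins). The secret is a
# constructed demo value; the algorithm is never read from the token.
import base64
import hashlib
import hmac
import json

SECRET = b"demo-secret-do-not-use"      # assumed server-side HS256 key
EXPECTED_ALG = "HS256"                  # pinned; never trust the token's own alg


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes = SECRET) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes = SECRET):
    """Return the payload dict if the token verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):            # "h.p." and "h.p" are both rejected
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:                               # bad base64 or bad JSON
        return None
    # A missing alg ("{}" header), "none"/"None", or RS256 all fail this pin.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(body_b64))
```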
CAA rule applied? [dns.google.com RR type - 257]
Search for sensitive keys eg. Cloud API keys
CVE-2022-24112
Enumerate routes in APISIX. We can browse the UI of the web application to discover some of the route paths, e.g. https://<domain>/apisix/company/ListAll, and then enumerate this way: /apisix/company/FUZZ
[To-Do] Discovering POST/PUT body parameters for the discovered routes.
For the URL http://www.contoso.com/virdir/page.html/tail, the PathInfo value is /tail.
Redirect parameter [eg. ]
Claim multiple tokens through Intruder and block another user from accessing a token if there is a limited pool
User-Agent / cookie value SQL injection
Open URL redirect with a different protocol, e.g. ftp://
On-Site Request Forgery (OSRF)
Padding Oracle exploit for ASP.NET/Java [custom error message required]
Check for a GraphQL endpoint in the application.
Same-site scripting
Check for any API endpoint containing user info. It can help in password reset as the user info can contain the password reset hash.
Not a valid email [anyemail$1@anything.com]
Web Cache Poisoning
Login page protected by Cloudflare can be bypassed by directly requesting the oauth/login endpoint
Domain being used in the application is on sale
Account takeover by brute-forcing verification codes on an endpoint
Account takeover through brute force of unlock codes to unlock a self-locked account.
API request signature can be reused with parameters/data other than the original in certain cases, e.g. request timestamp.
New hire information / internal presentation / meeting links
Making in-application requests without confirming the email address
An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into central.uber.com, the state parameter for login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the state parameter to have a poisoned central.uber.com path which would redirect to a custom domain after login and allow them to steal an account OAuth access token.
If a user has an access token to an app, see if it can still be used after the user is removed.
Subdomain Takeover
username = undefined
OR and AND - "order_number":". OR francisbeaudoin@wearehackerone.com AND NOT 1005 AND NOT 1035"
Password reset functionality sends the id as a parameter in the request. To further bypass 2FA, check for a success message in the response and change 'false' to 'true'.
Intercept the request that sends a file to your email and modify the ID parameter: download all files, even ones not assigned to you
[%2f%2f%2fbing.com%2f%3fwww.omise.co]
Click interaction (e.g. load the page in French and switch language to land on an external website.)
Bypass '=//facebook.com'
Check whether a private image exchanged between 2 users (victim + attacker) loads; the attacker can then tell whether a particular user visited the website.
[?] Set Cookie: 0=1 and a list of all supported cookies will be set in the response
Email address masked in the browser but leaked in the HTTPS response
Invalidating an OAuth2 bearer token hard-coded in the application makes a service unavailable.
"callback_url" can include a path instead of a complete URI. Use a path that contains an open URL redirect within the application and the OAuth token will land on the attacker site
For the request that responds with a JWT, try changing the email value in the final request of the OAuth process to get a JWT bound to the email id entered.
Using an IPv6 vector ([::]) Reports - . Some Slack features like "Integrations / Phabricator" and "Integration / Slash Commands" allow users to submit URL that will be accessed by the backend servers. A blacklist tries to forbid access to internal resources (loopback, 10.0.0.0/8, 192.168.0.0/24, ...). This blacklist can be bypassed using "[::]" as the hostname. Only services binding all the interfaces and supporting IPv6 can be reached using that vector. :: is the IPv6 "unspecified" address, equivalent to 0.0.0.0 - the [] is notation to separate the address from the port specifier.
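As an added example (not part of the original checklist or the Slack report), a destination check for user-supplied URLs that resolves the host and classifies every resulting address with the ipaddress module instead of a string blacklist, which is why the "[::]" vector above is caught. The stub DNS table, hostnames and sample addresses are constructed so the demo runs offline.

```python
# Added example (not from the checklist): decide whether a user-supplied URL may
# be fetched by the backend by resolving it and classifying every resulting
# address with the ipaddress module instead of a string blacklist. This catches
# the "[::]" vector above (IPv6 unspecified, equivalent to 0.0.0.0), plain
# 0.0.0.0, IPv4-mapped IPv6 (::ffff:127.0.0.1), link-local/metadata and RFC 1918
# ranges. The resolver is a constructed stub so the demo runs offline; a real
# check must also connect to the address it validated (DNS rebinding).
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for socket.getaddrinfo(); the public address is a sample.
STUB_DNS = {
    "hook.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # one public, one internal
}


def is_internal(addr) -> bool:
    """True for any IPv4/IPv6 address a backend must never fetch from."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                       # ::ffff:a.b.c.d -> a.b.c.d
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def outbound_url_allowed(url: str, resolver=None) -> bool:
    resolver = resolver or (lambda host: STUB_DNS.get(host, []))
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                                  # no ftp://, file://, gopher:// ...
    host = parts.hostname                             # brackets of IPv6 literals are stripped
    try:
        addrs = [ipaddress.ip_address(host)]          # a literal address was given
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return False
    if not addrs:
        return False                                  # unresolvable: fail closed
    return not any(is_internal(a) for a in addrs)    # every answer must be external
```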
Private JavaScript snippets with sensitive data mapped to specific ids
Ticket booking: book more tickets than the UI allows, change the price to less than the UI shows, or use the previous ones in combination
If submitting 0 for a resource is not allowed, try with a few decimal places, e.g. 0.001, 0.000001
Application framework default files left misconfigured can leak sensitive data or allow the user to perform unauthorized actions
Stacking up heavy resources on a page so that it takes long enough to load that the reverse proxy (e.g. Cloudflare) disconnects the HTTP session
jexboss tool
HTML to PDF converter in online signing of legal documents
Image URLs in profile/About me are replaced by internal image proxy URLs. Replace text with hexadecimal as the parser doesn't support CSS escape sequences
Placing URLs in script tags to fingerprint logged-in/logged-out or specific users
SSO redirect to an http:// URL, which can result in credential theft
Add header "Content-Transfer-Encoding" with value base64 to bypass certain restrictions.
/heapdump or /env
http-equiv > http-%00equiv
Path traversal via server-side template injection. If images are being embedded in emails, try sending a local file path.
.NET has unusual functionality that allows URL path components after a mapped legitimate URL to be passed along to the application. This information is exposed in Request.PathInfo and can be used to bypass 403 restrictions.