Pentest checklists

Web pentest

  • XSS:

    • DOM based:
      • Check if front-end JS code is readable
      • Look for XSS sources (e.g. window.location)
    • Reflected:
      • Check GET / POST / PUT / PATCH params (keys and values!)
      • Check what you get in the response
    • Stored:
      • Check DB inputs (creating or updating objects, logs)
      • Check what is obtained from DB
      • Maybe PUT / PATCH has different validation than POST?
    • DOM based via postMessage()
      • Check whether a 'message' event listener is registered with no or incorrect origin validation (e.g. indexOf/startsWith/regex instead of an exact match of event.origin). Keywords to grep for in the front-end code: postMessage(, addEventListener('message', .on('message'
      • Create a malicious website that opens the victim with window.open('http://victim.com') and sends it a malicious message: victim.postMessage({data: 'xss'}, '*')
      • A weak origin check may still need bypassing (e.g. a prefix/substring match that accepts app.example.evil.com)
      • Browser extensions to sniff messages: Posta, MessPostage
    • Stored DOM based:
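The postMessage case above, as an added example (not code from these notes): a 'message' listener that trusts every sender, a hardened one, and the attacker page that drives it. ALLOWED_ORIGIN, the hosts, the handler names and the sink callbacks are assumptions for the demo.

```javascript
// Added example, not from the original notes. All hosts and names are assumed.
const ALLOWED_ORIGIN = 'https://app.example';          // assumed trusted origin

// Vulnerable: no origin check, attacker-controlled HTML goes straight to a DOM sink.
// This is the pattern to grep for: addEventListener('message', ...) with no test of e.origin.
function vulnerableHandler(event, sink) {
  sink(event.data.html);                               // e.g. widget.innerHTML = ...
  return true;
}

// Hardened: exact origin match (not startsWith/indexOf, which
// 'https://app.example.evil.example' would pass), shape check, text-only sink.
function hardenedHandler(event, sink) {
  if (event.origin !== ALLOWED_ORIGIN) return false;
  if (typeof event.data !== 'object' || event.data === null) return false;
  if (typeof event.data.text !== 'string') return false;
  sink(event.data.text);                               // e.g. widget.textContent = ...
  return true;
}

// The attacker page from the checklist, as HTML to host on the attacker's site:
// open the victim so its listener is registered, then post with targetOrigin '*'.
function attackerPage(victimUrl) {
  return `<script>
const w = window.open(${JSON.stringify(victimUrl)});
setTimeout(() => w.postMessage({ html: '<img src=x onerror=alert(document.domain)>' }, '*'), 2000);
</script>`;
}

// Offline stand-in for the browser: deliver a MessageEvent-like object to a
// handler and record what reached the sink.
function simulate(handler, origin, data) {
  const rendered = [];
  const accepted = handler({ origin, data, source: null }, (v) => rendered.push(v));
  return { accepted, rendered };
}

// Constructed message: what the attacker page above would send.
const payload = { html: '<img src=x onerror=alert(1)>', text: 'hello' };
console.log('vulnerable accepts cross-origin:', simulate(vulnerableHandler, 'https://evil.example', payload));
console.log('hardened accepts cross-origin:', simulate(hardenedHandler, 'https://evil.example', payload));
console.log('hardened accepts trusted origin:', simulate(hardenedHandler, ALLOWED_ORIGIN, payload));
```

When reviewing a real listener, also check what the message is used for after the origin test: an exact-origin check in front of `innerHTML` still leaves the app one compromised trusted page away from XSS.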
  • Content-Type incorrectly stated:

  • CRLF injection:

    • HTTP header injection:
      • URL?p=1\r\nHeader: New-Value\r\n (raw form, as the server sees it)
      • URL?p=1%0d%0aHeader:%20New-Value%0d%0a (URL-encoded form, as sent on the wire)
    • HTTP response splitting (content injection): an empty line ends the headers, so everything after it becomes the body
      • URL?p=1\r\n\r\n<script>alert(1)</script>
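The two CRLF payloads above against a hand-written redirect, as an added example that is not part of these notes: a handler that concatenates the `p` parameter into the Location header, a hardened version, and a client-side parser that shows what the browser would see. The parameter name `p`, the /view path and the function names are assumptions.

```javascript
// Added example, not from the original notes. Parameter and path names are assumed.

// Vulnerable: raw string concatenation into the header block, no CR/LF check.
function buildRedirectVulnerable(p) {
  return 'HTTP/1.1 302 Found\r\n' +
         'Location: /view?p=' + p + '\r\n' +
         'Content-Length: 0\r\n' +
         '\r\n';
}

// Hardened: refuse control characters before they reach the header block and
// encode the value. (Frameworks that build headers for you, e.g. Node's
// http.ServerResponse.setHeader, already reject CR/LF; the bug survives where
// headers are written by hand or through an older / custom layer.)
function buildRedirectHardened(p) {
  if (/[\r\n\0]/.test(p)) {
    throw new Error('refusing header value containing CR/LF');
  }
  return 'HTTP/1.1 302 Found\r\n' +
         'Location: /view?p=' + encodeURIComponent(p) + '\r\n' +
         'Content-Length: 0\r\n' +
         '\r\n';
}

// Parse a raw response the way a client does: status line, then headers up to
// the first empty line, and everything after that line is the body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const [statusLine, ...headerLines] = head.split('\r\n');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { statusLine, headers, body };
}

// The checklist payloads, already URL-decoded (what the server receives).
const headerInjection   = '1\r\nSet-Cookie: session=attacker';        // adds a header
const responseSplitting = '1\r\n\r\n<script>alert(1)</script>';       // injects a body

const injected = parseResponse(buildRedirectVulnerable(headerInjection));
console.log('injected header:', injected.headers['set-cookie']);
const split = parseResponse(buildRedirectVulnerable(responseSplitting));
console.log('injected body:', JSON.stringify(split.body));
try {
  buildRedirectHardened(headerInjection);
} catch (e) {
  console.log('hardened:', e.message);
}
```

When testing a real target, send the encoded form and look for your header name (or a `Set-Cookie` you chose) in the response; a reflected `%0d%0a` that comes back as literal text means the server encoded it and the vector is closed.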
  • SQL injection:

  • SQL injection (second order):

  • SSTI:

    • Is this app MPA?
  • CSRF:

  • On-site Request Forgery

  • SSRF:

  • XXE:

  • IDOR:

    • Find out how current object is obtained
    • Look for fields like: id, uuid, uid, pk, index
    • Check GET params, e.g. /?bill_id=123
    • Check path params, e.g. /path/to/bill/123
    • Check POST data
    • Check custom HTTP headers
    • Try to add your field to an object creation request
    • Try to add your field to the path as GET param
    • Check HTTP parameter pollution (many values for the same param)
    • A UUID alone is often treated as sufficient protection, but:
      • Most often it's passed in the URL (stored in logs, browser history, Referer headers etc.)
      • Leakage of a URL with the UUID == leakage of the object it points to
  • Authorization bypass:

  • Cryptographic failures:

  • Dangerous deserialization:

  • Open redirection:

  • CORS errors:

  • CSV injection:

  • DNS rebinding:

  • Session fixation:

  • Host header poisoning:

  • Prototype pollution

  • HTTP parameter pollution:

  • HTTP verb tampering:

  • Time-based enumeration:

  • Brute-force prevention bypass:

    • Login attempts counter might be reset by successfully logging in (use your own account to reset it between guesses)
    • X-Forwarded-For bypass (IP spoofing via a header the server trusts)
    • Proxy IP rotation bypass (actually changing the source IP)
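The first two bypasses above, as an added example that is not part of these notes: a login rate limiter keyed on X-Forwarded-For and reset by any successful login, beside a hardened one that only trusts the header from a known proxy and keeps counting per IP. The proxy address, the MAX_ATTEMPTS value, the user store and the attacker/victim names are constructed for the demo.

```javascript
// Added example, not from the original notes. Users, addresses and limits are assumed.
const MAX_ATTEMPTS = 5;
const TRUSTED_PROXIES = new Set(['10.0.0.2']);          // assumed reverse proxy in front of the app

// Constructed user store; a real app would check a password hash.
const USERS = { victim: 'c0rrect-h0rse', attacker: 'attacker-pw' };
const checkPassword = (user, pw) => USERS[user] === pw;

class VulnerableLimiter {
  constructor() { this.failures = new Map(); }
  // Flaw 1: the key comes from a header the client can set to anything.
  key(req) { return req.headers['x-forwarded-for'] || req.socket.remoteAddress; }
  login(req, user, pw) {
    const k = this.key(req);
    if ((this.failures.get(k) || 0) >= MAX_ATTEMPTS) return 'locked';
    if (checkPassword(user, pw)) {
      this.failures.delete(k);            // Flaw 2: any successful login clears the counter
      return 'ok';
    }
    this.failures.set(k, (this.failures.get(k) || 0) + 1);
    return 'fail';
  }
}

class HardenedLimiter {
  constructor() { this.byIp = new Map(); this.byUser = new Map(); }
  // Honour X-Forwarded-For only when the TCP peer is our own proxy, and then
  // take the address that proxy appended (the last entry, for a single proxy).
  key(req) {
    const peer = req.socket.remoteAddress;
    const xff = req.headers['x-forwarded-for'];
    if (TRUSTED_PROXIES.has(peer) && xff) return xff.split(',').pop().trim();
    return peer;
  }
  login(req, user, pw) {
    const ip = this.key(req);
    if ((this.byIp.get(ip) || 0) >= MAX_ATTEMPTS) return 'locked';
    if ((this.byUser.get(user) || 0) >= MAX_ATTEMPTS) return 'locked';
    if (checkPassword(user, pw)) {
      this.byUser.delete(user);           // reset only the account that logged in...
      return 'ok';                        // ...the per-IP counter keeps counting
    }
    this.byIp.set(ip, (this.byIp.get(ip) || 0) + 1);
    this.byUser.set(user, (this.byUser.get(user) || 0) + 1);
    return 'fail';
  }
}

// Attacker sends `guesses` bad passwords for "victim", optionally rotating
// X-Forwarded-For per request and logging into their own account every third
// try. Returns how many guesses the limiter actually evaluated.
function attack(limiter, guesses, { rotateXff, resetWithOwnAccount }) {
  let evaluated = 0;
  for (let i = 0; i < guesses; i++) {
    const req = {
      socket: { remoteAddress: '203.0.113.7' },                         // attacker's real IP
      headers: rotateXff ? { 'x-forwarded-for': `198.51.100.${i % 250}` } : {},
    };
    if (limiter.login(req, 'victim', `guess${i}`) !== 'locked') evaluated++;
    if (resetWithOwnAccount && i % 3 === 2) limiter.login(req, 'attacker', 'attacker-pw');
  }
  return evaluated;
}

console.log('vulnerable, XFF rotation   :', attack(new VulnerableLimiter(), 50, { rotateXff: true,  resetWithOwnAccount: false }));
console.log('vulnerable, own-account reset:', attack(new VulnerableLimiter(), 50, { rotateXff: false, resetWithOwnAccount: true }));
console.log('hardened, both tricks      :', attack(new HardenedLimiter(),   50, { rotateXff: true,  resetWithOwnAccount: true }));
```

On a real target the equivalent test is: repeat a failing login past the lockout threshold, then resend with a changed X-Forwarded-For (and the other forwarding headers the stack might read, e.g. X-Real-IP) and see whether the counter starts over.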
  • Reverse Proxy Bypass

    • Check in URL: /..;/..;/, /path//, /path../, /path/#/../, @path/
  • TRACE method

  • Arbitrary file upload:

    • Bypass the extension filter:
      • Change extension to non-standard
      • Randomize letter case
    • Upload the same file twice (might cause an interesting error)
    • Try with path traversal in filename (arbitrary file overwrite)
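The upload checks above, as an added example that is not part of these notes: a filename filter with the weaknesses this checklist probes (case-sensitive extension blocklist, client-supplied path used as-is) beside an allowlist version that also pins the destination inside the upload directory. UPLOAD_DIR, the extension lists and the function names are assumptions.

```javascript
// Added example, not from the original notes. Directory and extension lists are assumed.
const UPLOAD_DIR = '/var/www/uploads';                      // assumed destination
const BLOCKED = ['.php', '.phtml'];                         // all the weak filter knows about
const ALLOWED = new Set(['.png', '.jpg', '.jpeg', '.pdf']);

// Vulnerable: case-sensitive blocklist on the raw client filename, path kept as sent.
function acceptVulnerable(filename) {
  for (const ext of BLOCKED) {
    if (filename.endsWith(ext)) return { ok: false, reason: 'blocked extension' };
  }
  return { ok: true, dest: UPLOAD_DIR + '/' + filename };
}

// Minimal POSIX-style normalisation (resolves . and ..) so the example runs
// without Node's path module; shows where a traversal filename really lands.
function normalise(p) {
  const out = [];
  for (const seg of p.split(/[\\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Hardened: keep only the last path component, lower-case the extension,
// allowlist it, reject stacked extensions (conservative: also rejects
// "my.photo.png"), then verify the final path is still under UPLOAD_DIR.
function acceptHardened(filename) {
  const base = filename.split(/[\\\/]/).pop();             // drop client-supplied directories
  const dot = base.lastIndexOf('.');
  const ext = dot === -1 ? '' : base.slice(dot).toLowerCase();
  if (!ALLOWED.has(ext)) return { ok: false, reason: 'extension not allowed: ' + ext };
  if (base.split('.').length > 2) return { ok: false, reason: 'stacked extensions' };
  const dest = normalise(UPLOAD_DIR + '/' + base);
  if (!dest.startsWith(UPLOAD_DIR + '/')) return { ok: false, reason: 'escapes upload dir' };
  return { ok: true, dest };
}

// Constructed filenames from the checklist's bypass ideas.
for (const name of ['shell.php', 'shell.PHP', 'shell.php5', '../../../etc/cron.d/job', 'photo.JPG']) {
  const v = acceptVulnerable(name);
  console.log(name.padEnd(28), 'vulnerable:', v.ok ? normalise(v.dest) : v.reason,
              '| hardened:', JSON.stringify(acceptHardened(name)));
}
```

The traversal case is the one to watch: the weak filter happily returns a destination that normalises to /etc/cron.d/job, which is the arbitrary-file-overwrite path the checklist mentions. The hardened check does not refuse that name, it just discards the directory part so the file lands in the upload directory.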
  • Clickjacking

  • Denial of Service (DoS):

    • Try sending a very long password (password-hashing functions such as PBKDF2 process the whole input, so a multi-megabyte password burns CPU on every attempt)
  • ReDoS - DoS with regex

  • HTTP request smuggling

  • Web cache poisoning

Linux privilege escalation

  • Check sudo -ll
  • Check env
  • Check history files in home directory
    • find . -type f -name ".*history" 2>/dev/null
  • Find backups:
    • find / -name "*.bak*" 2>/dev/null
    • find / -name "*backup*" 2>/dev/null
  • Find all files which belong to an user:
    • find / -user <user> 2>/dev/null
  • If you have a password of another user, switch user:
    • su - <username>
  • Find all SUID files on the system
    • find / -perm /u=s 2>/dev/null
    • Some interesting ones:
      • doas - config: /usr/local/etc/doas.conf
    • GTFOBins
    • SUID binary PATH hijacking (the binary runs another program by a relative name):
      • strings <binary>
      • export PATH=/my/path:$PATH
  • Check ~/.bashrc and the other shell rc / profile files
  • Check CRON:
    • cat /etc/crontab
    • ls -lah /etc/cron*
  • Check processes and daemons:
    • ps -U root -u root u
    • ps auxww
    • watch -n 1 "ps -aux"
  • Check if /etc/passwd is writable
  • Check networking
    • netstat -tulpn - ports
    • ip a - network interfaces
    • route / routel - routing table
    • cat /etc/iptables/rules.v4 - iptables
  • Find writable directories:
    • find / -writable -type d 2>/dev/null
  • List all filesystems:
    • cat /etc/fstab
  • List all available disks:
    • lsblk
  • List kernel modules:
    • lsmod
    • /sbin/modinfo $module - read about kernel module.
  • Check git repositories:
    • find / -type d -name ".git" 2>/dev/null
  • pspy - unprivileged process snooping by reading /proc (catches cron jobs and other short-lived processes)
  • Check /etc/shells
  • Check /opt directory
  • Check /tmp directory
  • Check Nginx / Apache / DNS / proxy settings.
  • Check installed packages:
    • dpkg -l
  • Credential reuse / password spraying: try every login-password combination you have found against every service and user
  • Check log files
  • Grep for secrets
  • Default service passwords
  • Check kernel exploitation:
    • uname -r
    • arch
    • searchsploit
  • Use automatic scanners:
    • unix-privesc-check
    • linpeas

If you are stuck

  • Enumerate TCP server services
  • Check out exploits for services
  • Enumerate directories
  • Enumerate files
  • Enumerate subdomains (DNS and brute-force)
  • Check out exploits for web components / assets / libraries
  • Check out website cookies, local storage, network tab, etc.
  • Enumerate UDP server services
  • Check input and GET parameters:
    • SQL injection
    • Command injection
    • Path traversal & LFI
    • Template injection
  • Check if somewhere credentials are reused