Pentest checklists

Web pentest

  • XSS:

    • DOM based:
      • Check if front-end JS code is readable
      • Look for XSS sources (e.g. window.location)
    • Reflected:
      • Check GET / POST / PUT / PATCH params (keys and values!)
      • Check what you get in the response
    • Stored:
      • Check DB inputs (creating or updating objects, logs)
      • Check what is obtained from DB
      • Maybe PUT / PATCH has different validation than POST?
    • DOM based via postMessage()
      • Check if there is a 'message' event listener added with no or incorrect origin validation, keywords: postMessage(, addEventListener('message', .on('message'.
      • Create a malicious website with window.open('http://victim.com') and send a malicious message to it: victim.postMessage({data: 'xss'}, '*')
      • It might be needed to bypass origin restrictions
      • Browser extensions to sniff messages: Posta, MessPostage
    • Stored DOM based:
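Added example, not from these notes: the 'message' listener from the postMessage() item above, written the way the checklist warns about (no origin check, HTML sink) beside a hardened version. The handlers return the action they would take instead of touching the DOM so the logic runs outside a browser; ALLOWED_ORIGINS and the 'status' message shape are assumed for a hypothetical app.

```javascript
// Constructed allowlist for a hypothetical app; real code lists its own origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Insecure listener as described in the checklist: no origin check and the
// payload goes straight to an HTML sink, so any window that opened this page
// (or that it opened) can inject markup.
function insecureHandler(event) {
  return { action: 'render', html: event.data.html };
}

// "Wrong" origin validation: a substring match also passes origins such as
// https://example.com.attacker.test, so it is no better than no check.
function weakOriginCheck(origin) {
  return origin.indexOf('example.com') !== -1;
}

// Hardened listener: exact-match origin allowlist, strict payload schema,
// and the value only ever reaches a text sink.
function secureHandler(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { action: 'ignore', reason: 'untrusted origin' };
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null) {
    return { action: 'ignore', reason: 'malformed payload' };
  }
  if (data.type !== 'status' || typeof data.text !== 'string') {
    return { action: 'ignore', reason: 'unexpected message type' };
  }
  return { action: 'setText', text: data.text };
}

// Wire-up for a browser page; guarded so the file also loads under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = secureHandler(event);
    if (result.action === 'setText') {
      // textContent is a text sink; innerHTML would reintroduce the XSS.
      document.getElementById('status').textContent = result.text;
    }
  });
}
```

Grepping a bundle for the keywords in the checklist (postMessage(, addEventListener('message') and then reading the listener body for these three checks is the review step; a listener with only the substring-style check should be treated as having none.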
  • Content-Type incorrectly stated:

  • CRLF injection:

    • HTTP header injection:
      • URL?p=1\r\nHeader=New-Value\r\n
      • URL?p=1%0d%0aHeader=New-Value%0d%0a
    • HTTP response splitting (content injection):
      • URL?p=1\r\n\r\n<script>alert(1)</script>
  • SQL injection:

  • SQL injection (second order):

  • SSTI:

    • Is this app MPA?
  • CSRF:

  • On-site Request Forgery

  • SSRF:

  • XXE:

  • IDOR:

    • Find out how current object is obtained
    • Look for fields like: id, uuid, uid, pk, index
    • Check GET params, e.g. /?bill_id=123
    • Check path params, e.g. /path/to/bill/123
    • Check POST data
    • Check custom HTTP headers
    • Try to add your field to an object creation request
    • Try to add your field to the path as GET param
    • Check HTTP parameter pollution (many values for the same param)
    • A UUID is most often enough:
    • Most often it is passed in the URL (so it ends up in logs, browser history, etc.)
    • Leakage of URL with UUID == leakage of information
  • Authorization bypass:

  • Cryptographic failures:

  • Dangerous deserialization:

  • Open redirection:

  • CORS errors:

  • CSV injection:

  • DNS rebinding:

  • Session fixation:

  • Host header poisoning:

  • Prototype pollution

  • HTTP parameter pollution:

  • HTTP verb tampering:

  • Time-based enumeration:

  • Brute-force prevention bypass:

    • Login attempts counter might be reset by successfully logging in
    • X-Forwarded-For bypass (IP spoofing)
    • Proxy IP rotation bypass (changing IP)
  • Reverse Proxy Bypass

    • Check in URL: /..;/..;/, /path//, /path../, /path/#/../, @path/
  • TRACE method

  • Arbitrary file upload:

  • Clickjacking

  • Denial of Service (DoS):

    • Try sending a very long password (the hashing step) to exhaust CPU resources
  • ReDoS - DoS with regex

  • HTTP request smuggling

  • Web cache poisoning

Privilege escalation

  • Check sudo -ll
  • Check cat /etc/shells
  • Check env command
  • Check history files in home directory
    • find . -type f -name ".*history"
  • Find all SUID files
    • find <dir> -perm /u=s 2>/dev/null
    • Some interesting ones:
      • doas - config: /usr/local/etc/doas.conf
  • Check CRON
  • Check processes and daemons:
    • ps -u root
    • ps aux
  • pspy: unprivileged Linux process snooping (by reading /proc filesystem data)
  • Check /opt directory
  • Check /tmp directory
  • Check Nginx / DNS / proxy settings.
  • Check listening ports (netstat).

If you are stuck

  • Enumerate TCP server services
  • Check out exploits for services
  • Enumerate directories
  • Enumerate files
  • Enumerate subdomains (DNS and brute-force)
  • Check out exploits for web components / assets / libraries
  • Check out website cookies, local storage, network tab, etc.
  • Enumerate UDP server services
  • Check input and GET parameters:
    • SQL injection
    • Command injection
    • Path traversal & LFI
    • Template injection
  • Check if somewhere credentials are reused