Web pentest
XSS:
- DOM based:
  - Check if front-end JS code is readable
  - Look for XSS sources (e.g. window.location)
- Reflected:
  - Check GET / POST / PUT / PATCH params (keys and values!)
  - Check what you get in the response
- Stored:
  - Check DB inputs (creating or updating objects, logs)
  - Check what is obtained from DB
  - Maybe PUT / PATCH has different validation than POST?
- DOM based via postMessage():
  - Check if there is an event listener 'message' added with no or wrong origin validation, keywords:
    - postMessage(
    - addEventListener('message'
    - .on('message'
  - Create malicious website with window.open('http://victim.com') and send a malicious message to it: victim.postMessage({data: 'xss'}, '*')
  - It might be needed to bypass origin restrictions
  - Browser extensions to sniff messages: Posta, MessPostage
- Stored DOM based:
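Added example (not from these notes): what "no or wrong origin validation" looks like in a 'message' listener next to a hardened handler. Assumes https://app.example.com is the only trusted origin; the fake document and the weak substring check are constructed for the demo.

```javascript
// Added example, not part of the original notes. Compares a 'message'
// handler with no origin check against a hardened one. The trusted
// origin https://app.example.com is an assumed value for this demo.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Vulnerable: any page holding a reference to this window (e.g. the
// opener, or a page that called window.open on it) can deliver data
// from any origin, and it lands straight in an HTML sink.
function handleMessageUnsafe(event, doc) {
  doc.body.innerHTML = event.data;
  return true;
}

// Weak check often seen in review: a substring match on the origin.
// It accepts any origin that merely contains the trusted host name.
function isTrustedOriginWeak(origin) {
  return origin.indexOf('app.example.com') !== -1;
}

// Correct check: exact match against an allowlist of full origins
// (scheme + host + port), no substring or prefix logic.
function isTrustedOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Hardened handler: strict origin check, validated message shape,
// and a text sink instead of an HTML sink.
function handleMessageSafe(event, doc) {
  if (!isTrustedOriginStrict(event.origin)) return false;
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;
  if (msg.type !== 'greeting' || typeof msg.text !== 'string') return false;
  doc.body.textContent = msg.text;
  return true;
}

// Minimal stand-in for `document` so the functions run outside a browser.
function fakeDocument() {
  return { body: { innerHTML: '', textContent: '' } };
}

// In a real page the hardened handler would be wired up like this:
// window.addEventListener('message', e => handleMessageSafe(e, document));
```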
Content-Type incorrectly stated:
- The goal is to see "executable" Content-Type in a controlled response
- Potentially dangerous MIME Content-Types
- Try to force the server to return it by sending an "Accept: <content/type>" header in the request
CRLF injection:
- HTTP header injection:
  - URL?p=1\r\nHeader=New-Value\r\n
  - URL?p=1%0d%0aHeader=New-Value%0d%0a
- HTTP response splitting (content injection):
  - URL?p=1\r\n\r\n<script>alert(1)</script>
SQL injection:
SQL injection (second order):
SSTI:
- Is this app MPA?
CSRF:
On-site Request Forgery:
SSRF:
XXE:
IDOR:
- Find out how current object is obtained
- Look for fields like: id, uuid, uid, pk, index
- Check GET params, e.g. /?bill_id=123
- Check path params, e.g. /path/to/bill/123
- Check POST data
- Check custom HTTP headers
- Try to add your field to an object creation request
- Try to add your field to the path as GET param
- Check HTTP parameter pollution (many values for the same param)
- A UUID as identifier is most often enough protection, but:
  - Most often it's passed in the URL (and so is stored in logs, history etc.)
  - Leakage of a URL with the UUID == leakage of information
Authorization bypass:
Cryptographic failures:
Dangerous deserialization:
Open redirection:
CORS errors:
CSV injection:
DNS rebinding:
Session fixation:
Host header poisoning:
Prototype pollution:
HTTP parameter pollution:
HTTP verb tampering:
Time-based enumeration:
Brute-force prevention bypass:
- Login attempts counter might be reset by successfully logging in
- X-Forwarded-For bypass (IP spoofing)
- Proxy IP rotation bypass (changing IP)
Reverse proxy bypass:
- Check in URL:
  - /..;/..;/
  - /path//
  - /path../
  - /path/#/../
  - @path/
TRACE method:
Arbitrary file upload:
Clickjacking:
Denial of Service (DoS):
- Try to send a long password (hashing process) to exhaust CPU resources
ReDoS - DoS with regex:
HTTP request smuggling:
Web cache poisoning:
Privilege escalation:
- Check sudo -ll
- Check cat /etc/shells
- Check env command
- Check history files in home directory: find . -type f -name ".*history"
- Find all SUID files: find <dir> -perm /u=s 2>/dev/null
  - Some interesting: doas (config: /usr/local/etc/doas.conf)
- Check CRON
- Check processes and daemons:
  - ps -u root
  - ps aux
- Unprivileged Linux process snooping (by reading /proc/ filesystem data): pspy
- Check /opt directory
- Check /tmp directory
- Check Nginx / DNS / proxy settings.
- Check netstat ports.
If you are stuck:
- Enumerate TCP server services
- Check out exploits for services
- Enumerate directories
- Enumerate files
- Enumerate subdomains (DNS and brute-force)
- Check out exploits for web components / assets / libraries
- Check out website cookies, local storage, network tab, etc.
- Enumerate UDP server services
- Check input and GET parameters:
  - SQL injection
  - Command injection
  - Path traversal & LFI
  - Template injection
- Check if somewhere credentials are reused