About the author

Getting Started in Hacking

Pentesting Methodology

External Recon Methodology

Phishing Methodology

Tunneling and Port Forwarding

Brute Force - CheatSheet

Search Exploits

Shells

Shells (Linux, Windows, MSFVenom)

Linux/Unix

Checklist - Linux Privilege Escalation

Linux Privilege Escalation

Useful Linux Commands

Linux Environment Variables

MacOS

MacOS Security & Privilege Escalation

Windows

Checklist - Local Windows Privilege Escalation

Windows Local Privilege Escalation

Active Directory Methodology

Stealing Credentials

Authentication, Credentials, UAC and EFS

Basic CMD for Pentesters

Basic PowerShell for Pentesters

Mobile Apps Pentesting

Android APK Checklist

Android Applications Pentesting

iOS Pentesting Checklist

Pentesting

Pentesting Network

Pentesting JDWP - Java Debug Wire Protocol

Pentesting Printers

Pentesting Kubernetes

7/tcp/udp - Pentesting Echo

21 - Pentesting FTP

22 - Pentesting SSH/SFTP

23 - Pentesting Telnet

25,465,587 - Pentesting SMTP/s

43 - Pentesting WHOIS

53 - Pentesting DNS

69/UDP TFTP/Bittorrent-tracker

79 - Pentesting Finger

80,443 - Pentesting Web Methodology

88tcp/udp - Pentesting Kerberos

110,995 - Pentesting POP

111/TCP/UDP - Pentesting Portmapper

113 - Pentesting Ident

123/udp - Pentesting NTP

135, 593 - Pentesting MSRPC

137,138,139 - Pentesting NetBios

139,445 - Pentesting SMB

143,993 - Pentesting IMAP

161,162,10161,10162/udp - Pentesting SNMP

194,6667,6660-7000 - Pentesting IRC

264 - Pentesting Check Point FireWall-1

389, 636, 3268, 3269 - Pentesting LDAP

500/udp - Pentesting IPsec/IKE VPN

502 - Pentesting Modbus

512 - Pentesting Rexec

513 - Pentesting Rlogin

514 - Pentesting Rsh

515 - Pentesting Line Printer Daemon (LPD)

548 - Pentesting Apple Filing Protocol (AFP)

554,8554 - Pentesting RTSP

623/UDP/TCP - IPMI

631 - Internet Printing Protocol(IPP)

873 - Pentesting Rsync

1026 - Pentesting Rusersd

1080 - Pentesting Socks

1098/1099/1050 - Pentesting Java RMI - RMI-IIOP

1433 - Pentesting MSSQL - Microsoft SQL Server

1521,1522-1529 - Pentesting Oracle TNS Listener

1723 - Pentesting PPTP

1883 - Pentesting MQTT (Mosquitto)

2049 - Pentesting NFS Service

2301,2381 - Pentesting Compaq/HP Insight Manager

2375, 2376 Pentesting Docker

3128 - Pentesting Squid

3260 - Pentesting ISCSI

3299 - Pentesting SAPRouter

3306 - Pentesting Mysql

3389 - Pentesting RDP

3632 - Pentesting distcc

3690 - Pentesting Subversion (svn server)

4369 - Pentesting Erlang Port Mapper Daemon (epmd)

5000 - Pentesting Docker Registry

5353/UDP Multicast DNS (mDNS)

5432,5433 - Pentesting Postgresql

5601 - Pentesting Kibana

5671,5672 - Pentesting AMQP

5800,5801,5900,5901 - Pentesting VNC

5984,6984 - Pentesting CouchDB

5985,5986 - Pentesting WinRM

6000 - Pentesting X11

6379 - Pentesting Redis

8009 - Pentesting Apache JServ Protocol (AJP)

9000 - Pentesting FastCGI

9001 - Pentesting HSQLDB

9042/9160 - Pentesting Cassandra

9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)

9200 - Pentesting Elasticsearch

10000 - Pentesting Network Data Management Protocol (ndmp)

11211 - Pentesting Memcache

15672 - Pentesting RabbitMQ Management

27017,27018 - Pentesting MongoDB

44818/UDP/TCP - Pentesting EthernetIP

47808/udp - Pentesting BACNet

50030,50060,50070,50075,50090 - Pentesting Hadoop

Pentesting Web

Web Vulnerabilities Methodology

Reflecting Techniques - PoCs and Polygloths CheatSheet

Abusing hop-by-hop headers

Bypass Payment Process

Cache Poisoning and Cache Deception

Client Side Template Injection (CSTI)

Command Injection

Content Security Policy (CSP) Bypass

Cookies Hacking

CORS - Misconfigurations & Bypass

CRLF (%0D%0A) Injection

Cross-site WebSocket hijacking (CSWSH)

CSRF (Cross Site Request Forgery)

Dangling Markup - HTML scriptless injection

Deserialization

Domain/Subdomain takeover

Email Header Injection

File Inclusion/Path traversal

Formula Injection

HTTP Request Smuggling / HTTP Desync Attack

JWT Vulnerabilities (Json Web Tokens)

NoSQL injection

OAuth to Account takeover

Parameter Pollution

PostMessage Vulnerabilities

Rate Limit Bypass

Registration Vulnerabilities

Regular expression Denial of Service - ReDoS

Reset/Forgotten Password Bypass

Server Side Inclusion/Edge Side Inclusion Injection

SSRF (Server Side Request Forgery)

SSTI (Server Side Template Injection)

Reverse Tab Nabbing

Unicode Normalization vulnerability

Web Tool - WFuzz

XPATH injection

XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)

XXE - XEE - XML External Entity

XSS (Cross Site Scripting)

XSSI (Cross-Site Script Inclusion)

Forensics

Basic Forensic Methodology

A.I. Exploiting

BRA.I.NSMASHER Presentation

Courses and Certifications Reviews

INE Courses and eLearnSecurity Certifications Reviews

Cloud Security

Cloud security review

Physical attacks

Physical Attacks

Escaping from KIOSKs

Reversing

Common API used in Malware

Reversing Tools

Cryptographic/Compression Algorithms

Exploiting

Linux Exploiting (Basic) (SPA)

Exploiting Tools

Windows Exploiting (Basic Guide - OSCP lvl)

Crypto

Cipher Block Chaining CBC-MAC

Crypto CTFs Tricks

Electronic Code Book (ECB)

Hash Length Extension Attack

RC4 - Encrypt&Decrypt

BACKDOORS

Stego

Esoteric languages

MISC

Other Big References

TODO

Other Web Tricks

Interesting HTTP

Emails Vulnerabilities

Android Forensics

6881/udp - Pentesting BitTorrent

1911 - Pentesting fox

Online Platforms with API

Stealing Sensitive Information Disclosure from a Web

Powered by GitBook

Web Vulnerabilities Methodology

In every pentest web there is several hidden and obvious places that might be vulnerable. This post is meant to be a checklist to confirma that you have searched vulnerabilities in all the posible places.
Proxies
Nowadays web applications usually uses some kind of intermediary proxies, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also  need some extra vulnerability in the backend.
​Abusing hop-by-hop headers​
​Cache Poisoning/Cache Deception​
​HTTP Request Smuggling​
​H2C Smuggling​
​Server Side Inclusion/Edge Side Inclusion​
​Uncovering Cloudflare​
​XSLT Server Side Injection​
User input
 Most of the web applications will allow users to input some data that will be processed later.
Depending on the structure of the data the server is expecting some vulnerabilities  may or may not apply.
Reflected Values
If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues.
​Client Side Template Injection​
​Command Injection​
​CRLF​
​Dangling Markup​
​File Inclusion/Path Traversal​
​Open Redirect​
​Prototype Pollution to XSS​
​Server Side Inclusion/Edge Side Inclusion​
​Server Side Request Forgery​
​Server Side Template Injection​
​Reverse Tab Nabbing​
​XSLT Server Side Injection​
​XSS​
​XSSI​
​XS-Search​
Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
Reflecting Techniques - PoCs and Polygloths CheatSheet
/pentesting-web/pocs-and-polygloths-cheatsheet
Search functionalities
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
​File Inclusion/Path Traversal​
​NoSQL Injection​
​LDAP Injection​
​ReDoS​
​SQL Injection​
​XAPTH Injection​
Forms, WebSockets and PostMsgs
When websocket, post message or a form allows user to perform actions vulnerabilities may arise.
​Cross Site Request Forgery​
​Cross-site WebSocket hijacking (CSWSH)​
​PostMessage Vulnerabilities​
HTTP Headers
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
​Clickjacking​
​Content Security Policy bypass​
​Cookies Hacking​
​CORS - Misconfigurations & Bypass​
Bypasses
There are several specific functionalities were some workarounds might be useful to bypass them
​2FA/OPT Bypass​
​Bypass Payment Process​
​Captcha Bypass​
​Login Bypass​
​Race Condition​
​Rate Limit Bypass​
​Reset Forgotten Password Bypass​
​Registration Vulnerabilities​
Structured objects / Specific functionalities
Some functionalities will require the data to be structured on a very specific format (like a language serialized object or a XML). Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.
Some specific functionalities my be also vulnerable if a specific format of the input is used (like Email Header Injections). 
​Deserialization​
​Email Header Injection​
​JWT Vulnerabilities​
​XML External Entity​
Files
Functionalities that allow to upload files might be vulnerable to several issues.
Functionalities that generates files including user input might execute unexpected code.
Users that open files uploaded by users or automatically generated including user input might be compromised.
​File Upload​
​Formula Injection​
​PDF Injection​
​Server Side XSS​
External Identity Management
​OAUTH to Account takeover​
​SAML Attacks​
Other Helpful Vulnerabilities
This vulnerabilities might help to exploit other vulnerabilities.
​Domain/Subdomain takeover​
​IDOR​
​Parameter Pollution​
​Unicode Normalization vulnerability​

Pentesting - Previous

50030,50060,50070,50075,50090 - Pentesting Hadoop

Next - Pentesting Web

Reflecting Techniques - PoCs and Polygloths CheatSheet

Last updated 1 week ago

Contents

Reflected Values

Search functionalities

Forms, WebSockets and PostMsgs

Structured objects / Specific functionalities

External Identity Management

Other Helpful Vulnerabilities