RatSec Blog

Web App Checklist

- Posted in Bug bounties by

enter image description here


  • Verify token presence on necessary forms (Create, Update, Delete)
  • Check server-side token length validation
  • Ensure server checks for token parameter
  • Test server response to empty parameter and missing CSRF token
  • Confirm tokens are not session-bound


  • Ensure None-signing algorithm is not allowed
  • Check for leaked secrets
  • Verify server secret checks
  • Test secret guessability/brute-force resistance

Open redirect bypass:

  • Test various bypass techniques (e.g., evil.com/expected.com, Javascript * openRedirects, hidden link open redirects)
  • Experiment with bypass characters (e.g., //, https:evil.com, /, %00, @)
  • Examine parameter pollution


  • Test access controls for all user levels
  • Evaluate access using different methods (e.g., authorize, JS Functions via developer console, copy-pasting URLs)


  • Test across all tenants
  • Check access methods similar to BAC

Captcha bypasses:

  • Attempt request method changes
  • Remove or modify captcha parameters


  • Test bypass techniques similar to Open redirect bypass
  • Experiment with different path traversal techniques (e.g., ../, %2e%2e%2f, ..%5c) to bypass input filters
  • Test for log poisoning or user input storage to achieve code execution through LFI
  • Examine the inclusion of configuration files or other sensitive files for information disclosure


  • Test bypass techniques similar to Open redirect bypass
  • Experiment with different path traversal techniques (e.g., ../, %2e%2e%2f, ..%5c) to bypass input filters
  • Test for log poisoning or user input storage to achieve code execution through LFI
  • Examine the inclusion of configuration files or other sensitive files for information disclosure


  • Use special characters (e.g., ' " ) to trigger SQL injection
  • Utilize SQLmap for testing
  • Use time-based techniques (e.g., SLEEP() in MySQL, WAITFOR DELAY in SQL Server) to extract information if the output is not directly visible (blind SQLi)
  • Test for out-of-band techniques (e.g., DNS exfiltration) when other methods are not possible
  • Exploit second-order SQLi by injecting payloads that get stored and later executed in another part of the application


  • Test file formats vulnerable to XXE (e.g., SVG, DOCX/XLSX, SOAP)
  • Attempt blind SSRF, file exfiltration, and command execution
  • Test different XML parsers (e.g., DOM, SAX) to identify vulnerable endpoints
  • Utilize out-of-band techniques (e.g., HTTP callbacks, DNS exfiltration) for blind XXE exploitation
  • Experiment with different encoding or obfuscation methods (e.g., using CDATA sections, XML entity expansion) to bypass input filters or security measures

Template injections (CSTI/SST):

  • Test basic template injection payloads ${{7*9}}
  • Identify templating engine and refer to manuals for potential exploits
  • Employ encoding techniques for special characters
  • Identify the templating engine in use (e.g., Jinja2, Twig, Mako) and craft payloads specific to the engine
  • Use encoding, obfuscation, or other techniques to bypass input filters or security measures Escalate impact by chaining template injection with other vulnerabilities (e.g., XSS, RCE)


  • Test payload injection into input fields and reflected parameters
  • Identify reflection context and craft attack vector accordingly
  • Test various encoding and obfuscation techniques
  • Check for and attempt to bypass CSP
  • Test for DOM-based XSS by analyzing JavaScript code and manipulating variables used in the DOM
  • Experiment with different encoding techniques (e.g., HTML entities, URL encoding, Unicode) to bypass * * input filters and WAFs
  • Utilize event handlers (e.g., onload, onerror) or other obscure tags to trigger XSS when common vectors are blocked


  • Test SSRF against server itself and other servers on the network
  • Use alternative URL schemes (e.g., file://, dict://, gopher://) to interact with internal services or to bypass filters
  • Test for IPv6 and other address formats (e.g., octal, decimal, hexadecimal) to bypass IP-based filters Chain SSRF with other vulnerabilities (e.g., XXE, open redirects) to escalate impact

Command injection:

  • Test every single parameter for command injection vulnerability
  • Compile a list of commands and command separators for the target OS

Admin panel bypass:

  • Try referer header manipulation
  • Test easy username/password combinations
  • Perform directory brute-forcing for unprotected pages

Race conditions:

  • Identify and test critical functionalities for potential race conditions
  • Simulate concurrent requests to assess system stability

API security testing:

  • Test API endpoints for vulnerabilities similar to those in web applications
  • Evaluate proper use of authentication and authorization mechanisms
  • Check for potential data leaks or unauthorized data access

Insecure deserialization:

  • Identify potential points of deserialization in the application
  • Test for deserialization vulnerabilities that could lead to arbitrary code execution or data tampering
  • Test for insecure deserialization by tampering with serialized data formats (e.g., JSON, XML, PHP serialization) and observing application behavior
  • Identify and exploit "gadget chains" to escalate impact and achieve arbitrary code execution
  • Employ encryption or encoding bypass techniques to manipulate serialized data


  • Check if the application is vulnerable to clickjacking attacks
  • Verify proper implementation of X-Frame-Options header and other defensive mechanisms

Parameter Pollution:

  • Test for potential parameter pollution vulnerabilities in all input fields and URL parameters
  • Identify and manipulate repeated parameters to observe application behavior
  • Check if any application logic relies on single instances of parameters and can be bypassed or exploited using parameter pollution
  • Verify that the application handles repeated parameters consistently and securely

Session Management:

  • Test for secure implementation of session cookies (e.g., HttpOnly, Secure, SameSite attributes)
  • Evaluate the effectiveness of session expiration and session fixation prevention mechanisms
  • Assess the randomness and predictability of session IDs
  • Verify proper handling of concurrent sessions and logout functionality

Web Application Firewall (WAF) Evasion:

  • Attempt to bypass WAF rules using different evasion techniques (e.g., encoding, obfuscation, HTTP Verb Tampering)
  • Evaluate the effectiveness of the WAF in detecting and preventing known attack vectors

File Upload Security:

  • Test file upload functionality for potential vulnerabilities (e.g., unrestricted file types, size limitations, handling of malicious content)
  • Verify proper access controls for uploaded files to prevent unauthorized access or file manipulation
  • Check for secure storage of uploaded files and proper handling of metadata

Account Recovery and Password Reset:

  • Evaluate the security of account recovery and password reset mechanisms (e.g., secret questions, email-based resets, multi-factor authentication)
  • Test for potential bypasses or weaknesses that may allow unauthorized account access

Unconventional Attack Vectors:

  • Investigate less commonly tested functionalities, features, or components that might have been overlooked by developers or other testers
  • Explore edge cases, uncommon input types, or rare user interactions that might trigger vulnerabilities

Cross-Platform and Cross-Browser Testing:

  • Test the application on different platforms (e.g., mobile, desktop) and browsers, as some vulnerabilities may be platform- or browser-specific

Bug Chaining and Impact Amplification:

  • Explore chaining multiple bugs or vulnerabilities together to create a higher impact or escalate privileges, which can potentially lead to higher rewards

Misconfigured or Exposed Infrastructure:

  • Check for exposed or misconfigured infrastructure components (e.g., open AWS S3 buckets, unsecured cloud storage, publicly accessible admin interfaces)

Remote Code Execution (RCE):

  • Investigate the use of environment variables or process control functions for command injection
  • Leverage file upload vulnerabilities to upload and execute a malicious payload
  • Bypass execution restrictions by utilizing script interpreters (e.g., Python, Ruby, PHP) or built-in OS functionality (e.g., PowerShell, Bash)