CSRF:
- Verify token presence on necessary forms (Create, Update, Delete)
- Check server-side token length validation
- Ensure server checks for token parameter
- Test server response to empty parameter and missing CSRF token
- Confirm tokens are not session-bound
JWT:
- Ensure None-signing algorithm is not allowed
- Check for leaked secrets
- Verify server secret checks
- Test secret guessability/brute-force resistance
Open redirect bypass:
- Test various bypass techniques (e.g., evil.com/expected.com, Javascript * openRedirects, hidden link open redirects)
- Experiment with bypass characters (e.g., //, https:evil.com, /, %00, @)
- Examine parameter pollution
BAC:
- Test access controls for all user levels
- Evaluate access using different methods (e.g., authorize, JS Functions via developer console, copy-pasting URLs)
IDOR:
- Test across all tenants
- Check access methods similar to BAC
Captcha bypasses:
- Attempt request method changes
- Remove or modify captcha parameters
LFI:
- Test bypass techniques similar to Open redirect bypass
- Experiment with different path traversal techniques (e.g., ../, %2e%2e%2f, ..%5c) to bypass input filters
- Test for log poisoning or user input storage to achieve code execution through LFI
- Examine the inclusion of configuration files or other sensitive files for information disclosure
RFI:
- Test bypass techniques similar to Open redirect bypass
- Experiment with different path traversal techniques (e.g., ../, %2e%2e%2f, ..%5c) to bypass input filters
- Test for log poisoning or user input storage to achieve code execution through LFI
- Examine the inclusion of configuration files or other sensitive files for information disclosure
SQLi:
- Use special characters (e.g., ' " ) to trigger SQL injection
- Utilize SQLmap for testing
- Use time-based techniques (e.g., SLEEP() in MySQL, WAITFOR DELAY in SQL Server) to extract information if the output is not directly visible (blind SQLi)
- Test for out-of-band techniques (e.g., DNS exfiltration) when other methods are not possible
- Exploit second-order SQLi by injecting payloads that get stored and later executed in another part of the application
XXE:
- Test file formats vulnerable to XXE (e.g., SVG, DOCX/XLSX, SOAP)
- Attempt blind SSRF, file exfiltration, and command execution
- Test different XML parsers (e.g., DOM, SAX) to identify vulnerable endpoints
- Utilize out-of-band techniques (e.g., HTTP callbacks, DNS exfiltration) for blind XXE exploitation
- Experiment with different encoding or obfuscation methods (e.g., using CDATA sections, XML entity expansion) to bypass input filters or security measures
Template injections (CSTI/SST):
- Test basic template injection payloads ${{7*9}}
- Identify templating engine and refer to manuals for potential exploits
- Employ encoding techniques for special characters
- Identify the templating engine in use (e.g., Jinja2, Twig, Mako) and craft payloads specific to the engine
- Use encoding, obfuscation, or other techniques to bypass input filters or security measures Escalate impact by chaining template injection with other vulnerabilities (e.g., XSS, RCE)
XSS:
- Test payload injection into input fields and reflected parameters
- Identify reflection context and craft attack vector accordingly
- Test various encoding and obfuscation techniques
- Check for and attempt to bypass CSP
- Test for DOM-based XSS by analyzing JavaScript code and manipulating variables used in the DOM
- Experiment with different encoding techniques (e.g., HTML entities, URL encoding, Unicode) to bypass * * input filters and WAFs
- Utilize event handlers (e.g., onload, onerror) or other obscure tags to trigger XSS when common vectors are blocked
SSRF:
- Test SSRF against server itself and other servers on the network
- Use alternative URL schemes (e.g., file://, dict://, gopher://) to interact with internal services or to bypass filters
- Test for IPv6 and other address formats (e.g., octal, decimal, hexadecimal) to bypass IP-based filters Chain SSRF with other vulnerabilities (e.g., XXE, open redirects) to escalate impact
Command injection:
- Test every single parameter for command injection vulnerability
- Compile a list of commands and command separators for the target OS
Admin panel bypass:
- Try referer header manipulation
- Test easy username/password combinations
- Perform directory brute-forcing for unprotected pages
Race conditions:
- Identify and test critical functionalities for potential race conditions
- Simulate concurrent requests to assess system stability
API security testing:
- Test API endpoints for vulnerabilities similar to those in web applications
- Evaluate proper use of authentication and authorization mechanisms
- Check for potential data leaks or unauthorized data access
Insecure deserialization:
- Identify potential points of deserialization in the application
- Test for deserialization vulnerabilities that could lead to arbitrary code execution or data tampering
- Test for insecure deserialization by tampering with serialized data formats (e.g., JSON, XML, PHP serialization) and observing application behavior
- Identify and exploit "gadget chains" to escalate impact and achieve arbitrary code execution
- Employ encryption or encoding bypass techniques to manipulate serialized data
Clickjacking:
- Check if the application is vulnerable to clickjacking attacks
- Verify proper implementation of X-Frame-Options header and other defensive mechanisms
Parameter Pollution:
- Test for potential parameter pollution vulnerabilities in all input fields and URL parameters
- Identify and manipulate repeated parameters to observe application behavior
- Check if any application logic relies on single instances of parameters and can be bypassed or exploited using parameter pollution
- Verify that the application handles repeated parameters consistently and securely
Session Management:
- Test for secure implementation of session cookies (e.g., HttpOnly, Secure, SameSite attributes)
- Evaluate the effectiveness of session expiration and session fixation prevention mechanisms
- Assess the randomness and predictability of session IDs
- Verify proper handling of concurrent sessions and logout functionality
Web Application Firewall (WAF) Evasion:
- Attempt to bypass WAF rules using different evasion techniques (e.g., encoding, obfuscation, HTTP Verb Tampering)
- Evaluate the effectiveness of the WAF in detecting and preventing known attack vectors
File Upload Security:
- Test file upload functionality for potential vulnerabilities (e.g., unrestricted file types, size limitations, handling of malicious content)
- Verify proper access controls for uploaded files to prevent unauthorized access or file manipulation
- Check for secure storage of uploaded files and proper handling of metadata
Account Recovery and Password Reset:
- Evaluate the security of account recovery and password reset mechanisms (e.g., secret questions, email-based resets, multi-factor authentication)
- Test for potential bypasses or weaknesses that may allow unauthorized account access
Unconventional Attack Vectors:
- Investigate less commonly tested functionalities, features, or components that might have been overlooked by developers or other testers
- Explore edge cases, uncommon input types, or rare user interactions that might trigger vulnerabilities
Cross-Platform and Cross-Browser Testing:
- Test the application on different platforms (e.g., mobile, desktop) and browsers, as some vulnerabilities may be platform- or browser-specific
Bug Chaining and Impact Amplification:
- Explore chaining multiple bugs or vulnerabilities together to create a higher impact or escalate privileges, which can potentially lead to higher rewards
Misconfigured or Exposed Infrastructure:
- Check for exposed or misconfigured infrastructure components (e.g., open AWS S3 buckets, unsecured cloud storage, publicly accessible admin interfaces)
Remote Code Execution (RCE):
- Investigate the use of environment variables or process control functions for command injection
- Leverage file upload vulnerabilities to upload and execute a malicious payload
- Bypass execution restrictions by utilizing script interpreters (e.g., Python, Ruby, PHP) or built-in OS functionality (e.g., PowerShell, Bash)