CSRF:
- Check if the token is present on any form it should be
- Server checks if the token length is correct
- Server checks if parameter is there
- Server accepts empty parameter
- Server accepts responds without CSRF token
- Token is not session bound
- Check if the token is present on any form it should be
- Server checks if the token length is correct
- Server checks if parameter is there
- Server accepts empty parameter
- Server accepts responds without CSRF token
- Token is not session bound
JWT:
- None-signing algorithm is allowed
- Secret is leaked somewhere
- Server never checks secret
- Secret is easily guessable or brute-forceable
- None-signing algorithm is allowed
- Secret is leaked somewhere
- Server never checks secret
- Secret is easily guessable or brute-forceable
Open redirect bypass:
- test.com/expected.com
- Javascript openRedirects
- Hidden link open redirects
- Using // to bypass
- https:test.com (browser might correct this, filter might not catch it)
- /\ to bypass
- %00 to bypass (null byte)
- @ to bypass
- test.com/expected.com
- Javascript openRedirects
- Hidden link open redirects
- Using // to bypass
- https:test.com (browser might correct this, filter might not catch it)
- /\ to bypass
- %00 to bypass (null byte)
- @ to bypass
BAC
- Test higher Priv functions should not be able to be executed by lower Priv user
βTest ALL user levels
β Test with authorise
β JS Functions via developer console
β Copy and paste of URL
- Test higher Priv functions should not be able to be executed by lower Priv user
βTest ALL user levels
β Test with authorise
β JS Functions via developer console
β Copy and paste of URL
IDOR
- Test between ALL tenants (companies hosted on one server/database. Can also be divisions of companies)
β Test with authorise
β JS Functions via developer console
β Copy and paste of URL
- Test between ALL tenants (companies hosted on one server/database. Can also be divisions of companies)
β Test with authorise
β JS Functions via developer console
β Copy and paste of URL
Captcha bypasses
- Try change request method
- Remove the captcha param from the request
- leave param empty
- Fill in random value
- Try change request method
- Remove the captcha param from the request
- leave param empty
- Fill in random value
LFI
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- double encodings
RFI:
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- double encodings
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- double encodings
RFI:
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- double encodings
SQLi:
- ββ to trigger
β SQLmap
XXE:
- SVG files (images), DOCX/XLSX, SOAP, anything XML that renders
- Blind SSRF, file exfiltration, command exec
- ββ to trigger
β SQLmap
XXE:
- SVG files (images), DOCX/XLSX, SOAP, anything XML that renders
- Blind SSRF, file exfiltration, command exec
Template injections (CSTI/SST)
- ${7*7}
- If resolves, what templating engine
- Try exploit by looking at manuals
β URL encode special chars ({}*)
β HTML entities
β Double encodings
- ${7*7}
- If resolves, what templating engine
- Try exploit by looking at manuals
β URL encode special chars ({}*)
β HTML entities
β Double encodings
XSS:
- ββ`><img src=x> into every input field, the moment you register and start using the application
- Enter a random value into every parameter and look for reflection
- See what context reflection is in
- Craft attack vector based on context
JS
HTML
HTML tag attribute
β¦
- ββ`><img src=x> into every input field, the moment you register and start using the application
- Enter a random value into every parameter and look for reflection
- See what context reflection is in
- Craft attack vector based on context
JS
HTML
HTML tag attribute
β¦
β Url encode
β HTML entities
β Capital letters
β BASE64 encode payload
- CSP might be active
β Try bypasses
β See what is active and where script can be gotten from
β Encode them in base64
β Mascarade script as data
β HTML entities
β Capital letters
β BASE64 encode payload
- CSP might be active
β Try bypasses
β See what is active and where script can be gotten from
β Encode them in base64
β Mascarade script as data
SSRF
- SSRF against server itself
- SSRF against other servers on the network
Command injection
- Test every single parameter
- Make a list of commands + command separators for target OS
- SSRF against server itself
- SSRF against other servers on the network
Command injection
- Test every single parameter
- Make a list of commands + command separators for target OS
Admin panel bypass
- Try referr header
- Easy username/pass
- Directory brute forcing for unprotected pages
- Try referr header
- Easy username/pass
- Directory brute forcing for unprotected pages
There are many more but I thought you'd enjoy this as #bugbountytips or #pentesting checklist.
Do take this as a base list you have to add to yourself!
Do take this as a base list you have to add to yourself!
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
