- Quick recon
- Information Disclosure
- Essential Skills
- SQL Injection
- HTTP request smuggling
- Web Cache Poisoning
- Cross-site Scripting - XSS
- CSRF
- Clickjacking
- DOM-based vulnerabilities
- CORS
- XXE
- Prototype Pollution
- SSRF
- OS Command Injection
- Server-Side Template Injection - SSTI
- Path Traversal
- Access Control
- Authentication
- WebSockets
- Insecure Deserialization
- Business Logic
- Host Header attacks
- OAuth authentication
- File upload
- JWT
- GraphQL
- Race conditions
- NoSQL Injection
- API Testing
- Web LLM attacks
- Start an active scan on interesting requests
- Run scans on selected insertion points
- URL parameters
- cookies
- JSON body parameters
- Use the HTTP Request Smuggling Probe
- Use Param Miner to Probe for different vulnerabilities
- Web Cache Poisoning
- Host header injection
- From the "Site map" tab use the "Engagement tools" to gather information
- Follow the information disclosure methodology to find information
- Use the Developer tools to look for event listeners
- Use payloads provided by Portswigger academy and other online resources to speed up the process
- Gather useful information
- Stage 1 or 2
- Start with the easiest step = /robots.txt and build up from there
- Fuzz parameters, directories, HTTP method, etc
- Burp Scanner
- Burp engagement tools: Search, Find comments, Discover content
- Engineering informative responses / Error messages
- Developer tools
- Files for web crawlers: /robots.txt and /sitemap.xml
- Debug page
- Backup Files
- Directory listings
- Developer comments
- Error messages
- Internal headers
- Git history
- Quickly detect potential vulnerabilities
- Any
- Interesting Functionality
- API
- Cookies
- Interesting Functionality
- API
- Cookies
- Extract Information: Username, Passwords, and more
- Subvert application logic: Login function, and more
- Stage 2 or 3
- URL parameters
- Login fields
- Cookies
- JSON body parameters
- Reflected
- Blind
- Conditional responses / error based
- Synchronous execution - time based OR Asynchronous execution: out-of-band based
- Bypass front-end security controls to access resources
- Retrieve other HTTP requests to disclose information: front-end rewriting, other users' cookies, queue poisoning, etc
- Deliver XSS payloads (reflected xss, self-xss, redirect to load a resource from another host, etc)
- Stage 1 or 2
- Determine HTTP method being used, check for issues (Use HTTP Request Smuggler)
- HTTP/1.1
- Bypass front-end security controls - access admin panel
- Bypass front-end request rewriting - access admin panel
- Look for requests that reflect the user's input
- Capturing other users' requests - steal cookies
- Look for requests that could be used to append and reflect other users' requests
- Deliver XSS
- Look for user reflected input (request headers, url parameters, etc)
- TE.TE - Obfuscating the TE header
- Advanced
- HTTP/2 downgrades
- Response queue poisoning via H2.TE - Extract cookie
- H2.CL request smuggling - Deliver XSS
- HTTP/2 request smuggling via CRLF injection - steal cookies
- HTTP/2 request splitting via CRLF injection - steal cookies
- Browser-powered
- CL.0 request smuggling - access admin panel
- HTTP/2 downgrades
- Poison cache to deliver XSS payloads (observe weird behavior if other headers are added)
- Stage 1 or 2
- Unkeyed request headers
- Unkeyed cookies
- Unkeyed query string
- Single parameter
- Multiple parameters
- Parameter cloaking (mix with parameter pollution)
- Fat GET request (mix with parameter pollution)
- URL normalization
- Steal other user's cookies
- XSS to CSRF
- Stage 1 or 2
- Any input field that is reflected or stored somewhere
- Url parameters
- HTTP headers
- Form fields
- Source code: Check server response, Elements tab, Network tab for requests, loaded documents and JS files
- Reflected
- Stored
- DOM
- Perform account sensitive functionalities (potentially to takeover the user's account)
- Perform high privilege actions through another user (e.g.: Admin)
- Perform actions that extract data
- Stage 1 or 2
- Pages where account sensitive operations are performed
- change email
- Pages where the user might disclose sensitive information
- CSRF token bypass
- SameSite bypass
- Chained with XSS
- Cross-site WebSocket hijacking (CSWSH)
- Referer header bypass
- Make the user perform account sensitive operations
- Stage 1 or 2
- Pages where account sensitive operations are performed
- Single Step
- Multi Step
- Trigger XSS - Steal user's cookies
- Trigger Open Redirect
- Stages 1 and 2
- Look for event listeners in the page source and other files
- Web Message
- Open Redirect
- XSS
- Etc
- Extract sensitive information
- Stage 1 or 2
- Pages where sensitive information could be extracted
- Find a request disclosing sensitive information
- Inject the Origin header and start testing different url options
- Subdomain of the current Host
- Arbitrary URL accepted
- Only null origin allowed
- Chained with XSS
- Extract sensitive information from the server
- Stage 2 or 3
- Look for functionality where a SVG could be uploaded
- Look for API requests using XML
- If the API expects another format, see if it accepts XMLS
- If it does not accept XML, try to declare and XML entity and see the server response, it might reveal that the application is parsing XML
- Read local files
- XXE to SSRF
- In-band
- Out-of-band
- Execute XSS
- Steal other user's cookies
- Escalate Privileges
- RCE
- Stage 2 or 3
- Use DOM Invader
- Use DevTools to study the JavaScript files that are loaded
- Use Burp Suite Extension - Server-Side Prototype Pollution Scanner
- POST and PUT request updating object properties
- Client-side
- Server-side
- Escalate privileges
- Stage 2 or 3
- Identify requests that contain hostnames, IPs, or URLs
- Requests fetching data from backend server
- Try the Referer Header
- Chain with an open redirect
- Automate with Extension - Collaborator Everywhere
- Walk throuhgh all the pages
- Try to understand the logic of the application
- Regular/ In Band
- Blind / Out-of-Band
- Execute code on the server
- Retrieve sensitive data
- Stage 2 or 3
- In request parameters
- User provided input
- In-band
- Out-of-band
- Execute code on the server
- Retrieve sensitive data
- Stages 2 or 3
- Look for user controlled input that is reflected
- Enumerate the template engine being used by testing with multiple payloads
- If the previous step didn't work, try to trigger an error that discloses useful information
- Plaintext context
- Code context
- Retrieve sensitive data
- Stage 2 or 3
- Look for requests fetching resources from the server
- Absolute path
- Relative path
- Bypass validation
- Encoding needed
- Escalate privileges by accessing resources/functionalities we shouldn't have access to
- Stage 1 or 2
Start with the easiest step = /robots.txt and build up from there Check the source code for endpoints Look for comments in the code Check the Burp Suite HTTP history tab with the Search functionality Request's retrieving user information Request's modifying user information
- Access to functionality
- Access to information
- Force browsing
- Changing request parameter/cookie/header
- Change HTTP Method
- Mass assignment
- IDOR
- Referer header
- Gain Access to user accounts
- Enumerate usernames
- Stage 1 or 2
- Login Form
- Signup form
- Password reset functionality
- Password change functionality
- Account lock
- Login Form
- Signup form
- Password reset functionality
- Password change functionality
- IP Restriction bypass required
- 2FA Bypass
- Account lock
- Password Cracking
- XSS + Cracking
- Header Injection + Password Reset functionality
- Trigger XSS
- Trigger Cross-site WebSocket hijack (CSWSH)
- Extract's user information
- Stage 1 or 2
- Features using Websockets
- Chat features
- CSWSH
- XSS
- Escalate privileges
- RCE
- Stage 2 or 3
- Look for any data passed to the web application that looks like serialized data
- Look for files disclosing source code
- Generate error messages to disclose information
- Look for developer comments that disclose information
- Cookies
- Once serialized data has been found, modify it to see how the server responds
- Modifying object attributes
- Modifying data types
- Using application functionality to exploit insecure deserialization
- Arbitrary object injection
- Using Pre-built chain tools to exploit magic methods
- Subvert the application logic to elicit malicious actions
- Escalate privileges
- Stage 1 or 2
- Map the application
- Burp engagement tools: Search, Find comments, Discover content
- API endpoints
- Email change
- Lack of user input validation
- Failing to handle unconventional input
- Integer overflow
- String truncation
- Trusted users won't always stay trusworthy
- Escalate privileges after registering
- Email change
- Escalate privileges after registering
- Users won't always supply mandatory input
- Remove parameters one at a time and see what happens
- Users won't always follow the intended sequence
- Skipping steps
- Drop requests/Preventing steps
- Domain-specific flaws/Business-specific flaws
- Providing an encryption oracle
- Account takeover
- Escalate privileges
- Poison Cache to XSS
- SSRF
- Stage 1 or 2
- Host header, tamper with it
- Check if it is being validated. Change .net for .com, or add a collaborator payload
- Perform all subsequent tests and study how the server responds
- Password reset functionality
- Admin panel
- Password reset functionality
- Admin panel
- Web Cache poisoning
- SSRF
- Access intranet resources
- Connection reuse
- Gain Access to another user's account/information
- Stage 1 or 2
- Login page
- Attach social profile functionality
- Use oauth service providers' commonly known files to gather information
- Look for missing state parameter
- Oauth flow
- Check the value the parameter "response_type" is set to
- Implicit trust
- OpenID unprotected dynamic client registration + SSRF
- Profile linking
- Redirect - Steal victim's authorization code
- Re-write critical files in the web application
- RCE
- Exfiltrate data
- Stage 2 or 3
- File upload functionalities
- Example of characteristics that should be tested:
- Name
- Type
- Contents
- Size
- No validation or controls
- Content-Type restriction bypass
- File Upload + Path traversal
- Overriding server configuration files to bypass blacklist
- Obfuscated file extension
- RCE via polyglot web shell
- Escalate privileges
- Stage 1 or 2
- HTTP requests with a JWT
- Check for signature verification
- Check for weak signature secret
- Exploiting flawed JWT signature verification
- Brute-forcing secret keys
- JWT header parameter injections
- jwk parameter
- jwu parameter
- kid header + directory traversal
- Escalate privileges
- Stage 1 or 2
- Look for api requests in the HTTP history
- Fuzz for common graphql endpoints
- Determine what methods are allowed
- Send the Introspection query
- Bypassing GraphQL introspection defenses might be required
- Use the graphql visualizer or send the response of the introspection to Burp's site map to visualize the results
- Broken Access Control
- IDOR
- Bypassing rate limiting using aliases
- CSRF via GraphQL
- Exceed business logic
- Stage 1 or 2
- Single-use or rate-limited functionality
- Password reset functionality
- Limit overrun
- Bypass rate limits
- Multi-step sequences
- Single endpoint race condition
- Time-sensitive attacks
- Retrieve Data
- Subvert application logic: Login function, and more
- Stage 1 or 2
- Start with a single quote '
- URL parameters
- Login form
- JSON body parameters
- NoSQL Syntax Injection
- NoSQL operator injection
- Escalate privileges
- Disclose data
- Stage 1 or 2
- API endpoints
- Exploiting an unused API endpoint
- Exploiting a mass assignment vulnerability
- Exploiting server-side parameter pollution in a query string
- Retrieve data that the LLM has access to
- Trigger harmful actions via APIs
- Trigger attacks on other users and systems that query the LLM
- Stage 2 or 3
- In LLM powered functionality
- Prompt Injection
- Prompt Injection + Another Vulnerability
- Indirect Prompt Injection