kurare
Playbook: web applications

Note: Run Burp Suite or another intercepting proxy in the background during all of this activity, so every request and response is captured for later review and replay.

The Basement

  • Is the website encrypted (HTTPS)?

  • SSL/TLS protocol versions, cipher suites and key lengths. testssl.sh or sslscan is good for this; flag anything below TLS 1.2 and weak ciphers (RC4, 3DES, export, NULL).

  • Check for outdated web server software (Apache, nginx, IIS, Tomcat, etc.) from banners and error pages - Nikto can help

  • Check for outdated frameworks and libraries (ASP.NET, PHP, jQuery, etc.); headers like X-Powered-By and X-AspNet-Version, and the version strings in bundled JavaScript file names, usually give these away

  • Run Nikto or another web vulnerability scanner just to find low-hanging fruit

  • Check for DNS information with https://dnsdumpster.com/
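
Pulling version banners out of a captured response is the manual version of what Nikto does for the two "outdated software" items above. The script below is an added example, not code from the kurare page or from Nikto: it parses a constructed HTTP response, collects product/version tokens from the headers that usually leak them, and compares a version against a baseline the tester supplies (the baseline is the tester's own choice; nothing here claims a specific version is vulnerable).

```python
import re

# Constructed sample response, as an intercepting proxy would show it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# product/version tokens such as "Apache/2.4.41" or "PHP/7.2.24"
TOKEN_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.+-]*)/(\d+(?:\.\d+)*)")

# Headers that commonly carry product/version tokens.
BANNER_HEADERS = ("server", "x-powered-by", "x-generator", "via")


def parse_headers(raw_response):
    """Split a raw HTTP response into a {lowercased-name: value} dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw_response):
    """Return {product: version} for every versioned banner in the response."""
    headers = parse_headers(raw_response)
    found = {}
    for name in BANNER_HEADERS:
        for product, version in TOKEN_RE.findall(headers.get(name, "")):
            found[product] = version
    # X-AspNet-Version carries a bare version number, so name the product explicitly.
    if "x-aspnet-version" in headers:
        found["ASP.NET"] = headers["x-aspnet-version"]
    return found


def version_tuple(version):
    """'2.4.41' -> (2, 4, 41), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_older(version, baseline):
    """True if version is below baseline (baseline is the tester's own minimum)."""
    return version_tuple(version) < version_tuple(baseline)


if __name__ == "__main__":
    for product, version in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{product} {version}")
```

Run it against responses saved from the proxy; a missing Server header is not a clean bill of health, since the same information often leaks from default error pages and from the file names of bundled JavaScript.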

Authentication

  • Try to sign up for a new account.

  • Click through the "Forgot my password" process.

    • See if any step is guessable, like security questions with low-entropy answers, or a reset token that is short or predictable

  • 2FA: If the second factor is a 4-digit code or similar (only 10,000 possibilities), check whether the verification endpoint rate-limits, locks out, or invalidates the code after a few wrong attempts. If it does none of these, it can be brute-forced.
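
The 2FA item above comes down to one question: does the verification endpoint stop you before you can walk the whole code space? The script below is an added example, not code from the kurare page: the brute-force loop takes a pluggable submit() function, so against a real target it would POST each code through the proxy (that endpoint and its success response are assumptions); here it runs against a constructed mock verifier, once without any lockout and once with a lockout after five failures, to show both outcomes.

```python
import itertools


class LockedOut(Exception):
    """The target stopped accepting attempts (lockout, rate limit, or code invalidated)."""


def brute_force_code(submit, digits=4):
    """Try every numeric code of the given length in order until submit() accepts one.

    submit(code) must return True on success and False on rejection, and may raise
    LockedOut. Returns (code, attempts) or (None, attempts) if nothing was accepted.
    Against a real target, submit would POST the code to the verification endpoint
    through the proxy (assumed to answer with a distinguishable success response).
    """
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        code = "".join(combo)
        if submit(code):
            return code, attempts
    return None, attempts


def make_mock_verifier(secret, max_failures=None):
    """Constructed stand-in for a 2FA verification endpoint.

    max_failures=None models the weakness on the checklist (unlimited attempts);
    a number models the mitigation: lock after that many wrong codes.
    """
    state = {"failures": 0}

    def submit(code):
        if max_failures is not None and state["failures"] >= max_failures:
            raise LockedOut(f"locked after {state['failures']} failed attempts")
        if code == secret:
            return True
        state["failures"] += 1
        return False

    return submit


def lockout_triggered(submit, digits=4):
    """True if the endpoint refused further guesses before the code space was exhausted."""
    try:
        brute_force_code(submit, digits)
    except LockedOut:
        return True
    return False


if __name__ == "__main__":
    print(brute_force_code(make_mock_verifier("0473")))                    # ('0473', 474)
    print(lockout_triggered(make_mock_verifier("0473", max_failures=5)))   # True
```

Before running this against a real endpoint, confirm the code's lifetime: a TOTP code rotates every 30 seconds, so the full 10,000-code walk only works if the server accepts a code for as long as it takes to send all of them, or keeps accepting the same emailed/SMS code until it is used.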

File Discovery

  • Run gobuster, dirbuster, feroxbuster, etc to discover directories and files

  • Look through Google or other search engine results for files "hidden in plain sight"

  • Check for a robots.txt file (and sitemap.xml) for unpublished pages; anything listed as Disallow is a path the owner did not want indexed, which makes it worth requesting directly
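
The three discovery items above feed each other: robots.txt names paths the operator cared about, and those paths make good seeds for the directory brute-forcer. The script below is an added example, not code from the kurare page or from gobuster: it parses a constructed robots.txt body into fetchable paths, wildcard rules and sitemap URLs, and turns the paths into wordlist entries.

```python
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /old-site/
Allow: /old-site/public/
Disallow: /cgi-bin/*.pl
Sitemap: https://www.example.com/sitemap.xml
"""


def robots_candidates(text):
    """Return (paths, wildcards, sitemaps) parsed from a robots.txt body.

    Every Disallow/Allow entry names a path the operator cared enough to list, so
    each is worth requesting directly. Entries with * or $ are robots wildcards and
    cannot be fetched verbatim, so they are returned separately.
    """
    paths, wildcards, sitemaps = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field in ("disallow", "allow") and value:
            (wildcards if ("*" in value or "$" in value) else paths).append(value)
        elif field == "sitemap" and value:
            sitemaps.append(value)
    return paths, wildcards, sitemaps


def wordlist_entries(paths):
    """Turn '/admin/' style entries into wordlist lines, deduplicated, order kept."""
    seen, out = set(), []
    for path in paths:
        entry = path.strip("/")
        if entry and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


if __name__ == "__main__":
    paths, wildcards, sitemaps = robots_candidates(SAMPLE_ROBOTS)
    print("\n".join(wordlist_entries(paths)))
    print("wildcards:", wildcards)
    print("sitemaps:", sitemaps)
```

Save the printed entries one per line and pass the file to the brute-forcer alongside your usual list, e.g. `gobuster dir -u https://target -w robots-words.txt`; the sitemap URLs are worth fetching too, since they often list pages that no link points to.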

Putting stuff on the website

  • Look for user-provided input like search bars, contact forms

  • Look for paths to upload files. Tips: https://kathan19.gitbook.io/howtohunt/file-upload-bypass/file_upload

    • If uploads are restricted, try changing the extension's case, double extensions, a Content-Type that does not match the file, or an image header in front of the payload; client-side checks are bypassed by editing the request in the proxy after the browser has accepted the file
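
The bypass tricks above are easiest to apply systematically. The function below is an added example, not code from the kurare page or from the linked HowToHunt guide: given the file name you actually want to upload, it produces the list of (file name, Content-Type, body prefix) combinations to try one at a time from the proxy's repeater, each aimed at a different weak server-side check. The allowed extensions default to common image types and are an assumption; replace them with whatever the form claims to accept.

```python
# MIME types and magic bytes for the image formats an upload form usually allows.
IMAGE_MIME = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF89a"}


def upload_variants(filename, allowed=("jpg", "png", "gif")):
    """Build (filename, content_type, body_prefix) tuples to try one by one.

    Each variant targets a different weak server-side check:
      - case-sensitive extension lists      -> shell.PHP, shell.Php
      - checks on only the first/last ext   -> shell.php.jpg, shell.jpg.php
      - trailing-dot / null-byte handling   -> shell.php., shell.php%00.jpg
      - trust in the declared Content-Type  -> shell.php sent as image/png
      - magic-byte sniffing of the body     -> a real image header prepended
    body_prefix is what to put in the multipart body before your payload.
    """
    if "." not in filename:
        raise ValueError("filename needs an extension, e.g. shell.php")
    stem, ext = filename.rsplit(".", 1)
    octet = "application/octet-stream"
    variants = [
        (f"{stem}.{ext.upper()}", octet, b""),
        (f"{stem}.{ext.capitalize()}", octet, b""),
        (f"{stem}.{ext}.", octet, b""),
    ]
    for ok in allowed:
        mime = IMAGE_MIME.get(ok, f"image/{ok}")
        variants += [
            (f"{stem}.{ext}.{ok}", mime, b""),
            (f"{stem}.{ok}.{ext}", mime, b""),
            (f"{stem}.{ext}%00.{ok}", mime, b""),
            (f"{stem}.{ext}", mime, b""),
            (f"{stem}.{ext}", mime, IMAGE_MAGIC.get(ok, b"")),
        ]
    # Keep order (cheapest tricks first) but drop duplicates, which appear for
    # single-letter extensions or for allowed types without a known magic header.
    seen, unique = set(), []
    for variant in variants:
        if variant not in seen:
            seen.add(variant)
            unique.append(variant)
    return unique


if __name__ == "__main__":
    for name, ctype, prefix in upload_variants("shell.php"):
        print(f"{name:<22} {ctype:<26} prefix={prefix!r}")
```

A variant that is accepted is only half the finding: follow up by requesting the stored file to see whether the server executes it, serves it as a download, or renamed it on the way in.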

User access (you have a set of credentials)

  • Log in, look around

  • Look for broken access control with Autorize (a Burp extension): it replays every request you make with a lower-privileged session (and with no session) and flags the ones that still succeed
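
What Autorize does mechanically is replay a request under a weaker session and compare the responses; the same comparison also finds IDOR, one of the flaws listed further down. The script below is an added example, not code from the kurare page or from Autorize: it models a constructed invoice endpoint twice, once checking only that the caller is logged in and once also checking ownership, then runs the replay check and a plain ID sweep against both.

```python
# Constructed in-memory application: sessions map to users, invoices have owners.
SESSIONS = {"sess_alice": "alice", "sess_bob": "bob"}
INVOICES = {
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "bob", "total": 75},
}


def get_invoice_vulnerable(session, invoice_id):
    """Checks that the caller is logged in, but never that they own the invoice."""
    if session not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_fixed(session, invoice_id):
    """Same endpoint with an ownership check. A foreign ID gets 404, not 403, so the
    response does not confirm that the ID exists."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return 404, None
    return 200, inv


def authz_replay(handler, owner_session, other_session, invoice_id):
    """Autorize-style check: repeat the owner's request with another user's session
    and with no session at all. A replay that gets the same response as the owner
    means the endpoint enforces authentication but not authorization."""
    original = handler(owner_session, invoice_id)

    def verdict(response):
        return "BYPASSED" if response == original else "ENFORCED"

    return {
        "low_priv": verdict(handler(other_session, invoice_id)),
        "unauthenticated": verdict(handler("", invoice_id)),
    }


def enumerate_ids(handler, session, id_range):
    """Straight IDOR sweep: which IDs does this session get a 200 for?"""
    return [i for i in id_range if handler(session, i)[0] == 200]


if __name__ == "__main__":
    for handler in (get_invoice_vulnerable, get_invoice_fixed):
        print(handler.__name__, authz_replay(handler, "sess_alice", "sess_bob", 1001),
              enumerate_ids(handler, "sess_bob", range(1000, 1005)))
```

Against a real target the two handlers are the same URL with two cookies; compare status and body, not just status, since some applications return 200 with an empty or error page for denied requests.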

Flaws to look for:

  • OWASP Top Ten is the fundamental guidebook on the most common vulnerabilities to look for.

  • XSS (Cross Site Scripting)

  • IDOR (Insecure Direct Object Reference)

  • CSRF (Cross Site Request Forgery)

Additional references:

  • HowToHunt (KathanP19/HowToHunt on GitHub): Web_Checklist_by_Chintan_Gurjar.pdf

  • HowToHunt: Web Application Pentesting Checklist

  • HowToHunt: Web Page Code Review Tips