Pentesting and Red Teaming Notes

Web Application Reconnaissance

Basic Enumeration

Identify Stack/ Language Used

  • MERN => MongoDB, Express, React, NodeJS

  • MEAN => MongoDB, Express, Angular, NodeJS

  • ASP.NET and Razor Pages on IIS Server

  • LAMP => Linux, Apache, MySQL, PHP

  • Java, Spring Boot, MySQL/PostgreSQL

  • Ruby on Rails => Ruby, Rails, SQLite/PostgreSQL/MySQL

  • Python, Django, MySQL/PostgreSQL

Identify the server/hosting platform running the application

  • Google Cloud Platform (GCP)

  • Amazon Web Services (AWS)

  • Microsoft Azure

  • IBM Cloud

JS Libraries used? Are any of them vulnerable?

  • jQuery

  • Lodash => Versions before 4.17.21 have known prototype pollution vulnerabilities

  • Vue.js => XSS via v-html directive if it is used to render untrusted HTML.

  • AngularJS => 1.x (end-of-life branch)

Is the application using any kind of WAF? 0xInfection Awesome WAF

  • https://github.com/0xInfection/Awesome-WAF

Authentication?

How is authentication performed, and via what mechanism?

Objects? (Real World Entities)

Since every application solves real-world problems, ask what real-world entities the application refers to and what their data types are. For example, the messaging functionality of an application like Facebook or WhatsApp might have:

  • conversationId: Number/String (ID)

  • participants: Array of user objects

  • messages: Array of message objects

  • lastReadTimestamp: Date

Session Establishment

How does the application identify me? How does it distinguish me (Alex) from another user such as Hari or Administrator?

  • Using Cookies?

  • JWT?

  • Bearer Token?

  • Serialized sessions? (Java, PHP, .NET, Python?)
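Pulling the stack identification and session establishment checks above together: this added Python helper (not part of the original notes) fingerprints one raw HTTP response for stack hints, default session-cookie names, serialized-object prefixes and JWT structure, and runs on a constructed sample response. The cookie-name and base64-prefix tables are well-known framework defaults, and the JWT is only decoded, never verified.

```python
import base64
import json
from email.parser import Parser

# Default session-cookie names that give away the server-side stack (well-known defaults).
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java (Servlet/Spring)",
                "ASP.NET_SessionId": "ASP.NET", "connect.sid": "Node.js/Express",
                "sessionid": "Django", "csrftoken": "Django", "laravel_session": "Laravel"}
# Base64 prefixes of serialized-object formats that sometimes appear in session cookies.
SERIALIZED = {"rO0AB": "Java serialized object", "gASV": "Python pickle", "/wE": ".NET ViewState"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def fingerprint(raw_response):
    """Return stack hints, session-mechanism notes and decoded JWT claims for one response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = Parser().parsestr(head.split("\r\n", 1)[1], headersonly=True)
    out = {"stack": [f"{h}: {headers[h]}" for h in ("Server", "X-Powered-By") if headers.get(h)],
           "session": [], "jwt": None}
    for cookie in headers.get_all("Set-Cookie", []):
        name, _, rest = cookie.partition("=")
        value = rest.split(";", 1)[0]
        if name in COOKIE_HINTS:
            out["stack"].append(f"cookie {name} -> {COOKIE_HINTS[name]}")
        if "httponly" not in cookie.lower():
            out["session"].append(f"{name} lacks HttpOnly")
        for prefix, fmt in SERIALIZED.items():
            if value.startswith(prefix):
                out["session"].append(f"{name} looks like a {fmt}")
        parts = value.split(".")
        if len(parts) == 3 and parts[0].startswith("eyJ"):  # base64url of '{"' -> JWT shape
            header = json.loads(b64url_decode(parts[0]))
            out["jwt"] = {"cookie": name, "alg": header.get("alg"),
                          "claims": json.loads(b64url_decode(parts[1]))}
            out["session"].append(f"{name} is a JWT (alg={header.get('alg')})")
    return out

# Constructed sample response (not from any real site); the JWT is built here so its parts are exact.
SAMPLE_JWT = ".".join([b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
                       b64url(json.dumps({"sub": "alex", "role": "user"}).encode()),
                       "c2lnbmF0dXJl"])  # placeholder signature; nothing here verifies it
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nX-Powered-By: Express\r\n"
                   "Set-Cookie: connect.sid=s%3Aabc.def; Path=/; HttpOnly\r\n"
                   f"Set-Cookie: token={SAMPLE_JWT}; Path=/\r\n\r\n<html></html>")
```

Feed it the raw text of a response saved from Burp; the same shape also suits a captured request, since Bearer tokens in an Authorization header are JWTs far more often than opaque strings.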

Handling Special Characters

  • Ask why it is breaking the application. Which specific character is breaking it, and why? Think at the code level.

  • Can you trigger error messages by fuzzing with special characters?

CSRF validation

Is a CSRF token used on crucial functionalities? Is it actually validated? Try reusing the same CSRF token before and after logging out of the application. How does the application react?

CRUD

What CRUD operation is each request performing? GET (read), POST (create), PATCH (update), etc.

Am I able to change GET to POST, or PATCH to DELETE, and still have the request processed?

Functionalities Identification

Identify what functionality the application provides:

  • Inviting external users?

  • Email / Messaging?

  • Files Upload?

  • Reservation/Booking?

  • Checkout?

  • send money?

  • sell something?

  • Add, delete tasks? schedule tasks? update other member's tasks?

  • Edit profile?, edit settings?

  • Check, generate report?

  • Approve, decline something?

Multiple User Roles?

Is privilege escalation, or use of functionality reserved for higher roles, possible?

  • Admin?

  • Normal User?

  • Manager?

  • Supplier?

Is API Used?

Is CORS implemented?

For this we can use Burp's search functionality: Burp => Search => Access-Control
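The Burp search above finds the Access-Control headers; this added Python helper (not part of the original notes) classifies what one captured response means for the Origin that was sent, using constructed sample headers and the hypothetical origins https://app.example and https://other.example.

```python
def assess_cors(origin_sent, app_origin, headers):
    """Classify one CORS response for the Origin header we sent. Returns (severity, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none", "no Access-Control-Allow-Origin: browsers block cross-origin reads"
    if acao == "*":
        if creds:
            return "low", "wildcard with credentials: browsers reject the combination, but it is misconfigured"
        return "info", "wildcard without credentials: only data that is already public belongs here"
    if acao == "null":
        # Sandboxed iframes and data: URLs send Origin: null, so allowing it is close to reflecting any origin.
        return ("high" if creds else "medium"), "null origin allowed"
    if acao == origin_sent and origin_sent != app_origin:
        return ("high" if creds else "medium"), f"foreign origin {origin_sent} reflected back"
    return "info", f"fixed allow-list origin {acao}"

# Constructed responses (not from any real site) covering the common outcomes.
APP_ORIGIN = "https://app.example"
OTHER = "https://other.example"
CASES = {
    "reflected": (OTHER, {"Access-Control-Allow-Origin": OTHER, "Access-Control-Allow-Credentials": "true"}),
    "null": ("null", {"Access-Control-Allow-Origin": "null", "Access-Control-Allow-Credentials": "true"}),
    "wildcard": (OTHER, {"Access-Control-Allow-Origin": "*"}),
    "allowlist": (OTHER, {"Access-Control-Allow-Origin": APP_ORIGIN}),
    "absent": (OTHER, {}),
}

def run_cases():
    """Severity per constructed case, for a quick read of which outcomes matter."""
    return {name: assess_cors(origin, APP_ORIGIN, hdrs)[0] for name, (origin, hdrs) in CASES.items()}
```

Only the reflected and null cases with credentials let another site read an authenticated user's responses; the wildcard and allow-list results are the expected, safe shapes.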

Is Websocket used?

Test the OWASP Top 10 bug classes on WebSocket requests as well.

IS captcha used?

Try various ways of bypassing the CAPTCHA.

What other headers is the application accepting?

Use Param Miner for this.

SECLISTS to the rescue

If we suspect a particular type of bug might exist in a given parameter of a request, use SecLists' SQL injection, command injection, SSTI and fuzzing payloads against it.

Last updated 11 months ago