Skip to content

machevalia/WebApplicationTesting

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
Access Control
Access Control
 
 
Authentication
Authentication
 
 
Business Logic Vulnerabilities
Business Logic Vulnerabilities
 
 
CORS
CORS
 
 
CSRF
CSRF
 
 
Clickjacking
Clickjacking
 
 
Command Injections
Command Injections
 
 
DOM Vulnerabilities
DOM Vulnerabilities
 
 
Deserialization
Deserialization
 
 
File Upload Vulnerabilities
File Upload Vulnerabilities
 
 
Host Header Attacks
Host Header Attacks
 
 
Information Disclosure
Information Disclosure
 
 
Oauth
Oauth
 
 
Path Traversal
Path Traversal
 
 
Request Smuggling
Request Smuggling
 
 
SQL Injections
SQL Injections
 
 
SSTI
SSTI
 
 
Server-Side Request Forgery
Server-Side Request Forgery
 
 
Server-Side Vulnerabilities
Server-Side Vulnerabilities
 
 
Web Cache Poisoning
Web Cache Poisoning
 
 
XSS
XSS
 
 
XXE
XXE
 
 
README.md
README.md
 
 

Repository files navigation

Universal Web Application Hunt Methodology

Purpose: A question-driven, end-to-end workflow from first touch to exploitation and reporting. It integrates your per-vuln methodologies (XSS, SQLi, DOM, CSRF, CORS, XXE, SSTI, SSRF, Path Traversal, Command Injection) and ensures coverage.

Phase 0 — Scoping and setup

  • What’s in scope (hosts, APIs, mobile, third-party callbacks)?
  • Allowed traffic types (auth, egress, destructive tests)?
  • Credentials/roles available? Test accounts? OAST domain?

Artifacts to prepare: Burp project, Collaborator domain, wordlists from this repo, browser with extensions (DOM Invader), headless tools (param miner, content discovery), notes template.

Phase 1 — External recon and mapping

  • What endpoints exist? Crawl and dirbust: web root, /api, /static, backups, admin panels.
  • What technologies? Fingerprint server/framework, CSP, cookies, headers.
  • What inputs exist? Params, JSON bodies, forms, file uploads, cookies, headers, path segments, fragments.
  • What roles/flows? Login, forgot password, OAuth flows, admin panels, webhooks.

Deliverable: Endpoint map with request prototypes and suspected sinks.

Phase 2 — Parameter and header discovery

  • Hidden parameters: Use Param Miner; brute candidate names based on frameworks.
  • Header sinks: Try X-Forwarded-Host, X-Original-URL, Referer (SSRF/CSRF bypass), Origin (CORS), Content-Type switches.
  • Cookies: Track values that reflect into DOM/HTML or server logic.

Deliverable: Parameter/header inventory and likely trust boundaries.

Phase 3 — Client-side code review (DOM analysis)

  • What sources feed the DOM? location.*, postMessage, storage, cookies.
  • What sinks? innerHTML, document.write, attribute setters, eval/new Function, navigation.
  • Are sanitizers used (DOMPurify/HTMLJanitor) and how can they be bypassed (attr clobbering, focus)?
  • Any web messaging without origin checks? JSON.parse on attacker-controlled data?

Reference: DOM Vulnerabilities/Hunt Methodology.md and PoCs.

Phase 4 — Server-side input testing (by context)

Ask for each endpoint/input:

  • Is the response content or behavior influenced by my input? If yes, what context?
  • Is data reflected raw (Reflected XSS), processed in templates (SSTI), concatenated into SQL (SQLi), used in filesystem paths (Traversal), executed by shell (CMDi), fetched server-side (SSRF), parsed as XML (XXE), or protected by CSRF/CORS?

Then follow the relevant methodology:

  • XSS: See XSS/Hunt Methodology.md and wordlists.

    • For exploit-server delivery of final payloads (redirect/navigation pages), see XSS/wordlists/exploit-delivery.txt for ready-made templates with placeholders.

    • For a CTF PoC of the Cookie Sandwich technique (Tomcat RFC2109 fall-back; quoted cookie parsing), use XSS/tools/cookie_sandwich_exploit.html.

      • Reference: PortSwigger research on cookie sandwiches.
      • Required query params:
        • or: open redirect URL (full), e.g. https://victim.tld/redirect
        • orp: open redirect param name, default next
        • xss: reflected XSS endpoint (full), e.g. https://app.victim.tld/search
        • xp: reflected param name, default q
        • rurl: reflecting endpoint that copies cookie into body, e.g. https://tracking.victim.tld/json
        • rc: cookie gadget name used by reflector, default session
        • cname: HttpOnly cookie name to extract, e.g. PHPSESSID
      • Optional:
        • path: cookie Path to bias ordering (default derived from rurl pathname)
        • ex: your exfil endpoint to receive the value via sendBeacon/POST
        • wrap: 1 to wrap the payload in <script> for HTML sinks (default 1)
        • auto: 1 to auto-redirect the victim, otherwise shows the crafted link
      • Flow: The page crafts an XSS payload that sets $Version=1 and two quoted cookies so the target HttpOnly cookie is sandwiched between known markers, then calls the reflecting endpoint with credentials and extracts the value. It optionally beacons to ex. Finally, it alerts the captured value for visual confirmation.
      • Usage example (open in your exploit server and substitute the values): XSS/tools/cookie_sandwich_exploit.html?auto=1&or=https://victim.tld/redirect&orp=next&xss=https://app.victim.tld/search&xp=q&rurl=https://tracking.victim.tld/json&rc=session&cname=PHPSESSID&path=/json

    • Minimal, hardcoded landing page (simplest flow): XSS/tools/cookie_sandwich_min.html

      • Edit the CONFIG object at the top with your XSS endpoint, reflecting endpoint, cookie names, and path.
      • Host the file and send the victim directly; it auto-navigates to the XSS URL with the embedded sandwich payload.
  • REGEXSS (Regex-based XSS): See XSS/REGEXSS Hunt Methodology.md, XSS/Regex XSS Cheatsheet.md, and the new wordlists under XSS/wordlists/regexss-*.txt. A helper scanner lives at XSS/tools/regexss_dom_scanner.py.
  • DOM: See DOM Vulnerabilities/Hunt Methodology.md.
  • SQLi: See SQL Injections/DBMS Hunt Methodology.md.
  • CSRF: See CSRF/Hunt Methodology.md and PoCs.
  • CORS: See CORS/Hunt Methodology.md and PoCs.
  • XXE: See XXE/Hunt Methodology.md.
  • SSTI: Use SSTI/wordlists/* by engine.
  • SSRF: See Server-Side Request Forgery/Hunt Methodology.md and wordlists.
  • Path Traversal: See Path Traversal/Hunt Methodology.md.
  • Command Injection: See Command Injections/Hunt Methodology.md and wordlists.

Phase 5 — Auth, session, and access control

  • Roles and privilege: Horizontal/vertical access checks; IDORs.
  • Session handling: Cookie flags (HttpOnly, Secure, SameSite); session fixation; logout/rotation.
  • CSRF protections: Tokens, origin/referrer validation, SameSite behaviors.

Reference: CSRF/Hunt Methodology.md and your encounters.

Phase 6 — Egress, integrations, and supply chain

  • SSRF egress: Can the app make requests to internal nets/metadata? (Use SSRF lists.)
  • Webhooks and importers: URL filters, redirects, protocol smuggling.
  • Third-party SDKs/widgets: CORS, token leaks, postMessage.

Phase 7 — Chaining and escalation

  • Can SSRF reach an admin panel that is path-traversable or vulnerable to SSTI?
  • Can traversal expose config that enables SQLi or XXE endpoints?
  • Can DOM clobbering enable XSS that steals CSRF tokens to change state?

Document chains with prerequisites and impact.

Phase 8 — Validation, safety, and OAST

  • Prefer safe proofs (delays, OAST pings) before destructive actions.
  • Keep payloads minimal; respect scope; use temp files for any write tests.

Phase 9 — Reporting and remediation

  • For each issue: affected endpoints, payloads, conditions, impact, likelihood, and clear remediation tied to the relevant methodology.
  • Include headers, CSP, and config improvements; suggest allowlists, canonicalization, prepared statements, safe APIs, strict origins.

Quick checklists

Discovery

  • Crawl + dirbust + API discovery
  • Param Miner + hidden headers
  • JS review for sources/sinks + secrets

Context tests (per input)

  • Reflection → XSS/SSTI
  • DB errors/timing → SQLi
  • File reads/errors → Traversal
  • Shell behavior/timing → CMDi
  • Network egress/DNS hits → SSRF
  • XML parsing/OOB → XXE
  • Cross-origin headers → CORS
  • State changes without token → CSRF

Tie-back: Use wordlists/PoCs under each folder for focused payloads and escalation paths.

Encounter Cliff Notes

For each vulnerability area, see encounter-cliff-notes.md inside the corresponding folder for plain-language “how I found and exploited it” summaries distilled from your Encounters:

  • Access Control/encounter-cliff-notes.md
  • Authentication/encounter-cliff-notes.md
  • Business Logic Vulnerabilities/encounter-cliff-notes.md
  • Clickjacking/encounter-cliff-notes.md
  • Command Injections/encounter-cliff-notes.md
  • CORS/encounter-cliff-notes.md
  • CSRF/encounter-cliff-notes.md
  • Deserialization/encounter-cliff-notes.md
  • DOM Vulnerabilities/encounter-cliff-notes.md
  • File Upload Vulnerabilities/encounter-cliff-notes.md
  • Information Disclosure/encounter-cliff-notes.md
  • Path Traversal/encounter-cliff-notes.md
  • Request Smuggling/encounter-cliff-notes.md
  • Server-Side Request Forgery/encounter-cliff-notes.md
  • SQL Injections/encounter-cliff-notes.md
  • SSTI/encounter-cliff-notes.md
  • XXE/encounter-cliff-notes.md

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages