Home - TairinySimeonato/WebAuditing GitHub Wiki

WebApp Pentest Methodology

Vulnerabilities

XSS
Open Redirection
CSRF/XSRF
File Upload
SQL Injection
Command Injection
SSRF
Brute Force
Path transversal (?)
LFI/RFI
Type Juggling
XXE
XPath Injection
Authentication and Session Management
Clickjacking
Security misconfiguration
Insecure storage/transmission of sensitive data
Open Redirection
Denial of Service
HTTP Request Smuggling
Directory listing
Using vulnerable components
Deserialization
DNS Rebinding

Security Policies

OAuth Framework

HTTP Protocol

HTTP Methods
HTTP Headers
Cookies
HTTP Headers Attacks

Tools

Burp
Dir buster / dirb /dirsearch
nikto
sqlmap
hydra
nmap
wfuzz
dotdotpwn

OWASP Top 10 2017

Injection*
Broken Authentication*
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
XSS
Insecure Deserialization
Using components with known vulnerabilities
Insufficient Logging and Monitoring

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Wordpress vulns: https://www.ripstech.com/php-security-calendar-2018/

Resources

Advanced

microcorruption ctf