General Methodo & Misc Tips

Notes mostly from work and also from XSSrat course

General Methodology

Exploration and enumeration

Read the documentation
Explore the application
Inspect JS files (you could find API key, hidden endpoint, hidden parameters, passwords etc.)
Testing as unauthenticated
Testing as user
Testing as admin
When doing web pentest it is always worth using checklist as there are so many things to test for. Here is one checklist
Do not hesitate to tamper with responses also (not only requests)
Test multiple injections at the same time with the following payload (SQLi, SSTi, CSTi, XSS)

'"`><img src=x>${7*7}

Investigate Parameters

Business logic erros
IDORS
CSRF tokens (check if it is present and test it if it exists)
Parameter pollution (adding same parameter multiple times)
Image upload: SVG for XXE
Soap Request: XXE
SQLi
JWT tokens
Unmapped object properties
XSS
Admin panel bypass
Template injection
Captcha bypass

Install and use Chrome in kali

It can happen that an application is not made for firefox. In this case you will need another browser. Chrome could do the job.

Intall Chrome

sudo apt update
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install ./google-chrome-stable_current_amd64.deb

Launch it with proxy and ignore cert errors google-chrome-stable --proxy-server=127.0.0.1:8080 --ignore-certificate-errors this way you will be able to see your request through burp as usual.

Bypass Cert not private error on Chrome - Kali

Warning: use we caution and only in your pentest environment/vm Sometimes when you test a website you get an annoying error related to the certificates when you have to go back to it multiple times a day it can be a paint to click on ignore every time. Here is a quick fix for this

In kali right click on Google Chrome and select Edit Application
At the end of "Command" add --ignore-certificate-errors and save, the command should look like this now:

/usr/bin/google-chrome-stable %U --ignore-certificate-errors

You can also use aliases if you prefer to launch everything with cmd. Here are the one I use (you have to add them in your .zshrc file or .bashrc file depending on the shell you use):

alias chromeburpnocert='google-chrome-stable --proxy-server=127.0.0.1:8080 --ignore-certificate-errors'
alias chromenocert='google-chrome-stable --ignore-certificate-errors'
alias chrome='google-chrome-stable'

For whitebox test

Git dorks

When you are in whitebox you might get access to git repos. If for some reason you are not able to download the code, you can use git dorks to find specific strings
org:NameOfOrg keyword-in-repo-that-is-used-for-a-specific-project in:name,description,tags keyword-to-look-for example org:MyOrg myproject in:name,description,tags password

How to test for External service interaction without burp collaborator

Recently I had to check if I was able to trigger my target into sending dns request to random hosts. However I could not use burp collaborator. To replace it I used a great python tool that is similar to http simple server but for dns. This tool is called dnserver

Install dnserver

sudo apt update
pip install dnsserver

Launch dnserver

sudo python3 -m dnserver --port 5053 example_zones.toml (if you use sudo you will have to put sudo in front of pip install dnserver for the install part)
To test if you server works you can do this dig @gabrielle.pwn -p 5053 gabrielle.pwn MX

Test if your target sends dns request to random hosts

Now you should be able to input your dns server where you need to and check if the app actually requests it. You can use wireshark or another tool to monitor the traffic.

Useful resources for web pentest

Foxyproxy

I am more a Firefox user but when I have to use an alternate browser I use this extension it usually works pretty well. However the best method for Chrome, in my opinion, would be to use the new incognito window and allow foxyproxy in it, I find it more convenient.