CSbyGB - Pentips

General Methodo & Misc Tips


Last updated 1 year ago

Notes mostly from work and also from the XSSrat course

General Methodology

Exploration and enumeration

  • Read the documentation

  • Explore the application

  • Inspect JS files (you could find API keys, hidden endpoints, hidden parameters, passwords, etc.)

  • Testing as unauthenticated

  • Testing as user

  • Testing as admin

  • When doing a web pentest it is always worth using a checklist, as there are so many things to test for; one is linked in the resources below

  • Do not hesitate to tamper with responses also (not only requests)

  • Test multiple injections at the same time with the following payload (SQLi, SSTI, CSTI, XSS)

'"`><img src=x>${7*7}

Investigate Parameters

  • Business logic errors

  • IDORs

  • CSRF tokens (check if it is present and test it if it exists)

  • Parameter pollution (adding same parameter multiple times)

  • Image upload: SVG for XXE

  • Soap Request: XXE

  • SQLi

  • JWT tokens

  • Unmapped object properties

  • XSS

  • Admin panel bypass

  • Template injection

  • Captcha bypass

Install and use Chrome in kali

It can happen that an application is not made for Firefox. In this case you will need another browser; Chrome could do the job.

  • Install Chrome

sudo apt update
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install ./google-chrome-stable_current_amd64.deb

  • Launch it with the proxy and ignore cert errors: google-chrome-stable --proxy-server=127.0.0.1:8080 --ignore-certificate-errors. This way you will be able to see your requests through Burp as usual.

Bypass Cert not private error on Chrome - Kali

Warning: use with caution and only in your pentest environment/VM. Sometimes when you test a website you get an annoying error related to the certificates; when you have to go back to it multiple times a day it can be a pain to click on ignore every time. Here is a quick fix for this:

  • In Kali, right click on Google Chrome and select Edit Application

  • At the end of "Command" add --ignore-certificate-errors and save; the command should look like this now:

/usr/bin/google-chrome-stable %U --ignore-certificate-errors

You can also use aliases if you prefer to launch everything from the command line. Here are the ones I use (you have to add them to your .zshrc or .bashrc file depending on the shell you use):

alias chromeburpnocert='google-chrome-stable --proxy-server=127.0.0.1:8080 --ignore-certificate-errors'
alias chromenocert='google-chrome-stable --ignore-certificate-errors'
alias chrome='google-chrome-stable'

For whitebox test

Git dorks

  • When you are in whitebox you might get access to git repos. If for some reason you are not able to download the code, you can use git dorks to find specific strings.

  • Syntax: org:NameOfOrg keyword-in-repo-that-is-used-for-a-specific-project in:name,description,tags keyword-to-look-for. Example: org:MyOrg myproject in:name,description,tags password

How to test for External service interaction without burp collaborator

Recently I had to check if I was able to trigger my target into sending DNS requests to random hosts. However I could not use Burp Collaborator. To replace it I used a great Python tool that is similar to the Python simple HTTP server but for DNS. This tool is called dnserver.

Install dnserver

sudo apt update
pip install dnserver

Launch dnserver

  • sudo python3 -m dnserver --port 5053 example_zones.toml (if you use sudo here, you will also have to put sudo in front of pip install dnserver for the install part)

  • To test if your server works you can do this: dig @gabrielle.pwn -p 5053 gabrielle.pwn MX

Test if your target sends DNS requests to random hosts

Now you should be able to input your DNS server where you need to and check if the app actually requests it. You can use Wireshark or another tool to monitor the traffic.
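As an added example (not from the original notes and not from the dnserver project), here is a minimal Python UDP listener that does the same job without extra tools: it parses the question name out of each raw DNS query it receives and logs the source, which is enough to see whether the target resolved your canary hostname. The port 5053 and the canary name are assumptions taken from the commands above; the domain must be delegated to the host running it for a real target to reach it.

```python
"""Minimal DNS query logger used as an out-of-band canary for external service
interaction (added example, not part of the original notes or of dnserver)."""
import socket
import struct


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a raw DNS query; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, offset = [], 12
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not valid in a plain query name
            raise ValueError("unexpected compression pointer")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query for `name` (constructed input for offline testing)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def serve(bind: str = "0.0.0.0", port: int = 5053) -> None:
    """Log every query that reaches this port. For a real target to hit it, the
    canary domain must be delegated to this host (assumption; see the notes above)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, src = sock.recvfrom(512)
            try:
                print(f"{src[0]} asked for {parse_qname(data)}")
            except ValueError as err:
                print(f"{src[0]} sent a malformed packet: {err}")


if __name__ == "__main__":
    serve()
```

Run it with sudo if you bind a privileged port, then point the application at a hostname under the delegated domain and watch the log; a hit proves the server-side resolver was driven by your input.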

Useful resources for web pentest

  • FoxyProxy Standard (available for Firefox and for Chrome)

  • I am more a Firefox user, but when I have to use an alternate browser I use this extension; it usually works pretty well. However the best method for Chrome, in my opinion, would be to use the new incognito window and allow FoxyProxy in it, I find it more convenient.

  • Firefox Multi-Account Containers (containers only on Firefox)

  • Multilogin: Firefox containers alternative for Chrome - https://chrome.google.com/webstore/detail/multilogin/ijfgglilaeakmoilplpcjcgjaoleopfi?hl=en

  • Use Burp Suite and OWASP ZAP at the same time by chaining proxies (CybersecurityLife)

  • Awesome Burp extensions - snoopysecurity/awesome-burp-extensions on GitHub

  • PayloadsAllTheThings - swisskyrepo/PayloadsAllTheThings on GitHub

  • SecLists - danielmiessler/SecLists on GitHub

  • FuzzDB - fuzzdb-project/fuzzdb on GitHub

  • OWASP - Web Application Penetration Testing - https://wiki.owasp.org/index.php/Web_Application_Penetration_Testing

  • OWASP Cheat Sheet Series (useful for recommendations in reports)

  • OWASP Testing Checklist - tanprathan/OWASP-Testing-Checklist on GitHub

  • OWASP Testing Guide v4 - https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf

  • Installing Docker on Kali Linux (Medium) - this can be useful if you want to install apps to practice on

Resources for practice

  • PortSwigger Web Security Academy

  • RatSec Security - practice with labs made by The XSS Rat

  • OWASP Juice Shop - juice-shop/juice-shop on GitHub

  • Uncle Rat's notes (Wesley's Notion)