General Methodology & Misc Tips
Last updated
Notes mostly from work and also from XSSrat course
Read the documentation
Explore the application
Inspect JS files (you could find API keys, hidden endpoints, hidden parameters, passwords, etc.)
Testing as an unauthenticated user
Testing as a regular user
Testing as admin
When doing a web pentest it is always worth using a checklist, as there are so many things to test for. is one checklist
Do not hesitate to tamper with responses as well (not only requests)
Test multiple injections at the same time with the following payload (SQLi, SSTI, CSTI, XSS)
Business logic errors
IDORs
CSRF tokens (check if one is present and test it if it exists)
Parameter pollution (adding the same parameter multiple times)
Image upload: SVG for XXE
SOAP request: XXE
SQLi
JWT tokens
Unmapped object properties
XSS
Admin panel bypass
Template injection
Captcha bypass
It can happen that an application is not made for Firefox. In this case you will need another browser; Chrome could do the job.
Install Chrome
Launch it with the proxy and ignore certificate errors: google-chrome-stable --proxy-server=127.0.0.1:8080 --ignore-certificate-errors
This way you will be able to see your requests go through Burp as usual.
Warning: use with caution and only in your pentest environment/VM. Sometimes when you test a website you get an annoying error related to certificates; when you have to go back to it multiple times a day it can be a pain to click on "ignore" every time. Here is a quick fix for this:
At the end of "Command" add --ignore-certificate-errors and save; the command should look like this now:
You can also use aliases if you prefer to launch everything from the command line. Here are the ones I use (you have to add them to your .zshrc or .bashrc file depending on the shell you use):
When you are doing a whitebox test you might get access to git repos. If for some reason you are not able to download the code, you can use git dorks to find specific strings:
org:NameOfOrg keyword-in-repo-that-is-used-for-a-specific-project in:name,description,tags keyword-to-look-for
Example: org:MyOrg myproject in:name,description,tags password
sudo python3 -m dnserver --port 5053 example_zones.toml
(If you use sudo here, you will also have to put sudo in front of pip install dnserver for the install step.)
To test if your server works you can do this: dig @gabrielle.pwn -p 5053 gabrielle.pwn MX
Now you should be able to enter your DNS server wherever you need to and check if the app actually sends a request for it. You can use Wireshark or another tool to monitor the traffic.
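As an added example (not part of the original notes or of the dnserver tool), here is a minimal stdlib-only UDP listener that logs the name and type of every DNS query reaching the port you handed to the target, so you can confirm the lookup happened without a packet capture. The sample query is constructed inline in wire format and mirrors the dig check above; the port 5053 and the name gabrielle.pwn are taken from the notes.

```python
import socket
import struct

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(packet: bytes) -> tuple[int, str, int]:
    """Return (transaction id, queried name, qtype) from a raw DNS query.

    Only the first question is read. Responses and truncated packets are
    rejected so a stray reply on the port is not logged as a lookup."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount == 0:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 2 > len(packet):
        raise ValueError("missing qtype")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype

def serve(host: str = "0.0.0.0", port: int = 5053) -> None:
    """Log every query that arrives; run this on the host you gave the target."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, (src, _) = sock.recvfrom(512)
        try:
            txid, name, qtype = parse_query(data)
        except ValueError as exc:
            print(f"{src}: ignored packet ({exc})")
            continue
        print(f"{src}: txid={txid:#06x} name={name} qtype={qtype}")

if __name__ == "__main__":
    serve()
```

The listener only logs; it never answers, which is enough to prove the target resolved your name (qtype 15 is MX, 1 is A).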
FoxyProxy
I am more of a Firefox user, but when I have to use an alternate browser I use this extension; it usually works pretty well. However, the best method for Chrome, in my opinion, would be to use a new incognito window and allow FoxyProxy in it; I find it more convenient.
This can be useful if you want to install apps to practice on.
In Kali, right-click on Google Chrome and select "Edit Application".
Recently I had to check if I was able to trigger my target into sending DNS requests to arbitrary hosts. However, I could not use Burp Collaborator. To replace it I used a great Python tool that is similar to Python's simple HTTP server but for DNS. This tool is called