General Methodo & Misc Tips
Notes mostly from work and also from XSSrat course
General Methodology
Exploration and enumeration
Read the documentation
Explore the application
Inspect JS files (you could find API key, hidden endpoint, hidden parameters, passwords etc.)
Testing as unauthenticated
Testing as user
Testing as admin
When doing a web pentest it is always worth using a checklist, as there are so many things to test for. Here is one checklist:
Do not hesitate to tamper with responses also (not only requests)
Test multiple injections at the same time with the following payload (SQLi, SSTI, CSTI, XSS):
Investigate Parameters
Business logic errors
IDORs
CSRF tokens (check if it is present and test it if it exists)
Parameter pollution (adding same parameter multiple times)
Image upload: SVG for XXE
SOAP request: XXE
SQLi
JWT tokens
Unmapped object properties
XSS
Admin panel bypass
Template injection
Captcha bypass
Install and use Chrome in kali
It can happen that an application is not made for Firefox. In this case you will need another browser; Chrome can do the job.
Install Chrome
Launch it with the proxy and ignore certificate errors:
google-chrome-stable --proxy-server=127.0.0.1:8080 --ignore-certificate-errors
This way you will see your requests go through Burp as usual.
Bypass Cert not private error on Chrome - Kali
Warning: use with caution and only in your pentest environment/VM. Sometimes when you test a website you get an annoying certificate error; when you have to go back to it multiple times a day it can be a pain to click on ignore every time. Here is a quick fix for this:
At the end of "Command" add
--ignore-certificate-errors
and save. The command should look like this now:
You can also use aliases if you prefer to launch everything from the command line. Here are the ones I use (add them to your .zshrc or .bashrc file depending on the shell you use):
For whitebox test
Git dorks
When you are doing a whitebox test you might get access to git repos. If for some reason you are not able to download the code, you can use git dorks (GitHub search qualifiers) to find specific strings:
org:NameOfOrg keyword-in-repo-that-is-used-for-a-specific-project in:name,description,tags keyword-to-look-for
Example:
org:MyOrg myproject in:name,description,tags password
How to test for External service interaction without burp collaborator
Recently I had to check whether I could trigger my target into sending DNS requests to arbitrary hosts. However, I could not use Burp Collaborator. To replace it I used a great Python tool that is similar to Python's http.server but for DNS. This tool is called dnserver.
Install dnserver
Launch dnserver
sudo python3 -m dnserver --port 5053 example_zones.toml
(If you launch it with sudo you will also have to put sudo in front of pip install dnserver for the install step.) To test if your server works you can do this:
dig @gabrielle.pwn -p 5053 gabrielle.pwn MX
Test if your target sends DNS requests to arbitrary hosts
Now you should be able to enter a hostname served by your DNS server wherever you need to and check whether the app actually resolves it. You can use Wireshark or another tool to monitor the traffic.
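If you would rather not depend on dnserver and Wireshark for this check, the listener below does the same job in one file: it logs every query name it receives and answers A queries with a fixed address. This is an added example, not dnserver's code or the page's. It assumes you control the NS delegation of a zone (hypothetical name: oob.example) pointed at the host running it; the default port is 5353 so it runs without root for local testing, and the test input (a query built by build_query) is constructed here rather than captured from a real target.

```python
#!/usr/bin/env python3
"""Minimal out-of-band DNS listener (added example, not dnserver's code).

Assumes a zone you control (hypothetical: oob.example) is delegated to this
host. Run `python3 oob_dns.py 5353` and test it locally with
`dig @127.0.0.1 -p 5353 abc.oob.example A`; for real use bind port 53 (sudo).
"""
import secrets
import socket
import struct
import sys
from datetime import datetime, timezone

QTYPE_A, QTYPE_ANY = 1, 255


def oob_hostname(tag: str, zone: str = "oob.example") -> str:
    """Unique hostname per injection point, e.g. 'avatar-url-3f9a1c2b.oob.example'.
    The random label stops resolver caching from hiding repeat hits and the
    tag tells you which parameter triggered the lookup."""
    return f"{tag}-{secrets.token_hex(4)}.{zone}"


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Standard recursive query, the same shape dig or a resolver sends.
    Used here to construct sample input so the parser can be exercised offline."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Parse the first question. Returns (txid, qname, qtype, question_bytes).
    Raises ValueError on anything malformed instead of crashing the listener."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("response flag set; not a query")
    if qdcount < 1:
        raise ValueError("empty question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63:
            raise ValueError("compression pointer or oversized label in question")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def build_response(query: bytes, answer_ip: str = "127.0.0.1") -> bytes:
    """NOERROR response echoing the question. A/ANY get one A record with TTL 0
    (so nothing upstream caches it); other types get an empty answer section."""
    txid, _, qtype, question = parse_query(query)
    answers = 1 if qtype in (QTYPE_A, QTYPE_ANY) else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answers, 0, 0)
    rr = b""
    if answers:
        # name = pointer to offset 12 (question name), type A, class IN, TTL 0, rdlength 4
        rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 0, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def serve(bind: str = "0.0.0.0", port: int = 5353, answer_ip: str = "127.0.0.1") -> None:
    """Log each query as 'timestamp peer qname qtype'; a line naming your token is the hit."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    print(f"listening on {bind}:{port}", file=sys.stderr)
    while True:
        data, peer = sock.recvfrom(512)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        try:
            _, qname, qtype, _ = parse_query(data)
        except ValueError as exc:
            print(f"{stamp} {peer[0]} malformed: {exc}", file=sys.stderr)
            continue
        print(f"{stamp} {peer[0]} {qname} qtype={qtype}", flush=True)
        sock.sendto(build_response(data, answer_ip), peer)


if __name__ == "__main__":
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 5353)
```

Give each injection point its own hostname from oob_hostname("param-name") and read the hits off stdout. The query usually arrives from the target's recursive resolver rather than the application server, so do not expect the peer address to identify the target; the tag in the query name is what ties a hit back to the parameter you tested.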
Useful resources for web pentest
Foxyproxy
I am more of a Firefox user, but when I have to use an alternate browser I use this extension; it usually works pretty well. However, the best method for Chrome, in my opinion, would be to open a new incognito window and allow FoxyProxy in it; I find it more convenient.
This can be useful if you want to install apps to practice on.
Resources for practice