Web {
CSRF Application-Wide {
CSRF Normal
Bypass Through {
Change Method To GET-Based
Change Value Of CSRF-Token To undefined
Add Parameter _method=PUT To Bypass CSRF Protection On PUT/DELETE
Delete CSRF Token Value Or Delete Token Parameter
Use The Same CSRF Value In Different Accounts
Replace CSRF Token Value With Random Characters Of The Same Length
Change Content-Type From application/json To text/plain
Use A Vulnerable Subdomain To Bypass CSRF Token
}
Session Management And Broken Auth {
Missing Secure Or HttpOnly Cookie Flag
Login Over HTTP Protocol (Not HTTPS)
Session Fixation ( Only HackerOne )
Failure To Invalidate Session On ResetPassword/ChangePassword
}
Reset Password Function {
Try XSS By Changing Parameters To GET Method
Open Redirect
Reset Password Token URL Disclosed Through Referer To Third Party
Reset Password Token is not Invalidated After Use
}
No Rate Limit {
No Rate Limiting on Form Registration
No Rate Limiting on Form Login
No Rate Limiting on Form Email-Triggering
No Rate Limiting on Form SMS-Triggering
}
Profile {
Setting {
IDOR On All Functions In Setting : Edit Profile , Delete Profile , Deactivate Notifications ....
Clickjacking On delete Account Or on Sensitive Action
SSTI Through ProfileName : {{7*7}} - ${7*7}
CSTI Through ProfileName : {{7*7}}
No Password Policy
}
View Account {
Web Cache Deception To Steal User Sensitive Data : /profile/dec.css
EXIF Data Is Not Stripped From Images
}
}
Upload File Function {
Remote Command Execution : ImageMagick
Upload Malicious File Types Such As : SVG , PHTML , PHP , PHP5 , HTML/HTM
Change Content-Type To Different Content-Types Such As : application/xml+svg , text/xml
Duplicate The Content-Type Header With Different Values
Change Content-Type Value To A Valid Content-Type Value And A Malicious Content-Type Value : Content-Type:
Try XXE Through Uploading XML Or SVG Or Microsoft OXML Files Such As : docs , doc [ Maybe The Server Will Parse The File If It's XML ]
Path Traversal To Overwrite Users' Files On The Server
XSS Through Filename
Command Injection Through Filename : `sleep (10)` - ;sleep(10) - |sleep(10) - &sleep(10)
SQL Injection Through Filename : ' or sleep(10)-- - | " or sleep(10)-- - | ') or sleep(10)-- - | ") or sleep(10)-- -
}
Login Place {
OAuth {
Open Redirect On redirect_uri
Try To Bypass Filter With :
%09 - %2509
%2e - %252e
\@ - %5c%40
CSRF On OAuth Login [ For Chaining In Future ] : Delete State Parameter Or Its Value
Steal OAuth Token Through Referer [ When There's No Open Redirect In redirect_uri ] : redirect_uri=http://target.com/Post
XSS Through redirect_uri
}
SAML Auth {
Edit Email In SAMLResponse
Edit Email And Delete Tag [ <ds:Signature> ] Or Value Of The Tag
}
Brute-Force Attack [ If It's Not Out Of Scope ]
Blind XSS Through IP Headers
Blind SQL Injection Through IP Headers
XSS Through GET-Method With Parameters
Open-Redirect On Login And On Logout
}
Company {
Privilege Escalation {
Add User - Delete User - Delete Invitations - And Other Actions
}
Information Disclosure {
Steal High-Privilege Invites Through Invite Token Disclosure
}
Unauthorized Access {
Try To Repeat Requests After Deleting The User/Member
}
CSRF in URL Invite
IDOR On Invite Users - Delete Company - And Other Actions
}
Apache Proxy - Nginx {
SSRF Through Host: Header
SSRF Through REQUEST-URI : GET http://collaborator/
Path Traversal On Nginx
}
}
Created
July 31, 2020 20:13