The HTTP service is used to host websites, web applications or files. The HTTP service listens on TCP port 80 by default, and port 443 for HTTPS.
See Web Security Academy’s labs walkthroughs.
For HTTP server on Kali Linux, see Apache Web Server.
Resources
- OWASP Testing Guide: Stable | GitHub | Checklist
- OWASP Top 10: 2021 | 2017
- PortSwigger’s Web Security Academy: All labs | Learning material
- CWE Top 25 Most Dangerous Software Weaknesses
- List of vulnerabilities: OWASP | PortSwigger | Netsparker
- Using Burp Scanner during manual testing (PortSwigger)
- Core Ineligible Findings (HackerOne)
Web Application Testing
Pre-Engagement tasks
Pre-Engagement tasks like approval, defining the scope, test accounts. See Penetration Tests.
Before starting
Burp project
- Open Burp Suite and create a new project.
- Set the testing scope (Target->Scope settings):
- Explicitly set targets in scope.
- Explicitly exclude targets if needed (e.g. listed from bug bounty programs).
- Drop requests from these targets. See Burp Suite Targets.
- Set the Collaborator server if using a private server. See Burp Suite Collaborator.
Notes
- Create a notebook for the project in your favorite note application.
- Take note of out of scope vulnerabilities (from bug bounties).
Reconnaissance
WSTG-INFO-01: Conduct Search Engine Discovery Reconnaissance for Information Leakage (OWASP Testing Guide)
Enumeration
WSTG-INFO-02/03/04/05/06/07/08/09/10, WSTG-CONF-02/04/05
Configurations
See Web Application Configuration.
WSTG-CONF-01/03/06/07/08/09/10/11/12/13, WSTG-AUTH-02
- Default Credentials (WSTG-AUTH-02)
- Test cloud storage, see Cloud (WSTG-CONF-11)
- Non-production environments
- Error Handling (WSTG-ERRH-01/02)
- Web Cache Deception (NEW)
Source code analysis
Requires source code (whitebox testing) or when code is obtained via a vulnerability.
Static Code Analysis Scanners:
- Sonarqube
- VisualCodeGrepper (C++, C#, VB, PHP, Java and PL/SQL, WINDOWS ONLY)
- SAST Tools (from Wikipedia)
Session
WSTG-SESS: Session Management Testing (OWASP Testing Guide)
- Bypassing Session Management Schema (WSTG-SESS-01)
- Cookies Attributes (WSTG-SESS-02), HttpOnly, Secure, Scope *
- Persistent cookies *
- Session Fixation (WSTG-SESS-03)
- Exposed Session Variables (WSTG-SESS-04)
- Cross Site Request Forgery (CSRF) (WSTG-SESS-05)
- Session Timeout (WSTG-SESS-07)
- Session Puzzling (WSTG-SESS-08)
- Session Hijacking (WSTG-SESS-09)
- JSON Web Token (JWT) (WSTG-SESS-10)
- Testing for insufficient expiration on logout *
- Testing for token information disclosure *
- Testing for token storage on client Side *
- Testing for weak token security *
- Testing for insufficient signature validation *
- Testing for substitution attacks *
- Test tokens for predictability *
Input validation
WSTG-INPV: Input Validation Testing (OWASP Testing Guide)
- Fuzz all input parameters *
- Reflected Cross Site Scripting (XSS) (WSTG-INPV-01)
- Stored Cross Site Scripting (XSS) (WSTG-INPV-02)
- Testing for native software flaws (Buffer Overflow, integer bugs, format strings) *
- HTTP Verb Tampering: Replaced by HTTP Methods (WSTG-INPV-03)
- HTTP Parameter Pollution (HPP) (WSTG-INPV-04)
- Cross Site Tracing (XST)
- SQL Injection (SQLi) (WSTG-INPV-05)
- NoSQL Injection (NoSQLi)
- Object Relational Mapping (ORM) Injection
- LDAP Injection (WSTG-INPV-06)
- XML Injection (WSTG-INPV-07), including XML External Entity Injection (XXE)
- Server-Side Includes (SSI) Injection (WSTG-INPV-08)
- XPath Injection (WSTG-INPV-09)
- IMAP / SMTP Injection (WSTG-INPV-10)
- Code Injection (WSTG-INPV-11), Local File Inclusion (LFI) / Remote File Inclusion (RFI)
- OS Command Injection (WSTG-INPV-12)
- Format String Injection (WSTG-INPV-13)
- Incubated vulnerability (WSTG-INPV-14)
- HTTP Response Splitting / Web Cache Poisoning (WSTG-INPV-15)
- HTTP Smuggling (WSTG-INPV-15)
- HTTP Incoming Requests (WSTG-INPV-16)
- Host Header Injection (WSTG-INPV-17), Web Cache Poisoning, Password Reset Poisoning
- Server-side Template Injection (SSTI) (WSTG-INPV-18)
- Server-Side Request Forgery (SSRF) (WSTG-INPV-19)
- Mass Assignment (WSTG-INPV-20)
- Testing for SOAP injection *
- Object Injection / Insecure Deserialization (from PortSwigger’s labs)
- Client-Side Template Injection
- JSON Injection
- JSON Hijacking
- Log Injection
- Object-Graph Navigation Language (OGNL) Injection
- Prototype Property Pollution
- CSV Injection
Authorization
WSTG-ATHZ: Authorization Testing (OWASP Testing Guide)
- Insecure Direct Object References (IDOR) (WSTG-ATHZ-04)
- Directory Traversal (WSTG-ATHZ-01) / File Include * LFI/RFI?
- Bypassing authorization schema (WSTG-ATHZ-02), X-Original-URL and X-Rewrite-URL
- Privilege Escalation: Unix | Windows (WSTG-ATHZ-03)
- Test permissions of guest/training accounts *
- Test account suspension/resumption Process *
Cryptography
WSTG-CRYP: Testing for Weak Cryptography (OWASP Testing Guide)
- Weak SSL/TLS Ciphers Insufficient Transport Layer Protection (WSTG-CRYP-01), SSL certificates, SSLscan, Nmap NSE
- Padding Oracle (WSTG-CRYP-02)
- Sensitive Information Sent via Unencrypted Channels (WSTG-CRYP-03), check for insecure transmission of session tokens *
- Weak Encryption (WSTG-CRYP-04)
- Information exposure through query strings in url
- Testing for CBC bit flipping *
- Testing for hash length extension *
Client-side
WSTG-CLNT: Client-Side Testing (OWASP Testing Guide)
- Bypass Client-Side Validation
- DOM-based:
- DOM-based vulnerabilities (PortSwigger)
- DOM-Based Cross Site Scripting (XSS) (WSTG-CLNT-01)
- DOM clobbering (PortSwigger)
- DOM-based cookie manipulation (see labs WebSecurityAcademy (PortSwigger) – DOM-based vulnerabilities
- JavaScript Execution (WSTG-CLNT-02)
- Test for subresource integrity checks *
- Testing for linking to third-party Code *
- Testing for advertisement and analytics on critical flows *
- Testing for critical flows isolation *
- Leverage findings from previous phases in order to expand foothold in the environment. *
- HTML Injection (WSTG-CLNT-03)
- Open Redirection (WSTG-CLNT-04)
- CSS Injection (WSTG-CLNT-05)
- Client-Side Resource Manipulation (WSTG-CLNT-06)
- Cross Origin Resource Sharing (CORS) (WSTG-CLNT-07)
- Cross Site Flashing (WSTG-CLNT-08)
- Clickjacking (WSTG-CLNT-09) 1
- Web Messaging / Cross Document Messaging (WSTG-CLNT-11)
- Browser Storage (Local/Session/IndexedDB) (WSTG-CLNT-12)
- Cross Site Script Inclusion (XSSI) (WSTG-CLNT-13)
- Reverse Tabnabbing (WSTG-CLNT-14): legacy issue that does not affect modern browsers.
- Cookie bomb
- Testing of thick-client components (Java, ActiveX, Flash) *
1 See Core Ineligible Findings (HackerOne) when no sensitive actions
Application/Business logic
WSTG-BUSL: Business Logic Testing (OWASP Testing Guide)
- Identify the logic attack surface *
- Business Logic Data Validation (WSTG-BUSL-01)
- Ability to Forge Requests (WSTG-BUSL-02), test for debug parameters to bypass business logic, easter eggs
- Integrity Checks (WSTG-BUSL-03)
- Process Timing
- Race Conditions / TOCTOU *
- Number of Times a Function Can be Used Limits (WSTG-BUSL-05)
- Circumvention of Work Flows (WSTG-BUSL-06)
- Test defenses against Application Mis-use (WSTG-BUSL-07)
- Analyze SSL responses for caching of sensitive content *
- Analyze content for sensitive data in URL parameters *
- Test for reliance on client-side input validation *
APIs
REST Security Cheat Sheet (OWASP, GitHub)
WSTG-APIT: API Testing (OWASP Testing Guide)
- Find API Specification file/documentation (see Web app enumeration page, review metafiles)
- API Scanning: API recon, identify entry points
- For each API found, check supported HTTP Methods
- Find hidden parameters
- Testing GraphQL (WSTG-APIT-01)
- Server-side parameter pollution in a query string, see HTTP Parameter Pollution (HPP)
- Mass Assignment / Auto-binding
- Ensure APIs use HTTPS
- If the APIs use JWT: JSON Web Token (JWT) (WSTG-SESS-10)
- Test Error Handling (WSTG-ERRH-01/02)
Resources
Tools: Burp Suite, Postman, SoapUI
- API testing (PortSwigger)
- API (CSbyGB)
- API Security Checklist (GitHub)
- OWASP API Security Project (API Security Top 10)
- OWASP REST Security Cheat Sheet
- API Testing (OWASP Testing Guide on GitHub)
Features
Login
WSTG-ATHN: Authentication Testing (OWASP Testing Guide)
- Credentials Transported over an Encrypted Channel (WSTG-ATHN-01)
- Weak Lock Out Mechanism (WSTG-AUTH-03)
- Bypassing Authentication Schema (WSTG-AUTH-04)
- Remember Password Functionality / Password Autocomplete enabled (WSTG-AUTH-05): DEPRECATED
- Weak Password Policy (WSTG-AUTH-07), bruteforce passwords, bypass IP blocking?
- Weak Security Question/Answer (WSTG-AUTH-08)
- Weak Authentication in Alternative Channel (WSTG-AUTH-10)
- Multi-Factor Authentication (WSTG-AUTH-11), bypass MFA, bruteforce MFA code
- HTTP Basic Authentication
- Account Enumeration and Guessable User Account (WSTG-IDNT-04)
- OAuth Weaknesses (OAuth Authorization Server & OAuth Client)
(WSTG-ATHZ-05)- Missing CSRF protection *
- Testing for improper usage of implicit grant type *
- Testing for flawed redirect_uri validation *
Logout
- Broken Logout Functionality (WSTG-SESS-06)
- Browser Cache Weaknesses (WSTG-AUTH-06)
User registration / Self-registration
- Weak User Registration Process (WSTG-IDNT-02)
- Account Provisioning Process (WSTG-IDNT-03)
- Account Enumeration and Guessable User Account (WSTG-IDNT-04)
- Weak or unenforced username policy (WSTG-IDNT-05)
User profile
- Email address change
- Profil picture:
- Test for File Upload
- If image is fetched from a URL, try SSRF (port scan, read internal files, access internal hosts). If server is in the cloud, use SSRF to access the metadata endpoint to obtain a token and potentially take over the cloud environment. See Cloud SSRF (HackTricks).
- Roles:
- Try listing all the application roles from the profile section.
- If your role is listed in the profile section, try editing your profile to change the role (privilege escalation).
- Test Mass Assignment / Auto-binding. Add extra parameters like “role” or “isAdmin”.
- Personal information:
- Check for REST API calls with the user ID. Try other IDs to do an IDOR.
- Look for messages with the username, like “Welcome <username>”. Try Server-side Template Injection (SSTI).
- Try injection vulnerabilities.
- Web cache deception
- Cross Origin Resource Sharing (CORS)
- MFA management:
- Test CSRF on changing the MFA setting. Password should be required to change this setting.
- Test XSS
- Disable MFA for other users via IDOR.
Admin panel
- Role Definitions (WSTG-IDNT-01)
- Create user:
- Try CSRF on user creation form (for privilege escalation).
- Test creating a user via XSS in application inputs.
- Send the user creation request as a normal user (change session cookie).
- Try SQLi or NoSQLi.
- Look for messages with the username, like “Welcome <username>”. Try Server-side Template Injection (SSTI).
- Password:
- Check if the initial password uses the same password policy as the password change.
- How is the initial password transmitted to the user? When in clear text, the user should be forced to change it.
- Delete user:
File upload
WSTG-BUSL-08: Test Upload of Unexpected File Types
WSTG-BUSL-09: Test Upload of Malicious Files
See File Upload.
Password change or reset
WSTG-ATHN-09: Testing for Weak Password Change or Reset Functionalities (OWASP Testing Guide)
See Password change or reset. Password reset poisoning is in WSTG-INPV-17.
Payment functionality
WSTG-BUSL-10: Test Payment Functionality (OWASP Testing Guide)
WebSockets
See WebSockets (WSTG-CLNT-10).
Artificial intelligence (AI)
Web LLM attacks (e.g. prompt injection), see Artificial Intelligence (AI)
Controls
Captcha
See Captcha.
SSL/TLS fingerprinting
URL/Domain/IP whitelisting or restrictions
Adapting Downloaded Exploits
- Change the IP address and port (HTTP/HTTPS)
- Change paths or route
- If authentication, understand how it works, credentials etc.
- Understand requests sent (GET or POST)
- Does the exploit need special configuration settings to work?