The HTTP service is used to host websites, web applications or files. The HTTP service listens on TCP port 80 by default, and port 443 for HTTPS.
💡 See Web Security Academy’s labs walkthroughs.
💡 For HTTP server on Kali Linux, see Apache Web Server.
Resources
- OWASP Testing Guide: Stable | GitHub | Checklist
- OWASP Top 10: 2021 | 2017
- PortSwigger’s Web Security Academy: All labs | Learning material
- CWE Top 25 Most Dangerous Software Weaknesses
- List of vulnerabilities: OWASP | PortSwigger | Netsparker
- Using Burp Scanner during manual testing (PortSwigger)
Web Application Testing
Pre-Engagement tasks
Pre-Engagement tasks like approval, defining the scope, test accounts. See Penetration Tests.
Before starting
Burp project
- Open Burp Suite and create a new project.
- Set the testing scope (Target->Scope settings):
- Explicitly set targets in scope.
- Explicitly exclude targets if needed (e.g. listed from bug bounty programs).
- Drop requests from these targets. See Burp Suite Targets.
- Set the Collaborator server if using a private server. See Burp Suite Collaborator.
Notes
- Create a notebook for the project in your favorite note application.
- Take note of out of scope vulnerabilities (from bug bounties).
Reconnaissance
WSTG-INFO-01: Conduct Search Engine Discovery Reconnaissance for Information Leakage (OWASP Testing Guide)
Enumeration
WSTG-INFO-02/03/04/05/06/07/08/09/10, WSTG-CONF-02/04/05
Configurations
See Web Application Configuration.
WSTG-CONF-01/03/06/07/08/09/10/11/12/13, WSTG-AUTH-02
- Default Credentials (WSTG-AUTH-02)
- Test cloud storage, see Cloud (WSTG-CONF-11)
- Non-production environments
- Error Handling (WSTG-ERRH-01/02)
Source code analysis
Requires source code (whitebox testing) or when code is obtained via a vulnerability.
Static Code Analysis Scanners:
- Sonarqube
- VisualCodeGrepper (C++, C#, VB, PHP, Java and PL/SQL, WINDOWS ONLY)
- SAST Tools (from Wikipedia)
Session
WSTG-SESS: Session Management Testing (OWASP Testing Guide)
- Bypassing Session Management Schema (WSTG-SESS-01)
- Cookies Attributes (WSTG-SESS-02), HttpOnly, Secure, Scope *
- Persistent cookies *
- Session Fixation (WSTG-SESS-03)
- Exposed Session Variables (WSTG-SESS-04)
- Cross Site Request Forgery (CSRF) (WSTG-SESS-05)
- Session Timeout (WSTG-SESS-07)
- Session Puzzling (WSTG-SESS-08)
- Session Hijacking (WSTG-SESS-09)
- JSON Web Token (JWT) (WSTG-SESS-10)
- Testing for insufficient expiration on logout *
- Testing for token information disclosure *
- Testing for token storage on client Side *
- Testing for weak token security *
- Testing for insufficient signature validation *
- Testing for substitution attacks *
- Test tokens for predictability *
Input validation
WSTG-INPV: Input Validation Testing (OWASP Testing Guide)
- Fuzz all input parameters *
- Reflected Cross Site Scripting (XSS) (WSTG-INPV-01)
- Stored Cross Site Scripting (XSS) (WSTG-INPV-02)
- Testing for native software flaws (Buffer Overflow, integer bugs, format strings) *
- HTTP Verb Tampering: Replaced by HTTP Methods (WSTG-INPV-03)
- HTTP Parameter Pollution (HPP) (WSTG-INPV-04)
- Cross Site Tracing (XST)
- SQL Injection (SQLi) (WSTG-INPV-05)
- NoSQL Injection (NoSQLi)
- Object Relational Mapping (ORM) Injection
- LDAP Injection (WSTG-INPV-06)
- XML Injection (WSTG-INPV-07), including XML External Entity Injection (XXE)
- Server-Side Includes (SSI) Injection (WSTG-INPV-08)
- XPath Injection (WSTG-INPV-09)
- IMAP / SMTP Injection (WSTG-INPV-10)
- Code Injection (WSTG-INPV-11), Local File Inclusion (LFI) / Remote File Inclusion (RFI)
- OS Command Injection (WSTG-INPV-12)
- Format String Injection (WSTG-INPV-13)
- Incubated vulnerability (WSTG-INPV-14)
- HTTP Response Splitting / Web Cache Poisoning (WSTG-INPV-15)
- HTTP Smuggling (WSTG-INPV-15)
- HTTP Incoming Requests (WSTG-INPV-16)
- Host Header Injection (WSTG-INPV-17), Web Cache Poisoning, Password Reset Poisoning
- Server-side Template Injection (SSTI) (WSTG-INPV-18)
- Server-Side Request Forgery (SSRF) (WSTG-INPV-19)
- Mass Assignment (WSTG-INPV-20)
- Testing for SOAP injection *
- Object Injection / Insecure Deserialization (from PortSwigger’s labs)
- Client-Side Template Injection
- JSON Injection
- JSON Hijacking
- Log Injection
- Object-Graph Navigation Language (OGNL) Injection
- Prototype Property Pollution
- CSV Injection
Authorization
WSTG-ATHZ: Authorization Testing (OWASP Testing Guide)
- Insecure Direct Object References (IDOR) (WSTG-ATHZ-04)
- Directory Traversal (WSTG-ATHZ-01) / File Include * LFI/RFI?
- Bypassing authorization schema (WSTG-ATHZ-02), X-Original-URL and X-Rewrite-URL
- Privilege Escalation: Unix | Windows (WSTG-ATHZ-03)
- Test permissions of guest/training accounts *
- Test account suspension/resumption Process *
Cryptography
WSTG-CRYP: Testing for Weak Cryptography (OWASP Testing Guide)
- Weak SSL/TLS Ciphers Insufficient Transport Layer Protection (WSTG-CRYP-01), SSL certificates, SSLscan, Nmap NSE
- Padding Oracle (WSTG-CRYP-02)
- Sensitive Information Sent via Unencrypted Channels (WSTG-CRYP-03), check for insecure transmission of session tokens *
- Weak Encryption (WSTG-CRYP-04)
- Information exposure through query strings in url
- Testing for CBC bit flipping *
- Testing for hash length extension *
Client-side
WSTG-CLNT: Client-Side Testing (OWASP Testing Guide)
- Bypass Client-Side Validation
- DOM-based:
- DOM-based vulnerabilities (PortSwigger)
- DOM-Based Cross Site Scripting (XSS) (WSTG-CLNT-01)
- DOM clobbering (PortSwigger)
- DOM-based cookie manipulation (see labs WebSecurityAcademy (PortSwigger) – DOM-based vulnerabilities
- JavaScript Execution (WSTG-CLNT-02)
- Test for subresource integrity checks *
- Testing for linking to third-party Code *
- Testing for advertisement and analytics on critical flows *
- Testing for critical flows isolation *
- Leverage findings from previous phases in order to expand foothold in the environment. *
- HTML Injection (WSTG-CLNT-03)
- Open Redirection (WSTG-CLNT-04)
- CSS Injection (WSTG-CLNT-05)
- Client-Side Resource Manipulation (WSTG-CLNT-06)
- Cross Origin Resource Sharing (CORS) (WSTG-CLNT-07)
- Cross Site Flashing (WSTG-CLNT-08)
- Clickjacking (WSTG-CLNT-09)
- Web Messaging / Cross Document Messaging (WSTG-CLNT-11)
- Browser Storage (Local/Session/IndexedDB) (WSTG-CLNT-12)
- Cross Site Script Inclusion (XSSI) (WSTG-CLNT-13)
- Reverse Tabnabbing (WSTG-CLNT-14): legacy issue that does not affect modern browsers.
- Cookie bomb
- Testing of thick-client components (Java, ActiveX, Flash) *
Application/Business logic
WSTG-BUSL: Business Logic Testing (OWASP Testing Guide)
- Identify the logic attack surface *
- Business Logic Data Validation (WSTG-BUSL-01)
- Ability to Forge Requests (WSTG-BUSL-02), test for debug parameters to bypass business logic, easter eggs
- Integrity Checks (WSTG-BUSL-03)
- Process Timing
- Race Conditions / TOCTOU *
- Number of Times a Function Can be Used Limits (WSTG-BUSL-05)
- Circumvention of Work Flows (WSTG-BUSL-06)
- Test defenses against Application Mis-use (WSTG-BUSL-07)
- Analyze SSL responses for caching of sensitive content *
- Analyze content for sensitive data in URL parameters *
- Test for reliance on client-side input validation *
APIs
REST Security Cheat Sheet (OWASP, GitHub)
WSTG-APIT: API Testing (OWASP Testing Guide)
- Find API Specification file/documentation (see Web app enumeration page, review metafiles)
- API Scanning: API recon, identify entry points
- For each API found, check supported HTTP Methods
- Find hidden parameters
- Testing GraphQL (WSTG-APIT-01)
- Server-side parameter pollution in a query string, see HTTP Parameter Pollution (HPP)
- Mass Assignment / Auto-binding
- Ensure APIs use HTTPS
- If the APIs use JWT: JSON Web Token (JWT) (WSTG-SESS-10)
- Test Error Handling (WSTG-ERRH-01/02)
Resources
💡 See labs WebSecurityAcademy (PortSwigger) – API testing.
Tools: Burp Suite, Postman, SoapUI
- API testing (PortSwigger)
- API (CSbyGB)
- API Security Checklist (GitHub)
- OWASP API Security Project (API Security Top 10)
- OWASP REST Security Cheat Sheet
- API Testing (OWASP Testing Guide on GitHub)
Features
Login
WSTG-ATHN: Authentication Testing (OWASP Testing Guide)
- Credentials Transported over an Encrypted Channel (WSTG-ATHN-01)
- Weak Lock Out Mechanism (WSTG-AUTH-03)
- Bypassing Authentication Schema (WSTG-AUTH-04)
- Remember Password Functionality / Password Autocomplete enabled (WSTG-AUTH-05): DEPRECATED
- Weak Password Policy (WSTG-AUTH-07), bruteforce passwords, bypass IP blocking?
- Weak Security Question/Answer (WSTG-AUTH-08)
- Weak Authentication in Alternative Channel (WSTG-AUTH-10)
- Multi-Factor Authentication (WSTG-AUTH-11), bypass MFA, bruteforce MFA code
- HTTP Basic Authentication
- Account Enumeration and Guessable User Account (WSTG-IDNT-04)
- OAuth Weaknesses (OAuth Authorization Server & OAuth Client)
(WSTG-ATHZ-05)- Missing CSRF protection *
- Testing for improper usage of implicit grant type *
- Testing for flawed redirect_uri validation *
Logout
- Broken Logout Functionality (WSTG-SESS-06)
- Browser Cache Weaknesses (WSTG-AUTH-06)
User registration / Self-registration
- Weak User Registration Process (WSTG-IDNT-02)
- Account Provisioning Process (WSTG-IDNT-03)
- Account Enumeration and Guessable User Account (WSTG-IDNT-04)
- Weak or unenforced username policy (WSTG-IDNT-05)
User profile
- Email address change
- Profil picture:
- Test for File Upload
- If image is fetched from a URL, try SSRF (port scan, read internal files, access internal hosts). If server is in the cloud, use SSRF to access the metadata endpoint to obtain a token and potentially take over the cloud environment. See Cloud SSRF (HackTricks).
- Roles:
- Try listing all the application roles from the profile section.
- If your role is listed in the profile section, try editing your profile to change the role (privilege escalation).
- Test Mass Assignment / Auto-binding. Add extra parameters like “role” or “isAdmin”.
- Personal information:
- Check for REST API calls with the user ID. Try other IDs to do an IDOR.
- Look for messages with the username, like “Welcome <username>”. Try Server-side Template Injection (SSTI).
- Try injection vulnerabilities.
- MFA management:
- Test CSRF on changing the MFA setting. Password should be required to change this setting.
- Test XSS
- Disable MFA for other users via IDOR.
Admin panel
- Role Definitions (WSTG-IDNT-01)
- Create user:
- Try CSRF on user creation form (for privilege escalation).
- Test creating a user via XSS in application inputs.
- Send the user creation request as a normal user (change session cookie).
- Try SQLi or NoSQLi.
- Look for messages with the username, like “Welcome <username>”. Try Server-side Template Injection (SSTI).
- Password:
- Check if the initial password uses the same password policy as the password change.
- How is the initial password transmitted to the user? When in clear text, the user should be forced to change it.
- Delete user:
File upload
WSTG-BUSL-08: Test Upload of Unexpected File Types
WSTG-BUSL-09: Test Upload of Malicious Files
See File Upload.
Password change or reset
WSTG-ATHN-09: Testing for Weak Password Change or Reset Functionalities (OWASP Testing Guide)
See Password change or reset. NOTE: password reset poisoning is in WSTG-INPV-17.
Payment functionality
WSTG-BUSL-10: Test Payment Functionality (OWASP Testing Guide)
WebSockets
See WebSockets (WSTG-CLNT-10).
Artificial intelligence (AI)
Web LLM attacks (e.g. prompt injection), see Artificial Intelligence (AI)
Controls
Captcha
See Captcha.
Adapting Downloaded Exploits
- Change the IP address and port (HTTP/HTTPS)
- Change paths or route
- If authentication, understand how it works, credentials etc.
- Understand requests sent (GET or POST)
- Does the exploit need special configuration settings to work?