Web Vulnerabilities Methodology

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Katika kila Web Pentest, kuna maeneo kadhaa yaliyofichwa na yaliyo wazi ambayo yanaweza kuwa na udhaifu. Chapisho hili limetengenezwa kama orodha ya ukaguzi ili kuhakikisha kuwa umevitafuta udhaifu katika maeneo yote yanayowezekana.

Proxies

Tip

Sasa hivi web applications kwa kawaida hutumia aina fulani ya intermediary proxies, ambazo zinaweza kutumiwa/kutumiwa vibaya ili kufaida udhaifu. Udhaifu hizi zinahitaji proxy iliyo dhaifu kuwepo, lakini kawaida pia zinahitaji udhaifu wa ziada katika backend.

• Abusing hop-by-hop headers
• Cache Poisoning/Cache Deception
• HTTP Connection Contamination
• HTTP Connection Request Smuggling
• HTTP Request Smuggling
• HTTP Response Smuggling / Desync
• H2C Smuggling
• Server Side Inclusion/Edge Side Inclusion
• Uncovering Cloudflare
• XSLT Server Side Injection
• Proxy / WAF Protections Bypass

Ingizo la Mtumiaji

Tip

Mara nyingi web applications zitamruhusu mtumiaji kuingiza data ambayo itatibiwa baadaye.
Kulingana na muundo wa data ambayo server inatarajia, baadhi ya udhaifu yanaweza kutumika au yasitumike.

Thamani Zinazorudishwa

Ikiwa data iliyowasilishwa kwa namna fulani inaweza kurudishwa kwenye jibu, ukurasa unaweza kuwa na udhaifu wa masuala kadhaa.

• Client Side Path Traversal
• Client Side Template Injection
• Command Injection
• CRLF
• Dangling Markup
• File Inclusion/Path Traversal
• Open Redirect
• Prototype Pollution to XSS
• Server Side Inclusion/Edge Side Inclusion
• Server Side Request Forgery
• Server Side Template Injection
• Reverse Tab Nabbing
• XSLT Server Side Injection
• XSS
• XSSI
• XS-Search

Baadhi ya udhaifu uliotajwa unahitaji masharti maalum, wengine wanahitaji tu yaliyomo kurudishwa. Unaweza kupata polygloths za kuvutia za kujaribu haraka udhaifu katika:

Reflecting Techniques - PoCs and Polygloths CheatSheet

Vipengele vya Utafutaji

Ikiwa kipengele kinaweza kutumika kutafuta aina fulani ya data ndani ya backend, huenda ukaweza kulitumia vibaya kutafuta data yoyote ile.

• File Inclusion/Path Traversal
• NoSQL Injection
• LDAP Injection
• ReDoS
• SQL Injection
• ORM Injection
• RSQL Injection
• XPATH Injection

Forms, WebSockets and PostMsgs

Wakati websocket inapoposti ujumbe au fomu ikiruhusu watumiaji kufanya vitendo, udhaifu unaweza kutokea.

• Cross Site Request Forgery
• Cross-site WebSocket hijacking (CSWSH)
• Phone Number Injections
• PostMessage Vulnerabilities

HTTP Headers

Kulingana na HTTP headers zinazotolewa na web server, baadhi ya udhaifu yanaweza kuwepo.

• Clickjacking
• Iframe Traps / Click Isolation
• Content Security Policy bypass
• Cookies Hacking
• CORS - Misconfigurations & Bypass

Bypasses

Kuna vipengele maalum vichache ambavyo suluhisho za mkato zinaweza kuwa muhimu kuvitengenezea ili kuvipita

• 2FA/OTP Bypass
• Bypass Payment Process
• Captcha Bypass
• Account Takeover Playbooks
• Login Bypass
• Race Condition
• Rate Limit Bypass
• Reset Forgotten Password Bypass
• Registration Vulnerabilities

Vitu Vilivyopangwa / Vipengele Maalum

Baadhi ya vipengele vitahitaji data kuwa imepangwa kwa muundo maalum sana (kama object iliyoserializa ya lugha au XML). Kwa hivyo, ni rahisi kubaini kama application inaweza kuwa na udhaifu kwani inahitaji kushughulikia aina hiyo ya data.
Vipengele maalum pia vinaweza kuwa dhaifu ikiwa muundo maalum wa ingizo unatumika (kama Email Header Injections).

• Deserialization
• Email Header Injection
• JWT Vulnerabilities
• JSON / XML / YAML Hacking
• XML External Entity
• GraphQL Attacks
• gRPC-Web Attacks

Files

Vipengele vinavyoruhusu kupakia mafaili vinaweza kuwa na udhaifu wa masuala kadhaa.
Vipengele vinavyotengeneza mafaili vinavyojumuisha ingizo la mtumiaji vinaweza kutekeleza nambari isiyotegemewa.
Watumiaji wanaofungua mafaili yaliyo pakuliwa na watumiaji wengine au yaliyo tengenezwa moja kwa moja yakiwa na ingizo la mtumiaji wanaweza kuathiriwa.

• File Upload
• Formula Injection
• PDF Injection
• Server Side XSS

External Identity Management

• OAUTH to Account takeover
• SAML Attacks

Other Helpful Vulnerabilities

Udhaifu hizi zinaweza kusaidia kutekeleza udhaifu mwingine.

• Domain/Subdomain takeover
• IDOR
• Mass Assignment (CWE-915)
• Parameter Pollution
• Unicode Normalization vulnerability

Web Servers & Middleware

Usanidi usio sahihi kwenye stack ya edge mara nyingi hufungua mdudu wenye athari kubwa zaidi kwenye safu ya application.

• Apache
• Nginx
• IIS
• Tomcat
• Spring Actuators
• PUT Method / WebDAV
• Special HTTP Headers
• WSGI Deployment
• Werkzeug Debug Exposure

Application Frameworks & Stacks

Primitives maalum za framework mara nyingi hufunua gadgets, default hatari, au endpoints zinazomilikiwa na framework.

• Django
• Flask
• NodeJS / Express
• Angular
• Vue / Nuxt
• Next.js
• Laravel
• Symfony

CMS, SaaS & Managed Platforms

Bidhaa zenye uso mkubwa mara nyingi huja zikiwa na exploits zinazojulikana, plugins dhaifu, au endpoints za admin zilizo na vibali vya juu.

• WordPress
• Joomla
• Drupal
• Moodle
• Prestashop
• Atlassian Jira
• Grafana
• Rocket.Chat
• Zabbix
• Microsoft SharePoint
• Sitecore

APIs, Buckets & Integrations

Msaidizi wa upande wa server na integrasions za wahudumu wa tatu zinaweza kufichua udhaifu wa uchambaji wa faili au safu ya uhifadhi.

• Web API Pentesting
• Storage Buckets & Firebase
• Imagemagick Security
• Artifactory & Package Registries
• Code Review Tooling

Supply Chain & Identifier Abuse

Shambulio linalolenga build pipelines au vitambulisho vinavyotarajiwa linaweza kuwa mguu wa kwanza kabla ya kufaida mdudu wa jadi.

• Dependency Confusion
• Timing Attacks
• UUID Insecurities

Web3, Extensions & Tooling

Maombi ya kisasa yanapanuka hadi browsers, wallets, na pipelines za automation—weka vektor hizi ndani ya wigo.

• dApps / Decentralized Applications
• Browser Extension Pentesting
• wfuzz Web Fuzzing

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.