Situational Web Flashcards
What can you do if you want to find the language running on the back end?
Fuzz the file extension of index like index.FUZZ
What vulnerabilities to look for in an exposed login page?
SQL Injection
What tool to use for brute-forcing login credentials?
Hydra
What tool to use to test for SQL injection?
sqlmap
What attack to test when you find an exposed API?
Broken Access Control
How to identify an IDOR vulnerability?
Modify parameters in requests (e.g.
What tool to use for finding exposed sensitive files?
dirb
What headers should be checked for security misconfigurations?
CSP
What tool to use for testing Cross-Site Scripting (XSS)?
XSSHunter
How to check if a website is vulnerable to CORS misconfiguration?
Test Access-Control-Allow-Origin headers with malicious origins
What attack can be performed with unrestricted file upload?
Remote Code Execution (RCE)
What tool to use for testing for Server-Side Request Forgery (SSRF)?
Burp Collaborator
How to check for weak JWT signing keys?
Use jwt_tool or CrackJWT to brute-force signing key
What attack can be performed with insecure JWT algorithms?
Switch algorithm from RS256 to None to bypass authentication
What tool to use to enumerate subdomains?
Subfinder
What attack can be performed with a vulnerable deserialization function?
Remote Code Execution (RCE)
What tool to use for testing XML External Entity (XXE) vulnerabilities?
Burp Suite
How to identify and exploit a Host Header attack?
Modify Host header to bypass authentication or perform cache poisoning
What attack to test when you find an admin panel?
Brute-force login
What tool to use for testing CSRF vulnerabilities?
Burp Suite CSRF PoC generator
What vulnerabilities to test for in a GraphQL API?
Insecure Direct Object Reference (IDOR)
What attack can be performed with a NoSQL Injection vulnerability?
Authentication Bypass
How to check for rate limiting issues?
Send multiple requests rapidly and observe response behavior
What tool to use for checking misconfigured S3 buckets?
AWS CLI
How to bypass WAF protections?
Encode payloads
What attack can be performed with improper session management?
Session Fixation
How to check for hardcoded secrets in JavaScript files?
Review source code manually
What vulnerabilities to test for in an OAuth implementation?
Token Reuse
What tool to use for discovering web technologies?
Wappalyzer
What attack can be performed with a misconfigured CORS policy?
Stealing authentication tokens
How to find hidden endpoints in a web application?
Analyze JavaScript files
What vulnerabilities to test for in a file download feature?
Path Traversal
What tool to use for discovering vulnerable WordPress plugins?
WPScan
What attack can be performed with a vulnerable redirect endpoint?
Open Redirect
How to test for weak password policies?
Use common password lists with Hydra or Burp Intruder
What tool to use for analyzing web socket security?
Burp Suite
How to identify if a site is vulnerable to Clickjacking?
Check for missing X-Frame-Options header and use an iframe to embed the page
What attack can be performed with an unrestricted GraphQL query?
Data Over-Extraction
What tool to use for detecting CVEs in web applications?
Nuclei
How to exploit a SSTI (Server-Side Template Injection) vulnerability?
Inject template payloads like {{7*7}}
What tool to use for detecting JavaScript security issues?
Retire.js
How to exploit weak object-level authorization in an API?
Modify resource IDs in API requests and check unauthorized access
What tool to use for checking for CVEs in third-party libraries?
Dependency-Check
How to bypass a login page using SQL Injection?
Use payloads like ' OR 1=1 --
What vulnerabilities to test for in a multi-factor authentication system?
2FA Bypass via Response Manipulation
How to detect web cache poisoning vulnerabilities?
Modify request headers (X-Forwarded-Host
What attack can be performed with an open .git directory?
Source Code Disclosure
What tool to use for finding secrets in leaked repositories?
TruffleHog
What kind of PHP input sanitization is good for viewing source code?
Appended extensions (appending a .php)
What are some sanitization methods to keep in mind when exploiting LFI?
Appended Extensions, Filename Prefix, Removing .., Approved Paths
How can you bypass appended extension sanitization in PHP LFI?
Truncation Bypass, Null Byte Injection, convert.base64-encode filter
What do you need to make the truncation bypass work for LFI?
< PHP 5.3/5.4 and payload prefixed with a non-existent directory
What version of PHP does Null byte injection bypass work for LFI?
< PHP 5.5
How can we bypass filename prefix sanitization in PHP LFI?
sometimes by prefixing payload with / character (only if there is a directory with the prefix name)
How to bypass .. removal sanitization in PHP LFI?
Using ....// and ..././ payloads
How to bypass approved paths sanitization in PHP LFI?
begin path with approved directory (if approved files in languages/ directory begin payload with ./languages/ or languages/)
How can you tell if a server side include function is capable of executing PHP code?
Include PHP code and see if the plain source or a generated page comes back.
What is a .net web shell?
<% eval request('cmd') %>
HTML form parameters are normally well tested. How can you exploit other parameters?
Identify parameters not used in forms and fuzz for parameters