forked from The-XSS-Rat/SecurityTesting
HuntingChecklist.txt
Sessions
Make a user with every role and check if he can directly access pages he should not be able to reach
Take away a role and check if the user can still perform those actions before logging out
Look at the session token: does it change? If not, it might be usable for session fixation
Delete a logged-in user and check if he can still perform actions before logging out
….
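As an added example (not part of the checklist or its author's material), a minimal Python session store showing the server-side behaviour the four Sessions checks above probe for: the session id is rotated on login, and every request re-reads the user's current roles and active flag instead of trusting a snapshot taken at login. All class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


class SessionStore:
    """Sessions map an id to a user name only; rights are re-read per request."""

    def __init__(self):
        self.users = {}     # user name -> User (hypothetical in-memory user store)
        self.sessions = {}  # session id -> user name, or None before login

    def add_user(self, user):
        self.users[user.name] = user

    def new_anonymous_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, old_sid, name):
        # Rotate the id on authentication so a pre-login id never names the logged-in session.
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = name
        return sid

    def authorize(self, sid, required_role):
        # Look up the user's *current* record instead of a snapshot taken at
        # login, so removed roles and deleted users take effect immediately.
        name = self.sessions.get(sid)
        user = self.users.get(name) if name else None
        if user is None or not user.active:
            self.sessions.pop(sid, None)  # stale session: drop it
            return False
        return required_role in user.roles

    def remove_role(self, name, role):
        self.users[name].roles.discard(role)

    def delete_user(self, name):
        self.users[name].active = False
        # Also terminate every live session of that user.
        for sid in [s for s, n in self.sessions.items() if n == name]:
            del self.sessions[sid]
```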
Stored XSS
For every input field
Try to get an entity such as <a href=#>test</a> in
Try to get an obfuscated entity in
If it catches on anything, go deeper
Reflected XSS
Check the error pages (404, 403, ...)
Trigger a 403 by trying to get the .htaccess file
Try every reflected parameter
CSRF
Check if there is a CSRF token
Check if the token changes
Check if the server still accepts the request if you give it a random token
Cookie
HttpOnly flag?
Secure flag?
Is the domain of the cookie checked?
If not, a cookie set on a subpath will also be sent along with the request
Is the cookie reflected in a URL GET parameter?
IDOR
Try directly going to objects you have no right to that are at the same authentication level as the user
Try directly going to objects you have no right to that are at a higher authentication level than the user
Try directly going to objects you have no right to that belong to a different client in the system
Chaining
Maybe use CSRF to make someone insert XSS into their own page?
Maybe use XSS to steal a cookie that lacks the HttpOnly flag?
Maybe use XSS to overwrite a cookie on a different path?
Maybe use a session that never changes together with XSS to steal the cookie for permanent account takeover (+ severity)
Maybe use XSS to steal info displayed on the page (GDPR issue - PII data)