Web Pentesting

The website contains lots of components and functionality, testing them can be frustrating and time consuming. I have been in a situation where I have to decide from where to start the test or forgot to test some of the areas or vulnerabilities in website. So, here I have created the simple cheatsheet for pentesting the website with some references to tools, websites and wordlists.

Cheatsheet

1

Directories and Pages enumeration

  • Enumerate the visible directories and pages.

  • Enumerate or test all the features available in page and functionality of buttons.

  • Gather their clients and their team members information form testimonial or about us section or page if available.

  • Gather the contact information like address, email addresses or contact number.

  • Test .git directory and robot.txt, which can be leaked.

2

Source code review

  • Check for comments in the source code which could reveal or give us some information.

  • Check for metadata, script and link tag which could reveal the use third-party libraries, dependencies, frameworks etc.

  • If code is not obfuscated, try to understand the code and its functionality.

  • Check all the scripts and assets linked to the source code.

3

Identifying technologies and finding its vulnerabilities

  • The technologies used can be identified via source code.

  • The whatweb cli and wappalyzer plugins can be used for identifying technologies used.

  • The 404 page can be used to identify the frameworks used in the website. The 0xdf has created the 404 page cheatsheet for identifying the frameworks.

  • If the technologies used is an open-source project, head over to its github or gitlab repository and in security tab its vulnerabilities will we listed.

  • Use searchsploit cli, synk, cvedetails or any other website or tools where we can find it's vulnearbilities and PoC's.

4

Intercepting the request

  • Look for additional or uncommon headers.

  • Enumerate the cookies or sessions token if present in the header.

  • Enumerate all the request called when certain functionality is triggered or while visiting pages or directories.

5

Forms and URL's

  • Test the URL's for vulnerabilites like LFI, XSS, IDOR, sql injection.

  • Test the Forms for vulnerabilities like LFI, XSS, SSTI, sql injection, command injection.

  • Use automated tools like sqlmap for database enumeration or gathering other valuable informations.

6

Fuzzing

  • Use fuzzing tools like ffuf, dirsearch, gobuster or any other tools for fuzzing directories, pages, sub-domain and vhost.

  • Fuzz the parameter's with payloads for finding vulnerabilities like LFI, XSS, IDOR, sql injection etc.

7

Finding exploits

  • The script for certain PoC's is published in github or gitlab.

  • The searchsploit or exploit-db contains the scripts for exploitation's certain CVE's vulnerabilities.

  • The open-source libraries or frameworks vulnerabilities and PoC's which is used in website can be found in the security tab in github or gitlab repository.

  • The metasploit frameworks contains the lots of exploits which can be used during pentesting.

8

Exploitation

  • Chaining vulnerabilities to gain access to system or some forbidden pages and directories in website.

  • Manual and automated exploitation.

  • Creating the scripts to exploit the vulnerability.

9

Reporting

  • Create the report of every steps or anything you perform during pentesting. It will help you to see where you have previously left, showcasing the found exploits PoC's and to prove you innocent if some malicious activity has occurred during the pentest which you have not performed.

References

Tools

Websites

Wordlists

  • Seclists - The wordlist which can be used for directory, pages, sub-domain and vhost fuzzing.

  • Rockyou - The wordlist which can be used for brute forcing and directory-attacks.

Note: Some of the tools are already installed in linux distros like kali and parrot os.

Happy Pentesting

PreviousPentestNextTools

Last updated