Web Applications

  1. Injection

  2. Broken Authentication

  3. Sensitive Data Exposure

  4. XML External Entities (XXE)

  5. Broken Access Control

  6. Security Misconfiguration

  7. Cross-Site Scripting (XSS)

  8. Insecure Deserialization

  9. Using Components with Known Vulnerabilities

  10. Insufficient Logging & Monitoring

Web Applications Vulnerabilities

Attacking Web Applications

URL Encoding

| Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
|---|---|---|---|
| Semicolon | ; | %3b | Both |
| New Line | \n | %0a | Both |
| Background | & | %26 | Both (second output generally shown first) |
| Pipe | \| | %7c | Both (only second output is shown) |
| AND | && | %26%26 | Both (only if first succeeds) |
| OR | \|\| | %7c%7c | Second (only if first fails) |
| Sub-Shell | \`\` | %60%60 | Both (Linux-only) |
| Sub-Shell | $() | %24%28%29 | Both (Linux-only) |

- Tab (%09): Using tabs instead of spaces
- $IFS (${IFS}): Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
- Bash Brace Expansion ({}): Example: 127.0.0.1%0a{ls,-la}. Commas will be replaced with spaces
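As a defensive counterpart to the operator table and the space-substitute list above, this added example (not part of the original cheat sheet) percent-decodes a request parameter and reports which of those operators it contains. The function names, the three-round decode limit and the sample query strings are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Operators and space substitutes from the cheat sheet, matched after decoding.
PATTERNS = [
    ("semicolon", re.compile(r";")),
    ("newline", re.compile(r"\n")),
    ("background", re.compile(r"(?<!&)&(?!&)")),
    ("pipe", re.compile(r"(?<!\|)\|(?!\|)")),
    ("and", re.compile(r"&&")),
    ("or", re.compile(r"\|\|")),
    ("sub-shell", re.compile(r"`|\$\(")),
    ("tab", re.compile(r"\t")),
    ("ifs", re.compile(r"\$\{?IFS\}?")),
    ("brace-expansion", re.compile(r"\{[^{}\s]+,[^{}\s]*\}")),
]
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double-encoded values


def decode_fully(value):
    """Percent-decode repeatedly so %250a is treated like %0a."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_operators(raw_value):
    """Return the names of the operators found in one still-encoded value."""
    decoded = decode_fully(raw_value)
    return [name for name, rx in PATTERNS if rx.search(decoded)]


def scan_query(raw_query):
    """Split on the literal '&' first, then decode: '%26' stays inside its value."""
    findings = {}
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        hits = find_operators(value)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Constructed query strings; the second value is the example from the list above.
    for q in ("ip=127.0.0.1&submit=1", "ip=127.0.0.1%0a{ls,-la}", "ip=127.0.0.1%250als"):
        print(q, "->", scan_query(q))
```

A match is a triage signal for parameters that should hold a simple value such as an IP address; free-text or JSON parameters can legitimately contain `;`, `&` or braces.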

Burp Repeater

  1. To URL-encode text, select that text and right-click on it

  2. Select Convert Selection > URL > URL encode key characters, or select the text and press [CTRL+U]

Front End Vulnerabilities

Cross-Site Scripting (XSS)

DOM XSS

```html
#"><img src=/ onerror=alert(document.cookie)>
```
